Protecting your Digital Home

Week 2 of Cybersecurity Awareness Month focuses on steps users and organizations can take to protect internet-connected devices for both personal and professional use.

Secure your home office

Physical security shouldn’t go out the window when you’re working from home. Just as you lock the up the office when you leave for the day, do the same when working from home.

Laptops can be stolen from your backyard, living room, or home office. Take your laptop inside when you go and make lunch, and lock the door to your home office. Keep your home workspace as secure as you keep your normal office.

Secure your home router

Cybercriminals look to exploit default passwords on home routers because of not many people bother to change it, leaving their home network vulnerable.

Changing your router’s password from the default to something unique is a simple step you can take to protect your home network from malicious actors who want access to your devices.

This is a good first step, but there are additional actions you can take. For example, you should ensure firmware updates are installed as soon as possible so known vulnerabilities aren’t exploitable.

DO YOUR HOMEWORK

Before purchasing a new smart device, do your research. Check out user reviews on the product, look it up to see if there have been any security/privacy concerns, and understand what security features the device has or doesn’t have.

Put your IoT Devices on a Guest Network

Why? Because if a smart device’s security is compromised, it won’t grant an attacker access to your primary devices, such as laptops.

Separate work and personal devices

It might be easier said than done, but it’s important to carve out boundaries between your work life and home life, especially while working from home.

While it may seem cumbersome to constantly switch between devices to simply pay a bill or online shop, do your best to keep your work computer and home computer separate. You never know if one has been compromised.

If you can do the same for your mobile devices, even better.

This can help reduce the amount of sensitive data exposed if your personal device or work device has been compromised.

Encrypt your devices

If your employer hasn’t already turned on encryption for you, you should turn it on as it plays an important part in reducing the security risk of lost or stolen devices, as it prevents strangers from accessing the contents of your device without the password, PIN, or biometrics.

For reference, encryption is the process of encoding information so only authorized parties can access it. While it doesn’t prevent interference and man-in-the-middle attacks, it does deny intelligible content to the interceptor.

How you turn on encryption will depend on your device:

  • Windows: Turn on BitLocker.
  • macOS: Turn on FileVault.
  • Linux: Use dm-crypt or similar.
  • Android: Enabled by default since Android 6.
  • iOS: Enabled by default since iOS 8.

Update Software

When the manufacturer issues a software update, patch it immediately. Updates include important changes that improve the performance and security of your devices.

Enable two-factor authentication and use an authenticator app

Two-factor authentication is an authentication method where access is granted only after successfully presenting two pieces of evidence to an authentication mechanism.

Two-factor authentication can dramatically reduce the risk of successful phishing emails and malware infections because even if the attacker is able to get your password, they are unable to login because they do not have the second piece of evidence. To successfully login, they would need access to whatever is generating your one-time code, which should be an authenticator app or security key.

The first and most common evidence is a password. The second takes many forms but is typically a one-time code or push notification.

It’s important to be aware that while convenient, SMS is not a good choice for the second factor.

In fact, NIST SP 800-63 Digital Identity Guidelines explicitly disapprove of its use because attackers have learned how to trick telecommunication companies into switching the phone number to a new sim card through social engineering.

The best practice is to use an authenticator app, at Northwestern University we use Duo. Other good alternatives are Google Authenticator and Authy.

Enable find my device and remote wipe

Being able to find and ideally remote your device is a crucial part of ensuring information security when a device is lost or stolen. Securely wiping a device makes it much harder to access your data, no matter how much time or determination an attacker has.

Here’s how to enable find my device:

  • Windows: Enable in Settings > Update & Security & Find my device.
  • macOS: Setup iCloud on your device by going to Settings > Your Name > iCloud > Find My Mac.
  • Linux: Not built into the operating system and requires a third-party app
  • Android: Set up a Google account on the device and it will be enabled by default.
  • iOS: Setup iCloud on your device by going to Settings > Your Name > iCloud > Find My iPhone/iPad.

Use a virtual private network (VPN)

A virtual private network (VPN) extends a private network across a public network, enabling you to send and receive data across shared or public networks as if you are directly connected to the private network. They do this by establishing a secure and encrypted connection to the network over the internet and routing your traffic through that.

This keeps you secure on public hotspots and allows for remote access to secure computing assets.

VPNs can reduce the risk of certain cyberattacks, like MITM attacks, as they make it difficult to snoop on your traffic and intercept what you are doing. They can also prevent websites from knowing your real location, or your internet provider from monitoring your activity.

At Northwestern University we highly recommend using the GlobalProtect VPN client.