Por Steve Oates
Steve Oates, CISSPSteve Oates, CISSP | Director at SAVIT Group.
Why did I write this? This article is NOT a presentation of theory.. nor do I take the time to build a technical position. Instead, I’m very concerned and want to offer my colleagues here some practical Information Security considerations for work at home. Please take a moment to protect yourself, your data, your business communications and financial transactions at home by considering and acting upon the following.
We can longer assume our home network is secure. If you are in healthcare, finance / accounting, engineering or software design please take a moment to read this carefully.
Our children are on smartphones, guests want the “guest Wi-Fi password” (we call it “Wee-fee”) and now smart TVs, gaming systems, VOIP phones and Wi-Fi enabled speakers need more access. This requires greater attention and consideration toward information security at home!
Let’s call out the obvious. Developing good Info-Sec awareness are critical “manners” for work-at-home professionals and anyone wanting to protect their valuable information so let’s discuss our advanced tech and how to address it at home.
Our Advanced Tech and How to Address It.
Non-Essential Devices Should Be Segmented
This is very important! I cannot stress this enough. I recommend the following devices NOT be on the same “network” actively used for your business, personal finance or anything frankly you don’t want potential attackers to see.
I personally group the following devices on their own internal network and I recommend the same for any data conscious colleague reading this article. These devices cannot connect or “see” any business computers, devices or communications. Very important!
- Smart TV’s
- Wireless Home Speakers
- Guest WIFI access
- WIFI for children (smart phones or tablets)
- Gaming Systems (XBOX, PlayStation, etc.)
- I also add non-critical VOIP phones in this group
- Children / Guest physical computer
Critical Devices For Business Should Be Independent
The following devices should be on their own internal network. Laymen terms.. the following devices should not be able to “see” or “connect” to anything from the first group or vice versa.
- Business Computers
- Phones with business email
- Tablets used to either connect or communicate for business
- Devices used to manage or track financial records and accounts
- Paperless solutions for your home (both personal and corporate documents)
- VOIP Phones for business BUT I restrict what types of protocols and connections the phone can make. Very important.
Critical Devices for Personal Household – Should be Handled Different.
I like to group the last into its own category due to the newness and developing nature of the technology. It relates to home security, appliance management, solar panels and electric cars.
- Depending on your personal “estate” you may have the need to segment your home security by itself but I don’t have a mansion with million-dollar art hanging in the foyer. Instead, we keep the high dollar Art in the kids bedrooms(grin). For most of my colleagues one group for these devices would be sufficient.
- Electric Car management / smart cars.
- Home Appliance monitoring / management (e.g. Temperature control, appliance alerts, etc.)
- Home lighting control
- Worthy to mention here: Restricting what communications come in and go out of your home may become an important consideration depending on your specific needs and items to protect. Ask your professional.
3 Basic InfoSec Standards as a Foundation.
The following are the basics that we should all be doing but I’ll include just in case you are one of those thinking “…it won’t happen to me”.
- Use antivirus software on all your personal devices—including your smartphone—and always keep it up-to-date. This is important for Mac users, too. For phones, consider Lookout for both Android devices and iPhone. On Windows based phones, you have even more security option. Not all anti-virus programs are the same.. so do a bit of research.
- Turn on automatic patching to keep your software and apps up-to-date. That way you can benefit from the information security efforts of software vendors. Many if not most attacks target vulnerabilities in outdated software versions and thus can be thwarted simply by patching.
- “Think before you click” on links and attachments! Phishing emails still represent a significant entry point for malware, virus and overall social engineering. See VERIZON REPORT for more information on this point.
- Lastly, if you installed a one-stop powerful Wi-fi with “firewall built it” — most likely its not enough. See below for more information.
How Do We Get Started?
If this seems overwhelming then please hire a professional. We can no longer go to the local B3stBuck > pick out our wireless router and assume “we’re good”. One device CAN do all of this if purchased and configured correctly but they are not sold at B3stBuck or W@llcart. (Personally – We have two wireless routers in addition to the Fortigate device mentioned below.) There are a number of devices out there but my professional favorite would be the Fortinet UTM appliance (Next generation Firewall – 60D thru 90D is sufficient for the home office).
You will most likely need a professional to configure it correctly but it is totally worth the effort and peace of mind.
- She/he can configure it with automatic email / text messages if there are critical alerts detected (e.g. child downloads an app on their smart phone and it is maliciously exploring the network.) This has happened to us!
- Offers another layer of virus / malware protection.
- These devices typically have much faster content control for the family should you wish to restrict web content. Notable content to block: malicious websites, phishing websites, adult material, bandwidth consuming sites, etc.
Brief BIO: Steve Oates has a Master’s Degree in Information Sciences | Cyber security and Assurance from the College of Information Sciences and Technology at Pennsylvania State University. In addition, he maintains certifications related to Microsoft systems engineering / network management and CISSP (Certified Information Systems Security Professional).
