In this second part of Security 101 we will briefly look at some quick steps to secure your physical and wireless network.
When it comes to the physical network we mean:
- Network ports
Here is a quick checklist that offers a security baseline:
- Ensure remote access to these devices is turned off (unless it is restricted to very specific source IPs, such as your IT provider's office location, to allow for remote assistance).
- ALWAYS change the default password of the device. The first thing an attacker will attempt is the manufacturer's published default username and password.
- Use a password generator and set a unique password for each device, so that if one is compromised the rest are not exposed. If you want to go a step further, there are solutions such as "just in time" access and one-off passwords; I will try to cover these in a future blog. The documentation of these passwords should ideally be kept on a secure SharePoint site locked down to IT managers and senior administrators. This is the easiest out-of-the-box way to have an audit trail of who accessed those files and when.
- The most common issue I have noticed in the field at small and medium businesses is that almost all network devices are left on the firmware version they shipped with. The consequence is that an attacker a year down the road will have a handful of zero-day bugs to choose from in order to gain access.
- Turn off remote ping and enable basic DDoS protection on Internet-facing routers. Almost all of them now have these options out of the box.
- Physical security of the devices should be top priority, no matter how good your logon password is: all devices have a hard reset function that someone with malicious intent can leverage.
- Access to LAN ports should also be considered (see part one of this blog). Once on the internal network, an attacker can easily run a network and port scan, quickly find a host to infect with malware and thereby gain permanent access to the network.
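The checklist above is easiest to keep honest if it is checked against an inventory rather than from memory. The following is an added example, not code from the blog, that audits a constructed device inventory for the items listed (remote administration limited to specific source IPs, default password changed, password unique per device, firmware current, remote ping off on Internet-facing devices). Device names, firmware versions, subnets and passwords are all constructed placeholders; password reuse is detected by comparing hashed fingerprints so the report never needs the plaintext.

```python
"""Added example, not the blog's own code: a baseline audit over a constructed
network-device inventory, checking the checklist items above (remote admin
limited to specific source IPs, default password changed, password unique per
device, firmware current, remote ping off on Internet-facing devices).
Device names, firmware versions and addresses are constructed placeholders."""
import hashlib
import ipaddress


def fingerprint(secret: str) -> str:
    """Hash a device password so the audit compares fingerprints, never plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed inventory (assumption). In practice this would be exported from
# the password vault / CMDB; plaintext appears here only to build the fingerprints.
INVENTORY = [
    {"name": "edge-router", "internet_facing": True,
     "firmware": "2.4.1", "latest_firmware": "2.6.0",
     "remote_admin_from": ["0.0.0.0/0"],            # admin UI open to the world
     "password_changed": True, "password_hash": fingerprint("Shared-Pw-2019"),
     "remote_ping": True},
    {"name": "core-switch", "internet_facing": False,
     "firmware": "9.3.8", "latest_firmware": "9.3.8",
     "remote_admin_from": ["10.10.0.0/24"],         # management VLAN only
     "password_changed": True, "password_hash": fingerprint("Shared-Pw-2019"),
     "remote_ping": False},
    {"name": "wifi-ap-1", "internet_facing": False,
     "firmware": "5.1.0", "latest_firmware": "5.1.0",
     "remote_admin_from": None,                     # remote admin disabled
     "password_changed": False, "password_hash": fingerprint("factory-default"),
     "remote_ping": False},
]


def version_tuple(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory: list) -> list:
    """Return (device, finding) pairs for every checklist item a device fails."""
    findings = []
    devices_by_hash = {}
    for dev in inventory:
        devices_by_hash.setdefault(dev["password_hash"], []).append(dev["name"])

    for dev in inventory:
        name = dev["name"]
        # Remote access: a 0.0.0.0/0 source means "from anywhere", not a specific office IP.
        for cidr in dev["remote_admin_from"] or []:
            if ipaddress.ip_network(cidr).prefixlen == 0:
                findings.append((name, "remote administration reachable from any source"))
        if not dev["password_changed"]:
            findings.append((name, "default credentials still in use"))
        # Reuse detection without handling plaintext: the same fingerprint on two devices.
        peers = [n for n in devices_by_hash[dev["password_hash"]] if n != name]
        if peers:
            findings.append((name, "password shared with " + ", ".join(peers)))
        if version_tuple(dev["firmware"]) < version_tuple(dev["latest_firmware"]):
            findings.append((name, f"firmware {dev['firmware']} behind vendor release {dev['latest_firmware']}"))
        if dev["internet_facing"] and dev["remote_ping"]:
            findings.append((name, "answers ping from the Internet"))
    return findings


if __name__ == "__main__":
    for device, finding in audit(INVENTORY):
        print(f"{device:12} {finding}")
```

Running it against the constructed inventory flags the edge router four times (open remote admin, reused password, stale firmware, ping enabled), the core switch once for the shared password, and the access point once for never having had its default credentials changed.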
The most common issue I have encountered is that the Wi-Fi is taken for granted and the password handed out for connecting personal smartphones, guests, etc. The password should not be visible to anyone; devices should be joined either by an administrator or enrolled through Microsoft Intune, which lets you deploy a Wi-Fi configuration seamlessly. This protects the password and gives you the ability to change it if you suspect it has been compromised.

The next step is to not allow access from the Wi-Fi to your backend core infrastructure. Wi-Fi should never allow RDP, SSH and the like to core infrastructure servers (my personal opinion). Someone could easily connect to these from the car park or run a denial of service attack against them. One could go as far as MAC address restricting the corporate Wi-Fi, but this is a huge overhead and unless you are the FBI it is overkill in my opinion.
Create a guest Wi-Fi with the following settings:
- Endpoint isolation, meaning endpoints on this Wi-Fi cannot contact other devices on the same network.
- Use an external DNS server so internal infrastructure is not discoverable.
- Block access to corporate subnets and have the guest Wi-Fi connect straight out to the Internet.
- Limit the bandwidth per endpoint on this network, e.g. to 10 Mbps.
- Enable the time schedule function, meaning outside office hours this network will not be available.
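To make the guest checklist above and the "no RDP/SSH from Wi-Fi to core servers" rule from the previous paragraph concrete, here is an added example (not code from the blog or from any vendor) that models both policies as plain decision functions plus a per-endpoint token bucket for the bandwidth cap. The subnets, resolver addresses, office hours and rate are constructed placeholders; a real deployment expresses the same decisions as firewall/controller rules, but the model makes it easy to see which packets each rule catches.

```python
"""Added example, not code from the blog post: a small policy model for the
Wi-Fi rules described above (guest client isolation, external-only DNS, no
route into corporate subnets, per-endpoint bandwidth cap, office-hours
schedule, and no RDP/SSH from Wi-Fi to core servers).  All subnets, resolver
addresses, limits and hours are constructed placeholders (assumptions)."""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Constructed sample address plan (assumption, not from the post).
CORE_SERVERS = ipaddress.ip_network("10.10.0.0/24")      # backend infrastructure
GUEST_WIFI = ipaddress.ip_network("172.16.99.0/24")       # guest SSID
EXTERNAL_DNS = {ipaddress.ip_address("9.9.9.9"),
                ipaddress.ip_address("149.112.112.112")}  # public resolvers
MGMT_PORTS = {22, 3389}                                    # SSH, RDP
OFFICE_HOURS = (time(8, 0), time(18, 0))                   # Mon-Fri only
GUEST_RATE_BYTES_PER_S = 10_000_000 // 8                   # ~10 Mbps per endpoint

# Constructed sample timestamps used by the demo and the test.
TUESDAY_NOON = datetime(2024, 3, 5, 12, 0)
SATURDAY_NOON = datetime(2024, 3, 9, 12, 0)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def guest_policy(pkt: Packet, now: datetime) -> str:
    """Decide what a guest Wi-Fi client may reach: 'allow' or 'deny: <reason>'."""
    dst = ipaddress.ip_address(pkt.dst)
    # Time schedule: the guest SSID is simply off outside office hours.
    start, end = OFFICE_HOURS
    if now.weekday() >= 5 or not (start <= now.time() < end):
        return "deny: outside office hours"
    # Endpoint isolation: guests never talk to each other.
    if dst in GUEST_WIFI:
        return "deny: client isolation"
    # DNS only to the external resolvers, so internal names are not discoverable.
    if pkt.dport == 53:
        return "allow" if dst in EXTERNAL_DNS else "deny: internal DNS not reachable"
    # Everything else must go straight out to the Internet: no RFC1918 or local targets.
    if dst.is_private or dst.is_loopback or dst.is_link_local:
        return "deny: corporate subnet"
    return "allow"


def corp_wifi_policy(pkt: Packet) -> str:
    """Corporate Wi-Fi: normal access, but no management protocols to core servers."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in CORE_SERVERS and pkt.proto == "tcp" and pkt.dport in MGMT_PORTS:
        return "deny: no SSH/RDP from Wi-Fi to core servers"
    return "allow"


class PerClientLimiter:
    """Token bucket per client: the per-endpoint bandwidth cap from the guest checklist."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self._buckets = {}   # client -> (tokens, last_timestamp)

    def allow(self, client: str, nbytes: int, t: float) -> bool:
        tokens, last = self._buckets.get(client, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)   # refill since last packet
        if nbytes > tokens:
            self._buckets[client] = (tokens, t)
            return False                                            # over the cap: drop/queue
        self._buckets[client] = (tokens - nbytes, t)
        return True


if __name__ == "__main__":
    guest = "172.16.99.20"
    print(guest_policy(Packet(guest, "172.16.99.21", "tcp", 445), TUESDAY_NOON))
    print(guest_policy(Packet(guest, "10.10.0.5", "udp", 53), TUESDAY_NOON))
    print(guest_policy(Packet(guest, "93.184.216.34", "tcp", 443), TUESDAY_NOON))
    print(guest_policy(Packet(guest, "93.184.216.34", "tcp", 443), SATURDAY_NOON))
    print(corp_wifi_policy(Packet("10.50.1.7", "10.10.0.5", "tcp", 3389)))
    limiter = PerClientLimiter(rate=GUEST_RATE_BYTES_PER_S, burst=GUEST_RATE_BYTES_PER_S)
    print(limiter.allow(guest, 1_500_000, 0.0), limiter.allow(guest, 1_500_000, 0.0))
```

The order of the checks matters: the schedule is evaluated first because a disabled SSID should reject everything, and the DNS exception is evaluated before the private-address block so the resolver rule cannot be bypassed by pointing at an internal DNS server on port 53.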
For quite a few years now there has been the Zero Trust methodology, which is getting more and more popular. It is definitely one of the best methods out there to lock down your infrastructure. If you want to find out what the Zero Trust model is, here is a very good article on the matter: https://www.cloudflare.com/en-gb/learning/security/glossary/what-is-zero-trust/.
See you in the next part where we will discuss software.