This article aims to raise awareness about using the internet in a business or education context. It explains what both sides (users and the company) need to do, and how a long-term security plan for a remote work or education environment can be built up gradually. In larger companies or institutions, specialists in the IT service department take care of this issue. Users and smaller businesses, however, need some guidance, and this article can serve that purpose.
1.1 Home Office
The home office is the work environment of the future. There will always be people who work from home, and their number will keep increasing over time. It is therefore a concern for most of today's institutions.
1.2 Secure home Office
All data is valuable. Data security assures not only the privacy (confidentiality) of digital data but also the safety (integrity) of that data. This means that the data (work) will not get lost, stolen or manipulated.
The fundamentals of securing a home office environment, and how to secure the data and the connection, are described in the following sections.
- Securely connect to the router in section 2
- Securely connect to the institution in section 3
- Securely manage users connected to the institution in section 4
- Secure the data by taking regular backups in section 5
- Improve users' behaviour by raising their awareness in section 6
1.3 Usable security
Unusable security is no security. Any implemented security measure must be easy to apply, with as little effort as possible. Not every user is an IT security specialist, and even specialists cannot know everything. But security needs to be assured for every user in the network: any network is only as strong as its weakest link.
The instructions for the users are presented with examples.
- The Windows version used is Windows 8.1 (Windows 10 and Windows 11 require the same steps). Always use a password to lock and unlock Windows. Encrypting the hard drive with BitLocker is also advisable.
- The routers used are D-Link and TP-Link (any other router that supports the same settings can be used).
These steps need to be applied to all wireless routers, regardless of whether the home-office PC connects to the router through an Ethernet cable or through a wireless signal.
2.1 Use protected wireless signals
First things first: make sure your network is protected by a WPA/WPA2 pre-shared key (the wireless password) with AES encryption. Do not use unprotected wireless networks, and do not connect by cable to any router that is broadcasting an unprotected wireless access point.
To check this under any Windows version, run the following command in a console such as cmd or PowerShell.
netsh wlan show interfaces
In the response, the Authentication field needs to be WPA2, as follows:
    Name                   : Wi-Fi
    Description            : Intel(R) Dual Band Wireless-AC
    GUID                   : ********-****-****-****-000000000000
    Physical address       : **:**:**:**:**:**
    State                  : connected
    SSID                   : RoutersName
    BSSID                  : **:**:**:**:**:**
    Network type           : Infrastructure
    Radio type             : 802.11n
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Connection mode        : Auto Connect
    Channel                : 3
    Receive rate (Mbps)    : 144.4
    Transmit rate (Mbps)   : 144.4
    Signal                 : 95%
    Profile                : RoutersName
    Hosted network status  : Not started
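The check described above can be automated. The following PowerShell function is an added example, not part of the original article: it parses the output of netsh wlan show interfaces and reports whether the link uses WPA2 with an AES-based cipher (CCMP). The function name Get-WlanSecurity and its verdict texts are hypothetical; it assumes English-language netsh output and a single Wi-Fi adapter, and it also accepts WPA3, which goes beyond the article's WPA2 check.

```powershell
# Added example, not from the original article.
# Assumptions: English-language netsh output and a single Wi-Fi adapter.
function Get-WlanSecurity {
    param([string[]]$Lines)

    # Collect "Key : Value" pairs; the key ends at the first colon, so values
    # that contain colons themselves (MAC addresses) stay intact.
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $auth   = [string]$fields['Authentication']
    $cipher = [string]$fields['Cipher']

    if (-not $auth) {
        $verdict = 'UNKNOWN: no Authentication field (not connected or localized output)'
    } elseif ($auth -match '^WPA[23]' -and $cipher -match '^(CCMP|GCMP)') {
        $verdict = 'OK: WPA2 or newer with an AES-based cipher'
    } elseif ($auth -match '^WPA') {
        $verdict = 'REVIEW: not WPA2 with an AES cipher; change the router settings'
    } else {
        $verdict = 'UNPROTECTED: open or WEP network; do not use it for work'
    }

    [pscustomobject]@{
        SSID           = $fields['SSID']
        Authentication = $auth
        Cipher         = $cipher
        Verdict        = $verdict
    }
}

# Sample input taken from the output shown in the article (shortened).
$sample = @'
    Name                   : Wi-Fi
    Physical address       : **:**:**:**:**:**
    SSID                   : RoutersName
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
'@ -split "`r?`n"

Get-WlanSecurity -Lines $sample

# Live check of the current connection:
# Get-WlanSecurity -Lines (netsh wlan show interfaces)
```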
Alternatively, it can be checked and edited on the router's settings page, which is reached by typing the router's IP address into the URL bar of a web browser. To find the router's IP address, run the following command in cmd.
In the response, look for the default gateway of the Wi-Fi adapter if connected through Wi-Fi, or of the Ethernet adapter if connected through a cable.
    Connection-specific DNS Suffix  . :
    IPv6 Address. . . . . . . . . . . : ****:****::0000
    Temporary IPv6 Address. . . . . . : ****:****::0000
    Link-local IPv6 Address . . . . . : ****::****:****::0000
    IPv4 Address. . . . . . . . . . . : 192.168.1.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
The IP address of the router is shown next to Default Gateway. In our case it is http://192.168.1.1. Navigate to this address by typing it into the URL bar of any browser. If they have not yet been changed, the default username and password can be found on the manufacturer's website or may be printed on the router itself. In our case we sign in to the router's settings using the following credentials (Username: admin, Password: admin). These default credentials can differ between router models.
Check or change the wireless security settings as follows.
Make the same changes for both 2 and 5 GHz networks if available.
2.2 No strange users are connected to your network
There should be no unknown devices connected to the network. (If there are, change the wireless password as in the previous step.)
Check the connected devices for both wired and wireless networks.
2.3 Disable possible vulnerabilities
Disable the WPS option if it is not explicitly needed. Especially on older routers, the WPS feature was vulnerable to brute-force attacks. Most newer routers are patched today, but better safe than sorry: disable it if it is not explicitly needed or used.
3.1 Commercial VPNs
Using a VPN in a general context is a question of trust: who is more trustworthy, the ISP or the VPN service provider? With a VPN service the data is hidden from the ISP, but not from the VPN company itself, because its servers act like proxy servers. Every connection between the user and the VPN server is encrypted, but the same request continues to the target server without the VPN's encryption as soon as it leaves the proxy server. History shows that VPN companies can lie about their data collection policies. The collected telemetry data from these companies is also a myth.
3.2 Zero trust policy
A zero trust policy is always the best way to ensure security, but most of the time it is not the most efficient way. Institutions cannot invest time in developing or implementing their own security solutions. Here, automated solutions play a key role in businesses.
3.3 VPNs in home-office context
In the home-office context the VPN is provided by the institution itself, so the work payload is encrypted through the Virtual Private Network. VPNs can be used in conjunction with an existing WiFi network to ensure that data is encrypted when it is sent to and from your office. VPNs also anonymize an employee's web traffic when they are working remotely and using a less secure WiFi signal. With full-tunnel VPN connections, all remote host traffic goes through the corporate network. This can cause some performance issues, especially when users stay on the VPN after finishing their work or study.
How is a VPN connection set up between the corporate network and its users? The OpenVPN protocol is safe and easy to set up. The corporate network's router needs to support the OpenVPN protocol. The manufacturer will have a guide that can be followed.
In our case:
- TP-Link: https://www.tp-link.com/us/support/faq/1239/.
- D-Link: The router model used does not support the VPN protocol. The router can be flashed with custom firmware (such as pfSense, OpenWrt or DD-WRT) to support OpenVPN, but this article does not cover that.
On the user side, the OpenVPN GUI client can be installed and used to connect to the institution's router. It is easy to set up and use.
4.1 Network structure
An excellent strategy is to separate departments, rooms and servers, physically or virtually, in order to isolate them; this offers secure, authenticated proxy services that sit in front of applications. That won't solve all problems, but it can drastically reduce the surface area you present to malicious users. Monitoring and logging the network traffic is also indispensable. In addition to monitoring tools, the tools described in this section are also used. Which tool or tools are needed depends on the context and the need. Always keep it simple: over-engineering any security application can lead to unintended vulnerabilities.
Firewalls regulate network traffic in several ways:
Packet filtering firewalls: These firewalls examine packets as they attempt to pass in and out of the network, to check whether they comply with the security rules. They compare packets against filters that identify network threats and then block unwanted packets. They work by inspecting specific metadata such as source and destination IP address, port number, protocol, and other surface-level data. Packet filtering firewalls don't open and examine the contents of packets. Any data packet that fails the simple inspection is dropped. These firewalls are not resource-intensive and have a low impact on system performance. Their main disadvantage is that they provide only basic protection, which is vulnerable to being bypassed. Packet filtering firewalls can be either stateful or stateless. Stateless firewalls analyze each packet individually, whereas stateful firewalls, the more secure option, take previously inspected packets into consideration. Stateful inspection conducts an in-depth examination of a data packet's elements, such as source IP addresses and ports, and compares them against a database of trusted information to ensure that data packets aren't malicious.
Proxy firewalls: Also known as application-level firewalls. These firewalls may work more slowly than others, but they are great at mirroring the system behind the firewall, which prevents direct connections between data packets and the end system device. This is useful in keeping malicious data packets away from the main devices. Working as an intermediary between two systems, proxy firewalls monitor traffic at the application layer (protocols at this layer include HTTP and FTP). To detect malicious traffic, both stateful and deep packet inspection are used.
NAT firewalls: Network address translation (NAT) firewalls work by assigning a public address to a group of devices inside a private network. With NAT, individual IP addresses are hidden. This prevents attackers from scanning for IP addresses on a network, so it is not possible to discover certain details from outside of the network. NAT firewalls and proxy firewalls both act as intermediaries connecting groups of devices with external traffic.
Web application firewalls (WAF): These are responsible for filtering, monitoring and blocking data packets as they go in and out of websites or web applications. A WAF can reside on the network, at the host or in the cloud, and it is typically placed in front of one or many websites or applications. WAFs are available as server plugins, cloud services, or network devices. A WAF is most similar to the proxy firewall, but has a more specific focus on defending against application-layer, web-based attackers. It protects web applications from attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among others. While a proxy server protects a client machine's identity by using an intermediary, a WAF is a type of reverse proxy, protecting the server from exposure by having clients pass through the WAF before reaching the server. A WAF operates according to a set of rules often referred to as policies. These policies are designed to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by changing WAF policies.
Next generation firewalls (NGFW): An NGFW is a combination of several technologies chosen according to need, such as packet inspection, stateful inspection, deep packet inspection, intrusion detection and prevention, malware filtering, antivirus and even encrypted traffic inspection. As the threat landscape intensifies, the next-generation firewall (NGFW) is the most popular firewall type available today. Thanks to major improvements in storage space, memory, and processing speeds, it can unpack the packet's data to prevent any packets with malicious data from moving forward. Securing each and every device on your network is still a challenge, but not impossible. With a judicious mix of technology (antivirus/anti-spam, firewall, business activity monitoring, etc.) and management (internet usage policy, BYOD guidelines, identity management, regular updates, etc.) you can ensure that your network, devices and databases are insulated from most threats.
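The difference between stateless and stateful packet filtering described in the packet filtering paragraph above can be shown on a small trace. The following PowerShell sketch is an added example, not part of the original article: the packet trace, the addresses (documentation ranges) and the function names New-Packet, Test-StatelessRule and New-StatefulFilter are constructed for illustration and do not model any real firewall product.

```powershell
# Added example, not from the original article. All packets are constructed.
function New-Packet($Dir, $Src, $SPort, $Dst, $DPort) {
    [pscustomobject]@{ Dir = $Dir; Src = $Src; SPort = $SPort; Dst = $Dst; DPort = $DPort }
}

# One outbound HTTPS request, its genuine reply, and an unsolicited inbound
# packet from another host that merely uses source port 443.
$trace = @(
    (New-Packet 'out' '192.168.1.10' 50100 '203.0.113.5'  443),
    (New-Packet 'in'  '203.0.113.5'  443   '192.168.1.10' 50100),
    (New-Packet 'in'  '198.51.100.7' 443   '192.168.1.10' 50200)
)

# Stateless: every packet is judged on its own. To let web replies back in,
# the rule must accept any inbound packet whose source port is 443.
function Test-StatelessRule($p) {
    if ($p.Dir -eq 'out') { return $true }
    return ($p.SPort -eq 443)
}

# Stateful: remembers outbound flows and accepts an inbound packet only when
# it mirrors a flow that an inside host opened earlier.
function New-StatefulFilter {
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    return {
        param($p)
        if ($p.Dir -eq 'out') {
            [void]$seen.Add("$($p.Src):$($p.SPort)>$($p.Dst):$($p.DPort)")
            return $true
        }
        return $seen.Contains("$($p.Dst):$($p.DPort)>$($p.Src):$($p.SPort)")
    }.GetNewClosure()
}

$stateful = New-StatefulFilter
$trace | ForEach-Object {
    [pscustomobject]@{
        Packet    = "$($_.Dir) $($_.Src):$($_.SPort) -> $($_.Dst):$($_.DPort)"
        Stateless = Test-StatelessRule $_
        Stateful  = & $stateful $_
    }
} | Format-Table -AutoSize
```

The stateless rule passes all three packets, while the stateful filter rejects the third one because no inside host opened a matching connection.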
4.3 Privileged Access Management (PAM)
PAM is sometimes referred to as privileged identity management (PIM) or privileged access security (PAS). It protects against the threats posed by credential theft and privilege misuse. PAM refers to a comprehensive cybersecurity strategy, comprising people, processes and technology, to control, monitor, secure and audit all human and non-human privileged identities and activities across an enterprise IT environment. PAM is grounded in the principle of least privilege, wherein users or programs only receive the minimum levels of access required to perform their job functions. The principle of least privilege is widely considered to be a cybersecurity best practice and is a fundamental step in protecting privileged access to high-value data and assets. By enforcing the principle of least privilege, organizations can reduce the attack surface and mitigate the risk from malicious insiders or external cyber attacks that can lead to costly data breaches.
4.4 Identity Governance and Administration (IGA)
IGA automates the creation, management, and certification of user accounts, roles, and access rights for individual users in an organization. This means companies can streamline user provisioning, password management, policy management, access governance, and access reviews within their business. It is a policy-based approach to identity management and access control. As the name implies, IGA systems merge identity governance and identity administration to provide additional functionality beyond traditional identity and access management (IAM) tools. IGA differs from IAM in that it allows organizations to not only define and enforce IAM policy, but also connect IAM functions to meet audit and compliance requirements. This means Identity Governance and Administration has the distinct purpose to ensure IAM policies are connected and enforced. Identity governance helps support overall IT security and regulatory compliance.
It has two components:
- Identity governance: Processes and policies that cover the segregation of duties, role management, logging, access reviews, analytics, and reporting.
- Identity administration: Account and credential administration, user and device provisioning and deprovisioning, and entitlement management.
4.5 Identity and Access Management (IAM)
IAM is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. The IT managers can control user access to critical information within their organizations. There is a difference between identity management and authentication. Systems used for IAM include single sign-on systems, two-factor authentication, multi-factor authentication and privileged access management. These technologies also provide the ability to securely store identity and profile data as well as data governance functions to ensure that only data that is necessary and relevant is shared. IAM systems can be deployed on premises, provided by a third-party vendor through a cloud-based subscription model or deployed in a hybrid model.
On a fundamental level, IAM encompasses the following components:
- how individuals are identified in a system. (Authentication)
- how roles are identified in a system and how they are assigned to individuals. Adding, removing and updating individuals and their roles in a system. Assigning levels of access to individuals or groups of individuals. (identity management)
In this way it helps protect the sensitive data within the system and secure the system itself. Together, PAM and IAM help to provide fine-grained control, visibility, and auditability over all credentials and privileges.
Regular backups are indispensable for every institution, because the increasing number of home office employees and the increasing dependence of institutions on the Internet increase the likelihood of cyber attacks of all kinds. Not only can these attacks endanger the data; human errors or a bug in code can also seriously risk the security of the data. As a result, not only protection needs to be provided, but also a backup plan that is carried out after a compromise is detected. Partial and full backup plans should be set up, and data restored according to the size of the compromise. The zero trust policy must also be taken into account for paid and free cloud storage solutions. It is preferable to host your own cloud storage server. If this is not a valid option, the data can be encrypted before it is saved to online cloud storage.
6 Security awareness by users
Training should emphasize strong separation of the home and work environments, phishing education and awareness, the need for continuous backups, the importance of security updates to keep devices secure, and always keeping the device locked when it is not in use. Even users with great training and motivation are no guarantee against incidents. The training should also make sure that users know how and whom to contact on the institution's side in a security emergency, such as the person or team responsible for IT security. Gamification is one of the most popular and effective methods in cyber security training today.
Setting up a secure home office environment can be seen as continuous work. Manual and automated monitoring is required to ensure security. The security solutions to set up must also be selected carefully. The solutions need to be usable, and a security solution should never be over-engineered. The human factor must be reduced as much as possible. Automated security solutions and awareness training are the best solutions for this problem.