We have heard, and continue to hear, of instances of a cybersecurity compromise in our families, or have experienced one ourselves. This article is a compilation of best practices that we have heard of or learned from different sources over time. The intent is to give basic education and guidance to stay safe and be protected from a cybersecurity compromise, for us and our families. I hope that you find this useful and share it with your family and friends for the social good.
As we all know, cybersecurity is a very broad topic; many books have been written about it and many companies established to deal with it. In general, no defense through technology or user education can be deemed foolproof. We should assume that it is only a question of time before attackers find a way through, and that only the passage of time can prove a defense's effectiveness. Some of the most sophisticated users have been compromised, but that is no reason not to follow the basics. Security and convenience pull against each other: the highest security is like life in jail with minimal access to Internet resources, and the most lax security results in a compromise with loss of creditworthiness and/or financial assets.
So it is important to be alert and have detection and mitigation mechanisms in place, yet not be alarmed or lose sleep over it.
Common ways of being compromised
- Clicking on malicious links in unsolicited emails
- Clicking on links or calling numbers from unsolicited SMS in smart devices
- Divulging Personal Identifiable Information (PII) e.g. Social Security numbers, Date of Birth, Passport ID etc. in unsolicited phone calls or emails
- Exploitation of vulnerabilities in software
- Applets that are downloaded to an endpoint by visiting compromised websites
- Opening malicious attachments that install malware on endpoints
- Leveraging stolen credentials available on the dark web to log in to our personal online accounts
- Using social engineering tactics by earning trust through unsolicited phone calls or in-person interactions and stealing PII or financial assets
Detection of malice in messages
Ask yourself: does the message look “FAKE”?
- Feelings - does it evoke a strong emotion like excitement or fear
- Action - does it ask you to take an action or to do something with urgency, e.g. request a payment
- Know - do you know the sender, and does it sound out of character or look outside the norm, e.g. poor grammar
- Expect - were you expecting the email or message, and is it from a legitimate sender
Mitigating risks of a compromise
Here are ways to protect ourselves from attacks or, if a compromise has occurred, to detect it and initiate remedial action.
Preventing a malicious network connection
- Avoid connecting to unknown WiFi hotspots in public spaces. Anybody can set up such a hotspot and capture the traffic passing through it. To mitigate this risk, in hotspots such as airports establish a VPN connection to a head end, combined with multi-factor authentication (MFA), before accessing resources. This mitigates the risk of man-in-the-middle attacks where a malicious device advertises the SSID of a legitimate network.
- Connecting to 4G/5G networks is less risky than WiFi, as it is not easy to tap traffic inside a carrier's cellular network. However, cell phone networks are vulnerable to downgrade attacks, where (in a foreign country, for example) you are forced off a 4G network onto 2G or 3G. The earlier standards are not secure, and you should not access bank or other sensitive sites over 2G or 3G if you can help it. When you are roaming in another country, your mobile country code and network code are visible to snoopers, which means you can easily be tracked with commercially available equipment. If you are on 2G, shut off your phone and power it up again after 15 minutes to see if you can get onto a 4G/5G network.
- Avoid charging via USB in public places; use a power adapter instead. USB provides a data connection that can be used to exfiltrate data or install malware. If no power outlet is available, turn off the smart device and then charge it. Do not purchase cheap USB-enabled devices or cables; try to stick to known brands.
- Turn off “automatic” bluetooth and WiFi connections while traveling
Preventing malicious web site access
- Set the DNS server handed out by your DHCP setup to a DNS resolver service that redirects attempts to reach malicious or compromised sites to a page forbidding access
- Set up a firewall at the perimeter of the network with web filters that block certain categories and allow only the others. This requires an annual subscription from the vendor to keep it updated. However, there’s always the possibility of mis-categorization resulting in a block, which will require a manual override configuration.
- Don’t access web sites that are not HTTPS or that have invalid certificates. However, HTTPS by itself is not a security measure, as many malicious sites use HTTPS and it is pretty easy to set up such a site. As a safety measure, if the browser reports a security warning about the certificate, it is best to stay away from that site.
- Set up commonly accessed web sites as a browser favorite and use that for access. Attackers use close enough domain names to trick the victim to visit their site that looks identical to the original and then steal sensitive personal information.
Detecting malice in emails
- Pause, check, and hover before you click
- Verify anything that seems out of the ordinary, because it could be a masquerade
- Hover your cursor over every hyperlink before clicking it, to confirm that the true destination matches the legitimate resource
- Maintain a healthy dose of skepticism with online communications, open attachments cautiously, and remember that opening emails or short messages on a mobile device can be especially risky, since links there cannot be inspected by hovering
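A small script that automates the “hover before you click” and close-enough-domain checks from the two lists above, added here as an example (it is not part of the original article). The message body, the bookmark list and every domain name in it are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample message body (not a real email): links 1 and 3 display one
# address but go elsewhere; link 2 is a genuine favorite; link 4 hides a lookalike.
SAMPLE_HTML = """
<p>Your account is locked. Visit <a href="http://examplebank-secure-login.com/verify">
https://www.examplebank.com/login</a> within 24 hours.</p>
<p><a href="https://www.examplebank.com/statements">View statement</a></p>
<p>Offer: <a href="https://examp1ebank.com/offer">examplebank.com</a></p>
<p><a href="https://examplebank-support.net/help">Help center</a></p>
"""

# Domains saved as browser favorites (constructed for this example).
TRUSTED = {"examplebank.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", re.I)

def site(host):
    """Keep the last two labels: www.examplebank.com -> examplebank.com."""
    return ".".join(host.lower().split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance; a small distance between brand names signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(href, text):
    """Apply the 'hover before you click' check to one link and return a verdict."""
    real = site(urlparse(href).hostname or "")
    shown = LOOKS_LIKE_URL.fullmatch(re.sub(r"<[^>]+>", "", text).strip())
    if shown and site(shown.group(1)) != real:
        return "MISMATCH"    # the visible address is not the true destination
    if real in TRUSTED:
        return "TRUSTED"
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        if brand in real or edit_distance(brand, real.split(".")[0]) <= 2:
            return "LOOKALIKE"  # close-enough domain name imitating a favorite
    return "UNKNOWN"         # not a favorite: reach the site via your bookmark instead

def check_links(html):
    return [(href, classify(href, text)) for href, text in ANCHOR_RE.findall(html)]
```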
Mitigating the risk of a compromised password
- Use a strong password or, better, a passphrase. See the references for the top passwords that are used in dictionary attacks, and avoid these. Use a minimum of 10 characters, including special characters, and avoid using PII in them.
- Use a password manager whose data is stored locally or in the cloud. If it is stored locally, back up the data file regularly.
- Set up multi-factor authentication (MFA). MFA combines at least two of: what you know (password), what you have (a one-time password sent to your smart phone or email), and who you are (Face ID or other biometrics). Set up MFA for ALL critical online access: bank accounts, 401(k), brokerage, Amazon and other online retailers
- Rotate passwords twice a year, at least for critical accounts
- Change all default passwords as shipped by the manufacturer, e.g. on cameras, WiFi devices, Internet access devices and so on
Mitigation steps to detect and recover from a compromised email
Mitigation steps to detect unauthorized withdrawals in bank accounts
- Set up alerts in bank and credit card accounts to email and/or SMS when a withdrawal or transfer occurs
- Set up alerts when balance drops below a specified amount
- Check account transactions once a month for transactions that appear suspicious
- Inform the financial institution as soon as a compromise is suspected
Detect and prevent identity theft
- Sign up for reputable credit monitoring, such as Credit Karma from Intuit and Experian. Check scores and activity regularly. Set up your profile to send email alerts on changes. Note that these are monitoring agencies, not enforcement agencies.
- Freeze hard credit inquiries at all bureaus. Lift the freeze when you are applying for credit. This may cause an inconvenience if you apply for credit on a weekend and are not able to, or wonder why it doesn’t go through
- Be careful not to post any sensitive information or travel plans in social media where the home will be unattended
- Avoid accepting friend requests from unknown requesters. Attackers typically need multiple pieces of information to orchestrate an attack, and social media is an easy avenue to get this information. There is nothing to lose by not accepting a request from an unknown person
- Manage and protect your credit with 3-bureau credit monitoring, quarterly access to all 3 FICO Scores, and ID theft protection. Investigate whether a service like Experian CreditWorks Premium will report and block suspicious activity
Mitigating the risk of a compromised device
- Apply software patches as they are released. Enable automatic updates
- Pay for and install reputable total-protection software from Norton, McAfee or similar. Cybersecurity research is not cheap, so we need to pay for it. Avoid any software that has links to countries considered adversarial or a threat actor. Many ISPs provide free virus protection as part of the Internet service, but ensure it is total protection and not just anti-virus.
- Set up a schedule to run regular scans and quarantine suspicious files
- Set up AdBlocker on browsers
- Protect critical documents such as Word documents or Excel spreadsheets with a password that is required to open the document
- Avoid inserting untrusted dongles into a laptop
Recovering from a lost device
- Back up smart phones and computers to reputable cloud providers like Google storage or iCloud. Pay for the required storage
- Search the photos on mobile devices for PII and delete those photos
- Set up account recovery contacts for smart phones
- Enable “find my phone” features to locate the device if you misplace it
Recovering from a lost wallet
- Keep the contact phone numbers for credit card and bank accounts on a device or in the cloud
- Cancel cards and freeze accounts once the loss is detected
Mitigating the risk of compromise through social engineering
- Don’t give an OTP or any PII to an unsolicited caller
- Don’t respond to emails from unknown senders
- Don’t pick up calls from unknown phone numbers. Set up Voice Mail. If it is a caller trying to reach you, they will leave a message with the details that you can then evaluate to decide if it needs a call back
- Don’t respond to SMS from unknown senders
- Don’t give credentials to anyone you did not call yourself at a number known to be the authorized contact number of a financial institution or government agency
- Always do a Google search for the contact number before calling it, as someone may have reported it as fraudulent
General best practices
- Never write usernames, passwords, or PINs on Post-it notes or whiteboard for public display
- Always lock computer screens while away
- Be alert while sharing your screen in online meetings to avoid displaying sensitive information. Share individual applications whenever possible, or close applications not needed for the meeting before joining the call
- Avoid using your usernames and passwords for the purposes of testing in a remote desktop environment, as you will now be at the mercy of the security of the remote desktop
- Maintain a clean desk policy
- Avoid file sharing via USB dongles in untrusted environments like conferences. Always try to share via SharePoint, Dropbox or Google Drive instead
- Using a mobile app is more secure than typing in a URL or clicking on one
- If the storage needed for backup is larger than that provided by cloud providers, savvy folks may want to invest in a Network Attached Storage (NAS) device for backup of computers. Beware of the additional vulnerabilities within the NAS software itself if you are exposing ports to allow access from the Internet to the private network
- Home security devices that use 2.4 GHz WiFi are prone to interference and can easily be jammed. Using multi-band devices reduces but does not eliminate the vulnerability. At a future date, devices may be connected directly to cellular, which will make it far more difficult for an attacker.
- For continued availability, WiFi routers and Internet set-top boxes can be powered via an uninterruptible power supply (UPS) with battery backup to mitigate the effects of power outages
Beware of Freemiums
- Dashcams and home security devices that store your information on the cloud are likely to leak information. Buy from a trusted provider
- Toll tags allow authorities to track your location, possibly also exposing your location to hackers who know about vulnerabilities. There is not much we can do here, other than have all the detection mechanisms outlined earlier in place
Threat vectors - A technical summary
- Remote Code Execution (RCE) - code that exploits vulnerabilities in software
- Viruses and trojans - software that can corrupt data or exfiltrate it
- Spyware - tracks browser activity and collects keystrokes and logins, sending them to an attacker who can use them to access bank accounts
- Adware - Ads in browsers that can change browser settings and possibly collect data
- Ransomware - malware installed on endpoint for extortion by encrypting the system and demanding a ransom payment to decrypt
- Cryptojacking - uses the computer’s processing power to mine cryptocurrency, leading to slowdowns
- Phishing (email), vishing (voicemail or phone calls), smishing (SMS) and quishing (QR codes) - email, voice, SMS and QR codes used to lure the victim into calling phone numbers or clicking on links that start the attack and get the victim to divulge sensitive information. This is by far the most common infection vector
- Social Engineering - using human interactions to gain trust and elicit personal and sensitive information
- Applets - Executables that are downloaded from websites upon access
Useful references
Srikant Ramachandran is a cybersecurity specialist at Fortinet working with major enterprise customers architecting security solutions. Sri has been a technologist for many decades and is an industry expert with extensive experience across multiple technology domains of Public cloud, Cybersecurity, and Enterprise Networking spanning pre-sales, solutions architecture, and implementation. Sri holds a Master of Engineering degree in Computer Science from the Asian Institute of Technology. I would like to acknowledge and thank my classmates for their peer reviews and contributions in the creation of this article.
Systems Engineering Leader | Cybersecurity, Networking, Cloud | Building and Leading world-class Sales Engineering teams
10 months - Appreciate you putting this together for the general benefit of others, Sri!
Executive with international career experience (APAC, MEA, EUROPE, LATAM, NA) and has held roles as CEO, CIO, CTO CDAO, Chief Architect and as Board Member. AI (core R&D & commercial use) & Data Practitioner since 1986.
10 months - Good one, Srikant (Sri) Ramachandran
Cloud CSE at Fortinet
10 months - Amazing article!
10 months - Useful insights into the basics of personal protection, security and safeguarding one's identity. Also very helpful tips for kids and their safety as their use of cell phones goes beyond secured home domains and into public wi-fi and other unsecured wilderness. Great article, Srikant!
Cloud Architect at Humana
10 months - Great article, Srikant (Sri) Ramachandran. Thank you for sharing your knowledge on cybersecurity and translating it to a use case we are all part of.