Thoughts on SOHO:

CISA and the FBI have created guidance based upon recent and ongoing activity targeting small office/home office (SOHO) routers by malicious cyber actors—particularly the PRC-sponsored Volt Typhoon group. I’d like to briefly highlight what SOHO equipment is and where it fits in among those tools that help create a strong cybersecurity posture.

SOHO stands for Small Office/Home Office. It's a category of networking equipment that is designed to be a step up from consumer-grade devices but not as advanced or expensive as enterprise-level equipment. SOHO devices include modems, routers, switches, and Wi-Fi access points that are more robust and feature-rich than typical home devices but are still accessible for small businesses or home offices.

SOHO devices are designed to provide reliable internet and network connectivity for small-scale operations. They often come with more advanced networking capabilities and greater reliability compared to standard consumer devices. In other words, SOHO is basically the (marginal) step up from consumer-grade; consider it entry-level to business/commercial grade. Like the modem/router/wifi device you got from your ISP that is largely neglected in any update processes. People (business IT) update windows, but when was the last time you logged into the web UI of every network device, printer, switch, modem, router, server bios, to upgrade the firmware of said systems? They aren’t all deprecated, however neglected devices are equally as "secure" as deprecated EOL devices.

Here are 3 key aspects of SOHO (again, as they compare to retail/consumer-grade devices; not to be confused with the robust feature sets available on mid-market or enterprise-grade devices): Enhanced Security Features SOHO devices typically include more advanced security features such as firewalls, VPN support, and better encryption methods to protect against cyber threats. Improved Performance These devices can handle higher traffic loads and provide more stable connections, which is crucial for businesses that rely on the internet for their operations. Regular Updates Unlike many consumer devices, SOHO equipment is usually supported with regular firmware updates from the manufacturer to address security vulnerabilities and improve performance.

Why SOHO is Necessary for Strong Cybersecurity?

Consumer-grade devices, like the modem/router you might get from your ISP, often do not receive regular firmware updates. Firmware is the software that operates the device, and outdated firmware can have security vulnerabilities that hackers can exploit. SOHO devices are more likely to receive these updates, ensuring they remain secure.

Many people are diligent about updating their computer operating systems, like Windows, but often neglect other network devices. This includes modems, routers, switches, and even printers. These devices can be just as vulnerable as computers if not kept up to date. SOHO helps make up for a “neglection gap” in one’s typical cybersecurity posture.

Also keep in mind that a device that is no longer supported by the manufacturer (End Of Life or EOL) is considered deprecated. This means it won’t receive any more updates, leaving it vulnerable to new security threats. There are real security risks with depreciated devices. But as you can expect, a supported device that is not being patched is often no better than a deprecated device.

Finally, I’d to end with a few practical steps for maintaining a robust network and defense for your home office or small business:

1. Regularly Update Firmware. Log into the web interface of your network devices periodically to check for and install firmware updates. This includes your router, modem, switches, printers, and any other network-connected devices.

Protip: Some auto-update features allow attackers to present malicious code under the guise of an update, where auto-updated devices can fall victim.

2. Use Strong and Unique Passwords. Ensure all your network devices are secured with strong, unique passwords. At all costs, avoid using default passwords that come with the device.

3. Enable Security Features. Make use of the advanced security features available on your SOHO devices, such as firewalls and VPNs.

Protip: Just because a security feature breaks functionality of a site is not a sound excuse for disabling said security feature (looking at you, basic IT providers) – troubleshoot and ensure the blocked site hasn’t recently been compromised or otherwise blocked for legitimate reasoning.

4. Monitor Network Activity. Keep an eye on your network for any unusual activity that could indicate a security breach. There are certain tell-tale signs.

Be equally as cautious of filtering outbound connections as you are with inbound connections.

On a reactionary basis, we’re looking for anomalies:

Unexpected upstream bandwidth???You may be a live victim of data exfiltration.

Unexpected ports or services connecting?? An endpoint may be contacting C2 Servers.

By understanding and implementing these practices, even a small office or home office can maintain strong cybersecurity and protect against potential threats. Remember, EOL and deprecated devices are precisely identical. EOL equals deprecated hardware/firmware/software that is currently unsupported by the manufacturer or vendor.

Stay vigilant and suspicious.