Segmenting Your Home Network For Stronger Security
The rise of remote work has triggered an increase in certain types of cybercrime. According to recent global threat reports from FortiGuard Labs, the top attack targets switched from corporate devices and applications to things like consumer-grade routers and devices like DVRs, which are normally attached to home networks — that are notoriously unpatched and undersecured.
The reason is that cybercriminals are hoping to leverage the "home branch" to access the corporate data center by infiltrating the home network through a compromised device. One way to prevent this is to isolate work devices and connections from the rest of the home network. Network segmentation is a technique long used at the enterprise level that can also be applied to the home in a way that's affordable and fairly easy. Let's take a look at current risks, how network segmentation helps, and how it can be implemented.
Understanding the risks
The increase in mobile technology, IoT and smart devices means that there are more and more devices attached to your home network – this includes everything from the obvious (laptops, tablets, cellphones) to things like gaming devices, smart speakers, your home security system, home routers and modems, and more. The problem is, many of these devices are either cheaply produced or simply less secure by default than corporate versions. And as the number of IoT devices on the network increases, so does the number of potential vectors for cyber incidents.
And because of the pandemic, we saw a massive shift to remote work and distance school — which means that many corporate and school-issued devices are now sharing home networks with vulnerable devices. And that means your video game and home entertainment systems are likely on the same network as the laptop you're using to access your company's sensitive information – and on the same network your kids are using to browse the internet.
Bad actors know this, and they are highly motivated to take advantage of this situation because rather than spending resources building new attacks, they can simply reuse older malware that — while no longer effective against corporate assets — works just fine on home networks.
What is network segmentation?
Digital innovation is significantly changing organizations, adding new network edges, such as dynamic multi-cloud platforms, to enable new services and business opportunities. However, adding new environments can also compound risk. Network segmentation is commonly used in corporate IT settings to isolate and separate network segments, workers, devices, and other resources. Essentially, it's an approach that divides a network into multiple segments or subnets — with each acting as its own small network.
Enterprises use segmentation to improve monitoring, boost performance, localize technical issues, and improve security. It lets network administrators control the flow of traffic between subnets, based on granular policies. And it gives network security personnel a way to prevent unauthorized users — whether insiders or malicious attackers — from moving laterally across a network to gain access to valuable assets and information.
You can apply this same approach to your home office or network. It's the same idea as protecting a physical environment from burglary or theft. A bank, for example, not only has locks on the doors and windows to secure the perimeter, but it also has locks and passcodes on the teller cash drawers, a lock on the door to the safe, and individual locks on safety deposit boxes inside the safe. So even if a bad actor gets inside, and even manages to get inside the cash drawer of a teller, it is still extremely difficult to gain access to the rest of the assets inside the bank.
This is the basic premise behind home network segmentation. And this also ties directly into the security concept of zero trust, a network security philosophy that states no one inside or outside the network should be trusted unless their identification has been thoroughly checked. Zero trust operates on the assumption that threats both outside and inside the network are an omnipresent factor.
Steps for getting started
The idea is to set up separate networks for trusted devices (such as your company-issued laptop) and for non-trusted devices – which could include things like your home entertainment system or your kids' tablets or smart phones. Fortunately, it's not as difficult as it sounds. There are three basic steps:
Step 1: Identify which devices should be on a trusted network versus a personal network. This requires some analysis. First, you need to identify everything connected to your network. This can be trickier than it sounds, as many devices, like the ones that belong to friends, may only be connected temporarily. Then you need to divide them into three groups: work, home, and guest.
Devices you use to connect to corporate resources should be assigned to the work network. This will include things like your company laptop and perhaps even your smartphone if you use it for work purposes. A personal or home network should be set up for things like personal devices, gaming and entertainment systems, and IoT devices such as smart appliances. And a guest network should be set up for temporary visitors.
You may also want to set up an additional personal trusted network to be used when you're dealing with sensitive information, such as filing taxes or conducting online banking, for your home security system, or to provide an extra layer of protection for your kids while they are attending online school.
Step 2: Configure those devices. Once you've identified which devices go on which networks, you will need to configure them. Many wireless routers offer the ability to set up multiple networks, each with their own security settings, names, and passwords, which makes this much easier. Another, more expensive option is to have two separate routers. That way, the devices you use for work will attach to their own separate WiFi access point.
Organizations are increasingly providing this sort of solution for their remote workers, especially for those employees who handle sensitive information or for super users who need a high level of dedicated bandwidth. New desktop SD-WAN (software-defined wide area network) devices provide corporate-grade secure connectivity, including WiFi, so remote workers can set up a fully functional home office with a dedicated connection to the corporate network and cloud-based applications and resources.
Step 3: Maintain this setup. You have to stay vigilant — especially anytime you introduce a new device to your network. It's tempting to think that the new smart TV you bought at your local electronics store will have security innately built in, but that's not a safe assumption. You're going to need to ensure devices like this are added to your "non-trusted" network.
Segmenting for security
For cybercriminals, the global shift to remote work has presented a gold mine of opportunity. Many have changed their strategy, targeting consumers and home networks because of their weaker security posture. But you don't have to be one of their victims. Along with training, patching and updating devices, and installing endpoint security (many companies are providing remote workers with security software for both corporate and personal devices), an effective component of a cybersecurity strategy is network segmentation. It allows you to assign devices to different networks within your home based on the different levels of trust you need.
By following the steps listed above, you can reduce risk both to yourself and to your employer.
(Derek Manky is the chief of security insights and global threat alliances at FortiGuard Labs)
© Copyright IBTimes 2024. All rights reserved.