Listen to learn how to set up a firewall at home and other Internet safety best practices.
"Hackers don't solely go after Fortune 500 companies. Almost everyone I know has some story with their Facebook getting hacked, or their bank information getting stolen. The way to tackle that is cybersecurity for yourself."
It's a common misconception that hackers only go after large companies or entities, when in reality they target normal people every day. Building your cybersecurity at home is essential to maintain a safe network from these threats.
Noah Pack (Threat Hunter/Security Operations Center Analyst, Security+, ITF+, Sophos Certified Engineer) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss the best things you can do to build your home cybersecurity.
Resources:
Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide
Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Hello, and welcome back to the SecurityMetrics podcast. I'm Jen Stone. I'm one of the principal security analysts here at SecurityMetrics, and I am very excited today to talk to one of my colleagues. His name is Noah Pack.
Noah is a threat hunter and security operations center analyst here at SecurityMetrics. If you follow our news podcast, you probably know him from there. Noah and Heff come up with a news podcast. How often is it?
Like, every Every other week.
Every other week.
Yeah.
So, when you're not listening to this podcast, you can always head over to theirs. I love it. I listen to it whenever it comes out. I so I should know when it happens. But what is time? So let me tell you a bit a little bit about Noah.
He's got some Security+, ITF+, Sophos Certified Engineer. He's very into the security operations, so hands on. So where I will go and take a look at your systems and your program and say where you probably could improve it. He does the actual work. He does the actual threat hunting and I really admire that. Noah, thank you for coming and talking to me. Welcome to the show.
Thank you so much for having me on. I'm excited to be here.
Excellent. Well, we thought that it would be a good topic today, to talk about, you know, security away from the office. So a lot of us, we have that that security built into when we are actually working on our home systems and we have all of the security controls taken care of for us. You know, there's very little as as as professionals in an office situation.
If your security team has taken care of things correctly, there's very little that you actually have to to think about because it's already there. You have to use multi factor authentication. You have to keep your your antivirus going because you can't affect it. Right? So if these things are set up properly, then it's almost seamless to you. But then you go home and think, hopefully, hey, maybe I should have security here as well.
I hope people are thinking that. Yeah.
And maybe that's an assumption. Maybe I'm wrong. Maybe most people are like, I don't wanna think about security. Because sometimes it can be kind of, like an afterthought. Like, why does this surely, somebody's handling it for me here. Is my ISP doing it right? Like, what do we even have to think about?
Why why why should we think about it at home? What's why is that important at home?
It's because attackers don't solely go after Fortune 500 companies or humongous paydays.
Almost everyone I know has some sort of story with their Facebook account getting hacked or their bank banking information being stolen. And if either of those things have happened to you, you know that it's extremely frustrating and inconvenient. And the way to tackle that is cybersecurity for yourself, for your home.
Right. But it can feel like super overwhelming. Right?
Because you're Hundred percent.
There's a lot to it and you're just one person.
Right.
Yeah. And so so if someone says, okay. Yes. I know I should do this at home, but I don't even know where to start. What would you tell people where to start?
Tell people to start with their antivirus on their computer.
Make sure that you have Windows Defender enabled and you're running regular virus scans because you can change your passwords as much as you want. But if you have a virus that's stealing those passwords, it doesn't do you any good.
So so let's let's talk about antivirus for just a minute.
So like you said, Windows Defender or Microsoft Defender or whatever the Yeah.
Tech defender, you know, they're talking about now. That's free on all Windows machines now. It just comes with it.
Yeah. Yeah. It's pretty great.
Right? And that's actually when it first started out, it wasn't that great.
Yeah. Oh, believe me. I know. Yeah.
And so a lot come a long way.
Yeah. So a lot of my people might be saying, well, you know, I heard that it wasn't good. You're right. It was not good in the past.
But it has grown up a lot and it really is, it's a decent product now. So, Windows Defender, but what if they don't have a Windows machine? Macs don't get viruses. Right?
Oh, that's totally wrong. No.
Actually Oh.
There's more viruses being made for Macs than Windows.
Yeah.
So But that's another thing that a lot of people think because that's the that is the truth that that was so up until about probably five years ago even.
Yeah. You're right.
So, is there do you know if there's like an equivalent free version for Mac? I should have looked that up before I asked that question.
No. I actually don't know.
I've never been in an environment where I'm Where you're really supporting using the built in antivirus in an enterprise environment.
I have used Sophos on Mac endpoints before, and it has done wonders for us. So that's one I could recommend if you're a Mac user.
Alright. Great.
And an antivirus is it's not just making sure it's running, but it's also is it doing the scans? So go in try not to be too afraid of the configuration. Right? You go in and take a look and see what are the defaults and do you think that's going to suit what you've got going on in your home or not? And and kind of maybe do a deep dive on it and and ask yourself, do these look right? But if that feels overwhelming and you don't wanna even do that, just make sure that you have it on. Just start with Exactly.
Yeah.
Start with the default. Start somewhere. And and antivirus is a great way place to start. Okay.
So then you said passwords. Tell me tell me about where people can get themselves into trouble with passwords at home. You know what? One thing that occurs to me is reusing passwords.
We tell people don't reuse passwords, but that oh, some people don't even know what that means.
Yeah. That's a really big problem. It's when people use the same password for different accounts on different sites or with different services. Right. Maybe their email password is the same password to their computer. Right. That's pretty common.
And or to their banking.
Yeah. That that is really bad, especially.
So, you know, when you get the the message that says your pass your, we had a breach and your password was compromised. Go change your password.
What's frustrating to me is it's of course, they're gonna change their password on that. So let's say Facebook get Facebook gets popped in. You're using your email address and and password there. And it's the same email address and password you're using for your banking. Right?
Yeah.
What they don't tell you is go change this password everywhere else you use it because the bad guys will then take it and try it at all sorts of banks.
Username, password. Oh, does this work? Oh, it does. Great.
And so when when you get that notification that your password has been compromised, you gotta think where else am I using this password?
Yep. You definitely have to do that. Make sure you're using different, very different passwords for every account.
That's hard to do though.
Yeah, it is. But if you have a secure way of storing it, it becomes a lot easier. So you could use a password manager like LastPass or I'm not against having a physical notebook that you keep locked up in your house because it's pretty unlikely that somebody's gonna break in and steal your notebook.
Yeah. So We used to say don't write your password down, But really, that's in a work environment where somebody is going to take your work password and and use it there on the work system. Right?
Right.
But if you're at home and you have a password book, that's not gonna be so much of a problem depending on on how nefarious your kids are.
Yeah.
If they can get into your banking, that might be a niche gift.
I don't know.
But, you know, there's different ways to make sure that you keep it secure though, that you don't want your password to be so secret and secure that you can't remember what it is.
Oh, I can't remember almost any of my passwords because they're so long.
Right. But you wanna be able to look it up.
Right.
So Yep. You wanna find what you either where you've written it down or I use LastPass personally. And I think it does a really good job.
Yes, it has had its issues, but I always look at it, if you're using some kind of anything, a service that gets breached, it's a lot more about how do they recover from that breach than the breach happened in the first place. Although, of course, we don't want the breach to happen in the first place. But if it does, you can really look at how does that company respond and recover from that. Did they take any learnings away from that?
Not just be like, oh, well, they got breached. I'm never gonna use them again. That doesn't seem like they waited.
This episode is brought to you by our SecurityMetrics penetration testing team.
They do a lot of pen tests. They do a lot, like, network layer, application layer, segmentation checks. They're very, very knowledgeable and some of them have even won, like, competitions at Defcon. So you can rely on these guys to know what they're doing.
Head over to securitymetrics.com to learn more about pen testing.
You wrote an article recently I did.
Yep.
On, the Osiris codex? Tell me tell me about that. This you were a guest author or something?
I was. So this is a publication online aimed at the intersection of information security and national security.
So it's mainly people that work in the DOD that are kind of the common reader of this and my article was about how useful it might be to have a firewall in your home network, especially targeted towards these people. And it's incredibly useful and important because adversaries to the United States are attacking DOD contractors or people that work at the DOD through their home network to try and get into the government. And a firewall is one of the ways to help mitigate that risk.
Okay. And that's awesome. And I agree with you. But a lot of people, when I say, do you have a firewall at home?
They go, that seems big and overwhelming and I don't even know where to start. Yeah. So let's say a lot of our home users are very intelligent people, but they don't know firewalls. Right?
Yeah.
So what do you tell them?
So firewall is a device that you can use to segment your home network. So you can split it up so some of the devices can't see other devices on your network. For example, you might not want your smart light bulbs to see your desktop computer or your work computer when you're working from home. Mhmm. That might be a good choice and a good use case for a firewall.
But the best use case, I would say, is to pair it with an intrusion detection system and an intrusion prevention system.
And that will help prevent malware. It'll catch a lot of different types of attacks and kinda reduce that attack surface against your home network.
So let's say somebody wants to implement or configure an existing firewall on their home network, where would you tell them to start?
It it depends on who it is. You know?
If it's someone that doesn't have a lot of experience in IT or they've maybe never set up a router before, a home Wi-Fi router, this is going to be a little bit difficult for them. So I'd recommend they go with a more user friendly firewall, like a Ubiquiti.
That'd be a good choice. But if you kind of know what you're doing, you know your way around the command line, pfSense or OPNsense, it's a really good choice and it offers a little bit more customizability.
Right. So people who and we have all sorts of people who listen to this podcast that have the range. Now some people are like, yeah.
I've done many, many firewalls. And other people just tell them, hey. Put in a firewall, and it kind of gives them a sense of anxiety.
But like almost everything else in in this world, YouTube has instructions for everything. So let's say that you currently have a firewall, but you don't even know how to access it.
You can do some searching and and YouTube will get you started on that.
Oh, yeah. There's some great YouTube videos out there. How to set up a firewall, how to install your firewall, basics of networking. Those are all videos you'd be interested in watching if you're gonna do a project like this.
Since you mentioned the the basics of networking, one of the things that you talked about was segmentation.
Why is segmentation important? What does it help with in terms of security?
So when your network is segmented, it's like the devices are on their own completely different network. If you think of it like rooms, it would be like one room has, maybe your smart TV and your smart doorbell. And another room has maybe, like, your phones. And another room has your desktop computer and your work computer, something like that.
And that's gonna prevent malware that gets on one of these devices from spreading to another segment or, like, another room. So because if you set it up correctly If you set it up correctly it's not gonna jump from room to room. Instead, it has to go through some pretty good rules Yep.
To to to let it know whether it's supposed to to cross or not. Then the other thing that you talked about was intrusion detection, intrusion prevention. Yep. Can you give, like, the basics of what that is and why it would be helpful?
Yeah. So an intrusion detection intrusion prevention is like if you have a castle and somebody wants to get into the castle, they have to call up to the guard and say, oh, I'm this person. And the guard is like, okay, open the gate. And then they come through. Right? Right. So that's like that kind of a setup for your network.
Okay.
And intrusion detection and intrusion prevention will say, oh, this packet that's coming in, it looks like it might have malware, so we're gonna block it. And that'll prevent you from maybe accidentally downloading malware or some kind of attack. But it it's also not perfect.
Basically, what's a packet?
It's a little piece of information that flows through the Internet.
Yeah. Yeah. And it it can hold it can hold a tiny bit of information. It can hold a good chunk of information.
Kind of depends, you know, how the packets are connected with each other and and the way they come through. Right? So don't be scared about the name packet. It's just all it means is it is a bit of information.
And and it's how, again, how the firewall looks at and allows or disallows information to come into your systems.
Yep. Exactly.
So what other kinds of things would you recommend for home security?
So my number one thing for people that say, oh, firewall is too much work, but I'm willing to set up my antivirus and my passwords.
I would say, okay, well take a look at your router.
Search up the model number with the words breach or virus or vulnerability probably.
And if your router's affected by some kind of vulnerability, just unplug it and throw it in the trash.
I tell people all the time, like, if your router came with your house and it's like ten years old, just throw it away at this point.
Actually. No. Because it's not being supported anymore. You can't even patch it to the point where you're gonna need to where it's going to be secure for you.
Yeah. You wanna patch your router as every time there's an update available right away. Just go for it because that's gonna provide security updates.
Right. So, another thing that I tell people is that most of these firewalls come with, and routers come with, default usernames and passwords.
That is a big one. Yeah.
And that means that anybody who knows what kind of system you have and you can just by basically asking it, what kind of system are you?
We'll come back and tell you what kind it is. And then you can go look up all of the usernames and passwords are listed on the internet somewhere.
Yep.
And then you can get in and suddenly have control over that environment.
Yeah. You definitely wanna change the default Wi-Fi name, Wi-Fi password, the admin name and the admin password if you can on your router, and you want to make those complicated passwords.
Right.
Because the way that people kind of hack your Wi-Fi to get onto your network is with attacks that guess the most common passwords.
Right.
That's the usual type of way. So if your password is thirty two characters long with a bunch of symbols and no nothing that makes sense to the untrained eye Mhmm. Then you're gonna be a lot less likely to be Yeah. Hacked into.
Yeah. A lot of people I've seen, they'll they'll make the password password.
Oh, that's cool.
Or they'll make, like, password one two three. Or they'll make the password the same thing as the SSID, the Wi-Fi name. They'll repeat the Wi-Fi name as the password or maybe put a one after it because that's not sneaky. Alright.
So changing those is really important. You know what else I find I get pinged a lot for on on Instagram, actually, is, hey. My Instagram account got hacked. Is there anything you can do?
And, unfortunately, there's just not. I mean, the people at Instagram, there's almost like they have no support. And they they don't care.
Oh, yeah. Somebody came to us in the threat intelligence center this past week and said the same thing. Oh, my Instagram was hacked. Is there anything you guys can do to help me out? And we tried everything we could, but Yeah. Really it's onto Instagram and their support isn't gonna do very much for you unless you've got millions of followers probably and are bringing in money for Instagram.
Yeah. Maybe. But even then, man, they're not very good at protecting people. And so I always try and tell people before it happens. And you always feel bad because you're like, yeah, sorry that happened to you. Well, if you get it back or, you know, if you decide to do a new account, but really all you can tell people is make sure two factor, multi factor authentication is in place.
Yep. You want two factor authentication on every single account, especially like your bank, your social media, things like that. And I would advise against using your phone as the backup Yeah. If you can do it, because a common attack that we're seeing too is called SIM swapping.
And that's where somebody will call up your phone provider and say, Hi, I'm Jen Stone and I lost my phone. Can you send me a new SIM card to this totally random address?
Yeah.
And your phone provider's like, oh, yeah, totally. We'll we'll send that right out.
Mhmm.
And then now that person has access to your two factor authentication code Right.
When it comes in to get into your account. So the other thing you'd wanna do to prevent that is to call up your phone service provider and tell them if I ever request a new SIM card or wanna make changes to my account, make me read off this password.
Right. And more of them are starting to do that by default when you set up the account is is what is what are your SIM request passwords? You know, what is what is the protocol for that? And so it's not entirely ironed out, and a lot of them don't have that in place yet. But, yeah, that's still a problem.
So putting multifactor in place in your social media is super important. But it's not just social media. There are people who don't have multifactor in place on their bank accounts. Oh, no. I know.
And some banks won't allow you to not have it.
Which is good.
Yeah. It's it's absolutely required. And a lot of times I hear people say, well, it slows me down or, you know, there's there's a variety of excuses that I hear for them not wanting in place. And what's what's your response to that?
I'd say, has your bank account ever been hacked? And then they'd say, oh, no. No. I was like, well, I know someone who did and it took them, like, a month to get their finances figured out, to get their money back. And if you're not willing to type in an extra password when you're logging into your bank, you're exposing yourself to that risk.
Yep. For sure. So what else for home security can you advise people?
I'd say to keep track of what software you're using across your devices and keep that updated as well.
The apps on your phone, your phone's operating system, you want to update that.
Don't let things get too old that they're not supported anymore by the manufacturer.
And, yeah, that's kind of the basics of home network security.
Yeah. That's a good one. So patching systems and also patching up operating systems.
Yep. Especially.
Yeah. Because if you have, let's say you have a Windows machine that says, Hey, this is ready to install. And you're like, Oh, I don't have time for that. I'm just not going to do it.
But you might not know that there's a security vulnerability there that you're going to actually expose yourself possibly to a ransomware attack Oh, yeah.
Or some of these other very common issues if you don't update that. And unfortunately, the computer basically does all the work for you. It says, hey.
Yeah. Can I can I do this now? And you can go, yes. Please do this now. Right? It's not like you actually have to know a lot about a system to be able to update it.
Yep.
And if you do, if it's difficult or if it's not working, probably your system is so old at that point that you just need to get rid of it.
Sadly Yeah.
Computers are not something that are even intended to to last for a lot of years. You know, you get to four or five years and that's it's getting pretty up there in age.
Yeah.
It's almost like planned obsolescence Yeah. With some of these devices.
I'd recommend before you buy something used or even before you buy kinda any big tech purchase to look at the end of life from the manufacturer.
Can you explain end of life?
That's when the manufacturer is gonna stop supporting the device, providing security updates.
Right. It's the and so people are like, well, I don't care.
I don't ask for support anyway, but it's providing the security updates That's what you need.
That really gets you in trouble at end of life. Just because you aren't getting a message, hey, a patch is ready to go because of a security update, doesn't mean there's not a vulnerability there. So there's a lot of times where people have gotten in trouble like the Windows XP when that was past end of life and people weren't updating and then all of a sudden, you know, we got all that WannaCry coming through and just wiping people out. Right?
Oh, yeah. Security awareness. That's another thing. Just browsing the internet safely because you can have the best security on your computer, your antivirus, you can have a firewall, But if you're maybe downloading movies from free movies one hundred and twenty three whatever dot com.
That's sketchy.
Oh, one hundred percent.
You are definitely gonna get a virus. Like it is only a matter of time.
So make sure when you're downloading things, it's right from the publisher.
Don't steal. Don't Yeah.
You know. Free isn't free.
Free free cracked versions of software is usually bad.
Yeah. Because people don't put that out there because they just wanna share it with everyone. They're putting it out there because they wanna put something malicious on your machine.
Exactly.
And that is the, that's the bait they're using to reel you in.
Exactly. Yeah. That's one hundred percent correct.
Make sure when you're clicking on links on emails well, actually never click on all the information. I was gonna say, what do you mean when?
Well, sometimes you have to where it's like, oh, to activate your account, click this link.
I know. I hate that.
And I'm like, come on. You can't just let me and I'll like manually type in the URL to like URL scan, which is a website where you can scan URLs. Yeah. And I'll make sure like, oh, yeah.
Okay. This is legit. And then I'll type it in. But make sure you're not clicking on links on emails.
That's a big factor for how accounts are stolen. Yeah. With like fake login pages where it looks exactly like the real login page to your bank. And then you type everything in and it even asks like, oh, we need your two factor authentication code.
And you type that in too. Mhmm.
And then it redirects you to your bank.
But now the session is stolen. Like, the attacker is also logged into your bank Right. At the same time.
Yeah. So, making sure that you understand exactly what those links are doing. And there's, like you said, it's very difficult to tell. But some of the ways you can tell that something is not legitimate sometimes so the you know, these phishing emails that we all get or the phishing texts that say, hey.
Click here. Ask yourself, is are they using are they kind of poking me in the greed center? Because they're saying, hey. We have a hundred and twenty dollars that's that belongs to you that because you overpaid.
Click here to get it back. And you're like, oh, I'm sure I overpaid for something sometime and click on it. And all of a sudden, you're you've gone down that rabbit hole of of of, good intentions. So, yeah, making sure that it's not something that makes you panic.
Like, it's tax season. Right?
Oh, yeah.
That's a good one. Yeah. People are getting phone calls and emails saying, we are going to take action against you and levy against your house and blah, blah, blah.
Just don't panic. First of all, it takes so much process to get to the point where the IRS is actually gonna take action against you.
Yeah. And they won't call you.
No. No. They will not call you. They don't wanna talk to you on the phone.
The the they're gonna send you very official mail that's physical in these very official envelopes. And and it's it's something that you can go and phone them. Actually, you should probably look up their phone number in a separate place, not on the thing that comes in the mail. So whenever you're not sure, ask yourself, how can I verify this piece of information through another avenue?
So you get something from the IRS and it says, we're taking your house. Call here. And you're like, well, I don't think I'm gonna call there, but I'm gonna look up the IRS number and see if I can call them or text or email or whatever avenue they have for for contacting them. And then make sure that you verify.
There is always time. Don't panic. If you get something that makes you feel like you have to panic and take action right then, it's almost guarantee you it's phishing of some kind.
Oh, yeah. That's a big tactic that phishers will use social engineers. A sense of urgency.
Yeah. Yeah. Urgency. Fear. Greed.
Confusion, you know, or or just just kind of making you feel like, oh, this seems like it's legit because I just bought something off of Amazon. So maybe I should verify that I told them the right address. But, no, don't do that.
A good saying that I saw earlier this week was good security doesn't just happen. It needs to be planned.
So have a home security plan, teach your kids the basics of being safe on the Internet, do what you can to mitigate risk.
Update your router, update your antivirus, run antivirus scans, and it'll greatly reduce your attack surface.
There's no way to be perfectly secure because new attacks come out every single day, But you can make yourself a harder target and then you're a lot less likely to be breached.
That is an excellent statement to wrap up on. I really appreciate your time today. I hope that you, if you're listening or watching, have gotten some information that you can apply. And just remember, we did cover a lot of information today, but don't feel like it's overwhelming. Like if you're not, if you don't have anything in place, start with one thing and then let that settle and then think about the next thing. And then eventually you're you're going to improve your security stance at home and and feel like you're you can cruise the Internet safely.
Yeah. Exactly. Thank you so much for having me on, Jen. Alright.
We'll talk to you again. Thank you for joining us here again at the SecurityMetrics podcast. I hope to see you again in the future.
Thanks for watching. To watch more episodes of SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.