Securing Office Networks and Routers

HILLSBORO, Ore. - Jan. 28, 2016 - PRLog -- Enabling basic configuration safeguards can go a long way in securing many office networks. However, even default security configurations are in many instances not adequate to avoid breaches or patch up security holes. This results in hackers easily discovering vulnerabilities in these very unsecured networks. These same routers are also continuously powered on and discoverable with the default configurations providing 24/7 access to confidential business data.

Preventing unauthorized access to networks:

If an attacker knows something as simple as the manufacturer or brand of the networking device, they can look up what the default username and passwords are for that particular hardware and attempt a simple cracking (password and username guessing) attempt to gain access. This is the simplest way to gain full access and must always be changed immediately after initial setup and configuration. Good strong passwords are recommended to be about 14 characters long or more with numbers and letters as well as special characters. For example, 0ff1CEs3cuR1ty is an example of a good password. It is also advised to change this password every 90 days or less. It can be argued however, that constantly having to change passwords can end up with simpler and simpler passwords as admins or users run out of hard to guess passwords. Staying with a much longer and hard to guess password (that's easier to remember) that changes less frequently may be an option. Constantly changing good passwords may result in bad easy to remember passwords instead due to the inconvenience at the time of the forced password change dictated by company policy. Creating a password for a much longer period of time, the admin can create a much more complicated one.

Changing default SSID's:

All Wireless Local Area Networks need to use the same Service Set Identifier. Since manufacturers set a default SSID at the factory, many times an attacker can identify the hardware name and exploit any known vulnerabilities. This can be especially troublesome if the router is not updated to the latest firmware which can often patch up security vulnerabilities.

Providing too much of a detailed description for the SSID can also provide details on the organization, location as well as their own name. Any details that a hacker can use to help make a hack attempt successful needs to be avoided. In many cases several different pieces of information are obtained to lead to a successful hack. There is not always just a single piece of information that leads to a compromise.

Log-out of a router’s web based user interface to prevent Cross Site Request Forgery (CSRF):

Routers are notoriously vulnerable to CSRF attacks and if staying logged in while visiting another website that may be infected with nefarious hacker code, it can attempt to reconfigure the router’s settings. This could result in port forwarding or DNS server changes etc. Many examples of CSRF’s can be found here: http://www.routercheck.com/category/router-vulnerability/csrf/ which shows a disturbing number of incidents or discoveries. Being in the possession of an updated and secured router will if not eliminate, then greatly minimize this threat.

Setup Wi-Fi Protected Access 2 For Better Security:

Wired Equivalent Privacy (WEP) is not a secure enough encryption standard anymore and has not been for many years. The newer security standard; WPA-2 Advanced Encryption Standard encrypts communication between the wireless device and the router using 128-bit encryption. WPA2 is the most secure router configuration possible  for home use and is highly recommended for all router configurations.

Limit WLAN Signal Reach and Powering Off:

Many wireless routers will simply broadcast farther than they really need to in a home office environment or workplace making it easier for unauthorized users to try and gain access outside of the workplace area. If the signal cannot be reached by intruders it’s impossible to try to connect in the first place and gain access. Careful positioning of antennas can limit signal reach, extending way beyond the required distance for all coworkers to use. Antennas that broadcast signals too far may simply not be needed.

In addition, instead of using the more popular omnidirectional antenna, a directional antenna that transmits only towards a certain area may be a viable solution. If hackers find no signal to connect to, the risk of intrusion is non existent. However, this is not a sure way of preventing intrusions from a motivated hacker with a very sensitive antenna.

Another simple method to ensure intrusion prevention is simply powering off the wireless router. If offices are closed during weekends they can be switched off, as well as during holidays and off-seasons. Shutting down a network reduces the amount of time any hacker has of gaining access to secure systems.

Finally, monitoring the connection to a wireless router can inform anyone whether experienced in wireless security or not, to discover if there is a user connected to the network that should actually not be there. Even a log showing attempted connections can determine if the workplace is in a high risk area for intrusions and needs to beef up security if it has not already done so. Firewalls can be setup on routers as well and not just office computers and dedicated servers. The router manufacturer will have details on how to setup and configure this feature.

For more information please go here: http://www.hostinganddesigns.com/Blog/


SOURCE: https://www.us-cert.gov/ncas/tips/ST15-002 Security Tip (ST15-002)
Securing Your Home Network.