10 steps you can take to effectively guard your business Wi-Fi from hackers
As a small business or SME, knowing what is happening on your network and who is accessing it is of the greatest importance. Hackers could be on your network stealing data, using your processing power mining for crypto-currency, greedily taking your bandwidth and potentially getting you in trouble with the law. They could also be trying to hack your systems and cause your business some serious damage.
And if you think your Wi-Fi is already pretty secure, think again. In October 2017 security experts Mathy Vanhoef and Frank Piessens discovered that the security protocol used to protect the majority of Wi-Fi connections (called WPA2) had been broken, with the possibility of exposing wireless internet traffic to cyber attackers.
In their report on the severe replay attack, called Krack, the authors said, ‘Attackers can use this novel technique to read information that was previously assumed to be safely encrypted […] This can be used to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on.’ The discovery brought to light just one of the many ways routers are susceptible to being infiltrated. Other research has found the same: a recent scan of 4.3 million routers by Avast found that nearly half (48%) had a vulnerability.
Here are 10 ways to lock down your Internet connection:
1. Switch up the admin password
In a survey of 2000 people by Broadband Genie, 53% of respondents admitted to never having changed their Wi-Fi router or admin password. Only 19% had ever accessed their router’s administrator controls. Generally, ISPs make these passwords very easy to remember, and therefore easy to hack.
Because of this, it is vitally important that you change it as soon as possible, and update it regularly. To do this you’ll need to find your way to your router’s admin gateway. BT defaults to 192.168.1.254, TalkTalk to 192.168.1.1, and Sky to 192.168.0.1. If you (or your ISP) changed the router’s IP address, you’ll need to use Google to find out what it is.
If you’ve never changed your password but don’t know what it is, you can use www.routerpasswords.com where most models’ login details are listed. (Making it even more obvious why you need to change your password).
The default logins should only ever be used to get you up and running. As soon as this is organised you should change your username (if possible) and your password.
2. Disable WPS
Wi-Fi Protected Setup, or WPS, lets you establish a secure/encrypted connection between your network and a device by pressing a button or entering a PIN. So why are we saying you should disable it? Because unfortunately WPS is flawed and could leave you open to considerable risk.
While the PIN is supposed to be eight digits, the last one is always the same, making brute-force hacking much easier. Also, the first four digits and the last three are checked as two separate sequences, so the number of possible combinations drops from millions to just 11,000. On top of this, the majority of routers don’t enforce a lockout or cooling-off period between WPS PIN attempts. Combined, these weaknesses mean a hacker with the right tools can force their way in through WPS in minutes or even seconds.
3. Use a VPN
When you think of virtual private networks, you probably think of the third party software that takes your traffic and reroutes it through a proxy server. These servers can be free or they can come at a cost. However, there is also another way to use a VPN and that’s by setting one up through your own router.
With your own VPN, you get the same end-to-end encryption but with the benefit that you can reach your own network securely wherever you are. To do this, you will need to set up Dynamic DNS (DDNS), because most ISP connections don’t come with a static IP address and a DDNS hostname follows your address when it changes. A free version of this is available at NOIP.com.
4. Create a guest network
If you’re an SME with customer-facing premises, keeping your corporate Wi-Fi private is very important. Every time you hand out a Wi-Fi password, whether to visitors, customers, stakeholders or team members, you weaken your security. The more people with access, the higher the chance of a successful cyber attack.
Setting up a guest network provides a solution. Make sure you have a router and firmware that support a guest network; not all routers/firmware do. With a guest network, you can allow people to use your Wi-Fi without further lowering your security or making your connected computers and devices visible, and therefore open to attack.
5. Update firmware or install alternatives
This is an incredibly simple, no-cost step that most small businesses and entrepreneurs skip. It is simply patch management, something you need to practise to be secure. Most routers have an automatic update setting, but it is usually turned off at the factory. So turn it on and upgrade your firmware. Whenever you update, always check that your other settings, like logins and passwords, are still in place, as an update can sometimes reset them to factory defaults.
If you want to take your security to the next level, you could update your firmware using an external supplier. If you want extra security for your business and Wi-Fi, alternative firmware can give you what you need. The downside is that doing this can invalidate the warranty on your router.
6. Search for fake devices
Despite all the extra security you may put in place, cybercriminals may still find a way to tap into your Wi-Fi. They’re sneaky like that. This is when you need to start actively searching for rogue devices.
Head to your router gateway, look at your ‘attached devices’ list and scroll through to check that all the devices you see are supposed to be there. There are a number of tools, like Fing, which can scan IP ranges and show what’s connected, along with the information you need to block it. If you notice something that shouldn’t be there, remove it immediately and block it from your router to prevent it from connecting again in the future.
7. MAC filtering to the rescue
The Media Access Control address, or MAC address, has been around for a long time. It’s a 48-bit identifier that a device uses to tag its network packets, and every device on your network has one.
If a device has your password, a router will usually let it connect straight away, but with MAC filtering you can add an extra layer of security to this process. First you need the MAC addresses of your own devices; then look for connected devices that you don’t recognise. This is where Fing comes in (see above), or you can use an online site such as What’s My IP.
If and when you’ve found suspect devices, open the access control settings on your router and find MAC filtering. In this section you can either block new devices completely, set it up so that any device wishing to join your network must be whitelisted, or block specific devices by blacklisting their MAC address.
The one caveat is that most devices will allow their MAC to be changed so the best way to protect yourself is still to not give out your Wi-Fi password in the first place.
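As an added example (not part of the original article), the following Python script does the reconciliation that steps 6 and 7 describe: it takes an ‘attached devices’ export in the form many routers present it, normalises the MAC addresses, and flags anything not on an allowlist you maintain. The device list and allowlist are constructed sample data; the locally-administered check catches randomised MAC addresses, which modern phones use and which will never match a vendor lookup.

```python
import re
# Constructed sample of a router's "attached devices" export: name, IP, MAC.
ATTACHED_DEVICES = """\
front-desk-pc   192.168.1.10   A4:5E:60:11:22:33
printer         192.168.1.12   00-1E-8F-AA-BB-CC
unknown         192.168.1.47   3a:9f:02:de:ad:01
iphone-guest    192.168.1.61   DC:A6:32:77:88:99
"""

ALLOWLIST = {"a4:5e:60:11:22:33", "00:1e:8f:aa:bb:cc"}  # constructed: MACs that belong here

# Six hex pairs separated by ':' or '-', as routers and tools variously print them.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2})[:-]" * 5 + r"([0-9A-Fa-f]{2})")

def normalise_mac(mac):
    """Return the MAC as lowercase, colon-separated; None if it is malformed."""
    m = MAC_RE.fullmatch(mac.strip())
    return ":".join(g.lower() for g in m.groups()) if m else None

def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was not assigned by a
    manufacturer: typically a randomised (phone) or manually changed MAC."""
    return int(mac[:2], 16) & 0x02 != 0

def audit(export, allowlist):
    """Return (name, ip, mac, verdict) for every device line in the export."""
    findings = []
    for line in export.splitlines():
        parts = line.split()
        if len(parts) < 3:          # skip headers and blank lines
            continue
        name, ip, mac = parts[0], parts[1], normalise_mac(parts[2])
        if mac is None:
            findings.append((name, ip, parts[2], "malformed-mac"))
        elif mac in allowlist:
            findings.append((name, ip, mac, "known"))
        elif is_locally_administered(mac):
            findings.append((name, ip, mac, "unknown-randomised"))
        else:
            findings.append((name, ip, mac, "unknown"))
    return findings

def unknown_devices(export=ATTACHED_DEVICES, allowlist=ALLOWLIST):
    """Only the entries a human needs to check and, if rogue, block on the router."""
    return [f for f in audit(export, allowlist) if f[3] != "known"]

if __name__ == "__main__":
    for name, ip, mac, verdict in audit(ATTACHED_DEVICES, ALLOWLIST):
        print(f"{verdict:18} {ip:15} {mac:17} {name}")
```

A device flagged ‘unknown-randomised’ may simply be a staff phone with a private address; confirm it physically before blacklisting, and remember the page’s caveat that a MAC can be changed by whoever controls the device.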
>> Quick tip: A router’s security settings can easily be overwritten if someone is physically able to restore it to factory default settings. Make sure your device is physically secured to prevent a real-world reboot <<
8. Hide your router
A Service Set Identifier (or SSID) is the primary name associated with an 802.11 wireless local area network. It’s what other people, offices, teams in your area see when they look for wireless networks nearby on their devices. If you want to keep your Wi-Fi secure you need to change your SSID. Considering how simple it can be for a cyber criminal to acquire login details, it makes sense to make it as tricky as possible to find you.
Of course, not broadcasting your SSID isn’t going to stop really pesky hackers, but at the very least by changing your SSID you are showing potential cyber attackers that you are protecting yourself more thoroughly than others. If you use a business-grade access point you could also create a number of different SSIDs and assign them to different policies, like various virtual LANs, authentication methods, or encryption configurations. Additional SSIDs could be used to isolate sections of the business from the corporate network, and to separate off devices like wireless speakers, IP cameras and IoT sensors, for example, leaving the main production network unaffected and untouched.
9. Use a different DNS
Your ISP has a default Domain Name System (DNS) and changing it is one way to make sure you're a little better protected. DNS servers do come under attack, and this threat has grown recently, especially against businesses. The biggest and most popular ISPs are usually a target for this as the returns for hackers can be enormous.
DNS servers often go down, so it's worth having a backup and knowing how to use it. Two popular choices are Google Public DNS and OpenDNS, and setting them up is simple (there are tutorials online to help). It's as easy as going into your router admin panel and finding the DNS server settings page. Most providers allow you to enter two or even three DNS IPs.
10. Choose the right security
There are three main protocols, giving varying levels of security: WEP, WPA, and WPA2.
WEP is easy to hack and really only protects the most casual Wi-Fi user. Wi-Fi Protected Access, or WPA, has two versions. WPA offers reasonable protection while WPA2 is the best you can get. WPA and WPA2 can be set to either personal (also known as Pre-Shared Key/PSK) or enterprise (802.1X, RADIUS, or EAP) mode.
Personal mode WPA/WPA2 is simple to set up but susceptible to brute force hacking. Creating a long and strong password offers protection from this. However, if your business has more than two Wi-Fi users you’ll be better off with the Enterprise mode. It is more complicated to set up and requires a server, but offers the best level of security for organisations. It also stops users on your network from spying on others’ traffic, stealing passwords, or taking over accounts. You can also combine this with EAP-TLS authentication (Extensible Authentication Protocol with Transport Layer Security). EAP-TLS authentication is better for business as it uses digital certificates to validate users instead of passwords.
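As an added example (not from the article), here is the derivation that WPA/WPA2-Personal performs on your passphrase, in Python, together with a policy check you can run before adopting one. The PSK is PBKDF2-HMAC-SHA1 of the passphrase with the SSID as the salt, which is why both a long passphrase and a non-default SSID matter: a short passphrase on a common SSID can be checked against precomputed tables. The 20-character minimum is an assumed business policy value, not something the article states.

```python
import hashlib

def derive_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes, SSID as
    the salt (IEEE 802.11i). Same passphrase + different SSID = different PSK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def passphrase_problems(passphrase, min_len=20):
    """Return a list of policy failures; an empty list means the passphrase is
    acceptable. 8-63 printable ASCII characters is what the standard allows;
    min_len is our own (assumed) policy, well above the 8-character floor."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    if len(passphrase) < min_len:
        problems.append(f"shorter than policy minimum of {min_len}")
    classes = [any(c.islower() for c in passphrase), any(c.isupper() for c in passphrase),
               any(c.isdigit() for c in passphrase), any(not c.isalnum() for c in passphrase)]
    if sum(classes) < 3:
        problems.append("use at least three of: lower, upper, digits, symbols")
    return problems

if __name__ == "__main__":
    print(derive_psk("password", "IEEE"))      # IEEE 802.11i published test vector
    print(passphrase_problems("password"))     # two failures: too short, one class only
    print(passphrase_problems("Correct-Horse-Battery-7"))   # []
```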
If you don’t have the time or knowledge to set up a WPA2-Enterprise security you could use a hosted service. A managed IT service provider like Xenace can also help get your web security under control. Contact us now for a quick chat about how we can ensure your business is safer online.