Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

Meltdown affects a wide range of systems. At the time of disclosure, this included all devices running any but the most recent and patched versions of iOS, Linux, macOS, or Windows. Accordingly, many servers and cloud services were impacted, as well as a potential majority of smart devices and embedded devices using ARM-based processors (mobile devices, smart TVs and others), including a wide range of networking equipment. A purely software workaround to Meltdown has been assessed as slowing computers between 5 and 30 percent in certain specialized workloads, although companies responsible for software correction of the exploit are reporting minimal impact from general benchmark testing.

Meltdown was issued a Common Vulnerabilities and Exposures ID of CVE-2017-5754, also known as Rogue Data Cache Load, in January 2018. It was disclosed in conjunction with another exploit, Spectre, with which it shares some, but not all, characteristics. The Meltdown and Spectre vulnerabilities are considered “catastrophic” by security analysts. The vulnerabilities are so severe that, initially, security researchers believed them to be false.

Several procedures to help protect home computers and related devices from the Meltdown and Spectre security vulnerabilities have been published. Meltdown patches may produce performance loss. Spectre patches have been reported to significantly reduce performance, especially on older computers; on the newer eighth-generation Core platforms, benchmark performance drops of 2–14 percent have been measured. On January 18, 2018, unwanted reboots, even for newer Intel chips, due to Meltdown and Spectre patches, were reported. Nonetheless, according to Dell: “No ‘real-world’ exploits of these vulnerabilities [i.e., Meltdown and Spectre] have been reported to date [January 26, 2018], though researchers have produced proof-of-concepts.” Further, recommended preventions include: “promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources … following secure password protocols … [using] security software to help protect against malware (advanced threat prevention software or anti-virus).”

On January 25, 2018, the current status and possible future considerations in solving the Meltdown and Spectre vulnerabilities were presented.

Mitigation of this vulnerability requires changes to operating system kernel code, including increased isolation of kernel memory from user-mode processes. Linux kernel developers have referred to this measure as kernel page-table isolation (KPTI). KPTI patches have been developed for Linux kernel 4.15 and have been released as backports in kernels 4.14.11 and 4.9.75. Red Hat released kernel updates for Red Hat Enterprise Linux versions 6 and 7. CentOS has also released kernel updates for CentOS 6 and CentOS 7.

Apple included mitigations in macOS 10.13.2, iOS 11.2, and tvOS 11.2. These were released a month before the vulnerabilities were made public. Apple has stated that watchOS and the Apple Watch are not affected. Additional mitigations were included in a Safari update as well as a supplemental update to macOS 10.13 and iOS 11.2.2.

Microsoft released an emergency update to Windows 10, 8.1, and 7 SP1 to address the vulnerability on January 3, 2018, as well as Windows Server (including Server 2008 R2, Server 2012 R2, and Server 2016) and Windows Embedded Industry. These patches are incompatible with third-party antivirus software that uses unsupported kernel calls; systems running incompatible antivirus software will not receive this or any future Windows security updates until the antivirus software is patched and adds a special registry key affirming its compatibility. The update was found to have caused issues on systems running certain AMD CPUs, with some users reporting that their Windows installations did not boot at all after installation. On January 9, 2018, Microsoft paused the distribution of the update to systems with affected CPUs while it investigated and addressed this bug.

It was reported that implementation of KPTI may lead to a reduction in CPU performance, with some researchers claiming up to 30% loss in performance, depending on usage, though Intel considered this to be an exaggeration. It was reported that Intel processor generations that support process-context identifiers (PCID), a feature introduced with Westmere and available on all chips from the Haswell architecture onward, were not as susceptible to performance losses under KPTI as older generations that lack it. This is because the selective translation lookaside buffer (TLB) flushing enabled by PCID (also called address space number or ASN under the Alpha architecture) allows the shared TLB behavior crucial to the exploit to be isolated across processes without constantly flushing the entire TLB, which is the primary reason for the cost of the mitigation.

A statement by Intel said that “any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time”. Phoronix benchmarked several popular PC games on a Linux system with Intel’s Coffee Lake Core i7-8700K CPU and KPTI patches installed, and found that any performance impact was little to none. In other tests, including synthetic I/O benchmarks and databases such as PostgreSQL and Redis, a measurable impact on performance was found.

How to protect yourself from the “KRACK” WiFi vulnerability

Security researchers recently publicly disclosed a major vulnerability in the WPA2 encryption protocol. Most devices and routers currently rely on WPA2 to encrypt your WiFi traffic, so chances are you’re affected. But first, let’s clarify what an attacker can and cannot do using the KRACK vulnerability.

The attacker can intercept some of the traffic between your device and your router. If traffic is encrypted properly using HTTPS, an attacker can’t look at this traffic. Attackers can’t obtain your Wi-Fi password using this vulnerability. They can just look at your unencrypted traffic if they know what they’re doing. With some devices, attackers can also perform packet injection and do some nasty things. This vulnerability is like sharing the same WiFi network in a coffee shop or airport.
The attacker needs to be within range of your WiFi network. They can’t attack you from miles away. The attacker could also take control of a zombie computer near you, but that is already a much more sophisticated attack. That’s why companies should release patches as soon as possible, because most attackers probably only learned about this vulnerability today.

There’s at least a theoretical possibility that hackers could make this vulnerability more scalable as an attack vector in the future, in the way that worms have been developed and released to spread from one insecure IoT device to another and build a zombie botnet. But currently, this is not the case.
So here’s what to do now that the WPA2 protocol is vulnerable…

Update all the wireless things you own

Good news! Your devices can be updated to prevent the KRACK vulnerability. Updated devices and non-updated devices can co-exist on the same network as the fix is backward compatible.
So you should update all your routers and Wi-Fi devices (laptops, phones, tablets, etc.) with the latest security firmware/patches. You should also consider turning on auto-updates for future vulnerabilities, as this won’t be the last one. Modern operating systems have become quite good at auto-updates. Some devices (ahem, Android) don’t receive a lot of updates and could continue to pose risks.
The main point is that both clients and routers need to be fixed against KRACK so there are lots of potential attack vectors to consider.

Look at your router

Your router’s firmware definitely needs to be updated. If the router has been supplied by your ISP, ask the company when their branded devices will be updated. If they don’t have an answer, keep asking. You can make sure your router is up-to-date by browsing the administration panel. Find the user guide for your ISP-branded router and follow the instructions to connect to the admin pages.
If your ISP is not quickly putting out a firmware update to fix KRACK, it may be time to consider switching your ISP. A less drastic option would be to buy a WiFi router from a responsible company that has already issued a patch. Plugging a WiFi router into your ISP router and disabling WiFi on your antique ISP hardware is a good alternative.
Here’s a list of some of the router makers that have already put out fixes (Ubiquiti, MikroTik, Meraki, Aruba, Fortinet…).

Use Ethernet

If your router doesn’t yet have a fix, and you don’t have a patched WiFi access point that could be used for wireless instead, you could Ethernet into your router and turn off its wireless function until it’s updated (assuming WiFi can be disabled on your router). Turn off WiFi on your device as well so that you’re sure all traffic goes through the Ethernet cables.
If you still want to keep WiFi for some devices, consider switching to Ethernet for your essential devices. For instance, if you spend hours every day on a computer and use a ton of internet traffic from this computer, buy an Ethernet cable.

Consider using cellular data on your phone

Your phones and tablets don’t have an Ethernet port. If you want to make sure nobody is watching your traffic, disable WiFi on your device and use cellular data instead. This isn’t ideal if you live somewhere with a spotty network, pay extra for mobile data, or if you don’t trust your telecom provider.
Devices running Android 6.0 and later are more vulnerable than other devices. It is trivially easy to perform a key reinstallation attack because of a bad implementation of the handshake mechanism in the WiFi stack. So Android users do need to be more careful.

What about Internet-of-Things devices?

If you own a lot of IoT devices, consider which of those devices pose the most serious risk if unencrypted traffic were intercepted. Say, for example, you own a connected security camera that doesn’t encrypt traffic when you’re on the same WiFi network — well, that could allow attackers to snoop on raw video footage inside your home. Yikes!
Take action accordingly — e.g. by pulling the riskiest devices off your network until their makers issue firmware updates. And be sure to keep an eye on the kinds of devices your kids might be connecting to your home network.
At the same time, if an attacker can intercept traffic between your smart lightbulbs and your router, it’s probably fine. What are they going to do with this information anyway? It’s fair to say that Edward Snowden wouldn’t want even info about how his lightbulbs are being turned on and off getting into the hands of a hacker, and with good reason. But most people aren’t at risk of such an extreme level of state-sponsored surveillance. So you should determine your own level of risk and act accordingly.
That said, the Internet of Things does have a horrible reputation when it comes to security. So this could be a good moment to audit your connected device collection and consider junking any WiFi device whose makers don’t quickly issue a patch — they could pose some form of long term risk to your network.

Install the HTTPS Everywhere extension

As mentioned above, you can mitigate risks by prioritizing encrypted internet traffic over unencrypted traffic. The EFF has released a neat browser extension called HTTPS Everywhere. If you’re using Google Chrome, Firefox or Opera, you should consider installing the extension. It needs no configuration, so anybody can use it.
If a website offers both unencrypted access (HTTP) and encrypted access (HTTPS), the extension automatically tells your browser to use the HTTPS version to encrypt your traffic. If a website still relies exclusively on HTTP, the extension can’t do anything about it. The extension is also no use if a company has a poor implementation of HTTPS and your traffic isn’t really encrypted. But HTTPS Everywhere is better than nothing.

Don’t rely on a VPN as a solution

On paper, using a VPN server sounds smart. But we’ve been there already — be careful with VPN services out there. You can’t trust any of them.
When you use a VPN service, you reroute all your internet traffic to a VPN server in a data center somewhere. An attacker can’t see what you’re doing on your WiFi network, but a VPN company can log all your internet traffic and use it against you.
For instance, The Register discovered last week in a legal document that PureVPN shared key information with authorities to track and arrest a man. And yet, the company’s website claims that PureVPN doesn’t keep any log. Again, don’t trust any VPN company. Unless you’re willing to build your own VPN server, a VPN service is not the solution.

Especially paranoid? Move to the woods…
For the most paranoid out there, who can’t or won’t stop using WiFi entirely, it may be time to relocate to a remote cabin in the woods far from any neighbors.

Your Router’s Security Stinks! (here’s how you can fix it)

Most gateway routers used by home customers are profoundly not secure, and some routers are so vulnerable to attack that they should be thrown out, a security expert said at the HOPE X hacker conference in New York. “If a router is sold at [an electronics chain], you don’t want to buy it,” independent computer consultant Michael Horowitz said in a presentation. “If your router is given to you by your internet service provider [ISP], you don’t want to use it either, because they give away millions of them, and that makes them a prime target both for spy agencies and bad guys.”

Horowitz recommended that security-conscious consumers instead upgrade to commercial routers intended for small businesses, or at least separate their modems and routers into two separate devices. (Many “gateway” units, often supplied by ISPs, act as both.) Failing either of those options, Horowitz gave a list of precautions users could take.

Problems with consumer routers

Routers are the essential but unheralded workhorses of modern computer networking, yet few home users realize they are computers, with their own operating systems, software and vulnerabilities.

“A compromised router can spy on you,” Horowitz said, explaining that a router under an attacker’s control can stage a man-in-the-middle attack, alter unencrypted data or send the user to “evil twin” websites masquerading as often-used webmail or online-banking portals.

Many consumer-grade home-gateway devices fail to notify users if and when firmware updates become available, even though those updates are essential to patch security holes, Horowitz noted. Some other devices will not accept passwords longer than 16 characters.

Millions of routers throughout the world have the Universal Plug and Play (UPnP) networking protocol enabled on internet-facing ports, which exposes them to external attack.

“UPnP was designed for LANs [local area networks], and as such, it has no security. In and of itself, it’s not such a big deal,” Horowitz said. But, he added, “UPnP on the internet is like going in for surgery and having the doctor work on the wrong leg.”

Another problem is the Home Network Administration Protocol (HNAP), a management tool found on some consumer-grade routers that transmits sensitive information about the router over the Web at http://[router IP address]/HNAP1/, and grants full control to remote users who provide administrative usernames and passwords (which many users never change from the factory defaults).

In 2014, a router worm called TheMoon used the HNAP protocol to identify vulnerable Linksys-brand routers to which it could spread itself. (Linksys quickly issued a firmware patch.)

“As soon as you get home, this is something you want to do with all your routers,” Horowitz told the tech-savvy crowd. “Go to /HNAP1/, and, hopefully, you’ll get no response back, if that’s the only good thing. Frankly, if you get any response back, I would throw the router out.”

The WPS Threat

Worst of all is Wi-Fi Protected Setup (WPS), an ease-of-use feature that lets users bypass the network password and connect devices to a Wi-Fi network simply by entering an eight-digit PIN that’s printed on the router itself. Even if the network password or network name is changed, the PIN remains valid.

“This is a huge expletive-deleted security problem,” Horowitz said. “That eight-digit number will get you into the [router] no matter what. So a plumber comes over to your house, turns the router over, takes a picture of the bottom of it, and he can now get on your network forever.”

That eight-digit PIN isn’t even really eight digits, Horowitz explained. It’s actually seven digits, plus a final checksum digit. The first four digits are validated as one sequence and the last three as another, resulting in only 11,000 possible codes instead of 10 million.

“If WPS is active, you can get into the router,” Horowitz said. “You just need to make 11,000 guesses” — a trivial task for most modern computers and smartphones.

Then, there’s networking port 32764, which French security researcher Eloi Vanderbeken in 2013 discovered had been quietly left open on gateway routers sold by several major brands. Using port 32764, anyone on a local network — which includes a user’s ISP — could take full administrative control of a router, and even perform a factory reset, without a password.

The port was closed on most affected devices following Vanderbeken’s disclosures, but he later found that it could easily be reopened with a specially designed data packet that could be sent from an ISP.

“This is so obviously done by a spy agency, it’s amazing,” Horowitz said. “It was deliberate, no doubt about it.”

How to lock down your home router

The first step toward home router security, Horowitz said, is to make sure the router and modem are not a single device. Many ISPs lease such combined devices to customers, but customers who use them have little control over their own networks.

“If you were given a single box, which most people I think call a gateway,” he said, “you should be able to contact the ISP and have them dumb down the box so that it acts as just a modem. Then you can add your own router to it.”

Next, Horowitz recommended that customers buy a low-end commercial-grade Wi-Fi/Ethernet router, which retails for about $200, rather than a consumer-friendly router that can cost as little as $20. Commercial-grade routers are unlikely to have UPnP or WPS enabled. Regardless of whether a router is commercial- or consumer-grade, there are several things, varying from easy to difficult, that home-network administrators can do to make sure their routers are more secure:

Easy fixes

Change the administrative credentials from the default username and password. They’re the first things an attacker will try. Your router’s instruction manual should show you how to do this; if it doesn’t, then Google it.

Change the network name, or SSID, from “Netgear,” “Linksys” or whatever the default is, to something unique — but don’t give it a name that identifies you.

“If you live in an apartment building in apartment 3G, don’t call your SSID ‘Apartment 3G,’” Horowitz quipped. “Call it ‘Apartment 5F.’”

Enable WPA2 wireless encryption so that only authorized users can hop on your network.

Disable Wi-Fi Protected Setup, if your router lets you.

Set up a guest Wi-Fi network and offer its use to visitors, if your router has such a feature. If possible, set the guest network to turn itself off after a set period of time.

“You can turn on your guest network, and set a timer, and three hours later, it turns itself off,” Horowitz said. “That’s a really nice security feature.”

If you have a lot of smart-home or Internet of Things devices, odds are many of them won’t be terribly secure. Connect them to your guest Wi-Fi network instead of your primary network to minimize the damage resulting from any potential compromise of an IoT device.

Do not use cloud-based router management if your router’s manufacturer offers it. Instead, figure out if you can turn that feature off.

“This is a really bad idea,” Horowitz said. “If your router offers that, I would not do it, because now you’re trusting another person between you and your router.”

Many new “mesh router” systems, such as Google Wifi and Eero, are entirely cloud-dependent and can interface with the user only through cloud-based smartphone apps. While those models offer security improvements in other areas, such as with automatic firmware updates, it might be worth looking for a mesh-style router that permits local administrative access, such as the Netgear Orbi.

Moderately difficult

Install new firmware when it becomes available. Log into your router’s administrative interface routinely to check. With some brands, you may have to check the manufacturer’s website for firmware upgrades. Newer routers, including most mesh routers, will update their firmware automatically. But have a backup router on hand in case something goes wrong.

Set your router to use the 5-GHz band for Wi-Fi instead of the more standard 2.4-GHz band, if possible and if all your devices are compatible.

“The 5-GHz band does not travel as far as the 2.4-GHz band,” Horowitz said. “So if there is some bad guy in your neighborhood a block or two away, he might see your 2.4-GHz network, but he might not see your 5-GHz network.”

Disable remote administrative access, and disable administrative access over Wi-Fi. Administrators should connect to routers via wired Ethernet only. (Again, this won’t be possible with many mesh routers.)

Advanced tips for more tech-savvy users

Change the settings for the administrative Web interface, if your router permits it. Ideally, the interface should enforce a secure HTTPS connection over a non-standard port, so that the URL for administrative access would be something like, to use Horowitz’s example, “https://192.168.1.1:82” instead of the more standard “http://192.168.1.1”, which by default uses the internet-standard port 80.

Use a browser’s incognito or private mode when accessing the administrative interface so that your new URL is not saved in the browser history.

Disable PING, Telnet, SSH, UPNP and HNAP, if possible. All of these are remote-access protocols. Instead of setting their relevant ports to “closed,” set them to “stealth” so that no response is given to unsolicited external communications that may come from attackers probing your network.

“Every single router has an option not to respond to PING commands,” Horowitz said. “It’s absolutely something you want to turn on — a great security feature. It helps you hide. Of course, you’re not going to hide from your ISP, but you’re going to hide from some guy in Russia or China.”

Change the router’s Domain Name System (DNS) server from the ISP’s own server to one maintained by OpenDNS (208.67.220.220, 208.67.222.222) or Google Public DNS (8.8.8.8, 8.8.4.4). If you’re using IPv6, the corresponding OpenDNS addresses are 2620:0:ccc::2 and 2620:0:ccd::2, and the Google ones are 2001:4860:4860::8888 and 2001:4860:4860::8844.

Use a virtual private network (VPN) router to supplement or replace your existing router and encrypt all your network traffic.

“When I say VPN router, I mean a router that can be a VPN client,” Horowitz said. “Then, you sign up with some VPN company, and everything that you send through that router goes through their network. This is a great way to hide what you’re doing from your internet service provider.”

Many home Wi-Fi routers can be “flashed” to run open-source firmware, such as the DD-WRT firmware, which in turn supports the OpenVPN protocol natively. Most commercial VPN services support OpenVPN as well and provide instructions on how to set open-source routers up to use them.

Finally, use Gibson Research Corp.’s Shields Up port-scanning service at https://www.grc.com/shieldsup. It will test your router for hundreds of common vulnerabilities, most of which can be mitigated by the router’s administrator.

Original article posted on Tom’s guide.

10 Network Security Recommendations for Small Business

Just because your business is small doesn’t mean that hackers won’t target you. The reality is that automated scanning techniques and botnets don’t care whether your company is big or small; they’re only looking for holes in your network security to exploit.

The good news is that there are a lot of things that small businesses can do to lock down networks without spending a small fortune. Through a combination of hardware, software and best practices, you can minimize your risks and reduce the attack surface that your small business presents to the world. The following are some great network security recommendations to consider.

10 Tips to Tighten Network Security

1. Get a Firewall

The first step for any attacker is to find network vulnerabilities by scanning for open ports. Ports are the mechanisms by which your small business network opens up and connects to the wider world of the Internet. A hacker sees an open port as an irresistible invitation for access and exploitation. A network firewall locks down ports that don’t need to be open.

A properly configured firewall acts as the first line of defense on any network. The network firewall sets the rules for which ports should be open and which ones should be closed. The only ports that should be open are ports for services that you need to run.
If you’re running a Web or mail server on your network, the proper ports for those services need to be open. If you’re not running those services directly on your own network, say for example you’re hosting your website and email with a service provider, you shouldn’t have your Web server and email ports open.

Typically, most small business routers include some kind of firewall functionality, so chances are if you have a router sitting behind your service provider or DSL/cable modem, you likely have a firewall already.

To check to see if you already have firewall capabilities at the router level in your network, log into your router and see if there are any settings for Firewall or Security. If you don’t know how to log into your router on a Windows PC, find your Network Connection information. The item identified as Default Gateway is likely the IP address for your router.

There are many desktop firewall applications available today as well, but don’t mistake those for a substitute for a firewall that sits at the primary entry point to your small business network. You should have a firewall sitting right behind where your network connectivity comes into your business to filter out bad traffic before it can reach any desktop or any other network assets.

2. Password Protect your Firewall

Great, you’ve got a firewall, but it’s never enough to simply drop it into your network and turn it on. One of the most common mistakes in configuring network equipment is keeping the default password.

It’s a trivial matter in many cases for an attacker to identify the brand and model number of a device on a network. It’s equally trivial to simply use Google to obtain the user manual to find the default username and password.

Take the time to make this easy fix. Log into your router/firewall, and you’ll get the option to set a password; typically you’ll find it under the Administration menu item.

3. Update Router Firmware

Outdated router or firewall firmware is another common issue. Small business network equipment, just like applications and operating systems, needs to be updated for security and bug fixes. The firmware that your small business router and/or firewall shipped with is likely out-of-date within a year, so it’s critical to make sure you update it.

Some router vendors have a simple dialogue box that lets you check for new firmware versions from within the router’s administration menu. For routers that don’t have automated firmware version checking, find the version number in your router admin screen, and then go to the vendor’s support site to see if you have the latest version.

4. Block Pings

Most routers and firewalls include multiple settings that help determine how visible your router and/or firewall will be to the outside world. One of the simplest methods a hacker uses to find a network is to send a ping request, which is just a network request to see if something will respond. The idea is that if a network device responds, there is something there that the hacker can explore further and potentially exploit.

You can make it harder for attackers by simply setting your network router or firewall so that it won’t respond to network pings. Typically the option to block network pings can be found on the administration menu for a firewall and/or router as a configuration option.

5. Scan Yourself

One of the best ways to see if you have open ports or visible network vulnerabilities is to do the same thing that an attacker would do — scan your network.

By scanning your network with the same tools that security researchers (and attackers) use, you’ll see what they see. Among the most popular network scanning tools is the open source Nmap tool. For Windows users, the Nmap download now includes a graphical user interface, so it’s now easier than ever to scan your network with industry-standard tools, for free.

Scan your network to see what ports are open (that shouldn’t be), and then go back to your firewall to make the necessary changes.
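As an added example (not code from the article), the audit below makes this step repeatable: it parses Nmap’s grepable output (nmap -oG -) for your own gateway, compares the open ports against an allowlist of services you intend to run, and annotates the management ports the router articles above call out (Telnet, UPnP, the Web admin UI, port 32764). The scan text is a constructed sample, not a real result.

```python
"""Audit an Nmap scan of your own gateway against an allowlist of intended services.

Added example, not code from the article. It parses Nmap's "grepable" output
(nmap -oG - <gateway-ip>) and reports every open port you did not intend to
expose, annotating the management ports the router articles above single out.
"""
import re
from typing import Dict, List, Set

# Ports the router articles above recommend closing (or setting to "stealth")
# on a home or small-business gateway. Text is for the report only.
RISKY_PORTS: Dict[int, str] = {
    22: "SSH remote administration",
    23: "Telnet remote administration (cleartext)",
    80: "HTTP admin interface (check that /HNAP1/ gives no response)",
    443: "HTTPS admin interface",
    1900: "UPnP (SSDP) - should never be reachable from the Internet side",
    32764: "undocumented management port disclosed by Vanderbeken in 2013",
}

# Constructed sample of `nmap -oG -` output, not a real scan. Fields are
# tab-separated; each Ports entry is port/state/proto/owner/service/rpc/version/.
SAMPLE_SCAN = (
    "# Nmap 7.80 scan initiated as: nmap -oG - 192.168.1.1\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, "
    "53/open/tcp//domain///, 80/open/tcp//http///, 443/closed/tcp//https///, "
    "1900/open/udp//upnp///, 32764/open/tcp//unknown///\tIgnored State: closed (996)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 5.01 seconds\n"
)

# port / state / proto / owner / service / rpc info / version /
PORT_ENTRY = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text: str) -> Dict[str, List[dict]]:
    """Return {host: [{port, state, proto, service}, ...]} from -oG output."""
    hosts: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue                      # comment lines and Status-only lines
        host = line.split()[1]
        entries = hosts.setdefault(host, [])
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _owner, service, _rpc, _ver in PORT_ENTRY.findall(ports_field):
            entries.append({"port": int(port), "state": state,
                            "proto": proto, "service": service})
    return hosts


def audit(hosts: Dict[str, List[dict]], allowlist: Set[int]) -> Dict[str, List[str]]:
    """For each host, list open ports outside the allowlist (closed or filtered
    ports are not findings). Known-risky ports carry the explanation above."""
    report: Dict[str, List[str]] = {}
    for host, entries in hosts.items():
        findings = []
        for e in entries:
            if not e["state"].startswith("open") or e["port"] in allowlist:
                continue
            why = RISKY_PORTS.get(e["port"], "not in the allowlist - close it or justify it")
            findings.append(f"{e['port']}/{e['proto']} ({e['service'] or 'unknown'}): {why}")
        report[host] = findings
    return report


if __name__ == "__main__":
    # A gateway that only needs to answer DNS for the LAN: everything else is a finding.
    for host, findings in audit(parse_grepable(SAMPLE_SCAN), allowlist={53}).items():
        print(host, "-> clean" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run the real scan from a machine inside the LAN with `nmap -oG scan.txt <gateway-ip>` and feed the file to `parse_grepable`; anything the report lists should then be closed in the firewall settings or consciously accepted.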

6. Lock Down IP Addresses

By default, most small business routers use something called DHCP, which automatically allocates IP addresses to computers that connect to the network.

DHCP makes it easy for you to let users connect to your network, but if your network is exploited it also makes it easy for attackers to connect. If your small business only has a set number of users, and you don’t routinely have guest users plugging into your network, you might want to consider locking down IP addresses.

On your router/firewall admin page, there is likely a menu item under network administration that will let you specify IP addresses for DHCP users. You’ll need to identify the MAC address to which you can then assign an IP.

The benefit of assigning an IP is that when you check your router logs, you’ll know which IP is associated with a specific PC and/or user. With DHCP, the same PC could potentially have different IPs over a period of time as machines are turned on or off. By knowing what’s on your network, you’ll know where problems are coming from when they do arise.
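An added example (not from the article) of the log-attribution benefit described above: with a reservation table mapping each MAC address to its assigned IP, every DHCPACK in the router log can be checked, and any address handed to an unknown MAC, or a known MAC that ends up on the wrong address, is flagged. The log lines are constructed in dnsmasq’s DHCPACK format, which is an assumption; your router may log in a different syntax.

```python
"""Check router DHCP logs against a table of fixed IP reservations.

Added example, not code from the article. Once every known device has a fixed
IP tied to its MAC address, each DHCPACK in the router log should match the
table; anything else is either an unknown device or a known device that ended
up on the wrong address. Log format assumed: dnsmasq-dhcp
"DHCPACK(<iface>) <ip> <mac> <hostname>".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Reservation table the administrator maintains (constructed): MAC -> (IP, owner).
RESERVATIONS: Dict[str, Tuple[str, str]] = {
    "3c:22:fb:aa:bb:01": ("192.168.1.20", "alice-pc"),
    "3c:22:fb:aa:bb:02": ("192.168.1.21", "bob-laptop"),
    "b8:27:eb:aa:bb:03": ("192.168.1.30", "print-server"),
}

# Constructed sample log lines in dnsmasq-dhcp syntax, not a real capture.
SAMPLE_LOG = """\
Jan 26 09:01:12 gw dnsmasq-dhcp[421]: DHCPACK(br0) 192.168.1.20 3c:22:fb:aa:bb:01 alice-pc
Jan 26 09:02:45 gw dnsmasq-dhcp[421]: DHCPACK(br0) 192.168.1.77 3c:22:fb:aa:bb:02 bob-laptop
Jan 26 09:03:10 gw dnsmasq-dhcp[421]: DHCPACK(br0) 192.168.1.105 de:ad:be:ef:00:01 android-9f3
Jan 26 09:03:11 gw dnsmasq-dhcp[421]: DHCPDISCOVER(br0) de:ad:be:ef:00:02
Jan 26 09:04:00 gw dnsmasq-dhcp[421]: DHCPACK(br0) 192.168.1.30 b8:27:eb:aa:bb:03 print-server
"""

DHCPACK = re.compile(
    r"DHCPACK\((?P<iface>[^)]+)\) (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})(?: (?P<host>\S+))?"
)


@dataclass
class Finding:
    kind: str      # "unknown-device" or "address-mismatch"
    mac: str
    ip: str
    detail: str


def parse_acks(log: str) -> List[dict]:
    """Extract ip, mac and hostname from every DHCPACK line; other messages are ignored."""
    acks = []
    for line in log.splitlines():
        m = DHCPACK.search(line)
        if m:
            acks.append({"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"] or ""})
    return acks


def audit_leases(acks: List[dict], reservations: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Flag leases to MACs with no reservation and reserved MACs on the wrong IP."""
    findings: List[Finding] = []
    for a in acks:
        if a["mac"] not in reservations:
            findings.append(Finding("unknown-device", a["mac"], a["ip"],
                                    f"no reservation; hostname {a['host'] or '?'}"))
            continue
        expected_ip, owner = reservations[a["mac"]]
        if a["ip"] != expected_ip:
            findings.append(Finding("address-mismatch", a["mac"], a["ip"],
                                    f"{owner} is reserved {expected_ip}"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(parse_acks(SAMPLE_LOG), RESERVATIONS):
        print(f"{f.kind:17} {f.mac} {f.ip:15} {f.detail}")
```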


7. Use VLANs

Not everyone in your small business necessarily needs access to the same network assets. While you can determine and set access with passwords and permissions on applications, you can also segment your network with VLANs (virtual LANs).

VLANs are almost always part of any business class router and let you segment a network based on needs and risks as well as quality of service requirements. For example, with a VLAN setup you could have the finance department on one VLAN, while sales is on another. In another scenario, you could have a VLAN for your employees and then set up another one for contract or guest workers.
Mitigating risk is all about providing access to network resources to the people who are authorized and restricting access to those who aren’t.

8. Get an IPS

A firewall isn’t always enough to protect a small business network. Today’s reality is that the bulk of all network traffic goes over Port 80 for HTTP or Web traffic. So if you leave that port open, you’re still at risk from attacks that target port 80.

In addition to the firewall, Intrusion Prevention System (IPS) technology can play a key network security role. An IPS does more than simply monitor ports; it monitors the traffic flow for anomalies that could indicate malicious activity.

IPS technology can sometimes be bundled into a router as part of a Unified Threat Management (UTM) device. Depending on the size of your small business network, you might want to consider a separate physical box.

Another option is to leverage open source technologies running on your own servers (or as virtual instances if you are virtualized). On the IPS side, one of the leading open source technologies is called Snort.

9. Get a WAF

A Web Application Firewall (WAF) is tasked with helping to protect against attacks that are specifically targeted at applications. If you’re not hosting applications within your small business network, the risks that a WAF helps to mitigate are not as pronounced.

If you are hosting applications, a WAF in front of (or as part of) your Web server is a key technology that you need to look at. Multiple vendors including Barracuda have network WAF boxes. Another option is the open source ModSecurity project, which is backed by security vendor Trustwave.
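The kind of inspection the IPS and WAF sections describe, as one added example that is neither Snort nor ModSecurity code: a handful of hypothetical signature rules are run over constructed web-server access-log lines, with percent-encoding undone first so that a trivially encoded request does not slip past a pattern that matches the decoded form. Real IPS and WAF products ship far larger rule sets and inspect headers, bodies and connection state, not just the request line; the rule ids, log lines and client addresses here are made up.

```python
"""Signature-style inspection of web request lines, in the spirit of an IPS or WAF.

Added example, not code from Snort or ModSecurity.  Runs a small hypothetical
rule set over constructed access-log lines and returns the alerts a monitoring
tool would raise.
"""
import re
from urllib.parse import unquote

# Constructed access log in common log format (not from a real server).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [01/Jan/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.11 - - [01/Jan/2018:10:00:02 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 12
203.0.113.12 - - [01/Jan/2018:10:00:03 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 522
203.0.113.13 - - [01/Jan/2018:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 300
203.0.113.10 - - [01/Jan/2018:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 800
"""

# Hypothetical rule set: (rule id, description, pattern applied to the decoded request path).
RULES = [
    ("1001", "directory traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("1002", "SQL injection probe", re.compile(r"'\s*(or|and)\s*'?\d*'?\s*=", re.I)),
    ("1003", "script tag in parameter", re.compile(r"<\s*script\b", re.I)),
]

# client, method, path and status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_url(raw):
    """Percent-decode twice so a doubly encoded request is inspected in plain form."""
    return unquote(unquote(raw))


def inspect(log_text, rules=RULES):
    """Return (client ip, rule id, description, decoded path) for every rule hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a request line we understand
        client, _method, path, _status = m.groups()
        decoded = decode_url(path)
        for rule_id, desc, pattern in rules:
            if pattern.search(decoded):
                alerts.append((client, rule_id, desc, decoded))
    return alerts


if __name__ == "__main__":
    for client, rule_id, desc, path in inspect(SAMPLE_ACCESS_LOG):
        print(f"ALERT rule {rule_id} ({desc}) from {client}: {path}")
```

Working from the access log is a cheap way to see what a WAF would have flagged before you buy one; an inline WAF applies the same matching to the live request and can block it rather than only log it.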


10. Use VPN

If you’ve gone through all the trouble of protecting your small business network, it makes sense to extend that protection to your mobile and remotely connected employees as well.

A VPN (Virtual Private Network) lets your remote workers log into your network through an encrypted tunnel. That tunnel can then be used to shield your remote employees with the same firewall, IPS and WAF technologies that local users benefit from.

A VPN also protects your network by not letting users who may be coming in from risky mobile environments connect in an insecure fashion.

You Can Secure Your Network

You may be a small business, but you can use these 10 tips to help secure your network. Though hackers don’t discriminate against small businesses, they do tend to go after the low-hanging fruit and the easier targets.

Lock down your network with a properly configured firewall, understand your own internal network with locked down IPs, VLANs and VPN, and you’ll be ten steps ahead of the low-hanging fruit.

How to Protect Your Family Online With OpenDNS Familyshield

WHAT IS FAMILYSHIELD?

OpenDNS FamilyShield is the first and only standalone parental controls solution to protect the family Wii, Xbox or any Internet-connected gaming console when set up on a wireless router. Additionally, the service automatically blocks websites known as proxies and anonymizers, commonly used by Internet-savvy kids to bypass Web filters and render parents’ efforts to secure their home Internet useless. Proxies and anonymizers are no match for FamilyShield.

FamilyShield is also the only parental controls service to automatically block phishing sites (fraud and identity theft) and malware sites that spread viruses and can wreak havoc on home computers.

Additionally, FamilyShield is the only parental controls service to constantly update the lists of blocked websites, 24/7. That means when a new pornographic, phishing or malware site, or a new proxy or anonymizer, is published to the Internet, FamilyShield users can rest assured their household is automatically protected, with no action required on their end.

Lastly, FamilyShield is the only parental controls service that will actually improve the household Internet performance, making it both faster and more reliable. This is in stark contrast to other software-based parental controls products that bloat and often slow down computers and the Internet when installed.

HOW DOES IT WORK?

When you configure a standalone computer (desktop or laptop), a network router, or an internal DNS server to use the OpenDNS IP addresses, you are instructing your Internet browsers, email systems and other Web applications to use OpenDNS servers to find your intended Internet destination.

When you change your DNS preferences to OpenDNS, you are improving the capability of your computer and your network to navigate the Internet, send email and perform other Web functions.

OpenDNS security features offer significant safety benefits that protect Internet users from identity theft, infected computer systems and related down-time, and from receiving and unwittingly spreading viruses, botnets and spam.

FamilyShield Router Configuration Instructions

1. Log in to your router to access preferences/settings.

Usually the preferences are set in your web browser, via a URL with a local network IP address (example: http://192.168.0.1 or http://192.168.1.1). You will need the username and password. The default username/password for your router are easily found by searching online for your router’s make/model and default login information (admin/admin and admin/password are common defaults).

2. Locate the DNS server settings.

Scan for the letters DNS next to a field that accepts two or three sets of numbers, each broken into four groups of one to three digits. (The original page showed a screenshot of the old DNS servers here.) You will probably need to check a box to use custom DNS servers before you can add your own.

3. It’s a good idea to write down your current settings before entering the OpenDNS addresses, in case you want to change back later. Enter the FamilyShield DNS server addresses below into your router, replacing your current primary and secondary DNS servers. Now click save/apply. A router restart may be required for the settings to take effect.

  • 208.67.222.123 (FamilyShield primary DNS)
  • 208.67.220.123 (FamilyShield secondary DNS)

4. Now Test your Settings

Browse to https://welcome.opendns.com/. If you have successfully set your public DNS to the OpenDNS servers, you will see “Welcome to OpenDNS!”.
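The welcome page confirms the router; it does not tell you whether every device is actually using the router's DNS. A device with its own manually configured resolver bypasses the filter entirely, so a per-device check is worth having. The script below is an added example, not part of the OpenDNS instructions: it parses resolver settings in the `/etc/resolv.conf` format (on Windows the same addresses appear under "DNS Servers" in `ipconfig /all`) and compares them with the two FamilyShield addresses listed above. The configuration samples are constructed.

```python
"""Check that a device's configured resolvers are the OpenDNS FamilyShield pair.

Added example, not from the OpenDNS instructions.  The two FamilyShield
addresses are the ones given in the router instructions above; the sample
resolver files are constructed.
"""
import ipaddress

FAMILYSHIELD = {"208.67.222.123", "208.67.220.123"}

# Constructed resolv.conf contents.
SAMPLE_GOOD = """\
# generated by hand
nameserver 208.67.222.123
nameserver 208.67.220.123
search lan
"""

SAMPLE_BYPASS = """\
nameserver 192.168.1.1
nameserver 198.51.100.53
"""


def parse_nameservers(text):
    """Return the resolver addresses from resolv.conf-style text, in listed order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue                            # ignore malformed entries
    return servers


def familyshield_status(text):
    """Classify the resolver configuration.

    'ok'      at least one resolver is set and all of them are FamilyShield
    'partial' FamilyShield is listed alongside another resolver; lookups that
              the other resolver answers are not filtered
    'bypass'  no FamilyShield resolver at all
    """
    servers = set(parse_nameservers(text))
    if not servers:
        return "bypass"
    if servers <= FAMILYSHIELD:
        return "ok"
    if servers & FAMILYSHIELD:
        return "partial"
    return "bypass"


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bypass", SAMPLE_BYPASS)):
        print(label, parse_nameservers(sample), familyshield_status(sample))
```

The 'partial' case matters because resolvers are tried in order with fallback: a second, unfiltered resolver means the filter only applies when the first one answers.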

5 Good Practices To Avoid Getting Hacked

Computer hacking is a serious problem and will only get worse until more advanced security measures are developed and put into place. In Canada, there are about 33 hacking cases for every 100,000 people each year. Businesses are targeted more than individuals: in a Ponemon Institute study, 90% of respondents said their organizations’ computers had been breached at least once by hackers over the past 12 months. Some simple precautions reduce the likelihood of being hacked. The following suggestions are some of the best ways you can prevent your business from being hacked.

Use Complex Passwords
According to StopTheHacker.com, it takes only 10 minutes to crack a lowercase password that is six characters long. It is very important to avoid simple passwords such as “password123” or “login123”, or passwords that reference personal information such as your name. Instead, use a complex password with upper- and lower-case letters, numbers and, if possible, symbols. Something like “W0rk1ngF0r@L1v1ng!” is far more secure and relatively easy to remember. Use a different password for each login account across your systems and websites, and never store passwords in a digital file on your computer or servers, especially one called passwords.doc or similar. If you must write them down, use pen and paper and keep the document in a very secure location, such as a locking file cabinet or safe. https://howsecureismypassword.net/ is an excellent tool to help determine what constitutes a good or bad password.
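To put the figures above in concrete terms, an added example (not the article's code and not what howsecureismypassword.net runs): it computes the keyspace an exhaustive search of a password has to cover, the time that takes at an assumed guess rate, and rejects passwords that appear on a small constructed list of common passwords or contain personal data, because those fall to dictionary and pattern guessing long before the keyspace figure would suggest. The guess rate, the common-password list and the 60-bit threshold are assumptions chosen for illustration.

```python
"""Keyspace and brute-force time estimates for passwords.

Added example, not from the article.  GUESSES_PER_SECOND, COMMON_PASSWORDS and
the 60-bit threshold are illustrative assumptions.
"""
import math
import string

GUESSES_PER_SECOND = 1_000_000_000      # assumed offline guessing rate, for illustration only

# Stand-in for a list of breached/common passwords (constructed).
COMMON_PASSWORDS = {"password", "password123", "login123", "123456", "qwerty"}


def charset_size(pw):
    """Size of the alphabet a brute-force search must cover to include every character used."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),   # 32 ASCII symbols
    ]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    if any(c not in string.printable for c in pw):
        size += 100                                      # rough allowance for non-ASCII characters
    return size


def keyspace(pw):
    """Number of candidates an exhaustive search over the detected alphabet would try."""
    return charset_size(pw) ** len(pw)


def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace at `rate` guesses per second."""
    return keyspace(pw) / rate


def assess(pw, personal=()):
    """Return (verdict, reason).  `personal` holds facts an attacker could look up (name, birth year)."""
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        return ("weak", "appears in common-password list")
    for item in personal:
        if item and item.lower() in low:
            return ("weak", f"contains personal information '{item}'")
    if len(pw) < 12:
        return ("weak", f"only {len(pw)} characters")
    bits = math.log2(keyspace(pw))
    if bits < 60:
        return ("weak", f"only {bits:.0f} bits of keyspace")
    return ("ok", f"{bits:.0f} bits of keyspace")


if __name__ == "__main__":
    for candidate in ("abcdef", "password123", "W0rk1ngF0r@L1v1ng!"):
        verdict, reason = assess(candidate)
        print(f"{candidate!r}: {verdict} ({reason}); "
              f"keyspace {keyspace(candidate):.3g}, {seconds_to_exhaust(candidate):.3g} s to exhaust")
```

The six-character lowercase case has a keyspace of 26^6, about 3.1e8 candidates, so the time-to-crack figure quoted above is really a statement about the attacker's guess rate; the assessment function deliberately checks the common-list and personal-data cases before it looks at keyspace at all.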

Enable two-step authentication whenever possible.
Most cloud-based web logins now support this option, which adds a second layer of authentication to verify your identity as you log into your email, banking, shopping and other online portals. Usually these systems require you to log in to your account with your password; then a text message with a code is sent to you for the second step of authentication. Some websites offer an Android or iOS app that provides the code for the second step instead.
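The "app that provides the code" is usually a TOTP generator (RFC 6238), and the following is an added example of how it works, not code from the article or from any particular service: the phone app and the server share a secret, and both compute the same six-digit code from that secret and the current 30-second time step, so nothing has to be sent by text message at all. The secret used here is the RFC 6238 test-vector secret, not a real account secret, and the verification helper is a plain illustration of the server side.

```python
"""Time-based one-time passwords (RFC 6238) as used by authenticator apps.

Added example, not from the article.  SECRET is the RFC 6238 SHA-1 test-vector
secret, so the codes below can be checked against the RFC's published values.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"     # RFC 6238 test-vector secret (not a real one)
STEP = 30                            # seconds per time step
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """TOTP: HOTP with the counter set to the number of `step`-second intervals since the Unix epoch."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify(secret, code, at=None, window=1):
    """Server-side check.

    Accepts codes from `window` steps either side of now to tolerate clock
    drift, and compares in constant time so response timing does not reveal
    how many leading digits matched.
    """
    t = int(time.time() if at is None else at)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, t // STEP + drift), code):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(SECRET))
    print("RFC 6238 vector at t=59:", totp(SECRET, at=59))   # 287082 (last six digits of 94287082)
```

A real server additionally remembers the last time step it accepted for each user so a code cannot be replayed within its validity window, and it rate-limits attempts, since a six-digit code has only a million possibilities.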

Watch Out for Suspicious Links in Emails
Hacking attempts often start when a person clicks on a link in an email. Be extremely cautious about which links you click, even in emails from people you know: that innocent-looking link may have malware, a virus or a hacking tool at the other end of it. When in doubt, delete the email.

Be Careful With Attachments
The same logic holds true for email attachments. Use anti-virus software that can scan and filter email attachments before they are opened. The file types most commonly used for hacking via email attachments are .zip, .pdf, .doc and .exe. Be wary of emails that have been caught by your spam folder or that come from an unknown sender.
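Both points, link checking and attachment checking, as one added example that is not from the article: it builds a constructed message with Python's standard `email` library, lists attachments whose final extension is on the list named above, and flags HTML links whose visible text shows one host while the link actually points somewhere else, which is the usual shape of a deceptive email link. The sender, hosts, filenames and attachment bytes are made up.

```python
"""Triage an e-mail for deceptive links and risky attachment types.

Added example, not from the article.  Standard library only; the sample
message and all addresses and hosts in it are constructed.
"""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# The attachment types the article names; a name like invoice.pdf.exe is judged by its final extension.
RISKY_EXTENSIONS = {".zip", ".pdf", ".doc", ".exe"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def build_sample():
    """Constructed message for the demo (hypothetical sender, hosts and filenames)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Review your invoice at '
        '<a href="http://login.example.org/verify">https://bank.example.com/login</a> '
        'or read the <a href="https://bank.example.com/help">help page</a>.</p>',
        subtype="html")
    msg.add_attachment(b"\x00placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_string()


def host_of(text):
    """Lower-cased host named by a URL, or by bare text that looks like one; None if there is none."""
    candidate = text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    host = urlparse(candidate).hostname
    return host.lower() if host else None


def suspicious_links(html):
    """(visible text, real href) for links whose visible text names a different host than the href."""
    findings = []
    for href, label in LINK_RE.findall(html):
        label = re.sub(r"<[^>]+>", "", label).strip()
        if "." not in label or " " in label:
            continue                # ordinary words make no claim about the destination
        shown, actual = host_of(label), host_of(href)
        if shown and actual and shown != actual:
            findings.append((label, href))
    return findings


def risky_attachments(msg):
    """Filenames of attachments whose final extension is on the watch list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw):
    """Parse a raw message and return both kinds of finding."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"links": suspicious_links(html), "attachments": risky_attachments(msg)}


if __name__ == "__main__":
    print(triage(build_sample()))
```

The link check only fires when the visible text itself looks like an address, because a link labelled "help page" makes no claim about where it goes; hovering over a link in a mail client shows the same href this code reads.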

Don’t Share Sensitive Data on Public Wi-Fi
Public Wi-Fi can be a hotspot for hackers. The security on these networks is often minimal, and just by connecting to public Wi-Fi you may give hackers access to your computer and its precious data. If you must use public Wi-Fi, use a VPN to encrypt all traffic to and from your computer, or use a cellular portable hotspot, since those connections are much harder to intercept.