Home Security 101
Whether you are working from home or just living, at this point in time you should have some level of security at home. In this post I’m going to explore the basics. Pros and prosumers, you can stop reading here, you know all this :)
OK, so what exactly are .. The Basics? Let’s start with 3 fundamentals.
- Use an Authenticator app for your most important stuff
- Install patches and updates
- Configure an upstream DNS filtering service
Authenticator Apps
This might sound scary and complicated, but it’s really not. In essence what you have is an app on your phone (I’m just going to jump to the conclusion that you are using an iPhone or an Android device at this point in time), and whenever you try to log into a website or application that you have chosen to protect, you will type in a seemingly random code displayed on your phone into the app or website. What this is doing is making it harder for the Bad Person to pretend to be you. They can have your username/email address and your password, but unless they also have your phone, it’s unlocked and physically with them, they can’t log in.
How to get started? Pick an authenticator app. There are a few, and they essentially all work the same way. I have, and currently use (by choice) 4 different ones (cause I’m a security geek and it’s fun to test them and see what they change) … Microsoft, Google, Authy and Okta. For home use, I would suggest going with Authy if you use multiple devices or Microsoft.
After that, it is sadly a one-by-one configuration to log into each app/website and enable the use of two-factor login. If you can, avoid the SMS/TXT options … it is possible to spoof doing this, it’s better than nothing, but if there is the option to use an authenticator app, take that one. Oh, and ignore any labels about specific authenticator apps … they will all scan the QR codes and they will all present a valid code to enter. While it is technically possible for this not to be the case, I have yet to see a situation where using Google instead of Microsoft authenticator apps made any difference, even in ahem “secure environments”.
Focus on banking, financial, legal and other websites and apps where your most sensitive information is. If a Bad Person could get your money or your personal information, start there.
Install Patches and Updates
Perhaps one of the simplest aspects, but often overlooked or skipped … installing the updates provided by your technology provider. Whether it be Microsoft for Windows and Office, Apple for iDevices and Macs, Google for Chromebooks and Chrome or for apps through AppStores … if there is an updates, especially a security update, install it! The days of being nervous about that are long past, and at the speed that nefarious actors are attacking and looking for gaps in defenses, erring on the side of action is frankly my recommendation. And even if there is an issue with the update, trust me the technology provider will fix that fast.
Configure an upstream DNS filtering service
Where I might take you into uncomfortable territory, and this is why this is the 3rd item, is to configure an upstream DNS filtering service. A what?
A quick sidebar: DNS stands for Domain Name Service. When you type www.google.com into your browser, that’s just for dumb humans who can’t remember long and complicated numbers and internet locations. In reality, when you type that, DNS takes that string of letters, looks up a massive database of names to find where on the internet that actually is, and redirects you there.
What’s the problem? Well, a few things. Firstly, anything that makes things easier like this, makes it easier for everyone … including Bad People. It makes it easy to leverage typos to direct you to fake sites, and it also provides the mechanism for things like trackers and ads to monitor what you do and build a profile so they can target you.
So, a DNS filtering service takes that huge database, and marks all the bad stuff as … bad … and if you try to go there, it says no. Now, nothing will stop everything, but it will stop the majority, and that’s a huge win.
How do you do this? It kinda depends, if you are using a wifi device and/or router from your internet provider, they tend to be very basic in nature, and the default password is literally written on it. I joke not. You log onto it, and change the DNS settings to the provider of your choice. I cannot give a lot more details on this simply because of the sheer number of devices and their interfaces, but if you do a search on the internet, most of them are very easy to change.
What are the options? I’ll break this down into 2 groups:
- Devices
- Services
Devices. The most common device people use for a Home based ad and tracking filter in a RaspberryPi. This is a small, very low cost device that has many uses, one of which is to install something like Pi-hole or AdGuard Home on it. You point your DNS to this device, it drops all the bad stuff. The key value this gives you over the web service options below is that the traffic never leaves your home. So if you have a data based internet plan, the traffic savings can be significant. It does come with both a setup cost and effort and some maintenance, but if you want to get a little geeky, it is a fun learning experience!
Services. If you just want to point-and-click, you can point your DNS at one of many DNS filtering services. There are many options, some are free, some are paid, some have a free tier and then step up pricing for more. Here’s a few of the ones I use or have tried and know work well:
- OpenDNS. The free version works great, and allows you to block categories of content … adult sites, dating etc, and a basic level of ads and tracking. It’s fine as a low-impact start, but it does not go as deep and intrusive as the others for ads and tracking.
- Quad9. Similar to OpenDNS, Quad9 will give you a basic level of protection against threats and known bad domain names.
- AdGuard DNS. AdGuard has a variety of offerings, you saw AdGuard Home above, and the second item I would recommend is the web service version of that, AdGuard DNS. There is a free tier that for many would be just fine, or if you have a high traffic environment or multiple locations you can purchase for a relatively low cost expanded protection.
Final note on DNS Filtering … sometimes things don’t work. Especially if you get a little aggressive with the filters, so you have to keep in mind that when something isn’t working, it might be getting blocked. Each of the solutions above have a way to look at a Query Log and see what’s been passed through and what has been blocked. I would recommend a quick “Disable Protection” and test … if it immediately works then the filter is the problem and you can start digging. If it still doesn’t work, it’s not the filter and likely just an issue somewhere else on the internet.
I’ll go into more detail on my own security setup in a separate post, but if you can start using an Authenticator app and installing patches, that is a great start :)
Stay safe.