PC Pro

TIPS FOR SMALL BUSINESSES


There are plenty of tools out there to help map your network and see what’s connected at any given time, as well as identify your network’s weak spots. The good news is that these needn’t cost a fortune – or, indeed, anything at all. Even if they don’t require a direct financial investment, however, they do require you to invest some time to learn how to best use them and properly understand the results they’re returning. For the small business that really wants to get to grips with network security, there’s plenty to be said for adopting the “think like a hacker” approach. Using the same vulnerability discovery tools as they do is one great example, and such tools don’t come any better than Metasploit. Unfortunately, Metasploit is no longer free, although the owners (Rapid7) do offer a free small-business edition (rapid7.com/products) that lets you simulate real-world attacks on your network to expose holes a malicious hacker may otherwise exploit. Individual users (look for the Community Edition) also get access to the Rapid7 Nexpose vulnerability scanner, which provides a contextualised view of the network attack surface.

If your small business has a security budget then it’s well worth investing in a business-grade firewall that goes beyond password-only access, and takes Wi-Fi into the realm of certificate-based EAP-TLS authentication. Simply put, this would mean that every client and every router would have to identify itself to the other using public-key cryptography before any connection is allowed. That’s all fine and dandy, until you mention the Internet of Things...

The majority of IoT devices are built to a budget, and a low one at that. This means certificate-based authentication (as described above) almost certainly won’t be supported. All is not lost, however, as most consumer-grade routers actually support the use of multiple virtual LANs (VLANs) and will even go as far as managing the port-forwarding options as well. This means it’s possible to circumvent some of the insecurities of IoT devices by connecting them to a VLAN that’s different from the one to which your laptops and smartphones are connected.

Your router firewall, assuming it has such functionality, is worth enabling for an additional layer of security. Layered security is usually a good thing: if a casual attacker peels off one layer and there are even more to burrow through, then they’ll likely give up. A determined hacker, who has good reason to compromise your network and the skills to exfiltrate your data, will most likely succeed whatever you do, so it’s almost worth considering them a lost cause to defend against. If that sounds defeatist, it really isn’t: 99% of the attackers probing your networks will be casual hackers trying their luck. The good thing with the firewalls that are built into routers is that, for the most part, they can be used to set up rules that will lock devices down as well as the ports that might broadcast information to non-trusted parties. You can also set up firewall rules so that traffic isn’t allowed to cross between VLANs, with the exception of connecting from your main network to the guest, and not the other way around.
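
The one-way rule described above, written as an nftables ruleset for a Linux-based router (an added example, not from the original article). The interface names br-main, br-guest and wan0 are assumptions; substitute the ones your router uses for each VLAN and for the internet uplink.

```nft
# Constructed example: one-way isolation between two VLANs.
# Assumed interface names (not from the article):
#   br-main  = trusted network (laptops, smartphones)
#   br-guest = guest / IoT VLAN
#   wan0     = internet uplink

table inet vlan_isolation {
    chain forward {
        # Anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies belonging to a connection that was allowed to start
        # are let back through, in either direction.
        ct state established,related accept
        ct state invalid drop

        # The main network may open connections to the guest/IoT VLAN...
        iifname "br-main" oifname "br-guest" accept

        # ...but a device on the guest/IoT VLAN may not open one to the
        # main network. Logging the attempt shows which device tried.
        iifname "br-guest" oifname "br-main" log prefix "guest-to-main blocked: " drop

        # Both networks may reach the internet.
        iifname { "br-main", "br-guest" } oifname "wan0" accept
    }
}
```

The connection-tracking rule is what makes the policy one-way rather than a full block: a laptop can still reach a printer or camera on the guest VLAN and receive its replies, while a compromised IoT device cannot start a conversation with the laptop.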

Something the home user doesn’t have to worry about, for the most part anyway, is the physical security of IT devices. Let’s face it, whose house have you visited where the router was secured with a Heath Robinson Kensington lock contraption? While the small business may not have to worry too much about someone stealing the router, a prankster resetting it could be more than a little problematical. Keeping it secure in a locked cabinet makes good sense all round, but may not always be practical. If not, then try locating it on a high shelf or cupboard top, where stealthy access is simply impossible. It also makes it much harder for a would-be data thief to simply walk up and plug a cable into a spare Ethernet port in an attempt to sidestep your Wi-Fi security measures. Talking of which, ensure your Wi-Fi network is firewalled off from the rest of your network.
