If Santa brings you a bunch of new electronic toys for Christmas, take an extra moment to secure them properly. Many new devices will work fine straight out of the box, but this usually means they are set up with very insecure manufacturer defaults. Here are our tips:
- Default passwords – Always take a moment to replace the default user name and password (often just “admin” and “password”) with something more secure. Passwords should be at least 12 characters long. If the device is never leaving the building, such as a smart thermostat or wireless router, I have no problem with affixing a label with the login information to the device as a memory aid. If your attacker can read the label, you have bigger problems to worry about.
- Remote administration – If your device allows for remote support and administration, turn this feature off unless it is absolutely necessary. If remote administration needs to be enabled, then choose an especially good user name and password combination.
- Non-privileged account – Only use the administrator account for performing administrative functions. It is much safer to create a non-privileged or non-administrative user account for general use. This is especially true if your device is connecting to the Internet.
- Configure securely – When setting up your device, use the most secure settings that are available.
- Sharing – Take a close look at any configuration for information sharing, and restrict sharing to applications where it is absolutely necessary.
- Location – Many devices are location aware, and report their location to an online resource of some sort. Determine if this is necessary to the operation of your device, and if not, turn it off.
- Device locking – Set your device to require a password or PIN at startup and whenever it is unlocked for use. This is especially important for portable devices such as phones, tablets, and laptops. If you can just power it up and use it without a password, so can the guy who just stole it. Or your snoopy in-laws.
- Remove unneeded apps – Many devices come with a bunch of pre-installed applications. A flaw in any one of them can give an attacker an exploitable vulnerability. Removing apps you don’t use will reduce the attack surface.
- Patch and update – Patches and updates usually provide security enhancements.
- Secure IoT devices – Internet of Things devices such as smart thermostats, web-connected security cameras, baby monitors, and wireless routers have enough memory and processing power to be used as part of a botnet. We saw the power of the Mirai botnet earlier this year. Make sure your IoT devices are configured securely, too.
Here’s hoping you have a very electronic Christmas, and a secure and safe New Year!