
NSA Guide Keeping Home Network Secure

This document provides recommendations for securing a home network. It discusses securing electronic devices like computers and phones, as well as the network components like routers and wireless access points. It recommends using strong passwords, keeping software updated, using firewalls and encryption, and exercising caution with public WiFi.


Best Practices for Keeping Your Home Network Secure

September 2016

Don’t be a victim. Cyber criminals may leverage your home network to gain access to personal, private, and confidential information. Help protect yourself and your family by observing some basic guidelines and implementing the following mitigations on your home network.

Electronic Computing Device Recommendations

Electronic computing devices include computers, laptops, printers, mobile phones, tablets, security cameras, home appliances, cars, and “Internet of Things” devices. Take special care to secure them and prevent misuse.

1. Migrate to a Modern Operating System

The most recent version of any operating system (OS) inevitably contains security features not found in previous versions. Many of these security features are enabled by default and help prevent common attack vectors. Utilizing the latest available and supported 64-bit OS for desktops and laptops makes it more difficult for an adversary to gain privileged access to a computer. Employ the OS auto-update feature to keep computers updated. Alternatively, download patches and updates from a trusted vendor on a monthly basis at a minimum.

2. Install a Security Suite

Install a comprehensive security suite that provides layered defense via anti-virus, anti-phishing, safe browsing, host-based intrusion prevention, and firewall capabilities. Several security suites also provide access to a cloud-based reputation service for detecting and preventing execution of malware.

To prevent data disclosure in the event that a laptop is lost or stolen, implement full disk encryption.

3. Protect Passwords

Ensure that passwords and challenge responses are properly protected since they provide access to personal information. Passwords should be strong [1], unique for each account, and difficult to guess.

4. Limit Use of the Administrator Account

In every OS the highly-privileged administrator account has the ability to access all files and configurations on your system. Malware can more effectively compromise your system if executed while you are logged on as an administrator. Create a non-privileged “user” account for normal, everyday activities such as web browsing, email access, and file creation/editing. Only use the privileged account for maintenance, installations, and updates.

5. Update Software from Trusted Sources

Attackers often exploit vulnerabilities in unpatched, outdated software applications running on your computing device. Enable the auto-update feature for applications that offer this option and promptly install patches. If automated updates are not available within an application, seek out products that can quickly survey product health/status. For mobile devices, disable third-party software installations, don’t jailbreak/root the device, and disable developer mode.

Network Recommendations

Home network devices include modems, routers, and wireless access points (WAP). These devices control the flow of information into and out of your network and should be carefully secured.

1. Improve Administrator Control

Your Internet Service Provider (ISP) may provide a modem/router as part of your service contract. To maximize administrative control over the routing and wireless features of your home network, use a personally-owned routing device that connects to the ISP-provided modem/router. Use modern router features to create a separate wireless network for guests.

2. Employ Firewall Capabilities

Ensure your personally-owned routing device supports basic firewall capabilities. Verify that it includes Network Address Translation (NAT) to prevent internal systems from being scanned at the network boundary. WAPs generally do not provide these capabilities, so it may be necessary to purchase a router. If your ISP supports IPv6, ensure your router supports IPv6 firewall capabilities.

3. Implement WPA2 on the Wireless Network

To keep your wireless communication confidential, ensure your personal or ISP-provided WAP is using Wi-Fi Protected Access 2 (WPA2). When configuring WPA2, use a strong passphrase of 20 characters or more. Note that some computers may not support WPA2 and require a software or hardware upgrade. When identifying a suitable replacement, ensure the device is WPA2-Personal certified. Change the default SSID to something unique.

4. Limit Administration to the Internal Network

Disable the ability to perform remote/external administration on the routing device. Only make network configuration changes from within your internal network. Disable Universal Plug-n-Play (UPnP). These measures help close holes that may enable an attacker to compromise your network.

5. Implement Strong Passwords on all Network Devices

For any network device that can be managed through a web interface, such as routers and printers, use a strong [1] and unique password. Devices with missing, weak, or default passwords may allow attackers to infiltrate these devices and gain access to other internal systems.

Home Entertainment Device Recommendations

Most home entertainment devices, such as Blu-Ray players, streaming video players, and video game consoles, can access the Internet. Implement security measures to ensure these devices don’t become a weak link in your network.

1. Protect the Device within the Network

Ensure the device is behind the home router/firewall to protect it from unfettered access from the Internet. In the case of a device that supports wireless, follow the Wireless LAN security guidance in this document.

2. Use Strong Passwords for Service Accounts

Home entertainment devices typically require you to sign up for additional service accounts or link with other social media accounts. Ensure that each account is protected with a strong [1], unique, and difficult to guess password.

Internet Behavior Recommendations

In order to avoid revealing sensitive information, abide by the following guidelines while accessing the Internet.

1. Authentication Safeguards

Protect your login passwords and take steps to minimize misuse of password recovery options.

Disable the feature that allows web sites or programs to remember passwords.

Many online sites make use of password recovery or challenge questions. To prevent an attacker from leveraging personal information to answer challenge questions, consider providing a false answer to a fact-based question, assuming the response is unique and memorable.

Use multi-factor authentication whenever possible. Examples of multi-factor authentication that pair with password login include secondary confirmation phone/email, security questions, and trusted device identification.

2. Exercise Caution when Accessing Public Hotspots

Many establishments, such as coffee shops, hotels, and airports, offer wireless hotspots or kiosks for customers to access the Internet. Because the underlying infrastructure of these is unknown and security is often weak, these hotspots are susceptible to adversarial activity. If you have a need to access the Internet while away from home, avoid direct use of public access.

If possible, use the cellular network (that is, mobile Wi-Fi, 3G, or 4G services) to connect to the Internet instead of public hotspots. This option generally requires a service plan with a cellular provider.


If public Wi-Fi must be used, make use of a trusted virtual private network (VPN). This option can protect your connection from malicious activities and monitoring.

3. Do Not Exchange Home and Work Content

The exchange of information between home systems and work systems via email or removable media may put work systems at an increased risk of compromise. Ideally, use organization-provided equipment and accounts to conduct work while away from the office. If using a personal device, it’s preferable to attach to a remote desktop or terminal server inside the corporate network. Avoid using personal accounts and resources for business interactions. Always use a VPN to connect to corporate networks to ensure your data is secured through encryption.

4. Device Isolation

Establish a level of trust based on a device’s security features and its usage. Consider segregating devices dedicated to different purposes. For example, one device may be for financial/PII use and another for games/children’s activities.

5. Enable the Use of TLS Encryption

Application encryption (TLS) over the Internet protects the confidentiality of sensitive information while in transit when logging into web-based applications such as webmail, banking, and social networking sites. This prevents others from intercepting, reading, and potentially altering your data while in transit between you and the site.

When conducting activities such as account logins and financial transactions, ensure the web site supports TLS. Many browsers enable TLS by default; if an older browser must be used, select TLS over other encryption (SSL). Most web browsers provide some indication that TLS is enabled, shown for instance as “https:” in the URL or as a lock icon.

6. Follow Email Best Practices

Email is a potential attack vector for hackers. The following recommendations help reduce exposure to threats:

• To prevent reuse of any compromised passwords, use a different password for each account. Periodically change your password.

• Avoid using the out-of-office message feature unless absolutely necessary. Make it harder for unknown parties to learn about your activities or status.

• Always use secure email protocols, particularly if using a wireless network. Configure your email client to use the TLS option (Secure IMAP or Secure POP3).

• Avoid opening attachments or links from unsolicited emails. Check the identity of the sender via secondary methods (phone call, in-person) and delete the email if verification fails. For those emails with embedded links, open a browser and navigate to the web site directly by its well-known web address or search for the site using an Internet search engine.

• Never open emails that make outlandish claims or offers that seem “too good to be true.”

7. Take Precautions on Social Networking Sites

Social networking sites are a convenient means for sharing personal information with family and friends. However, this convenience also brings a level of risk. To protect yourself, do the following:

• Avoid posting information such as address, phone number, place of employment, and other personal information that can be used to target or harass you.

• Limit access of your information to “friends only” and verify any new requests by phone.

• Review the security policies and settings available from your social network provider quarterly or when the site’s Terms of Use changes. Opt out of exposing personal information to search engines.

• Refer to email best practices about precautions concerning unsolicited requests and links.
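
The guide's definition of a strong password (reference 1: at least 12 characters, mixed character classes, no dictionary words or keyboard patterns) and its 20-character WPA2 passphrase minimum can be checked mechanically. The following Python code is an added example, not part of the original guide; the function names, the constructed sample word list, the substitution table, the four-key pattern threshold, and the choice to apply the same character rules to the WPA2 passphrase are assumptions.

```python
import re

# Constructed sample list (assumption); a real audit would load a full dictionary file.
SAMPLE_WORDS = {"password", "welcome", "monkey", "network", "router", "admin"}
# Keyboard rows plus the alphabet, matched forwards and backwards.
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "abcdefghijklmnopqrstuvwxyz"]
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("0134578@$!", "oleastbasi")
CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
           "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def has_keyboard_run(text, run=4):
    """True if text holds `run` adjacent keys from one row, in either direction."""
    lowered = text.lower()
    for row in KEY_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in lowered for i in range(len(seq) - run + 1)):
                return True
    return False

def find_dictionary_words(text, words=SAMPLE_WORDS):
    """Return listed words found in text, as typed or after undoing substitutions."""
    variants = {text.lower(), text.lower().translate(LEET)}
    return sorted(w for w in words if any(w in v for v in variants))

def check_password(pw, min_length=12):
    """List the ways pw falls short of the guide's strong-password definition."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, pw):
            problems.append(f"no {name} character")
    hits = find_dictionary_words(pw)
    if hits:
        problems.append("contains dictionary word: " + ", ".join(hits))
    if has_keyboard_run(pw):
        problems.append("contains keyboard pattern")
    return problems

def check_wpa2_passphrase(passphrase):
    """Same checks with the guide's 20-character minimum for WPA2 (assumption)."""
    problems = check_password(passphrase, min_length=20)
    if len(passphrase) > 63:  # WPA2-Personal passphrases are 8 to 63 characters
        problems.append("longer than the 63 characters WPA2-Personal accepts")
    return problems
```

An empty list means the candidate meets every criterion; a value such as "P@ssw0rd2016!" passes the length and character-class rules but is still rejected because the substitutions hide a dictionary word.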


References

[1] A strong password contains a mix of lower and uppercase characters, numbers, and symbols. It has a minimum length of 12 characters and does not use dictionary words or keyboard patterns.

Additional Guidance

IAD Mitigations (Top Ten, Identity Theft, Social Media, Operating Systems, Biometrics, Wireless)
https://www.nsa.gov

DISA STIGs A thru Z subjects
http://iase.disa.mil/stigs/Pages/a-z.aspx

Protection Profiles
https://www.niap-ccevs.org/pp

Mobile Access Capability Package
https://www.nsa.gov

General topics
https://www.niap-ccevs.org/pp

NIST
http://csrc.nist.gov/publications/PubsSPs.html#800-124

Protecting Personally Identifiable Information
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf

Contact Information

Industry Inquiries
410-854-6091
[email protected]

Client Requirements and General Information Assurance Inquiries
Client Contact Center
410-854-4200
[email protected]

Disclaimer: The information and opinions contained in this document are provided “as is” and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

CFS U/OO/802635-16
