Securing Office Networks and Routers
Wireless office routers are a must-have for any business environment and vital for global and even internal communications. Routers are deployed not only in offices but also in homes, schools, hospitals and so on. In many cases, these routers are installed and set up without much concern for changing default parameters and logins, leaving them “Internet-ready” for immediate use. Enabling basic configuration safeguards can go a long way in securing office networks and routers. However, in many instances even the default security configurations are not adequate to avoid breaches or close security holes. As a result, hackers easily discover vulnerabilities in these unsecured networks. These routers are also continuously powered on and discoverable, so the default configurations provide 24/7 access to confidential business data.
The basics of securing office networks and routers
If an attacker knows something as simple as the manufacturer or brand of the networking device, they can look up the default username and password for that particular hardware and attempt a simple cracking attack (username and password guessing) to gain access. This is the simplest way to gain full access, so the default login must always be changed immediately after initial setup and configuration. Good strong passwords are about 14 characters long or more, with numbers and letters as well as special characters. For example, 0ff1CEs3cuR1ty is a good password.
Change this password every 90 days or less. It can be argued, however, that constantly having to change passwords leads to simpler and simpler passwords as admins or users run out of hard-to-guess ones. At the moment of a forced password change dictated by company policy, the inconvenience can turn good passwords into bad, easy-to-remember ones. Staying with a much longer, hard-to-guess password (that’s easier to remember) that changes less frequently may be an option, since an admin who keeps a password for a much longer period of time can create a much more complicated one. Frequently changing passwords can help protect encrypted backups, however. See http://www.networkworld.com/article/2602889/infrastructure-management/don-t-change-your-passwords-regularly.html
Changing default SSIDs
All devices on a wireless local area network (WLAN) need to use the same Service Set Identifier (SSID). Manufacturers set a default SSID at the factory. From a default SSID, an attacker can simply identify the hardware and exploit any known vulnerabilities. This is especially troublesome if the router is not updated to the latest firmware, which often patches security vulnerabilities.
An overly detailed SSID can also reveal details about the organization, such as its name and location. Avoid any details that a hacker can use to help make a hack attempt successful. In many cases, several different pieces of information are combined to produce a successful hack; there is not always a single piece of information that leads to a compromise.
Log out of a router’s web-based user interface to prevent Cross-Site Request Forgery (CSRF)
Routers are notoriously vulnerable to CSRF attacks. If you stay logged in to the router while visiting another website that is infected with nefarious hacker code, that code can attempt to reconfigure the router’s settings. This could result in port forwarding or DNS server changes, etc. Many examples of CSRF can be found at http://www.routercheck.com/category/router-vulnerability/csrf/, which shows a disturbing number of incidents and discoveries. An updated and secured router will, if not eliminate, then greatly minimize this threat. A router with updated firmware is a much more secure router.
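Why logging out matters, as an added example that is not part of the original article: a toy model of a router admin page that accepts any request carrying a live session cookie. The class, the addresses and the status strings are constructed for illustration; the last case adds an Origin check, a firmware-side defense the article does not cover.

```python
import secrets


class RouterAdmin:
    """Toy model of a router's web admin interface (not any vendor's firmware)."""

    ADMIN_ORIGIN = "http://192.168.1.1"  # assumed address of the admin page

    def __init__(self, check_origin=False):
        self.sessions = set()          # session ids the router still accepts
        self.dns_server = "192.168.1.1"
        self.check_origin = check_origin

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions.add(sid)
        return sid

    def logout(self, sid):
        self.sessions.discard(sid)     # the cookie is now worthless

    def set_dns(self, cookie, origin, new_dns):
        """State-changing request; the browser attaches `cookie` on its own."""
        if cookie not in self.sessions:
            return "401 not logged in"
        if self.check_origin and origin != self.ADMIN_ORIGIN:
            return "403 cross-site request refused"
        self.dns_server = new_dns
        return "200 ok"


def forged_request_outcome(logged_in, check_origin=False):
    """Replay the scenario: a page on another site submits the DNS form."""
    router = RouterAdmin(check_origin)
    cookie = router.login()
    if not logged_in:
        router.logout(cookie)
    status = router.set_dns(cookie, "http://other-site.example", "203.0.113.53")
    return status, router.dns_server


if __name__ == "__main__":
    print("stayed logged in:", forged_request_outcome(True))
    print("logged out first:", forged_request_outcome(False))
    print("origin check on :", forged_request_outcome(True, check_origin=True))
```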
Set Up Wi-Fi Protected Access 2 For Better Security
Wired Equivalent Privacy (WEP) is no longer a secure enough encryption standard and has not been for many years. The newer security standard, WPA2 with the Advanced Encryption Standard (AES), encrypts communication between the wireless device and the router using 128-bit encryption. WPA2 is the most secure router configuration possible for home use and is highly recommended for all router configurations.
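The checks from the sections above (factory-default login, password length and character mix, default or overly descriptive SSID, WEP versus WPA2) collected into one audit, as an added example that is not part of the original article. The settings keys, the default-login list and the default-SSID prefixes are constructed samples, not a complete vendor list.

```python
import string

# Illustrative samples only; extend from the documentation for your hardware.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password"), ("admin", ""), ("root", "root")}
DEFAULT_SSID_PREFIXES = ("linksys", "netgear", "dlink", "tp-link", "default")


def password_problems(password):
    """Check the article's guidance: 14+ characters, letters, numbers, specials."""
    problems = []
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def audit_router(settings, org_terms=()):
    """Return findings for a dict of router settings (hypothetical keys)."""
    findings = []
    login = (settings["admin_user"], settings["admin_password"])
    if login in DEFAULT_LOGINS:
        findings.append("admin login is a factory default")
    findings += ["admin password: " + p for p in password_problems(login[1])]
    ssid = settings["ssid"].lower()
    if ssid.startswith(DEFAULT_SSID_PREFIXES):
        findings.append("SSID looks like a factory default and reveals the hardware")
    for term in org_terms:
        if term.lower() in ssid:
            findings.append(f"SSID reveals organization detail: {term}")
    if settings["encryption"].upper() != "WPA2-AES":
        findings.append(f"encryption is {settings['encryption']}, expected WPA2-AES")
    return findings


# Constructed sample: a router left as shipped, and a hardened one.
AS_SHIPPED = {"admin_user": "admin", "admin_password": "admin",
              "ssid": "NETGEAR42", "encryption": "WEP"}
HARDENED = {"admin_user": "netops", "admin_password": "0ff1CE-s3cuR1ty!",
            "ssid": "wlan-7f3a", "encryption": "WPA2-AES"}

if __name__ == "__main__":
    for name, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(name, audit_router(cfg, org_terms=["Acme"]))
```

Run against the article's sample password 0ff1CEs3cuR1ty, `password_problems` reports only the missing special character.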
Limit WLAN Signal Reach and Powering Off
Many wireless routers will simply broadcast farther than they really need to in a home office environment or workplace. This makes it easier for unauthorized users to try to gain access from outside the workplace area. If the signal cannot be reached by intruders, it’s impossible for them to connect in the first place and gain access. This is a great solution for securing office networks and routers. Careful positioning of antennas can keep the signal from extending way beyond the distance required for all coworkers to use it. There is no need for antennas that broadcast signals too far.
In addition, instead of using the more popular omnidirectional antenna, a directional antenna that transmits only towards a certain area may be a viable solution. If hackers find no signal to connect to, the risk of intrusion is non-existent. However, this is not a sure way of preventing intrusions from a motivated hacker with a very sensitive antenna.
Another simple method of intrusion prevention is powering off the wireless router. Switch off the routers during holidays and off-seasons. This also applies to offices that close during weekends. Shutting down a network reduces the amount of time any hacker has to gain access to secure systems.
Don’t forget firmware updates when securing office networks and routers. By the time a wireless router is manufactured and finally placed on the shelves for sale, several firmware updates could have been released while it gathered dust. Once it is purchased and installed for wireless communication, the same old firmware is still running on that router. This is a serious problem when securing office networks and routers if overlooked. Using outdated firmware is a security vulnerability. Update the router as soon as possible to patch any security vulnerabilities, bearing in mind that an update cannot help against a zero-day exploit for that wireless router.
Finally, monitor the connections to a wireless router. This lets anyone, whether experienced in wireless security or not, discover a user connected to the network who should not be there. Even a log showing attempted connections can show whether the workplace is in a high-risk area for intrusions and needs to beef up security if it has not already done so. Set up firewalls on routers as well, not just on office computers and dedicated servers. The router manufacturer will have details on how to set up and configure this feature.
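One way to review a connection log as described above, as an added example that is not part of the original article. The log format, MAC addresses and threshold are constructed; a real router's log will need its own pattern.

```python
import re
from collections import Counter

# Constructed sample in a made-up format; real routers log differently.
SAMPLE_LOG = """\
2024-03-04T09:01:12 ASSOC mac=02:00:00:00:00:01 result=ok
2024-03-04T09:03:40 ASSOC mac=02:00:00:00:00:02 result=ok
2024-03-04T23:41:05 ASSOC mac=02:00:00:00:00:aa result=auth-fail
2024-03-04T23:41:09 ASSOC mac=02:00:00:00:00:aa result=auth-fail
2024-03-04T23:41:15 ASSOC mac=02:00:00:00:00:AA result=auth-fail
2024-03-04T23:52:30 ASSOC mac=02:00:00:00:00:bb result=ok
garbled entry
"""
KNOWN_DEVICES = {"02:00:00:00:00:01", "02:00:00:00:00:02"}  # office inventory

LINE = re.compile(
    r"^(?P<ts>\S+) ASSOC mac=(?P<mac>[0-9A-Fa-f:]{17}) result=(?P<result>\S+)$")


def review_connections(log_text, known_macs, fail_threshold=3):
    """Flag devices outside the inventory and repeated failed attempts."""
    unknown_connected = set()
    failures = Counter()
    unparsed = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            unparsed.append(line)      # keep unreadable lines visible
            continue
        mac = m["mac"].lower()         # normalise case before comparing
        if m["result"] == "ok":
            if mac not in known_macs:
                unknown_connected.add(mac)
        else:
            failures[mac] += 1
    repeated = {mac: n for mac, n in failures.items() if n >= fail_threshold}
    return {"unknown_connected": sorted(unknown_connected),
            "repeated_failures": repeated,
            "unparsed": unparsed}


if __name__ == "__main__":
    for key, value in review_connections(SAMPLE_LOG, KNOWN_DEVICES).items():
        print(f"{key}: {value}")
```

A client can change its MAC address, so a match against the inventory is a hint for review rather than proof that the device belongs.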