Zero Trust for the Home

4 Questions for A Zero Trust Expert – Home Network Edition

While big corporate breaches have been making headlines recently, hackers have also realized that attacking an individual’s personal data can be incredibly lucrative. It’s never been more important to educate ourselves and our families on how to keep our homes safe from cyber threats. I sat down with MindPoint Group’s Director of Architecture and Engineering, Andrew Seely, to talk through the challenges of protecting home networks, what strategies cybersecurity experts are using to protect their families, and what new threats are on the horizon:

1. What’s the most common digital security mistake you see in home networks, and what do you recommend doing instead?

My family and friends really feel like they are not a target for cyber exploits because they don’t have anything to hide, or they just don’t have anything of value. People who diligently lock their doors at night are the same people who use common passwords across multiple accounts, install new devices in their home network with default administrative accounts and passwords, and who freely access important data like banking in the same way they access entertainment. Since there’s no direct perceived linkage between how they protect data at home and how their exploited data gets sold and ultimately exploited, there’s no real incentive to change.

I think people should adopt a “Zero Trust” mentality in the home. In the same way that you might protect valuables in a safe because you assume that your front door lock can be overcome, Zero Trust assumes that your primary defenses are already overcome, and an adversary has access. A Zero Trust mindset means that you assume an outside attacker is already able to gain access to your home network, so you take steps to make it more difficult to gain access to other things in the network.  

Zero Trust in the home means thinking about your computing in terms of the five “pillars” of Zero Trust: Identity, applications, networks, computers, and data.  

Following those pillars, a home user can take simple steps towards Zero Trust in the home:  

  • Using strong passwords that are unique for different services helps to protect identity,  
  • Changing default administrative passwords and account names helps to protect computers,  
  • Enabling automatic patching helps to protect applications,  
  • Creating separate WiFi networks for entertainment, for guests, and for business helps protect the networks,
  • Using encryption and keeping backups helps to protect data.

2. What does your home network look like?

I attempt to use the Zero Trust principles as guidelines in the home, although my successes there are limited by the ultimate insider threat: My family. Not every home realizes it, but every family has an unofficial Chief Information Security Officer (CISO), and in my home I’m it.  

To protect my family and data, I start with a good configuration management process: I document every device that connects to my network, and I keep a list of what’s allowed. My router is configured to use the highest wireless security possible for the devices in the house, and I have also configured Media Access Control (MAC) address filtering, so only pre-configured devices can connect. I have the network segmented into three zones, one for “serious things,” one for entertainment, and one for guests. My router also includes the ability to block or allow devices and services to access the Internet on schedules, so I am able to control, to some extent, the content children are able to access and how non-person devices like printers and televisions behave on the network. I am not satisfied with the level of logging and alerting I have in the home, but there’s no great solution for this that doesn’t turn my home CISO role into a full-time job.

While there is not a lot of buy-in from the rest of the family to follow me, I personally use a commercial Virtual Private Network (VPN) service to encrypt my own network traffic on the Internet and obfuscate my location, and I have my browser configured to run in private browsing mode and to delete cache, cookies, and passwords on exit. I also diligently use an encrypted password safe, and I use its auto-generate function so that even I don’t know my own passwords for most services I use. To help defend against a potential ransomware attack, I also use a free software tool to take a regular backup of my data to an external hard drive – it’s important to remember to disconnect the drive after the backup, or a ransomware attack will get it, too!

While my thoughts about security in the home are mostly focused on devices that connect to the home network, one of my favorite security tools is the comprehensive consumer-market security package I subscribe to that includes an anti-theft tool for mobile devices. The tool takes a snapshot with the front camera of a smart phone after three failed unlock attempts, and sends me the picture and location. Thanks to this tool, I regularly get to see which of my middle school kid’s friends is goofing off with my kid’s phone.
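The device inventory, allow list and three-zone layout described in this answer can be checked with a short script. The following is an added example, not part of the interview or any MindPoint Group tooling: the inventory, the observed client list, the MAC addresses and the zone labels are all constructed, and a real router's client list would have to be exported into the same shape.

```python
import re

# Constructed inventory: MAC -> (device name, zone). Zone names follow the
# three zones described in the interview; devices and MACs are made up.
INVENTORY = {
    "a4:83:e7:12:34:56": ("work-laptop", "serious"),
    "00:1a:2b:3c:4d:5e": ("living-room-tv", "entertainment"),
    "3c:5a:b4:00:11:22": ("printer", "serious"),
}

# Constructed sample of what a router's client list might report:
# (MAC as reported, zone the device joined).
OBSERVED = [
    ("A4-83-E7-12-34-56", "serious"),        # known, right zone
    ("00:1A:2B:3C:4D:5E", "serious"),        # known, wrong zone
    ("da:a1:19:aa:bb:cc", "guest"),          # unknown, randomized MAC
    ("f0:18:98:de:ad:01", "entertainment"),  # unknown, vendor-assigned MAC
]

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(observed, inventory):
    """Return (mac, finding) tuples for devices that need attention."""
    findings = []
    for raw, zone in observed:
        mac = normalize_mac(raw)
        if mac is None:
            findings.append((raw, "malformed MAC"))
        elif mac not in inventory:
            kind = "randomized" if is_randomized(mac) else "vendor-assigned"
            findings.append((mac, f"unknown device ({kind} MAC) in {zone}"))
        elif inventory[mac][1] != zone:
            name, expected = inventory[mac]
            findings.append((mac, f"{name} in {zone}, expected {expected}"))
    return findings

if __name__ == "__main__":
    for mac, finding in audit(OBSERVED, INVENTORY):
        print(f"{mac}  {finding}")
```

An unknown entry with a randomized MAC is often a phone using a private Wi-Fi address rather than a new device, which is why the audit reports the two kinds separately.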

3. What are some surprising gaps in home cybersecurity that people often miss?

I have a lot of confidence that digital natives today have a pretty good sense of security and identity in the networked world. Older generations, Gen X and Boomers, can also live securely in the digital age, but they may have an outdated sense of where important data is. Consider the collected history of a family in pictures: Today that entire history is likely digital and accessible and exploitable from potentially anywhere in the world, but only a generation ago that history would be in physical albums on a shelf in a house. I would advise more people to think about their “unimportant” data like family pictures to be more like the vital data of the family unit that is more at risk than they realize. The damage to a family’s history if the only existing copies of family pictures were burned in a fire is terrible, and yet it’s the exact same impact to the family if a family’s history is lost to ransomware or other exploits.

I would also suggest that people consider how their personal data today is deeply intertwined with their business of being a family. Finances, insurance, utilities, licenses, all the boring parts of life that are the structural framework of a family are all more or less intertwined today with the more fun things, entertainment, social media, and shopping. It’s increasingly hard to keep serious things serious and fun things fun when the tools we use to live our lives create easy ways to do things, while hiding how those things keep our data safe. I encourage anyone to build a continuous monitoring mindset: Watch over accounts, change passwords, report problems, and not just in online services, but also with financial accounts and credit reports. When the world becomes so integrated that you can’t tell where your data goes or how it is protected, you’re still the one who pays the price when security fails.

4. What types of cyber threats should users be looking out for moving forward?

I have seen and personally experienced some highly personalized and sophisticated phishing attacks in the recent past. Automated, misspelled emails from distant royalty promising millions of dollars are yesterday’s scam, but direct communication with what appears to be a live person on the other end, communicating with inside knowledge about a topic on channels you don’t expect can overcome even the most cynical defense. The increase in “deep fake” technology combined with the increase in stolen identity data on massive scales creates a new challenge for how we trust – and everyone is vulnerable.  

I am also in a cyber arms race with my teenager, like probably most any parent of a teenager is. Block an app, he finds the app’s web site. Block a web address at the router and he installs a free (and suspect) VPN application to bypass the block. Block all network access at the network router and catch him using his phone’s hotspot. Block the hotspot itself and he discovers how to boot his phone in “safe mode” and disable the block. Every time he overcomes my latest defense, I’m more worried that he’s exposing himself and the family network to unknown dangers, and yet I’m more and more proud that this arms race between him and me is making him think about how to protect data and how protections themselves are vulnerable. He’ll think he won in the end and he’ll be right, but not for the reasons he thinks.
