Eaton is committed to minimizing the cybersecurity risk in its products and deploying cybersecurity best practices in its products and solutions, making them more secure, reliable and valuable for customers. Managing cybersecurity risk throughout the lifecycle requires the consistent application of security best practices. Eaton assumes the customer will implement the recommendations here along with other vendor guidelines as applicable.
Residential devices could directly or indirectly provide an attacker access to personal information or provide the ability to maliciously monitor or control devices (e.g. smart lights, thermostats) for the purpose of demanding a ransom or something of value. Default credentials (e.g. passwords), known vulnerabilities, and generally weak Wi-Fi security are the weaknesses most commonly exploited.
The following guidelines are recommended to reduce cybersecurity risks:
1. Verify (at a minimum monthly) that the latest versions of firmware and software recommended by the manufacturer are installed on all devices.
2. Verify (at a minimum monthly) that no known vulnerabilities exist on any devices by searching (at a minimum) vendor sites and the National Vulnerability Database (NVD) at www.nvd.org.
3. Use a network firewall or the firewall capability in the internet router, and allow through the network only the traffic each device requires to function.
4. Use host-based firewall capability on devices if available (e.g. Windows Firewall, and iptables on Linux).
5. Use antivirus (with updated signatures) and whitelisting (allow only authorized access).
6. Disable unnecessary services and software. Whitelisting is still one of the best ways to harden the security on a device.
7. Change the factory-default configurations on the router.
8. Regularly back up your data.
9. Apply the following Wi-Fi Security configurations:
a. Use the strongest encryption protocol available. NCCIC recommends using WPA2 (Wi-Fi Protected Access 2) Personal Advanced Encryption Standard (AES) and Temporal Key Integrity Protocol (TKIP), which is currently the most secure router configuration available for home use.
b. Change the router’s default administrator password. During setup, the router presents an option of changing the admin password because the router is pre-configured with default administrator credentials. Changing the router’s default password will protect it against attacks using default credentials.
c. Change the default SSID. The SSID, also commonly known as the network name, is a unique name that identifies a WLAN (wireless local area network). All devices use the same SSID to communicate with each other. Default SSIDs typically disclose the manufacturer of the actual device. This is useful for an attacker to identify the device and exploit any of its known vulnerabilities. Make your SSID unique and do not tie it to your identity or location.
d. Disable Wi-Fi Protected Setup (WPS). It is a simplified mechanism for a wireless device to join a Wi-Fi network using a PIN instead of a network password. However, a design flaw enables the attacker to brute force this PIN, because it informs them when the first half of the eight-digit PIN is correct. Many routers lack a proper lockout after a certain number of failed attempts to guess the PIN.
e. Reduce the wireless signal strength. Make sure your Wi-Fi signal strength does not penetrate the perimeter of your home. This can significantly reduce eavesdropping of the network traffic. Note: While this reduces your risk, a motivated attacker may still be able to intercept a signal that has limited coverage.
f. Turn off the network when not in use. While it may be impractical to turn the network off and on frequently, consider disabling it during travel or extended periods when you will not need to be online. Many wireless routers offer an option to configure a wireless schedule that will automatically disable the Wi-Fi at specified times.
g. Disable UPnP when not needed. UPnP is a feature that allows networked devices to seamlessly discover and establish communication with each other. Attackers use this to bypass the router’s firewall to spread malware on your network.
h. Upgrade firmware. Check the router manufacturer’s website to see whether you are running the most updated firmware on your router. Most routers have the option to turn on automatic updates.
i. Disable remote management. Most routers offer the option to view and modify the router’s configuration over the internet. Turn this feature off to guard against unauthorized individuals accessing and changing your router’s configuration.
j. Monitor for unknown device connections. See the manufacturer’s website for tips on how to prevent unauthorized devices from connecting to your network.
10. Use caution when using email:
a. Suspicious sender’s email address. Pay attention to the sender’s email address. It may imitate a legitimate business with a few characters altered or omitted.
b. Generic greetings and signatures. Both a generic greeting such as “Dear Valued Customer” or “Sir/Ma’am” and a lack of contact information in the signature block are strong indicators of a phishing email. A trusted organization will normally address you by name and provide their contact information.
c. Suspicious attachments. An unsolicited email requesting a user to download and open an attachment is a common delivery mechanism for malware.
d. Spoofed hyperlinks. Hover your cursor over any links in the body of the email. A link whose address, shown when hovering, does not match the text of the link should raise a red flag.
e. Poor spelling. Poor grammar and sentence structure, misspellings, and inconsistent formatting are other indicators of a possible phishing attempt.
11. Follow username and password best practices:
a. Change default passwords and user/account names (where possible).
b. Rename, disable, and/or remove unnecessary user accounts.
c. Create a unique password for each account. Do not use the same password for all accounts. This way, if one account gets compromised, the attacker cannot breach the other accounts.
d. Use a password manager. A password manager is software that can help you generate, store, encrypt, and retrieve unique and complex login credentials for all accounts, effectively eliminating the need to remember or write down passwords.
e. Make passwords long and complex. The most effective aspect of a strong password is its length. You should therefore consider using the longest password with letters, numbers, and special characters. The best way to remember a long password is to use a passphrase like “thisisPasswd4Router!”. It is relatively simple to remember, but it makes attacks more difficult based on length and use of numeric and special characters. Do not use common phrases, song lyrics, famous quotations, or sequential keyboard combinations.
f. Never use personal information. Avoid using your personal information like your name, pet’s name, license plate number, phone number, or any other publicly available information.
g. Use two-factor authentication. If the attacker manages to get your credentials from a data leak, he cannot breach your account because of the second factor involved in the authentication, which is usually a personal device, another account, or login code generator. Most popular social networking sites and banking websites have implemented two-factor authentication.
12. Consider implementing the following advanced home network security techniques:
a. Enable MAC filtering to create a whitelist of devices allowed to connect to your router. The only drawback with this is that it is a tedious process to add individual devices on the router.
b. Segment the home network into different parts, just like what is done for enterprise networks. This may require specific hardware like a router capable of handling multiple zones. For example, each zone can have a specific purpose with specific types of devices. Each zone can utilize MAC filtering or other whitelisting techniques to further restrict access just for that zone. Additionally, these zones could be configured such that devices will not be able to access the internet but allowed to communicate with each other. Further segmentation could include a visitor’s zone for guests. This zone can restrict access to other zones on your network limiting the spread of any potential malware.
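For "Monitor for unknown device connections" and the MAC whitelist under the advanced techniques, one way to review what is on the network is to compare a Linux host's neighbor table (`ip neigh show`) against a list of known devices. This Python example is added here and is not part of the original guidelines; the allowlist, addresses and sample output are constructed.

```python
import re

# One entry of `ip neigh show`; entries without a link-layer address are ignored.
NEIGH_LINE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\b")

def normalize_mac(mac):
    """Lower-case and use ':' separators so both notations compare equal."""
    return mac.strip().lower().replace("-", ":")

def is_randomized(mac):
    """True when the locally administered bit is set, as in private/random MACs."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def unknown_devices(neigh_output, allowlist):
    """Return neighbors whose MAC address is not in the allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    unknown = []
    for line in neigh_output.splitlines():
        m = NEIGH_LINE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no MAC address
        mac = normalize_mac(m["mac"])
        if mac not in allowed:
            unknown.append(
                {"ip": m["ip"], "mac": mac, "randomized": is_randomized(mac)})
    return unknown

# Constructed sample output and allowlist (not from a real network).
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 router REACHABLE
192.168.1.23 dev wlan0 lladdr 00:11:22:aa:bb:cc STALE
192.168.1.42 dev wlan0 lladdr 9a:5f:10:de:ad:01 REACHABLE
192.168.1.77 dev wlan0  FAILED
"""
KNOWN_DEVICES = ["00:11:22:33:44:55", "00-11-22-AA-BB-CC"]
```

A device reported with `randomized` set uses a private address that can change between connections, so it has to be identified some other way before it is added to a whitelist.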