Defense

When it comes to digital technology, we have to consider many things.

Availability, Confidentiality, and Integrity are good building blocks for considerations. We can probably split this into two major views to start with:

  • What does a typical consumer care about?
  • What security and privacy considerations could be made?

A typical consumer may care about:

  • Availability
  • Cost
  • WIFI Coverage
  • Performance
  • Ease of Use
  • Ease of Support/Troubleshooting
  • Style/Looks
  • What happens if it breaks?
  • Can I stop my kids messing with it? (Probably not so why bother)

Enter the cyber nerds!

The ISP Router

  • The ISP can remotely access data
  • The ISP can remotely access the device
  • The ISP can remotely upgrade the firmware
  • When do firmware upgrades occur? Will they affect running tasks on the network?
  • What does the ISP router service supply chain look like?
  • What does the ISP router hardware supply chain look like?
  • What does the router software supply chain look like?
  • The ISP's DNS resolver sees every query, and that data may be:
    • Sold to third parties
    • Provided to a country's intelligence services (bulk collection)
    • Provided to law enforcement (with a warrant)
    • Accessed without authorisation
  • The ISP collects netflow data
    • This is shared with third parties
    • This is collected by intelligence services

Major concerns (from a paranoid person, not the average person):

  • Remote access potential
  • DNS Data
  • Netflow Data
  • Code Execution/Forced Firmware/Backdoored Firmware
  • Configuration Control

Configuration Concerns

  • UPnP
  • DMZ
  • DNS Configuration
  • DHCP Configuration
  • Connectivity Polling
  • Admin Interface Exposure
  • Admin interface encryption in transit (HTTP vs HTTPS)
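The UPnP item is the most concrete of these concerns, because any host on the LAN can ask the gateway what it has opened to the internet without authenticating. The script below is an added example and not code from the original post: it builds the SSDP M-SEARCH that discovers an Internet Gateway Device, parses the reply, parses a WANIPConnection GetGenericPortMappingEntry response, and flags mappings a practitioner would want explained. The SSDP reply, the SOAP response, the addresses 192.168.1.1 and 192.168.1.23 and the "ConstructedOS" server string are constructed so the parsing runs offline; `discover()` is the only part that touches the network.

```python
import socket
import xml.etree.ElementTree as ET

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ADMIN_PORTS = {22, 23, 80, 443, 445, 3389, 5900, 8080}  # inbound mapping here = remote admin of a LAN host


def build_msearch(st=IGD_ST, mx=2):
    """SSDP M-SEARCH: any host on the LAN can send this, no authentication involved."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(raw):
    """Lower-cased header dict from an SSDP 'HTTP/1.1 200 OK' reply. LOCATION points at
    the device description XML, which lists the WANIPConnection control URL."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def build_port_mapping_request(index):
    """SOAP body for GetGenericPortMappingEntry (POST it to the control URL with the header
    SOAPACTION: "<WANIP_SERVICE>#GetGenericPortMappingEntry"). Walk index 0, 1, 2, ...
    until the gateway answers with a fault (UPnP error 713, SpecifiedArrayIndexInvalid)."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:GetGenericPortMappingEntry></s:Body></s:Envelope>').encode()


def parse_port_mapping_response(xml_text):
    """Return the New* fields of a GetGenericPortMappingEntryResponse, or None on a SOAP fault."""
    wanted = {"NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
              "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration"}
    entry = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag == "Fault":
            return None
        if tag in wanted:
            entry[tag] = (el.text or "").strip()
    return entry or None


def assess_mapping(entry):
    """Why a given mapping deserves a second look."""
    reasons = []
    if int(entry["NewInternalPort"]) in ADMIN_PORTS:
        reasons.append(f"forwards to admin/remote-access port {entry['NewInternalPort']} "
                       f"on {entry['NewInternalClient']}")
    if not entry.get("NewRemoteHost"):
        reasons.append("accepts connections from any source address")
    if entry.get("NewLeaseDuration") == "0":
        reasons.append("permanent lease, stays until explicitly deleted")
    return reasons


def discover(timeout=3.0):
    """Live SSDP discovery on the attached LAN: returns [(responder_ip, headers), ...]."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            try:
                found.append((ip, parse_ssdp_response(data)))
            except ValueError:
                continue
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed replies (not captures) so parsing and assessment run offline.
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: " + IGD_ST.encode()
                     + b"\r\nLOCATION: http://192.168.1.1:1900/igd.xml\r\n"
                     b"SERVER: ConstructedOS/1.0 UPnP/1.1 IGD/1.0\r\n\r\n")
SAMPLE_MAPPING_REPLY = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_SERVICE}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>3389</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>3389</NewInternalPort>'
    '<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>RDP</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')


def run_sample():
    headers = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    entry = parse_port_mapping_response(SAMPLE_MAPPING_REPLY)
    return headers["location"], entry, assess_mapping(entry)


if __name__ == "__main__":
    location, entry, reasons = run_sample()
    print(location, entry["NewExternalPort"], reasons)
    for ip, hdrs in discover():
        print("IGD at", ip, hdrs.get("location"), hdrs.get("server"))
```

If `discover()` returns anything on your LAN, UPnP is answering; the fix on a consumer router is simply to turn it off and add the few port forwards you actually need by hand. Reading the device description at LOCATION to obtain the control URL, then POSTing the SOAP bodies, is what tools such as miniupnpc's `upnpc -l` do for you.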

WIFI

  • Is the SSID harvested by Google etc. (Street View cars, Wi-Fi geolocation databases)?
  • Is the SSID on wigle.net?
  • What can someone tell from the BSSID (the access point's MAC address)?
  • What security mode is in use?
  • Are management frames protected (802.11w)?
  • Can we detect rogue wireless access points?
  • Can we detect deauth attacks?
  • Can anyone with the password simply join?
  • Should I use certificate-based auth?
  • Should I use RADIUS-based (802.1X) auth?
  • Should I restrict based on MAC address?
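Two of these questions (what the BSSID gives away, and whether deauth attacks can be detected) are easy to answer with a little frame parsing. The code below is an added example, not code from the original post: it parses the 802.11 MAC header of management frames, reads the reason code of deauth/disassoc frames only when the Protected Frame bit is clear (with 802.11w the body is encrypted), reports the locally-administered bit of a BSSID, and counts deauth frames per BSSID in a sliding window. The frames and addresses (02:11:22:33:44:55, a8:bb:cc:dd:ee:ff) are constructed rather than captured; a real capture would feed the same parser after stripping the radiotap header.

```python
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0
SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 10, 12
PROTECTED_FRAME = 0x40  # bit 6 of the second frame-control byte, set when 802.11w protects the frame


def mac_to_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def parse_mgmt_frame(raw):
    """Parse the 24-byte 802.11 MAC header (radiotap already stripped) and, for
    deauth/disassoc frames, the reason code that follows it."""
    if len(raw) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1 = raw[0], raw[1]
    frame = {
        "type": (fc0 >> 2) & 0x3,  # 0 = management
        "subtype": fc0 >> 4,
        "protected": bool(fc1 & PROTECTED_FRAME),
        "dst": mac_to_str(raw[4:10]),
        "src": mac_to_str(raw[10:16]),
        "bssid": mac_to_str(raw[16:22]),
    }
    if frame["type"] == MGMT_TYPE and frame["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        # Under 802.11w the body starts with a CCMP header and is encrypted, so the
        # reason code is only readable when the Protected Frame bit is clear.
        if not frame["protected"] and len(raw) >= 26:
            frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def bssid_facts(mac):
    """What the BSSID alone gives away: the OUI (vendor prefix, resolvable against the
    IEEE registry) and whether the locally-administered bit is set, meaning the address
    was chosen in software (virtual AP, randomisation, spoofing) rather than by the vendor."""
    first_octet = int(mac.split(":")[0], 16)
    return {"oui": mac[:8],
            "locally_administered": bool(first_octet & 0x02),
            "multicast": bool(first_octet & 0x01)}


class DeauthDetector:
    """Per-BSSID sliding-window count of deauth/disassoc frames. A few in a window is
    normal roaming; a burst is a deauth attack or a badly misbehaving AP."""

    def __init__(self, window_s=10.0, threshold=5):
        self.window_s, self.threshold = window_s, threshold
        self._recent = defaultdict(deque)  # bssid -> (timestamp, protected) of recent frames

    def observe(self, ts, frame):
        if frame["type"] != MGMT_TYPE or frame["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None
        q = self._recent[frame["bssid"]]
        q.append((ts, frame["protected"]))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        if len(q) < self.threshold:
            return None
        return {"bssid": frame["bssid"], "count": len(q), "window_s": self.window_s,
                "unprotected": sum(1 for _, protected in q if not protected)}


def build_deauth(bssid, station, reason=7, protected=False):
    """Constructed raw deauth frame (test input, not a capture): FC byte 0xC0 = type 0,
    subtype 12; addr1 = station, addr2 = addr3 = BSSID; reason code in the body."""
    fc1 = PROTECTED_FRAME if protected else 0
    header = (struct.pack("<BBH", 0xC0, fc1, 314)
              + mac_to_bytes(station) + mac_to_bytes(bssid) + mac_to_bytes(bssid)
              + struct.pack("<H", 0))  # sequence control
    return header + struct.pack("<H", reason)


def run_sample():
    """Constructed traffic: one legitimate teardown, then a 20-frame burst with reason 7
    (class 3 frame from a non-associated station), the value deauth tools commonly send."""
    ap, victim = "02:11:22:33:44:55", "a8:bb:cc:dd:ee:ff"  # constructed addresses
    detector = DeauthDetector(window_s=10.0, threshold=5)
    alerts = [detector.observe(0.0, parse_mgmt_frame(build_deauth(ap, victim, reason=3)))]
    for i in range(20):
        frame = parse_mgmt_frame(build_deauth(ap, victim, reason=7))
        alerts.append(detector.observe(100.0 + i * 0.05, frame))
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for alert in run_sample()[:1]:
        print("deauth burst:", alert, bssid_facts(alert["bssid"]))
```

The `unprotected` count is the useful half of the answer to the management-frame question: if every deauth in a burst is unprotected while the network is configured for 802.11w, clients that enforce PMF will ignore them and the burst is noise; if the network is not using 802.11w, every one of them will disconnect a client.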

Options for Deployment (Current state)

  • ISP Router
  • “Business/Enterprise Commercial Router/Firewall”
  • Consumer-Grade Commercial Off-the-Shelf Solution
  • Build your own Router/Firewall/WIFI

Or this option:

  • Do NOT use a router; use a 3G/4G/5G cellular device (either built in or external) and connect to the internet via the mobile network, behind the carrier's CGNAT

Or:

  • Use someone else’s WIFI
    • Neighbour (with permission)
    • Neighbour (without permission)
    • Public WIFI

Summary

This is far from an exhaustive list, but it shows the contrast between the two ways of thinking, the size of the potential attack surface, and why we need to think with a diverse mindset. We need to consider:

  • Usability/Functionality
  • Cost
  • Security
  • Privacy
  • Ease of Use

I’m experimenting with how “easy” it is to operate security using a range of new kit recently, and I’m not exactly raving about how “easy” this all is! (It’s bloody annoying and complex as soon as we stop thinking only about ease of use.)
