… then how much more important is it at work?
It is well said that the price of freedom is eternal vigilance. Similarly the price of personal freedom must be paid on a recurring basis. For me, activity during the week focuses upon work. And updating of security at home is almost always deferred until the weekend change window – when my wife (i.e., the CAB chairperson) can accept a more protracted outage.
So the change was scheduled for last night. And what were the contents of the change? Security updates were the sole focus.
Last month, the Talos team (at Cisco) issued a warning about an old threat (i.e., VPNFilter) that had returned from the dead – in a much more virulent form. Talos (and the FBI) recommended immediate reboots of home routers. I did this the same day of the warning. But after Talos (and the FBI) repeated their warnings about VPNFilter, I determined that it was time to rebuild the router from scratch following a factory reset. So once my wife disconnected from her “work” network, I started the changes. And it went reasonably well.
 
Since I coupled the change with a complete renumbering of the IP address space at home, the time before service restoration was longer than it would otherwise have been. In fact, the total rebuild of the router – and the assignment of new IP addresses across the network – took about two hours. After that window, normal services were successfully restored. But it took another two hours to clean up a few items – including the rebuilding of my Home Assistant hub. So the total change window lasted approximately four hours. At the end of the change window, we had a completely rebuilt home network.
 
When I got up this morning, I realized that it was also time to further secure my browser. My posture was immeasurably better than most of my neighbors. I browse via a VPN. I use uBlock Origin and Pi-hole to block ads. I use Privacy Badger for another layer of browser protection. But “good enough” is not good enough for me. So I decided to deploy uMatrix as an additional means of both understanding all network interactions and controlling those interactions.
 
For those not familiar with uMatrix (which is pronounced “micro matrix”), think of it as the next step beyond the NoScript tool. With uMatrix, you see a matrix of external sites and access types used when you load pages from any site (or domain). And you can allow access on either a temporary or a permanent basis. Once you get past the first shock of seeing all of the cross-site and cross-domain activity, you realize that uMatrix does provide you with incredibly granular control over how pages are rendered in your browser.
 
The first thing that I realized when I started to dig deeper was that securing my browsing experience almost always results in a “broken” user experience. This was not a new revelation. When I first used NoScript, I had to whitelist a whole lot of sites – or live with reduced functionality. So the process of evaluating sites and functions was both expected and welcomed.
 
The first sites that I decided to validate were those associated with security-related podcasts. And as expected, every podcast was accompanied by necessary changes to enable streaming. The most ironic thing that I saw was just how much cross-site activity was required to even listen to security podcasts. But knowing the precise elements that were needed by a page allowed me to open just those elements that were truly required. Basically, uMatrix provided me with fine-grained access control. And it also reminded me that “free” almost always means trading function/feature access against limited access to me (and my data) by advertising agencies/networks.
 
Once I dealt with the security podcasts, I wanted to see just how pernicious Facebook access was. Currently, I do not use any Facebook “apps”. Instead, I use a simple browser. I run their browser pages inside of a “container” that limits data leakage. Nevertheless, I still expected some additional cross-site activity. What I saw was positively astonishing. Over two-hundred elements requiring cross-domain access were requested. And that was after ad blocking was done by my Pi-hole and by uBlock Origin. Am I surprised? No, not really. But the scope of what remained – even after ad blocking – was positively astonishing.
 
So what are the key takeaways from yesterday and today?
 
  1. Change control is always needed – even at home. Of course, the discipline that you follow at home will depend upon the willingness of family members. But this is no different than how things function at the office. Build your processes to meet your stakeholders’ and customers’ needs. Please remember that there are differences between the needs of both groups. At home, you and your spouse are the stakeholders while your kids (and guests) are the customers. As the stakeholders, you need to make the choices about how much security is too much security. And I guarantee that whatever you decide, your kids will probably disagree with you. 😉
  2. There is no such thing as secure enough. You can always do more in order to be even more secure. And if you do nothing, you will just lose ground over time. To stay secure, you need to always do more.
  3. Always remember that “free” just means that the price may not be immediately discernible or quantifiable. Use tools that help you discern the heretofore indiscernible. I do recommend uMatrix. But other tools can be used.

The work of ensuring security is never complete. Your home is not safe just because you have a door lock. You need to lock it. And then you need to realize that your windows are a threat vector. In the same way, information security is not just about having an ISP-provided router and a password on you primary system. But whether you are totally insecure or currently “state-of-the-art” in your practices, there is always more that you can do. So take the next steps to further secure your home. Then remember, your workplace is no different than your home. It requires constant tending – by both the security professionals and by every employee.