We've been managing firewalls for our small business customers for years, and we have seen our fair share of small business networks. Whenever we begin a firewall installation process for a new customer, we get to see their network: every nook and cranny, every detail. And we see a lot of the same problems pop up again and again.
So, we picked the top 10 most common problems we see when setting up and managing firewalls for our customers. In this blog, we're going to discuss why each one is important and how you can resolve or avoid them.
10. Messy Network Cabling
Messy network cabling creates a risk of disruption. These can include situations such as device failure or longer troubleshooting times.
When something goes wrong, it can be very difficult and time consuming to figure out what the issue is when nothing is labeled and everything is a mess. Perhaps you have new equipment that you want to connect and there aren’t any ports or cables available, or you unplug the wrong device to make room for it, causing downtime for other essential devices. It’s important to know where things are and to have good labeling.
Devices can also end up in awkward locations because cables aren’t long enough to reach an optimal location. Or, your cables could be too long and overextended causing tripping hazards or damage to devices.
Finally, having messy network cabling can make it difficult and time consuming to install a firewall. We have had fifteen-minute firewall installations take days because we don’t know where wires are going and neither do the people in the office. This makes it difficult to make security improvements and can cause other inconveniences along the way.
You can organize your cables by using these strategies:
- Use velcro cable straps and tie the cables together to make them neat and tidy
- Get longer or shorter cables depending on your needs
- You can get colored cables so they are easier to identify
- Create a network diagram (there are lots of free tools online that help you do this, or you can sketch out a hard copy)
9. Weak Third Party Providers
Third party providers can include:
- Your internet service provider
- Your point of sale system
- Security or surveillance systems
First, you want to make sure that you have strong providers that are:
- Responsive to you and your customers’ needs,
- Effective in the service they provide, and
- Efficient in resolving problems.
Service providers should be willing to coordinate with each other and with you and your customers. For example, it can be extremely difficult for SecurityMetrics to coordinate with the point of sale vendor and the customer at the same time when trying to set up a firewall.
It's so important to pick third party providers that will be available and willing to work through complex issues.
Sometimes service providers make requests for firewall configurations that make their service provision easier for them. This can open up traffic and introduce vulnerabilities in your firewall and security systems and make you an easy target for hackers.
Before you’ve committed to a third party provider, check reviews. See what other customers are saying and know what your options are. Who are the top providers in that space?
When selecting a provider, make sure to keep your own documentation and don’t lose contact, account, or technical information.
8. Outdated Wi-Fi encryption
As you know, the hacker community is out there 24/7, 365 days a year trying to hack through the latest encryption codes. And they break every encryption code eventually, so it's always just a matter of time before our current encryption is no longer secure. To combat this, it’s important to always keep your Wi-Fi technology up to date. Specifically, keep the firmware on your Wi-Fi device updated. As long as you keep the firmware updated, a given Wi-Fi device should remain fine for several years.
How do you update outdated Wi-Fi encryption?
Some Wi-Fi devices are managed through an app. If that’s the case, you should be able to open the settings in the app and find where it notifies you of automatic updates.
Or you can update it manually. Some Wi-Fi devices allow you to log into the device itself, and you're able to go into settings and either see the update happening automatically, or you can manually update it.
Sometimes you'll need to visit the manufacturer’s website, download what you need and update that patch following a procedure that they'll give you.
If you have an old device, the manufacturer may no longer provide the updates and patches it needs. Newer devices offer better performance, and the management tools are really good too. You want to look for WPA2 or, preferably, WPA3 as the encryption protocol. You’ll see this when you try to connect to it with your phone or your laptop. If you are unable to do these updates, or you don’t do them, you can’t be confident that your Wi-Fi devices are updated and secure. Even if you are fine right now, the device will become more vulnerable to hackers in due time.
You need to make sure that your Wi-Fi devices are regularly updated and if you need to do manual updates, that you are doing those as well.
7. DIY Network Configuration
We all love our DIY projects, but your business network is not the place for this sort of thing. You will be able to connect to the Internet, but you won’t know if you’ve got gaping holes in your security and whether hackers have access to your systems.
Even though you might have a pretty solid understanding of the technology, the hacker community has an infinitely advanced knowledge of the same technology.
Make sure you get help setting up your business network. We recommend using your local internet service provider. Even if you are using a national or larger entity, it’s helpful if they have a local presence. It’s also helpful if you can establish a good working relationship with employees from the entity you are using. They get to know your network and your business, which helps their services become more effective.
Another option is to engage a company to provide a fully managed firewall service (like SecurityMetrics Managed Firewall). Then you can have the managed firewall provider really focus closely on your network’s security.
Usually these sorts of vendors can also perform external scans of your network to check for any vulnerabilities. They will likely use the same types of tools that the hackers will use, so if they find vulnerabilities, then you know that the hackers are going to find them too. Your managed firewall vendor should help you close those gaps.
6. Thinking Your ISP Modem is a Firewall
Every Internet service provider (ISP) gives you a modem device, and it does sort of protect you from the bad guys, but it is not a firewall.
There are two key features that a firewall has that are essential in protecting your network:
- Firewalls can have customized rules that you can adjust for your network.
- Firewalls allow you to segment your network. That's the process that makes it possible for you to protect certain portions of your network and allow more free traffic to flow into other parts of your network.
Even though you have certain information or functionality that you're getting out of that ISP provided modem, every business network needs to have an actual firewall right behind that. Everything else should plug into that firewall.
Another great option is to get a fully managed firewall service. They will lease you a firewall for a low amount each month and then take care of all the details and make sure that it fits your needs. You’ll also get monitoring services so that if they do detect any sort of sketchy traffic going on through your network, they can notify you.
5. Having a flat network
A flat network is where every device is plugged in the same and everything can talk to everything. There are no restrictions and nothing prohibiting total communication between devices on your network.
The danger with flat networks is that a hacker just needs to find the easiest vulnerability, and then they will gain full access to your network.
Some systems in your network will need ports to send traffic in and out pretty easily, but other systems don’t need that. Segmenting your network with a router or with a firewall can help you control your network security. These devices allow you to segment your network with a set of rules that determine the strength of your security. For example, you might have strict rules around your cardholder data environment (CDE), where you have to know about it and give permission to anything trying to get in or out of the system. On the other hand, you might keep your guest Wi-Fi much more open. In the middle, you might have your employee network, where you understand employees will be browsing different places, but it’s still more secure than your guest Wi-Fi.
Setting up firewalls and routers can get complicated, especially if you segment your network. However, getting the equipment and help to segment your network isn’t terribly expensive. If you don’t have a firewall, you definitely need one. Usually that provides all the functionality you’ll need. However, you can also have a vendor do a vulnerability scan over the network to find any possible weak spots in your network.
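To make the flat-versus-segmented contrast concrete, here is an added example, written for this post rather than taken from SecurityMetrics or any firewall vendor. It models zone-to-zone firewall policy the way most firewalls evaluate it (rules matched top-down, first match decides, anything unmatched is denied) and then asks, for each zone, which other zones a compromised device there could still reach. The zone names (internet, guest, employee, cde), the rules and the ports are constructed assumptions.

```python
"""Zone policy model: what a flat network lets through versus a segmented one.

Added example for this post, not SecurityMetrics code. The zone names
(internet, guest, employee, cde), the rules and the ports are constructed
for illustration. Rules are matched top-down, the first match decides, and
anything no rule matches is denied (default deny).
"""
from dataclasses import dataclass

ANY_PORT = frozenset()  # empty set means "all ports" in a Rule


@dataclass(frozen=True)
class Rule:
    src: str          # source zone or "any"
    dst: str          # destination zone or "any"
    ports: frozenset  # allowed destination TCP ports; ANY_PORT = all
    action: str       # "allow" or "deny"


def decide(rules, src, dst, port):
    """Return "allow" or "deny" for traffic from zone src to zone dst on port."""
    for r in rules:
        if r.src not in ("any", src) or r.dst not in ("any", dst):
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action
    return "deny"  # default deny: nothing matched


ZONES = ("internet", "guest", "employee", "cde")

# Flat network: one rule, everything can talk to everything.
FLAT = [Rule("any", "any", ANY_PORT, "allow")]

# Segmented network: strict around the cardholder data environment (CDE),
# employee network in the middle, guest Wi-Fi open only toward the internet.
SEGMENTED = [
    Rule("cde", "internet", frozenset({443}), "allow"),  # CDE speaks HTTPS to the payment processor only
    Rule("any", "cde", ANY_PORT, "deny"),                # nothing else may enter the CDE
    Rule("employee", "internet", frozenset({80, 443}), "allow"),
    Rule("guest", "internet", ANY_PORT, "allow"),
    # guest -> employee, employee -> cde, internet -> anything: no rule, so denied
]


def reachable_zones(rules, src, port=445):
    """Zones a host in src can reach on port: the blast radius if that host is compromised.
    Port 445 (Windows file sharing) is used as the sample port because it is the kind
    of device-to-device traffic a segmented network should not carry between zones."""
    return sorted(z for z in ZONES if z != src and decide(rules, src, z, port) == "allow")


def reachability_matrix(rules, port=445):
    """Map every zone to the zones it can reach on port."""
    return {z: reachable_zones(rules, z, port) for z in ZONES}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(name)
        for zone, reach in reachability_matrix(rules).items():
            print(f"  {zone:9} -> {', '.join(reach) or '(nothing)'}")
```

Under the flat policy every zone reaches every other zone, which is exactly the "find the easiest vulnerability, get everything" problem. Under the segmented policy the guest network reaches only the internet, the employee network reaches the internet only on web ports, and nothing inbound reaches the CDE. The same table is what a segmentation review should produce for a real network, with the real zones substituted in.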
4. Having a poorly managed guest Wi-Fi
Everybody loves guest Wi-Fi, but it can get you into trouble if you're not careful. The biggest problem (especially for small companies) is that there’s a sense of trust between the business and its customers, so the business opens its employee network to guests. Never, never, never open up your employee network to your guests.
Another thing to watch out for is ensuring that your guest Wi-Fi and your employee network are actually separated. Just because you named it “guest Wi-Fi” doesn’t mean it’s not connected to your employee network. Make sure the router you are using allows you to have two separate Wi-Fi networks.
Resist the urge to leave default passwords in place or to allow passwords to be visible externally. This will make it very easy for attackers to get on your Wi-Fi network. Change your Wi-Fi passwords regularly and use passphrases instead of shorter, complex passwords. Use the settings that have your guests sign in before they can use your Wi-Fi. Having your guests sign in to use your Wi-Fi is best practice because it gives you some control over the amount of time a guest can spend on your Wi-Fi and tells you some information about your guests.
3. Poor password hygiene
Sharing passwords is very convenient. However, the more people that know the password, the harder it is to know who is accessing your system.
It’s also difficult to revoke access if an employee is terminated or leaves your company. Try to keep passwords as private as possible.
Another common problem is not changing passwords often enough. It’s frustrating to have to learn new passwords, but if a password gets cracked and you don’t change your passwords regularly, then a threat actor can have continual access to your network and accounts.
The next common mistake is shared passwords across multiple systems. If you have a favorite password and you use that for all your stuff at work and at home, that can lead to major issues. It's like bonus access for the hackers. If they can figure out one of your passwords, the first thing they're going to do is test it on all your other standard accounts. Do not reuse passwords across multiple systems.
Weak passwords are also a common mistake. A nine-letter password can be cracked in about an hour with a brute force cracking approach. Adding a couple of special characters, numbers, spaces, or a capitalized letter makes it take months or years to crack using the same method. Passphrases are the best way to create passwords that are easier to remember and more difficult to crack.
Avoid sending usernames or passwords electronically because none of those platforms are safe.
The last common practice that we caution against is storing password information in an unencrypted file on your computer or device. You need to assume that whatever is on your computer or your device is just kind of out there, so don't keep a file that lists your usernames and passwords or other sensitive data.
To practice good password hygiene, we recommend getting a password manager. There are quite a few options for password managers, so you can find one that best suits your preferences and needs. Password managers will generate secure passwords and securely store your passwords. As an employer, make sure that the systems that you use in your company require good password practices.
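The crack-time figures above depend on the size of the search space and on how fast an attacker can guess. The following added example (written for this post, not SecurityMetrics material) computes that search space from the character classes a password actually uses and converts it to a worst-case time at an assumed guess rate. The rate of one billion guesses per second is an assumption for an offline attack on a fast hash; the word-list size of 7776 is the size of a standard diceware-style list. It also shows that when the attacker knows the word list, a passphrase's strength comes from the number of words, so use enough of them.

```python
"""Password search space and worst-case brute-force time.

Added example for this post, not SecurityMetrics code. GUESSES_PER_SECOND is
an assumed attacker speed for an offline attack on a fast, unsalted hash;
real rates vary by hash algorithm and hardware by many orders of magnitude,
so treat the output as a comparison between choices, not a prediction.
"""
import string

CHARSETS = (
    ("lowercase", frozenset(string.ascii_lowercase)),  # 26
    ("uppercase", frozenset(string.ascii_uppercase)),  # 26
    ("digits", frozenset(string.digits)),              # 10
    ("symbols", frozenset(string.punctuation + " ")),  # 33
)
GUESSES_PER_SECOND = 10**9  # assumption, see module docstring
WORDLIST_SIZE = 7776        # assumption: a standard diceware-style list (6**5 words)


def alphabet_size(password):
    """Alphabet an exhaustive attacker must cover: the sum of the character
    classes the password actually uses (mixing classes widens it)."""
    return sum(len(chars) for _, chars in CHARSETS if any(c in chars for c in password))


def search_space(password):
    """Number of candidates an attacker must try in the worst case."""
    return alphabet_size(password) ** len(password)


def passphrase_space(words, wordlist_size=WORDLIST_SIZE):
    """Search space for a passphrase of `words` words from a list the attacker
    knows, guessed word by word rather than letter by letter."""
    return wordlist_size ** words


def crack_seconds(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the space at `rate` guesses per second."""
    return space / rate


def humanize(seconds):
    """Express a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(password):
    """(length, alphabet size, worst-case crack time) for a password."""
    return (len(password), alphabet_size(password), humanize(crack_seconds(search_space(password))))


if __name__ == "__main__":
    # Constructed sample passwords; never put real credentials in a script like this.
    for pw in ("abcdefghi", "Abcdefgh1!", "Abcdefghijk1!"):
        print(pw, "->", report(pw))
    for words in (4, 5, 6):
        print(f"{words}-word passphrase ->", humanize(crack_seconds(passphrase_space(words))))
```

Nine lowercase letters come out at roughly an hour and a half at the assumed rate, matching the post's "about an hour"; mixing in the other character classes at the same length pushes the same attack into years. Password reuse defeats all of this, since the attacker's first guess on every other account is the password already recovered.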
2. Allowing inbound traffic into your network
This sounds scary, but there are plenty of legitimate reasons that this would show up in your network. For example, you may have an online ordering system or perhaps a file upload service for printing. Or you have a remote access service that allows employees to log into your network remotely. Or maybe you need third party technical support.
These are legitimate and necessary for your business, but the problem is that they can open up gaps in your network. If you don't have your network tightened down and segmented properly, hackers can take advantage of those vulnerabilities and get into the soft and chewy center of your network.
This doesn't mean that you can’t have these sorts of services. You just have to be very careful about how you arrange your network configuration and your security rules so that only the specified type of traffic can get in through the little hole that you created. Create rules that are very specific about inbound traffic and they should keep you safe.
We talked about segmenting previously, but it’s applicable here as well. You may need an online ordering service, but you can segment your network so that they are only allowed access to what they need. Best practice is to only have what you need.
So, how do you know if you have inbound traffic rules on your network? The best way to know is to have your network scanned by a scanning vendor or security provider. They use tools similar to what hackers use and will let you know if there are any gaps in your network or places that need better segmentation.
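The difference between a legitimate inbound service and a gap is usually how tightly the rule is scoped: which sources, which one host, which ports. As an added example (written for this post; the rule format and the sample rule set are constructed, and 203.0.113.0/24 is a documentation address range standing in for a support vendor's real addresses), the following Python lints a list of inbound allow rules for the over-broad patterns that scans keep turning up, and shows a vendor remote-support rule in its weak form beside its corrected form.

```python
"""Lint inbound allow rules for holes wider than the service needs.

Added example for this post, not SecurityMetrics code. The rule format and
the sample rule set are constructed; 203.0.113.0/24 is a documentation
address range standing in for a support vendor's real addresses. Each rule
is an inbound allow: which source addresses may reach which internal host
on which ports.
"""
import ipaddress

# Services whose exposure to the whole internet deserves a second look.
ADMIN_PORTS = {22: "SSH", 445: "SMB", 1433: "MSSQL", 3306: "MySQL", 3389: "RDP", 5900: "VNC"}
WIDE_RANGE = 100  # more ports than this in one rule is a hole, not a pinhole


def port_count(ports):
    """ports is "any", a single int, or an inclusive (low, high) tuple."""
    if ports == "any":
        return 65536
    if isinstance(ports, tuple):
        low, high = ports
        return high - low + 1
    return 1


def ports_include(ports, port):
    """True if the rule's port specification covers `port`."""
    if ports == "any":
        return True
    if isinstance(ports, tuple):
        return ports[0] <= port <= ports[1]
    return ports == port


def audit_rule(rule):
    """Return the findings for one inbound rule; an empty list means it is scoped tightly."""
    src = "0.0.0.0/0" if rule["src"] == "any" else rule["src"]
    from_anywhere = ipaddress.ip_network(src, strict=False).prefixlen == 0
    ports = rule["ports"]
    findings = []
    if rule["dst"] == "any":
        findings.append("any-destination: name the one host that offers the service")
    if port_count(ports) > WIDE_RANGE:
        findings.append(f"wide-port-range: {port_count(ports)} ports open; list only the service ports")
    if from_anywhere and ports == "any":
        findings.append("any-source-any-port: the whole internet can reach every port on the target")
    if from_anywhere:
        for port, name in ADMIN_PORTS.items():
            if ports_include(ports, port):
                findings.append(f"admin-port-exposed: {name} ({port}) reachable from any source; "
                                "restrict src to the addresses the vendor actually uses")
    return findings


def audit(rules):
    """Map each rule id to its findings."""
    return {rule["id"]: audit_rule(rule) for rule in rules}


# Constructed sample policy: three "make it easy for the vendor" holes and two tight rules.
SAMPLE_RULES = [
    {"id": "web-orders", "src": "any", "dst": "10.0.1.10", "ports": 443},             # online ordering: tight
    {"id": "pos-vendor", "src": "any", "dst": "any", "ports": "any"},                 # what a vendor may ask for
    {"id": "remote-support", "src": "any", "dst": "10.0.1.20", "ports": 3389},        # RDP open to the world
    {"id": "print-upload", "src": "any", "dst": "10.0.1.30", "ports": (1024, 65535)},  # "just open the high ports"
    {"id": "remote-support-fixed", "src": "203.0.113.0/24", "dst": "10.0.1.20", "ports": 3389},  # same service, scoped
]

if __name__ == "__main__":
    for rule_id, findings in audit(SAMPLE_RULES).items():
        print(rule_id, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

The public web-ordering rule passes because it names one host and one port; the remote-support rule passes only once its source is narrowed to the vendor's addresses. A rule list like this is also what to hand a scanning vendor, so their external findings can be matched against the hole each rule was meant to open.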
1. Believing that hackers are not actually after you
One of my favorite sayings is “it's not paranoia if they really are after you.”
I'm not trying to give you nightmares or anything like that, but they are after you now. Who's they exactly? It's all the names that we love to talk about in the hacker community, it could be a disgruntled employee or it could be just random. However, I am primarily referring to the hacker community. They are constantly scanning networks so if you leave an opening, they're going to find it and exploit it.
We hear a lot of excuses like, “I don't have anything that they would be interested in,” “I don't have the budget for expensive security systems,” or “I've been running without a firewall for years and I'm fine.” The one I really like is, “well, they probably already have all my secrets anyways, so what's the use?” There's some truth in all of these excuses and you can talk yourself out of prioritizing security if you want, but these excuses won’t benefit you in the long run.
Of course hackers can monetize things you wouldn't believe. But sometimes they're just in it for the pain and suffering that they can cause. It does you no good to let yourself become a victim of a hacker simply because you stood by and let it happen. Additionally, you don't want your customers to suffer.
So the main point to remember is that your attitude and your orientation towards this, and how seriously you take it, matters.
On a final note, it’s essential to remember that employees are the biggest risk when it comes to security breaches. None of the security measures that we have talked about today can keep an employee from sharing a password or clicking a link that triggers malware.
You and all of your employees, the people that share access to your network, need to be aligned on security and act responsibly. Workforce training can immensely help your company culture to be focused on good security practices so that you can decrease your risk of a breach.
Protecting your network and configuring your firewalls can get complicated, so don't hesitate to get help and don't try to do it by yourself. These types of security measures aren’t going to break the bank. In fact, getting hacked will cost you much more in the long run. Ransomware costs are going up every year, and SMBs continue to be a major target of hackers because they often leave vulnerabilities, like the ones we’ve discussed here, open. If you have any questions about the firewall management services that SecurityMetrics offers, you can check them out here.
Author: Greg Steffen