I'm no cyber security expert or tech guru so for those of us without those skills what should we do to protect our home networks? All of these cyber attacks and other information I receive from work have me rethinking home cyber security.

Something I ran across called a Yubico Key was highly recommended to safeguard against someone from accessing your online accounts. Apparently, there is a way to get around 2FA (two factor authentication) like when the bank send your phone a code for you to enter to gain access. This key apparently has not had a successful attack against it in the past 11 years. It's made in Sweden and the U.S. and is a Swedish company.

My current network just exists of my own cable modem and an Apple Airport Extreme router. Outside of that I run no virus software or any type of security software on my Macs and have NEVER had a problem. However, I cannot say the same for computers I have had running Windows with antivirus software like McAfee or Norton. Those things are virus magnets. Just this morning my work computer (HP laptop with Windows 10) went all crazy with alarms when I incorrectly keyed in a web site name and I had to sever my connection to the web.

Is there a separate hardware security device (e.g. Firewalla) I can put between my home and the World Wide Web? What do I need? Do I need a dedicated VPN subscription, which one?

All this crap seems to be getting out of control rather quickly and we seem unable to stop it. I know of a hospital chain who has paid out multiple times on ransomware attacks even with the FBI involved. As far as I can tell, if you want to be secure, do not connect anything to the internet.

Before you go to the extremes you mentioned you have to ask yourself "what am I protecting?".
Is someone going to go to extremes just to extort you for your personal stuff or do you house some real valuable data?
All of the stuff you mentioned is valid and can take hours if not days to discuss.
If you are looking for a quick answer then you are not looking at security properly.
Start with common sense with you contact with the outside world.
Create a backup /recovery plan - with multiple instances and locations.
VPN, router/firewall, password policies and more don't fix in an easy one-size-fits-all solution.
Take it in layers step by step based on need and circumstances.
Wear a mask (LOL).

smschulz,

Understood. I'm trying to protect any account I have online from unauthorized entry. To date I have 2FA on everything I possibly can and started using very long and complex passwords unique to those sites. Secondly, I'm trying to keep bad guys/malware/etc. out of my system. Is someone going to spend days trying to hack my little home network, not likely. However, devices such as the NEST thermostats have been used previously in cyber attacks. How they accessed them and controlled them I have no idea.

quote:

Originally posted by jcsabolt2:
smschulz,

Understood. I'm trying to protect any account I have online from unauthorized entry.

Then:

• Use an encrypted keyring (aka: "password manager") and use it for URLs, as well as credentials. This way you won't accidentally typo a URL and enter your credentials into a scam site. (It happens all the time.)
  
• Use long, complex passwords and pass-phrases. Never use the same or similar passwords or pass phrases at multiple sites.
  
• Use tagged email addresses wherever you can. E.g.: Instead of jsmith@example.com everywhere, jsmith+site-specific-tag@example.com. E.g.: jsmith+paypal@example.com. Then bad actors have to guess not only your password, but your email address, as well. Plus that can help reveal scam emails.
  
• Use 2FA where available. (But note that can result in locking you out if there's trouble getting the 2FA token to you.)
  
• Don't access your accounts from untrusted public WiFi networks
  

quote:

Originally posted by jcsabolt2:
Secondly, I'm trying to keep bad guys/malware/etc. out of my system.

The best thing you can do to keep malware out of your stuff is practice safe computing. Keep your stuff patched, don't open attachments or click on links in dodgy email, don't visit dodgy sites. Don't install questionable software.

On mobile devices: Shun games. All of them. Also avoid dodgy messaging and social networking apps. (If you run WeChat, Weibo, or TikTok apps you deserve what you get, IMO. Same thing, to a somewhat lesser extent, for Facebook, Facebook Messenger, WhatsApp, Twitter, or Instagram.) Never side-load apps unless you really know what you're about.

quote:

Originally posted by jcsabolt2:
Is someone going to spend days trying to hack my little home network, not likely.

Bad assumption. If you ran in-depth daily log analysis on your Internet-facing stuff like I do, you'd know better.

quote:

Originally posted by jcsabolt2:
However, devices such as the NEST thermostats have been used previously in cyber attacks. How they accessed them and controlled them I have no idea.

Dodgy firmware on the IoT devices and/or users deploying them w/o changing default account names and passwords, mostly. Other than using quality, brand-name IoT devices (no guarantee, of course) and changing access account credentials: Appropriate ingress and egress rules on Internet border routers.

For both ingress and egress: The standard MS-Windows file-sharing ports (135, 137-139, 445) should never be allowed to transit your Internet gateway. (You would be amazed at the amount of MS-Win file sharing traffic I see on the Internet side of our router. Simply astounding.)

Egress rules examples: No computer or other device on my LAN should ever need to use outgoing port 25 (SMTP), so that port is denied, by default, to everything on our LAN save our network server. Nobody on our LAN except me ever uses IRC, so outgoing IRC connections (ports 194, 994, 6667) are blocked by default. (IRC is often used from command-and-control by botnets.) There are others. I don't have the list to hand, atm.

These last two are going to be controversial, but so be it: I don't use MS-Windows or Google Android. It's not that the other platforms are immune, and I don't even want to get into the whole argument of whether they are or are not more insecure than other platforms. What is undeniable is they are attacked more often than competing platforms.

quote:

Originally posted by jcsabolt2:
Is someone going to spend days trying to hack my little home network, not likely.

However, devices such as the NEST thermostats have been used previously in cyber attacks.
How they accessed them and controlled them I have no idea.

It is why a lot of us segment the IoT from our local network with VLANS.
Even that can get compromised and why you need rules to access the VLAN from your primary network.
You would also need a VLAN aware router or a layer 3 switch to communicate between VLANS.
Static IP Block you could completely isolate but that might be overkill and unnecessary.

FWIW, a good router (firewall - not talking about Wi-Fi here) properly configured, 2FA and good browsing habits along with a good backup system will get you a long way.

I ordered a Yubikey and am awaiting its delivery. My primary use will be for crypto accounts, but may very well end up using it for most everything.

So far, Last pass has served me well for password generation and safekeeping.

quote:

Originally posted by tigereye313:
I ordered a Yubikey and am awaiting its delivery. My primary use will be for crypto accounts, but may very well end up using it for most everything.

So far, Last pass has served me well for password generation and safekeeping.

KeePass may be even better. I set it up for one of the departments in my IT division, and it's been great with a fantastic amount of customization abilities and very good security if implemented using best security practices. I use it on my personal computer as well. It will run on Linux as well. Maybe other operating systems too.