Tradecraft Guide: 20 Critical Steps to Secure Your Firm's WiFi Router


This is a quick tutorial on properly securing and hardening the router and WiFi network of any SEC or FINRA registered firm. It is meant to be a direct action list that highlights the major vulnerabilities I find in almost every firm that I engage with.

The 20 Biggest Issues:

1. Change the default password and user id. The new one should be at least 16 characters long. Keep “Correct Horse Battery Staple” in mind.

2. Turn off WPS. Someone within range of your firm can easily use this protocol to brute force their way into your router.

www.mtradecraft.com | 210-264-2578 | [email protected]

3. Turn off UPnP. Plug and Play is super convenient. You know who else finds it convenient? The Russians.

4. Turn off NAT-PMP. It's a no-go on this protocol. It sucks. Also a Putin favorite.

5. Wi-Fi radio encryption should be WPA2 with AES (at a minimum). If WPA3 is available, use that.

6. Wi-Fi passwords should be strong and secure with 2 factor authentication. As should ALL of your passwords. See item #1 on how to make a secure password.

7. Don’t use a WiFi SSID that identifies your firm. When I am performing an onsite penetration test of a client’s network, the first thing I do when I arrive is head for the nearest bathroom. I grab a stall and start sniffing wireless traffic to see what I can find. If I can find a WiFi network that says “ABCWealthManagement” then jackpot. I will sit in the stall and start working on gaining access. I have complete privacy and nobody suspects a thing. (Note: Anyone who advises you to turn off SSID transmission as a cybersecurity precaution doesn’t know what they are talking about. When you don’t broadcast your SSID you only make it difficult for your employees to find the network. It makes no difference to a penetration tester or a malicious hacker. We see it anyway.)

8. Use a password protected Guest Network. Use it for guests and IoT devices. Have clients that bring their kids to meetings and the kid will not calm down until he gets the WiFi password so that he can watch YouTube on his iPad? Yeah, I have had some of those too. No problem really... just make sure you have a segregated network for junior to watch Thomas the Train on.

9. Turn Off Remote Administration. Seriously, are you accessing your modem/router from your house? If so, is it mission critical work? If not, then turn Remote Admin off. Because... if you can have access, so can I.

10. Test for open ports and services. The SEC and State boards will ask you for this information. If you don’t have it, it is a pretty clear sign that you haven’t been following your cybersecurity compliance obligations. How can you protect your network if you don’t know what Ports and Services are running? Nmap is free and does the job excellently. Sample Screenshot below.
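As an added example (not part of the guide or its author's tooling), the script below turns the Nmap scan from step 10 into a compliance record: it parses Nmap's grepable output (`nmap -oG`) and sorts every open port into "documented baseline", "undocumented", or "the guide says turn this off" (UPnP in step 3, NAT-PMP in step 4). The baseline set, the watchlist ports and the scan text are assumed/constructed values, not data from the guide.

```python
"""Review an `nmap -oG` router scan against the guide's checklist.
Added example; the scan below is constructed, not a real capture."""
from dataclasses import dataclass

# Well-known ports for the protocols the guide says to turn off (assumed defaults).
WATCHLIST = {
    (1900, "tcp"): "UPnP/SSDP (step 3: turn off UPnP)",
    (1900, "udp"): "UPnP/SSDP (step 3: turn off UPnP)",
    (5351, "udp"): "NAT-PMP (step 4: turn off NAT-PMP)",
}
# Services the firm has documented as expected on the router (assumed baseline).
BASELINE = {(53, "tcp"), (53, "udp"), (80, "tcp"), (443, "tcp")}

# Constructed sample of grepable output; fields are tab-separated.
SAMPLE_SCAN = """\
# Nmap (constructed sample) as: nmap -sS -sU -p- -oG - 192.168.50.1
Host: 192.168.50.1 ()\tStatus: Up
Host: 192.168.50.1 ()\tPorts: 53/open/tcp//domain///, 80/open/tcp//http///, \
443/open/tcp//https///, 1900/open/tcp//upnp///, 8080/open/tcp//http-proxy///, \
5351/open|filtered/udp//nat-pmp///\tIgnored State: closed (65529)
# Nmap done (constructed sample)
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    state: str
    service: str


def parse_grepable(text):
    """Return an OpenPort for each open (or open|filtered) port in -oG output."""
    found = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # the "Status: Up" line carries no port list
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, *_ = entry.split("/")
            if state.startswith("open"):
                found.append(OpenPort(host, int(port), proto, state, service))
    return found


def review(text):
    """Classify each open port as 'watchlist', 'baseline' or 'undocumented'."""
    findings = []
    for p in parse_grepable(text):
        key = (p.port, p.proto)
        if key in WATCHLIST:
            findings.append((p, "watchlist", WATCHLIST[key]))
        elif key in BASELINE:
            findings.append((p, "baseline", "documented service"))
        else:
            findings.append((p, "undocumented", "justify and add to baseline, or close"))
    return findings


if __name__ == "__main__":
    for p, verdict, why in review(SAMPLE_SCAN):
        print(f"{p.host} {p.port}/{p.proto} {p.service:<12} {verdict:<12} {why}")
```

Run it against real output with `nmap -sS -sU -p- -oG scan.txt <router LAN address>` and feed the file to `review()`; keep the printed report with your monthly compliance records.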


11. Turn off Port forwarding... if you can. Some IT providers and Apps may require it and if so, that is OK. Just make sure you keep your firmware and software up to date at all times. Speaking of which...

12. Check for new firmware and software updates monthly. You need to have it as part of your compliance duties to administer these devices and ensure they are always up to date. We recommend using a graphical network map of your firm to walk through the process and document the tasks each month. Below is an example of the MTradecraft domain. We use Maltego to produce these maps for our clients.

13. Get rid of the ISP provided equipment. The internet service providers are known for distributing vulnerable equipment that they never update. It is their trademark. You don’t have the ability to administer the device (review logs, for example) or update/upgrade it as the device manufacturer releases new software. Can it and buy some equipment that you own and can monitor.

14. Change the DNS servers that your router gives out to attached devices. ISP assigned DNS servers are usually the default, and worst, option. Use DNS servers 9.9.9.9 (from Quad 9, backed up by 149.112.112.112) and 1.1.1.1 (from Cloudflare, backed up by 1.0.0.1).

15. Change the LAN side IP address of the router. Don’t go with the default 192.168.0.1. Use something unique, to make it more time consuming for a hacker to map your network. Also, sometimes the default IP issued can help a hacker ID the equipment they are working with.

16. For routers with a web interface, lock down access to the router from the LAN side with 2FA.

17. Turn off Ping reply. Hacking Step #1: Ping a device to see if it is alive. If a device doesn’t reply, you might get lucky and the attacker will move on.

18. Turn off the wireless networks when not in use. Most devices will have a physical kill switch to On/Off the WiFi radio. Make it a practice to turn it off at night before the crew leaves the office.

19. Block network printers from making any outbound connections.

20. Configure the router to notify you of suspicious behavior. This is one of my favorite features. The router we use notifies me any time a new device connects to the network and asks me to approve the request. It will also let me know if an employee has visited a risky or banned website or malicious domain. Each morning, I get a nice email with a cybersecurity assessment of the network.


About the Author:

My name is Brian Hahn and I founded MTradecraft in 2009. I have been in the investment industry for over 20 years with experience as a:

- COO|CCO of a SEC Registered Investment Advisor
- Head Trader and Operations Manager for a SEC registered hedge fund
- CS Associate at Ray Dalio's Bridgewater Associates
- Co-Founder of two investment management firms (a RIA and hedge fund)

I have experience designing every aspect of a firm's IT operations, compliance manuals, operational workflows, and cybersecurity infrastructure.

Unlike most firms, I do not sell ongoing cybersecurity products, nor am I affiliated with outside IT vendors. That means you will receive unbiased advice that is focused on protecting your network, and you never have to worry about an upsell at the end.

I live and breathe cybersecurity and investment management operations and I am dedicated to the tradecraft of helping my clients protect their most sensitive data and client relationships.

MTradecraft supports over 180 clients nationwide.

We serve all financial institutions, with focused expertise in the RIA, broker-dealer, hedge fund, and family office space.

www.mtradecraft.com | [email protected]