There is a new tendency in cybersecurity named Zero Trust, which I believe was initially developed by Google and became the baseline of their services. It means that users and services are constantly being questioned and that persistent identification is needed.
This superseded the previous concept of the trusted boundary, where after a user made it through the network boundary, she/he was trusted.
While zero trust becomes mainstream, we rely on the boundary provided by the service providers when we connect to the internet. We also trust that malicious actors outside of our local network cannot make it through this boundary. Several cybersecurity concerns follow from this assumption, and they generally come down to one simple question: how much do you trust your service provider?
The concerns that we should consider are described next:
Service Provider Equipment
When a service provider sends you the equipment to provide internet service, it is important to understand that the minimum they must provide is a modem. The modem translates the internet signal into the medium of distribution provided by the service provider, such as cable, fiber, or the no longer existing phone landline. However, they generally extend their reach with router/wireless capabilities, sometimes for a moderate monthly rental fee.
All this service provider equipment comes pre-configured to give the user a standard plug & play experience, but this pre-configuration comes with a risk. What if your device provider, who has a significantly larger footprint than you as a user, gets compromised, and this information gets leaked? At this point, your local network will be exposed and vulnerable.
This brings us to rule number one to protect the boundary of your network:
#1. Never leave any network device, whether owned by your service provider or by you, with the default password, as this is the first thing a malicious actor will try in order to compromise your network.
This is the #1 basic rule that we all need to follow, but sometimes your service provider may have access to your network information. This brings us to the next section.
User-Owned Equipment
To protect the boundary of your network, it is important not to rely on the equipment provided by your service provider. Therefore, the next rule should be considered:
#2. Purchase your own network router and wireless access point, independent of your service provider, and configure them following at least rule #1.
This will give you the peace of mind that a compromise of your service provider is less likely to propagate into your network. Additionally, service provider pre-configurations that may be vulnerable and publicly known are also avoided thanks to the additional layer of protection provided by your own device.
While this is a good practice, do not forget that proper configuration of your devices is key to providing a good cybersecurity posture.