Leaderboard

Any time you allow Internet access to anything the threat level goes from "very little" to "a lot," regardless of what you try to do to mitigate it. For starters: Login access to your router from the Internet should be entirely prohibited. Period. Incoming connections should be on a "that which is not explicitly allowed is denied" basis. Proper, explicit port-forwarding rules should see to that. Default accounts should be disabled. Or at least have passwords or pass phrases so incredibly long and complicated they might as well be. If login access has any "break in attempt" detection, that can temporarily blacklist source addresses that get an account i.d. and/or password wrong "X number of times in time T," that will tend to slow attackers down so badly the likelihood of success is vanishingly low. Regarding LAN security: It's wise, when possible, to use VLANs and isolate IoT devices to their own VLANs. Also: If IoT devices do not need access to the Internet (e.g.: cameras talking to a local NVR have no need to swap spit with anything on the Internet, other than to occasionally check for firmware updates), they should be prohibited from doing so, either by putting them on their own network segments, using VLANs that don't have access to the Internet gateway, or by blocking them at the gateway. (VLANs enforced by managed Ethernet switches are more secure than border-router blocking. Separate LANs, isolated with internal routers are even more secure.) Lastly: You have to put it in perspective. Unless you're a bank, government entity or some other high-value target: Odds are anybody taking a shot at you is just what we call "knob-twisting" in the I.T. security field. They'll get in if they can, but it's unlikely anybody will mount a concerted attack against you. You're probably at greater risk from what you receive in email and what you browse with your web browser than you are with your NVR and cameras.