Installer's Name*

Select the disciplines, products and devices that you'll be installing or configuring. As you are taken through section, you'll be reminded of the steps required to secure those devices and sub-systems.

After you complete the checklist, you'll receive a rating and a report showing the scoring system. You can email a copy of the report to your customer or yourself.

Select the categories you are installing:*
Select all that apply.

NOTE: The Passwords, Networking, and Modems and Routers sections are required.


The final score obtained from this Connected Home Security Online Tool (“Online Tool”) should not be used without first obtaining competent professional or technical advice with respect to its suitability in any given situation. Users acknowledge and agree that the results obtained from this Online Tool should not be, and is not, a substitute for professional judgment.

CTA does not warrant or assume any liability or responsibility for the accuracy, completeness or usefulness of the results obtained from this Online Tool. CTA disclaims any and all warranties, express or implied, and will not be responsible for any loss sustained by any person who uses, takes any action or refrains from taking any action based on this Online Tool. Anyone using this Online Tool assumes all liability and risks resulting from such use and will indemnify and hold CTA harmless from any claims which may arise from the use of the Online Tool and generated results, including those arising from any personal injury or property damage.

Passwords

CRITICAL STEP

1. Change default username and create unique, not obvious, username OR verify manufacturer used a unique, serialized username and password on a per-device basis.
2. Use strong passwords.
3. Get permissions in writing for managing client passwords for all relevant systems.
4. Use password encryption.
5. Use different passwords for all devices and systems.

INSTALLATION TIP: Ensure the client is using a password management tool (paper or electronic).

INSTALLATION TIP: Be selective with any password hints.

INSTALLATION TIP: Update passwords regularly or schedule password updates in a maintenance agreement.

Networking

CRITICAL STEP

1. Change default username and passwords for all networks
2. Use strong passwords on all networks.
3. Recommend installing up-to-date anti-virus and anti-malware tools on customers’ computers, or recommend they seek professional help.
4. Create a log-in without administrative privileges for client.
5. Limit access from outside physical structure of the client site.
6. Ensure live Ethernet connections are not available outside the home.
7. If the system is utilizing power line networking technology, block the signal for outdoor power receptacles.

Segment the Network for Different Purposes

CRITICAL STEP

8. Change default username and passwords for each VLAN.
9. Use strong passwords for each VLAN.
10. Create segmented VLAN for different uses.
11. Separate Wi-Fi channels among the segments.
12. Separate physical cable networks.
13. Use a separate network or VLAN for gaming systems.
14. Ensure port forwarding and UPnP are disabled on the WAN.
15. Use a hardwired network when available.

Set Up Basic Security

INSTALLATION TIP: Take snapshot of current device configuration to compare to in the future.

INSTALLATION TIP: Use network monitoring app.

INSTALLATION TIP: Use automated tools to help with configuration and change tracking.

INSTALLATION TIP: A/V Components - Apply security guidance here as well.

16. Minimize DHCP range.
17. Disable port forwarding on unused functions, if applicable.
18. Take snapshot of network's 'as-built' configuration for reference.

CRITICAL STEP

19. Secure the Wi-Fi network to the highest available level of security.

CRITICAL STEP

20. Enable Wi-Fi Encryption.
21. Disable a network DMZ, if applicable.
22. Change the router's default SSID.
23. Turn off router SSID broadcasting.
24. Disable WPS (Wi-Fi Protected Setup).
25. For a higher level of security, enable wireless MAC Filtering.
26. Set up a guest network with separate password protection and SSID.
27. Determine available VPN protocols for installation compatibility, performance and security requirements in all supported devices.

Modems and Routers

1. Install a stand-alone modem instead of an all-in-one router/modem.
2. Install a stand-alone router instead of an all-in-one router/modem.
INSTALLATION TIP: If using a modem/router from the ISP, disable DHCP and Wi-Fi. Connect via bridge mode to your router.
3. Install the latest available firmware on router.
INSTALLATION TIP: Check to see if the ISP is updating the box firmware.

CRITICAL STEP

4. Change default administrator username and password on router.
5. Use strong passwords on router.
6. Disable port forwarding on the router, if possible.
7. Disable WAN UPnP and HNAP on the router.
8. Disable WPS on the router.
9. Enable the router firewall.
10. Disable port forwarding on the router.
INSTALLATION TIP: Unblock ports used by consumer's applications.
11. Use nonstandard port values on the router for applications.
12. Segment remote access on a separate network.
INSTALLATION TIP: Partner with a vendor that provides additional network security.
13. Check the private network with a port scanning tool.
14. Log out of admin services when done configuring the router.

Consumer Network Management Tools and Devices

CRITICAL STEP

1. Change default username and passwords.
2. Use strong passwords on all devices connected to the CNMD.
3. Use allow-list, deny-list and other resources to minimize hacking, intrusion and other malware and limit access to suspicious social networks, search engines and websites.
4. Limit access on all network connected devices to firmware updates and content related to their specific purpose.
5. Identify and set up parameters and document ongoing maintenance needs.

VPN

CRITICAL STEP

1. Change default username and passwords.
2. Use strong passwords.
3. Encrypt all data going out of the network using VPN Router/Service.
4. Select hosted "cloud" VPN services based on logging policies and other user privacy protections.
5. Use recommended, current encryption protocols such as Transport Layer Security (TLS 1.2 or higher).
6. Set up secure remote access through VPN or vendor specific applications.

INSTALLATION TIPS

  • Follow and document requirements for VPN installation for remote access.
  • Follow and document requirements for VPN installation for "cloud" servers.

Z-Wave

CRITICAL STEP

1. Change default username and passwords on Z-Wave control devices and software.
2. Use strong passwords on Z-Wave control devices and software.
3. Record the unique Z-Wave home ID for all installations and keep confidential.
4. Always create unique home IDs; never recycle or reuse.
5. Password protect the primary controller and/or gateway to ensure only authorized individuals can maintain, change or add to the designated Z-Wave mesh network.
6. At time of installation, document all products to ensure all points on the Z-Wave mesh network are known and can be reliably maintained for security.
7. If a home ID is compromised, regenerate a new Home ID for this installation and assign to all documented products in the installation via the primary controller.
8. Use Z-Wave AES 128 network security keys and keep them confidential.
9. Use lowest possible RF power settings with Z-Wave products.

CRITICAL STEP

10. Ensure any Internet connected Z-Wave gateways are properly firewalled and protected.
11. Limit access and provide physical security for Z-Wave primary controllers/gateways.

ZigBee

CRITICAL STEP

1. Change default username and passwords on Zigbee control devices and software.
2. Utilize strong passwords on Zigbee control devices and software.
3. At time of installation, document all installed ZigBee products to ensure all points on the ZigBee mesh network are known and can be reliably maintained for security.

CRITICAL STEP

4. Ensure any internet-connected ZigBee gateways are properly firewalled, filtered and protected on an installation.
5. UseZigBee's AES CCM security suite to establish an 802.15.4 network encryption key, where possible.
6. Enable ZigBee application layer security, if available, for enhanced protection of designed installations.
7. Limit access and provide physical security for ZigBee coordinators/gateways.

Beacons (NFC/RFID)

CRITICAL STEP

1. Change default username and passwords on Beacons.
2. Use strong passwords on Beacons.
3. Install NFC readers so as to minimize unwanted physical access.
4. Install RFID readers so as to minimize unwanted physical access.
5. Install beacons so as to minimize unwanted physical access.

Bluetooth

1. At time of installation, document all installed Bluetooth products to ensure all devices are known and can be reliably maintained for security.
2. Enable all Bluetooth 128 bit encryption and/or password/PIN authentication mechanisms.
3. Verify all applicable Bluetooth devices are non-discoverable after initial installation and provisioning.
4. Confirm internet-connected Bluetooth applications are properly firewalled, filtered and protected.
5. Verify visible beacons on Bluetooth low-energy applications do not contain sensitive information.

A/V Components

CRITICAL STEP

1. Change default username and passwords on A/V Components.
2. Use strong passwords on A/V Components.
3. Disable and/or cover built-in cameras when applicable.
4. Use wired network connections over Wi-Fi whenever possible.
5. Implement process for managing streaming account credentials.

INSTALLATION TIPS:

  • Minimize replication of streaming accounts across multiple source components.
  • Require clients to create strong credentials for streaming accounts.

Home Security Devices

1. Maintain system policies on activation, testing and turnover.

CRITICAL STEP

2. Have client change master code and store in safe place.

CRITICAL STEP

3. Change default username and passwords on security devices.
4. Use strong passwords on security devices.
5. Leave client clear instructions on how to change and manage master codes.
6. As a dealer, only maintain installer codes, not master codes.

INSTALLATION TIPS:

  • If the customer wants the dealer to maintain codes, ensure a written agreement is used.
  • Protect the content of client-monitoring agreements by storing them securely.

Mobile Devices

CRITICAL STEP

1. Change default username and passwords on mobile devices.
2. Use strong passwords on mobile devices.
3. Don't let mobile device save passwords, require user to enter every time used.
4. Ensure client knows how to manage system passwords and updates to software.
5. Ensure client knows how to administer remote and local access on mobile devices (across all platforms).
6. Ensure client has set up remote administration of mobile devices, including remote access and back-ups; in case of loss or theft.

INSTALLATION TIP: Share best practices with all users of system (i.e., don't share passwords).

Score

Rating: None

Rating: Bronze

Rating: Bronze

Rating: Bronze

Rating: Silver

Rating: Silver

Rating: Gold

Rating: Gold

Rating: Platinum

Rating: Platinum

Rating: Platinum

Please check to confirm*
Please check to confirm*

Copyright © 2003 - 2021 CTA. All rights reserved. Read our privacy policy or terms of use.

Progress
Cancel
Confirm