AB 03052008 Podcast Interview Matt Sarrell 96 kbps EDITMSC (AllBusiness.com’s Paul Kilduff interviews Matt Sarrell.)
Paul Kilduff: You’re listening to the AllBusiness podcast. I’m Paul Kilduff. If you’re getting this through iTunes, an RSS feed or an online streaming-media player, you can hear interviews with other experts at AllBusiness.com.
Kilduff: Networking computers has become a commonplace business practice these days. Whether it’s just a couple of guys in a warehouse or a 12-person office, being able to have your computers talk to each other and share files and printers increases productivity. But what kind of security issues are there with networks? For the answers, we turn to Matt Sarrell, founder of Sarrell Group, an information technology consulting company. Matt is also an AllBusiness technology blogger and a contributing editor at PC Magazine. Matt, obviously wireless networks are becoming more and more popular but aren’t they more easily compromised?
Matt Sarrell: In theory, they could be more easily compromised than a wired network. This is primarily just because a wireless signal travels beyond walls and a wired signal just travels along wires so, you know, any data that travels across a wireless network is potentially exposed to anyone who can pick up those radio signals. However, there are things you can do to encrypt the traffic as it goes across the network and also to authenticate users and make sure that they really belong on the network. So there are some theoretical things that you would have to take into account but in real life, wireless networks can be secured.
Kilduff: Matt, what’s the most effective encryption method today?
Sarrell: Access points today currently ship with WPA or Wi-Fi Protected Access or even WPA2. This replaces the old standard which was WEP or Wired Equivalent Privacy. WEP wasn’t particularly good. It reused the same keys and the encryption was not very strong. So eventually, it became trivial to hack it. You could download code off the internet and break into anyone’s WEP-encrypted network so, you know, you definitely want to avoid WEP. You definitely want to avoid having an open network. You could use WPA, WPA2, or there are even some proprietary solutions.
Kilduff: Can you still even get WEP?
Sarrell: You can get WEP. It comes, you know, it will come on all the access points and it will be available on the old access points. The old access points many times it will have a firmware upgrade to add WPA but they do, they keep WEP in there for compatibility reasons.
Kilduff: Describe encryption. What are you actually doing?
Sarrell: With encryption, you are exchanging a key that is then used to perform a complex mathematical operation to encrypt or scramble the data that is being sent across the wire or across the radio waves. This is very much like if you were to think about maybe passing notes as a kid and using a code or you know, you doing some kind of communications during wartime using ciphers, things like that. So basically, what it is now is that they can harness the power of computers to do much, much more complicated calculations, almost to the point where it’s almost a trivial amount of computing power that’s needed. So it’s basically scrambling, taking the legitimate data that used to be on your screen, scrambling it, sending it over the wire to another computer which already has the key and can use that key to unscramble it, process it, re-scramble it, send it back, you unscramble it, and run it.
Kilduff: So physically, what does it look like? Does it look like alphabet soup to someone who’s trying to pick up on your network?
Sarrell: Yeah, it would just look like garbage. It would just look like gobbledygook. You couldn’t make any sense of it. You would see, technically speaking, if you were sniffing the network and there was encrypted traffic on it, you would see the header information so you would know which two computers were communicating, but you would not be able to read the data in any meaningful way.
Kilduff: Are either one of these encryption methods, WPA or WPA2 hackable?
Sarrell: Anything can be hacked; it’s just going to take time. I think that ultimately, we would see weaknesses exposed in WPA or WPA2. There are none that I know of.
Kilduff: How do you know your WPA2 is on? Is there an icon on your computer that flashes or something or…?
Sarrell: Yeah, if you were sitting at your computer, let’s assume you’re running Windows, you would look at the system tray, you have a wireless network icon and you double-click on that wireless network icon and it will show you a view of the available networks, a view of the available wireless networks. Look at your wireless network, if it’s open, it will say it’s open. If it’s secured, there will be a little picture with a lock and it will say it’s secured. It may say WPA secured network or WEP secured network. If you wanted to make sure, you could then click on the advanced tab and look at the settings for that network specifically and see if it’s WPA or WEP.
Kilduff: Who’s likely to try to break into your network? Is there a profile?
Sarrell: I don’t know if there’s really a profile. I think that to a certain extent, I just have this vision of hackers all being, you know, being maybe 12 or 15 years old and just screwing around with stuff. Perhaps that’s because when I was 12 or 15 years old, I was screwing around with stuff and that’s just how I see the community but I’m sure there are professional hackers, there are people who take this stuff very seriously. So you know, you have to look for and protect yourself from both the casual hacker as well as the professional hacker who may be hired by one of your competitors to come after some kind of proprietary information that you have.
Kilduff: And what about say, credit card information from your customers, is that what hackers are looking for as well?
Sarrell: Yeah, quite often they are looking for credit card information from your customers. There’s been a lot in the news about security breaches and stolen credit card numbers and there was a big thing with TJ Maxx last year that cost them over $15 million to clean up. That was basically because they had unencrypted credit card numbers stored on a server that was exposed to the internet.
Kilduff: So, I think I saw this report. Anybody who wanted to, who had the right computer capability could drive up into the parking lot and hack into their system and get customer credit cards, is that right?
Sarrell: Well, that’s slightly different from--I’m talking about something that was exposed over the internet. I think you’re talking about the recent thing. I forget who it was but their point of sales system was using an unencrypted wireless network and yes, people could literally just sit in the parking lot and pick up credit card numbers as they went across the wire or not across the wire, across the air as part of the transaction process.
Kilduff: And then you can, with these numbers, somebody can then go out and buy stuff in your name, correct?
Sarrell: Oh yeah. It’s an identity theft thing. The credit card numbers, they can use that credit card to apply for other credit cards. These are not good things if you’re a business. If you let people get your customers’ information and your customers ultimately find out that you’re the one who exposed their data, it’s very unlikely that they would continue to purchase things from you.
Kilduff: And you’re also liable, correct?
Sarrell: Yes, you’re liable. There are states that have passed quite a few laws requiring notification. California has, Massachusetts, I believe New Hampshire, there’s also legislation pending in many states that basically if you divulge someone’s personal information then you have to at the very least, notify them. And to a certain extent, you’re liable for damages.
Kilduff: Wow! So stores, if they knew that this was happening or a business that knew that they had this breach, would actually have to contact all the potential customers or just the ones who they know that the data was compromised from?
Sarrell: That’s unclear. It’s certainly the ones that they know were compromised. Potentially, they should contact everyone. I’ve been reading things; I think I read a paper by Symantec. They were talking about for each person whose information you divulge, it ends up costing $15,000 to $25,000 to clean up the mess so that’s to notify that person, you’ve got to have, you know, you’re going to hire lawyers to write the letter; you’re going to hire lawyers to approve all the copy on the website you set up to help them get the information. It’s actually, you can put forth a very compelling business argument that you should spend the money upfront to protect your customers’ information because it will cost you much less than what you’ll have to spend afterwards to clean up the mess.
Kilduff: I would agree. You’re listening to an AllBusiness podcast with information technology consultant, Matt Sarrell, founder of Sarrell Group. Matt, let’s say you’ve asked your IT consultant to set up your wireless network, what are the basics you need to know as far as security is concerned?
Sarrell: Well, you have to get him to install WPA. That has to be there. We went over earlier how that could be done from your computer that you could check and make sure that it was done. You should also talk to him about doing a site survey. Again, you know, a wireless signal is broadcast so you would want the further that you broadcast that wireless signal, the greater risk you are at for attack just because, you know, it’s information getting around. So you want to make sure that access points are installed in a place that covers your business location but does not cover non-business locations like the parking lot or the floor upstairs or something like that.
Kilduff: So you can actually direct your wireless signal only to places where you want it to go.
Sarrell: Yes, you can. There are a variety of antennas that are available. A business class wireless access point will have replaceable antennas and they will use the industry standard connections so you can replace them with directional antenna or an omni-directional antenna, you can use different strength antennas and you can actually, you know, make sure that you’re only covering the area that you want to cover.
Kilduff: A virtual private network or VPN is even harder to crack than WPA2. What is it and how does it work?
Sarrell: A virtual private network establishes a tunnel between two endpoints and encrypts all the data that goes between those endpoints so there is a difference where WPA encrypts the radio transmission and the VPN is actually encrypting the data within that transmission. So used together VPN encrypting the data and then encapsulating that within the WPA encryption, you can create a very strong solution that would probably meet most security needs.
Kilduff: Under what circumstances do you recommend clients use VPN?
Sarrell: If what you’re using is critical to your business then you should use a VPN in order to secure wireless networking. There’s also the angle of using a VPN to allow people to access your network across the internet and work that way but right now, we’re just talking about wireless access. So what we’re saying is that you need security above and beyond what WPA provides. So let’s say, maybe you’re a financial firm or a doctor’s office, you know, something where there are severe…a defense contractor, something where there would be severe repercussions if the data were to be leaked. There is actually, you may ask why do we want to run a VPN inside WPA? Why do we want to encapsulate inside encapsulation? So, there’s a principle in security called defense in depth and what this says is that if you have one measure that might be defeated but then if you have two security measures or three security measures or four security measures, maybe one of those can be defeated but it’s not going to be so easy to defeat all four. And it’s not going to be easy to defeat all four in a timely manner without anyone noticing. An easy way to understand this is to think of the example of World War I fighting in the trenches. So you could string up barbed wire, you could dig trenches but they did not dig one trench or run one run of barbed wire, they put 10 runs of barbed wire and they alternated the barbed wire and the trenches until you know, so one trench would not have stopped the enemy charge but between 10 runs of barbed wire and 10 trenches, that’s going to stop the enemy and that’s the same principle between WPA and the VPN that would perform the same layered defense and hopefully stop the enemy.
Kilduff: It almost sounds like what you’re saying though is that if you are doing any kind of financial transactions, to be 100% secure, you should have VPN. I mean, is it something that you recommend for all clients who are conducting business over the internet or through a wireless network?
Sarrell: Yes, certainly, anyone conducting business over the internet needs to use some sort of encryption. Websites commonly use SSL, Secure Sockets Layer. That’s a different kind of encryption. It’s very similar to VPN in that it encrypts the data so when you’re doing your banking, you can look and see after you log in, you’ll see it now, instead of saying http, it says https, and it also at the bottom of the screen, you’ll see a little lock. And if you double-click on that lock, it will explain this server is running SSL, it’s using this key, it’s this strong, things like that. So certainly, really you need to do whatever is most appropriate to protect yourself and you know, the question always comes up, how much do I need to protect myself? And the answer is, you know, you need to protect yourself. Do whatever it takes.
Kilduff: So that decision is up to your clients in the end?
Sarrell: In the end, it is up to my clients. I usually approach consulting engagements regarding network security with a number of recommendations. I will cost them out because as you add security, you tend to add complexity and you place more restrictions on the actual workers. So it ultimately becomes a decision on the part of the business owner if they’re willing to spend the money to get that security. I always find it’s important to lay out all the options, explain what can happen, should they not use that solution and explain how that solution could protect them and then allow them to make the choice.
Kilduff: What are the safety issues you have to be aware of with a wired network? Are they by and large, safer than wireless? Do you not have to worry about anything if you’re fully wired?
Sarrell: To a certain extent, you know, by definition a wired network would be safer than a wireless network because the data is only going across the wire; it’s not being broadcast through the air. However, you do have some security concerns with the wired network. You’re vulnerable to attack through the internet. Everyone’s connected through the internet these days. So whether you’re using a wire or wireless, someone could exploit your network through the internet, someone could actually gain physical access to your network switch and tap into it that way, or someone could actually splice your network cable, maybe in a location you are not, you know, where no one goes.
Kilduff: Sneak in under the cover of darkness and tap in that way?
Sarrell: Right. Or one thing that I always like to put out is how many businesses have a computer for their receptionist? And the receptionist is in front of that computer and there’s a waiting room full of people. And now she has to get up and go tell someone something. So now, her computer is sitting there totally exposed. Not only that, her network cord is exposed and there’s a waiting room full of strangers.
Kilduff: That’s how it’s done. A tip from Matt. So, it sounds like what you’re saying is you are safe to a certain extent but not completely with any of these systems. You have to always be aware of what’s going on.
Sarrell: Yes, you have to always be aware of what’s going on. I would have to say philosophically that you’re never safe. You know, how safe is safe? Nothing is too safe. Anything that can be connected to the internet can be hacked to some degree.
Kilduff: Specifically, what do you mean by that? As far as hacking in through the internet?
Sarrell: Yes, so, I mean, there are so many different attacks. Someone can attack--you’ll have a firewall which is a secure network device that monitors all the traffic that goes between your network and the internet. So the firewall will be the first target. Then after that, if people can get through the firewall, they’ll start targeting servers and they’ll start targeting workstations. They’ll probably target the servers first because they’re more likely to contain information. Another thing to think about is the recent proliferation of malware like bots or Trojans which will compromise a user’s machine and allow someone from the outside to take control of that machine or to monitor that machine. So your user might, you know, click on a link in a spam and end up going to a website that plants, you know, a baddie on their computer and now, the bad guy can control that computer. It’s just as if he’s inside your network.
Kilduff: And you don’t even know.
Sarrell: No, you won’t even know. You won’t even know. You have to run an antivirus software, maybe an antivirus gateway…there are more products coming on the market now to monitor bots. The trouble is the way networks work. If they use a port to communicate with the outside world that you’ve already authorized to allow to go through the firewall, then you won’t know that it’s illegitimate traffic. It’s like it still had the right, you know, the key to the door. So how do you know whether it’s legitimate or illegitimate? You really have to watch traffic, understand where the traffic is going, understand where it’s coming from, why does it exist in order to figure out whether it’s a threat or not.
Kilduff: And if you don’t recognize an email address, just ignore it or delete it?
Sarrell: Certainly don’t open an attachment from someone that you don’t know. You know, that’s like if someone walked up to you on the street and wanted to sell you a Rolex, you know...
Kilduff: I’ve actually bought these before. I know what you’re talking about.
Sarrell: You would have to treat that the same way as you would treat a link in an email from a stranger and an attachment from a stranger, no way. Don’t open that! No way!
Kilduff: There seems to be a perception that PCs are the most vulnerable to these kinds of attacks and if you have a Mac, you don’t really have to worry about this stuff coming over the internet. Am I being overly simplistic there?
Sarrell: It’s somewhat simplistic. It’s a question of probability. So if you look at the number of Windows PCs that are out there, like Windows is over 90% of the market, so if you were going to write a piece of malware, it’s going to do the most harm if you go after 90% of the market. So that’s what people do. They target Windows. They are also starting to target Linux. They’re also starting to target the Mac. We’ve seen more viruses on the Mac. Actually, I was reading earlier this week, we’re starting to see viruses on smartphones exploiting the Windows Pocket PC and the BlackBerry OS. So you know, Windows is the biggest target but really, anything that’s running software is a target.
Kilduff: No one is safe. You must be ever vigilant.
Sarrell: Ever vigilant.
Kilduff: Thank you, Matt. Thanks for joining us. You’ve been listening to an AllBusiness podcast with Matt Sarrell, founder of Sarrell Group, an information technology consulting company. Matt’s also an AllBusiness technology blogger and a contributing editor at PC Magazine. Send your feedback on this show and suggestions for topics and guests to podcasts@allbusiness.com. I’m Paul Kilduff, thanks for listening.