AllBusiness.com's Paul Kilduff interviews network security expert Matt Sarrel of the Sarrel Group.
Paul Kilduff: You’re listening to the AllBusiness podcast. I’m Paul Kilduff. If you’re getting this through iTunes and RSS feed or an online streaming-media player, you can hear interviews with other experts at AllBusiness.com.
Kilduff: Networking computers has become a commonplace business practice these days. Whether it’s just a couple of guys in a warehouse or a 12-person office, being able to have your computers talk to each other and share files and printers increases productivity. But what kind of security issues are there with networks? For the answers, we turn to Matt Sarrell, founder of Sarrell Group, an information technology consulting company. Matt is also an AllBusiness technology blogger and a contributing editor at PC Magazine. Matt, obviously wireless networks are becoming more and more popular but aren’t they more easily compromised?
Matt Sarrell: In theory, they could be more easily compromised than a wired network. This is primarily just because a wireless signal travels beyond walls and a wired signal just travels along wires so, you know, any data that travels across a wireless network is potentially exposed to anyone who can pick up those radio signals. However, there are things you can do to encrypt the traffic as it goes across the network and also to authenticate users and make sure that they really belong on the network. So there are some theoretical things that you would have to take into account but in real life, wireless networks can be secured.
Kilduff: Matt, what’s the most effective encryption method today?
Sarrell: Access points today currently ship with WPA or Wi-Fi Protected Access or even WPA2. This replaces the old standard which was WEP or Wired Equivalent Privacy. WEP wasn’t particularly good. It reused the same keys and the encryption was not very strong. So eventually, it became trivial to hack it. You could download code off the internet and break into anyone’s WEP-encrypted network so, you know, you definitely want to avoid WEP. You definitely want to avoid having an open network. You could use WPA, WPA2, or there are even some proprietary solutions.
Kilduff: Can you still even get WEP?
Sarrell: You can get WEP. It comes, you know, it will come on all the access points and it will be available on the old access points. The old access points many times it will have a firmware upgrade to add WPA but they do, they keep WEP in there for compatibility reasons.
Kilduff: Describe encryption. What are you actually doing?
Sarrell: With encryption, you are exchanging a key that is then used to perform a complex mathematical operation to encrypt or scramble the data that is being sent across the wire or across the radio waves. This is very much like if you were to think about maybe passing notes as a kid and using a code or you know, you doing some kind of communications during wartime using ciphers, things like that. So basically, what it is now is that they can harness the power of computers to do much, much more complicated calculations, almost to the point where it’s almost a trivial amount of computing power that’s needed. So it’s basically scrambling, taking the legitimate data that used to be on your screen, scrambling it, sending it over the wire to another computer which already has the key and can use that key to unscramble it, process it, re-scramble it, send it back, you unscramble it, and run it.
Kilduff: So physically, what does it look like? Does it look like alphabet soup to someone who’s trying to pick up on your network?
Sarrell: Yeah, it would just look like garbage. It would just look like gobbledygook. You couldn’t make any sense of it. You would see, technically speaking, if you were sniffing the network and there was encrypted traffic on it, you would see the header information so you would know which two computers were communicating, but you would not be able to read the data in any meaningful way.
Kilduff: Are either one of these encryption methods, WPA or WPA2 hackable?
Sarrell: Anything can be hacked; it’s just going to take time. I think that ultimately, we would see weaknesses exposed in WPA or WPA2. There are none that I know of.
Kilduff: How do you know your WPA2 is on? Is there an icon on your computer that flashes or something or…?
Sarrell: Yeah, if you were sitting at your computer, let’s assume you’re running Windows, you would look at the system tray, you have a wireless network icon and you double-click on that wireless network icon and it will show you a view of the available networks, a view of the available wireless networks. Look at your wireless network, if it’s open, it will say it’s open. If it’s secured, there will be a little picture with a lock and it will say it’s secured. It may say WPA secured network or WEP secured network. If you wanted to make sure, you could then click on the advanced tab and look at the settings for that network specifically and see if it’s WPA or WEP.
Kilduff: Who’s likely to try to break into your network? Is there a profile?
Sarrell: I don’t know if there’s really a profile. I think that to a certain extent, I just have this vision of hackers all being, you know, being maybe 12 or 15 years old and just screwing around with stuff. Perhaps that’s because when I was 12 or 15 years old, I was screwing around with stuff and that’s just how I see the community but I’m sure there are professional hackers, there are people who take this stuff very seriously. So you know, you have to look for and protect yourself from both the casual hacker as well as the professional hacker who may be hired by one of your competitors to come after some kind of proprietary information that you have.
Kilduff: And what about say, credit card information from your customers, is that what hackers are looking for as well?
Sarrell: Yeah, quite often they are looking for credit card information from your customers. There’s been a lot in the news about security breaches and stolen credit card numbers and there was a big thing with TJ Maxx last year that cost them over $15 million to clean up. That was basically because they had unencrypted credit card numbers stored on a server that was exposed to the internet.
Kilduff: So, I think I saw this report. Anybody who wanted to, who had the right computer capability could drive up into the parking lot and hack into their system and get customer credit cards, is that right?
Sarrell: Well, that’s slightly different from--I’m talking about something that was exposed over the internet. I think you’re talking about the recent thing. I forget who it was but their point of sales system was using an unencrypted wireless network and yes, people could literally just sit in the parking lot and pick up credit card numbers as they went across the wire or not across the wire, across the air as part of the transaction process.
Kilduff: And then you can, with these numbers, somebody can then go out and buy stuff in your name, correct?
Sarrell: Oh yeah. It’s an identity theft thing. The credit card numbers, they can use that credit card to apply for other credit cards. These are not good things if you’re a business. If you let people get your customers’ information and your customers ultimately find out that you’re the one who exposed their data, it’s very unlikely that they would continue to purchase things from you.
Kilduff: And you’re also liable, correct?
Sarrell: Yes, you’re liable. There are states that have passed quite a few laws requiring notification. California has, Massachusetts, I believe New Hampshire, there’s also legislation pending in many states that basically if you divulge someone’s personal information then you have to at the very least, notify them. And to a certain extent, you’re liable for damages.
Kilduff: Wow! So stores, if they knew that this was happening or a business that knew that they had this breach, would actually have to contact all the potential customers or just the ones who they know that the data was compromised from?
Sarrell: That’s unclear. It’s certainly the ones that they know were compromised. Potentially, they should contact everyone. I’ve been reading things; I think I read a paper by Symantec. They were talking about for each person whose information you divulge, it ends up costing $15,000 to $25,000 to clean up the mess so that’s to notify that person, you’ve got to have, you know, you’re going to hire lawyers to write the letter; you’re going to hire lawyers to approve all the copy on the website you set up to help them get the information. It’s actually, you can put forth a very compelling business argument that you should spend the money upfront to protect your customers’ information because it will cost you much less than what you’ll have to spend afterwards to clean up the mess.
Kilduff: I would agree. You’re listening to an AllBusiness podcast with information technology consultant, Matt Sarrell, founder of Sarrell Group. Matt, let’s say you’ve asked your IT consultant to set up your wireless network, what are the basics you need to know as far as security is concerned?
Sarrell: Well, you have to get him to install WPA. That has to be there. We went over earlier how that could be done from your computer that you could check and make sure that it was done. You should also talk to him about doing a site survey. Again, you know, a wireless signal is broadcast so you would want the further that you broadcast that wireless signal, the greater risk you are at for attack just because, you know, it’s information getting around. So you want to make sure that access points are installed in a place that covers your business location but does not cover non-business locations like the parking lot or the floor upstairs or something like that.
Kilduff: So you can actually direct your wireless signal to only to places where you want it to go.
Sarrell: Yes, you can. There are a variety of antennas that are available. A business class wireless access point will have replaceable antennas and they will use the industry standard connections so you can replace them with directional antenna or an omni-directional antenna, you can use different strength antennas and you can actually, you know, make sure that you’re only covering the area that you want to cover.
Kilduff: A virtual private network or VPN is even harder to crack than WPA2. What is it and how does it work?
Sarrell: A virtual private network establishes a tunnel between two endpoints and encrypts all the data that goes between those endpoints so there is a difference where WPA encrypts the radio transmission and the VPN is actually encrypting the data within that transmission. So used together VPN encrypting the data and then encapsulating that within the WPA encryption, you can create a very strong solution that would probably meet most security needs.
Kilduff: Under what circumstances do you recommend clients use VPN?
Sarrell: If what you’re using is critical to your business then you should use a VPN in order to secure wireless networking. There’s also the angle of using a VPN to allow people to access your network across the internet and work that way but right now, we’re just talking about wireless access. So what we’re saying is that you need security above and beyond what WPA provides. So let’s say, maybe you’re a financial firm or a doctor’s office, you know, something where there are severe…a defense contractor, something where there would be severe repercussions if the data were to be leaked. There is actually, you may ask why do we want to run a VPN inside WPA? Why do we want to encapsulate inside encapsulation? So, there’s a principle in security called defense in depth and what this says is that if you have one measure that might be defeated but then if you have two security measures or three security measures or four security measures, maybe one of those can be defeated but it’s not going to be so easy to defeat all four. And it’s not going to be easy to defeat all four in a timely manner without anyone noticing. An easy way to understand this is to think of the example of World War I fighting in the trenches. So you could string up barbed wire, you could dig trenches but they did not one trench or run one run of barbed wire, they put 10 runs of barbed wire and they alternated the barbed wire and the trenches until you know, so one trench would not have stopped the enemy charge but between 10 runs of barbed wire and 10 trenches, that’s going to stop the enemy and that’s the same principle between WPA and the VPN that would perform the same layered defense and hopefully stop the enemy.
Kilduff: It almost sounds like what you’re saying though is that if you are doing any kind of financial transactions, to be 100% secure, you should have VPN. I mean, is it something that you recommend for all clients who are conducting business over the internet or through a wireless network?
Sarrell: Yes, certainly, anyone conducting business over the internet needs to use some sort of encryption. Websites commonly use SSL, secure sockets layer. That’s a different kind of encryption. It’s very similar to VPN in that it encrypts the data so when you’re doing your banking, you can look and see after you log in, you’ll see it now, instead of saying http, it says https, and it also at the bottom of the screen, you’ll see a little lock. And if you double-click on that lock, it will explain this server is running SSL, it’s using this key, it’s this strong, things like that. So certainly, really you need to do whatever is most appropriate to protect yourself and you know, the question always comes up, how much do I need to protect myself? And the answer is, you know, you need to protect yourself. Do whatever it takes.
Kilduff: So that decision is up to your clients in the end?
Sarrell: In the end, it is up to my clients. I usually approach consulting engagements regarding network security with a number of recommendations. I will cost them out because as you add security, you tend to add complexity and you place more restrictions on the actual workers. So it ultimately becomes a decision on the part of the business owner if they’re willing to spend the money to get that security. I always find it’s important to lay out all the options, explain what can happen, should they not use that solution and explain how that solution could protect them and then allow them to make the choice.
Kilduff: What are the safety issues you have to be aware of with a wired network? Are they by and large, safer than wireless? Do you not have to worry about anything if you’re fully wired?
Sarrell: To a certain extent, you know, by definition a wired network would be safer than a wireless network because the data is only going across the wire; it’s not being broadcast through the air. However, you do have some security concerns with the wired network. You’re vulnerable to attack through the internet. Everyone’s connected through the internet these days. So whether you’re using a wire or wireless, someone could exploit your network through the internet, someone could actually gain physical access to your network switch and tap into it that way, or someone could actually splice your network cable, maybe in a location you are not, you know, where no one goes.
Kilduff: Sneak in under the cover of darkness and tap in that way?
Sarrell: Right. Or one thing that I always like to put out is how many businesses have a computer for their receptionist? And the receptionist is in front of that computer and there’s a waiting room full of people. And now she has to get up and go tell someone something. So now, her computer is sitting there totally exposed. Not only that, her network cord is exposed and there’s a waiting room full of strangers.
Kilduff: That’s how it’s done. A tip from Matt. So, it sounds like what you’re saying is you are safe to a certain extent but not completely with any of these systems. You have to always be aware of what’s going on.
Sarrell: Yes, you have to always be aware of what’s going on. I would have to say philosophically that you’re never safe. You know, how safe is safe? Nothing is too safe. Anything that can be connected to the internet can be hacked at some degree.
Kilduff: Specifically, what do you mean by that? As far as hacking in through the internet?
Sarrell: Yes, so, I mean, there are so many different attacks. Someone can attack--you’ll have a firewall which is a secure network device that monitors all the traffic that goes between your network and the internet. So the firewall will be the first target. Then after that, if people can get through the firewall, they’ll start targeting servers and they’ll start targeting work stations. They’ll probably target the servers first because they’re more likely to contain information. Another thing to think about is the recent proliferation of malware like Bots or Trojans which will compromise a user’s machine and allow someone from the outside to take control of that machine or to monitor that machine. So your user might, you know, click on a link in a spam and end up going to a website that plants, you know, a baddie on their computer and now, the bad guy can control that computer. It’s just as if he’s inside your network.
Kilduff: And you don’t even know.
Sarrell: No, you won’t even know. You won’t even know. You have to run an antivirus software, maybe an antivirus gateway…there are more products coming on the market now to monitor bots. The trouble is that the way networks work. If they use a port to communicate with the outside world that you’ve already authorized to allow to go through the firewall, then you won’t know that it’s illegitimate traffic. It’s like it still had the right, you know, the key to the door. So how do you know whether it’s legitimate or illegitimate? You really have to watch traffic, understand where the traffic is going, understand where it’s coming from, why does it exist in order to figure out whether it’s a threat or not.
Kilduff: And if you don’t recognize an email address, just ignore it or delete it?
Sarrell: Certainly don’t open an attachment from someone that you don’t know. You know, that’s like if someone walked up to you on the street and wanted to sell you a Rolex, you know...
Kilduff: I’ve actually bought these before. I know what you’re talking about.
Sarrell: You would have to treat that the same way as you would treat a link in an email from a stranger and an attachment from a stranger, no way. Don’t open that! No way!
Kilduff: There seems to be a perception that PCs are the most vulnerable to these kinds of attacks and if you have a Mac, you don’t really have to worry about this stuff coming over the internet. Am I being overly simplistic there?
Sarrell: It’s somewhat simplistic. It’s a question of probability. So if you look at the number of Windows PCs that are out there, like Windows is over 90% of the market, so if you were going to write a piece of malware, it’s going to do the most harm if you go after 90% of the market. So that’s what people do. They target Windows. They are also starting to target Linux. They’re also starting to target the Mac. We’ve seen more viruses on the Mac. Actually, I was reading earlier this week, we’re starting to see viruses on smartphones exploiting the Windows Pocket PC and the BlackBerry OS. So you know, Windows is the biggest target but really, anything that’s running software is a target.
Kilduff: No one is safe. You must be ever vigilant.
Sarrell: Ever vigilant.
Kilduff: Thank you, Matt. Thanks for joining us. You’ve been listening to an AllBusiness podcast with Matt Sarrell, founder of Sarrell Group, an information technology consulting company. Matt’s also an AllBusiness technology blogger and a contributing editor at PC Magazine. Send your feedback on this show and suggestions for topics and guests to podcasts@allbusiness.com. I’m Paul Kilduff, thanks for listening.


