Many small business owners treat their business computers like their home computers; they run minimal security and engage in unsafe computing practices. This isn’t my opinion, mind you, it is based on my years of field experience servicing small business clients. My most recent call to one such client was to restore a PC that had become infected by malware. It was my first visit to their office and during the course of that visit, I got familiar with how lax they were in setting things up.

The office runs on a Windows 2003 domain controller. Four PCs running Windows XP Service Pack 2 are domain members and all business data is stored on the server. They’re backing up daily to tape. That’s about as far as it goes before getting ugly. Suffice it to say that even a mediocre attempt to compromise their network would probably be successful. This got me to thinking about what level of security comprises a baseline for small business networks. Here’s what I came up with, see if you agree:

• Physical access to servers, backup, and network equipment is restricted and controlled.
• Backup power sufficient to allow for graceful shutdown of servers is in place.
• The local network is isolated from the Internet by a hardware UTM device, firewall, or NAT router.
• If wireless access is in use, security is applied, preferably WPA or WPA2 with AES encryption.
• File servers are protected by appropriate anti-malware applications.
• Mail servers are protected by anti-spam software or this is implemented at the gateway.
• Password policy requires strong passwords, frequent changes, and is enforced.
• Desktops use screen savers and they are password protected.
• Unless they are required to be left on for security scanning or backup purposes, desktops are powered down at night.
• Desktops have appropriate anti-malware applications installed.
• Company policy regarding appropriate use of the Internet is in place and enforced.
• Data is backed up and media is stored securely off-site.
• Encryption is implemented and in use for the storage of sensitive information.
• Procedure is in place for denying access to personnel upon termination of employment.

Regardless of whether you are using your own laptop or a kiosk PC, there are certain precautions you can take to make your public computing session safer. Here is my top five:

• NEVER use an unencrypted wireless access point or public kiosk PC to log onto any banking, bill payment or credit card sites nor any site where you will be required to enter any sensitive personal information such as credit card numbers or bank account numbers. This applies to online shopping as well.
• If using your own device, make certain you have the latest security updates for your OS and the latest version of your preferred browser. Block all pop-ups with a program like NoScript and store passwords only in a secure password manager like LastPass, never in the browser.
• Do not, under any circumstances allow a public PC to save your logon information. Further, clear all history and temporary Internet files when you are finished browsing. If your browser allows private browsing (most do), use that feature.
• Always LOG OFF of any site, such as social networking sites or webmail before closing the browser to insure the next person to use the machine cannot open your session. You may have noticed that you can close a tab or your browser and often your session doesn’t close. Try that with Facebook and you’ll see it in action.
• Finally, be aware of your surroundings. Is someone standing behind you or watching you from the next table? Shoulder surfers can steal your login information. Believe me, it happens. Especially be wary if you see anyone with binoculars.

I love it when people “get” security and do it right from the start. What a pleasant surprise.

So, I have to plug LilyPad. Here’s info from their site:

Lily Pad is a 100% volunteer initiative, led by Give Back Cincinnati and supported by key business partners, government leaders and academic representatives. Project Lily Pad is one of many city-wide projects to create an environment that attracts mobile “creatives” to the Greater Cincinnati area. Project Lily Pad will foster a vibrant community and enhance the quality of life in the region, while allowing access to data anytime, anywhere.

Project Lily Pad is part of an effort to improve our ability to attract the creative class and raise national awareness that the Greater Cincinnati area is a tech-savvy region. Attracting and creating people to the region is critical, as it will promote economic growth, facilitate research efforts at our regional universities and businesses, and improve educational opportunities to under-represented communities.

Very cool, and something I’m going to look into further.

According to the article, experts in the UK don’t see such a ruling as affecting them anytime soon.

Asked whether a law such as this could ever transfer to the UK, Stuart Okin, managing director of Comsec Consulting, said: “I don’t ever see that coming over here as I don’t see how it could be policed in the UK.

“In Germany there is a different culture, and when rules come into play they are obeyed without question. In the UK I am not saying that no one will do it, but it is not advisable and realistic to work.”

That may very well be, but I call it a wrong target. The real culprit is the illegal downloader whose intent is clearly to hide his actions by stealing someone’s network identity – a crime in itself. Any time you assign illegal activity the wrong source, you end up with a legal quagmire that is certain to take years to sort out in the courts.

Moreover, I don’t think you can force an individual (not in this country at least) to learn a technology in order to use it. After all, one doesn’t have to learn the technology of the internal combustion engine in order to mow the lawn, one just has to know how to start the engine. Furthermore, we assume that the manufacturer has taken the necessary steps to make the device function properly and safely and if it doesn’t, the manufacturer is liable in most cases.

SANS News Bites Editor Stephen Northcutt extends this idea to the access point, “We all need to keep our eyes open, because if the access point itself has vulnerabilities that lead to filesharing then who is to blame. …if you meet the letter of the law, and “protect” your network and someone computes the WPA key and downloads files over your network, who gets sued and why?”

I won’t say it can’t happen here; that would be naive beyond belief. I will say that it’s a very bad idea to try force people into securing their access points. It would be much more workable if the manufacturers opted to make their equipment secure by default.

What do you think?

1. Don’t rely on SSID hiding. I’ve seen numerous articles that tout SSID hiding as a security measure. While this technique may serve to hide your network from casual view, there’s nothing secure about it: the SSID is transmitted in clear text in every packet and is easily sniffed by wireless packet sniffers. For example, Network Stumbler will identify the SSIDs of any network within range, regardless of whether or not the wireless access points are broadcasting.

2. WEP is broken. Using 40,000 to 100,000 packets, which can be captured in about a minute, you can crack a WEP key in about three seconds on a Pentium M 1.7 GHz PC. Don’t believe me? Check it out: This list even provides video tutorials on how to do it. Sure, it provides a small measure of security and it’s better than nothing, but why use something that’s already been proven inferior? Would you feel more secure knowing the garage where your store that vintage Corvette is protected by a Master lock or one you bought at an everything-for-a-dollar store? Your personal information is much more valuable than that car.

3. Don’t rely solely MAC address filtering . I don’t know why so many people are recommending this. MAC address filtering is equivalent to SSID hiding–it’s virtually useless, except to keep a casual user from inadvertently connecting to your wireless network. Like the SSID, MAC addresses are sent in clear text within the network packets and can easily be discovered and spoofed by anyone sniffing your network. That said, using MAC address filtering in conjunction with other measures can give an additional layer or safety.

So, what’s the right way? WiFi Protected Access, known by its acronym, WPA. There are two versions: WPA2 and WPA2-Enterprise. WPA2 relies on a pre-shared key (PSK), while WPA2-Enterprise requires a special authentication server and is therefore more suited to corporate environments. WPA2 implements 256-bit encryption and as long as you create a strong, unguessable passphrase, it’s completely secure. Configuring WPA2-PSK on a given wireless router depends on the brand, but you can find a general tutorial at this site.

And that, my dear reader, is Golden Rule #13: When it comes to securing a WiFi network, the only way is WPA.

The most dangerous flaw covered by this month’s batch of patches is a remote code execution vulnerability in the way that the JScript scripting engine decodes script in Web pages (MS09-045). A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted Web page and this could result in execution of arbitrary code on the affected system. All versions of Windows—except Windows 7—are vulnerable. Here is the list of bulletins taken from the Microsoft Security Bulletin Summary for September 2009:

MS09-045 Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-049 Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
MS09-047 Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048 Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-046 Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)

It remains to be seen how Windows 7 will fare once it’s released to retail, but so far, it appears to be more secure the previous versions of Windows. According to Wolfgang Kandek, chief technology officer at software security provider Qualys, "There are a number of additional security measures [in Windows 7] that seem to be working so far in its favor."

We can only hope.

Under the WPA/WPA2 standards, a wireless access point or router can use either TKIP (Temporal Key Integrity Protocol) or AES-CCMP (Advanced Encryption Standard, Counter Mode/CBC MAC Protocol). TKIP is an enhancement of WEP that utilizes the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for authentication; CCMP provides much stronger protection because it uses AES (Rinjdael) encryption.

Two German researchers, Martin Beck and Erik Tews, recently found a way to crack TKIP. They use what is called a chopchop attack, which attempts to decrypt packets byte by byte. You can read all about it in their white paper, “Practical attacks against WEP and WPA” so I won’t go into the details here.

While there doesn’t appear to be much an attacker can do at this point, the attack is a harbinger of things to come and now would be a good time to log into your wireless router and see what’s up. I discovered that mine doesn’t support AES-CCMP, only TKIP, so I need to upgrade the firmware. I recommend that everyone do one of the following: 1. Switch your current WPA configuration to AES-CCMP if it’s supported; 2. Upgrade the firmware in your router so it supports WPA2 with AES-CCMP;  3. If neither of those is possible, or, heaven forbid, your router only supports WEP, replace it with one that’s WPA2 compliant and use AES-CCMP.