Networking

Tips for small businesses who don't want to skip security

The majority of small businesses don't have the resources for a dedicated technology specialist, so barring a close friend or family member who happens to be a geek, there are a lot of businesses that don't know what to do to make their operations secure.  Fortunately, there are a few simple ways to make sure that your business is as secure as possible.  I will cover a number of topics in this post, including security relating to routers, wireless, anti-virus, and malware.

Routers

The term router may sound intimidating, but in reality routers are fairly easy and simple to deal with, particularly for a small business.  The biggest thing that a router will do is abstract, or separate, your internal network from the rest of the internet.  This helps to keep attackers from getting to the computers that are on your internal network as the routers you would use for a small business also act as firewalls.  There are a lot of different routers available including offerings from Linksys (owned by Cisco), D-Link, and NetGear, with Linksys being the market leader.

Routers come in a lot of different configurations, but the easiest situation is if you can buy a router with enough hardwired ports (Ethernet ports) to cover all of the computers on your internal network.  You connect all of your computers to the router, replacing the hub that your computers were connected to previously.  Then, you connect the router to your internet connection (cable modem and DSL are the most common these days), and follow the instructions for your particular hardware.  It is likely that you could have the router installed and working in a half hour or less, particularly if you have any technical savvy whatsoever.

Keep in mind that if you have DSL or cable modem, your modem may act as a firewall already.  Call your provider to find out if this is the case.

Wireless

Wireless security is one of the most common areas of security issues in small businesses.  It is so easy to get a wireless access point up and running that many businesses have them and don't even know it.  There are lots of workers who will just bring an access point in to work in order to give them the ability to use their laptops throughout the office.  The unfortunate part is that there are a lot of security issues to consider before deploying wireless in your network.

There are a few things you want to make sure to do with your wireless access point.  The first is to make sure that the access point is not broadcasting its SSID, the name the access point advertises for people to connect.  Change the SSID to something other than the default (Linksys on their access points) and turn off SSID broadcasting.  This will force any would-be attackers to guess what the SSID is when they try to connect.  Also, make sure to enable some form of encryption while realizing that WAP security is nearly trivial to break.  The manual for your access point should be able to lead you through those procedures.

Anti-virus

The single biggest threat to your small business network is viruses.  All of your computers should have some kind of anti-virus software installed.  I personally prefer Norton and McAfee, but have also used the free version of AVG Antivirus and have been satisfied with it in situations where clients could not afford or did not want to spend the money on anti-virus software.  The key is to have something in place to protect your computers from virus infections.

Malware

Another major threat is malware, a generic term for software that does something to your computer that is malicious in some way.  Spyware is software that collects and sends personal information to a third party.  It could collect web history information that is used to target advertisements or it could be keylogger software that reports all of your keystrokes to send to someone, which can be particularly dangerous as this is an easy way to get a password or account number.  Adware is software that delivers advertisements to your computer, especially with pop-ups.

Whatever the threat, it is important to have something in place to combat the problem.  There are two products that I like for combating malware: Spybot and Ad-Aware.  I personally run both programs, one at a time, every so often in order to make sure that my computers have not been infected.

What do you do for security in your small business' network?

9 comments
Neon Samurai

Routers

The DSL modem is where I've been stung once and done some learning. The local line owner provides DSL highspeed along with their own client side router/modem. Updating the firmware trashed the modem configuration and dropped it back to default modem/router so it took the external IP and gave the internal network a 192.168.* IP. This does not work well when you have an internal router supporting a webserver while protecting the rest of the internal nodes. With the useless customer support phone jockey, I instead found the solution by internet search and started the ritual and prayers in the order that worked for others. I swear, one of the steps requires sacrificing a goat before that crap modem flips back into a blind pass-through bridge so the internal router can take the external IP.

I'm finding Linksys + ddWRT a great combination for providing more than factory default functions at less than enterprise commodity prices. The ability to configure the "easy setup" physical button as a Wifi radio toggle instead is fantastic; no guests in the office needing a wifi connection, great, turn it off easily. But that leads into your next point...

Wireless

"Yes, we can activate the wireless radio for when I'm here working (two wifi nodes) or when you're using the mobile (owner's monster of a personal/business notebook). We're going to disable administration through wireless and from wired outside of the network though. We're going to use MAC filtering to reduce the noise the router listens to. We're going to set a good strong WPA2 key different from the router admin key; both will change regularly based on how long it takes to crack them. Lastly, here are all the visible and hidden Wifi in the area; that one is open, that one is open, that one would take an hour to make 'open', that one is solid and here is yours also nice and solid." That was a fun meeting and setup. His router at home suddenly became more secure also after it.

This is an area of interest though so I have questions your article did not present answers to. Change the SSID is an obvious one. Routers should ship with an empty SSID and ask "what name should your wireless connection use (min 5 char), what passphrase will it be using (min 8 char)." Here's the question though. What is the advantage in not broadcasting SSID besides giving a false sense of security to the AP owner?

- SSID are as easily discovered regardless of if it's broadcast or not. Casual users are going to see the SSID and, knowing it's not their own, give up when it asks for a passphrase. Anyone who is going to do more than read it out of the "available networks" list is not even going to notice that it's not broadcast.
- Clients connecting to an AP with a broadcast SSID know it's supposed to broadcast so they listen for it rather than ask if it's available. Clients connecting to an AP not broadcasting its SSID know it is "hidden" so they follow the protocol and constantly call out for it; "Are you there? are you there now? Now? How about now?". Instead of the client node listening for the AP to come in range, it travels around town announcing "hey, I connect to a network named 'blah' which may or may not be in range but know you have a fish so go get your sonar and start looking."
- The extra pulse of power the AP uses to broadcast the SSID (if any) is not going to be noticeable enough to affect office expenses. It's a business so the big sign out front is a bit of a give-away; they know you're there and they can detect the wireless usually getting the SSID in the same frame.

Is there a real security or operational advantage to not broadcasting the SSID?

AV software

Malware, Viruses and other things malicious developers should have their fingers broken and eyes gouged for allowing on public networks.

Your promotion of Norton and McAfee is a little suspect since a small business is probably not buying the enterprise versions (I hear they are actually well developed but I can't confirm personally). AV is a must if you're using any win32/win64 platforms though. I even included on other platforms just to spot anything which may get transferred to a Windows machine. AV, Firewall, Malware active and manual scanners are all requirements of a modern OS. Most OS include a firewall of some sort though some need a third party product to do it right. All platforms have rootkits so Malware scanners are required and every platform needs to help Windows protect itself from malicious code.

Malware

Why distinguish. Malware is simply the next evolution of the Virus and Trojan classifications of the previous technological generation. If someone runs any code on my system beyond asking if the port is open; it's malware which I will hunt down. If I could hunt down the developer and the shmuck that used it against my machine without authorization; I would with the technological equivalent of "extreme prejudice". Anyhow, I'm curious to hear about SSID broadcast as the evidence I've found so far shows it to be a myth of safer security by obscurity rather than a true security mechanism.
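
Added example (not part of the original post or of any comment): the hidden-SSID behaviour argued about in the comment above, shown on constructed 802.11 management frames. The MAC addresses are sample values and the SSID "bobsbusiness" is borrowed from a later comment; the frames are built in the code, not captured.

```python
# 802.11 management subtypes -> (name, bytes of fixed fields before the tags)
SUBTYPES = {4: ("probe-request", 0), 5: ("probe-response", 12), 8: ("beacon", 12)}
BROADCAST = b"\xff" * 6

def ssid_of(frame: bytes):
    """Return (frame kind, SSID) for a management frame; SSID is None if hidden."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, frame[0] >> 4
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe frame")
    kind, fixed = SUBTYPES[subtype]
    pos = 24 + fixed
    while pos + 2 <= len(frame):               # walk the tag/length/value elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated element")
        if tag == 0:                           # element ID 0 carries the SSID
            hidden = length == 0 or not any(value)   # empty or all-NUL = "hidden"
            return kind, None if hidden else value.decode("utf-8", "replace")
        pos += 2 + length
    return kind, None

def build(subtype: int, dst: bytes, src: bytes, bssid: bytes, ssid: bytes) -> bytes:
    """Construct a minimal management frame (sample data, not a capture)."""
    header = bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + bytes(SUBTYPES[subtype][1]) + bytes([0, len(ssid)]) + ssid

def revealed_names(frames):
    """Map each SSID seen in the frames to the kinds of frame that carried it."""
    seen = {}
    for frame in frames:
        kind, ssid = ssid_of(frame)
        if ssid is not None:
            seen.setdefault(ssid, set()).add(kind)
    return seen

# Constructed sample: an AP with SSID broadcast off and one configured laptop.
AP, LAPTOP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
SAMPLE = [
    build(8, BROADCAST, AP, AP, b""),                         # beacon, name blanked
    build(4, BROADCAST, LAPTOP, BROADCAST, b"bobsbusiness"),  # laptop calling out
    build(5, LAPTOP, AP, AP, b"bobsbusiness"),                # AP answering it
]

if __name__ == "__main__":
    for frame in SAMPLE:
        print(ssid_of(frame))
    print(revealed_names(SAMPLE))
```

The beacon carries no name, but the laptop's probe request and the access point's reply both do, which is why turning broadcast off does not keep the name private once a configured client is in use.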

Andy J. Moon

I have mentioned a number of things you can easily do to increase security on your network. What have you implemented?

metalmonkey

I'd also think that since your connection is made with an unnamed router, your users can't tell if they really are on your network or somebody else's unnamed network.

Ron_007

I re-read the article, and you missed the most obvious tip. Change the default userid and password! Now maybe you are relying on the manufacturer to include this tip in their setup manual, but I think it is important enough to make the point separately. Most people are not aware that the default userid and password is easily available for common brands on the internet. So while you are in the router, turning on the encryption WPA2/WPA, first change the userid and password.

WEP, true it is trivial to hack, for a hacker. But it is better than nothing, for keeping "script kiddies" out, at least until the company takes the mandatory step and splurges $50 on a newer router. Don't forget, TJX started with a couple of guys sitting in the parking lot hacking WEP (that apparently was in the process of being updated, too bad it was too little too late).

Wireless. First question to ask, for a small business, is do you really need to have wireless access in your business. If you can get by without it, then the most secure option is to simply turn it off.

Why turn off SSID? True, even if it is turned off, it is another thing that can be discovered with the right software. Once again, turning off SSID will help keep the script kiddies out.

Another obvious tip is to lock up your data. If your small business is big enough to have a server, it should be secured in a locked room. eg do not sit it under the receptionist's desk, or under the cash register, where any fool can walk off with it.

How about turning on auto update to pick up all windoze patches, since they don't have time or expertise to test them before rolling them out. Same for the anti-malware software they are running, update the signatures automatically. And don't forget that they should keep their software versions up to date. Running IE 4 on Windoze 98 is just begging to be owned.

brutusandsven

Yes buy a router, A MANAGED ROUTER

Plug your machines into a SWITCH

WEP is easily broken not WAP

Leave the friggin SSID on, like someone else said at least your users will see it. If I can receive your signal it doesn't matter if SSID is on or off.

The free version of AVG is strictly for HOME USE NOT BUSINESS, oh by the way have you tried V8?

Spybot and Adaware were the original malware detectors, but they have been vastly surpassed by other products, even the one mentioned for antivirus.

It just bothers me we so called professionals re-iterated outdated, wrong and poor information. The total cost for a small business to have adequate security for 1 to 12 machines should be less than $500 for hardware investment, and $50 to $1500 a year for subscription.

metalmonkey

I'm sorry but I think you might have made a mistake, from what I understood, WEP is trivial to break but WPA is still the best choice on the encryption side (especially WPA2). (sorry, mixed up WAP and WPA)

Neon Samurai

.. client side is a good point also though. It's the little things like simply disallowing all ad-hoc wifi through Windows policy. Once the client node connects, the notice or connection icon should indicate the SSID though. As a connected client node, it knows the SSID. One could potentially use a secondary router with same SSID and other AP details trying to get valid clients to join the spoofed AP rather than the valid AP. It's less easy than it sounds but justifies wifi enabled IDS and some cool lucient hardware (think that's the ones who make the wifi hunters anyhow).

Neon Samurai

If SSID broadcast is enabled then the clients configure themselves to listen for it. If SSID broadcast is turned off then each of your wireless clients walks around the city calling out for the router. Even the fearsome script kiddies have the basic tools to spot an unbroadcasted SSID. As a result, not broadcasting your SSID increases rather than providing any security benefits. One could always use a random string of characters rather than "bobsbusiness". WEP is that critical an issue. If there is hardware that only supports WEP forcing the router to be left unsecured with it then the company needs to decide how important that bit of hardware on wireless is. Popping WEP is a five minute job, faster for those more capable than a kiddie. If it is the router that only supports WEP then it needs to be replaced as a business expense or the wireless turned off. Physically securing the server is definitely high on the list of things to do like you mention. Changing default names and passwords along with selecting strong different passwords is also top of the list for a router config. Automatic updates can go either way. One school of thought is to not let Redmond choose what updates go onto business machines where the other one is that the updates come from MS so if they are broken, you're screwed anyway. I wouldn't automate my home machine updates but I do manual checks regularly too. For a small business, basis windows software update server is a free app and will easily manage your network updates from a central place.

Neon Samurai

It depends on how noisy the wireless network is but with one AP and one client node, WEP can be popped in less than five minutes. If the network is nice and active, you may not need the active step of forcing the under five minute method; sit passively and quietly waiting an hour and you're in. It is persistence and patience that inevitably opens networks or keeps levels of security high. WPA can also be popped but it is still multiples harder than WEP. Given the amount of effort it can take, WPA2 is generally considered the minimum safe standard. Use of random keys rather than passphrase (WPA-PSK) is even better. I think it's about time I threw the spare router into a wall socket with SSID = "hackthissucker" (well, something similar to that but more obvious of course ;) ) just to see who in my area wants to play. If I fully trusted virtual LAN separations, I'd even attach the secondary router to an outside connection and see what people are foolish enough to move over an unknown network. My primary router may start getting random 8 char SSID (mostly for fun) and the maxed out random passkey is going to take longer than my change interval to pop.