Get Healthy Plan for Small Business

Greg Playle’s article “The Seven Week Get Healthy Plan for Small Business” in this month’s ISSA Journal (ISSA Membership Required) outlines 7 security steps for small businesses to consider.
One of my friends recently received a telephone call from his doctor asking if he had an appointment. An upgrade of the appointment system had gone south and they were reconstructing the appointment book by calling all patients and asking them if they had an appointment. Whoever is handling the IT duties at these small businesses apparently doesn’t know to take a backup before starting an upgrade.
I’ve wondered many times just what the Mortgage guy or my Dentist is doing to protect my personal information. I feel like I don’t know them well enough to give them this article, but at the same time, as a customer, don’t I have the right to be proactive in making sure my data is protected?
There are a couple of errors in the article. The first I hope was an editor’s mistake. While describing how to gather the physical (MAC) address to use to whitelist what servers are allowed on the wireless network, the example given is an IP address.
The bigger problem is that the author has apparently not read George Ou’s Wireless Security Myths that Will Not Die. If the author had read that he would not be making some of the wireless security recommendations that he makes.
Do not broadcast the Service Set IDentifier (SSID). Kismet will reveal hidden SSIDs. Not broadcasting it doesn’t gain you much except against the casual browser. The casual browser is already stopped by your use of WPA2.
Worse yet, your client computers will now have to probe for that network everywhere you go.
See also Josh Wright’s article Issues with SSID Cloaking.
PCI DSS 1.2 no longer requires the disabling of SSID broadcast. The message is starting to get out.
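To make the probing point concrete, here is an added example (not from the article or from this post) that builds constructed 802.11 management frames and parses them the way a passive listener would: the cloaked access point’s beacon carries an empty SSID element, but a client configured for that hidden network announces the name in every directed probe request it sends. The MAC addresses and the network name “ClinicWiFi” are made up for the example.

```python
import struct

# IEEE 802.11 management-frame layout (type 0); subtype is bits 4-7 of Frame Control
SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 4, 8
MGMT_HEADER_LEN = 24      # frame control, duration, addr1, addr2, addr3, seq ctrl
BEACON_FIXED_LEN = 12     # timestamp(8) + beacon interval(2) + capability(2)

def mgmt_frame(subtype, src, dst, body):
    # Minimal management frame: FC (little-endian), duration 0, DA, SA, BSSID, seq 0
    return struct.pack("<H", subtype << 4) + b"\x00\x00" + dst + src + dst + b"\x00\x00" + body

def ssid_ie(ssid):
    # Tagged parameter: tag 0 = SSID, then length, then value
    return bytes([0, len(ssid)]) + ssid

def parse_ies(data):
    # Walk tag/length/value elements; stop cleanly on a truncated element
    ies = {}
    while len(data) >= 2 and len(data) >= 2 + data[1]:
        ies[data[0]] = data[2:2 + data[1]]
        data = data[2 + data[1]:]
    return ies

def extract_ssid(frame):
    # Returns (subtype, ssid); ssid is None for a zero-length (cloaked or wildcard) SSID
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0:
        return None, None                       # not a management frame
    subtype = (fc >> 4) & 0xF
    body = frame[MGMT_HEADER_LEN:]
    if subtype == SUBTYPE_BEACON:
        body = body[BEACON_FIXED_LEN:]          # skip beacon fixed parameters
    ssid = parse_ies(body).get(0)
    return subtype, (ssid.decode("utf-8", "replace") if ssid else None)

def leaked_ssids(frames):
    # Network names that clients announce in directed probe requests
    return sorted({s for st, s in map(extract_ssid, frames) if st == SUBTYPE_PROBE_REQ and s})

# Constructed sample capture: locally administered MACs and a made-up network name
AP, CLIENT, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
RATES_IE = bytes([1, 1, 0x82])                   # supported rates: 1 Mbps (basic)
# Beacon from the cloaked AP: SSID element present but empty
BEACON = mgmt_frame(SUBTYPE_BEACON, AP, BCAST, b"\x00" * BEACON_FIXED_LEN + ssid_ie(b"") + RATES_IE)
# Wildcard probe from a client scanning normally, and a directed probe from a
# client configured for the hidden network (what cloaking forces it to send)
WILDCARD_PROBE = mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, BCAST, ssid_ie(b"") + RATES_IE)
DIRECTED_PROBE = mgmt_frame(SUBTYPE_PROBE_REQ, CLIENT, BCAST, ssid_ie(b"ClinicWiFi") + RATES_IE)
```

Running `leaked_ssids([BEACON, WILDCARD_PROBE, DIRECTED_PROBE])` returns `['ClinicWiFi']`: the beacon hides nothing that the client does not immediately give away, wherever that client happens to be.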
Turn on Wireless Security to at least 128 bit WEP
You’re only buying time by using 128-bit WEP over 64-bit. As the retailers have learned, NEVER USE WEP if you have something to protect. Since this article assumes you need to protect the small business, I think the recommendation needs to be a bit stronger. I think even WPA-PSK is suspect for a work environment.
It seems like some of the things suggested are belt-and-suspenders solutions. Others are more like belt and Hawaiian shirt. The belt is doing the work, the shirt is just there for looks. If you have WPA2 do you really need DHCP reservations and MAC address filtering? If they break your encryption are those things really going to help? Probably not.
The article overall is good. The experience of finding wide open wireless at a small business is far too common. This article will help.