A Primer on Computer Security
What everyone should know before Connecting to the Internet
By Rich Van Winkle
We have long passed the point where connecting to the Internet poses few risks. According to one of the world’s leading Internet security businesses there is now a 50% chance of being infected by an internet worm after just 12 minutes of being online (for an unprotected Windows based computer). It is much more likely that you will encounter adware, spyware, or other malware before you encounter a virus or worm. And, it is a certainty that some web site will install a “cookie” on your computer without your knowing it. (Most cookies are helpful and benign).
There are now hundreds of products intended to “protect” Internet users from “malware” and there are plenty of opinions about how to best protect yourself. (Including entire books on the subject). With this flood of information and product, it is growing increasingly difficult for users to make good decisions and avoid risks. Indeed, some malware presents itself as anti-malware. The “bad guys” are growing increasingly sophisticated and the simple truth is that even the best efforts to block them may fail.
It is easy to say that the problem may be avoided by not using the internet but this is a silly as saying you can avoid the risk of auto accidents by always staying at home. It is also easy to say that the problem lies with Windows (and the solution is Linux), but the reality is that Windows is what most people use and that Linux is not risk free either. And, for sure, much of one’s risk is directly related to how they “surf”. For some time limiting your surfing and applying good sense offered pretty good security. Not any more.
Now, “hackers” use automatic tools to search the web for “ports” on computers that are not protected. They enter your computer without your knowledge (or approval) and plant their seeds or take your data. Or, they simply make use of your computer to attack some other victim. They create pictures (alluring, tempting, or just interesting) with embedded code that can take control of your computer. By merely clicking on a picture, you may lose your data and your access. More likely however, is that the “worm” will lie in the background and hide – sending your private information out to the Internet. Data destruction is rarely the goal of newer malware, data collection is.
There’s money to be made – legally – by stealing your data or taking control over your computer (forcing you to look at advertising or re-directing you to an unsought web site). The risks will increase; “spyware” and “adware” may be unethical and unpopular, but they work. They are the “junk mail” of the Internet and the new game for the telemarketers. The price you pay for many of the “free” Internet services is the sharing of some data with the host. While this may be legitimate and even necessary, you are inherently trusting that host to keep your data secure. Computer security is not just about email attachments, “infected” disks, or viruses; it is about the full gambit of protection: sharing only what you want to share and seeing only what you want to see.
This “primer” is intended to cover the basics of Internet security and to get you started surfing safely. It cannot be complete as there is no such thing: Internet security is a dynamic subject since the risks keep changing, new flaws are revealed, and the Internet expands. But it is a good start and your attention to these basics will go far in offering you a better and safer Internet experience.
1. Computer security begins with knowledge and concern. If you don’t take the time to learn or if you are careless, you will suffer.
2. Computer security is a balance between access and risks: as you increase access the risks grow.
3. Computer security is every user’s job. Even the best designed, best implemented security system may be negated by an inattentive computer user.
4. Computer security requires an integration of hardware, software, and management. The best security usually comes from a balance of each.
5. Computer security is an on-going effort. You cannot simply put a system in place (no matter how good the system) and leave it alone.
1. Decide what access you need. Don’t provide or permit access that you don’t need. For a business, this might be a list of trusted websites and security software that limits all employee Internet access to those sites.
2. Determine what data you want to protect. Whether it is your personal data, a customer’s data, or “public” data, data is what computers share. Segregate your data by how secure you want it to be, by whether its loss is critical to your business, by whether you have a legal obligation to protect it, or by whatever other criteria matters to you. Know what data is at risk – and how you plan to protect it before you put it on any computer (or computer network).
3. Design a security system that properly compromises between risk and access. This invariably means that there will be different levels of security based upon different users, data access, connectivity, and functionality.
4. Develop a security plan that involves people, policies, and practices. Even a single-user on a home computer should have a plan that includes updates, software, backups, and limitations on access.
Perhaps the most daunting aspect of computer security is the number of things that should be considered. There are simply too many pieces of the puzzle and few users or managers have the time or the desire to analyze them or put them together coherently. Luckily, others have already done so. A comprehensive list (and discussion of the pieces) is way beyond the scope here. So we’ll categorize and summarize some key points.
There are eight basic security considerations:
1. Physical access and loss
2. User access
3. Non-user access
4. Data integrity
5. Data backup and recovery
6. Control and restoration
7. Shared resources
8. Policies and procedures
Physical access and loss: We tend to overlook the traditional security threats – theft, fire, and sabotage. A stolen computer is more catastrophic than any virus you’re likely to encounter. The loss of a few CDs may cause havoc and amount to thousands of dollars down the drain. A disgruntled or dishonest employee may be your greatest security threat. And the world’s best policies and procedures won’t help if the custodian (who knows nothing about them) can open your system to attack at night while he accesses his favorite porn site. Don’t forget that you must control the physical security of your hardware, programs, and data.
User access: First, control who can get to your computer, then control who can log on. Use passwords and implement a proper password policy. Decide what the proper uses for your computers are and implement a policy that states such. Have your employees sign the policy and enforce it. If you deal with secure or legally private data (such as health records), run proper background checks on staff who have access to it (and consider having them bonded). I frequently encounter businesses where employee records are kept on a networked system and the only security is some “honor system” (or staff ignorance). Windows has pretty good intrinsic security options. Use them.
Non-user access: This is the one everyone focuses on because it includes “hackers” and various forms of malware. Non-user access is almost always made possible because someone “left the door open” or invited the bad guy inside. In a few cases, the door was left open by Microsoft. In many cases, the “door” was opened because it needed to be open to permit some legitimate function. In most cases, non-user access is gained because someone invited it. [We’ll come back to this subject a bit later]. Brute force hacks (someone breaking into your computer) are analogous to robberies – they’re almost impossible to prevent. The goal is to hide among all the possible victims and make your system look uninviting.
Data integrity: More data is lost to inadvertent erasure and hardware malfunction than to all viruses combined. It’s just not headline news when “Joe” deletes his system directory or over-writes his overdue project with an empty file. Windows offers a group of services that are intended to help prevent loss of data integrity. Windows is also the greatest culprit in loss of data integrity. The more critical your data (or work product), the more time you need to invest in data integrity security. (The primary difference between the “single user” and “server” versions of Windows is data integrity).
Data backup and recovery: The traditional approach to data security has relied upon data backup and recovery. While still important, the nature of the need and the manner in which backing up is done are quite different. The scheduled copying of key folders to backup folders (so you can roll-back) is a great option. The making and taking (off-site) of full system backups is now easier and faster than ever. The use of encrypted web-based off-site backup services can be a life-saver. You need to give careful thought to data backup and recovery and to make the implementation of your plan a habit.
Control and restoration: This is the hot new category, both because more and more malware takes some control away from you and because restoration of control is a new money-maker for vendors. Loss of control covers the full range from complete takeover by an user or malware to the mere undesired appearance of an advertisement. It’s your computer and no other person or program should take control of it from you. Adware attacks have reached the point where they can consume 99% of the processor time – essentially making a computer a dedicated advertisement server for some malware vendor. Websites can generate code that takes control of your browser and re-directs you to unwanted sites. Email can contain embedded scripts that turn your computer into a “slave” for some other system. Restoring control from such attacks can be difficult and expensive.
Shared resources: A shared resource is anathema to security and yet modern computer systems routinely share devices and data. Computer security requires striking a balance between opening things up enough to permit desired sharing while preventing undesired access. In Windows, this is handled through “permissions” and it is one of the most often neglected areas of security. Good security software provides an easy way of dealing with permissions while allowing flexibility. Windows has gotten better at coordinating and controlling permissions, but there is still much that needs to be done.
Policies and procedures: Any business that has a computer network but doesn’t have a published computer policies and procedures manual is going to pay dearly for the mistake. Sooner or later unnecessary time will be lost, data will be improperly distributed, or functionality will be substantially cut because someone didn’t know simple dos and don’ts. Computers are key assets, your data is your business, and time is money. Invest time now, or pay plenty later. There are plenty of samples around; find one that gets you started and put together a short manual that every employee receives and acknowledges.
Things To Do:
1. You’ve already started with the first: do some studying. The fact that you’re reading this says that you’ve figured this out for yourself – and that you have both recognized the need and invested some time. Pat yourself on the back… and then read on.
2. Use the available resources. Start with your computer vendor. A good supplier should be willing to supply a system that is already configured for basic security (as below). If you’re buying from bargain basement vendors who send you a box, then you’ll need to spend extra time (and money) on security.
3. Don’t be afraid to ask for help.
Security Basics: Don’t surf the Internet until you…
1. Update your operating system: Install the latest updated version (service pack) for Windows. Like it or not, it’s time to get XP. While many dislike activation and being pushed to update, it’s obvious that the “boys in
” are not going to keep older versions of Windows safe because they are too easy to bootleg. Microsoft is going to use security as the leverage to impel use of “genuine Microsoft products” – and it will work. As soon as your Windows is installed, make sure the firewall is on and then get on the web and get it updated. This might take an hour or two and several re-starts. Do not install other software until your Windows is current. Bellevue
2. Configure Windows for higher security: Newer versions of Windows come better configured for security right out of the “box” but make assumptions that are generally incorrect. Configure “automatic updates” to download but not install the updates without approval. From the
(Control Panel), select “manage security settings for: Internet Options” and invoke a default level or custom level of security that suits your needs. Set your privacy level, content ratings, programs, and advanced settings. Then select the firewall settings and see if the exceptions make sense for your situation. (e.g. If you’re not going to share files and printers, un-check “File and Printer Sharing” and turn off “remote Assistance” until you need it…) Windows Security Center
3. Disable unnecessary Windows services: Turn off the Messenger Service unless you’re sure you can’t live without it. For a more complete discussion of which services are necessary and which aren’t, follow this link: “Windows XP Services that can be disabled”. (TechRepublic PDF Download).
4. Install your application software and update it: Doing this before you install security software allows the security programs to recognize and re-configure for your applications.
5. Install and update security software appropriate to your needs: anti-virus, anti-spyware, anti-adware, internet security (firewall), parental control, anti-spam, and process tracking. I know that this may sound like a “plug” for the vendors, but you can get most (or all) of these for free. There is no best product even though there are significant differences between the major brands. Unless you want to tinker with updates, get something that has a “subscription service” so that it will keep itself current. If your product includes a firewall, you may have to re-configure it so that it doesn’t conflict with the Windows firewall or Windows networking. (If you use networked access to the Internet with three or more users, invest in a hardware firewall as well).
6. Configure your security software: The “out-of-the-box” settings may work, but they’ll rarely be just right.
7. Run a full scan of your computer: Use your security software to scan for malware: virus/worm, spyware, and adware.
8. Change the way users log on so that the “Welcome” screen appears and passwords are required. Make sure the “Guest” “Support” and “HelpAssistant” accounts are turned off. Make sure you have at least one administrative account other than the Windows default account and that the Administrator account has a very strong password (mix of at least ten upper and lower case characters, numbers, and symbols).
9. Create a separate Internet account (with limited privileges) for each user. (Avoid accessing the internet when logged in as an administrator!). Accounts can have the same password, but encourage “strong passwords”.
10. Test your security: Several vendors and other organizations offer free security scans. Use at least one (and probably several) to test your computer’s security (and adjust as needed).
11. Make a “Start-up” (bootable) CD with recovery files and programs: This CD should include all the required drivers for your hardware, your primary security programs, the Windows recovery data, and your “documents and settings” folder.
12. Get rid of all the promotional and trial versions of software that you aren’t going to use (using the Windows “Add/Remove” function). Many of these programs have intrinsic spying functions, open ports without permission, and will communicate with their “mothership” without telling you. This is especially true for AOL and other Internet Service Providers. (Such things are commonly installed on new computers when they ship).
13. Install Printers and Peripherals that will be shared then check to see if Windows has new drivers for them (at “Microsoft Update” ).
14. Set the “System Restore Point” (Windows accessories – “System Tools/System Restore” wizard). Reset the restore point after any update or significant system change.
15. Consider installing a router with hardware firewall: If your security needs are more serious than the average home-user’s and you connect to the Internet with cable or DSL, then you should invest in a router/firewall device. While somewhat redundant, a router helps hide individual computer ports from the Internet. A hardware firewall at the Internet connection serves every computer on a Windows network that connects through the router and permits easier sharing within the network without reducing security.
16. Get a browser other than Microsoft Internet Explorer. I like CrazyBrowser and Mozilla/Firefox (freebies).
17. Use a web-based mail server: Leave your email on some off-site server (such as Yahoo.com) until you’re sure you want it on your computer. Then use Thunderbird or Eudora instead of Outlook/Outlook Express as your email client.
18. Make a backup or drive image: Use the Windows backup utility to make a full system backup or use a Cd/DVD Burner to make a “drive image”.
19. Set up a backup process: Schedule backups on a routine basis. Consider using a web-based service for your most commonly accessed data. Make scheduled (hourly) copies of key folders to a separate partition/drive. Take your key data off-site every night on CD or DVD and rotate your backups so that you can fall-back at least a week.
20. Review and revise: Routinely review and revise your computer security plan. Routinely update Windows and your security software. Routinely scan your computer(s) and test your security.
21. Train yourself and your staff: Know what to do when problems happen. Know the symptoms of malware and have a plan to isolate infections. Get to know what services should be running on your systems and use Windows Task manager or other process managers to keep track of rogue applications.
22. Frequently review your installed software list (Control Panel-Add/Remove Software) to see if new programs have been installed without your knowledge.
23. Set up content controls: use your security software to limit content/access – “parental controls” or “approved sites”.
24. Isolate yourself and your important data: Consider having a separate computer (non-networked) just for internet surfing. When you (or staff) want to shop or otherwise browse risky web sites, don’t place your important data at risk. (A used computer and separate modem should cost less than $100. Tie up a phone line and use a free ISP ).
Computer security may seem like a never-ending hassle. So are keys and locks, but you’ve learned to live with them. Admittedly, the “overhead” of Internet access is higher than equipment and set-up costs and few people consider the whole picture when they decide to “get connected”. But then few people are willing to go back once they are connected and enjoy the “World Wide Web”. Happy & safe surfing!
 A computer security consultant with IT Management Services, Inc.
 AVG from Grissoft , Spybot Search and Destroy, Microsoft AntiSpyware (beta), and trial versions. Check out http://www.microsoft.com/athome/security/downloads/default.mspx.
 Since everyone asks, I use Norton Internet Security on my personal machines.
 Symantec.com (http://security.symantec.com), Shields Up (http://www.grc.com/x/ne.dll?rh1dkyd2), and Zone Labs (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp;).
Please let me know if you have comments about or corrections for this web site.
This is a Rich's Writings Articles Page. To return to the Article List, click here.
Email us at: Comments@thehumanfuture.net
Join our email list
Visit our Store
Sign our Guest Book!
This website and its contents are Intellectual Property - ALL RIGHTS RESERVED! 2010 by Rich Van Winkle