The Internet is full of diverse, interesting, educational, and valuable resources, providing access to a wide array of experiences and knowledge, just like the physical world. Also just like the physical world, the Internet has a darker side that waits to teach you valuable lessons. Lessons about trust, control and safety. Just like in the real world, these lessons tend to be both painful and expensive.
There are steps that can be taken to lessen the risks one faces while surfing the web. Many are common sense thoughts and rules, others involve planning and technologies. This article will explore some of these thoughts, rules, plans and technologies, and make some recommendations based on lessons distilled from experience gathered over the past 25 years.
I will comment briefly on three main subject areas:
- Hardware Devices
- Typical Software
- Security Software
The debate about PC versus Mac is one for the marketeers to battle out, and I have my personal opinion. It is just that, a PERSONAL opinion, and valuable to me only because it is directly applicable to me. I find that my choice of hardware is based on 3 key factors. I like my hardware to be affordable (my wife says I’m cheap), available, and easily configurable. I avoid proprietary components that require specialized software or drivers. I prefer the PC, your mileage may vary.
Without question, the one piece of hardware that no Internet connected home should be without is a Firewall. A firewall is used to separate your network from the rest of the untrustworthy Internet. It will sit between your computer and the ISP provided modem, filtering the bulk of the unwanted traffic from reaching your PC.
Believe it or not, there are many people that prey upon new users of the Internet. They set up programs to search for unprotected computers and once found, to probe them for their weaknesses, allowing them to install software to take over the PC, steal information, and use the PC to probe and take over other PCs. Personally, I detest these scumbags, so I advise all of my family, friends and acquaintances to get a hardware firewall installed and setup.
Follow the manufacturer’s directions, login to the firewall before connecting it to the Internet, and change the passwords and settings for managing the device.
Another useful tool to invest in is a Router. A firewall is used to separate networks. A router is used to join networks together. So why would you want to join networks if you just spent a couple of hundred dollars to separate them? The router is used to join YOUR computers into a network and the firewall will keep that network separated from the less trusted Internet. That way you have better control of the network of computers that you own, and can control access to the richness of the Internet.
Same as with the firewall; do not forget to follow the manufacturer’s directions, login to the router before connecting it to the Internet, and change the passwords and settings for managing the device.
Many routers now offer both wired and wireless connectivity. This useful ability to connect to the Internet from anywhere, including your neighbors’ apartment, can be a real blessing. Of course, YOU are responsible for the files that are downloaded, servers that are put up, and data that is served over your wireless connection. If someone in your neighborhood decided to use your unprotected wireless connection to serve child porn to others, attack and gain access to other computers, or steal your information as it crosses the wireless network, you are the one most likely to go to court!
Again, secure the wireless connection well before connecting the device to the Internet. Change the SSID, select the WPA2 or better protection level, set up connection strings and passwords, and turn on MAC address filtering if it is available. These are advanced security features, so read more about them.
The choice of operating system (O/S) is another personal choice that you will have to make based on your own preferences and what you intend to use the computer for. Again, I prefer to have programs readily available, easy to use, and well supported. My personal choice is the Microsoft family of O/S for typical daily use, but as the lower cost (meaning FREE) linux based O/Ss have gained Windows’ ease of use characteristics, I have begun accepting and adopting them. I use linux in my lab, and for special purpose systems, like Intrusion Detection, Network Control and Management, or proxy stations that are not currently required in a typical home-based network. Choose whatever O/S you are most comfortable with.
Patch Management – It’s an inescapable chore. It won’t matter what O/S you have chosen, patches will become available, and you MUST download and install them as often and as quickly as possible once announced. Patches fix broken or vulnerable parts of the operating system. Often, small coding mistakes or unforeseen interactions can make an O/S or component vulnerable to exploitation. These programming gaffs are what hackers look for and exploit, in order to take over your PC or steal your confidential information. Bottom line, expect to patch, and patch often.
Rights Management – Don’t use an administrator account for everyday use. Simple as that. Setup a user account with reduced rights, and use it. This will stop a very large portion of malware and exploitation from taking place. The operating system vendor that you bought the O/S from went to a lot of trouble, and added cost to the final price, to provide you the ability to setup separate accounts for managing and for using the computer. You paid for this feature. USE IT!
Password Management – This is the same concept that you are asked to perform at work to protect your network login and company data. Pick a password that you won’t forget, won’t need to write down, and will not share with others. This is often a frustrating and challenging chore. It need not be. Think about this: If you choose one word to protect your information, I can eventually guess that word by trying every word in the dictionary. If you use the same word to protect your website identities, I don’t need to try to guess your password, just capture it.
Four simple password rules:
- Use a phrase, passage, book title, or other multi-word string that you will easily remember.
- Use punctuation, spaces, and/or symbols (& or ! are great).
- Substitute a letter for a number. (Obvious – 2 instead of to, 3 instead of E, 4 instead of for, etc.)
- Don’t use the same password for your PC or bank site elsewhere on the Internet!
I have 4 major password “groups”.
1) I use a complex passphrase, like “Mary had a 111113 lamb.” At work.
2) At home, my PC is protected by a slightly less complex password made up of numbers and the first letters of the words in a common phrase “To be or not to be” – 2bon2b.
3) On the general websites that hold no personal information, I will use a very simple password, like “Skippy!” or “sticky-fingers”
4) On webmail or websites that I want to be secure, like Facebook or LinkedIn, I use a more complex passphrase, similar but not the same as the one at work, and not the same for all secure sites. The guys that run websites are all honest chaps I’m sure, but I don’t give my little brother access to that which could destroy me. “Einy, Meiny, Miney, Moe”
Use this or a similar strategy to manage your passwords.
Software products are tools for getting a specific job done. For instance, this article was written using Microsoft Word, part of the Microsoft Office 2007 Suite of software. Software that you install in order to use your computer will need to be the most current version available and also patched as soon as patches are released. If you don’t upgrade your software and apply the required security patches, you are taking additional and significant risks.
The Browser that you choose to use is another personal choice. Do not fall victim to the argument that because it is relatively new, FireFox, Chrome, or “browser-of-the-day” is more secure than any other browser. As soon as a browser is well known or popular, it will become the target of vulnerability and exploit developers. Pick one and learn about its security features, then apply what you have learned.
There are some tools that you just should not be without. One of those tools is Anti-Virus software (A/V). You will hear arguments as to whether or not we need Anti-Virus software, or whether it does the job or not. The theoretical arguments against A/V do not stand up to the harsh realities found on the Internet. There is so much malicious software (malware) on the Internet today, that if you don’t protect against it, you will suffer the consequences. In this regard, look for an A/V vendor that updates the signature files often, and makes use of advanced detection methods, like heuristics and behavioral detection. Signature only based scanning is insufficient for protection against modern malware.
Threatfire is an add-on for A/V software, and is provided for free from pcTools. (http://www.pctools.com/) Threatfire can add behavioral protection to your standard A/V software, and increase your protection. It does use up additional memory and CPU resources, and can slow your system down, and add several pop-ups (which can become annoying) requesting access to the Internet for each application that tries to access it, though. (http://www.threatfire.com/)
PCTools also provides many of the other security tools that I am going to outline here, including a Personal Firewall, however the choice of these tools is left to you, the reader. Research your tools and choose one that is highly recommended by industry leading magazines and websites that do not rely solely on advertising as a revenue stream, or have a reputation for fair and unbiased reviews. PCMagazine, Network World and e-Week are good choices, and often have similar reviews, making the top 3 or 4 performing products clear winners.
So, if you have a hardware firewall in place, why would you need another one on your computer? Remember, the purpose of the hardware firewall was to separate the un-trusted Internet from the more trusted local area network that connects your computers together. Parts of the Internet will still be able to connect to and from your computers in order to bring to you the information and experience that you have requested. A personal firewall will inspect and filter these connections, ensuring that they really were requested by you, behave in an expected and acceptable manner, and don’t do detectably odd things. They are not fool-proof, but they are a necessary tool.
Consider using Sandbox software, especially for browsing. Sandbox software, like Sandboxie (http://www.sandboxie.com/) is a great (FREE) tool for protecting your system from THE single most likely vector into your computer, the World Wide Web. Every website that you visit will try to read or write something to or from your computer, whether it is a legitimate cookie to improve your experience, or a malicious file to exploit some vulnerability. By setting up a “sandbox” or temporary environment for each web surfing session that can be destroyed without leaving any traces when done, you can protect your system from exploitation.
The use of Content Filtering software is commonplace in the business world today. Products like SurfControl, WebSense and the like keep an active database of known malicious sites, compromised sites, and categorize undesirable sites by the content that they offer. There is at least one good and reliable product on the market for the home user, and it is completely free at the time of this article! Blue Coat, (http://www.bluecoat.com/) a recognized leader in network management tools, has made their K9 product available free of charge for home use. (http://www.bluecoat.com/products/k9web) I use it and highly recommend it.
Another interesting tool in the content filtering and protection space is Trusteer Rapport. (http://www.trusteer.com/solution) One of the most immediate threats that an Internet user will face is called “Phishing”. This is where you get an email that appears to come from your bank, stating that you need to click the provided link and login to your bank account. The link takes you to what LOOKS like your bank’s website, but really is just a copy, and when you type in your login information, a criminal harvests it to steal directly from you. You may not even be aware that you have been ripped off until you notice strange transactions, or your account is completely drained. A 2009 test of anti-virus vendors and anti-phishing filters revealed that more than half of active malware and phishing threats on the Internet go undetected, with an average detection rate of under 42%. Most banks these days are offering their customers specialized services in order to secure their online banking sessions and transactions. Rapport is a product that does just that, and is available from several banks for free.
Backup (B/U) Software. It is one of the most painful realities that a computer user will ever experience. Imagine, your computer has been setup, working like a champ for 6 or 7 months. Your wife got you those 2 terabyte hard drives for Father’s Day, and you have been filling them with all of your valuable research, pictures of the kids, that manuscript that you were working on, and your work that is due for review tomorrow. Everything is wonderful. You grab your Sunday morning coffee and decide to sneak into your home-office to catch up on whatever interests you at the moment. “Operating System Not Found. Boot Failure.”
Uh-oh. It has just happened to you. Your new hard drive has just failed. What do you do now? If you were clever, you would have installed AND USED backup software to prevent data loss. There is no free lunch when it comes to B/U software. Sure, Vista ships with a much improved B/U and restore capability, but it still will require a ton of DVD disks or other media to store your backups and restore from. I have found the old axiom to be true, that data will expand to fill up all available space. I don’t know how many times I have bought additional hard drives with the intention of backing up my system, only to find that when I need to restore, I have used that storage device for additional storage of live data. Buy a backup storage device, and backup whatever data is critical to you. Also, make a backup of the hard drive that your operating system and applications are running on. This will help big tiem when you finally see that dreaded Boot Failure message. And you will see it.
Behavior – Finally, avoid places that are risky. If you simply must have the latest game, buy it at Best Buy, don’t steal it using Peer-To-Peer software. People make things available for “free” for several reasons. To increase the market for their “for sale” products and services, to gain your trust, or to take advantage of your naiveté and trust. Stay out of back alleys and shady porn sites, they are usually riddled with malware, and the owners would just love to get your credit card details. Don’t believe everything that you read on the web or in your email. Try to be at least as skeptical and suspicious on the Internet as you are in the physical world.
Conclusion – Taken together, and used wisely at home, these components and actions should provide the average user with a safer and more pleasant Internet connected experience. Following the advice here, and implementing these precautions won’t guarantee that you will never become malware infected or stop your system from becoming compromised, but at least you will be better prepared to recognize the scams, fight off the attacks, and identify the symptoms of security control failure.
Mark Brunner – CISSP