Layered Security 2010

Thoughtful User

There really is no substitute for a user with a functioning brain. People need to pay attention and be aware of unsafe behavior. I received a call a few days ago from my credit card company telling me that there was a fraud alert on my credit card and I needed to call them right away. They left a phone number. Of course, I didn't call that number. I had no way of knowing if it was legitimate. I pulled my credit card statement and called the number on that statement. I wasn't going to call and verify my identity to whoever left a phone number on my voicemail. The fraud alert phone call was legitimate, but mistaken. There was an odd, but legitimate charge.

In any case, just as you shouldn't give your credit card information to someone who calls and requests it, so also you shouldn't click on e-mail links that you can't verify. You should be suspicious of e-mails and phone calls. You should never be sharing files (movies or TV shows, or music) with other people you don't know using something like Limewire. The fact that the email was apparently sent by someone you know is not verification that it was sent by them, or that it is not otherwise infected.

You need to avoid potentially dangerous sites, because you can get infected by merely viewing a site, without actually downloading or clicking on anything.

Router

A simple physical router will block all unrequested incoming requests, thus stopping most potential attacks. You should have one in every home or office. Larger offices that can afford it and need to protect important information and many users, should purchase a full firewall like SonicWall and have it professionally installed. These will include monitoring traffic and blocking suspicious incoming traffic at the router, before it gets to your machine. They will also block suspicious outgoing traffic.

Browser Protection

I recommend using Firefox for your browsing instead of Internet Exposer. It is safer. In addition, there are extensions which will help you browser safer.

WOT: WOT stands for Web OF Trust. I have written about it in the second part of this article. WOT will alert you about dangerous sites when you are searching, warn you before entering and also give you safety information when you are at a site.
OpenDNS: I've written an article about this as well. It can be used simply as a DNS server (I setup all my clients using it as the DNS server now). Or, you can setup a free account and enable site protections. For example, in writing the section above, I tried to visit Limewire.com and got this message

I was prevented from even getting to the site. This works well for individuals, homes with children and also small businesses.
AdBlock Plus: Blocks most advertising. This improves your browsing speed and really causes no problems. I recommend it as a safety tool because so much malware infects your computer via advertising. They get into the advertising and then utilize a flash exploit to infect you from a legitimate site.
NoScript: My Noscript article was written in July of 2009. You can read about it here. Noscript is very effective, but it requires attention and is mostly useful for more advanced users.
Certificate Patrol: My article certificate authorities and SSL explaining how and why this is useful is here.

Security Updates

Microsoft Updates: Everyone knows you have to keep up with Windows updates. Microsoft believes this should be done automatically. The problem is that if you do it automatically, then sometimes your computer will want to reboot at an inconvenient time and sometimes it gets confused trying to update while you are working or shutting down. I prefer being alerted or even allowing download, but determining when to install myself. Make sure you are doing all the Microsoft updates, particularly if you are using Microsoft Office. This requires that you tell Microsoft update to update all your Microsoft programs, not just Windows.
Other Updates: Lots of programs touch the Internet and are susceptible to exploitation. Indeed, some believe that Adobe has surpassed Microsoft as a security risk. Infected websites will actually test your computer for many possible security holes and then attack with an exploit precisely designed for that flaw. When you close these flaws, you eliminate the possibility of being attacked by hundreds or even thousands of different exploits. I recommend using Secunia's PSI. My article about it is here. Secunia's personal security inspector will advise you about security updates available for thousands of programs including:

Adobe Flash and shockwave flash
Adobe Reader
PDF Xchange Viewer
Java
Microsoft office
and many more

AntiVirus

You should be running a real time antivirus program including both active protection and continuous updates and at least weekly full scans. I recommend Eset's Nod32 or Sunbelt Software's Vipre Premium.

AntiMalware

In addition to your antivirus program, I recommend a scanning program to check for malware your antivirus might miss. I do not normally recommend that this run all the time. Just do a monthly scan. My current favorite is the free Malwarebytes.

Software Firewall

Windows provides a reasonable software firewall which is improved in Windows 7. Sunbelt's Vipre Premium offers an even better one. Either is fine.

Intrusion Detection and Startup Control

If something get past all your security and gets into your machine, possibly riding along with something you really did want to install, you need a way to find out and stop it. I suggest using Winpatrol for this purpose. It alerts you of new startup programs and services and also of changes in the hosts file and file associations. It allows you to see and control both windows startup programs and browser helper objects.

Good General Practices

You should clean out your temp files and defragment your hard drive monthly. Microsoft provides acceptable programs for doing that.

Backup

This is your final line of defense. You must have good backups. I strongly recommend both local backups to an external hard drive (not the regular one on your computer), as well as off-site backups. I support both Mysecurebackup (my own OEM online backup solution) and Ibackup as offsite solutions. I recommend Second Copy for local backups.

Date: September 2010

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		Layered Security 2010 Thoughtful User There really is no substitute for a user with a functioning brain. People need to pay attention and be aware of unsafe behavior. I received a call a few days ago from my credit card company telling me that there was a fraud alert on my credit card and I needed to call them right away. They left a phone number. Of course, I didn't call that number. I had no way of knowing if it was legitimate. I pulled my credit card statement and called the number on that statement. I wasn't going to call and verify my identity to whoever left a phone number on my voicemail. The fraud alert phone call was legitimate, but mistaken. There was an odd, but legitimate charge. In any case, just as you shouldn't give your credit card information to someone who calls and requests it, so also you shouldn't click on e-mail links that you can't verify. You should be suspicious of e-mails and phone calls. You should never be sharing files (movies or TV shows, or music) with other people you don't know using something like Limewire. The fact that the email was apparently sent by someone you know is not verification that it was sent by them, or that it is not otherwise infected. You need to avoid potentially dangerous sites, because you can get infected by merely viewing a site, without actually downloading or clicking on anything. Router A simple physical router will block all unrequested incoming requests, thus stopping most potential attacks. You should have one in every home or office. Larger offices that can afford it and need to protect important information and many users, should purchase a full firewall like SonicWall and have it professionally installed. These will include monitoring traffic and blocking suspicious incoming traffic at the router, before it gets to your machine. They will also block suspicious outgoing traffic. Browser Protection I recommend using Firefox for your browsing instead of Internet Exposer. It is safer. In addition, there are extensions which will help you browser safer. WOT: WOT stands for Web OF Trust. I have written about it in the second part of this article. WOT will alert you about dangerous sites when you are searching, warn you before entering and also give you safety information when you are at a site. OpenDNS: I've written an article about this as well. It can be used simply as a DNS server (I setup all my clients using it as the DNS server now). Or, you can setup a free account and enable site protections. For example, in writing the section above, I tried to visit Limewire.com and got this message I was prevented from even getting to the site. This works well for individuals, homes with children and also small businesses. AdBlock Plus: Blocks most advertising. This improves your browsing speed and really causes no problems. I recommend it as a safety tool because so much malware infects your computer via advertising. They get into the advertising and then utilize a flash exploit to infect you from a legitimate site. NoScript: My Noscript article was written in July of 2009. You can read about it here. Noscript is very effective, but it requires attention and is mostly useful for more advanced users. Certificate Patrol: My article certificate authorities and SSL explaining how and why this is useful is here. Security Updates Microsoft Updates: Everyone knows you have to keep up with Windows updates. Microsoft believes this should be done automatically. The problem is that if you do it automatically, then sometimes your computer will want to reboot at an inconvenient time and sometimes it gets confused trying to update while you are working or shutting down. I prefer being alerted or even allowing download, but determining when to install myself. Make sure you are doing all the Microsoft updates, particularly if you are using Microsoft Office. This requires that you tell Microsoft update to update all your Microsoft programs, not just Windows. Other Updates: Lots of programs touch the Internet and are susceptible to exploitation. Indeed, some believe that Adobe has surpassed Microsoft as a security risk. Infected websites will actually test your computer for many possible security holes and then attack with an exploit precisely designed for that flaw. When you close these flaws, you eliminate the possibility of being attacked by hundreds or even thousands of different exploits. I recommend using Secunia's PSI. My article about it is here. Secunia's personal security inspector will advise you about security updates available for thousands of programs including: Adobe Flash and shockwave flash Adobe Reader PDF Xchange Viewer Java Microsoft office and many more AntiVirus You should be running a real time antivirus program including both active protection and continuous updates and at least weekly full scans. I recommend Eset's Nod32 or Sunbelt Software's Vipre Premium. AntiMalware In addition to your antivirus program, I recommend a scanning program to check for malware your antivirus might miss. I do not normally recommend that this run all the time. Just do a monthly scan. My current favorite is the free Malwarebytes. Software Firewall Windows provides a reasonable software firewall which is improved in Windows 7. Sunbelt's Vipre Premium offers an even better one. Either is fine. Intrusion Detection and Startup Control If something get past all your security and gets into your machine, possibly riding along with something you really did want to install, you need a way to find out and stop it. I suggest using Winpatrol for this purpose. It alerts you of new startup programs and services and also of changes in the hosts file and file associations. It allows you to see and control both windows startup programs and browser helper objects. Good General Practices You should clean out your temp files and defragment your hard drive monthly. Microsoft provides acceptable programs for doing that. Backup This is your final line of defense. You must have good backups. I strongly recommend both local backups to an external hard drive (not the regular one on your computer), as well as off-site backups. I support both Mysecurebackup (my own OEM online backup solution) and Ibackup as offsite solutions. I recommend Second Copy for local backups. Date: September 2010 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk