Most security articles are written for network administrators charged with the security and availability of corporate networks. As computers have become a pervasive tool in the office, however, they have begun to be an indispensable one at home as well. Around 73% of US homes have a PC in them, and about half of US homes have broadband internet service of one type or another. Many of us are also administering second or third PCs for children, teens, or elderly relatives. While the home PC should definitely not contain corporate secrets, it does safeguard some data close to users' hearts. Imagine how it would feel to lose your family photos, tax records, little Janie's homework projects, emails from great-grandpa, your confirmations and boarding passes for next week's vacation and your grandma's recipe book all in one blow. The data on that home computer is important to you, if not to the network administrator at your office.
Why would anyone attack your home PC? Simply put, there is a great deal of money to be made by enslaving your computer and using it for nefarious purposes, such as sending SPAM for profit, distributing illegal files, or hacking other networks. Some hackers make a great deal of money by stealing your financial and personal information, and either reselling it to other criminals or using it to make purchases themselves. Either way, a large percentage of PC attacks are made for profit. Frankly, home computers tend to be easy targets, since they don't have professional defenders like corporate networks do.
So, without a professional defender, how can you go about assuring your computer and the rest of your family's PCs are secure? Here are some recommendations.
1. First, you should definitely consult your system support personnel if you work from home. If you use your broadband access to connect to your employer's network via a Virtual Private Network (VPN) or other means, your employer may have policies or procedures relating to the security of your home network. Those should supersede what you are reading here, so be sure to consult with your employer's support personnel, as appropriate, before following any of the steps outlined in this document. You can use the information below to prompt discussions with support staff, or to help you administer other family computers.
2. Use virus protection software and anti-spyware software. Anti-virus software is a must-have for all Internet-connected computers. Inexpensive AV software often comes packed with your new PC. Be sure to keep your anti-virus software up-to-date, using automatic updates when available. Depending on the software you choose, you may also need to renew your subscription annually to keep receiving updates. If you do not renew your subscription, you may as well not have antivirus software at all. If AV software is not up to date, it absolutely cannot work properly. Antispyware software has also become important as more and more hacks are delivered in rootkits and other non-viral means.
3. Use a firewall. There are two types of firewalls: a hardware firewall, which is a network appliance, and a software-based firewall, which runs on your computer. Intruders are constantly scanning home user systems for known vulnerabilities. Firewalls (whether software or hardware-based) can provide some degree of protection against these attacks. Software firewalls need to be kept up to date when manufacturers release patches to correct flaws or security holes. A firewall is never infallible, so it is important to continue all the other security measures after it is installed. It's also best not to 'poke holes' in your firewall if you can avoid it. If you find yourself digging through the settings to open ports without knowing exactly why you are doing it, it is time to reconsider. Most good software for the PC these days is designed to work through firewalls without disabling them. If you've downloaded a software package that is being blocked by your firewall, it's a good idea to check online for reviews of that software and make sure it's safe to use.
4. Don't open email attachments unless you can verify they are legitimate. Before opening any attachment, be sure you know the source of the attachment. It is not enough that the email originated from an address you recognize, because many hacks are specifically designed to utilize familiar email addresses to disguise their true points of origin. If you are in doubt, ask the other person whether they have sent you an attachment purposefully. Any good net citizen will be happy to verify their attachment for you.
5. Don't run programs of unknown origin. Never run a program unless you know it to be authored by a person or company that you trust. Also, don't send programs of unknown origin to your friends or coworkers simply because they are amusing -- they might contain a Trojan horse program or a rootkit. If you are wondering whether to install a program, you should try to investigate it first. There are a great many authors who post excellent software reviews online. Try running a Google search on the name of the software and the word 'review'. This should give you some idea whether or not the software is legit. If you can't find a decent review, odds are you shouldn't run the software.
6. Keep all applications, including your operating system, completely patched. Vendors will usually release patches for their software when a vulnerability has been discovered. Read the manuals or browse the vendor's web site to make sure you understand how to keep the software current. Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor's web site for information about automatic notification. If no mailing list or other automated notification mechanism is offered, you may need to check periodically for updates. If the PC has been turned off for a few weeks while you were away, the first thing you should do is update your software when you turn it back on. The key with updates is that they need to be performed frequently enough to 'patch' security holes before they can be exploited. Make it a rule in your house that Windows Update should always be allowed to do whatever it wants, and that the kids aren't allowed to interrupt that process. If a reboot is required, it should be performed right away.
7. Turn off your computer or disconnect from the network when you are not using it. An intruder cannot attack your computer if it is powered off or otherwise completely disconnected from the network. This will also save you money on your energy bill, and may extend the lifespan of your computer.
8. Disable Java, JavaScript, and ActiveX if possible. Be aware of the risks involved in the use of "mobile code" such as ActiveX, Java, and JavaScript. A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser. Unfortunately, many legitimate sites use scripts running within the browser to add useful features. Disabling scripting may degrade the functionality of these sites. Detailed instructions for disabling browser scripting languages are available in http://www.cert.org/tech_tips/malicious_code_FAQ.html. More information on ActiveX security, including recommendations for users who administer their own computers, is available in http://www.cert.org/archive/pdf/activeX_report.pdf.
9. Disable scripting features in email programs. Because many email programs use the same code as web browsers to display HTML, vulnerabilities that affect ActiveX, Java, and JavaScript are often applicable to email as well as web pages.
10. Make regular backups of your data. Here are the basics of data backups:
A. In order to create good backups, you need to know where your files are. Organize them in some way: by type, by title, by date; it doesn't matter which. It's best to store your files in a directory you create yourself, or in your “My Documents” folder.
B. Make a copy of your files on an external device. Since you know where the files are, you can simply copy entire directories and manually paste them to your backup location. Alternatively, you can use backup software, which will perform these functions for you automatically. For your backup location, you can use removable media such as ZIP disks or recordable CD-ROM disks (CD-R or CD-RW disks), an external hard drive, flash media, or any type of device on which you can store data outside the PC's case. Be sure to store the backup copy somewhere away from the computer. Send a copy to a friend for safekeeping, or put it in your safety deposit box at the bank. If you want your data to survive a house fire, you will need to store a copy away from the house.
C. Make a routine for backups to occur with regularity. If you don't save new files to your computer very often, you don't need to perform backups terribly often, either. If, however, you are adding photos of the new baby daily, you should make your backups more frequently.
11. Make a boot disk in case your computer is damaged or compromised. To aid in recovering from a security breach or hard disk failure, create a boot disk on a floppy disk which will help when recovering a computer after such an event has occurred. Remember, however, you must create this disk before you have a security event. For information on creating a boot disk, check your operating system vendor's web site.
12. Review your computer security plans with all the users of the computer. It's important to make sure everyone is playing for your team, and that no one is shutting off the firewall or delaying Windows from performing updates. They also need to know how to avoid downloading malicious software.
13. Prepare everyone in the home for social engineering attacks. A social engineering attack uses persuasion and coercion to convince users to allow access to a hacker. Unfortunately, awareness of social engineering is low, and surveys have revealed that nine out of ten people will give their password in exchange for a chocolate Easter egg. Tell your family that they should never share their passwords or give out their personal information online. Try to familiarize them with phishing tactics, too.
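The backup routine from step 10, as an added example that is not part of the original article: a Python script that copies a folder into a dated directory on an external drive, records a SHA-256 hash for every file, and can later re-check the copy for missing or damaged files. The `E:/Backups` location and the `MANIFEST.sha256` file name are assumptions made for this example.

```python
import hashlib
import shutil
from datetime import date
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # file name chosen for this example


def sha256_of(path):
    """Hash a file in chunks so large photos or videos do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup(source, backup_root, stamp=None):
    """Copy every file under source into backup_root/<stamp>/ and record hashes."""
    source = Path(source)
    target = Path(backup_root) / (stamp or date.today().isoformat())
    lines = []
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = target / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also keeps the file's timestamps
        lines.append(f"{sha256_of(src)}  {rel.as_posix()}\n")
    target.mkdir(parents=True, exist_ok=True)
    (target / MANIFEST).write_text("".join(lines), encoding="utf-8")
    return target


def verify(target):
    """Re-read a backup folder; return the files that are missing or changed."""
    target = Path(target)
    problems = []
    for line in (target / MANIFEST).read_text(encoding="utf-8").splitlines():
        expected, rel = line.split("  ", 1)
        copy = target / rel
        if not copy.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(copy) != expected:
            problems.append((rel, "corrupt"))
    return problems


if __name__ == "__main__":
    # Hypothetical locations: your documents folder and an external drive.
    folder = backup(Path.home() / "Documents", "E:/Backups")
    print(folder, verify(folder) or "all files verified")
```

Running `verify` on the off-site copy from time to time shows whether the disc or drive is still readable before you actually need it.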
Unfortunately, good PC security will only defend your PC from data-based attacks. If you have children or elderly folks at home using the computer, you should be aware that they are preferred targets for the worst types of internet predators. In this case it is not just your data or your computer you must protect, but also your loved ones themselves. In the case of children, you should make sure they will absolutely never share their name, address or city, phone number, or the name of their school, their travel plans or schedule, or where they like to play. Make sure kids know they should invent usernames that do not resemble their real names or reveal any personal information. Inform your kids that they should never agree to meet an internet friend in person, and that people on the internet might not be what they seem. If anyone on the internet is being pushy with them, or making them feel uncomfortable in any way, they should report it to you immediately. Consider installing software to monitor your kids online, and make sure you're checking on them to make sure everything is okay.
The elderly are often targeted by a different breed of cybercriminal, who will attempt various cons to perform identity theft, financial theft, and other types of fraud. Respectfully recommend that your elderly loved ones check the FTC's web site at http://onguardonline.gov/index.html. This will give them many tools to detect and avoid the types of scams often aimed at them.
By Wendy Tate and Farida Ali of Dynamic Computer Corporation
Security For Ordinary PC Users
Capital Network Solutions Monday, October 01, 2007