The layers of security I use to keep criminals at bay.
Tim Anderson: SP2 debate exposes deeper problems.
ZDNet's David Berlind: SP2's new firewall: better than nothing, but not good enough.
Security is an interesting issue. How much security is good enough?
Let's get out of the computer world. Let's talk about heirloom
jewelry. My wife, Maryam, has a bit of jewelry. Does she store it here
in the house? No. Why not? It's not secure enough. Where does she store
it? In a safe deposit box in a bank. Let's talk about a bank's security
and how many layers it has.
1) The jewelry is stored in a safe deposit box with a lock.
2) There's a camera on the box area, so if something goes missing they can verify what happened later.
3) Each box is alarmed. So, if you try to break into someone else's box, an alarm will cry out.
4) The safe deposit boxes are stored inside the bank vault. Three feet
of concrete and steel with a very sophisticated lock on the door.
5) Video cameras on the vault door to verify who goes in and out.
6) The vault is behind a counter and you aren't allowed to go near it unless an employee lets you in.
7) The vault is in a building that's designed to be difficult to break
into. Alarms. Heavy duty doors. Lighting that makes it easy to see in.
I'm sure there's more layers too that I'm not even aware of. But,
let's not dwell on this. The point is that there's multiple layers of
security all to protect my wife's jewelry. Let's say any one of these
layers failed. Her jewelry would still be safe. It would take multiple
failures for a criminal to be able to steal her jewelry.
So, what's my point? Well, when it comes to computer security you
should have multiple layers as well. If you have multiple layers of
security, then any one layer — even if it's not well designed — will
prove sufficient in keeping criminals away from the digital equivilent
of your jewelry.
If you visit www.microsoft.com/protect you'll see the layers that Microsoft is recommending. For me, I go further. Here's what I'm doing now.
1) Install Windows XP Service Pack 2. This update has many
protections against attacks (recompiled code, closed APIs, firewall on
by default, all known patches, etc).
2) Get a good anti-virus program. Visit
www.microsoft.com/protect for some suggestions, including a Computer
Associates one that's free for first 12 months. Why is this important?
It'll protect your system from all the known viruses, worms, and trojan
horses.
3) Get a good two-way firewall on every machine. The Sygate Personal Firewall is free and is good. Zone Alarm is
another popular choice. Why don't I just use the firewall that's
included in XPSP2? Because it is only a one-way firewall. Sygate's
watches activity going on from both inside your computer as well as out
on the Internet. What if your company already has a firewall? That's
not enough. You need one on every machine now because if someone takes
a laptop outside of your network, gets infected, then comes back in,
they'll infect you too. In fact, I use two firewalls now, even at work
(one software that runs on all my machines, and one that hooks to the
network before I even hook a machine to it). XPSP2's firewall is
definitely better than not having a firewall at all, but for some
people like me it's not enough.
4) Get a hardware-based firewall or NAT at point of network entry.
Why? Because many of us attach unpatched computers while installing, or
want to play networked games, or have other reasons for turning off our
software firewalls (some software won't work through firewalls). Plus,
even if you don't turn them off, provides one more barrier that hackers
have to go through. Again, it's about layers of security and not
needing to rely on any one security device.
5) Turn on automatic updating. Visit
www.microsoft.com/protect so you'll always have the latest security
patches. Why do that? Because software evolves. We learn about mistakes
we made in our code. We find new ways to keep criminals out. If you
aren't running the absolute latest software, you're vulnerable (and
this is true if you're on Linux or the Macintosh too).
6) Run the latest email and Web clients. Outlook 2003 and the
latest Outlook Express, for instance, has another level of security
against running exe's (you can't even run them if emailed in the latest
versions, but if you used earlier versions they didn't have those
protections). If you are running Firefox or Netscape, they regularly
fix vulnerabilities in their products too. Always run the latest.
That's the safest.
7) Visit www.microsoft.com/security regularly. for the latest
information on security threats. That's the official place where
Microsoft will communicate about security threats and/or the latest
updates.
8) Run at least one good anti-spyware program like Adaware or Webroot's Spy Sweeper or Spyware Blaster.
That'll make sure that no spyware sneaks onto your system. With XPSP2
I've found that spyware is far less likely to get onto your system, but
I've already found one site that has some spyware that gets past XPSP2.
So, you'll need to still check, particularly if you visit “high risk”
sites (sites that aren't known to you, for instance, or adult sites
which are famous for putting spyware on your systems).
9) If you visit high-risk Websites, turn off ActiveX and scripting in your browser.
(I turn off scripting even on Firefox when I'm visiting high-risk sites
— you all can guess what I'm talking about here. It's just too risky.)
In Internet Explorer, just visit Tools/Internet Options. Click on the
security tab. Then move the security slider to “high.” That'll disable
both ActiveX and scripting.
10) Don't run in administrator mode. I'm slowly moving my
machines to not running in administrator mode. That way if something
does get through all the protection it can't do as much damage. Out of
all the steps here, this one is the hardest to do, though, because a
lot of things don't work on Windows if you're not running as
administrator.
11) Keep an install partition on each of your machines. I put
a backup version of my Windows XP install CD on the second partition so
that if all else fails and my machine is taken down, I can quickly
repair the system and get back up with nothing more than a boot floppy
that any machine can produce (since my install bits are on the second
partition I don't need to do anything fancy to get back up).
Update: Chris Coulter says that an even better thing to do is to
get a second hard drive and put an image of the first drive on the
second (he recommends Norton Ghost).
If something happens to the first drive, you can build a new image off
of the second drive and be back up and running within minutes.
12) Don't allow anonymous users on your wireless network. Why
not? Because if they have been infected then you'll have invited them
behind several layers of your security. Plus, a criminal could use your
line to send spam or infect other people. Do you really want to help
those people out?
13) Use better passwords. Come on, I know some of you aren't
using good passwords. For instance, I knew one person who'd just use
“password” as his password. That meant his machine could be broken into
very quickly (never use a single word as a password — hackers have
dictionary cracking tools that can break such passwords ). Read Robert Hensing's advice.
He's a security expert here at Microsoft and works in support and
explains a good way to choose passwords that are hard to break.
14) Backup your data regularly. It's amazing how few people
backup their stuff. Hard drives die. Things happen. If you have
backups, you'll be OK even if your machine gets wiped by something.
Personally most people don't need to do it very often. I backup once a
month. Why? I'm willing to lose a month's worth of stuff. (Most of my
important stuff is in Outlook and that's backed up automatically by the
company I work for).
Anyway, my whole thing is to treat your computers like you treat
valuable jewelry. Put up multiple security barriers. This is true, by
the way, whether you are on a Mac or Linux too. All the above except
for loading XPSP2 apply to you too. Just because the criminals aren't
attacking your systems right now doesn't mean they won't in the future.
That's like saying “well, if I hide my jewelry in a box at the North
Pole the criminals aren't going to take the time to go there.” That
might be true, but is that really a good way to approach the world?
What do you think? How many layers of security do you have? How many do you need?
You might not need all the above, by the way. At home I don't have
an alarm. I don't have video cameras. I don't have a vault with
three-feet of concrete between me and any potential criminal.
So, the 14 security layers I use for my computers might be overkill
for you. Which layers above do you choose not to have and why? [Scobleizer: Microsoft Geek Blogger]