Tim Anderson: SP2 debate exposes deeper problems.
ZDNet’s David Berlind: SP2’s new firewall: better than nothing, but not good enough.
Security is an interesting issue. How much security is good enough?
Let’s get out of the computer world. Let’s talk about heirloom jewelry. My wife, Maryam, has a bit of jewelry. Does she store it here in the house? No. Why not? It’s not secure enough. Where does she store it? In a safe deposit box in a bank. Let’s talk about a bank’s security and how many layers it has.
1) The jewelry is stored in a safe deposit box with a lock.
2) There’s a camera on the box area, so if something goes missing they can verify what happened later.
3) Each box is alarmed. So, if you try to break into someone else’s box, an alarm will cry out.
4) The safe deposit boxes are stored inside the bank vault. Three feet of concrete and steel with a very sophisticated lock on the door.
5) Video cameras on the vault door to verify who goes in and out.
6) The vault is behind a counter and you aren’t allowed to go near it unless an employee lets you in.
7) The vault is in a building that’s designed to be difficult to break into. Alarms. Heavy duty doors. Lighting that makes it easy to see in.
I’m sure there’s more layers too that I’m not even aware of. But, let’s not dwell on this. The point is that there’s multiple layers of security all to protect my wife’s jewelry. Let’s say any one of these layers failed. Her jewelry would still be safe. It would take multiple failures for a criminal to be able to steal her jewelry.
So, what’s my point? Well, when it comes to computer security you should have multiple layers as well. If you have multiple layers of security, then any one layer — even if it’s not well designed — will prove sufficient in keeping criminals away from the digital equivalent of your jewelry.
If you visit www.microsoft.com/protect you’ll see the layers that Microsoft is recommending. For me, I go further. Here’s what I’m doing now.
1) Install Windows XP Service Pack 2. This update has many protections against attacks (recompiled code, closed APIs, firewall on by default, all known patches, etc).
2) Get a good anti-virus program. Visit http://www.microsoft.com/protect for some suggestions, including a Computer Associates one that’s free for the first 12 months. Why is this important? It’ll protect your system from all the known viruses, worms, and trojan horses.
3) Get a good two-way firewall on every machine. The Sygate Personal Firewall is free and is good. Zone Alarm is another popular choice. Why don’t I just use the firewall that’s included in XPSP2? Because it is only a one-way firewall. Sygate’s watches activity going on from both inside your computer as well as out on the Internet. What if your company already has a firewall? That’s not enough. You need one on every machine now because if someone takes a laptop outside of your network, gets infected, then comes back in, they’ll infect you too. In fact, I use two firewalls now, even at work (one software that runs on all my machines, and one that hooks to the network before I even hook a machine to it). XPSP2’s firewall is definitely better than not having a firewall at all, but for some people like me it’s not enough.
4) Get a hardware-based firewall or NAT at point of network entry. Why? Because many of us attach unpatched computers while installing, or want to play networked games, or have other reasons for turning off our software firewalls (some software won’t work through firewalls). Plus, even if you don’t turn them off, it provides one more barrier that hackers have to go through. Again, it’s about layers of security and not needing to rely on any one security device.
5) Turn on automatic updating. Visit http://www.microsoft.com/protect so you’ll always have the latest security patches. Why do that? Because software evolves. We learn about mistakes we made in our code. We find new ways to keep criminals out. If you aren’t running the absolute latest software, you’re vulnerable (and this is true if you’re on Linux or the Macintosh too).
6) Run the latest email and Web clients. Outlook 2003 and the latest Outlook Express, for instance, have another level of security against running exe’s (you can’t even run them if emailed in the latest versions, but if you used earlier versions they didn’t have those protections). If you are running Firefox or Netscape, they regularly fix vulnerabilities in their products too. Always run the latest. That’s the safest.
7) Visit http://www.microsoft.com/security regularly for the latest information on security threats. That’s the official place where Microsoft will communicate about security threats and/or the latest updates.
8) Run at least one good anti-spyware program like Adaware or Webroot’s Spy Sweeper or Spyware Blaster. That’ll make sure that no spyware sneaks onto your system. With XPSP2 I’ve found that spyware is far less likely to get onto your system, but I’ve already found one site that has some spyware that gets past XPSP2. So, you’ll need to still check, particularly if you visit “high risk” sites (sites that aren’t known to you, for instance, or adult sites which are famous for putting spyware on your systems).
9) If you visit high-risk Websites, turn off ActiveX and scripting in your browser. (I turn off scripting even on Firefox when I’m visiting high-risk sites — you all can guess what I’m talking about here. It’s just too risky.) In Internet Explorer, just visit Tools/Internet Options. Click on the security tab. Then move the security slider to “high.” That’ll disable both ActiveX and scripting.
10) Don’t run in administrator mode. I’m slowly moving my machines to not running in administrator mode. That way if something does get through all the protection it can’t do as much damage. Out of all the steps here, this one is the hardest to do, though, because a lot of things don’t work on Windows if you’re not running as administrator.
11) Keep an install partition on each of your machines. I put a backup version of my Windows XP install CD on the second partition so that if all else fails and my machine is taken down, I can quickly repair the system and get back up with nothing more than a boot floppy that any machine can produce (since my install bits are on the second partition I don’t need to do anything fancy to get back up).
Update: Chris Coulter says that an even better thing to do is to get a second hard drive and put an image of the first drive on the second (he recommends Norton Ghost). If something happens to the first drive, you can build a new image off of the second drive and be back up and running within minutes.
12) Don’t allow anonymous users on your wireless network. Why not? Because if they have been infected then you’ll have invited them behind several layers of your security. Plus, a criminal could use your line to send spam or infect other people. Do you really want to help those people out?
13) Use better passwords. Come on, I know some of you aren’t using good passwords. For instance, I knew one person who’d just use “password” as his password. That meant his machine could be broken into very quickly (never use a single word as a password — hackers have dictionary cracking tools that can break such passwords). Read Robert Hensing’s advice. He’s a security expert here at Microsoft and works in support and explains a good way to choose passwords that are hard to break.
14) Back up your data regularly. It’s amazing how few people back up their stuff. Hard drives die. Things happen. If you have backups, you’ll be OK even if your machine gets wiped by something. Personally most people don’t need to do it very often. I back up once a month. Why? I’m willing to lose a month’s worth of stuff. (Most of my important stuff is in Outlook and that’s backed up automatically by the company I work for).
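Step 13's warning about single-word passwords, as an added example that is not part of the original post: a small Python check showing that a word dressed up with character substitutions or padded with digits still reduces to a single dictionary word. The word list is constructed sample data and the function names are hypothetical.

```python
import re

# Constructed sample word list (assumption). A real check would load a large
# dictionary plus a list of commonly used passwords.
SAMPLE_WORDS = {"password", "jewelry", "dragon", "monkey", "welcome", "letmein"}

# Common look-alike substitutions. Dictionary-based guessing undoes these
# automatically, so they add very little strength to a single word.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})


def candidate_roots(password):
    """Return the plain forms a decorated password might reduce to."""
    lowered = password.lower()
    # Drop digits and punctuation padded onto either end ("2004jewelry!").
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return [
        lowered,
        stripped,
        lowered.translate(SUBSTITUTIONS),
        stripped.translate(SUBSTITUTIONS),
    ]


def dictionary_root(password, words=SAMPLE_WORDS):
    """Return the dictionary word the password reduces to, or None."""
    for candidate in candidate_roots(password):
        if candidate in words:
            return candidate
    return None


def audit(passwords, words=SAMPLE_WORDS):
    """Map each password to the dictionary word it reduces to (or None)."""
    return {pw: dictionary_root(pw, words) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    samples = ["password", "P@ssw0rd1", "Dr4g0n!!", "welcom3",
               "2004jewelry", "maryam keeps jewelry in a vault"]
    for pw, root in audit(samples).items():
        verdict = f"REJECT (single word: {root})" if root else "ok"
        print(f"{pw!r:36} {verdict}")
```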
Anyway, my whole thing is to treat your computers like you treat valuable jewelry. Put up multiple security barriers. This is true, by the way, whether you are on a Mac or Linux too. All the above except for loading XPSP2 apply to you too. Just because the criminals aren’t attacking your systems right now doesn’t mean they won’t in the future. That’s like saying “well, if I hide my jewelry in a box at the North Pole the criminals aren’t going to take the time to go there.” That might be true, but is that really a good way to approach the world?
What do you think? How many layers of security do you have? How many do you need?
You might not need all the above, by the way. At home I don’t have an alarm. I don’t have video cameras. I don’t have a vault with three-feet of concrete between me and any potential criminal.
So, the 14 security layers I use for my computers might be overkill for you. Which layers above do you choose not to have and why?