
          Computer Security (COMPUSEC)





Background

[This webpage is designed for the average home user.]

This webpage is inspired by the article "Four simple steps to protect the US from hackers" by Geoff Collins. The article addresses the enterprise networks of businesses and other organizations, but home users can use similar risk reduction measures. Here is the relevant quote from the article:

Australia's Defense Signals Directorate (DSD) and the U.S. National Security Agency (NSA) independently surveyed the techniques hackers used to successfully penetrate networks. NSA, in partnership with private experts, and DSD each came up with a list of measures that stop almost all attacks.
DSD found that just four risk reduction measures block most attacks. Agencies and private companies implementing these measures saw risk fall by 85 percent and, in some cases, to zero.
So what are these measures? First is "Application white-listing," which allows only authorized software to run on a computer or network. Second and third are very rapid patching of Operating Systems and software. The fourth is minimizing the number of people on a network who have "administrator" privileges.

If we combine the second and third defensive measures into one and change the order for home users, then we have a list of three measures that will stop most attacks against enterprise networks. Here are the three measures:

We can now make a list of simple security measures for home users based on the three measures that work for enterprises and other organizations. We will also extend the list so that a user can implement as many as they find reasonable. It is assumed that many home users will not be comfortable with all the measures. Implementing the majority of easy measures will provide good protection.


Rapid Patching of Software

A lot of malware attacks software that is not up-to-date. In other words, it attacks known vulnerabilities that have already been fixed. Rapid updating (or patching) of software will stop most attacks, especially when vendors patch their software quickly.

The more widespread an attack is "in the wild", the greater the probability of infection but also the greater the probability that the vulnerability has been detected and patched. The only malware that can attack an up-to-date computer is new malware that exploits a vulnerability that the software vendor has not yet patched. Attacks are discovered quickly today and publicized, which usually leads to a fix before an attack can become very widespread.

An attack that exploits an unknown vulnerability is called a "zero-day attack" because it is used on day zero of the public becoming aware of the vulnerability. Zero-day attacks are valuable to attackers because they are unknown and un-patched. They tend to be used sparingly for that reason, and are often used in a targeted manner. Therefore, the odds of your computer being hit by a zero-day attack are lower than the odds of being hit with an old attack that has already been patched.

For all these reasons, automatic updates are good for users. They are faster and more convenient. Hopefully, automatic updates will become standard. That would greatly decrease the number of successful attacks. Until then, update your software as fast as possible even if it seems like an annoyance.


Administrator Privileges

[Microsoft recommends the following procedures for Windows. Apple does the same for Mac OSX. Also note that "Administrator", "Root", "Superuser", and "Admin" are all related terms depending on your OS.]

Most users should normally use an account that does not have administrator privileges. They should have a separate admin account. The details vary in each operating system (OS), but the principles are the same. The main reason is that malware generally has the same privileges as the user and requires a second exploit to elevate its privileges if it wants to make significant changes to the system or install software.

Setting your computer up this way is usually pretty easy, and will only require you to enter the Admin password when you perform certain functions. (You can even use the same password on your Admin and non-Admin accounts.) Of course, kids can also be set up without administrative privileges (or root privileges) on their account.

One additional advantage of not running as Admin or root is that you will be reminded when you are installing something or making significant changes. Some people believe that they are too tech-savvy for this precaution; they are mistaken. Others feel that it is too inconvenient or that it is too easy for malware to elevate its privileges. Neither argument is very convincing. This strategy is not difficult and it adds another barrier to malware.

In 2010, Elinor Mills reported on CNET the following findings:

Ninety percent of critical Microsoft Windows 7 vulnerabilities can be mitigated by configuring the operating system for standard user rather than administrator, according to a new report released on Monday.
Removing administrator rights would also protect against exploitation of all of the Office holes reported last year, 94 percent of Internet Explorer flaws and 100 percent of IE 8 flaws reported last year, and 64 percent of all Microsoft vulnerabilities reported in that time period, according to BeyondTrust's 2009 Microsoft Vulnerability Analysis (PDF).

Depending on your OS, the general procedure is to create a second account with Administrator privileges, log into that account, then remove Admin privileges from your previous account. (The key is to be certain you have an accessible account with Admin privileges at all times.) Create non-Admin accounts for other users also.
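
One way to carry out this procedure on Windows with the LocalAccounts cmdlets of Windows PowerShell 5.1, as an added example that is not part of the original page or Microsoft's own instructions. The account names `alice` and `alice-admin`, the `-Stage` parameter and saving the code as a `.ps1` script file are assumptions; the Demote stage refuses to run unless you are signed in to a different, enabled admin account.

```powershell
#Requires -RunAsAdministrator
# Added example: split one Windows account into a daily (standard) and an admin account.
# Run from an elevated Windows PowerShell 5.1 prompt. Account names are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Demote')][string]$Stage,
    [string]$DailyUser = 'alice',        # assumption: the account you use every day
    [string]$AdminUser = 'alice-admin'   # assumption: the new admin-only account
)
$ErrorActionPreference = 'Stop'

# Look the groups up by well-known SID so the script works on non-English Windows.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'   # built-in Administrators
$users  = Get-LocalGroup -SID 'S-1-5-32-545'   # built-in Users

if ($Stage -eq 'Create') {
    # Step 1, run from your existing account: create the second account as an admin.
    $pw = Read-Host -AsSecureString "Password for $AdminUser"
    New-LocalUser -Name $AdminUser -Password $pw -Description 'Admin tasks only' | Out-Null
    Add-LocalGroupMember -Group $admins -Member $AdminUser
    Write-Host "Created $AdminUser. Sign out, sign in as $AdminUser, then run -Stage Demote."
    return
}

# Step 2, run while signed in to the new admin account: demote the daily account.
$daily = Get-LocalUser -Name $DailyUser
$me    = [Security.Principal.WindowsIdentity]::GetCurrent().User
if ($me.Value -eq $daily.SID.Value) {
    throw "You are signed in as $DailyUser. Sign in as $AdminUser first to prove it works."
}

# Never remove admin rights unless another enabled local admin account remains.
$remaining = Get-LocalGroupMember -Group $admins |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $daily.SID.Value } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
if (-not $remaining) {
    throw "No other enabled local admin account found; refusing to demote $DailyUser."
}

# Keep the daily account in Users, then take it out of Administrators.
if ((Get-LocalGroupMember -Group $users).SID.Value -notcontains $daily.SID.Value) {
    Add-LocalGroupMember -Group $users -Member $DailyUser
}
Remove-LocalGroupMember -Group $admins -Member $DailyUser
Write-Host "$DailyUser is now a standard user. Admins: $($remaining.Name -join ', ')"
```

The built-in Administrator account is disabled by default, so the `Enabled` filter does not count it as a usable fallback.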


Installing Software

Unfortunately, many people install malware themselves either because the malware is advertised as legitimate or because it is legitimate software that has been altered. That is why it is critical that users be certain that the software is reputable AND comes from a reputable source.

As discussed at the top of this webpage we are trying to implement 3 simple effective measures for the home user, before adding others. Note the third item:

Application white-listing basically amounts to only installing (and running) trusted software. Operating systems are starting to implement white-listing for the home user. (Mac OSX is implementing a feature that only allows signed, trusted apps to be installed.) The whole "app store" movement is also designed to raise the trust of apps. Hopefully, malicious apps will not remain in a legitimate app store for long.

Currently though, the user must still do much of the white-listing. In other words, the user must ensure that they only install trusted software (SW) from trusted sources. For example, only download apps widely known to be legitimate from a legitimate source. Check reviews in tech magazines or ask around. Be very suspicious of software that is offered for download in ads. "Free music app", "free games", "speed up your computer", and similar advertisements should not be trusted!
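
A check you can run on a downloaded Windows installer before opening it, as an added example that is not part of the original page. It uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets; the function name `Test-InstallerTrust`, the file path and the publisher name are placeholders, and the optional SHA-256 comparison assumes the vendor publishes a hash.

```powershell
# Added example: check a downloaded Windows installer before you run it.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher,  # name you expect on the certificate
        [string]$ExpectedSha256                            # optional: hash from the vendor's site
    )
    $problems = @()
    # -ErrorAction Stop: a missing or unreadable file must fail, not pass silently.
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction Stop

    # A valid signature means the file is unchanged since the publisher signed it.
    switch ($sig.Status) {
        'Valid'        { }
        'NotSigned'    { $problems += 'No digital signature.' }
        'HashMismatch' { $problems += 'File was altered after it was signed.' }
        default        { $problems += "Signature not valid: $($sig.Status)" }
    }

    # A valid signature from the wrong publisher is still the wrong software.
    $signer = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
        if ($signer -ne $ExpectedPublisher) {
            $problems += "Signed by '$signer', expected '$ExpectedPublisher'."
        }
    }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction Stop).Hash
        if ($actual -ne $ExpectedSha256.Trim()) {
            $problems += 'SHA-256 does not match the published value.'
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $signer
        Trusted  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Placeholder path and publisher; substitute the real file and vendor name.
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\setup.exe" -ExpectedPublisher 'Example Software Ltd'
```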

We have now covered the three steps for home users. We can add some more easy security measures in the following sections.


Web Surfing

NoScript is a free and open-source extension for the Firefox web browser. Per Wikipedia, NoScript blocks JavaScript, Java, Flash, Silverlight, and other "active" content by default in Firefox. This is based on the assumption that malicious websites can use these technologies in harmful ways. Users can allow active content to execute on trusted websites, by giving explicit permission, on a temporary or a more permanent basis.

NoScript is great protection for users of the free Firefox web browser. (You may find similar extensions for a different browser like Chrome.) "HTTPS Everywhere" is another great security add-on for Firefox that forces secure links on websites that have an HTTPS version. Security advocate Steve Gibson uses NoScript & HTTPS Everywhere.

If you don't wish to use Firefox or another browser with a NoScript-like extension, then blocking Java and Flash, if you can, is another good option. Java is currently being exploited more than anything else. Flash also has a poor history though it is no longer in the lead. Fortunately, the web community is trying to replace Flash with HTML 5.0, though Flash is still used for video. Java is not a bad technology; it is just too powerful for the web.

NoScript takes a little practice to use. For example, the functions on your banking site probably won't work until you allow the scripts. Once allowed, your banking site will always work. The same goes for all trusted websites with active content. Once you allow them, they will work fine.


Operating Systems

Operating System    Number of attacks in recent years
Linux or BSD        ~none
Chrome OS           ~none
Mac OSX             few
Windows             many

Choosing an operating system (OS) is an individual decision and beyond the scope of this web page. However, many users would be better off using a different OS, not just for security reasons but for many others.

Religious feelings aside, the best thing to do is to learn what you can about another OS from someone who uses it. You can also research online. The things you do on your computer should be considered, as well as how they are done on the other OS.


Summary

As discussed at the top of this webpage we are trying to implement a few simple effective security measures for the home user. Combining everything discussed above gives us a good list that home users can use to secure their computer. Here are the simple, effective security measures:

The above list covers the most effective security measures with the fewest drawbacks for the average computer user. The fourth measure listed, disabling Java & Flash, is an alternative for the third measure in the list. Full disk encryption of your hard drive (HD) is meant to protect your data in case of theft or tampering. Most of the measures can be done by the average home user with very little technical assistance. The last two may require more effort depending on what you have available. For instance, some OSes have built-in hard drive encryption.

Some of the other security precautions you can take are widely discussed elsewhere. These include using strong passwords, antivirus software, firewall SW, etc. Such measures can only add security to those listed above. Strength of passwords is definitely worth considering since most of us could improve in our password strength.

Here's a quick look at wi-fi setup: (These are usually done from the web interface of the router.)

Phones: Phones are generally secured by the manufacturer. The big issues with phones are malicious apps & theft/tampering. The best things you can do are to only download trusted apps from trusted sources & configure your settings for security and privacy. You should be fairly safe by doing those things.


Privacy

Privacy & security are related. Security will prevent intrusions into your system and help to prevent theft of your private data. Beyond that, privacy would require at least one webpage of its own and is beyond the scope of this webpage. However, some generalizations can be made. A few ideas follow below.

Encryption always raises security and increases the level of effort for an eavesdropper. All private communications (email, IM, cell phone, landline, etc.) should be encrypted by default so that only the sender & receiver can decrypt the messages. There is no upside to sending communications unencrypted. (Bandwidth is not a serious consideration.) The fact that no cell phones or landlines in the world have decent encryption cannot be accidental. It doesn't appear that phone calls will ever be encrypted for the masses - by design.

There are some means of encryption in the computer world. Many IM clients can use the Off The Record (OTR) protocol. Cryptocat is an especially nice client. Email has GPG which is well-respected. There are also websites that will encrypt text. Various methods exist for encrypting attached files. The problem is that none of these things are default and widely used, especially for email. GPG is supported by most clients but both parties must set it up & use it. It seems that few people encrypt email, and both parties must participate. IM encryption is a little easier and more widely used.

Hopefully, standard & easy encryption will become the default for most email & IM clients. There has been some progress as of late. Also, it is hoped that cloud storage will default to encryption only the customer can decrypt or "Trust No One (TNO)" encryption. Unfortunately, companies and governments have interests that do not align with yours.







It is a good viewpoint to see the world as a dream. When you have something like a nightmare, you will wake up and tell yourself that it was only a dream. It is said that the world we live in is not a bit different from this.

-- Hagakure: The Book of the Samurai by Yamamoto Tsunetomo

