IX. Actions

Being rugged means learning from others’ mistakes, being prepared, thinking through the possible risk scenarios, and having a plan for each to help you recover when something adverse happens. BUT an ounce of prevention is worth a pound of cure.

Change Management

According to research done by the IT Process Institute, planning, strictly adhering to, and enforcing a well-designed change management program is the number one characteristic of all high-performing IT shops (out of 800 examined). The research is documented in the three Visible Ops Handbooks on their website.

At work you may have Information Technology (IT) staff whose job it is to protect work computers, in which case many of these suggestions cannot be carried out at work by individuals. However, those who work remotely and connect to work from equipment not issued by their employer have an added responsibility to protect that (home) computer. It can take hours to completely wipe a hard drive and boot sectors to be sure to eliminate rootkits and other “hidden” malware. That can be expensive if you take it to commercial IT shops. (If you don’t want to take these free steps, it may be worth evaluating whether it is cheaper to buy a new computer instead of paying money to “clean”, reinstall, patch and update an older computer.)

General Actions:

  • Talk to your children/grandchildren.  Short frequently repeated statements are more effective than long lectures.  Here’s how: http://www.onguardonline.gov/flash/video-player_400x335.swf
  • Establish a backup/recovery plan/process for  important files
  • Buy a fireproof safe or use a bank safe deposit box
  • Have a plan (preferably written – not stored on your computer) for various scenarios (keep one in a locked drawer at work). Store  your plan on multiple types of media (paper, USB drive, CD/DVD, portable hard  disk).
  • Do an actual preparedness exercise to make sure everyone knows what to do.  A written plan that everyone has a copy of is good, but if it’s not used and tested  weaknesses won’t become apparent until too late.
  • Share the Effort! Organize a Cyber Rugged “Pre-Planning Emergency” Party  with family or friends.
  • Subscribe to Alert Systems: FEMA and the FCC are launching citizen alert systems in cities through cell phones in the next year (April 2012)  called the Personal Local Alerting Network (PLAN).  Most major cell phone carriers will be participating.

To Protect Computers: these are the top 10 actions each individual should take to protect home and small business Windows computers. This information is directed mainly to Windows, but there are increasing problems with Mac, Linux and smart phone devices:

1. Email & Phishing - 2. Updates & Browsers - 3. Configure - 4. Patch - 5. AntiMalware - 6. Passwords - 7. DNS Filter - 8. Host Firewall - 9. Malwarebytes - 10. Sandbox

1.  Be Suspicious of ALL Email:  If you don’t want, or think you’ll forget, to do the following simple steps,  then use a “sandbox” (see #10) to run email in.   This can’t be emphasized enough.  All the protection in the world is less effective than prevention.  The most prevalent way of compromising computers is through email.  It is safest to:

  •  delete email advertisements, and those from people you do not know, without reading them, 
  •  run anti-malware to check attachments in email before saving or opening them.   
  • People you know can unintentionally pass on malicious files and links.  Their email can be compromised and send malicious links to those in their address book.  Do not click on links in email, even seemingly from people you know,  without:
    • verifying what the link is (right click on the link and check properties to see if the link in properties agrees with what is shown)
    • Do not click on shortened URLs e.g. from “bit.ly” (LY is in Libya!) and others.  You should always check the URL to see that it looks right (do the PhishNoPhish game).
    • use a URL checker to check to see if it’s a legitimate site (newer browsers check this for you–good reason to upgrade to IE9 or Firefox with No-Script)
    • do not forward chain letters, jokes, warnings etc.  Check all warnings about scams, letters, and pleas for help at either http://snopes.com and/or http://hoax-slayer.com
    • NOTHING ON THE INTERNET IS FREE.  NOTHING. The cost for anything “free” is information about you, your family, your money, other personal information, a sales ploy, or loss leader to entice you to upgrade to a paid service. CULTIVATE INTELLIGENT SUSPICION.  Hear, Honor, Trust and ACT on the little warning voice in your head.
    • Phishing (see the Phishing Public Service Announcement): Don’t click on links in email or text messages! Phishing is a crook’s attempt to make someone reveal sensitive information. The crook sends a web link via email or text message which the victim clicks, taking him or her to a “phishing” web page. There is a current spate of email exploits that seem to come from people you know. The subject may be something like “Hey” or “Hey First.Lastname” and the content is a few words and/or just a very short link. Check with the person the email seems to have come from to see if they really sent it to you, because their email address may have been hijacked! Even if they did send it to you, they could unknowingly be forwarding a link to a malicious website. Also, a web page may look authentic (e.g. from a financial institution or store) but in reality be a clever fake that records information like account name and password. Take the Phishing test to see if you can tell the difference between a real website and a phishing site. Clicking on links in email or text messages is the quickest way to get to a phishing website, and not clicking is the simplest way to avoid them.
    • Drive-by Downloads (see the Business Week article on drive-bys): This article doesn’t use the term “drive-by” but describes exactly what they are. A drive-by download is when malware automatically downloads onto your computer, without your knowledge, as you visit a website. The malware might be attached to a video just downloaded, or installed while in chat or while shopping.
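
The link check described in the list above (compare the address a link shows with where it really goes, and treat shortened URLs as opaque) can be automated for an HTML message. This is an added example, not part of the original page: the function names are hypothetical, the sample message is constructed, and the shortener list holds only bit.ly, the one named above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Shortener hosts to flag; bit.ly is the one named in the text (extend as needed).
SHORTENERS = {"bit.ly"}

# A visible-text token that itself looks like a web address (host, optional path).
ADDRESS = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def normalize(host):
    """Lower-case a host name and drop a leading 'www.' so equal sites compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def check_links(html):
    """Return (href, shown_text, reason) for each link that deserves a second look."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        target = normalize(urlparse(href).hostname)
        if target in SHORTENERS:
            findings.append((href, text, "shortened URL hides the destination"))
            continue
        for token in text.split():
            match = ADDRESS.match(token)
            if match and normalize(match.group(1)) != target:
                findings.append((href, text, "shown address differs from real target"))
                break
    return findings


# Constructed sample message (reserved example domains, made-up short link).
SAMPLE_EMAIL = """
<p>Hey, <a href="http://bit.ly/EXAMPLE">look at this</a></p>
<p>Your bank: <a href="http://login.example.net/verify">www.bank.example.com</a></p>
<p>News: <a href="https://www.example.org/story">example.org/story</a></p>
<p><a href="https://example.org/help">Help page</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in check_links(SAMPLE_EMAIL):
        print(f"{reason}: shows {text!r}, goes to {href}")
```

A link whose visible text is plain words (“Help page”) passes this check, so it only catches the case where the message displays one address and points to another.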

Remember the national Cyber awareness slogan: Stop.  Think. Connect.

2. Set it and Forget it!  Windows Update:  Set Windows Update to automatically pull the newest patches from Microsoft.  Microsoft always issues patches and updates on the 2nd Tuesday of each month and more frequently, if it is very urgent.  Set Windows Update on home computers for automatic update and installs and the Windows operating system, Microsoft Office, Internet Explorer (IE) will all be updated automatically.

If you are willing to configure and update it regularly, it may also be a good idea to use an alternative Internet browser such as Firefox with AdBlockPlus and NoScript, or a WebKit browser such as Safari or Chrome. These support real ad blocking (preventing pop-up ads from being fetched), which the Microsoft IE architecture does not. If you are not diligent in doing regular updates, it may be safer to stay with IE (be sure to upgrade to IE9). There is no right answer; it is up to each individual and their circumstances at home.

If you are willing to put in the time at home, you may want to use a browser alternative like Firefox with the NoScript plugin (so it doesn’t run Java and other scripts automatically).

3. Harden the Operating System:  In businesses, large or small, use security benchmarks or  Security Technical Implementation Guides (STIG) for turning off configurations that could compromise the computer.  For smaller businesses or home use, run the Microsoft Baseline Security Analyzer (MBSA) and follow the configuration instructions on each computer in the business.

The following applications are suggestions only.  Any products mentioned are used under the responsibility of the individual and not the responsibility of this site.

4. Patch Applications:  Free Secunia PSI v 2.0 scans programs (as opposed to operating systems) for updates. It’s a very simple install and it monitors a huge number of programs for updates and obsolescence: http://secunia.com/vulnerability_scanning/personal. Set it to automatically scan your computer (it scans all programs, applications, tools and utilities for the most current versions, patches and updates). It then provides links to those that are out of support or are older versions. This is extremely important for Adobe products (Flash, Reader), Javascript and other extensions or plug-ins that work in conjunction with browsers.

Also, use alternatives to the most commonly exploited browser add-ons like Adobe Reader (use Foxit PDF Reader http://www.foxitsoftware.com/products/reader/, or Nitro PDF Reader http://www.nitroreader.com/download/, both of which have an automatic update program).

5. Install Anti-Malware Package:  Anti-malware is like the bottle of aspirin in your bathroom cabinet. It only cures about 20% of the ailments but it is cheap and has its place in everyone’s medicine chest. (Analogy courtesy of Eric Cole, PhD, SANS Institute). Install any anti-malware (anti-virus) software. None of them catch more than 20-30% of the malicious software (malware). Roughly 6000 new variants of existing malware are introduced daily that can bypass any of the current products, which simply cannot keep up with that volume of changes. Each computer should have ONE of the anti-malware packages. The differences between the paid and free ones are minimal and become a matter of personal choice. Microsoft Security Essentials provides free anti-malware for any Windows system and Avast is another free product. Many large Internet Service Providers (ISPs) will give you free versions of McAfee or Symantec or other commercial products. Check what your ISP offers for free before buying something. If you decide to go with a commercial product, compare upgrade prices on Renewal Buddy as suggested in this article by Brian Krebs: http://krebsonsecurity.com/2011/03/renewal-buddy-comparison-shopping-for-anti-virus-software/

6. Take Passwords Seriously: Until there is a better way to authenticate to a computer or system, manage accounts containing personal and financial information very seriously and teach children, parents, grandparents, grandchildren to do the same.  Practice having children say NO! to anyone but a parent, who asks for their password(s):

  • Evaluate (free) KeePass or some other program that uses “AES 256 bit encryption”  to record and secure account ID’s and passwords.  Beware of password storage programs in “The Cloud” as one has already been breached.
  • Even most technical IT and IT security people do not know the following: the longer the password, the harder it is to crack (reveal). You want the bad guys to give up on yours and go with the easier to crack passwords. Length is the best defense because there are tables with all keyboard combinations of passwords possible up to 14 characters! All crooks have to do is compare your password hash with a table and break it in seconds or minutes. Upper/lower case, numbers, random letters/numbers really don’t matter much and make it harder to remember the password. LENGTH IS THE BEST SECURITY! Whenever permitted, use 15 or more characters, since the most common password crackers simply toss anything more than 14 characters out and don’t even bother trying to crack them. Make up easy to remember phrases: e.g. put together a color, an adjective, a noun and a number to make an easy to remember password, such as 9Yellow.slimey,slugs (20 characters), or use a line of a favorite song or poem. Click here for more on passwords.
  • Use different passwords for each financial account, for personal email, for medical accounts and other sensitive information.  Use a naming scheme that makes sense to you.  Remember to record changes in a password program (that uses AES 256 encryption).  On June 6, 2011,  an FBI affiliate organization (an Infragard chapter) had their servers compromised and one person who used the same password for that server and for his bank account had money removed from his bank account as a result.  It is VERY important to use separate and dissimilar passwords for each financial account and for email accounts.  Most smartphones have free encrypted  “password vault” software so your passwords can be at hand, plus be secure.  This can’t be emphasized enough.
  • Compromised?  If you even think your password has been exposed, it can’t hurt to CHANGE IT.

7. Use a DNS filter:  DNS filters prevent anyone using that computer from browsing to the malicious websites that the filter knows about. Again, it won’t catch all of them since thousands spring up daily, but it is another tool, another layer to make surfing a little safer. OpenDNS is a free DNS filter for home or small business computers.

  • NetCraft provides a list of compromised websites:  http://netcraft.com
  • For more advanced users use a free proxy to filter websites
  • Phishtank is another free-registration resource for checking phishing websites: http://phishtank.com

8.  Host based firewall:  There are free host based (meaning installed on a personal computer) firewall programs that monitor what communication takes place on a computer. Microsoft provides a built in firewall that monitors what goes IN to the computer, but does not monitor what is sent OUT to other computers/Internet. Commercial “Internet Suites” often include anti-malware, host based firewall (in/outbound) and email checking bundled into one package. They can be tedious and confusing to configure. No commercial product is recommended over others (personal preference becomes a matter of “religion”). Some packages include built in sandboxes, ad blockers or other features. Check Renewal Buddy (above) for comparison shopping.

9.  Malwarebytes: If you think you are infected, this site has a free version that is reported to remove malware that the commercial products do not: http://malwarebytes.org  Using it is NOT a guarantee that whatever malware is installed on a computer will be removed, just that it is good at removing the malware it knows about.

10.  Use a Sandbox: A sandbox is a program (application) that isolates any program (but especially email or a browser) in a separate memory area so that malware installed on the program in the sandbox can’t touch the main computer configuration.  A sandbox is the number one way to protect against the increasing threat of email and browser exploits, but it requires a couple of hours to install and use.  For that reason it’s put as the 10th suggestion, though it is the #1 way to protect your computer.  For example running a browser in a sandbox will “trap” any malicious downloads in the sandbox so it doesn’t affect the rest of the computer.  Then that “sandbox” can be deleted when the session closes.  Do an internet search on “computer sandbox application isolation” to find free sandbox software. “Sandboxie” is just one option, presented here as a convenience and not as a recommendation http://www.sandboxie.com/.  Here is a summary describing using sandbox programs for safer surfing:

To Prevent Identity Theft:

  • Opt out from credit and insurance offers (5 years or permanently)
  • Opt out of direct mail marketing
  • Opt out of telemarketing (Do Not Call List) (Hint: if you have elderly parents or relatives, do this for them)
  • Check your homeowners insurance for Identity Theft coverage (many include it automatically)
  • Free Annual Credit reports (one from each of 3 credit bureaus): All 3 at once (note you have 30 minutes to print the report for free from the time it is generated) are available from this site, or go to each individual company and request their one report. (HINT: To check throughout the year, go to the individual company and only run the report from that company, in 4 months go to another and get that one, etc. Note each may have slightly different information.)  https://www.annualcreditreport.com/cra/index.jsp

Humorous Summary

32 Responses to IX. Actions

  1. govworker says:

    “Plan” is the most useful section. Great resources!

  2. W says:

    one of the things I do is use the local HOST file to block unwanted or known bad sites, there are many places on the net to get “black lists” or preconfigured host files and instructions for installing them

    • Lydia says:

      Yes, that’s one way to do it.

      ClearCloudDNS is a free one click (set it and forget it!) resource that will do it for grandma’s computer automatically without you having to go over to her house on a regular basis to do it for her.

      • hacker says:

        but remember: “NOTHING ON THE INTERNET IS FREE. ” ( it says so up there ^^^^^^^ )

        They’re tracking every DNS lookup you make….don’t you think that might be valuable to someone? (read: Marketers)

  3. GTM says:

    This is the best free back/recover software that I could find for home use:
    http://www.todo-backup.com/products/home/free-backup-software.htm
    After the Norton home-use product failed me, and the posts on the web confirmed that, I went to something I could rely on….

  4. EP says:

    I never heard of sandbox methodology until now. What a great recommendation. I will definitely follow up on this piece of info.

  5. ava shaw says:

    Never heard of using a Sandbox for your personal PC. When I get home, I’m setting it up.

  6. xyzzy says:

    one of the biggest risks is using the same, or similar, passwords for all online accounts (banks, credit cards, facebook, amazon, etc.) one gets hacked, and now your favorite userID/password is known and can be tried on other sites.

    I recommend LastPass both for login/password storage as well as generating secure and DIFFERENT passwords for each site. (this site mentions LastPass being breached, but that’s not true; it was probed, but nothing was compromised.) there are a number of other tools as well, like KeePass, as mentioned here.

    and while making up weird phrases and replacing letters with numbers or symbols is good, passwords that are just random collections of letters, numbers, and symbols are best.

  7. Chris says:

    The Clearcloud product looked promising but it appears that it’s going away without a clear replacement. The one that is suggested is also an anti-virus product, which I don’t want. Is there a known alternative that provides the same URL verification without the overhead of a new anti-virus product?

    • Lydia says:

      Thanks for mentioning it — there are others, but ClearCloud was one click configuration. Sign up for updates to the page and you’ll get notified when there is a replacement posted here.

  8. Lizzy says:

    Useful information on Sandbox and Clear Cloud DNS.

  9. The Eye says:

    Excellent info about malware–appreciate it.

  10. 87251 says:

    A sandbox at home… I like it!

  11. Ein2card says:

    I agree with “govworker” in that the plan section is the most useful of all the sections. The link “summary describing using sandbox programs for safer surfing:” is a great article describing the sandboxing process.

  12. protectmydata says:

    Great resources available here!

  13. leewelch32 says:

    NOTHING ON THE INTERNET IS FREE. NOTHING.

    all I could think of is “There is no such thing as a free lunch”

    good point, good section, still not as scary as convergence section

  14. Sydney says:

    I took the phishing quiz….I did pretty well, however, the phishing sites look almost identical to the real deal.

  15. Pam Perret says:

    I can’t believe people still fall for some of those emails.

  16. Longshot9 says:

    I like the Sandbox idea, but that’s a bit more complicated than the article implies. I’m not sure I could set one up cold without impacting the RAM.

  17. jk says:

    Although the site’s TED videos were interesting, this section seemed to have the best security-related ‘news you can use.’

  18. B P says:

    Regarding the .ly extensions, if you’re given the option from the site itself to make a short-link, it’s a little out of your control most times from what or where the abbreviation is grabbed. One of the short-links on here which seems to be a youtube link is .be (which is Belgium) … so does that mean we trust them more or do they get the benefit of the doubt because we’re not attacking them?

  19. DEG says:

    Great information, sandbox at home. Just put it on my list of things to do when I get home.

  20. Tim says:

    Good information that everyone needs to know about at work and home.

  21. concerned says:

    There is no doubt planning is key when it comes to security. BUT failure can easily come about if the plans aren’t updated and used.

  22. AID says:

    Very good information about the top ten actions of ‘How to protect computers’.

  23. Guest says:

    This section was great, never heard of the sandbox.

  24. Kevin says:

    Good section. I did not know about setting up a sandbox. I will try this on my personal computer.

  25. J R says:

    The Plan section was the most useful and thought provoking. Good information and reference material.

  26. JRB says:

    My mother would like to read this material.

    • Freddie says:

      I know many people who use the same password for all logins. Didn’t realise until now what a bad idea that is. 15 characters is a lot but better safe than sorry.

  27. Corbyn says:

    The key to any successful mission is to have a plan, a backup plan, and a backup plan to the backup plan!
