Being rugged means learning from others’ mistakes, being prepared, thinking through the possible risk scenarios, and having a plan to help recover when something adverse happens. BUT an ounce of prevention is worth a pound of cure.
According to research done by the IT Process Institute, planning, strictly adhering to, and enforcing a well-designed change management program is the number one characteristic of all high-performing IT shops (out of 800 examined). The research is documented in the three Visible Ops Handbooks on their website.
In a work situation you may have Information Technology (IT) staff whose job it is to protect work computers, in which case many of these suggestions cannot be carried out at work by individuals. However, those who work remotely and connect to work from equipment not issued by their employer have an added responsibility to protect that (home) computer. It can take hours to completely wipe a hard drive and boot sectors to be sure to eliminate rootkits and other “hidden” malware. That can be expensive if you take it to commercial IT shops. (If you don’t want to take these free steps, it may be worth evaluating whether it is cheaper to buy a new computer instead of paying money to “clean”, reinstall, patch and update an older computer.)
- Talk to your children/grandchildren. Short frequently repeated statements are more effective than long lectures. Here’s how: http://www.onguardonline.gov/flash/video-player_400x335.swf
- Establish a backup/recovery plan/process for important files
- Buy a fireproof safe or use a bank safe deposit box
- Have a plan (preferably written – not stored on your computer) for various scenarios (keep one in a locked drawer at work). Store your plan on multiple types of media (paper, USB drive, CD/DVD, portable hard disk).
- Do an actual preparedness exercise to make sure everyone knows what to do. A written plan that everyone has a copy of is good, but if it’s not used and tested weaknesses won’t become apparent until too late.
- Share the Effort! Organize a Cyber Rugged “Pre-Planning Emergency” Party with family or friends.
- Subscribe to Alert Systems: FEMA and the FCC are launching citizen alert systems in cities through cell phones in the next year (April 2012) called the Personal Local Alerting Network (PLAN). Most major cell phone carriers will be participating.
To protect computers, these are the top 10 actions each individual should take to protect home and small business Windows computers. This information is directed mainly at Windows, but there are increasing problems with Mac, Linux and smartphone devices:
1. Email & Phishing - 2. Updates & Browsers - 3. Configure - 4. Patch - 5. AntiMalware - 6. Passwords - 7. DNS Filter - 8. Host Firewall - 9. Malwarebytes - 10. Sandbox
1. Be Suspicious of ALL Email: If you don’t want, or think you’ll forget, to do the following simple steps, then use a “sandbox” (see #10) to run email in. This can’t be emphasized enough. All the protection in the world is less effective than prevention. The most prevalent way of compromising computers is through email. It is safest to:
- delete email advertisements, and those from people you do not know, without reading them,
- run anti-malware to check attachments in email before saving or opening them.
- People you know can unintentionally pass on malicious files and links. Their email can be compromised and send malicious links to those in their address book. Do not click on links in email, even seemingly from people you know, without:
- verifying what the link is (right click on the link and check properties to see if the link in properties agrees with what is shown)
- Do not click on shortened URLs e.g. from “bit.ly” (LY is in Libya!) and others. You should always check the URL to see that it looks right (do the PhishNoPhish game).
- use a URL checker to check to see if it’s a legitimate site (newer browsers check this for you–good reason to upgrade to IE9 or Firefox with No-Script)
- do not forward chain letters, jokes, warnings etc. Check all warnings about scams, letters and pleas for help at http://snopes.com and/or http://hoax-slayer.com
- NOTHING ON THE INTERNET IS FREE. NOTHING. The cost for anything “free” is information about you, your family, your money, other personal information, a sales ploy, or loss leader to entice you to upgrade to a paid service. CULTIVATE INTELLIGENT SUSPICION. Hear, Honor, Trust and ACT on the little warning voice in your head.
- Phishing: Phishing Public Service Announcement: Don’t click on links in email or text messages! Phishing is a crook’s attempt to make someone reveal sensitive information. The crook sends a web link via email or text message which the victim clicks, taking him or her to a “phishing” web page. There is a current spate of email exploits that seem to come from people you know. The subject may be something like “Hey” or “Hey First.Lastname” and the content is a few words and/or just a very short link. Check with the person the email seems to have come from to see if they really sent it to you, because their email address may have been hijacked! Even if they did send it to you, they could unknowingly be forwarding a link to a malicious website. Also, a web page may look authentic (e.g. from a financial institution or store) but in reality be a clever fake that records information like account name and password. Take the Phishing test to see if you can tell the difference between a real website and a phishing site. Clicking on links in email or text messages is the quickest way to get to a phishing website, and not clicking is the simplest way to avoid them.
- Drive-by-Downloads: Business Week Article on Drive-bys. This article doesn’t use the term “drive-by” but describes exactly what they are. A drive-by is when malware automatically downloads onto your computer, without your knowledge, as you visit a website. The malware might be attached to a video just downloaded, or installed while in chat or while shopping.
Remember the national Cyber awareness slogan: Stop. Think. Connect.
2. Set it and Forget it! Windows Update: Set Windows Update to automatically pull the newest patches from Microsoft. Microsoft always issues patches and updates on the 2nd Tuesday of each month, and more frequently if it is very urgent. Set Windows Update on home computers for automatic updates and installs, and the Windows operating system, Microsoft Office and Internet Explorer (IE) will all be updated automatically.
If willing to configure and update it regularly, it may also be a good idea to use an alternative Internet browser such as Firefox with AdBlockPlus and No Script, or WebKit-based Safari or Chrome, which support real ad blocking (preventing pop-up ads from being fetched), something the Microsoft IE architecture does not. If not diligent in doing regular updates, it may be safer to stay with IE (be sure to upgrade to IE9). There is no right answer; it is up to each individual and their circumstances at home.
If you are willing to put in the time at home, you may want to use a browser alternative like Firefox with the No-Script plugin (so it doesn’t run Java and other scripts automatically).
3. Harden the Operating System: In businesses, large or small, use security benchmarks or Security Technical Implementation Guides (STIG) for turning off configurations that could compromise the computer. For smaller businesses or home use, run the Microsoft Baseline Security Analyzer (MBSA) and follow the configuration instructions on each computer in the business.
The following applications are suggestions only. Any products mentioned are used under the responsibility of the individual and not the responsibility of this site.
Also, use alternatives to the most commonly exploited browser add-ons like Adobe Reader (use Foxit PDF Reader http://www.foxitsoftware.com/products/reader/, or Nitro PDF Reader http://www.nitroreader.com/download/, both of which have an automatic update program).
5. Install Anti-Malware Package: Anti-malware is like the bottle of aspirin in your bathroom cabinet. It only cures about 20% of the ailments but it is cheap and has its place in everyone’s medicine chest. (Analogy courtesy of Eric Cole, PhD, SANS Institute). Install any anti-malware (anti-virus) software. None of them catch more than 20-30% of the malicious software (malware). There are roughly 6000 new variants of existing malware introduced daily that can bypass any of the current products, which simply cannot keep up with that volume of changes. Each computer should have ONE of the anti-malware packages. The differences between the paid and free ones are minimal and become a matter of personal choice. Microsoft Security Essentials provides free anti-malware for any Windows system and Avast is another free product. Many large Internet Service Providers (ISPs) will give you free versions of McAfee or Symantec or other commercial products. Check what your ISP offers for free before buying something. If you decide to go with a commercial product, compare upgrade prices on Renewal Buddy as suggested in this article by Brian Krebs: http://krebsonsecurity.com/2011/03/renewal-buddy-comparison-shopping-for-anti-virus-software/
6. Take Passwords Seriously: Until there is a better way to authenticate to a computer or system, manage accounts containing personal and financial information very seriously and teach children, parents, grandparents and grandchildren to do the same. Practice having children say NO! to anyone but a parent who asks for their password(s):
- Evaluate (free) KeePass or some other program that uses “AES 256 bit encryption” to record and secure account IDs and passwords. Beware of password storage programs in “The Cloud” as one has already been breached.
- Even most technical IT and IT security people do not know the following: the longer the password, the harder it is to crack (reveal). You want the bad guys to give up on yours and go with the easier to crack passwords. Length is the best defense because there are tables with all keyboard combinations of passwords possible up to 14 characters! All crooks have to do is compare your password hash with a table and break it in seconds or minutes. Upper/lower case, numbers, random letters/numbers really don’t matter much and make it harder to remember the password. LENGTH IS THE BEST SECURITY! Whenever permitted, use 15 or more characters, since the most common password crackers simply toss anything more than 14 characters out and don’t even bother trying to crack them. Make up easy to remember phrases, e.g. put together a color, an adjective, a noun and a number to make an easy to remember password such as 9Yellow.slimey,slugs (20 characters), or use a line of a favorite song or poem.
- Use different passwords for each financial account, for personal email, for medical accounts and other sensitive information. Use a naming scheme that makes sense to you. Remember to record changes in a password program (that uses AES 256 encryption). On June 6, 2011, an FBI affiliate organization (an Infragard chapter) had their servers compromised and one person who used the same password for that server and for his bank account had money removed from his bank account as a result. It is VERY important to use separate and dissimilar passwords for each financial account and for email accounts. Most smartphones have free encrypted “password vault” software so your passwords can be at hand, plus be secure. This can’t be emphasized enough.
- Compromised? If you even think your password has been exposed, it can’t hurt to CHANGE IT.
7. Use a DNS filter: DNS filters prevent anyone using that computer from browsing to the malicious websites that the filter knows about. Again, it won’t catch all of them since thousands spring up daily, but it is another tool, another layer to make surfing a little safer. OpenDNS is a free DNS filter for home or small business computers.
- NetCraft provides a list of compromised websites: http://netcraft.com
- For more advanced users use a free proxy to filter websites
- Phishtank is another free-registration resource for checking phishing websites: http://phishtank.com
8. Host based firewall: There are free host based (meaning installed on a personal computer) firewall programs that monitor what communication takes place on a computer. Microsoft provides a built-in firewall that monitors what goes IN to the computer, but does not monitor what is sent OUT to other computers/Internet. Commercial “Internet Suites” often include anti-malware, a host based firewall (in/outbound) and email checking bundled into one package. They can be tedious and confusing to configure. No commercial product is recommended over others (personal preference becomes a matter of “religion”). Some packages include built-in sandboxes, ad blockers or other features. Check Renewal Buddy (above) for comparison shopping.
9. Malwarebytes: If you think you are infected, this site has a free version that is reported to remove malware that the commercial products do not: http://malwarebytes.org. Using it is NOT a guarantee that whatever malware is installed on a computer will be removed, just that it is good at removing the malware it knows about.
10. Use a Sandbox: A sandbox is a program (application) that isolates any program (but especially email or a browser) in a separate memory area so that malware installed on the program in the sandbox can’t touch the main computer configuration. A sandbox is the number one way to protect against the increasing threat of email and browser exploits, but it requires a couple of hours to install and use. For that reason it’s put as the 10th suggestion, though it is the #1 way to protect your computer. For example running a browser in a sandbox will “trap” any malicious downloads in the sandbox so it doesn’t affect the rest of the computer. Then that “sandbox” can be deleted when the session closes. Do an internet search on “computer sandbox application isolation” to find free sandbox software. “Sandboxie” is just one option, presented here as a convenience and not as a recommendation http://www.sandboxie.com/. Here is a summary describing using sandbox programs for safer surfing:
To Prevent Identity Theft:
- Opt out from credit and insurance offers (5 years or permanently)
- Opt out of direct mail marketing
- Opt out of telemarketing (Do Not Call List) (Hint: if you have elderly parents or relatives, do this for them)
- Check your homeowners insurance for Identity Theft coverage (many include it automatically)
- Free Annual Credit reports (one from each of 3 credit bureaus): All 3 at once (note you have 30 minutes to print the report for free from the time it is generated) are available from this site or go to each individual company and request their one report. (HINT: To check throughout the year, go to the individual company and only run the report from that company, in 4 months go to another and get that one etc. Note each may have slightly different information.) https://www.annualcreditreport.com/cra/index.jsp