Computer Security, Defense-in-Depth

The most popular forum in our message boards is Virus, Spyware and Trojan Removal. After we’ve helped someone remove one or more infections from their system, the most popular question is, “How can I keep it from happening again?”

One of our experts has authored a post, Preventing Malware and Safe Computing. It’s a wealth of knowledge, and people are often referred to it.

Today, I came across Diane Wilson’s comment at Ed Bott’s blog. I like it. Concise, no-nonsense advice. I agree with almost everything. It mostly mirrors my philosophy and current configuration:

1. Stay behind a router. NAS is a great filter for many attacks.
2. Use a firewall. Windows firewall works well enough.
3. Keep your OS up to date, not just in updates, but in versions. I’m already running Win 7 RC as my primary system at home, and I’ll be on Win 7 for good as soon as it goes RTM. Remember (or learn) that security must be pro-active, and that Vista and Win7 took huge steps in this direction. Address space randomization. Array and string range-checking to limit buffer overruns. And more.
4. UAC. Live with it. It’s your friend.
5. 64-bit. Required driver signing is your friend.
6. IE protected mode.
7. Data Execution Protection, turned on for everything. No exceptions.
8. Windows Defender.
9. Oh, one more thing. Anti-virus software.

I think the first suggestion contains a typo. It refers to a NAS, or Network Attached Storage. While these devices have become inexpensive and easy to configure, they offer limited security protection. However, they can help protect your data. Most likely she meant NAT, or Network Address Translation. NAT hides your system’s IP address behind another IP (the router’s). Another advantage to a wireless router is that almost all of them now contain a hardware firewall.

Next is the firewall. While the default Windows firewall only offers inbound, not outbound, protection, it’s silent. It won’t confuse users with options and popups the way other firewalls can. Simple and effective.

Suggestions 3 through 7 involve the operating system and its settings. What’s the most secure Windows operating system? Currently, it’s 64-bit Vista, with all updates, User Account Control (UAC) enabled, and Internet Explorer 8 running in Protected Mode (Vista’s default settings). Data Execution Protection is a feature of the CPU that is enabled by the 64-bit OS.
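To confirm that a machine actually matches the firewall, UAC, 64-bit and DEP items on the list, the settings can be read back directly. The script below is an added example, not part of the original post or the quoted comment; it assumes Windows Vista or later with PowerShell 3.0 or newer, only reads settings, and the helper name `Get-RegValue` is made up for this illustration.

```powershell
# Added example: read-only audit of the firewall, UAC, 64-bit and DEP items.
# Assumes Windows Vista or later and PowerShell 3.0+ (Get-CimInstance, [pscustomobject]).

function Get-RegValue($Path, $Name) {
    # Hypothetical helper: returns $null when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

$results = @()

# Item 2: Windows Firewall state per profile (local settings; Group Policy
# overrides are stored elsewhere and are not read here).
$fwRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $on = Get-RegValue "$fwRoot\$fwProfile" 'EnableFirewall'
    $results += [pscustomobject]@{ Check = "Firewall ($fwProfile)"; Value = $on; Pass = ($on -eq 1) }
}

# Item 4: UAC is on when EnableLUA is 1.
$uac = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
$results += [pscustomobject]@{ Check = 'UAC (EnableLUA)'; Value = $uac; Pass = ($uac -eq 1) }

# Item 5: 64-bit operating system.
$is64 = [Environment]::Is64BitOperatingSystem
$results += [pscustomobject]@{ Check = '64-bit OS'; Value = $is64; Pass = $is64 }

# Item 7: DEP support policy. 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
# "Turned on for everything" corresponds to AlwaysOn or OptOut; OptIn covers
# only Windows components and programs that opt in.
$dep = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
$results += [pscustomobject]@{ Check = 'DEP policy'; Value = $dep; Pass = (1, 3 -contains $dep) }

$results | Format-Table -AutoSize
```

Any row with `Pass` set to `False` is a setting that differs from the checklist and is worth a closer look before relying on the rest of the layers.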

What would I change? Windows Defender is included with Vista, and doesn’t do any harm. However, it’s also not particularly effective. It is a good idea to run an application that catches what your anti-virus might miss. My recommendation is MalwareBytes AntiMalware.

The comment quoted was in response to an article on Microsoft’s new free anti-virus product, Microsoft Security Essentials. It shows great promise, but is currently in beta, and they aren’t accepting additional participants at this time. My current recommendation for free antivirus is Avira AntiVir. If you can live with the popup windows every day as it updates, it offers a great definition database, clean interface, and is light on system resources. Avast and AVG also offer quality, free antivirus options.

What would I add? Secunia offers a free, one-stop update service for security patches. As Windows has become more secure, other applications are targeted. Recent examples include Adobe Acrobat, Java, and Flash. OpenDNS offers free protection against known phishing and malware sites, as well as web filtering options that can block content where much malware originates.

Finally, a security article wouldn’t be complete without a mention of backup. There are some nasty infections out there today. We’re seeing far too much Virut and Sality, and they’re pretty much impossible to remove. Be prepared for the worst. We previously wrote a five-part series on backup options for the home user.

  • kmonk

    blah blah blah
    and i thought this was a good website, from some of the intellectuals hanging out in the forums.

    linux you nubs, bsd even. forget windows if you want to be secure. but i guess you'll just call me troll or whatever but listen, at any rate you may want to rename your header to "Computer Security, Defense-in-Depth FOR WINDOWS" before spouting off your commercially driven nonsensical carry on about microsoft and their bloodsucking antimalware companies!!

    keep fighting and support the industry that OWNS YOU.

  • kmonk

    one more thing. all this crap is going to accomplish will be a system that is bloated, requires 100x as much power and 100x as much computer resources and therefore 1000x as much money to run, and at the end of it all, your computer will be difficult to use, slow, spying on you via software that is meant to protect you, preventing the duplication of multimedia such as music and movies via Digital Rights Management, even if it's for legitimate purposes,

    locking you out of your own computer, locking the multitude of software companies rights over yours in the use of your computer and rendering most computers in use today instantly unusable. forcing people to upgrade because they think computers get slower over time. WRONG. software doesn't degrade or fail unless it's designed to.

    If you happen to have a powerful enough computer to run all this crap, then at best it will be unreliable and flaky, and at the end of it all, your pc will still be unsecure,

    why? because windows has been crippled from the start, there's even a patent to microsoft for crippling their operating system. there is no symptomatic solution here you have to get rid of the cause.

    Yes I know my stuff and i've done all this stuff before and the only reason i'm letting you know this is because whoever you are, i think that you are worth more than this....

    check this out. http://www.distrowatch.com

    every one of these systems is more secure than windows, and enhance your life. and these systems run on every computer, from the ancient old school ones to the extreme systems that run the very internet itself. what's more is that they are all FREE. Burn ISO to CD and know freedom.

  • kmonk, you certainly seem to have some issues and I don't think your comments help the linux cause much - and yes I have experience with multiple distros and I'm not really a fan of any of them. Ubuntu was the very first I ever tried some years ago now, and it's about the nicest of them all. But onto this reply to your comments - my Vista system does none of what you say it does. It doesn't cost 1000x as much money to run (1000x as much as what?), my computer is not slow nor difficult to use, it does not spy on me, it does not prevent duplication of media for my legal use (backups), I have never been locked out of my computer (because I never forget my passwords, not sure what your point was there), my system is 100% stable and not flaky, and I guarantee you my system is secure! I installed Vista from the original disc about 2 years ago and my computer is still instant and running like a charm.

  • i really try not to jump in on the "dood linux roxors" comments...but you do know that linux is more secure because there aren't people writing viruses targeting linux...not because it's written any better than windows.

    linux has no inherent security advantage over windows EXCEPT for the fact that no one writes linux viruses. the day it becomes profitable to write malware/viruses that target linux and apple (which, for apple, this is going to be soon) you will see a MASSIVE amount of infections on these machines, and these infections will be virtually unstoppable for QUITE some time because there is NO software out there to stop it...apple will probably be able to recover fast because they've got cash....linux (any distro) will be stranded on their own waiting for the user community to come up with something...which is effective, but pretty slow.

    so before you start spouting garbage about one system being more secure than the other...check your facts...saying linux is more secure (by default) than windows because it doesn't get viruses is the same as saying Israel gets bombed more by Palestinians than the USA does because Israel is less secure....that's not the case...it's because they are being specifically targeted
