Making your personal computer safe
Security Adviser Roger A. Grimes
July 11, 2008
I frequently give talks on the state of today's malware. In a nutshell, it is highly sophisticated, criminally motivated, and out to steal your money. Despite the nearly universal use of anti-malware programs, tens of millions (if not hundreds of millions) of home PCs are compromised by one of these crimeware programs. Most home users are oblivious to their home PC's exploited state. Some consultants think it is simply an end-user training problem, that only inexperienced home computer users are at greatest risk. But I beg to differ. The average IT worker, even the average IT computer security worker, really has no idea whether their home PC is compromised or not. It's a problem for "experts" as well.
If you're not sure whether or not your home PC is compromised, should you be checking your bank balance online, buying movie tickets, or conducting other e-commerce transactions? Not really. So, what's a home user supposed to do?
First, if you're not sure whether your home computer is compromised, assume it is and start over. Back up your data, format the drive, and reinstall the operating system and needed programs. I know this is a huge pain, but without this step you can't be assured that your system is clean to begin with. Make sure to back up your Internet browser's favorites, personal photos, documents, and so forth. A trick I like to use is to search for all files that have changed in the last few months. You'll find hundreds to thousands of changed files, most of which you don't need to back up, but I usually find at least a few that I would have otherwise missed.
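The "changed in the last few months" search described above, as an added example (not part of the original article). The 90-day window and the list of skipped, reinstallable directories are assumptions to adjust for your own machine.

```python
import os
import stat
import sys
import time
from collections import Counter

# Assumption: these directories come back with a reinstall, so they are not backup candidates.
SKIP_DIRS = {"windows", "program files", "program files (x86)",
             "$recycle.bin", "system volume information"}

def recently_changed(root, days=90, now=None, skip_dirs=SKIP_DIRS):
    """Return (path, mtime) for regular files under root modified in the last `days` days, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):  # unreadable directories are skipped silently
        # Prune in place so os.walk never descends into skipped directories.
        dirnames[:] = [d for d in dirnames if d.lower() not in skip_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # locked, vanished or unreadable file
            if stat.S_ISREG(st.st_mode) and st.st_mtime >= cutoff:
                hits.append((path, st.st_mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def summarize_by_extension(hits):
    """Count hits per lower-cased extension so a list of thousands can be triaged by file type."""
    return Counter(os.path.splitext(p)[1].lower() or "(none)" for p, _ in hits)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    hits = recently_changed(root)
    for ext, count in summarize_by_extension(hits).most_common(15):
        print(f"{count:6d}  {ext}")
    for path, mtime in hits[:50]:
        print(time.strftime("%Y-%m-%d", time.localtime(mtime)), path)
```

Run it against your profile directory or a whole drive; the per-extension counts show which file types dominate the list, and the dated listing shows what to copy off before formatting.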
Make a list of all needed applications so you can reinstall them. In Windows, reviewing Add/Remove Programs under Control Panel is a place to start, but then also search your menu structure and hard drive directories to make sure you get everything. Make a list of all used and needed passwords. It's terrible to find out that you have forgotten some password used long ago because you told your software to use it automatically, and now you can't re-enter it when needed.
Smart people have all their computer's drivers (network card, video, printer, and such) saved on external media before they begin the restoration process so that they aren't hunting for critical drivers after the install begins. It's hard to download needed drivers when your network card is not functioning.
Install and/or configure your PC's host-based firewall to prevent unauthorized remote connections, if this is not already done by default (it is in Windows XP SP2 and later versions of Windows). Check the setting on an OEM computer, because the manufacturer may have disabled or substituted the built-in Windows Firewall.
After reinstalling the operating system, run the vendor's auto-update process and install all needed patches and updates. Then reinstall your applications and do the same. This step is critical.
Make sure all your applications, even your browser add-ons (Flash, Adobe Acrobat, QuickTime, and others), are installed and updated. Turn on the OS's and applications' auto-update features so that they stay updated.
Make sure any supplied passwords are not simple to guess. They should be at least 10 characters long, and you can add "complex" characters if you like. Your PC passwords should not be the same as any password you use on the Web. Make sure your administrator or root password is the strongest of all your passwords.
Create a non-admin user account to use for your daily business, and only use your admin account when needed. If you share your PC with your children, don't give them an admin account or password. If you must give your children an admin account ... give up, your PC will never be uninfected. Really, spend $400 and buy them their own PC. With few small exceptions, kids are way too eager to install everything they can, and a lot of the stuff they install is malware in disguise. If your kid doesn't ever get you infected, make sure you put them on the MIS path in college. They'll go far.
Install anti-malware software (anti-virus, anti-spam, anti-phishing). Anti-malware is far from perfect, but life without it is even worse. Which one should you choose? Personally, I say use any from the top 10 vendors. There are good products outside the top 10, but I don't know much about them, and a really good product would eventually move itself to the top 10.
Finally, back up your data on a regular basis and store it somewhere, password-protected or encrypted, outside your home. That way if something happens to your PC and home, your data is safe.
As laborious as this is, you'll usually find a much faster PC, and you know it is clean and uninfected. When you think about it, should you be computing any other way?
Posted by Roger Grimes on July 11, 2008 03:00 AM