Introduction to Security

Security is a process of challenge and response: blackhat hackers create new exploits, and the rest of us have the choice of becoming either responders or victims. Security is thus a knowledge-driven dynamic process: there is no "magic bullet;" there is no software that can provide users with assured, ongoing protection; there is no absolute safety in a networked environment; and there are no <just click here> fixes that are worth a damn.

The best security depends on user knowledge. Period. And the best you can achieve is to be less vulnerable than average. Fortunately, that is usually good enough.

Beginners should start by reading Bruce Schneier's cogent summary, “Safe Personal Computing,” in the May 15, 2001 issue of Crypto-Gram,† then “Secure Online Behavior” (Part One: Developing Good Security Habits, Part Two: Secure E-Mail Behavior, and Part Three: Using the World Wide Web) by Dr. Sunil Hazari.(†) The more knowledgeable will find a number of familiar, standard references listed below: it is my hope that this information will allow those unfamiliar with the concepts and practices of network security to find information at a relevant level of technical detail and proceed from there.
 

Structuring Your Security
The three most important basic concepts are: 

  1. Layered security: an overlapping series of defenses, each with a differing focus. For example, your anti-virus program will probably pick up the most common trojan-horse malware but might not detect sophisticated variants or trojans with unusual configurations: you would expect more specialized anti-trojan software to handle this type of threat. But even the best anti-trojan program might not detect a trojan that exploits a brand-new system vulnerability; however, you would expect your firewall to detect its attempt to establish an outgoing connection, and you would also expect your IDS (Intrusion Detection System) to alert you to changes in critical system configuration settings and files.

  2. Monitored security: security software is not a magick ward: it requires user attention — someone who is "minding the store." For example, if your firewall detects and blocks a malicious attempt to connect to your computer, well and good; but you will not even know this has occurred unless you read the log files, and the blackhats – having failed once – are free to try again. Maybe this time they'll succeed.

  3. Knowledge-driven security: someone needs to configure the security software for your particular computing environment in order to respond to the most probable threats you will encounter; and, as above, someone has to be minding the store. For homes and small businesses, that someone is you.
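As an added illustration of the "minding the store" point (example code written for this page, not from the original article or any firewall vendor): a small Python monitor that reads firewall log lines in a constructed, syslog-like format, flags outside addresses whose blocked inbound attempts recur, and lists blocked outgoing connections, the symptom of a trojan trying to phone home.

```python
import re
from collections import defaultdict

# Constructed sample log in a made-up firewall format (not any real product's output).
SAMPLE_LOG = """\
2009-03-02 21:14:05 BLOCK IN TCP 203.0.113.7:4412 -> 192.168.1.10:135
2009-03-02 21:14:09 BLOCK IN TCP 203.0.113.7:4413 -> 192.168.1.10:445
2009-03-02 21:15:31 ALLOW OUT TCP 192.168.1.10:1044 -> 198.51.100.20:80
2009-03-02 21:16:02 BLOCK IN UDP 198.51.100.99:53 -> 192.168.1.10:1027
2009-03-02 21:17:40 BLOCK IN TCP 203.0.113.7:4420 -> 192.168.1.10:139
2009-03-02 21:18:12 BLOCK OUT TCP 192.168.1.10:1055 -> 203.0.113.200:6667
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse lines into dicts; malformed lines are collected, not crashed on."""
    events, bad = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
        elif line.strip():
            bad.append(line)
    return events, bad

def repeat_inbound_sources(events, threshold=2):
    """Outside addresses blocked inbound at least `threshold` times: the 'they will try again' case."""
    hits = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK" and e["dir"] == "IN":
            hits[e["src"]].append(int(e["dport"]))
    return {src: sorted(set(ports)) for src, ports in hits.items() if len(ports) >= threshold}

def blocked_outbound(events):
    """Blocked outgoing connections: what a firewall shows when a trojan tries to call out."""
    return [(e["src"], e["dst"], int(e["dport"]))
            for e in events if e["action"] == "BLOCK" and e["dir"] == "OUT"]

if __name__ == "__main__":
    ev, bad = parse_log(SAMPLE_LOG)
    for src, ports in repeat_inbound_sources(ev).items():
        print(f"repeat inbound source {src}: probed ports {ports}")
    for src, dst, port in blocked_outbound(ev):
        print(f"blocked outbound from {src} to {dst}:{port}")
```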
     

Pragmatic Paranoia
How much security you need depends on who you are. If you are an elderly grandmother at home on a dial-up connection who wants to keep in touch with the kids by email, you face few threats: an anti-virus program and a bit of practical advice (like ‘don't preview mail’ and ‘don't open attachments without scanning them first’) should suffice. But, even here, you must learn how to disable the preview pane in your mail program and how to scan an attachment.

The same grandmother using a high-speed cable connection (or whose grandkids may have poor security habits) should have a firewall; and, if the kiddies are sharing files on P2P networks or chatting on ICQ, she might want to consider a basic anti-trojan program as well.

If you are running a business, you have both company and customer information to protect:[1, 2] someone needs to install the appropriate security software and keep it up-to-date; someone must be responsible for making sure the latest security patches have been applied to the operating system and to all network-capable software running on company machines; and someone must be actively monitoring the network and reading the logs. You should also have a written backup policy, with the frequency and depth of the backups depending on the size of your business and the type and value of the assets you need to protect.

Two useful references for small businesses are
  • Internet Cryptography by Richard E. Smith (Addison-Wesley, 1997; ISBN 978-0-201-92480-0), which is focussed on business security objectives, concepts and strategies for “people who know very little about cryptography but need to make technical decisions about cryptographic security…like…analysts and managers…[; however,] readers [should] already have a general familiarity with computers, networking and the Internet.”

  • Backup & Recovery by W. Curtis Preston (© 2007 O'Reilly Media, Inc.; ISBN 0-596-10246-1), which covers backup and recovery techniques for Windows, Linux, Unix, and OS X with special emphasis on inexpensive [less than $100] or free (open-source) software.
both of which can be found at Powell's Books (which, unlike Amazon, does not track and profile shoppers).

And if you're managing an IT department, you must supervise the technical staff — a job you will find much easier if you have at least a basic understanding of the problems they must handle.

Your IT department is responsible for actively supervising the entire network (not just the Internet/LAN interface) both to prevent unauthorized customer access and to ensure that your employee/users adhere to necessary security procedures. In addition, you can expect both blackhat hackers and competitors to try your security: the former may try to steal saleable assets like customer credit-card records or information they can use to blackmail you; the latter may try to steal proprietary information that will enable them to compete more effectively with you — and if you're doing business internationally (which is almost a definition of online commerce) — so may government spy agencies [see (1) §2.4.1 ff.].
See also [2] for more on this topic.
 

A Few (Basic) Security Tips
If you use Windows, 

  1. Don't use Outlook or Outlook Express for your mail.

  2. Don't use Internet Explorer as your default browser.

  3. Remove or disable Windows Scripting Host.

  4. Don't depend on the built-in MS firewall [XP+]: they've botched the security on every OS they've released (to date) and there's no reason to expect that the version you're running is any better; and, unless they've completely changed both their software and corporate policy, their firewall will not block outgoing connections.

  5. Search Google for a list of security settings that apply to your version of Windows and apply them. Specifically,

    • Always use custom settings for "Security" and "Advanced" in "Internet Options." You should use stringent, high-level settings for the (default) "Internet Zone," and add sites (sparingly and with careful consideration) that require more relaxed settings to the "Trusted Sites" list.

    • Remove any names appearing in the (Trusted) "Publishers" list, and check periodically (especially after software installs) to make sure none have been added 'behind your back.'

    • Remove any information appearing in "Wallet" and (recommended) any personal information in "My Profile" as well.

  6. DON'T surf in "Administrator" mode and use a *secure* password to protect the Administrator profile (see #7 below). Create a web-surfing profile with minimal privileges: you only need Administrator privileges for system maintenance and software installs — neither of which you should be doing online.

    Parental note –
    This also applies to your kids. Specifically, children should not be allowed to register for online services or install software without parental approval. Your children are a target demographic for the advertising/profiling businesses who fund many of the trendy social websites and "cool apps." Although younger users are often more comfortable with the Internet than their elders, the all-too-common line ‘my kids know more about computers than I do’ is, quite simply, an abrogation of parental/moral responsibility: it may be true and it may soothe your conscience, but it will not  protect either your kids or your computer.

  7. Learn how to construct good passwords and deploy them [1]. NEVER select "Remember My Password" options: use Password Safe to store your passwords.

  8. Know what software is installed on your computer: if you don't need it, use the "Add/Remove Programs" applet and uninstall it. Don't install unnecessary software, and always monitor software installations.  “Less is more:” select a small number of powerful, flexible programs and learn how to use them instead of adding a separate app for every task. Whenever possible choose open-source portable executables (programs that don't require an installer).

    Programs whose source code is openly published and publicly distributed are described as "open source." Many (but by no means all) of these are freeware distributed under the GNU General Public License (GPL), which requires that the source code be supplied along with the compiled binaries as part of the download package.
    See [1], [2] and [3] for more on GNU.org open source licensing and philosophy; [4] for a listing of GNU software; and [5] for a listing of GNU Win32 software ports from SourceForge.

  9. When in doubt, use the phone book and call a few local computer service stores: ask if they specialize in security, take your machine in, and have a trained technician set up your security. Then, plan to spend time reading the 'Help' files on your new software, and be sure to ask the tech to provide you with a list of reference/links for further study.

And, for all users and all platform/versions:

  1. Remove or disable JAVA.

  2. Protect critical files: encrypt sensitive proprietary or personal information, and always make backups.

  3. Always keep your OS, networking software, and security software up-to-date.[†] Check regularly for security-related patches and updates, and pay attention to media news releases about OS/Internet security issues — if a news story mentions a new virus or security hole, get the patch or update immediately.

  4. Routinely encrypt any mail you would not publicly post.

  5. Resist the marketing pressures to use "Cloud computing:" when you move your apps and your data to the Cloud, you lose all effective control.

    Before accepting offers of no-hassle, free online services, you should keep three important points in mind —

    (1) TANSTAAFL (There Ain't No Such Thing As A Free Lunch)
    Businesses offering data storage and other nominally "free" services will make their profits by selling information about you to advertisers.
    [See the EPIC.org “Privacy and Consumer Profiling” page for a comprehensive analysis of the type of information that is being collected and how extensive the practice has become.]

    (2) You don't own your data when it's in the Cloud.
    Files on your own machine are (legally) your property, and you control access permissions. If, on the other hand, your data is in the Cloud, the server where it resides has both access and (in the U.S.) ownership  privileges — regardless of your choices.
    [What the service provider will do with your information is outlined in the website “Privacy Policy” and the “Terms of Service” (which, until a court decides otherwise, is a legally binding contract) — either or both of which may include language allowing them to be changed at any time.]

    (3) And you don't own your apps, either.
    On your own machine you decide what programs to install and how they run. But, if the services you use are located in the Cloud, you can't select what software you will use and you have no control over how it operates, either — and, as one tech remarked, “when you double-click on an application, you are turning control of your machine over to the programmer who wrote the code.”

    For more information see [1 ff.], or ask Emerald Technologies for a copy of the sh reference file “Lost in The Cloud”.
     

Online References
The following list is taken from the Dr. DB Security Reference archive found on the Emerald Technologies website.

    Files (General)
  1. The World Wide Web Security FAQ

  2. Users' Security Handbook (RFC 2504)

  3. FAQ: Firewall Forensics (What am I seeing?)

  4. Kurt Seifried's TCP and UDP Network services list and Richard Akerman's Trojan TCP/IP Ports

  5. An Introduction to Cryptography (part of the PGP documentation) [1 ff.]

  6. Blended Threats, by Peter Gutmann

  7. Sniffing (network wiretap, sniffer) FAQ

  8. Hacking Lexicon

    Files (Windows)
  9. Dangerous File Extensions

  10. Autostart Methods (see also below)

  11. Microsoft Security Patches (manual update)

    Patches for all currently supported Windows platforms are posted on the second Tuesday of each month. Patches for critical vulnerabilities are posted as soon as they are ready for release, and often apply to other MS software (such as Office and older/unsupported versions of IE/Windows).
    (1) Because an 'update' is whatever the vendor says it is, you are always better off manually updating your software: that way you can check what is in an update package and decide if you need it or not (but see below).
    (2) The term "critical" is a technical evaluation largely based on the severity of the vulnerability (how much havoc it can cause on an individual machine), the number of machines at risk, and, to some extent, how difficult it is to exploit; so you should always download and install critical security patches.

    Websites
  12. ShieldsUp (online test with documentation explaining basic technical concepts: highly recommended for beginners)

  13. SANS Top 20 Internet Security Vulnerabilities

  14. Computer Emergency Response Team (CERT)

  15. Computer Vulnerability Evaluations

  16. ICAT Vulnerability Index

  17. SecurityFocus

  18. Wilders.org

  19. Packet Storm

  20. iNFOSYSSEC

  21. Crypto-Gram (Bruce Schneier's free monthly newsletter)

  22. Peter Gutmann's website and security resource link farm

  23. Start-Up Applications (list)

  24. NIST Computer Security Standards (FIPS/NIST publications)
     

Security Software
Before selecting and installing any security software you should always find and carefully read independent product reviews. (Curiously, most vendor reviews tend to show their product with superior ratings.)

That said, the best software for you is software that you can and will use knowledgeably, so you should always *carefully* check out a vendor's website before installing their product: many vendors offer their 'Help' files online or as a stand-alone download — if so, read them; look for screenshots, especially the default user interface and configuration screens (do you understand the options? will the 'Help' files allow you to make the settings?); look for 'Known Issues' information/pages (will the program cause problems on your platform/version or conflicts with other software you've installed?); and, what support options does the vendor offer (email? phone? do you have to pay for support? are there user bulletin boards?).

Users are also encouraged to check the Security Products page at Peter Gutmann's Link Farm (and the "Snake Oil" section for a few good laughs); the CERT page with security tips for home networks; and, to check Google for current security software information (but avoid the "Sponsored Links"!).
 

A final point to consider
It is in everyone's interest that our networks are secure; and, since every unsecured network machine represents a risk to all machines, there are now and always will be relatively high-quality freeware security apps available. But programming is a high-level skill and good programmers are in short supply, so — except for encryption programs — payware software/versions will always offer greater flexibility, more support options, and more granular user control. Speaking as both a firm believer in open-source freeware and a notorious cheapskate, I (usually) pay for my security software and consider it money well spent.
 
You can save this page for offline reference by right-clicking the screen and selecting "Save Page As/(type) Web Page, HTML only" (Firefox, Mozilla), or clicking the File button and selecting "Save As/(type) Web Page, HTML only" (Internet Explorer).
Note: On most Windows® systems, pages saved using IE6+ will be re-formatted and will not open offline.[12]