Security is a process of challenge and response: blackhat hackers create new exploits, and the rest of us have the choice of becoming either responders or victims. Security is thus a knowledge-driven dynamic process: there is no "magic bullet;" there is no software that can provide users with assured, ongoing protection; there is no absolute safety in a networked environment; and there are no <just click here> fixes that are worth a damn.
The best security depends on user knowledge. Period. And the best you can achieve is to be less vulnerable than average. Fortunately, that is usually good enough.
Beginners should start by reading Bruce Schneier's cogent summary, Safe Personal Computing, in the May 15, 2001 issue of Crypto-Gram, then Secure Online Behavior, Part One: Developing Good Security Habits, Part Two: Secure E-Mail Behavior, and Part Three: Using the World Wide Web by Dr. Sunil Hazari. The more knowledgeable will find a number of familiar, standard references listed below: it is my hope that this information will allow those unfamiliar with the concepts and practices of network security to find information at a relevant level of technical detail and proceed from there.
Structuring Your Security
The three most important basic concepts are:
Layered security: an overlapping series of defenses, each with a differing focus. For example, your anti-virus program will probably pick up the most common trojan-horse malware but might not detect sophisticated variants or trojans with unusual configurations: you would expect more specialized anti-trojan software to handle this type of threat. But even the best anti-trojan program might not detect a trojan that exploits a brand-new system vulnerability; however, you would expect your firewall to detect its attempt to establish an outgoing connection, and you would also expect your IDS (Intrusion Detection System) to alert you to changes in critical system configuration settings and files.
Monitored security: security software is not a magick ward: it requires user attention, someone who is "minding the store." For example, if your firewall detects and blocks a malicious attempt to connect to your computer, well and good; but you will not even know this has occurred unless you read the log files, and the blackhats, having failed once, are free to try again. Maybe this time they'll succeed.
How much security you need depends on who you are. If you are an elderly grandmother at home on a dial-up connection who wants to keep in touch with the kids by email, you face few threats: an anti-virus program and a bit of practical advice (like don't preview mail and don't open attachments without scanning them first) should suffice. But, even here, you must learn how to disable the preview pane in your mail program and how to scan an attachment.
The same grandmother using a high-speed cable connection (or whose grandkids may have poor security habits) should have a firewall; and, if the kiddies are sharing files on P2P networks or chatting on ICQ, she might want to consider a basic anti-trojan program as well.
If you are running a business, you have both company and customer information to protect:[1, 2] someone needs to install the appropriate security software and keep it up-to-date; someone must be responsible for making sure the latest security patches have been applied to the operating system and to all network-capable software running on company machines; and, someone must be actively monitoring the network and reading the logs. You should also have a written backup policy, with the frequency and depth of the backups depending on the size of your business and the type and value of the assets you need to protect.
|Two useful references for small businesses are
And if you're managing an IT department, you must supervise the technical staff, a job you will find much easier if you have at least a basic understanding of the problems they must handle.
Your IT department is responsible for actively supervising the entire network (not just the Internet/LAN interface), both to prevent unauthorized customer access and to ensure that your employee/users adhere to necessary security procedures. In addition, you can expect both blackhat hackers and competitors to try your security: the former may try to steal saleable assets like customer credit-card records or information they can use to blackmail you; the latter may try to steal proprietary information that will enable them to compete more effectively with you; and if you're doing business internationally (which is almost a definition of online commerce), so may government spy agencies [see (1) §2.4.1 ff.].
See also  for more on this topic.
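The "monitored security" point above (a blocked probe is invisible unless someone reads the log) is easiest to appreciate with a log in hand. The following script is an added example, not code from the original page or from any firewall vendor: it parses a handful of constructed firewall log lines in a hypothetical "timestamp action src dst dport" format and flags any source that has been blocked repeatedly across several distinct ports, which is what a port sweep looks like in a block log. Real firewalls each use their own log format, so the regular expression is an assumption to be adapted.

```python
"""Added example: a minimal firewall-log review, illustrating why blocked
connections are only useful information if someone actually reads the log.
Log format and sample lines are constructed for this demonstration."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: one external host (203.0.113.7) probes four ports,
# another host is blocked once, and one outbound connection is allowed.
SAMPLE_LOG = """\
2001-05-15 10:01:02 BLOCK src=203.0.113.7 dst=192.0.2.10 dport=139
2001-05-15 10:01:05 BLOCK src=203.0.113.7 dst=192.0.2.10 dport=445
2001-05-15 10:01:09 BLOCK src=203.0.113.7 dst=192.0.2.10 dport=1433
2001-05-15 10:02:30 BLOCK src=198.51.100.4 dst=192.0.2.10 dport=80
2001-05-15 10:03:44 ALLOW src=192.0.2.10 dst=198.51.100.9 dport=443
2001-05-15 10:04:01 BLOCK src=203.0.113.7 dst=192.0.2.10 dport=3389
"""

# Assumed (hypothetical) line format; adapt to your firewall's actual output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def repeat_offenders(events, threshold=3):
    """Return {src: sorted distinct blocked ports} for every source blocked at
    least `threshold` times. Many distinct ports from one source in a short
    span is the signature of a scan rather than a stray packet."""
    blocked = Counter()
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "BLOCK":
            blocked[ev["src"]] += 1
            ports[ev["src"]].add(ev["dport"])
    return {src: sorted(ports[src]) for src, n in blocked.items() if n >= threshold}


def summarize(text, threshold=3):
    """Human-readable digest of a log: totals plus any sources needing attention."""
    events = parse_log(text)
    n_blocked = sum(1 for e in events if e["action"] == "BLOCK")
    lines = [f"{len(events)} events, {n_blocked} blocked"]
    for src, ports in repeat_offenders(events, threshold).items():
        lines.append(f"ATTENTION: {src} blocked on {len(ports)} distinct ports: {ports}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run daily against the real log file (or schedule it) and the "ATTENTION" lines become the part of the log that actually gets read; the single blocked packet from 198.51.100.4 is correctly ignored as noise.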
A Few (Basic) Security Tips
If you use Windows,
Don't use Outlook or Outlook Express for your mail.
Don't use Internet Explorer as your default browser.
Remove or disable Windows Scripting Host.
Don't depend on the built-in MS firewall [XP+]: they've botched the security on every OS they've released (to date) and there's no reason to expect that the version you're running is any better; and, unless they've completely changed both their software and corporate policy, their firewall will not block outgoing connections.
Search Google for a list of security settings that apply to your version of Windows and apply them. Specifically,
Always use custom settings for "Security" and "Advanced" in "Internet Options." You should use stringent, high-level settings for the (default) "Internet Zone," and add sites (sparingly and with careful consideration) that require more relaxed settings to the "Trusted Sites" list.
Remove any names appearing in the (Trusted) "Publishers" list, and check periodically (especially after software installs) to make sure none have been added 'behind your back.'
Remove any information appearing in "Wallet" and (recommended) any personal information in "My Profile" as well.
DON'T surf in "Administrator" mode, and use a *secure* password to protect the Administrator profile (see #7 below). Create a web-surfing profile with minimal privileges: you only need Administrator privileges for system maintenance and software installs, neither of which you should be doing online.
Parental note
This also applies to your kids. Specifically, children should not be allowed to register for online services or install software without parental approval. Your children are a target demographic for the advertising/profiling businesses who fund many of the trendy social websites and "cool apps." Although younger users are often more comfortable with the Internet than their elders, the all-too-common line "my kids know more about computers than I do" is, quite simply, an abrogation of parental/moral responsibility: it may be true and it may soothe your conscience, but it will not protect either your kids or your computer.
Learn how to construct good passwords and deploy them. NEVER select "Remember My Password" options: use Password Safe to store your passwords.
Know what software is installed on your computer: if you don't need it, use the "Add/Remove Programs" applet and uninstall it. Don't install unnecessary software, and always monitor software installations. Less is more: select a small number of powerful, flexible programs and learn how to use them instead of adding a separate app for every task. Whenever possible choose open-source portable executables (programs that don't require an installer).
Programs whose source code is openly published and publicly distributed are described as "open source." Many (but by no means all) of these are freeware distributed under GNU Public License, which requires that the source code be supplied along with the compiled binaries as part of the download package.
See ,  and  for more on GNU.org open source licensing and philosophy;  for a listing of GNU software; and  for a listing of GNU Win32 software ports from SourceForge.
When in doubt, use the phone book and call a few local computer service stores: ask if they specialize in security, take your machine in, and have a trained technician set up your security. Then, plan to spend time reading the 'Help' files on your new software, and be sure to ask the tech to provide you with a list of reference/links for further study.
And, for all users and all platform/versions:
Remove or disable JAVA.
Protect critical files: encrypt sensitive proprietary or personal information, and always make backups.
Always keep your OS, networking software, and security software up-to-date. Check regularly for security-related patches and updates, and pay attention to media news releases about OS/Internet security issues: if a news story mentions a new virus or security hole, get the patch or update immediately.
Routinely encrypt any mail you would not publicly post.
Resist the marketing pressures to use "Cloud computing:" when you move your apps and your data to the Cloud, you lose all effective control.
Before accepting offers of no-hassle, free online services, you should keep three important points in mind:
(1) TANSTAAFL (There Ain't No Such Thing As A Free Lunch)
Businesses offering data storage and other nominally "free" services will make their profits by selling information about you to advertisers.
[See the EPIC.org Privacy and Consumer Profiling page for a comprehensive analysis of the type of information that is being collected and how extensive the practice has become.]
(2) You don't own your data when it's in the Cloud,
Files on your own machine are (legally) your property, and you control access permissions. If, on the other hand, your data is in the Cloud, the server where it resides has both access and (in the U.S.) ownership privileges regardless of your choices.
(3) And you don't own your apps, either.
On your own machine you decide what programs to install and how they run. But, if the services you use are located in the Cloud, you can't select what software you will use and you have no control over how it operates either; and, as one tech remarked, when you double-click on an application, you are turning control of your machine over to the programmer who wrote the code.
For more information see [1 ff.], or ask Emerald Technologies for a copy of the sh reference file Lost in The Cloud .
The following list is taken from the Dr. DB Security Reference archive found on the Emerald Technologies website.
The World Wide Web Security FAQ
Users' Security Handbook (RFC 2504)
FAQ: Firewall Forensics (What am I seeing?)
Kurt Seifried's TCP and UDP Network services list and Richard Akerman's Trojan TCP/IP Ports
An Introduction to Cryptography (part of the PGP documentation) [1 ff.]
Blended Threats, by Peter Gutmann
Sniffing (network wiretap, sniffer) FAQ
Dangerous File Extensions
Autostart Methods (see also below)
Microsoft Security Patches (manual update)
Patches for all currently supported Windows platforms are posted on the second Tuesday of each month. Patches for critical vulnerabilities are posted as soon as they are ready for release, and often apply to other MS software (such as Office and older/unsupported versions of IE/Windows).
(1) Because an 'update' is whatever the vendor says it is, you are always better off manually updating your software: that way you can check what is in an update package and decide if you need it or not (but see below).
(2) The term "critical" is a technical evaluation largely based on the severity of the vulnerability (how much havoc it can cause on an individual machine), the number of machines at risk, and, to some extent, how difficult it is to exploit; so you should always download and install critical security patches.
ShieldsUp (online test with documentation explaining basic technical concepts: highly recommended for beginners)
SANS Top 20 Internet Security Vulnerabilities
Computer Emergency Response Team (CERT)
Computer Vulnerability Evaluations
ICAT Vulnerability Index
Crypto-Gram (Bruce Schneier's free monthly newsletter)
Peter Gutmann's website and security resource link farm
Start-Up Applications (list)
NIST Computer Security Standards (FIPS/NIST publications)
Before selecting and installing any security software you should always find and carefully read independent product reviews. (Curiously, most vendor reviews tend to show their product with superior ratings.)
That said, the best software for you is software that you can and will use knowledgeably, so you should always *carefully* check out a vendor's website before installing their product: many vendors offer their 'Help' files online or as a stand-alone download; if so, read them. Look for screenshots, especially the default user interface and configuration screens (do you understand the options? will the 'Help' files allow you to make the settings?); look for 'Known Issues' information/pages (will the program cause problems on your platform/version or conflicts with other software you've installed?); and check what support options the vendor offers (email? phone? do you have to pay for support? are there user bulletin boards?).
For most users, the threat from trojan infections is negligible in personal terms: the main problem is caused by 'bots using infected machines on high-speed connections as a platform to attack other machines (DDoS attacks that 'take down' a website/server) or to hide their trail when they break into a system for other reasons (moving from infected machine to infected machine before 'cracking' a commercial server to steal credit-card numbers, for example); and the dynamic nature of trojan attacks makes a programmed or automated response problematic at best.
That said, anti-trojan software falls broadly into two generic categories: those programs which are scanning ports and those programs which are looking for trojan signatures. Some AVPs are reported to have relatively good records managing trojans, among them AVG, NAV, and F-Prot; likewise, Spybot Search & Destroy (the anti-spyware scanner) will pick up trojans and keyboard loggers based on their hooks to the OS. Most AVP rating/comparison sites (above) will indicate the relative success of various programs in detecting and removing trojans, and vendors will almost always include a signature database on their websites listing the various forms of malware their product detects. Although none of these is a specialized anti-trojan tool, you should already have an AVP and at least one anti-spyware program installed (I recommend using both Spybot S&D and Ad-aware), and depending on your computing environment and the nature of the assets you are protecting this may suffice.
Likewise, you should (already) have a firewall installed that monitors outgoing connections (which will detect a trojan that has opened a port to 'listen for instructions'), which is yet another line of defense. There are also built-in network-monitoring tools like netstat; but, as above, the benefit from both of these tools depends on learning to use them and on reading the logs.
More specialized automated tools usually combine both signature and port scanning capabilities, among which are The Cleaner and Tauscan. Point-and-click users will find both to be very similar to typical AVPs; and, for many these may be the best choice as a secondary ('belt and suspenders') line of defense.
For critical computing environments and those with significant assets to protect, the Trojan Defense Suite from DiamondCS is in a class by itself: this complex, multi-layered tool is the only software that allows users to combat trojans on their own ground for system-level control, and is *highly recommended* for those who are capable of using it or willing to learn.
In addition to the above, there are also specialized tools for removal of specific threats (search Google), and website instructional step-throughs on detection and manual removal for some trojan programs (PCHelp's website is a good place for beginners: see his pages on Back Orifice and NetBus). More knowledgeable users and those attempting manual removal will find the TLSecurity Removal Database [archived] helpful.
Firewall configuration options will vary by vendor: all will open/close service ports; but in addition a good firewall should allow you to authenticate apps and control outgoing connections; create custom rulesets; block specific protocols (for example, incoming [Internet] IGMP packets and ICMP/types); block/allow IP subnets (address ranges); and apply a different ruleset for home and small-business LANs. For most users, a stateful firewall with password-protected ruleset(s) that allows/defaults to stealth mode will be the best choice.
PCHelp's page What is a firewall?
Firewalls For Beginners
TruSecure Firewall Ratings
Home PC Firewall Guide (n.b.: commercial website)
LeakTest (freeware firewall-testing utility)
([ng posting:] ZA is a good firewall; it requires little work to configure and has a lot of good built-in protection. Only the payware/Pro version meets the minimum criteria listed above; but, even the freeware version offers users more protection than the Microsoft default.)
Tiny Personal Firewall
([ng posting:] TPF is a complex firewall; it requires a lot of knowledge of ports and sites to use well. Configured well, it is a much, much more secure setup than ZA. Configured badly, you might as well not *have* a firewall. Freeware for personal use.)
Sygate Personal Firewall
Norton Internet Security
(IMOP the enormous size, limited configuration options, and high price make this, at best, a bottom-of-the-list choice.)
(Included for completeness: IMOP McAfee security products generally offer inferior performance; but, in the end, potential customers should be guided by product comparison ratings. If, however, you are considering McAfee/NAI products, I strongly advise that you carefully read both the EULA and any applicable Privacy Policies first.)
Intrusion Detection Systems
Network intrusion detection systems are unreliable enough that they should be considered only as secondary systems designed to back up the primary security systems [1, 2]. For those considering deployment, the NIST Special Publication on Intrusion Detection Systems by Rebecca Bace and Peter Mell provides a good summary of IDS approaches and tradeoffs.
FAQ: Network Intrusion Detection Systems [March 2000 version quoted above ]
SANS Intrusion Detection FAQ
COAST Intrusion Detection System Resources
Snort home / SourceForge project page (freeware)
(command line pre-compiled/Win32 port available; requires the appropriate platform/version WinPcap driver)
ISS RealSecure (commercial/payware)
(Included for completeness: this is not a full-blown IDS, but a scanning tool that checks files/directories to ensure they have not been modified since the last audit/run. [See below.] ) Integrity Checker (Win32)
(Included for completeness: this is not a full-blown IDS, but a scanning tool that checks files/directories to ensure they have not been modified since the last audit/run. Win32 PE can be run from an encrypted container, and command-line parameters allow the program to run at startup.)
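The two integrity-checker entries above describe the same idea: record a fingerprint of every file you care about, and on each later run report what has changed. The following is an added example of that technique and is not the code of either listed product. It walks a directory, stores a baseline of SHA-256 digests as JSON, and on verification reports modified, added and removed files; the sample tree, file names and the "tampering" are all constructed inside the demo function.

```python
"""Added example: a minimal hash-based file-integrity checker (baseline,
then verify), of the kind the Integrity Checker entries describe."""
import hashlib
import json
import os
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (path relative to root, '/'-separated) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = file_digest(full)
    return digests


def save_baseline(root, baseline_path):
    """Write the current snapshot to a JSON baseline file (keep it OUTSIDE root)."""
    with open(baseline_path, "w") as f:
        json.dump(snapshot(root), f, indent=1, sort_keys=True)


def verify(root, baseline_path):
    """Compare the live tree against the saved baseline."""
    with open(baseline_path) as f:
        old = json.load(f)
    new = snapshot(root)
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Constructed demonstration: build a small tree, baseline it, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "system")
        os.makedirs(root)
        with open(os.path.join(root, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("autostart=off\n")
        baseline = os.path.join(tmp, "baseline.json")  # outside the audited tree
        save_baseline(root, baseline)

        # Simulated tampering: edit one file, drop in a new one, delete a third.
        with open(os.path.join(root, "hosts"), "a") as f:
            f.write("203.0.113.5 www.example.com\n")
        with open(os.path.join(root, "unexpected.dll"), "wb") as f:
            f.write(b"\x00")
        os.remove(os.path.join(root, "config.ini"))

        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two practical points: the baseline must live somewhere the thing you are checking cannot rewrite (the second entry's note about running from an encrypted container is exactly this concern), and a checker like this tells you *that* a file changed, not who changed it or whether the change was a legitimate update, so run it after your own installs and re-baseline deliberately.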
[See Robert Graham's FAQ for more options.]
Personal Encryption Programs
Using encryption software can be difficult for beginners because it is designed to withstand attacks from both blackhat hackers and government/military intelligence agencies rather than for ease of use. And because you need to understand how the software works in order to use it effectively, you should plan to spend some time studying the references listed below before installing it.
Encrypted information is only as secure as the key used to encrypt it, and the key is protected by the password you choose. So, before you install the software, you need to understand what makes a good password. (The bonus in learning this is that all of your online accounts from email to banking will be more secure.)
See [1, What is a passphrase?], , [3 §2.0 4.1],  and [5, Is 1024 Bits Enough?] for more information, and  for recommended password management software.
For convenience, the encryption software is divided into two categories: general encryption services (email, digital signing and authentication) and OTFE (On-The-Fly Encryption)/local file encryption.
The general programs will create user keys allowing you to sign and authenticate files, and they have email plugins that work with most major browser/mail programs to automatically encrypt and sign or decrypt/authenticate email messages. The OTFE programs create an encrypted volume on your hard drive which, when you enter your password, acts like a(nother) hard drive installed on your machine.
Unless otherwise noted, all recommended programs are open source.
Most users don't trust cryptography programs unless they are open source, for two reasons:
(1) since the source code is available for public scrutiny, it can be examined by experts to make certain the cryptographic functions are correctly implemented and to assure there are no back doors [government "master keys"]; and, (in addition, all program bugs, including platform incompatibilities and software conflicts, are typically found and fixed much sooner.)
Info (in approximate order of technical detail):
Learning About Cryptography
Snake Oil Warning Signs
An Introduction to Cryptography (part of the PGP documentation)
Tom McCune's PGP Pages
(1), Software/documentation/links, and
(2), PGP Questions & Answers.
Ritter's Crypto Glossary
Peter Gutmann's Godzilla Crypto Tutorial
The iNFOSYSSEC Cryptography, Encryption and Steganography pages: (1), (2) and (3)
Software email, digital signing/authentication
[Freeware archives for Win9x/NT/2K with links to current versions at PGP.com. Because the source code is no longer publicly available, I do not use or recommend NAI (McAfee) versions of
[My recommended version for Win9x/NT/2K; however, (1) there are known issues with the C-KT version(s) in Windows XP+, and (2) they are no longer supported. See also (1) and (2) for another opinion.]
[The GNU Privacy Guard is a complete and free replacement for PGP for all Win32 platforms. Recommended if you have no legacy issues (old keyrings/PGP Disk files) and for new users. See also (1) and (2).]
Software OTFE (file) encryption
[Enabled in the PGP C-KT version freeware; disabled in all NAI (McAfee) PGP freeware versions (see above). Be sure to read this before installing.]
[Open source freeware for Windows 2000/XP/2003 (and probably, by now, Vista and Windows 7); recommended for users without legacy issues.]
[For MS Windows 2000/XP/Vista and PDAs (Windows Mobile 2003/2005). The program has a very short track record, but its author's credentials (S. Dean, below) are generally recognized. Another good choice for users without legacy issues.]
See also: S. Dean's page, On-The-Fly Encryption: A Comparison.
For more information see the Dr. DB Security References archive and the sh Cryptography Compilation CD-ROM database available from Emerald Technologies, which also has an extensive collection of crypto and crypto-related software, source code, and reference archives.
[Wherever possible, program versions were downloaded from recognized international archives, some before passage of the USA Patriot Act (see Title I, Sec. 105106 and Title II for privacy/government surveillance concerns). In all cases, download documentation is provided so users can decide for themselves if they trust the archived software/versions.]
Password Management Software
Your passwords protect your encryption keys and function as your proof of identity in the digital world, so you should always use good ones. Unfortunately, strong passwords are long, random strings composed of upper and lower case letters, numbers, and special symbols (in short, every possible character on your keyboard) and therefore difficult to remember. The solution to this dilemma involves using software to generate strong passwords and store them in encrypted form: that way, you only have to remember one password: the one you need to access the encrypted password file.
[Open-source freeware Win32 portable executable generates secure passwords with options to select either the password strength (number of bits) or the length (number of characters). When the password is generated, the program will display its actual, measured entropy (how random/strong it is, measured in bits) with the option to automatically copy it to the clipboard.]
[Open-source freeware Win32 portable executable uses Blowfish encryption to store your passwords. Once opened by entering the "safe combination" (the master-password used to access the database), double-clicking an entry copies the selected password to the clipboard.]
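Two passages above make the same point from different sides: the encryption note that a key is only as strong as the password protecting it, and the password-generator entry that reports a generated password's entropy in bits. The following added example (not the code of the password generator, Password Safe, or any program on this page) ties them together: it draws a password from a chosen character set using the operating system's randomness source, computes its entropy as length × log2(alphabet size), derives an encryption key from a master password with PBKDF2-HMAC-SHA256 (the standard-library key-derivation function, assumed here in place of whatever the listed programs use), and shows that the effective strength of such a key is the smaller of the key length and the password's entropy. Storing the resulting passwords in a Blowfish-encrypted safe, as Password Safe does, is outside the standard library and is not shown.

```python
"""Added example: password generation with measured entropy, plus a
password-derived encryption key whose strength is bounded by the password."""
import hashlib
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 symbols, i.e. "every
# possible character on your keyboard" as the section puts it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size).
    Each character chosen from N symbols contributes log2(N) bits."""
    return length * math.log2(len(set(alphabet)))


def length_for_bits(target_bits, alphabet=ALPHABET):
    """Smallest length whose entropy reaches target_bits (the 'strength' option)."""
    return math.ceil(target_bits / math.log2(len(set(alphabet))))


def generate_password(length=None, target_bits=128, alphabet=ALPHABET):
    """Generate a password by length, or by target strength if no length is given.
    secrets.choice uses the OS CSPRNG, unlike random.choice."""
    if length is None:
        length = length_for_bits(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_key(master_password, salt, iterations=200_000, key_len=32):
    """Derive a 256-bit key from a master password with PBKDF2-HMAC-SHA256.
    The salt must be random and stored alongside the encrypted data; the
    iteration count slows down guessing and should be as high as you can tolerate."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=key_len
    )


def effective_key_bits(password_length, alphabet=ALPHABET, key_len=32):
    """A key derived from a password is no stronger than the password: an
    attacker who can guess the password never has to attack the key itself."""
    return min(8 * key_len, password_entropy_bits(password_length, alphabet))


if __name__ == "__main__":
    pw = generate_password(target_bits=128)
    print(pw, f"{password_entropy_bits(len(pw)):.1f} bits")
    salt = secrets.token_bytes(16)          # constructed, per-file random salt
    key = derive_key(pw, salt)
    print(key.hex(), f"effective strength {effective_key_bits(len(pw)):.1f} bits")
    print(f"an 8-character password bounds a 256-bit key to "
          f"{effective_key_bits(8):.1f} bits")
```

The last line is the whole argument of the encryption note in numbers: a 256-bit key protected by an eight-character password is, in practice, a 52-bit key.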
Secure Delete Software
Securely deleting files (and backups/copies) is part of general file security and closely allied with encryption, because hard-drive files are difficult to completely erase [1, 2]. In Windows, files that have been deleted (and emptied from the Recycle Bin) may be easily recovered [1, 2]. Even files that have been overwritten can be recovered with specialized software: the (US) Department of Defense uses a seven-pass overwrite standard for UNclassified material, and the "gold standard" for complete erasure is a 35-pass overwrite using a particular sequence of bit patterns.
[Open-source Win32/GUI, recommended for most users]
[16-bit/command-line especially good for large files such as swap/paging]
[16-bit/command-line wipes data in unallocated disk space and the slack cluster space at the end of files]
See also: S. Dean's page, Disk and File Shredders: A Comparison.
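To make the multi-pass overwrite idea concrete, here is an added example of a file shredder; it is not the code of any tool listed above. Each pass writes a full-length pattern over the file's existing bytes and forces it to the device with fsync before the next pass; the file is then truncated, renamed to a random name (the original file name is itself information) and unlinked. The three-pass schedule (zeros, ones, random) is a constructed one for the demonstration, not the DoD or 35-pass sequences the section mentions.

```python
"""Added example: multi-pass overwrite followed by truncate/rename/unlink."""
import os
import secrets
import tempfile

# Constructed pass schedule: zeros, ones, then fresh random bytes (None).
PATTERNS = (b"\x00", b"\xff", None)


def overwrite_in_place(path, patterns=PATTERNS, chunk=1 << 16):
    """Overwrite every byte of `path` once per pattern, syncing each pass.
    Returns the number of passes written."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:        # r+b: rewrite in place, never reallocate
        for pat in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n) if pat is None else pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())        # this pass reaches the device before the next
    return len(patterns)


def secure_delete(path, patterns=PATTERNS):
    """Overwrite, truncate to zero length, rename to a random name, unlink."""
    passes = overwrite_in_place(path, patterns)
    with open(path, "r+b") as f:
        f.truncate(0)                   # do not leave the original length behind
        f.flush()
        os.fsync(f.fileno())
    anon = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.rename(path, anon)               # hide the name as well as the contents
    os.remove(anon)
    return passes


def demo():
    """Constructed demonstration: write a file, confirm that a single 0xAA pass
    really replaces its bytes, then securely delete it. Returns
    (pattern_verified, passes_written, file_still_exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "wb") as f:
            f.write(b"account number 1234-5678\n" * 100)
        size = os.path.getsize(path)
        overwrite_in_place(path, (b"\xaa",))
        with open(path, "rb") as f:
            pattern_ok = f.read() == b"\xaa" * size
        passes = secure_delete(path)
        return pattern_ok, passes, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

One caveat a modern reader needs: in-place overwriting assumes the filesystem rewrites the same physical blocks, which holds for a plain FAT/NTFS volume on a magnetic disk but not for wear-levelled flash (SSDs, USB sticks) or copy-on-write and journaling filesystems, where the old blocks may be left untouched. There, whole-disk encryption from the start, or the drive's own secure-erase command, is the reliable answer; and the slack space and swap file the two command-line entries above address are not touched by a per-file wipe at all.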
Snake Oil (personal opinions)
Lockdown/Lockdown 2000; BlackICE Defender; Conseal Desktop/PC Firewall
Users are also encouraged to check the Security Products page at Peter Gutmann's Link Farm (and the "Snake Oil" section for a few good laughs); the CERT page with security tips for home networks; and to check Google for current security software information (but avoid the "Sponsored Links"!).
A final point to consider
It is in everyone's interest that our networks are secure; and, since every unsecured network machine represents a risk to all machines, there are now and always will be relatively high-quality freeware security apps available. But programming is a high-level skill and good programmers are in short supply, so, except for encryption programs, payware software/versions will always offer greater flexibility, more support options, and more granular user control. Speaking as both a firm believer in open-source freeware and a notorious cheapskate, I (usually) pay for my security software and consider it money well spent.