Many agree that Windows computers need to be protected with a strategy calleddefense in depth. This is not just for fighting off viruses. Clearly, network securityand Internet Explorer also need defense in depth. When Internet Explorer was recently hacked in a public contest, Microsoft responded that "...defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability."
Deb Shinder, a Windows expert, and former law enforcement officer, put it in perspective recently:
"Think about your physical security. You might have a high fence, a big dog, deadbolts on the doors and a security alarm system, but if a burglar is absolutely determined – and has enough time – he can climb the fence, shoot the dog, disable the alarm and break a window to get in. Unless you live in a fortress (and even then), your security is not fool-proof. But all those mechanisms do slow him down ... So unless he’s motivated to specifically target your house because he knows you have $1 million in cash hidden under the mattress, he’ll probably go elsewhere, where the pickings are easier."
To me, the term "defense in depth" means my having to do a lot of work. But what work? What steps offer the biggest bang for the buck?
1. To me, the most important thing you can do to protect your computer is to be skeptical. Start with the assumption that you are being lied to. No software can protect someone who lets the bad guys continually scam them.For example, that email message may not have come from the visible FROM address. Even if it did, the senders email account may have been broken into and the message could be from a scammer. Same for instant messages.
Many tricks can be played with links to make them appear to go one place when they actually go somewhere else, and that was before link shorteners made hiding the true destination even easier. You probably don't need to install a new codec to see that enticing video. Your computer is probably not infected with 314 viruses. Even notices about updating software to install the latest patch may not be legit.
2. Software-wise, techies are always advising to keep up to date on patches for your installed software. What doesn't get said often enough is that this is an all but impossible task for Windows users. Thomas Kristensen of security company Secunia reported recently "that in order for the typical home user to stay fully patched, an average of 75 patches from 22 different vendors need to be installed [every year]..." Seventy Five patches/year seems low to me.
Without a standard pipeline through which all these companies can funnel patches, Windows users are forced to deal with many different and inconsistent patch delivery systems. It's a brutal mess, and one not likely to have a good solution for a very long time.
Secunia offers three patch related products. To me, the best bang for the buck is offered by their freeOnline Software Inspector. I wrote about this in depth recently (Check (All) Your Windows Patches: Secunia). Their other products check more software, but the online service checks the most popular applications, offers a very simple and easy-to-read report and includes links to the latest software updates.
3. There is surprising resistance to my third suggestion, but it's a great way to protect yourself when keeping up to date on bug fixes is impossible: run as a limited (Windows XP term) or standard (Windows 7 term) user. I've been doing this for a while now on both Windows XP and 7. There is a small annoyance factor, but compared to the extra safety it offers, the tradeoff seems well worth it. The annoyance factor is higher in Windows XP. Much more thought seems to have gone into this in Windows 7.
Here's my approach. My current Windows userid was typically "Michael" and it was an Administrator. First, I create another Windows user called "MichaelAdmin" with the same password as user "Michael". Then I log off user "Michael", log on to user "MichaelAdmin" and drop user "Michael" down to a limited/standard user. From here on in, I continue to use user "Michael", only logging on as "MichaelAdmin" when necessary to install software or otherwise update the system.
0 commentaires:
Enregistrer un commentaire