Rmus
April 3rd, 2005, 04:50 AM
I’ve been computing for only about 12 years, so I’m not an "old timer" by any means. I feel I was fortunate to have learned how to use a computer from a friend who had worked as a programmer and security consultant for NASA. He stressed the need for the user to set up "lines of defense." Although it is more common today to see the term "layers of security," I like the former description, for it calls to mind the image of "lines of protection" in front of the user. I’ve adapted this idea for my own use in working with my own system, and in helping others set up a system.
LINES OF DEFENSE (brief descriptions)
1. User Awareness and Common Sense. This is the first and most important line of defense. This can be taught to anyone. I often see on the forums and various newsgroups references to "my mom who is computer-illiterate." Well, I would prefer to work with computer-illiterate people, so-called, anytime, because they have no bad habits to unlearn. Many people starting with their first computer have a terrible fear of the unknown. This can be alleviated by showing them the insides of the computer. Not that they necessarily are going to work on the computer themselves, but that they understand that a computer is really nothing mysterious: just a combination of boards, and hardware. Handling fear is the most important aspect of computer security. You want to instill confidence in the user right from the start.
Next, we set up a filing system on paper. Most people have some type of filing cabinet with drawers in their home, so this provides a useful teaching tool in understanding how "My Computer" is organized into drives. Then we create directories according to the person’s needs/wants, and practice saving files. Important here is to show how a file extension works (and to make Windows display extensions). I’ve never had a person not be able to understand the idea of an executable. The user learns which file extensions to be wary of (we create a list). Later, we take this concept into email, and establish firm rules about attachments, etc.
There is much more in this first line of defense of course, such as establishing common sense browsing habits; setting up a daily backup system; but this will give an idea of how to start. I'm convinced that the majority of home computer security problems are due to a weakness in this first line of defense.
2. Alternatives to IE and OE. I don’t understand why anyone still uses these leaky vessels which need constant patching. With an alternative browser and email/newsreader program, one eliminates a huge number of exploits. Now, I’ve never been a Microsoft basher; if I don’t like certain products of a company, I can find alternatives. It’s one thing to not like a product, send in complaints, add to wish-lists for next versions, etc., but name-calling never contributes anything constructive. Like the bully on the playground, name-callers operate from a standpoint of weakness, not strength. And I don’t imagine Bill G. is very much bothered, anyway. I rather think of him as was Napoleon, who, upon being told that people were trashing his statue in the public square, remarked, "Why, I don’t feel a thing."
3. Microsoft WordViewer. While designed initially to enable those without MSWord to view Word documents, it’s become a useful line of defense because it will not execute code. Newer versions also have converters which allow MSWorks documents to be viewed. Prior to Word 97, macro viruses had to be written to a template (*.dot). Beginning with Word 97 (and Visual Basic) these could be embedded in a document (*.doc). In my own work, I receive Word documents by email on a daily basis. With the email program’s MIME types configured to open them in WordViewer, there is no chance of the document running code. A must on everyone’s system for viewing others’ documents.
It’s interesting how medical terms began to be used: virus; infection; injection. These terms, of course, instill fear in the user. Computer miscreants, like terrorists, play upon fear in the intended victim. This technique has also been cleverly marketed by the anti-virus, anti-spyware industries: the greater the level of fear and paranoia, the more products are sold. Now that Microsoft is in the fray, it's evident that it is in the best interests of these industries to keep the level of fear and paranoia high because of the big money involved.
For a number of years, the above three were my successful lines of defense. As miscreants began to exploit weaknesses in the Windows operating systems, it became necessary to add another line of defense:
4. A robust firewall - one with password protection, and where you can configure the rules. Blocking all port traffic both in and out, except for established permissions, is a must.
In the college district where I work, I’ve seen how the operating system can be bullet-proofed so that any changes made will be removed on reboot. So, I added a final line of defense:
5. Lock-down Program. I use Deep Freeze, but there are others. A reboot will restore the system to the state on last reboot.
In all of my years of computing, these lines of defense have been my secure protection. In the many home systems I’ve helped friends set up, using the above lines of defense, there has never been a problem. If your lines of defense are carefully thought out, there is no need to waste huge amounts of time worrying about the next infection, injection, or whatever.
I’m amazed, in perusing the various forums and newsgroups, how much time, effort, and money is spent on security products. Some users run as many as 8 or 10. Many people are so fearful, and have to work so hard to clean the infected system, that it takes all of the fun out of computing. This doesn’t have to be.
-Rmus