How might I get infected....?

Discussion in 'malware problems & news' started by wat0114, Nov 16, 2013.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That isn't really my experience. One thing often brought up is the fact that we spend more money than ever on security and we lose more money than ever on compromises - not exactly great returns.

    I think it's fair to say that someone's doing something very wrong when the numbers constantly show worse returns on investment every year.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Education is still the key. Be it home user or business user. Social engineering, phishing, byod, and so on, contribute to most of the problems we experience today.
     
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    That's really what I think it comes down to, at least with the present threat landscape.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Whether that is the case or not, the response to the issues has been a complete failure - compromises are larger and more costly than ever.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Cite your examples for discussion.
     
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As I said, we spend more money every year than the previous year, but compromises are costing more money than ever. Canalys has a report on it.

    Cost per incident:

    2006 - 168,000

    2008 - 500,000

    2010 - 1.5m

    2013 - 5.4m

    I'm not going to dig through the entire report but part of it should be discussed here:
    http://www.canalys.com/newsroom/it-security-spend-reach-301-billion-2017
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    Yep, no change there. The criminals will always try to find ways to bilk people out of their money. Be alert and educate yourself.
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    This would be a good time for me to point out that running this

    - Firefox with NoScript plugin on a Windows XP SP3 limited account behind a firewalled router -

    configuration is actually pretty safe, assuming the user is "smart" (that is to say, smart about computer security).

    What kind of attacks would be effective against that config? Most, perhaps all, of the social engineering attacks would fail due to superior user. "What, I should click on this random link to see some celebrity private parts? Sounds legit. Oh wait, and I should download some file to see them, too? Boobies.gif.exe? Yeah, sure I will, not like it could possibly be malicious, naaah." Since the user is smart, they'll be patching their browser & other software in a timely fashion, so anything that targets a patched vulnerability will also fail spectacularly. So, that leaves us with unpatched stuff, perhaps stuff that cannot be patched due to end of support issues for some software or another, maybe even the OS itself. Interestingly, much of that unpatched stuff is quite likely to work against much more cumbersome security configs as well. Especially if we assume it's not just a random blind attack, but an attacker that actually intends to succeed against targets that actually take some protective measures and don't fall into the traditional lowest-hanging fruit segment. AVs and such will not reliably stop such attacks - obviously such a dedicated attacker would double-test to make sure most AVs fail to detect his malicious code before starting the attack. To reliably improve security against such attacks, you'd have to skip AVs and go for the sandboxing/HIPS/virtualization type of solutions, which are pretty much as heavy as anything is likely to get for most even remotely regular users.

    So, where I'm going with this all is, that setup isn't half bad in terms of security, if the user is smart. I know a lot of people who run a setup similar to that, without issues. Would I recommend it to everyone, or the average user? Hell to the no. Would I recommend it after XP's support ends? Not really, no.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    Thanks for your feedback, Windchild :)

    Yes, although I feel I could probably get by unscathed with this setup, I would not use it only, nor would I recommend it to other seasoned security conscious XP users, and there are a few in these forums. So after taking all things into consideration, I would likely add the following:

    • Sandboxie - tightly configured of course using many of the typical recommendations found in these forums.
    • EMET - apply mitigations to all internet-facing apps.

    With XP Pro I would also use SRP with a whitelist approach, including DLLs.

    And of course it goes without saying an image routine would be in place as well, just in case of a breach.

    None of this actually applies to me anymore, as I have migrated away from my XP setup (although I still have it installed + one VM) and replaced it with Linux as per my signature. I'm just interested in how the XP diehards might continue with the O/S long after it's been left abandoned on the side of the road by MS :)
     
  10. LMHmedchem

    LMHmedchem Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    29
    I don't know if this would interest you or not, but I now run XP in virtualbox. I have comodo ISP installed there, but most of the time I have the nic disabled so there is no internet access inside the vbox. I use this to run windows based applications like office. On the outside, I run mint linux (an ubuntu variant) and all of my web based applications run from there.

    This setup works well for most things except for gaming. If you want to keep using xp, this might be the best way to go. You don't have to worry that much about security on rigs that aren't connected to the internet and you can create that inside the vbox. Even if you do get your xp infected from a flash drive or something like that, you can just revert to a clean snapshot of the VM.

    Just a thought or two.

    I see that many here have referenced Software Restriction Policies. Is not Comodo defense+ the same thing more or less? I also have a rule that internet access from my computer is white list by hash, so if a non-listed program attempts to connect out, the connection is blocked and I get an alert.

    LMHmedchem
     
    Last edited: Nov 21, 2013
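    The hash-based whitelisting LMHmedchem describes (an unlisted program trying to connect out gets blocked and raises an alert) can be illustrated with a small Python script. This is an added example written for this thread, not Comodo's or any other product's code; the file names, the `check_outbound` helper and the allowlist format are all assumptions made up here, and the "programs" are constructed temporary files rather than real binaries.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple


def sha256_of_file(path: str, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths: Iterable[str]) -> Dict[str, str]:
    """Record the hash of every approved program at approval time.

    The hash is the key: the file name is kept only for readable alerts and
    plays no part in the decision (hypothetical allowlist layout).
    """
    return {sha256_of_file(p): os.path.basename(p) for p in paths}


def check_outbound(path: str, allowlist: Dict[str, str]) -> Tuple[str, str]:
    """Decide whether the program at `path` may connect out.

    Returns ("allow", message) or ("block", alert). A hypothetical helper
    standing in for the firewall rule described in the post.
    """
    digest = sha256_of_file(path)
    name = os.path.basename(path)
    if digest in allowlist:
        return "allow", f"{name}: hash {digest[:12]}... is on the allowlist"
    return "block", f"ALERT {name}: hash {digest[:12]}... not on the allowlist, outbound connection blocked"


def run_scenarios() -> List[Tuple[str, str, str]]:
    """Exercise the three cases a practitioner hits with a hash allowlist.

    Returns (scenario, decision, message) triples. All files are constructed
    in a temporary directory purely for the demonstration.
    """
    results = []
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "browser.exe")
        with open(approved, "wb") as f:
            f.write(b"MZ-constructed-browser-v1")  # stand-in for the approved binary
        allowlist = build_allowlist([approved])

        # 1. The approved program, unchanged: allowed.
        results.append(("approved binary",) + check_outbound(approved, allowlist))

        # 2. A different program renamed to the approved name: blocked, because
        #    the decision is made on content, not on the file name.
        impostor = os.path.join(d, "impostor.exe")
        with open(impostor, "wb") as f:
            f.write(b"MZ-constructed-something-else")
        renamed = os.path.join(d, "sub", "browser.exe")
        os.makedirs(os.path.dirname(renamed))
        os.replace(impostor, renamed)
        results.append(("renamed impostor",) + check_outbound(renamed, allowlist))

        # 3. The approved program modified in place (a legitimate update or
        #    tampering look identical here): blocked until re-approved.
        with open(approved, "wb") as f:
            f.write(b"MZ-constructed-browser-v2")
        results.append(("updated binary",) + check_outbound(approved, allowlist))
    return results


if __name__ == "__main__":
    for scenario, decision, message in run_scenarios():
        print(f"[{decision:5}] {scenario}: {message}")
```

The third scenario is the operational cost of hash-based rules that the thread's advice implies: every legitimate update changes the hash, so the rule must be re-approved after each patch, which is the price of a rule that cannot be fooled by renaming a binary. A path-based rule avoids the re-approval chore but grants trust to whatever file happens to sit at that path.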
  11. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    @LMH,

    yes, I'd say you have yourself an ultra-secure setup :thumb: As long as the hardware isn't noticeably strained running the vm on the Linux host, you're laughing.

    As far as CIS, yes, similar, although 3rd party, but even more granularity to restrict. It looks as though you know what you're doing, for sure. Very nice setup. Not everyone could go this route, of course, because hardware would have to be up to snuff to handle the additional load of the vm, but it's a nice approach if the resources are available.
     