My 1 and only philosophy thought for 2012!

Happy 2012 to all firewall and fellow tweakers!

What IF? I just kept my:

1) KeyScrambler SW
2) two way firewall software (currently OP FW Pro 7.5 & it's ip block list)
3) The HOST file from MVP

AND used web site based scanners for AV and ASW 1/week rather than on my PC at all times

AND hid behind my router


Would my security be in any real way compromised?

Go ahead prove me to be a reckless %^&&R%$E!

 

Happy 2012 too you also Escalader, yes, good 1 and only philosophy thought for 2012!

Personally, I believe that you would only prove yourself to be an reckless %^&&R%$E! if you never ran those
Online Antivirus/Antimalware scans at least once an Week.


HKEY1952

 

I think you be fine with your philosophy,but you may still want to have a OD Scanner on board since some malware block internet access to secuirty sites or products if one happen to slip through.Hitman Pro or MBAM OD, I would think should suffice just in case.

 

You're assuming that your two way firewall would catch the bad stuff, but in reality, it may or may not. I think I'd drop your #2 and #3 since you have the router, and instead use a realtime AV. But that's just my preference...

 

Hi Escalader and Happy 2012!

I've abandoned realtime AV solutions about 4 years ago.
At the very beginning after that step I scheduled (in my mind) to do AV/AS/AM on demand scans once per week. During this time my security approach pretty much evolved – I removed AV (Avira Free) and used to use only on demand AM scaner and Dr.Web CureIt! (which doesn't require installation on hard disk). After all these tests during the years I've bulit security protection based on three main layers – from first line of defense:
1. Prevention (HIPS, firewalls, sandboxes, policy based sandboxes, EMET, etc)
2. Detection (AM/AS/AV software)
3. Cure (Image backup/data backup, ISR software)

My security config after many years looks like:
1. DefenseWall HIPS + L'n'S Firewall + EMET + UAC (high) + Router Firewall (NAT)
2. MBAM (scan once per few months)
3. SPD + SyncToy (once per day documents data backup to another partition)
Note that this config is very light and doesn't need to be up to date very often. Protection based on these three layers is much better that relying only on one or two from above list – I think it's obvious.

In mentioned by you security list (in my opinion) there is something missing – what will protect you against so called drive-by download threats or other running eg. from removable drives exec? HOSTS file is not good enough in this case and it need to be updated often since most of infected website are created to be online only for limited (often) very short amount of time (I wrote article about it in the past).
Keyscrambler - is good if you are infected, it's not very optimistic approach, but it's also lightweight so it can be running realtime.
Scanning once per week without good prevention config means nothing - you did scan yesterday today you've been infected so 6 more days to next scan (and remove/delete threat - of course if your scaner has appropriate signature for this kind infection...). It doesn't look good isn't it?

If your computer is using by other person I would consider to add second account with installed MS Parental Control where you can create whitelist. Other option could be added something like ShadowDefender with password protection. Since we are on passwords topic it would be also great to have password manager.

You are not reckless you just searching for optimal security setup for yourself - I know this feeling, you are on right path

 

As already suggested by others you seems to miss a bullet proof protection from web surfing, this is where most infections comes nowadays. IP blocking is ineffective for this purpose. DW or sandboxie should be able to cover that.

 

Thanks to you all who have commented! Some very thoughtful replies IMHO.

This thread is a brainstorming / learning from each other thread. It cannot degenerate into my tool is better than your tool or we all know what would happen to it!

Let's accept the consensus that I'm still exposed to drive-by malware if I removed my RT AV from my setup. 1/week is NOT enough.

Let's do a bit more work on the notion of layers! and the threats they target...

I personally really like Creer's Layer design description and suggest we adopt it.

1. Prevention
2. Detection
3. Cure

Can we agree to modify 2 to read Detection and Repair/Quarantine?

1. Prevention
2. Detection, Repair and/or Quarantine
3. Cure

These 3 layers help analysis and classify 2 items (IMHO)

A) Threats we all face on the www, eg: drive bys, Trojans, intrusion attempts, privacy leakage etc.
B) The techniques available to us to deal with these threats. (no tools yet)


Let's do threats first by simply making a list of them with no classification attempt yet (avoids me from jumping to conclusions)

So far we have:

1. Drive by
2. Virus
3. Spyware
4. Existing infected files
5. Spam
6. Evil Websites
7. Attempts to access your setup by hackers
8. Loss of private data to via 1-7
9. Hooking
10. memory injection
11. process termination
12. registry access
13. screen,clipboard logging
14. root kits
15. DNS request by non network enabled applications
16. Launch network enabled process
17. Keyboard logging/intercept keystrokes

Go ahead add your favourite threat (no solutions yet!)




Fire away, no way we can lose by working this thread

 

My "favorite" threat is visiting a mundane website that's been turned evil by a malicious party (a good website that was written badly & cracked by a bad guy). That's different than visiting an Evil Website (#6 on the list), which would have been born evil.

You didn't ask for solutions, but mine is simple: block scripts. That way the bad guy can't run his code in my browser

 

18. Human Error in Security Decision(s)


HKEY1952

 

Hi Escalader,

more info is needed:

1. What's your O/S?
2. Are you running as Standard user or Admin?
3. What browser are you using?
4. Which options are enabled in Outpost?

Also, some recent literature on drive-by download attacks Part 1 & Part 2

 

Thanks a good one... tough but good!

 

I've changed my tone since I got bitten by sality awhile back. I use something stronger, but I cannot see how anyone can say something as lite as Pandacloud in anyway hampers them, even one skerick.

 

How about looking at the possible impacts on a person


Major Life Impact

• Full Identity Theft , where someone subsequently used your Identity
• Loss of irreplaceable digital items . photos / work etc
• Large Financial Loss
• Theft of Private Data which was subsequently made Public

Serious Impact

• Credit card accessed with Financial Loss
• Bank Account accessed with Financial Loss
• Fraudulant software causing Financial Loss
• Loss of use of PC a critical time , e.g work deadline
• Private data was lost , victim uncertain how it will be used.

Minor Impact

• Credit card accessed - No Financial Loss
• Bank Account accessed - No Financial Loss

Impact would vary depending on Individual

• Loss of use of PC , due to malware
• Tracking of Online Habits .
• Unauthorized use of PC , e.g as part a botnet

Looking at this throws some new angles for whats most important:

• a backup ,
• keeping some data secure from physical and malware access,
• and knowing what are the policies of your bank and credit card company .

Thoughts ?

 

I agree, Joeythedude. The only way to know how to respond to an incident is to understand the risks and the impacts they would have on you. Corporations (that aren't stupid anyway) will assess the risks and create a recovery plan based on their risk tolerance. Why spend time, effort, & money securing something that isn't worth much to begin with? It's smart for ordinary users to do the same.

 

Escalader - you surprise me asking that queestion ^^

from my POV: secure system and all is done. any other like a software firewall or hosts or hips is hicing

i can say for me that any av or any software firewall can not protect me more than without. av assists me, but virustotal can do same. firewall suppresses unwanted update request form some software i like but cannot change - just a annoying item. (eg notepad++)

dont get confused with my icon, mbam is not really installed here.

anyway - your setup is quite impressive small in comparison with some other overkilling people here - whyever they think that more software would be more secure - which ist definitely wrong.

i assume you only execute programs you let in yourself. any actual browser is safe enough itself, plugins causes the issues (like pdf, java or flash)

so - well done.

 

You didn't answer the questions of wat and hkey.

 

Escalader you probably be secure.
It is very safe to say you are experienced and knowledgeable about these things.
My self just using windows fw. avira and peerblock plus security features from browsers and thus seems more than sufficent for my own needs. More importantly using a limited user account for daily uses. Win 7 has a built in backup feature.

another thread with a similar concept:

https://www.wilderssecurity.com/showthread.php?t=156441&highlight=sygate

 

Thanks for the link- that thread began in 2006, and the first post in it is as valid today as it was then.

 

BrandiCandi, yes and maybe this one too, without trying to go off topic

https://www.wilderssecurity.com/showthread.php?t=111888&highlight=security firewall

 

Yep, those are two excellent threads, not ot imo, the author of whom I used to feel was overly casual about his security approach, where I'd sometimes scoff at his suggestions, but in recent years I've embraced his approach completely. Whether he realizes it or not, Mrk has lots of positive influence on me

*EDIT*

That's okay, Escalader will discuss this when he's good and ready

 

Sorry, but tell me what "sality" is threat wise, a trojan?

 

This is great! Brilliant! I'm going to incorporated these into our analysis with IMPACT as a column and the various threats as rows. Will take a day or so to complete this work. The extra additional threats I will include and this impact concept!

 

Agreed!

To do a risk analysis we need to know the threats and if everybody is patient we will end up with a pretty good classified threat check list.

Let's be clear here I'm not trying to say these threats are NEW but the list will be consolidated in one place.

 

That's fine (my RT AV hasn't really been removed in case anybody thought it had been)

Are you saying a threat may be TOO many security products like they might conflict with other?

 

That's 100% right I'm going step wise here in this thread there is no rush to produce silver bullet set of solutions.

PS: I like Mrk's stuff as well! Make me think.