Usability versus Protection result of a survey

Discussion in 'other security issues & news' started by Kees1958, Sep 17, 2006.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Topic: Multi layered security setup research (and advice) on usability versus protection [UPDATE]

    Based on the comments of experienced 'Wilders posters', some of the choices were discussed. Discussing security is the same as with art, religion and beauty: there are as many opinions as there are people; everyone has his/her own preferences and priorities.

    I updated this post with the experience gained from the feedback of my colleagues.

    The IT-manager of the company I work for, always uses IT-students to do additional security research.
    Recently he asked an IT-graduate to configure a multi layered security setup for the home PCs of our employees with the following limitations:
    • use the test method Kareldjag describes in his reviews
    • available budget is 50 euros once, with no recurring annual fees
    • use as much freeware as possible
    • determine setups for TWO types of users: power/geek user and advanced/normal user

    After receiving the first feedback of some of my colleagues, the IT-manager made some changes:
    1. Simplifying the three user categories to two.
    Too many of my colleagues thought they could handle the advanced user settings (when following the
    installation script). For this reason the IT-manager decided to supply only two installation scripts.
    2. GeSWall ended in the study of the IT-graduate just above Sandboxie. A few of my colleagues proved
    that Sandboxie has a higher 'drive by' protection than GeSWall. This is the reason the IT-manager now
    has selected Sandboxie.



    Normal/advanced user: security illiterate to security aware user, should not get pop-up messages, looks at functionality not programs, downloads music, movies and surfs the internet for information and other hobbies, occasionally tries new programs.

    Security layers:
    - traffic : firewall only inbound protection Microsoft firewall FREE/Nat Router firewall, (note 1 and 4)
    - data : antivirus ANTIVIR FREE (note 2 and 3)
    - process : Cyberhawk FREE to protect against DLL-injection, et cetera
    - registry : also Cyberhawk
    - threat gates : DefenseWall paid version (30 US lifetime license) to protect the gates of your PC
    (Internet, P2P, e-mail, floppy drive, DVD/CD-Rom drives)
    - data theft : none (note 1)

    Total installation time on average 20 minutes
    Total cost 30 US dollars


    Power/Geek user: security hobbyist, can interpret info on micro level (e.g. process, registry) pop-ups, frequently improves functionality of PC by downloading new programs
    Security layers:
    - traffic : Comodo firewall FREE
    - data : antivirus ANTIVIR FREE
    - process : Antihook FREE to protect against DLL-injection, modification, mother-child related start up
    - registry : MJ Registry Watcher FREE
    - threat gates : Sandboxie FREE to protect the gates of your PC
    - data theft : covered by firewall

    Total installation time on average 3 hours
    Total cost: none, all freeware

    Notes:
    1)
    In the Netherlands most banks use a token calculator besides a password and user id to facilitate on-line payments. Theft of a password is useless without having the debit-card and a token calculator of that bank. Firewall protection for outbound traffic is rather pop-up noisy and difficult to configure. Ashampoo firewall was considered, but slowed down the test system too much and still has some bugs. The easy setup of Ashampoo would certainly qualify it for normal users once these issues are improved.
    2)
    To overcome the sometimes troublesome updates of Antivir free, 6 invisible updates were added in the scheduler spread across the day. Antivir has an option to start a scheduled update when the starting time has passed, although this does not always work correctly.
    3)
    In the Netherlands most users have broadband ADSL. Nearly all service providers offer an e-mail virus scanner security, therefore ANTIVIR with its strong protection level, but without e-mail security, qualified. To overcome the sometimes troublesome updates of ANTIVIR free, eight invisible updates are entered in the scheduler, spread across the day to guarantee updates of the engine and software.
    4)
    Wireless is very popular in the Netherlands; most home users have a Nat-router. To help the (advanced) user, instructions were given to use encryption and MAC address control. Also service port 113 was sent into oblivion by redirecting it to a non-existent IP-address. When having a Nat-router with built-in firewall, Microsoft firewall was disabled to save processor load.



    Closing remarks
    - IE7 was used as browser, because many music and movie download sites require internet to facilitate payment. When you did not need this IE-feature, others (Firefox, Opera) were advised.
    - use SpywareBlaster for additional bad ActiveX/sites protection
    - use Ad-Aware FREE to occasionally check on spyware; during the testing period, Ad-Aware did not find spyware
    - use of real-time anti-spyware programs was considered not necessary, due to multi layered defence
    - use a second opinion virus scanner from time to time (Bitdefender free)
    - use SafeXP (we got a picture of which options to de-select)

    I now use the normal user option
     
    Last edited: Sep 22, 2006
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry one writing mistake:

    Power user frequently downloads programs to improve functionality
     
  3. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Since Bubba closed the other thread, I'll repeat my questions here:

    How were programs chosen for each group? (Example: why do the normal and advanced user get DefenseWall and Prevx Home but the power users get GeSWall and MJRW?)

    Also, isn't Prevx Home discontinued?
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Why does only the advanced user get a NAT router?
    A NAT router is the most basic "idiot proof" security you can get.

    Who will be doing the setup? The end user or someone knowledgeable?
    This can make a big difference in both usability and protection.

    By "data theft" are you referring to physical data theft or remote "hacker/malware" data theft?
    Encryption can protect from physical data theft but not remote data theft if your computer is compromised.
    An outbound firewall does not help with physical data theft but it can help prevent some malware from "phoning home" so it can be useful for remote data theft.

    Note 1 bank token calculator:
    How does this help if your computer is compromised?
    Instead of visiting your bank, you are directed to the fake look alike bank website.
    There you enter your password and token code and the hacker has access to your account at least for one transaction.

    Here's info on Port 113: http://www.grc.com/port_113.htm
    You may not need to forward the port to oblivion on newer routers if you want full stealth.

    Recommend WPA2 or WPA over WEP for wireless. WEP is better than nothing but it's weak.

    Any type of HIPS for a "Normal" user is a bad idea.

    Harden IE settings if IE must be used.
     
  5. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    I see that most home PC users in the Netherlands have a broadband connection and most have a NAT router. For those who don't have a router I would make sure that they get one. Unless they have dial-up instead.

    I would look seriously at Opera and Firefox instead of IE.
     
  6. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,456
    My only comment on this topic is that it would be very nice if all companies acted like the company you work for... :)
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Questions of WSFuser

    What I understand from the report is the knowledge of the user, for instance the process level protection:
    - Cyberhawk, after installation it works no need for further user intervention
    therefore suited for the normal user
    - ProcessGuard, after installation you still need to put together the white list
    on application level, therefore advanced user
    - Antihook, after installation besides putting together the white list you also
    have to answer a few additional questions (because Antihook monitors
    processes at deeper level), therefore power user

    Same with DefenseWall and GeSWall
    - DefenseWall is also install and forget, therefore suited for the normal user,
    - GeSWall sort of does the same things, but it also blocked the launch of
    printer spoolers in the test. The tester had to change the settings of
    GeSWall, making it a very good program for a power user, but also too
    difficult for the advanced user
     
  8. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Wow... 3 hours for "power user security"? Kind of absurd if you ask me. You can't expect to build a high-security system in 3 days, let alone 3 hours. And what's "data theft covered by firewall"?! What? :rolleyes:
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Questions of Devinco

    Nat-router
    That is true, but the 113 service redirection was considered too difficult to do for a normal user. The setup script also supported older routers (like mine, my 11 router does not have WPA security). I only made a small extract. Indeed WPA was advised when possible.

    Setup support
    Setup was supported with a few questions to determine the knowledge of the user and a script for easy installation.

    Bank calculator token
    We were advised to put the https links in our favourites. Also to close all untrusted processes before starting the electronic banking application. The value which the calculator (it is a real calculator in which you have to put your debit card) returns is only valid for a few seconds. At the end of your session you have to repeat the procedure (identification and confirmation). The confirmation works the other way around: first you put your card in the calculator, then you enter your private pin-code into the calculator, enter the number returned into the PC, the PC gives back a number which you have to enter in the calculator, and that number has to be entered in the PC. Because phishing sites do not have your debit card nor your pin-code, they can do nothing with the info.

    Your statement that a HIPS is a bad idea for a normal user
    When a HIPS is so user friendly that you can install and forget (like Cyberhawk and DefenseWall), why should normal users be excluded from good protection?
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Questions of The Tester

    The IT-manager said that IE is attacked more often, Firefox also has security issues. Therefore it was more or less left to our own preferences. Since IE is installed with windows it was used as reference.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Questions of TNT

    Setup was supported with a script. And installation was not on fine tuning level. The script said, after basic security settings were okay, to go and acquire more information on Wilders and CastleCops or Kareldjag. That's the reason I found this site.

    Data theft: indeed remote hacker data theft. An outbound firewall prevents leakage. Also our IT-manager said that it is very rare for hackers to attack home users. Home user PCs have a chance of becoming a zombie, therefore we had to run Bitdefender free and the ANTIVIR scanner after installing. ProcessGuard also gives some protection because it white lists which programs are allowed to start.
     
  12. Lamehand

    Lamehand Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    428
    Location:
    the Netherlands,very near to the North sea
    I still don't understand the argument to use IE as a browser, especially for the 'normal user', who doesn't know how to secure IE yet; Firefox would be a good alternative.
    I don't think the argument that FF has security issues too is valid, this can be said for all software. It's the way these security issues are handled that makes the difference.
    And if IE is attacked more than FF or Opera it would be all the more reason not to use it.

    Lamehand
     
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    The important point is that a normal user on broadband internet should be using a NAT router regardless of whether they are able to stealth port 113 or not. They should also have Windows Internet firewall on even with a NAT router just in case they so terribly misconfigure the router and put it into bridge mode.

    The best advice given was to instruct the people to visit these security forums. The security knowledge they will gain from asking questions and learning from others will be greater than any preset multi-layered security setup.

    I am not talking about the ordinary phishing site.
    I am talking about the phishing proxy/relay site.
    Your computer is compromised and when you click on the favorite to your bank, instead you visit the phishing proxy/relay site that looks identical to your bank.
    Info you type in is forwarded through the phishing proxy to the bank. Once you are authenticated, the phishing proxy makes a bank transfer in your name. No debit card or pin code needed.

    If Cyberhawk and DefenseWall are simply set and forget and they provide good protection, then it would be fine.
    I am not familiar with the protection offered by either, so I can not compare them to Process Guard or SSM, which would not be good choices for normal users.

    There are increasingly few websites that totally fail with Firefox or Opera.
    There are a few hold outs like some antiquated banks that still require IE.

    Not totally sure of the purpose of this thread.
    Did you want to simply share the results of your company's research?
    Are you looking for advice on how to make the individual setups better?
    Do you have any questions?
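To make the two sides of this exchange concrete, here is an added simulation (not code from the thread or from any bank) of a one-time challenge-response token like the bank calculator Kees1958 describes, with the phishing proxy/relay Devinco describes run against it. The bank, card secret, 8-digit code derivation, 30-second validity window and the three scenarios are all constructed assumptions; a recorded code fails on replay, while a proxy that forwards a live challenge and response in real time is accepted, which is the point made above.

```python
import hmac
import hashlib
import secrets


def calculator_response(card_secret: bytes, challenge: str) -> str:
    """Simulated token calculator: an 8-digit code derived from the card's
    secret and the bank's challenge. The PIN is left out: it only unlocks
    the card inside the device and never reaches the bank."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Simulated bank backend that issues one-time, short-lived challenges."""

    def __init__(self) -> None:
        self.cards: dict[str, bytes] = {}             # card_id -> card secret
        self.open: dict[str, tuple[str, float]] = {}  # challenge -> (card_id, issued_at)

    def enroll(self, card_id: str) -> bytes:
        # Assumption: the card chip and the bank share a per-card secret.
        self.cards[card_id] = secrets.token_bytes(16)
        return self.cards[card_id]

    def challenge(self, card_id: str, now: float) -> str:
        chal = f"{secrets.randbelow(10**8):08d}"
        self.open[chal] = (card_id, now)
        return chal

    def verify(self, challenge: str, response: str, now: float, window: float = 30.0) -> bool:
        entry = self.open.pop(challenge, None)  # one-time: consumed on first use
        if entry is None:
            return False
        card_id, issued = entry
        if now - issued > window:               # "only valid for a few seconds"
            return False
        expected = calculator_response(self.cards[card_id], challenge)
        return hmac.compare_digest(expected, response)


def legitimate_login(bank: Bank, card_id: str, card_secret: bytes, now: float) -> bool:
    """User reads the challenge from the real bank site and types the code back."""
    chal = bank.challenge(card_id, now)
    return bank.verify(chal, calculator_response(card_secret, chal), now + 5)


def replay_attack(bank: Bank, card_id: str, card_secret: bytes, now: float) -> bool:
    """Ordinary phishing site: records the code and tries to reuse it later."""
    chal = bank.challenge(card_id, now)
    stolen = calculator_response(card_secret, chal)
    bank.verify(chal, stolen, now + 5)          # the victim's own login succeeds
    return bank.verify(chal, stolen, now + 60)  # replay: challenge consumed and expired


def relay_attack(bank: Bank, card_id: str, card_secret: bytes, now: float) -> bool:
    """Phishing proxy/relay: fetches a live challenge from the real bank, shows it
    to the victim, and forwards the victim's fresh code inside the window."""
    chal = bank.challenge(card_id, now)                    # proxy talks to the bank
    victim_code = calculator_response(card_secret, chal)   # victim types it into the proxy
    return bank.verify(chal, victim_code, now + 5)         # accepted: nothing was replayed
```

The defender's takeaway matches Devinco's point: the token stops password theft and replay, but not a session relayed through a compromised PC, which is why the advice to keep the PC clean still matters.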
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    My questions are: What did you discover with these setups? Or are you asking for suggestions / advice? Is this mainly informative?
    Mrk
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Indeed it is, and for good reason.

    Personally I don't see these setups as being particularly friendly or practical. With the programs mentioned, I'd just stick with Prevx1*, AntiVir, Comodo PFW, and do some hardening, for a totally paranoid setup to cover all bases (total cost: $20). Much beyond that is just going to be overly redundant and add a lot of potential for conflict and user error. For advanced users, just turn on the advanced options :) Sure you can throw in another app if you want to, but that's going to add features, not security. It also bears mentioning updates to Windows and other software, along with alternative internet software. Add encryption if you're setting up a laptop.

    *- not PrevX
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    PURPOSE: SHARE
    QUESTION: ARE THERE MORE USER FRIENDLY SETUPS POSSIBLE FOR THE NORMAL AND ADVANCED USER?
     
  17. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    originally posted by WSFuser

    This would appear to be correct based on the explanation provided on the Prevx website. Prevx Home and Prevx Pro were replaced by Prevx1. Oddly, a lot of comments left on the CNET download website complained about how CNET had the wrong link and that it should be pointing to a URL link for Prevx Home (which is supposedly obsolete now). It seems a lot of the complaints were directed at Prevx1 being not true freeware like Prevx Home. What the users don't realize is that Prevx1 is free and would only require payment if you needed to remove malware after you used the program. If you never get infected, then it will remain free.
     
  18. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Kees1958,

    There is a big problem with the setups as shown.
    All the members here who have provided analysis and constructive criticism of your setups are not normal users.
    If we have this many questions and trouble understanding the setups, what hope does a normal user have?
    Both the presentation and the content of the setup can be improved.
    There is no such thing as a 100% secure setup. Every setup has weaknesses and flaws, including your IT-manager's setup.
    That is the whole point of posting it here.
    It may appear like we are just trying to criticize and put it down, but this is not so.
    We are trying to help you make your plan better by analyzing, asking questions when ideas are not clearly presented, and offering suggestions for improvement.
    So take off your caps-lock, and let's discuss how to make your setup more secure and easier to use. :)

    Then a NAT router should not be omitted from normal user setup.
    Even under the advanced user, the Windows Firewall should be on even with a NAT router. Why?
    Because the NAT router will be handling all of the inbound attacks from the internet, the CPU load of running the Windows Firewall will be minimal.
    Should another computer inside the LAN become infected, the Windows Firewall will provide some protection for your computer.
    Also, if the user switches to dial up temporarily during a broadband outage, having the Windows Firewall on will provide seamless protection during this period.
    NAT router was also omitted from the Power user setup. A power user that is using an outbound firewall like Comodo will certainly benefit from having a NAT router as all the inbound traffic will be handled by the router instead of burdening the CPU.

    Thank you, I will. I'm sure I missed something.
    Unfortunately, in the US, banks do not offer anything nearly that sophisticated yet.
    It may very well work in the scenario of the phishing proxy/relay as you describe.
    Do you know where I can learn more about the bank calculator token and the whole process explained in detail?
    What is the system called, or the company that makes it?

    If it works as claimed even on a totally compromised computer, then why should a user close untrusted processes?
    How would a normal user even know what an untrusted process is?
    A bank calculator token is still not a substitute for a NAT router.

    Thank you for sharing. I learned several things. Hopefully you did too.
    Yes there are. No matter how good a setup is, there is ALWAYS a way to make it more user friendly and more secure.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
     
  20. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hey, no problem.
    We are here to learn and trade ideas.
    If you think some of the ideas presented here will work for your plan, then implement them.
    I think the Bank Calculator Token sounds like a very secure system for authenticating bank transactions. Maybe it can work securely on a totally compromised computer.
    Cyberhawk and DefenseWall may be more user friendly than PG or SSM, they are certainly worth consideration.
     
  21. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Devinco,

    Reading back the post I noticed I had made some mistakes (one note with wrong reference and one forgotten). Also Prevx Home was not advised for the normal user (just CyberHawk and DefenseWall).
     
  22. ccsito

    ccsito Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1,579
    Location:
    Nation's Capital
    I recall reading a post regarding Cyberhawk that when the user uninstalled it and then discovered that the program left over 100 registry entries on the system. :eek: That is something that a more basic user would not discover. :blink:
     
  23. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    A program's own installer usually leaves trash behind.
    Instead of relying on the program's own installer, use uninstaller tools to uninstall programs and clean up the mess.

    I like snapshot-type uninstallers since this is the best way to uninstall a program.

    You may try Total Uninstall which takes snapshots before and after installation. That implies every change (which is monitored by the program) is recorded and can be reversed upon uninstallation.
     