General Security Comments
Most security specialists consider your backup and recovery plan as part of your security plan. I've put that in a separate page. Please read it.
A caveat is appropriate here. I'm a generalist, ready to consider any challenge a client brings to me. However, there are times when you want a specialist. For example, I would not advise a law firm that does Mergers and Acquisitions about IT security. They need a specialist because their records are extremely sensitive. The point is, if you have serious security needs, find a true security expert, and be ready to pay for it. It is good insurance.
But everyone needs to pay attention to security. I've rebuilt more than one system (format and reinstall everything) because of spyware, viruses, and the like. It often takes too much time to try to expunge everything that shouldn't be there. The point is this--avoiding these problems is much less expensive in time and money than correcting them. And, obviously, none of us want to compromise our financial information, esp. if we do on-line banking (I don't, but I'm a belt and suspenders guy where my money is concerned).
I take security seriously, so I recommend to my clients what I do and use myself.
Steps I take
- I turn off "Enable third-party browser extensions" in Internet Explorer (Tools > Internet Options > Advanced tab > Settings: Browsing)
- I replace Microsoft's Java Virtual Machine with the latest one available from Sun's site.
- I use a good, commercial Anti-Virus product and keep it up to date--renewing the subscription!
- I keep Windows current with Automatic updates
- I use Microsoft Update so my Microsoft Office suite is kept up to date, too
- I have regular updates of Java and Adobe products
- I avoid opening e-mail attachments unnecessarily
- I turn off the 'Hide extensions for known file types' for all folders in Windows Explorer (Tools > Folder Options > View tab, Advanced settings)
- I stay away from scurrilous sites, esp. free games, porn, doubtful free software/music downloads
- I am very cautious about clicking web links in e-mails I receive
The final point, on clicking links in emails, needs more comment. It is very easy to disguise the real web address that a link will take you to. The security tools cannot provide real protection against malicious web sites. Cautious people ignore emailed links, or open a browser window/tab and type in the address they see in the message.
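As an added illustration of that point (this is not code from the original page), here is a short Python check that lists the links in an HTML e-mail body whose visible text is itself a web address but whose actual destination is a different host. The sample message is constructed for the example; the host names in it are placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def looks_like_address(text):
    """True when the visible link text reads like a URL or bare domain name."""
    pattern = r"^(?:https?://)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?$"
    return bool(re.match(pattern, text))

def registrable_host(url):
    """Lower-cased host of a URL with any user@ prefix, port and leading
    'www.' removed; urlparse ignores the 'user@' trick where a real host
    name is placed before the @ sign."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_links(html):
    """Return (visible text, real href) pairs where the text shows one
    address but the link actually leads to a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if looks_like_address(text) and registrable_host(text) != registrable_host(href):
            flagged.append((text, href))
    return flagged

# Constructed sample e-mail body: one honest link, two disguised ones, one plain-text link.
SAMPLE_EMAIL = """
<p>Your statement is ready.</p>
<a href="http://www.bank.example/login">www.bank.example</a>
<a href="http://198.51.100.7/login">http://www.bank.example/login</a>
<a href="http://www.bank.example@evil.example/">https://www.bank.example/</a>
<a href="https://www.bank.example/help">Help Center</a>
"""
```

Links such as "Help Center" are not flagged because their text makes no claim about the destination; only the address shown in the message is compared with the real one.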
Despite my precautions, my system became infected. I received an email from a friend I know well and trust. It had no subject line and only a link that looked fairly harmless. Without thinking, I clicked on it. It was a typical viagra site, but after that my system showed strong signs of infection. I completely rebuilt my system (having to purchase an application that I'd lost the CD for).
Needless to say, my friend didn't send the email, it was created by some malware that had managed to get hold of his address book. Rebuilding my system was, in part, to protect my family and friends from my system being used to do the same to them.
I recommend these precautions and sometimes do the setup for clients who are having problems with spyware/adware. Nothing is perfect, but this seems to be the best we have available.
Passwords
If you are anything like me, you are swimming in passwords. You really should be thoughtful about them as they are the primary method of security for the on-line world. I'm not going to lecture you about them. Better I should offer some practical advice.
Some passwords I have to look up every time I need to use them, because I use them infrequently. There are passwords that I use multiple times in a day, but I've found I could still forget them over a vacation. Thus, I long ago gave up and kept a written record of my passwords.
Time was when all my passwords could be written on a small piece of paper (about the size of a credit card). I had one that I carried in my wallet with my credit cards. Simple enough and much better security than something posted on my computer monitor. When necessary, I'd rewrite the list and destroy the old one. If that works for you, I recommend it.
But today I have so many userids and passwords that the list runs to four pages. I've found it unnecessary to carry a printed copy of the list, so I keep the list in a file on my computer and on a jump drive that I keep with me. The problem with printing it is this--where to keep the printout? Well, what do you keep with you and look after (rarely out of sight)? Wallet, purse, day-timer, notebook... Or, if you use a PDA, you might put a copy there. Whatever you decide, consider the risk of losing the purse/PDA and someone finding the list and using it. Are you comfortable taking that risk? It could mean going back and changing all your important passwords if the list is lost. And the file, how to secure it? Well, one way is to give it a completely unlikely name and subdirectory location. Even better is to encrypt it. It really depends on the environment your computer lives in and how backups are taken and stored. Can you trust the IT person who services your machine? Encryption is a very good idea if you are security conscious and have important accounts to protect. Just don't lose (forget) the encryption password (which is easy to do); that would be a disaster to recover from.
And there is the question of what to use for a password. Most of us who have been taking this seriously have learned to divide our accounts into ones requiring either a 'weak' or a 'strong' password. I find that most of the accounts that I have set up with a password don't worry me. I don't really care if someone gets into one of them. There is no great loss potential. So I use my 'weak' password, or some variant of it that gets past their rules. But, some of my accounts, I really do want protected. These get a 'strong' password.
A password that you can pronounce is easier to remember than one you can't. But using real words or names is really not adequate security for a 'strong' password. What I recommend to people is to make a couple of pseudo words. Grab a book, thumb to a page and put your finger down randomly on the page. Extract a single syllable from a nearby word. Choose a syllable that is not a word by itself. Repeat this procedure a couple of times and stick the syllables together with a single numeric digit between them. Now you have an easily remembered password that is reasonably strong. Actually I have two such passwords and I mix and match syllables from them, moving digits around.
Practical advice for practical people. True security experts probably won't tell you how they manage their passwords. It makes me nervous to post my approach. But, people have to live in the e-world and my job is to help them do it.
A final note about passwords. A friend died recently. No one knew how to get into her files and accounts. Think about it.
Security Software
Every user of a PC running some version of Microsoft Windows must have security software. I won't rely on Microsoft's products in this area. There is at least one free Anti-Virus product you can download, but I don't use it. I pay for a good, commercial product. Dealing with the threats is a big job that requires heavy continuous engineering work and we should expect to pay for it if we want something that will really provide protection.
There are many commercial products. I've used most of them at one time or another. The big names in this field are Norton from Symantec and McAfee. These, in particular, are very large packages that seem to slow the computer significantly. Yes, they work to protect you from all risks, but like any effort to heavily insure against risk, it comes at a substantial cost. I now use NOD32 exclusively. It isn't widely known in the U.S., and that is an advantage. You see, the malware programmers often incorporate defenses against AV products, but mostly focus on the big name products. Anyway, I consider NOD32 to be a superior AV product.
Even though I use a router and that gives me some firewall functionality, I like to run with a software firewall. But software firewalls can be very difficult to configure properly. Most I've worked with are frustrating at best. The exception is the firewall in ESET Smart Security, which also includes the excellent NOD32 Anti Virus product. Usually if you are trying to do something out of the ordinary, you need only put it into Advanced mode and set the firewall to Interactive Filtering mode. Then it can create the rules needed to permit what you want to do. It is really much easier than anything else I've used.
I used to use various products against adware and spyware. But I don't seem to need them with ESET since I set it to block "potential unwanted programs" at install time, which turns on their spyware protection. Anyway such programs can conflict with ESET.
The only downside to ESET is their distribution in the U.S. The only retailer, I believe, is Micro Center. Now I love Micro Center. It's a candy store for me, but there aren't many stores, and it can take most of an hour to drive to the closest one from my office. You can, of course, buy and download it on-line. That's all fine and good if your system isn't terribly infected. Anyway, most of the time I just buy it on-line with the customer and download it.
I should note that some Internet Service Providers include a licensed copy of one of the major security products as part of the service. Locally, Comcast does (based on McAfee), but Verizon doesn't. I think the ESET package is better and worth the $40 /year, but that's just a personal opinion.
Protecting Children
I worry about my grandchildren. They are heavy users of technology and the web is actually a dangerous place for them. When clients have asked me for advice I haven't known what to recommend. There are various products that are available, but none have seemed to me to provide the tools sufficient to protect a young person. But now I do have a suggestion--a network monitoring tool. Read on...
Monitoring
If you have children using the Web (don't they all?), you must be worried about them. News media constantly tell us frightening stories. What is a parent to do?
I attended a briefing by a forensic computer security consultant. He strongly recommended that ALL computers should have a network monitoring tool installed, so it would be possible to see where someone went and what he or she saw, said, downloaded, uploaded--everything. Facebook, email, chat, web sites--everything should be recorded for occasional review.
Sounds like Big Brother from 1984, doesn't it? This requires some serious consideration.
For companies, it is appropriate to be able to monitor how your employees are using company resources and time. You might not welcome it, but, still...
Monitoring the actions and communications of an adult, without informing them, would be highly questionable legally and ethically. Putting it on a computer that you don't own violates the license and possibly the law.
However, such a tool could enable a degree of protection of minors not otherwise available. The typical adolescent might react in horror at the prospect. But that reaction might confirm the parent's fears. What is a parent to do? I think the best approach would be to implement the monitoring tool before the child is a really heavy user and has reached the serious rebellion stage. If you are past that point, good luck.
I looked around for a suitable product to test. I settled on the one recommended by the above-referenced consultant--Spector Pro from SpectorSoft. eBlaster, from the same company, may also be desirable. I bought Spector Pro and have been using it on my computer. It works very well. There is no discernible impact on performance. In "stealth" mode you really don't know it is there. It has all the safeguards you could ask for and really does cover everything you might want to monitor. Also, it can run on most modern computers (Windows XP and later, or Mac OS X).
Okay, it isn't cheap ($99 to buy and $69/yr for support/upgrades), per computer. But you are talking about your children's well-being. Note that it can be a little tricky to install so that it runs properly. My Anti-Virus product, NOD32, had a hissy fit and I had to read advice on their web site and finally call for help. Turns out that in addition to disabling virus protection during installation, I must prevent the installer from rebooting and go into ESET to set some dozen or so file names in an exclusions property (not all of which exist at the time) before rebooting. To make matters interesting, on each reinstall the file names change.
After running perfectly for a week, suddenly my browsers were blocked (other protocols still worked). Uninstalling fixed it. Another call to support and I was sent instructions for special settings in Spector Pro. After another laborious reinstall it seems to be running fine. Well, the support is excellent and it really does work as advertised--when it works.
Where to go to learn about Security
A good place to start is the Microsoft web site. SANS is a reputable source of the latest information. And there are many others.
I generally don't provide links to other sites. Mostly it's that I'm too busy to spend time obtaining permission, which I'm supposed to do. Most sites can be found just as quickly with a good search engine (I like Google).
Call Corzine IT Consulting at 1-781-690-0992
