These days data security is becoming an important part of everyone’s life. Based on my experience I compiled 20-plus things you can do to ‘Be Secure, Be Happy’. I have tested all of them in my home lab and on others’ computers. You can follow the steps in any order you like; there is no restriction.
I could write a lot about each option mentioned here, but for the purpose of this article I will describe each one briefly. If I need to write a separate article, I will provide a link here. Most importantly, to use or implement some of these things you need to learn and understand the complications involved in each solution. For that reason I have provided as many references as appropriate. Please do your homework before you try to implement any of these, or comment below with your question so that I can reply.
- Scan your file with multiple free malware engines at once.
- Scan your computer with multiple malware engines, one by one.
Please read my blog entry Malware Scans – Multiple Engines, Online Scanners for more information.
- Use good passwords which are easy to remember and hard to guess.
To make a good password, take a sentence, for example ‘I was born in 1970’, and remove all the spaces or replace them with the pipe character (|), making the password i|was|born|in|1970. Passwords with 14 or more characters are impossible to break. Here is a good link with good suggestions on password policy. I really liked this, very simple and informative. Please remember never to write your passwords on Post-it notes and stick them on your monitor or in some other visible place. Use the same principle for all other sensitive information.
- Change the default settings of all your equipment, mostly user names and passwords.
Any hacker or script kiddie with little knowledge can get you if you do not change the default settings on your computers, routers, switches or smartphones. To get a better idea, just go to Google and type ‘default passwords list’; you will be surprised to see how many sites come up. If you go to any of the default password list pages you will see that the most commonly used words for login names or passwords are admin, tech, HTTP, multi, and password. I found several devices that have no password at all. Vendors do this to allow their devices to work ‘out of the box’ without any additional setup, as Plug and Play. This is true even for the most expensive routers or switches, hardware-based firewalls and even databases. If these settings are left as is, anyone with little knowledge can very easily access your devices and exploit them further. Please refer to your product vendor’s documentation on how to change the default password.
Most importantly, you should disable the Guest account and change (or set) the Administrator password or, even better, change the Administrator name in your Windows OS.
- Anti Executable – Software Restriction Policy (SRP), which allows your computer to run only a white list of applications that are considered safe. This is a great option to protect your computer from most malware. You may have users who intentionally or unintentionally install applications, or malware that installs other programs. You can protect your desktops with SRP. In Windows 7 Microsoft improved this and calls it AppLocker; I need to test this feature in the beta version.
- For a very good description of SRP visit Microsoft’s TechNet page, which also contains information on how to implement it in XP.
- You can follow Microsoft’s guide for XP, and
- You can follow Microsoft’s guides for Vista.
Apart from Microsoft solutions there are also third-party applications. Faronics Anti Executable is one of them. Here are the links for the product’s main page, the key features comparison between Standard and Enterprise Editions, and the review. I have a feeling that Faronics Anti Executable has more functionality and ease of use. I would appreciate any comments on this.
- Disable AutoRuns.
Sometimes disabling auto runs will definitely help to reduce the spread of malware. The recent worm Downadup, which affected nearly 10 million computers worldwide in a span of two to three weeks, uses the auto run feature to spread through removable devices. Please read my other post What are the consequences if you are not “Be Secure, Be Happy”? for more information on this worm and other important information related to security.
How to disable Auto Runs? Most of the time, when you insert a thumb drive or CD/DVD, you can hold the Shift key to disable auto run. If you want to disable it permanently on all drives, edit the registry value NoDriveTypeAutoRun under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ and set it to 0xFF in both XP and Vista. It is that simple.
If the above solution is not working properly, you may also need to remove the following entry for each user separately to clear any cached information for removable devices and network folders that you might have connected earlier. Please remember you need to reboot your computer in order for the settings to take effect.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
If you share your computer with many people, or if it is a public-access computer, I would recommend disabling USB ports and removable drives.
The following solution to disable autoruns is recommended by many over Microsoft’s solution above. I found it at the US-CERT site and at the blog of the actual author, Nick Brown, in his post Memory Stick Worms. The comments contain very good information, a good read for techies. The following is the extract from the site.
To effectively disable Autoruns in Microsoft Windows, import the following registry value:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Note: If you see a smiley after @SYS in the above line, please replace the text with the text from the following image or follow the same instructions at the US-CERT web site. WordPress is converting the text after : into emoticons. I know how to disable this for the entire blog, but not for a particular post. I feel emoticons are important to express ourselves and I want to keep using them as needed and also for my commentators. I appreciate your cooperation in this regard. I will update the post once I find how to disable emoticons for a particular post.

To import this value, perform the following steps:
- Copy the above text between HKEY… and …..DoesNotExist, including quotes
- Paste the text into Windows Notepad
- Save the file as autorun.reg
- Navigate to the file location
- Double-click the file to import it into the Windows registry
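The two registry settings described above (the NoDriveTypeAutoRun policy value and the IniFileMapping override for Autorun.inf) can also be checked, and optionally written, from PowerShell. This is an added example, not part of the original post or the US-CERT text; the -Apply switch and the report layout are assumptions of this example.

```powershell
# Added example: audit the AutoRun settings described above.
# Without arguments it only reports; with -Apply (this example's own switch)
# it writes the missing values. Writing to HKLM requires an elevated prompt.
param([switch]$Apply)

$settings = @(
    @{ Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name  = 'NoDriveTypeAutoRun'; Value = 0xFF; Type = 'DWord' },
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
       Name  = '(default)'; Value = '@SYS:DoesNotExist'; Type = 'String' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the named value does not exist.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

$report = foreach ($s in $settings) {
    $current = Get-RegValue $s.Path $s.Name
    $ok = ($null -ne $current) -and ($current -eq $s.Value)

    if (-not $ok -and $Apply) {
        # Create the key if it is missing, then write the expected value.
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
        $current = Get-RegValue $s.Path $s.Name
        $ok = ($current -eq $s.Value)
    }

    [pscustomobject]@{
        Setting  = "$($s.Path)\$($s.Name)"
        Current  = $current
        Hardened = $ok
    }
}
$report | Format-List

# The per-user cache mentioned above: report it, do not delete it here.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp2) {
    $count = @(Get-ChildItem -Path $mp2).Count
    Write-Output "MountPoints2 holds $count cached entries for the current user."
}
Write-Output 'Reboot the computer for changed settings to take effect.'
```

Run it once without arguments to see the current state, then with -Apply from an elevated prompt if either setting reports Hardened as False.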
- Install decent antimalware.
AV-Comparatives.org and Virus Bulletin are the sites you can depend on to choose a solution for your need. Once you have installed your antimalware product, update the malware definitions every day. Some vendors have the option to update every hour or even every few minutes. Let me assure you of one thing: no antimalware is perfect. If you look at the history of which vendors responded first with a solution for a malware outbreak, there is no consistency. I would say which one to use is a personal preference, and follow the alternate solutions mentioned in #1 and #2 in this list. Most importantly, install ThreatFire, a free zero-day threat detection tool based on malware behavior patterns. This will help your existing AV tool to increase its detection rates. Visit their site to learn more.
HiJackfree is a free tool for advanced users who want to scan their computer for any kind of malware (virus, spyware, worm, Trojan, etc.), with no live protection. At 2 MB, it is a good tool to have in your security toolbox.
- Install a decent two-way firewall.
Microsoft has a built-in firewall that most home users are not aware of. It blocks only inbound traffic. There is no satisfactory explanation from Microsoft for this implementation. Hopefully it will be improved in Windows 7 (I installed the Windows 7 beta but have not reviewed it much). Again, most antimalware vendors provide a bundled firewall, so you may not have to look separately for a different firewall. Here is PC Magazine’s firewall comparison.
- Use a good (and free) anti spyware application.
There are several tools on the net claiming that they scan your PC for spyware, but the programs themselves are ‘spyware’, so be aware of the trick that the bad guys play. Before you use any tool, please check its credibility by looking for references, or use Web of Trust for page ratings. The well-known antispyware tools are Spybot Search & Destroy and Ad-Aware from Lavasoft. Here is PC World Magazine’s review of antispyware tools, in which Spybot S&D, also my favorite one, is rated better than the other.
- Update your Windows OS with Windows automatic update.
Turn on automatic updates in your Windows OS and perform regular updates so that your vulnerability level is very low. If you are a corporate user, your system administrator would use SMS (System Management Server) to update your PC. Alternatively you can go to Microsoft’s update page using Internet Explorer (this page does not support any other browser) to perform an interactive update. This page will update all installed Microsoft products apart from your OS.
- Download and install only trusted applications
How to identify trusted applications? The best way is to look for any awards that the product has received from an independent third party, look for reviews, Google it, or use Web of Trust for page ratings. Never, ever put yourself at risk by installing a tool from untrusted sources. If you want to test something, isolate a PC and install it on that test PC.
- Update all your applications regularly – Vulnerability Scanning
This part is really hard. It is really difficult to keep track of all installed applications and keep them patched, especially if an application does not have an auto-update mechanism. In this case Secunia PSI (Personal Software Inspector) and F-Secure’s Health Check online scanner become handy tools for anyone. Secunia PSI, a tiny application, checks all the well-known (again, well-known) installed applications and compares their patch level against its database. F-Secure Health Check is an online scanner and will also check for any known vulnerabilities. They will give you a report of the installed versions of the applications on your computer and the latest versions available on the vendors’ sites, with appropriate remedial solutions. You may want to run them once every two weeks to check your computer. Again, do not use just any tool that you come across. Check its credibility by visiting reference pages, by Googling, or at StopBadware.org.
- Avoid free Wi-Fi or Hotspot access points and turn off Wi-Fi on your mobile when not in use.
Avoid free or public Wi-Fi access unless you have done most of these things to immunize your computer. If someone can get hold of your smartphone’s Wi-Fi signal, they can easily get your data. So turn off these options; on some phones you should also turn off WLAN.
- Secure your Wireless router at home or office.
Update I: Drew in his comment pointed out that WPA2 in AES mode is secure, not WEP (Wireless Equivalent Protocol), and mentioned that a MAC address can be spoofed. He is correct; thanks, Drew, for your corrections.
Use WPA2 in AES mode and set your router to accept connections only from the known MAC or physical address of your network card. A MAC address is a 12-character alphanumeric number assigned to your network card by the vendor. Please refer to your internet modem/router user manual or the vendor’s web site on how to do this. Due to the large number of models I cannot provide a how-to guide here. But if you have any specific question please feel free to email me or comment below. And even more important, change your default user name and password as mentioned in #4.
To find the MAC address, type ipconfig /all at a command prompt. Here is an example of my MAC address. If you have more than one network card (a wireless card and an RJ45 card), it will list all of them.
Physical Address. . . . . . . . . : 00-1B-38-14-1B-08
- Do not share your sensitive information with strangers or publish it at social networking sites.
Very important! Please read my other post What is Sensitive Information? for better understanding.
- Implement a reboot to restore tool to protect from unwanted changes to your computer.
Reboot to restore tools for personal computers have existed for quite a long time, but not many people know about them. In recent years they have become most popular with schools, Internet cafes and some call centers, but not with large corporations. I have a gut feeling that with careful planning and implementation this kind of tool could be very useful in the corporate environment. I will write more about this in a separate article at a later point in time. These tools save you the hassle of reimaging or restoring the computer after corruption. Once you set up any of these tools, if you then install any other application or make any changes to your computer, including deletion of the most important files, the tool will revert the computer to its original state, just like new, after a simple reboot. This includes changes made by a virus, spyware or any malware.
The two most popular tools are SteadyState, a free tool from Microsoft, and Faronics Deep Freeze, a third-party tool. Some initial work is required to set up either of these, and some initial planning too. So I will give you details in a separate post, Reboot to Restore. In the meantime you can visit the Microsoft SteadyState and Faronics Deep Freeze pages for how to install them and for further instructions. Please read ‘Before you install Reboot to Restore’ tool.
- When on the net, make the STOP, THINK and CLICK procedure a habit.
This is the most difficult habit to form, but it is easy if you install a web page rating tool like Web of Trust. WOT will provide you feedback about the site you are visiting. This tool got a very good rating of 4.5/5 at CNET.com. The most recent versions of “Total PC Protection” solutions from several vendors also incorporate a way to inform the user about the rating of the web page being visited and even to block the page completely.
Another option is the File Advisor service by Bit9. With a simple upload this service will give you every detail about the file including original name, size, creation date and much more. A good service to use!
F-Secure claims that their Exploit Shield tool will protect you from web-based malicious exploits and stop malware at the first point of infection, which protects your computer. This is in beta and you can test it by downloading it.
- Encrypt your computer’s HD, not just your important data files.
Why encrypt your entire hard drive? Nowadays portable computers are highly targeted. If an encrypted laptop is stolen, the data will not be accessible. Now which encryption is best, software based or hardware based? There are pros and cons to every solution. Please read the article Whole disk vs. file based encryption. I would choose hardware based. The main reason is that in the long run you need not face support issues; just install it and know that the data is encrypted and accessible only through a key card. The best solution in the market is SecureD, which complies with FIPS 140-2 Level 3 (Federal Information Processing Standards). For Windows XP and Vista Home edition, the Encrypted File System (EFS) option is available to encrypt at various levels. Here is a simple step by step guide for your reference. In certain editions of Vista you can use BitLocker; visit the Microsoft page for the EFS implementation guide. TrueCrypt is a third-party free open source disk encryption solution, which is trusted by many hackers in the community. It is important to remember that implementing encryption may cause performance degradation.
- Use encryption to store your data on removable devices or use encrypted removable devices.
TrueCrypt is one free solution you can use to store or back up your sensitive data, apart from Windows EFS (as explained above). But remember that you need to keep the key or password in order to use the data at a later point in time. IronKey manufactures removable devices with ‘Self-destruct sequences using advanced “Flash-Trash” technology’ to erase data if someone tries to access the data without the proper key. IronKey’s products are among the best products available.
- Use encryption to communicate your sensitive data via email and for VoIP
There are several solutions to send data securely. A free web-based solution is Hushmail. Every email client (Outlook 2003 and 2007, Mozilla Thunderbird, Novell Evolution) has a built-in option to send encrypted emails. Click on the respective links. Both sender and receiver need to have some knowledge of how to send and receive encrypted emails. For web-based email clients, there is some support with the GPG/PGP protocols. You may want to Google for the same.
For your VoIP calls, Zfone is available from the creator of PGP, Phil Zimmerman. Update II: A recent study concluded that many employees undermine laptop security, mainly due to the implementation of encryption. Please read it here, a good read for non-IT security personnel.
- Shred everything beyond recoverable state.
How many times have you seen someone shredding a very important document before discarding it? You need to use a very good document and CD/DVD shredder before you throw them in the garbage. Most importantly, you may never want to send out your old hard drives. A single hard drive needs to be formatted 7 times if you do not want anyone to recover the data. Even better, destroy it if you feel that it contains very sensitive information. Update III: There are other tools and methods to securely erase your hard drive. I found a good article for the same.
- Finally shut down your computer when not in use, even for an hour.
It is always a good idea to shut down your computer when you leave work, or when you go out after using it for a while at home. Never leave your Internet connection on unless you really need to. I see some of my friends log in to their IMs and leave them as is, even on weekends and at midnight.
- Disable unnecessary services in Windows XP and Vista
This may not be related to security, but I felt that if you choose to implement several solutions in the list, they may slow down your PC. I hope this helps to speed up your PC a bit more. You can also use the Autoruns tool from Microsoft SysInternals to disable some programs from loading. Be careful and back up your important data before you make any changes from this section. To access Windows services, type services.msc at the Run prompt (Windows Key + R or Start -> Run) and press the Enter key.
Windows Vista: There are over 130 services in Windows Vista. The biggest question is which services can be disabled? I thought that I would write my BIG BOOK on that. Fortunately someone else has done that in a better way, so I will simply redirect you to the TweakHound.com page. If you need more info, go to SpeedyVista.com for the list of all Vista services and their descriptions (it has better descriptions on one page), and to VistaWired.com for step by step instructions and the list of services you can disable.
Here is the list of services that you can disable, for your quick reference, with a direct link to the VistaWired.com page on why you can disable each service.
Windows XP: There are over 110 services in XP; by default not all of them are started. Some of the services are started by the depending program at the time of execution, then stop automatically. I would like to direct you to the BlackViper.com site for the list of all XP services. Please visit this page for the list of 25 services that you can safely disable, listed in a Freelist.org post.
Finally, a caution: if you choose to implement SteadyState, antivirus, encryption and Anti-Executable together, you will experience significant performance degradation. So you need to experiment and decide what you actually need.
I hope you gained some valuable insight about your own security.