Security Best Practices

Introduction

Securing your computer is a complex issue. Possible measures are endless, and many of them impose some restriction on the legitimate user, which means there is a tradeoff between security and usability. Couple that with the fact some of them require expert knowledge for proper configuration, and it becomes obvious that it is hard for me to present a list like the one below. Not only do I have to concentrate on a single aspect of security, but such a list cannot possibly be complete. What I can do however, is to try to establish a baseline that I believe provides an acceptable basis, is general and easy enough so that I can recommend it to most end-users, and leaves most of your freedom/comfort intact so that you aren't turned off by the downsides. I strongly recommend everybody to adhere to as many of these practices as they can, for the list below is not nearly all that you can do to protect yourself, but merely a good start.

Tip #1 – Do not use a Windows older than Windows 7

Forget any Windows older than Windows 7. Really. If you are using Windows XP or Vista, I know you aren't going to be happy to follow this recommendation, because reinstalling your operating system is not only a hassle, but setting up everything else after that is a time-consuming PITA. But do please note you only have to do it once, and it is really essential. Problems with older Windows versions are plenty, and include non-existent support, security issues, outdated protection technologies, an unusable UAC, among lots of other things.

Tip #2 – Keep your software updated

After your OS and your software are installed, they should stay regularly updated. Turning automatic updaters on in your applications (or simply not turning them off) is a seamless and frustration-free method of making sure you are always up to date. Then again, some users do prefer to turn their updaters off (for reasons that are also valid and that I'm not going to elaborate on now), but as it happens, I have a solution for them too. Life without automatic updates wouldn't be so bad if only you didn't have to check for updates app by app. Well, you don't. You can use just one centralized updater for all your programs, which will automatically scan your computer (whenever you wish or at regular intervals) and notify you of available updates. One such app I have found to work well (and which even has a focus on security) is Secunia PSI. If you want a good app that will not only scan for updates but will even download and install them in one place, be sure to check out CNET TechTracker as well, though for this latter one you will need to create a free account on CNET to get the most out of it.

Tip #3 – Say "no" to crap in installers

Ever wondered how all those browser toolbars got installed on your PC? This is how. Installers of free software often try to install additional things on your computer that you never even asked for; they do it because they get paid for every such installation. If you're alert during the setup procedure, though, you can tell legitimate software not to install other crap on your machine. This additional software is not only useless most of the time, but is also a liability for both your privacy and security – "Which software has the fewest holes on my computer?", you ask – "Well, of course the one that isn't even installed!" Keep your eyes open, and don't just automatically click "Next" in installers, but check whether the current page is asking for your permission to set up unnecessary stuff. Just say "No!"; there is no need to feel discouraged from doing so. They are trying to trick you into it.

Tip #4 – Get a router, it is kind of a hardware firewall

For your home, get a router if you don't already have one. Better routers have very good firewalls with sophisticated features, but even cheap ones provide good inbound protection because they perform NAT. They will protect you against many attacks even when all your PC's defenses are down. Besides, a router is a requirement anyway if you want multiple devices at home connected to the internet. Depending on what kind of internet connection you have, your provider might even be making you have one (in which case they throw one at you for free). Routers sometimes impose some extra configuration upon you for a small number of applications, but since these devices are so common, guides are plentiful on the internet to help you out in those rare cases.

Tip #5 – You also need a software firewall

Most firewalls in routers can only filter inbound connections, and even those that can filter outbound ones are absolutely incapable of differentiating between two applications if they use the same ports. Which means that in that case they will be unable to tell your browser from malware! Software firewalls can make this distinction. If you think it is already too late once you are infected, think twice. Even after you get infected, an outbound firewall can limit the activation or spread of the virus inside your computer (by disallowing control connections or the download of additional malware), or prevent it from spreading in your network. Also, don't just think of malware. Privacy is closely related to security, and pretty often limiting even legitimate software is part of protecting your privacy.

Tip #6 – Disable AutoRun/AutoPlay

It is one of the first few things I do after I install any system: disable all autoruns. See this article about the necessary steps. It protects you from the infected USB drive of a friend who hasn't yet realized he has a virus on it. This tip is also important for those among you with laptops. If you have autoruns enabled, all it takes is 3 seconds to infect your computer with all kinds of nastiness. Someone only has to plug in an appropriately prepared USB drive, wait a sec, and unplug it; you wouldn't even notice, because it generally takes you longer than that to turn around for basically anything.
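As an added example (not from the original article or the article it links to), the PowerShell script below audits the NoDriveTypeAutoRun policy value, the registry setting that controls AutoRun per drive type, and shows which drive types are still allowed to autorun. The function name Get-AutoRunStatus and the two sample values are constructed for illustration.

```powershell
# Added example: audit the AutoRun policy. Written for PowerShell 2.0+ (Windows 7).
$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName    = 'NoDriveTypeAutoRun'

# Each bit that is SET disables AutoRun for one drive type.
$DriveTypeBits = @(
    @{ Mask = 0x01; Name = 'Unknown type' },
    @{ Mask = 0x04; Name = 'Removable (USB stick)' },
    @{ Mask = 0x08; Name = 'Fixed disk' },
    @{ Mask = 0x10; Name = 'Network drive' },
    @{ Mask = 0x20; Name = 'CD/DVD' },
    @{ Mask = 0x40; Name = 'RAM disk' },
    @{ Mask = 0x80; Name = 'Unknown type (reserved)' }
)

# Hypothetical helper: decode a NoDriveTypeAutoRun value into a per-drive-type report.
function Get-AutoRunStatus {
    param([int]$Value)
    foreach ($entry in $DriveTypeBits) {
        $state = if ($Value -band $entry.Mask) { 'disabled' } else { 'ENABLED' }
        New-Object PSObject -Property @{ DriveType = $entry.Name; AutoRun = $state }
    }
}

# Constructed sample values: 0x91 leaves USB, fixed, CD/DVD and RAM disk enabled;
# 0xFF disables AutoRun for every drive type.
foreach ($sample in 0x91, 0xFF) {
    Write-Output ('Sample value 0x{0:X2}:' -f $sample)
    Get-AutoRunStatus -Value $sample | Format-Table DriveType, AutoRun -AutoSize
}

# Audit the live machine-wide and per-user policy values.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $path = Join-Path $hive $PolicySubKey
    $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ('{0} : {1} is not set (Windows default applies)' -f $path, $ValueName)
        continue
    }
    $value = [int]$item.$ValueName
    Write-Output ('{0} : {1} = 0x{2:X2}' -f $path, $ValueName, $value)
    Get-AutoRunStatus -Value $value | Format-Table DriveType, AutoRun -AutoSize
}

# To disable AutoRun for all drive types machine-wide (run from an elevated prompt):
# Set-ItemProperty -Path (Join-Path 'HKLM:' $PolicySubKey) -Name $ValueName -Value 0xFF -Type DWord
```

Any drive type reported as ENABLED on the live system is one where AutoRun has not been turned off by policy.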

Tip #7 – Antivirus are relics, but still useful

No matter what a company tells you about how advanced their antivirus technology is, antivirus software is just plain stupid. I mean, not its principle or goal, but the way it tries to detect malware. It cannot be helped; that's how the current state of the art is. While one can be significantly better than the others, all of them are primitive, and anything else you hear is just marketing. Chances are you have already heard others say that malware and antivirus are a cat-and-mouse game. This is nothing new and has always been the case, but with the internet more ubiquitous than ever before, innovations in antivirus technology basically non-existent, and the number, sophistication, and even funding of malware exploding rapidly, the cat is falling further and further behind the mouse. Get an antivirus if your computer's performance can afford it; it doesn't hurt (*cough* usually). An antivirus is a useful layer in your computer's security, but don't overestimate its value. If you rely on an antivirus as your only line of defense, your computer's security is pretty bad.

Tip #8 – UAC is your friend now

UAC managed to get a really bad reputation, for it was unbearably unfriendly in Windows Vista. As a consequence, Vista users turn it off, but not only that, even a lot of Windows 7 users turn it off because they got used to that under Vista. And truth be told, I cannot blame them. Though it increased security a lot, it was a disaster for the user experience. Thankfully, Microsoft learned and upgraded UAC in Windows 7, at which point it became very usable while still maintaining a sensible level of security. Importantly, what many users do not know is that UAC is much more than just the confirmation dialog that pops up when a program is trying to gain admin rights – that is only what is directly visible to the layman. It adds a load of protection and virtualization features behind the scenes to segregate Good from the Bad, even when no UAC prompt appears. Do not turn it off.

Tip #9 – Choose your passwords well

Current research indicates that any password should be at least 8 characters long; you can make it 6 if you want to cut corners, but no less. Try to have lower- and upper-case characters in it, as well as numbers. Never make personal information (like your or your love's name, birth date, address etc.) part of your password, because as unlikely as it may seem, an attacker probably already knows these, and variations of these are going to be among the first things he tries. Oh, and do not use the same password everywhere. I know (hell, everybody knows) that good passwords are hard to remember and annoying to type in, but they are important. To ease your burden, use a password manager like KeePass. It will generate good passwords, remember and organize them, and will even type them in for you when asked. That way you only have to remember a single password (but be sure to keep it very safe), and the rest won't be a hassle anymore.

Tip #10 – Use your common sense

Possibly the most important advice I can give you. That's right, if you decide to implement only one thing from this list and no more, make it this one! The rule is simple: read, think, decide. Probably the most extreme breaches are due to user errors (yep, I'm talking about You), which also includes you being tricked. Take anything you see in internet ads with a grain of salt (or better, just ignore them completely). Deals that are too good to be true are not true. Remember that the "From" address in e-mails is easily spoofed. Carve it deep into your mind that a legitimate institution, company, or website never, never, ever asks you for a password by e-mail. Does an e-mail look different than it normally does? Then think twice before you believe anything it says. And what's the chance of an oil millionaire wanting to give you some of his shares? You are Hansel, and each suspicious story is a candy house in front of you.