As you probably know all too well, most IT pros are nothing more than walking help desks when it comes to their friends, families, and even coworkers. How many times have you ended up installing—or recovering—the system of someone who knows next to nothing about computers, let alone security? I admit it: I, too, am not immune to the pleas for help from my nongeek friends.
I recently found myself in one such situation. I was helping a non-computer-savvy friend set up his new Windows computer, and he and I started discussing Windows and security. While I was copying his files from his ancient Apple Macintosh IIcx to his new Windows PC, I noticed that the file sizes of the applications on his old hard drive were miniscule compared to Windows. In addition, his programs were much easier to use. (He still used Word 5.1 for the Mac.)
Even more comical was the size of his hard drive: 120 MB! Of that, he was only using about 30 MB for his programs and the document files he needed me to recover. Windows uses more than 120 MB just for the base operating system, but then again, that's because it's a much more complex and feature-rich OS, right?
When we began the process of setting up the new Windows machine, I told my friend that it would take about two hours to fully update and secure Windows and Office. After hearing this, he wasn't so sure he wanted to get rid of the Mac. All of this got me thinking about the increasing complexity of computer systems and their underlying security.
Internet and information security is the No. 1 issue for most corporations, and that's because they have no choice. Ignoring security means risking the loss of information and business intelligence, not to mention the potential legal, human resources, and public relations issues.
I'm never surprised when I read that more and more companies are making the move away from Windows. Windows is an expensive operating system to secure and support. And I think that Microsoft is failing to deliver on its promise of better security.
By this point, you would think that Microsoft would have at least included an administrative ability to disable or not install any Internet features, but it hasn't. More times than not, Windows systems are vulnerable right out of the shipping box.
In my opinion, regardless of what the so-called experts claim, we owe the majority of Internet insecurity to Microsoft. As the company added Internet feature after feature to the already bloated and buggy code of Windows, it opened the door to massive distributed exploits. In addition, it made the software too complex for the average user to use safely—or, for that matter, for the average corporation to maintain.
And Microsoft isn't the only vendor making its products increasingly complicated—security products are also becoming more complex and more prevalent. It's my job to worry about Internet security, and yet there are plenty of products out there that I've never heard of.
Members frequently send me feedback about this newsletter to recommend an Internet security product they use in their shops. Quite often, the product is something I haven't heard about. And, of course, I occasionally stumble across a product on the Internet that catches my eye.
Because I'm a cynic, I typically find software that doesn't make promises or quote favorable media reviews much more interesting. These days, any software product that claims to be revolutionary, especially when it comes to Internet security, will likely convince me otherwise.
The simpler and the more specific an Internet security product is, the better I like it. I'm convinced that the more feature-rich Internet software is, the more bugs it's going to have—and some of those bugs could be exploitable.
Unfortunately, many organizations fail to use their security tools well, and the problem only seems to be getting worse. Falling victim to hostile attachments, phishing scams, or fake e-mail unsubscribe links should be a thing of the past by now, but these are very real threats.
I believe that the best Internet security tool out there is the one between your own ears. You can implement all the layers of Internet security that you want, but they're all useless unless the user has some form of understanding of how to safely operate a computer.
As for my friend, I ended up fixing his Mac, and he's back to using it to manage his business. And as for the new Windows system, he decided against it: He was too concerned about the security, and it was too complicated for him to learn to use.
Instead, his Windows PC's sole purpose is for surfing the Web, which he does with no fear. He doesn't care about viruses, worms, spyware, exploits, or phishing scams; there's nothing important on the computer anyway. For his purposes, simplicity is the ultimate sophistication—something that Microsoft no longer provides, which a 9-year-old outdated Macintosh still does.
Want more advice for locking down your network? Stay on top of the latest security issues and industry trends by automatically signing up for our free Internet Security Focus newsletter, delivered each Monday.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.