I regularly hear variations on a theme:
- “Security vendors blow the threat out of proportion. Don’t worry so much about it.”
- “I’m a careful computer user. I’ve been using computers for years without antivirus solutions and have never been infected.”
- “There’s nothing on my computer that anyone wants. Nobody’s going to bother cracking security on this machine — and even if they did, they’d be disappointed and find someone else to bother.”
- “Security software itself introduces more problems than it solves. I’m better off without it.”
These are seductive ideas, tempting us to take them at face value — because each contains a grain of truth. The important thing to do with such statements, however, is to find that grain of truth and ignore the rest.
For instance, the fact that security vendors tend to blow the threat out of proportion, and misrepresent it to drum up more business, in no way means there isn’t a threat. There definitely is a threat out there.
As someone who has done general support, disaster recovery, and security policy planning for everything from single home users to one of the top 100 Web sites in the world (measured in visitor traffic), I have seen first-hand what’s necessary for security and the consequences of poor policy. In one case, a single receptionist’s computer in a medical office had collected more than 3,000 discrete pieces of malware in a two-month period, and it wasn’t even allowed to visit any Web sites other than two medical databases, one bank Web site, and one e-mail provider.
If you use your computer for Internet browsing enough to view this article at TechRepublic, I have bad news for you: You’re at risk. In fact, merely plugging in an unprepared Microsoft Windows computer to a cable modem can lead to immediate compromise by malicious security crackers.
Something many people don’t seem to realize is that security crackers often perform port scans on randomly chosen IP address ranges, and these port scans are usually performed automatically by already compromised computers. Your computer, then, may quickly become infected and join the ranks of port-scanning computers.
I’ve seen a fresh install of Windows become compromised in less than two minutes when nothing was done beyond attempting to use Windows Update to patch the system — even with all (unnecessary) user configurable services turned off. Make sure you have the security software you need already installed before you plug in that network cable.
The delusion that one doesn’t have anything on the computer that anyone wants is a common one. Far from involving a careful assessment of the value of the information on a computer, this sort of statement merely betrays a distinct lack of understanding of what malicious security crackers consider valuable. Even those whose primary purpose is to gain access to a massive corporate or government database of personal information, a trojan horse presence on a large number of home systems that don’t contain valuable information can prove to be tremendously useful.
“Botnet” is one of the new scare-words of the information security industry and with good reason — anyone can be a target. Even worse, however, is the threat to you in particular, even if you have nothing but an average computer without any passwords, credit card information, or other personal data on it, and it’s a threat shared by other types of systems as well, such as Web servers.
A friend of mine asked my advice a few months ago on the subject of choosing a Web host and software to use to set up a Web discussion forum. When I brought up the importance of choosing a Web host that provided SFTP access for file transfers — so communication with the server would be encrypted during transfers — he expressed the belief that his data didn’t need to be protected that much because there wasn’t really any need to hide what was going to be on the site.
I provided an example of how things could go awry that I knew would change his mind by explaining the dangers of unencrypted authentication. When you use standard FTP to transfer files, usernames and passwords are transmitted in clear text, meaning it’s unencrypted. Once an unscrupulous security cracker has “eavesdropped” on your server login, that person can then get access to the Web hosting account at will. If such a person is careful and you aren’t, you’ll probably never know — and that person could be running a kiddie porn FTP server right under your nose.
The same sort of misuse can occur with your home computer just as easily. Not only does this point out that malicious security crackers can find an unpleasant sort of value in gaining access to your system that you might not have guessed, but it also makes it clear that simply limiting access to people who have the right credentials is not going to cut it for real security.
While some security software certainly does introduce very real problems, such as the all-too-common “turn off Norton to make everything work,” that in no way suggests you should just avoid security software entirely. The key point here is that some security software is worse than other choices. You should try to be aware of what will serve your needs best and add the fewest frustrations and problems to your computer activities, rather than just give up on the idea of security software entirely.
Each and every platform requires some security software to maintain reasonable safety. Periodic rootkit checks on a Linux or BSD UNIX system are as important as daily virus scans on a Microsoft Windows system, and nobody should run a computer without some kind of effective firewall protection. Just be aware that, for instance, some antivirus software options are better than others.
Careful use is important, but not enough. Keeping your system’s security patches up to date is also important — but also not enough, as proven by the fiasco of the SQL Slammer worm a few years ago and by the tendency of some software vendors to sit on a reported vulnerability for months at a time rather than patching as quickly as possible when they can keep their customer base in the dark. Don’t trust the Internet, don’t trust that being careful is “enough,” and don’t trust your software vendors.
One thing you can trust is the statement that you are at risk. Recognizing that fact, and being diligent in protecting yourself from that risk, is the only way to be safe — but just in case, keep double-checking to make sure you haven’t been compromised, no matter how well-protected you think you are.