Defense in Depth – How You Can Protect Yourself in This Digital Age

Just to note: there isn’t just one thing to do for internet security. There are multiple things that should be done. This is part of a layered security approach. By having multiple layers, all of these working parts together can increase my security. This layered security is referred to as “Defense in Depth”.

Depending on your ISP (AT&T, Comcast, Charter, etc.), a FREE copy of AV software may be included as part of your internet service.

Here are a few links for the major providers in West Michigan:

  1. AT&T: http://www.att.com/esupport/article.jsp?sid=KB402441&cv=801
  2. Comcast: http://customer.comcast.com/help-and-support/internet/downloading-the-norton-security-suite/
  3. Charter: http://www.myaccount.charter.com/customers/supportgeneral.aspx?pagetype=1

You can run those AV products. However, they are “fat” and take a ton of system resources. As a result they are slow. I’m a huge performance guy and I want as much “oomph” as I can get.

For free AV software you can use:

  1. AVG: http://download.cnet.com/AVG-AntiVirus-Free-2014/3000-2239_4-10320142.html?part=dl-avg_free_us&subj=dl&tag=button
  2. Avast: http://download.cnet.com/Avast-Free-Antivirus-2014/3000-2239_4-10019223.html?part=dl-85737&subj=dl&tag=button

I personally use Avast. Many years ago I ran some tests on the different free AV software for Windows. These tests included several things based on a recent blog article I had read. To me, one of the biggest factors at that time, and still today, is whether the AV software allowed infected files to be downloaded and saved to my hard disk. Some software allowed the infected file to be downloaded and saved to the hard disk but would block the infected file once you tried to open or run it. Other software would block the infected file as it was being downloaded and not even allow it to be saved to my disk.

At the time Avast had the best feature set, the lowest impact on my machine (which means it doesn’t take as many resources as other AV software and is less of a performance hit on my machine), and met the requirements that I had for AV to secure my machine.

Additionally, just having AV isn’t enough. There are other things you will want to make sure you have taken care of.

  1. Windows needs to be updated. When updates are released, get them installed! I personally wait 2 weeks after the update has been released. That way, if something is up with the update and it does something bad to people’s machines, I wasn’t one of them and Microsoft has pulled the update.

  2. Application software needs to be updated. From my readings, application software is the way attackers are now getting into people’s machines, because people don’t keep the applications on their machines up to date! That means keeping Adobe Acrobat, Flash, Shockwave, AIR, Java, Chrome, and more all up to date.

  3. Use firewall software. Windows Firewall would prevent a majority of attacks if people left it enabled. I remember a major worm years ago that was infecting millions of computers and could be stopped just by having firewall software enabled on a user’s computer. Ever since then I keep Windows Firewall enabled on my machine, especially on unsafe networks such as free WiFi at coffee shops, libraries, airports, businesses, etc. Those open free wireless networks are the easiest places for unscrupulous people to try to capture credentials, infect machines with malware, etc.

  4. Use anti-spyware / anti-malware software. Installing it before you are infected is even better. Options include Ad-Aware® (http://www.lavasoftusa.com/software/adaware/), Spybot Search & Destroy® (http://www.safer-networking.org/en/index.html), and Malwarebytes (http://www.malwarebytes.org/mwb-download/).

Personally, I’m a huge fan of Malwarebytes and Spybot. Spybot allows you to inoculate your registry against known infections and also will patch your HOSTS file and block known sites that will cause damage on your machine. Malwarebytes has a Paid / Pro version of the software. That enables the active monitoring feature, which can stop something from infecting your machine as it’s trying to do so, rather than the malware getting successfully installed on your computer and you having to remove it after the fact.

  5. I’m a proponent of internet monitoring, especially for family (keeping my children safe online) and for employees browsing online. I use OpenDNS at home to restrict which types of sites, based on categories, are allowed or blocked. OpenDNS blocks not only content but also sites that install software on or infect user machines. This is just another part of my layered security approach.

  6. Windows has 2 types of accounts: Administrator and User. I recommend using the regular non-privileged User account for all internet usage and for everyday tasks. Regular users cannot install software, nor can they make major system changes. That alone would contain a potential virus or malware infection on your machine.

  7. Use strong passwords. Use different passwords on each website. A few years ago I was using just a few passwords (based on the type of site, such as general site vs. banking, 401K, health, etc.) for all of my sites. Today, I’m still finding occasional infrequently visited sites that are still using the old password, but I’m getting more and more sites using a unique password.

Keeping track of those passwords is difficult. I use a password manager, LastPass (www.lastpass.com), to help keep track. I update the password manager to keep track of credentials, software licenses, and more. I can make a change and all of my devices (work, home, and even mobile phone) have access to that update. It’s extremely handy. LastPass even has a tool that automatically generates random unique passwords for you.

I have a password “policy” that I use to help keep track of my passwords. Say I used to use “Password” for all of my credentials. Now, I’ve been changing that “old password” to use the first 4 characters of the website name. So, say, for eBay the password has been updated to “ebayPassword”. PayPal would be “paypPassword”. This has really made it easier for me to remember each unique password for sites and allows me to have unique passwords for each site, as is best security practice.

  8. Password reminders. Although necessary and required by many websites to allow me to reset a forgotten password, this is highly insecure. Things such as my mother’s maiden name, favorite vacation place, city I was born in, best friend, etc. are easily found online nowadays because of how easy it is to search for that content online! Social media is a treasure trove for a hacker looking for answers to those security questions!

I read an article in early to mid-2014 that talked about this very thing. The author was given a challenge to reset passwords for another author that he didn’t know well at all (which eliminates an insider attack). He was able to get the information and access to bank accounts etc. So, now I’ve been in the process of updating my accounts on sites to use completely fake and inaccurate information for those answers to password reset questions. I use LastPass to help remember the answers. Remember the celebrity nude photo hack from 2014? How did they do that? I just told you!! They found the answers to the security questions on social media! How was Sarah Palin’s Yahoo account hacked during the 2008 presidential campaign? Same thing: the answer to “how did she meet her spouse” was publicly posted / shared online. How have many celebs’ phones / accounts been hacked? You get the point. So, instead of using “Mackinaw City” as my favorite vacation spot I use things such as “Papua New Guinea” as the answer.

  9. Multifactor authentication. I recommend enabling this for every account possible. This gives me even more added security because when logging into my Google Account (used for my phone and everything), my Hotmail account, GoDaddy, etc., I have it text a 6-digit code to my mobile (I supplied that number when I set up the account), or I have an app on my phone that will generate a 6-digit code, etc. Yes, it’s extra work and sometimes a hassle, but it’s SO worth the effort.

  10. The Cloud. I’m a huge fan of cloud storage such as Google Drive, OneDrive, Dropbox, etc. However, there is data that I wouldn’t want someone to gain access to if my account was ever hacked, if an attacker found a vulnerability in the service and could access anyone’s data, etc. I encrypt sensitive data (passwords, health, financial, etc.) using a tool called AxCrypt. It can be downloaded here: http://www.axantum.com/AxCrypt/Downloads.html. I have it installed on my home and work computers. That way I can decrypt encrypted data at any point.

  11. Mobile phone security. Mobile phones need to be protected with a PIN or pattern. That way if they grow legs and take off on me, my device is secured. Mobile phones (specifically smart phones) have broadband internet access. Mobile phones are being exploited in HUGE numbers. Attackers can get software installed and use smart phones to send spam without the owner noticing, as it’s done in the background using the owner’s bandwidth. Smart phones have the same capability and are growing in processing power fast. The point: they need AV software. I use Avast on my Android phone to help protect it against attacks and viruses since phones are being targeted.

  12. Laptop / Smart Phone. Because these devices are small, portable, and can be easily lifted, I use a free service called Prey: https://preyproject.com/. With the free account you can install it on 3 devices. It will acquire the device’s geolocation and IP address, and even use the webcam / camera on the device to take photos of the person using it! So, if it’s lifted I can mark it as stolen and all of this will be used and the data uploaded online so I can find my phone, turn the data in to law enforcement, etc.

  13. Use sandbox software. One of the newest tools in my arsenal is Sandboxie (www.sandboxie.com). This software allows you to run programs such as your web browsers (IE, Chrome, or Firefox) and your favorite email software in an isolated space, which prevents them from making permanent changes to other programs and data on your computer. This is due to malware that I’ve seen a lot of these past few years, known as CryptoLocker, CryptoWall, or other names.

The creators of this software have been geniuses because they are buying ads on Google, Bing, Yahoo, and other ad networks. These ads are displayed on legit web sites & pages. The ad grabs your attention and tricks you into installing software that you are told needs to be installed and/or updated on your computer. Once you install this software, known as ransomware, all of your files (Office docs like Word, Excel, PowerPoint, pictures, videos, etc.) are immediately encrypted. There is absolutely NO WAY to get these back unless you pay their ransom or you have a backup. (Remember: You are dealing with criminals and have absolutely no guarantee that you will be able to get your files unencrypted.)

Sandboxie runs pretty much any software, especially email and browsers, in a separate space on your machine. Were you to accidentally install the ransomware, it would only affect the files in the sandbox, not every file on your computer and any network drives you have access to.

This should be one piece of software you don’t access the web or other online resources without! Currently, they are running a promo for home users where you can purchase a lifetime license bundle to run on 3 computers (http://www.sandboxie.com/index.php?HomeUse). I’d recommend this in a heartbeat!