This blog post is intended for those who are basic to moderately advanced (A+) users of Windows.
I know some of you will sit here and say, “Windows!? How can you secure that!? Microsoft doesn’t know how to secure anything!” The reality of the situation is that since 2002, Microsoft has been at the forefront of security research, disclosure, and even on the offense against major spam players and botnets. The company has been a major contributor to the overall positive health of the internet, and long gone are the days of the Blaster Worm completely ravaging internet-connected systems.
That said, the threat landscape has changed over the years and below are some techniques you can use to ensure that your system stays malware-free.
- UPDATE: You should be keeping all of your software up-to-date on your PC. Windows has had an automatic update procedure since 2000 SP4 and there have been continuous enhancements to make the process as painless as possible. If you don’t want to be bothered, simply set your computer to automatically download and install updates.
The top attack vector for the past couple of years has been outdated and insecure versions of Java, Flash, and Reader. Adobe has made major strides to try and improve the security profile of their software but they still have a while to go. One of the more recent steps was finally the inclusion of an automatic, behind-the-scenes update mechanism for Flash (introduced in 11.2) which keeps your IE and Firefox-based plugins updated. Luckily, if you’re a Chrome user, your Flash is kept up-to-date through internal mechanisms implemented by Google.
Java, however, is a different story. One improvement, made around 1.6u10, is that the installer no longer keeps old versions of Java around on the system by default. New versions now simply replace the older, less secure variants. For some developers this can cause issues. Efforts should be made by the development community to ensure that they don’t require end users to maintain insecure versions of Java on their systems.
That said, Java has a built-in update mechanism that nags you with a notification bar update. When this comes up, please run it! Not every release they push out is a security fix; for example, 1.6u32 does not fix any security vulnerabilities over 1.6u31. But it’s better to be on the safe side.
Staying updated is imperative to improving your system’s security. While there are exploits out there known as 0-days, you are very unlikely to encounter them during regular internet browsing. At the very least, if 0-day exploits are all you have to worry about you are in great shape.
- UPGRADE: I know many people who still consider Windows XP to be the top OS. “Windows 7 is bloated!”, they say.
Starting with Windows Vista and continually improved through Windows 7 and the upcoming Windows 8 operating system, Microsoft has added drastic changes in security measures that all contribute to a direct reduction in client-side malware infections internet-wide.
Through User Account Control (UAC), Microsoft now enforces that every user is actually a “standard user” by default, even if they are a member of the Administrators group on their PC. While it has some quirks to its behavior, it allows you to make Administrative changes to the PC while helping to prevent drive-by malware infections that have complete, autonomous access to your system. In fact, it’s so effective that one of the growing trends I’ve seen in recent years is that trojans now merely install to a user’s profile directory while making changes only to that user’s registry. A large amount of malware is easily cleaned by merely logging in as another user and doing a clean. (Note: A whole lot of security software out there does not mount other users’ registry files in order to clean them.)
Regardless, you should consider upgrading to Windows 7, or to Windows 8 when it becomes available. Mechanisms provided by User Account Control, such as the ability to lower a process’ privilege level, make infecting a PC just that much more difficult for malware authors.
- Anti-virus: While many argue that most antivirus software is useless, signature-based, blah-blah-blah; the reality of the situation is that most malware that users will encounter is either a known item or a variant of a known item, which the software vendor’s heuristic techniques can detect even if it has no direct signature. This is not always true, as I oftentimes see malware at work on a user’s system that I regularly submit to my company’s AV provider, but nonetheless why put yourself in the situation to be taken advantage of by something so trivial and stupid as a known object? Seriously, get something, ANYTHING. I highly recommend the Microsoft Security Essentials product–it’s free, lightweight, and a very good detection solution when you don’t want to fork out the cash for a major vendor’s product. I’ve also been extremely partial to Norton Antivirus 2012, which I run on my laptop, and which has caught things that I have not seen Security Essentials catch until much later (sometimes by months).
- DON’T ASSUME NOSCRIPT/ADBLOCK/SAFE-BROWSING WILL SAVE YOU: One of the most common misconceptions about keeping one’s PC secure is simply this: “I don’t need AV, I don’t need Windows 7, I don’t need UAC, I don’t need all of that other junk because I don’t browse malicious sites and I run Firefox with noscript! I’m super protected!”
The reality is you will inevitably allow some websites more permissions than others. Websites you trust, websites you assume to be secure. At the end of the day, the technologies you are turning off are integral to the dynamic functionality of the modern web. And as these technologies become more dynamic, they become ripe for abuse. A malicious iframe may be embedded in a site that you regularly visit and for which you have disabled noscript because “Well, it’s a legit site!”–and then it’s over from there. This has happened on numerous occasions, and different site operators respond in a variety of manners. Some will remove it instantly, others won’t know for quite a while due to a lack of critical monitoring systems, and others will flat out just not care. Why let yourself be a victim of their lack of due diligence? Follow some of the methods above to keep yourself secure even in these situations.
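The UPGRADE item above notes that much malware now lives only in a user’s profile and that user’s registry, and that many tools never mount other users’ registry files. As an added example (not from the original post), this PowerShell script, run from an elevated prompt, loads each local profile’s NTUSER.DAT and lists its Run and RunOnce entries, flagging those that launch from inside the profile. The function name `Get-UserAutorun` and the `Audit_` mount prefix are assumptions made for this illustration.

```powershell
# Added example: audit per-user autorun entries for every local profile.
# Requires an elevated prompt. "Audit_" and Get-UserAutorun are illustrative names.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-UserAutorun {
    param([string]$HiveRoot, [string]$ProfilePath)
    foreach ($sub in $runKeys) {
        $key = Get-Item -Path "Registry::HKEY_USERS\$HiveRoot\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Read the raw value: expanding %APPDATA% here would use *our* profile, not the owner's
            $command = [string]$key.GetValue($name, $null, $noExpand)
            $inProfile = ($command -match '%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP)%') -or
                ($command.IndexOf($ProfilePath, [StringComparison]::OrdinalIgnoreCase) -ge 0)
            New-Object PSObject -Property @{
                Profile = $ProfilePath; Key = $sub; Name = $name
                Command = $command; InProfile = $inProfile
            }
        }
        $key.Close()   # release the handle so the hive can be unloaded
    }
}

Get-ChildItem $profileList | Where-Object { $_.PSChildName -like 'S-1-5-21-*' } | ForEach-Object {
    $sid  = $_.PSChildName
    $path = (Get-ItemProperty $_.PSPath).ProfileImagePath
    if (Test-Path "Registry::HKEY_USERS\$sid") {
        # Hive is already mounted because this user is logged on
        Get-UserAutorun -HiveRoot $sid -ProfilePath $path
    } else {
        $mount = "Audit_$sid"
        & reg.exe load "HKU\$mount" "$path\NTUSER.DAT" 2>&1 | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load hive for $path"; return }
        try { Get-UserAutorun -HiveRoot $mount -ProfilePath $path }
        finally {
            # Drop any lingering registry handles before unloading the hive
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$mount" 2>&1 | Out-Null
        }
    }
} | Select-Object Profile, Key, Name, InProfile, Command | Format-Table -AutoSize -Wrap
```

Entries with `InProfile` set to True are not necessarily malicious, since legitimate per-user software also starts from the profile; they are simply the ones worth reviewing first.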
There are more advanced topics I can discuss in the future, but following these simple procedures should help you raise the bar on your system for malware authors to try and beat. And while no doubt goal posts on either side of the fence continuously move, that doesn’t mean you should give up because “you’ll never win”. The malware authors will continue to find ways in, and the defensive community will have to continue to adapt. In 5 years, I could be telling you completely different solutions.