Oh heck no - share it all you want, and you don't even have to include my
name if you don't want to.

A couple of minor fixes:

     "Bulgaria, China and North Dakota are as close and your next door"
should read "Bulgaria, China and North Dakota are as close as your next
door"

     "you're in better shape that would otherwise be the case" should read
"you're in better shape than would otherwise be the case"

Kurt


On Thu, Nov 8, 2012 at 1:59 PM, Don Kuhlman <[email protected]> wrote:

> Very well done Kurt - Thanks for the efforts.  I hope you don't mind me
> sharing it with Stu's link included?
>
> Don K
>
>
>   ------------------------------
> *From:* Kurt Buff <[email protected]>
> *To:* NT System Admin Issues <[email protected]>
> *Sent:* Wednesday, November 7, 2012 11:24 PM
>
> *Subject:* Kurt's current security recommendations for your computer -
> the 2012 update
>
> All,
>
> I sent out the last version of this back over a year ago. It's time for a
> refresh. I've only done a few minor updates, as things haven't really
> changed much. However, I'd be pleased if you share with me any thoughts you
> have on what I've written.
>
> The first thing to remember is that security (computer or otherwise) is
> not an end state. It's a process, and a mind set. Why do security
> professionals say that? For three related reasons:
>
> *    o- The world changes*
>     Trite, perhaps, but it's fundamental. For the computing world, this
> means new applications, new versions of applications, new versions of
> operating systems, patches to current operating systems and applications,
> etc. It also means new criminals and new ways of crime - they are tricksy
> beasts.
>
> *    o- All software has bugs*
>     Lots of them. If (when!) encountered, many of those bugs will cause
> your computer to behave in ways that are much less safe than you would hope
> or expect.
>
> *    o- The computing world has more risks than the physical world*
>     There are hostile actors in the computing world trying to take
> advantage of the above, which means that what might have been relatively
> safe earlier is unlikely to be so in short order. What you *MUST*
> understand is that, for these people, infecting your computer is a
> business. They make money from it, in several different ways. The specifics
> of the business are beyond the scope of this discussion, but understanding
> that should lead you to understand that you and your computer are a target,
> no matter how insignificant or obscure you think you or your computer might
> be. And, they can be anywhere in the world - Bulgaria, China and North
> Dakota are as close and your next door neighbor.
>
> *But, all is not lost, nor insuperable.* Understanding the above, and
> following a few pieces of advice, will keep you out of most trouble and
> will improve your odds of safe computing over the longer term.
>
> Understand that the situation in the computing world is fluid and that the
> enemy is mobile, agile and hostile, and you're in better shape that would
> otherwise be the case.
>
> So, the advice, in rough order:
>
> *o- Mobile devices are still more dangerous than traditional computers
> such as laptops and desktops*
>     They, and the software on them, are still not mature, and methods for
> using and managing them safely are not well developed. In particular, it's
> very difficult to achieve separation of privileges between administrative
> functions and normal user functions, because there aren't any easy ways to
> use more than one account. What that means, and why this is important will
> become a bit more clear if you read this whole message. Right now I'll just
> caution you that mobile devices are under intense scrutiny by computer
> criminals for any advantage, and are the fastest rising targets for
> malicious activity. Be careful with them.
>     Don't
>     a) install apps without understanding what they do and what privileges
> they require,
>     b) open random text messages - especially you shouldn't follow links
> in text messages to web sites, or
>     c) perform any really sensitive tasks on them - by this I mostly mean
> doing financial tasks or keeping financial data on the device without
> encrypting it.
>
> Do keep your eyes peeled for good security software and for unexpected or
> suspicious behavior on your mobile device.
>
> *o- Keep your machine patched*
>     For your computer's operating system (Windows, Mac, Linux or other)
> and for every program that you commonly use on your machine, make sure that
> at least once a month you visit the vendor's web site and keep current with
> the latest security updates. This includes your operating system (Windows,
> Mac, Linux, whatever), and your application software - not only the major
> pieces like MS Office or OpenOffice, and your web browser, but also the
> various Adobe products (including especially Acrobat Reader, Flash and
> Shockwave), Java (if it's installed) and any other free or paid software
> you use.
>     Fortunately much software now is capable of updating itself. Pay
> attention though - make sure that if you get a piece of software that wants
> to update itself that it's *really* that software that's asking.
>
> *o-  Simple is better*
>     Uninstall any software that you don't use any more, or that you don't
> use regularly enough to make it worth keeping around. Also, don't
> gratuitously or promiscuously install software, especially if a web page
> unexpectedly prompts you to do so. This especially means supposed video
> codecs from some web sites, or special drivers to see or work with content
> on their pages. If they want you to do that, be extremely suspicious of it.
> Some software asks if you want to install addons from partners. Decline
> them. Even if they are from legitimate firms, these addons usually cause
> nothing but grief. (The free Adobe Acrobat Reader and Flash Player are two
> of the most egregious in this regard, but Sun's Java is also prone to it.)
>
> *o- Be cautious browsing the web*
>     Hover your mouse over any link before clicking on it, whether in email
> or on a web page. You should see either a popup or a notification at the
> bottom of the page of what's really in that link. If the popup doesn't
> match the visible link, don't click on it.
>
> *o- Be cautious reading email*
>     If you're using an email application such as Outlook, Pegasus or some
> other non-web-browser email, you should be able to set it so that by
> default it displays only plain text. Don't click on links just because they
> appear in emails that appear to come from someone you know, or from your
> bank or credit card vendor. After inspecting an email and deciding it's
> worthy, you should be able to cause it to display any web content. Most
> emails are not worthy.
>
> *o- Fortify your browser*
>     Use browser-based tools to help protect you from malicious web
> content. My favorite browser is Firefox. Hands down, it's the best of the
> browsers, for one simple reason: it has the best security plugins I know
> of. I use bunches of plugins and addons for various purposes (many of them
> not related to security), but these are the ones that I absolutely install
> wherever I can - each covers a different facet of web security:
>
>    NoScript
>    Request Policy
>    Adblock Plus
>    Better Privacy
>    Ghostery - new for this edition of my advice
>
> Be aware that the first two, in their default configurations, are fairly
> disruptive, until you know what they do and how to work with them. They
> extract a price, in that you must pay attention to them, and understand
> what they are doing, in order to optimise your browsing experience. They
> pay big dividends, though, in much safer browsing. They will also astonish
> you, by revealing how incredibly complex web pages are, and how many agents
> have their fingers in your browsing.
>
>     Better Privacy and Ghostery in their default configurations aren't
> intrusive, but can be if you get carried away with them, although they are
> also extremely valuable.
>
>     A fascinating addon for Firefox is Collusion. It aims to demonstrate
> which web sites know about you and talk with each other about your browsing
> habits. It doesn't prevent anything - it merely shows you a graph, but
> it's really useful for understanding how the web is tied together.
>
>
> *o- Get a good antimalware package*
>      I like Sunbelt Software's VIPRE. I *don't* like either McAfee or
> Symantec. I've heard good things about Kaspersky, but haven't used it.
> Trend used to be good, but I have no opinion on it currently, because I
> haven't used it in years. Microsoft's Security Essentials is free and does
> a very good job, but it's only for Windows. There are lots of others, and I
> have no way to tell you anything about them, as I haven't used them.
>
> *o- Don't panic*
>     If, in spite of having a good antimalware package, your computer does
> get infected, you will need to use other software to help out. Currently,
> I'm a big fan of malwarebytes - you can get a free version from
> http://www.malwarebytes.com. Also recommended is VIPRE Live - get it from
> http://live.sunbeltsoftware.com. Don't run them at the same time - let
> one finish, then run the other. If things are really fubar'ed you'll want
> to engage a professional, as there are other tools out that require more
> expertise to use, such as UBCD4Win, various Linux-based rescue disks, etc.
> Please understand that not all situations can be remedied, so be cautious
> in your computing.
>
> *o- You are not a computer, and your memory is limited and much more
> volatile*
>     You probably visit many different web sites, for many different
> purposes, many of which require an ID and password. Use a different ID and
> password for every one of them. You are going to have problems remembering
> that much account information, so use an application to help you manage
> them - there are two that I can recommend:
>
>    Password Safe
>    Keepass
>
> Both are good, and allow you to use a single master password to protect
> your other passwords and other account details. Both of these, BTW, have
> versions that work on smart phones, too.
>
> *o- Refresh your passwords*
>     Change your passwords regularly, for all of your accounts, both on
> your computer and for the various web sites you browse. The fundamental
> rules of passwords are:
>
>    - The longer and more complex they are, the better
>    - Change web site passwords at least every six months
>    - Change each of your passwords at least every six months - though the
> longer the password the longer you can go between password changes
>
> Wherever I can, I use a passphrase, which is really just a very long
> password, but it's easier to type and remember. It's easier because it's a
> regular sentence, with punctuation, spaces and capitalization all correct.
> If you throw in a number, you're especially well off. By way of example, I
> consider the sentence
>
>      There are 23 ways to cook pasta.
>
> much easier to remember and type than something like
>
>       X8&2Rdd-/az
>
> and it's stronger, too.
>
> For web pages that don't allow really long passwords/passphrases, you have
> your password manager to help generate random passwords of sufficient
> complexity.
>
> *o- Lie to web sites*
>     When they are asking you to answer security questions that will be
> used to reset passwords or verify your identity in some way, don't give
> them a real answer. If, for instance, they ask for your mother's maiden
> name, use something else, like the name of your high school PE teacher or
> the kind of car you like, or your favorite sports team. Record that in your
> password management application. Lie to web sites about everything you can.
> Use different answers for different web sites. Why? Two reasons.
>      1) Because it helps keep your privacy - more than would otherwise be
> the case.
>      2) Because if hackers crack the web site and get the data, it won't
> be applicable to your other accounts.
>
>      Keep your lies straight with your password manager.
>
> *o- Back up your data*
>     If you have data on your machine that you would be unhappy to lose
> permanently, regularly copy that data somewhere else - perhaps even two or
> three places, and if it's *really* valuable data, make sure a copy is
> stored somewhere away from the building in which your computer resides.
> Valuable data comes in many forms: Financial records and pictures/videos
> are the two most common, but only you can judge what's valuable to you.
> Don't forget to include backups of the data in your password management
> system. Pro tip: It's not a really good idea to keep backups from your home
> computer at work. Why? Because your work might consider it *theirs* if you
> do, or you might lose your job and not have time to take it with you after
> being frogmarched out the door due to layoffs, or something stupid like
> that. It's also true in reverse. Storing work data at home is a sin. Don't
> do it.
>
> *o- Keep your passwords on paper, and on your person or another safe place*
>     If you're away from your computer, and need to use someone else's to get
> to a web site that needs a password, you can use the list of your most
> important accounts and passwords that you've printed out and keep safe in
> your wallet or purse. Then, when you get home, you'll change that password
> immediately, because you don't know what else was running on the computer
> you borrowed.
>
> *o- Understand the principle of Least Privilege, and don't be an
> Administrator all the time*
>     One of the hardest practices of them all to perform well, because
> everyone (including me!) is lazy, and because operating systems don't
> always make it easy, is to use two different computer account logins on
> your personal computer. Why? Because there are two different sets of tasks
> that you perform on your computer. The first set of tasks is the set that
> you bought your computer to help with - playing games, web browsing,
> reading emails, whatever. This set of tasks should be done with an account
> that has very little power on your machine. You shouldn't be able to
> install software or change major system-wide settings with this account.
> Why? Because this is the account you'll use to do things in the relatively
> dangerous world of the Internet. The other account is the Administrator or
> root account. This is the account you use to perform the other set of tasks
> on your computer - maintenance, including installing software and changing
> major system-wide settings. Never do anything else with this account -
> don't browse the web (other than to get updates from the publishers of the
> software you use) or play games or anything else with that account. This
> approach is called, among other things, Least Privilege Computing. If
> you're running Windows, one tool that helps with this is native to the
> operating system: RunAs. It allows you to log in as your less-privileged
> user, and then run a necessary program as your higher-privileged account. I
> don't know Macs, but for Linux and other Unix variants, there are similar
> tools. And, please, don't use the same password for these two accounts.
>
> If you can follow all of the above, you'll do as well as anyone else - and
> better than many professionals.
>
> I hope this was helpful, rather than overwhelming.
>
>
> Kurt
>
>
