Practical Cyber Security At Home
Over the last few years, I have been exploring methods to secure internet access in my home network without spending a lot of money or creating hassles for my loved ones. I am a lifelong computer geek and professional technologist with extensive experience in both large and small IT shops. I am also the guy that friends and family call regularly to solve computer problems. If you want to keep bad things like viruses from attacking your computers and also insulate your family from areas of the internet that are not necessarily “kid friendly” without spending lots of money, read on.
Contained below are some explanations of the threats to your personal cyber security, along with some common sense advice and pointers to free or extremely inexpensive tools to make yourself safe on the internet. Although intended for the home user, many of these measures would apply very nicely in a small business environment as well.
Most computer users are aware that it is important to have a secure computing environment, but do not know precisely what that means or why it is important. Anyone who has been hit by a computer virus knows well the pain of degraded performance, rebuilding the system, restoring and maybe losing important data, and possibly even paying a fair amount of money to have this done for you. Usually, this activity is followed immediately with the purchase/installation of virus protection software and forming better habits to prevent future problems — but is that enough? Understanding the nature of the various types of malware and how they attack your computer is key to getting the protection you need. The category of “virus” has expanded rapidly over the past decade to include terms such as trojan, worm, spyware, malware, etc. I prefer the term “malware” in general since all this stuff is bad in some way. More about viruses here, here, and here.
As the world at large continues to adopt the internet lifestyle, it will become increasingly important to protect your personal computing devices. Think about the potential for growth of virus targets in the age of always-on, high speed internet connections — not just at home, but right in your pocket in the form of internet connected smart phones like the Blackberry or iPhone. While there are some fairly innocuous forms of virus out there, written by a bored teenager or computer science major working on a project, there are many very harmful or intrusive malware threats being propagated constantly as well. Consider the types of information that you now store on a computer, or access via the internet, that you did not just a few years ago. The bad guys want to get their hands on your valuable personal information or hijack your financial accounts and are constantly creating malware to do just that. Alternatively, some malware is written specifically to hide on your computer and wait for a signal to participate in a Distributed Denial of Service attack or to send SPAM email using your computer. Adware is another common form of malware, which usually manifests itself in the form of annoying “pop up” ads that show up while you are browsing the internet. So, how do these various forms of malware get onto your computer to begin with and how can you stop them?
The good news is that there are common sense steps outlined below which you can take to protect yourself. Most won’t cost you anything, but by taking the time to implement them you will be secure and safe in the ever more useful but threat-filled internet. Many of the recommendations below assume that you are running Windows as your operating system. If you are rich or pretentious enough to run a Mac, then you are already better off in general since there are far fewer security exploits at this point that target the Mac. This comes down to simple market share — if a bad guy wants to distribute his malware to the largest possible audience, he writes it for Windows since that covers ~90% of the computer users on the planet. As Apple market share increases, their products will become a more appealing target as well. An even better choice would be to run a Linux system. Linux is free, secure, lower profile, and much less evil than either Microsoft or Apple.
An Overview of the threats and how to deal with them
Network Attack
If your computer is connected to the internet, it is susceptible to a constant barrage of automated attacks using a technique known as Port Scanning, to find a weak spot that can be used as a foothold to install malware.
- A properly configured hardware router/firewall is your first line of defense
- A 2-way software firewall installed on your computer is a further method of protection
One very common avenue for malware to infect your computer is through a Phishing or Pharming email. This is typically via a website link contained in the email, or file attached to the email. Make sure you know and trust the sender of an email well before you open an attachment or click on a website link in the message. There are many cases of very sophisticated email messages, crafted to look as though they are from your trusted financial institution. Be wary of any email that asks you to follow a link and update or verify your account password, even if it is from what appears to be a legitimate source.
- Use an email provider that scans for malware and phishing content
- Have updated anti-virus/malware tools installed on all your computers
- Using OpenDNS for DNS services will transparently block access to known malware sites
Instant Messaging, Social Networking, and P2P Application
Using instant messaging or a social networking site, or sharing and receiving content on a peer-to-peer network, can expose you to malware. As with the Email and Counterfeit Website vulnerabilities, it is important to know and trust those that you interact with, and never open attachments or click on website links from someone that you don’t know well.
- Use an email provider that scans for malware and phishing content
- Have updated anti-virus/malware tools installed on all your computers
- Using OpenDNS for DNS services will transparently block access to known malware sites
Counterfeit Websites
Similar to the fraudulent emails, there are many cases of websites created to look and act just like trusted financial institutions. If you enter your account info and password into the bogus website, the bad guys will now have the ability to login to your account on the legitimate site.
- Never click on a link in an email asking you to log in to your bank’s or credit card provider’s website, or sites such as Paypal that have direct access to your bank or credit card accounts. These messages are typically an attempt to gather your account and password information
- Install web browser add-ons like SiteAdvisor, Adblock Plus, and NoScript which block access to known malware sites
- Using OpenDNS for DNS services will block access to known malware and phishing sites
Sneakware
There are many instances in which software that is willingly installed by a user contains hidden spyware or malware. Real examples of this range from legitimate software that you download from the internet to software installed from a CD that is needed to support computer connected items such as digital picture frames, MP3 players, kids' toys, and more.
- Having updated anti-virus/malware tools installed will provide good protection from this
- Using OpenDNS for DNS services will block access to known malware and phishing sites
Here are the things you need to get to be more secure
Have a Hardware Firewall (low cost)
A firewall is a layer of protection that sits between your computer and the internet. It stops internet traffic that you don’t specifically invite from coming into your network or computer. It can also prevent information from getting back out to the internet, which can be just as important. The first step is to have a hardware router/firewall between your primary internet connection and your computers, as this provides an inbound firewall for every computer that attaches to it by default. Linksys, Netgear, D-Link, Belkin, Asus and others all make good products that are commonly available everywhere from Walmart to Best Buy to Amazon. Many people have these already in place for wireless access or to allow more than one computer in their location to connect to the internet. If you don’t, it is well worth the ~$50 investment as a first layer of defense. Make sure to configure your router in a secure manner. Change the default password to something unique, change and hide the default SSID (that is the name of your wireless network), use wireless encryption — WEP is better than nothing, but use WPA or WPA2 if you can — and disable UPnP. This article has a good overview of how to go about doing much of this. If you are of the really geeky persuasion, consider installing an alternate firmware on your router for even more protection and capabilities like content filtering, intrusion protection, VPN, and more. There are many options available, most open-source and freely available. I use both DD-WRT and Packet Protector at home and will do a follow up on this topic in the future.
Have a Software Firewall (free)
You should also have a software firewall running on your computer. Windows has a built-in firewall component — click on Start, Settings, Control Panel and then either Security or Windows Firewall depending on whether you run XP or Vista. Enable the firewall right now if it is not running already and you don’t have a different firewall product up and running. I recommend installing a better firewall product as a first step. Check out Comodo or ZoneAlarm. They are both free and have better features than the basic Windows product, such as two way protection which I highly recommend. This is a no brainer – just do it, especially if you use a notebook computer and attach to unsecured wireless networks in public locations.
Have Anti-Virus Software (free or low cost)
If you are running a computer these days without anti-virus protection, don’t even bother calling to ask me for help. I mean, I will come and help you, but I might mutter bad things while I am working. Keep that in mind. Anti-virus software runs on your computer all the time and examines files as they are used in order to prevent bad things from running on your computer. It also periodically scans everything on your computer to search for latent threats.
There are many options for software that protects you from computer viruses. If you are looking for something free and good, try AVG Free or Avast!. If you want the current most effective product, check out Avira. Here is a definitive article comparing the effectiveness of the various anti-virus software products on the market.
Have some additional Malware tools (free)
I recommend installing additional free products such as Malwarebytes, Adaware, Spybot, and Windows Defender and running them regularly as a complement to your primary anti-virus product. This is especially important if you do not choose to use a security suite. Install them and run a scan once or twice a month whenever you think of it.
Consider a Security Suite (low cost)
If you want to cover firewall, anti-virus, and other maintenance functions all in one neat package, try a security suite. You won’t find one for free, but there are many reasonable options out there. Many (like McAfee and Symantec) are bloated and really slow down your system. My two current favorites are CA Internet Security Suite and Microsoft One Care. After using the CA product for a few years, I have switched to One Care in my home. It costs only $50/year for up to 3 computers and will be available for free later this year. One Care also handles system updates, automatic backups, system tuning, provides a two-way firewall, etc. I have never had a virus infection on my computers since running this product and I have used the backup/restore feature on several occasions to recover data after a system crash on my own computer and those of a few friends. I highly recommend it.
Here are the things you can do differently to be more secure
Create secure system accounts (free)
Windows XP computers have an account named “Administrator”. Don’t use it unless you really need to, and change its default password to something other than blank. Even better, set up a new account that has administrative privileges, then disable the “Administrator” account. Also disable the “Guest” user account. If you run Windows Vista then your administrator account is disabled out of the box and you are already halfway home. Once that is done, set up user accounts for each user, including you. These accounts should be “limited” accounts that do NOT have administrator privileges and will be used day to day. For instance, in my home we have one main computer with 5 separate user accounts, one for each member of the family. These steps are recommended as a means to prevent bad guys from hijacking an account in order to install malware on your system. If you are not running an account with administrative privileges you are protected from a wide range of risk by default. For instance, if you inadvertently click on a link in a malicious email while using an administrative account, that URL can execute code on your system that will download and install malware without your noticing; a limited account cannot. Take this seriously. Running in this mode will also require that your kids, loved ones, and significant others first discuss with you the installation of any software in general, since they do not have administrative privileges on their account. While this can cause some controversy initially, it will save you countless hours of misery in the future. This article has details on how to create user accounts in Windows XP.
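One way to check that the account setup above actually took effect, as an added example that is not part of the original article: it reads the text printed by the Windows commands `net user <name>` and `net localgroup Administrators` and reports what still needs fixing. The command output and the account names (HomeAdmin, Dad, Kid1, ...) are constructed for illustration.

```python
import re

# Constructed, abridged output of `net user Administrator` and `net user Guest`.
NET_USER = {
    "Administrator": "User name                    Administrator\n"
                     "Account active               Yes\n"
                     "Local Group Memberships      *Administrators\n",
    "Guest": "User name                    Guest\n"
             "Account active               No\n"
             "Local Group Memberships      *Guests\n",
}
# Constructed output of `net localgroup Administrators`.
NET_LOCALGROUP_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
HomeAdmin
Kid1
The command completed successfully.
"""
# Hypothetical day-to-day accounts that should all be "limited".
DAILY_USERS = {"Dad", "Mom", "Kid1", "Kid2", "Kid3"}


def is_active(net_user_text):
    """True if the `net user <name>` output says the account is enabled."""
    m = re.search(r"^Account active\s+(\S+)", net_user_text, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Account active' line found")
    return m.group(1).lower() == "yes"


def group_members(net_localgroup_text):
    """Member names listed between the dashed rule and the completion line."""
    members, listing = [], False
    for line in net_localgroup_text.splitlines():
        if line.startswith("----"):
            listing = True
        elif line.startswith("The command completed"):
            break
        elif listing and line.strip():
            members.append(line.strip())
    return members


def audit_accounts(net_user, admins_text, daily_users):
    findings = []
    for builtin in ("Administrator", "Guest"):
        if builtin in net_user and is_active(net_user[builtin]):
            findings.append(f"{builtin}: built-in account is still enabled")
    admins = group_members(admins_text)
    daily = {u.lower() for u in daily_users}
    for name in admins:
        if name.lower() in daily:
            findings.append(f"{name}: day-to-day account has administrator rights")
    # Disabling Administrator before a replacement exists locks you out.
    if not [a for a in admins if a.lower() != "administrator"]:
        findings.append("no replacement administrator account exists yet")
    return findings
```

Calling `audit_accounts(NET_USER, NET_LOCALGROUP_ADMINS, DAILY_USERS)` on the constructed sample flags the enabled Administrator account and the Kid1 account that was left in the Administrators group.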
Use strong passwords (free)
As a minimum measure, NEVER have an account on your system with administrative privileges that does not have a strong password. A strong password is one that does not appear in the dictionary, is not easy to guess (birthday, ssn, etc.) and typically combines numbers, symbols and letters of both upper and lower case. For instance instead of using “password” try something like “P@ssword23” or “PassWord_101”. Also use distinct passwords for the various websites that you log into so that a security breach on one website doesn’t expose you in multiple places. Be creative and make it hard for the bad guys at the same time! Here is a good article on ways to come up with a strong password that you can remember.
Keep your system up to date with software updates and security patches (free)
Click Start, then Settings, Control Panel, Windows Update for XP or Start, Control, Security, Windows Update in Vista and make sure that automatic updates are enabled and working. If you are running one of the above mentioned Security Suites, this should be up and running already, one less thing to worry about. You can also visit Windows Update and run an update manually. When your system indicates that updates are available, let them install right away. This will keep you current with security and other enhancements as they become available. Also, make sure that your anti-virus and anti-spyware tools are set to update automatically and verify that they are doing so successfully. In addition, make sure commonly used add-ons such as Adobe Reader, Java, Flash Player, etc. are always up to date.
Use Firefox instead of Internet Explorer (free)
There are some internet sites that absolutely require IE to be used (like Windows Update), but the vast majority do not. Internet Explorer is still the predominant web browser in use, and as such there are many more exploits written that target IE specifically. Firefox is very well integrated with key security features to prevent adware, spyware, annoying pop-ups, phishing attacks, etc. You can even install an add-on to Firefox, called IE TAB, that will open up a browser tab using the Internet Explorer engine for websites that really need it so that you don’t have to launch an IE session separately. You should understand that Internet Explorer cannot be uninstalled, because Windows uses it under the covers for many of its update functions, but these are relatively secure in general. Make sure that you are running IE version 7 or later, as previous versions are extremely insecure. The main thing is to keep the use of IE for everyday browsing to a minimum. This will reduce your exposure to the plethora of security exploits that have been written specifically for it. I am also a big fan of Chrome, which is a new browser from Google. It is still in beta and does not yet support many of the cool extensions and add-ons that Firefox does, but it is a new approach to the web browser in many aspects and is really high performance if you use any of Google’s email or office apps.
Install malware blocking browser addons (free)
Install SiteAdvisor, Adblock Plus, and NoScript to help you avoid visiting malware sites inadvertently.
Use Google’s Gmail as your email provider (free)
It is fast, secure, and stable. You can access it securely using SSL encryption via a web browser or an email client like Outlook or Thunderbird. I have used Gmail exclusively for over 2 years now and couldn’t be happier. I will never have to rebuild an email catalog from backup ever again, because my data is always safe and accessible on Google’s servers. Whether I am using a friend’s computer, a Blackberry, iPhone, Internet Tablet, etc., I have consistent access to my email. You can even set it up to pull email from other accounts and read all of them from one place. Gmail starts you out with 5+ gigabytes of storage, and that allotment increases incrementally every day. It has fantastic SPAM and virus filtering capabilities built in, so by the time email hits your inbox it has already been scanned and filtered. During a bad month, I see 3-4 SPAM items in my inbox which I can identify and remove with the click of a button, and all downloads are scanned for viruses before you open them. You can open and read document attachments right in the browser environment without installing any additional software. You can extend the capability of Google Mail by taking advantage of Google Docs and Calendaring. Google will even host and provide these services seamlessly for your private domain. They offer IMAP support and integration with mobile devices such as iPhone and Blackberry. You can even access Google’s own chat system as well as AOL and other chat services right in the web mail interface. All of this is available for free, unless you are a large organization or just want to pay for more storage. In general, I always recommend getting an email address that is not associated with your internet service provider. If you ever have to move or change providers for any reason, it is one less hassle you will have to deal with. Windows Live Hotmail and Yahoo Mail are decent options as well, but do not offer nearly the amount of integration, capability and security of Gmail.
Zoho Mail is also an interesting alternative that provides a robust, integrated email and groupware environment.
Use a separate email account when registering website accounts (free)
It doesn’t cost anything to setup a second (or third, fourth, etc.) webmail account with any of the email providers mentioned above. Keep your personal email account for truly personal use and have another one (or more) for doing online purchases, setting up online accounts, etc.
Use OpenDNS for DNS Services (free)
If you are not familiar with DNS (Domain Name Services), think of it as the internet phone book that you use every day. When you type a website name in your browser it must be looked up on a DNS server and then converted to an IP address that corresponds to that website name. For instance 208.67.217.23 is the current IP address for google.com. If you don’t believe me, cut and paste those numbers and dots into your internet browser (Firefox not Internet Explorer) and see where it takes you. Whether you realize it or not, your computer and your router (wireless or otherwise) have settings that tell them which DNS server to use when asking for internet addresses. Typically, you will be using your internet service provider’s DNS servers, which probably do a pretty good job of providing this service, but OpenDNS does it better in several ways. They are faster and more up to date, and most importantly, they are more secure. Unlike your ISP’s DNS servers, OpenDNS’ will not allow you to get to websites that are known phishing or malware destinations, and they maintain a very up to date list of these sites so you are always protected. They also offer very good content filtering capabilities that are configurable and easy to use. Whether you want to block access to pornography, gambling, adware, tasteless humor, or any of the 50+ other categories available, you can choose how to filter content that makes it to your network and computers. OpenDNS has a significant community aspect that allows you as a user to participate in helping build and vote on the categorization of websites. You can make the setting to use OpenDNS on your router, which will affect all computers on the network (my recommendation), or you can configure individual computers as you see fit. The change is very simple and well documented here.
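A way to confirm which DNS servers a Windows computer is really using after the change, as an added example that is not part of the original article: it parses the text printed by `ipconfig /all` and classifies each network adapter. The two OpenDNS resolver addresses are an assumption not stated in the article, and the sample output is constructed.

```python
import ipaddress
import re

# Assumption (not in the article): OpenDNS's published resolver addresses.
OPENDNS = {ipaddress.ip_address(a) for a in ("208.67.222.222", "208.67.220.220")}
# RFC 1918 ranges: a DNS server in one of these is normally the home router.
LAN = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed `ipconfig /all` output, abridged to the DNS lines.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 208.67.222.222
                                       208.67.220.220

Ethernet adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter Constructed VPN:
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       208.67.222.222
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD = re.compile(r"^\s+(\S.*?)[ .]+:\s?(.*)$")


def dns_by_adapter(text):  # returns {adapter name: [ip, ...]}
    found, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        header = ADAPTER.match(line)
        if header:
            adapter, in_dns = header.group(1), False
            found[adapter] = []
            continue
        if adapter is None or not line.strip():
            in_dns = False
            continue
        field = FIELD.match(line)
        if field:
            in_dns = field.group(1) == "DNS Servers"
            value = field.group(2).strip()
        else:
            value = line.strip()  # continuation line: an additional DNS server
        if in_dns and value:
            try:
                found[adapter].append(ipaddress.ip_address(value))
            except ValueError:
                pass  # not an address; ignore
    return found


def classify(servers):
    if not servers:
        return "none"
    if all(s in OPENDNS for s in servers):
        return "opendns"
    if all(any(s in net for net in LAN) for s in servers):
        return "router"  # protection depends on the router's own DNS setting
    if any(s in OPENDNS for s in servers):
        return "mixed"   # some lookups can go to an unfiltered resolver
    return "other"


def audit(text):
    return {name: classify(ips) for name, ips in dns_by_adapter(text).items()}
```

A "router" result is expected when OpenDNS was set on the router as recommended above; in that case the setting to verify is the one on the router's own configuration page. A "mixed" or "other" result means that adapter can bypass the filtering.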
I like the description of what the threats are and how I can prevent them with less technical jargon. Yet it has interesting further topics such as DD-WRT or OpenDNS. Good information to be shared.
[...] Note: Back in January, I wrote a detailed piece entitled, “Practical Cyber Security At Home”. If you are following the general practices outlined in that article, then you have [...]