If you don't ever use the internet or receive email, then you have little to worry about. But if you are here viewing this document on the web and your company IT or IS department does not handle this stuff for you, well, you need to know this stuff!
NOTE: If your company's IT or IS Department has the responsibility of keeping you safe then follow their instructions. This article is meant primarily for those people without IT resources who have to take responsibility for their own computer safety.
I have written this document for the edification of my clients and friends. Many of them are very bright but the world of computers and the internet is not something in which they specialize. Even though your job or interests may be something other than computers, it has become an unfortunate reality that, if you use a computer, you need to become educated and aware of the issues surrounding "safe computing".
Disclaimer: This document is currently a "Work in Progress" and is not meant to be exhaustive. Things are constantly changing. There will always be other threats to the safety of your computer and other things that you can do to protect yourself. (In other words I am not taking responsibility for the safety of your computer just because you read this article!!!). However, to help make this a more useful document, if you have any suggestions for additions, deletions and/or corrections, please feel free to contact me with you comments.
Take personal responsibility!
When you purchase a house or a car, you realize there are certain maintenance tasks that you must perform and certain steps you must take to protect you from unlawful entry and/or malicious acts. A computer is no different. You must understand, and take responsibility for, the maintenance and safety of your data! This document speaks to the safety of your data.
Saying that you shouldn't have to do all these things to protect yourself does not change the fact that you DO have to do these things to protect yourself. Just by reading this you are taking the first step in protecting yourself. Be aware that it is nobody's responsibility but yours to insure that you have a safe computing experience.
All that being said, let's move on...
First Some definitions:
Virus:
Loosely speaking, a virus is a program or some executable code or script that runs on your computer and does things that you do not want it to do and/or have not authorized. It may pop up a silly message, causing irritation. Or it might destroy everything on your hard drive.
Since a virus is a program or script, something must happen to launch or start up that program. There are many ways to launch the program that will run the virus. The most common way is to double-click on an email attachment in Outlook or Outlook Express.
Many viruses however are disguised. They can look like friendly gifts (attachments to email) from people you know!!!
Trojan horse:
A program that includes a secret, malicious payload (A program inside of another program). You might get an e-mail with a program attached to it. You might even find the program worthwhile. But the program may also be secretly malicious. The malicious component might download viruses from the Internet. It might search out your credit-card numbers and send them to a computer on the Internet. Or it might be a virus itself.
Worm:
A program that exists for the sole purpose of spreading itself. For example a worm can be an email that when you open the e-mail attachment, this program goes to your e-mail address book. It sends itself to the addresses there. When it reaches those addresses, it repeats the process. That is how worms spread rapidly around the world. Worms are often viruses.
Hacker:
Someone who will attempt to gain access to your computer through your network connection
Spoofed email:
You may receive very authentic looking emails that look as though they come from companies with whom you do business requesting that you "Update" your information. They will provide a link to a web page to do so. The web page may look just like the one you are familiar with. The only problem is...It is NOT who you think it is. This is called "spoofing". When you visit the web page and enter the requested information, you have fallen into the trap and given your information to these thieves!
I have personally received this type of email spoofing my bank, a well know auction site and payment site.
People trying to get your personal information (Identity Theft) has become the fastest growing crime of the 21st century. They are very clever. To quote a movie ad, you need to "be afraid, be very afraid!"
Malicious Web Sites
Not everyone plays by the same rules you do. The web is an international playground available to every type of person imaginable. Protect yourself. Think before you visit any site.
Sites can contain links that will install programs on your computer. Once these programs are installed on your PC anything, and I mean anything, can take place. Hard Drives can be re-formatted. Files can be sent without your knowledge to other PCs. Your PC can even serve another PC as a SPAM Mail server.
Just like walking around and looking at the sites in a big city, browsing the internet can be fun and interesting. It can also be dangerous.
If you are walking in the city, you take certain precautions. You don't carry a lot of cash, women hold on tightly to purses, you don't walk down dark alleys. The same sort of thing applies to browsing the web.
When you are about to click on a hyperlink (That is what those spots on the pages are called that take you to another place), at the bottom of your screen you will see the command that will be issued to your browser. When in doubt, READ IT! It may give you clues as to where you will be going.
Protecting Yourself - What YOU can do!!
Never open an attachment directly from your email
The most common way of getting a virus, your email software may allow you to "Open" an email attachment rather than "Save to Disk". NEVER "Open" an email attachment even though your email software may allow you to do so. Your anti-virus software will not have the opportunity to scan it. Instead, Save your attachments to disk first and then open them up. Provided that your anti-virus is running, updated and installed, it should scan the file prior to running it and alert you of any problems.
Outlook and Outlook Express users:
Open the e-mail message that contains the attachment.
Right-click on the attachment
Click Save As
In the Save As box, find the folder where you want to store the file, and click Save.Other email software such as Netscape and AOL all have a way to save your email attachment
Don't respond to information requests
If you receive a spoofed email
1) DO NOT RESPOND TO IT
2) Alert the company that has been spoofed. Chances are others have done so already but you should let them know in case you happen to be the first to discover it. Most companies that do business on the web have a way of reporting this type of issue. Each one is specific to the company however so you'll have to discover how and follow their directions.
3) Once you have alerted the company, delete the email.
ALSO - Be aware that while filling out forms on a secure web site of a company that you trust IS a secure and private way of delivering your information (for example e-commerce on a secure site), email is NOT Secure or Private. Think of email as a Postcard. Anyone who sees the postcard, while it is making its way to you can read it. The same holds true for email. Any computer through which your email travels can copy and read its contents. Things like passwords and other confidential information should NEVER be sent via email.
Microsoft recently released a tool (Baseline Security Analyzer) that will help you (Or your computer consultant) analyze your computer for common incorrect security configurations. It can analyze one or more computers and tell you where you are vulnerable AND what to do about it!!
Back up your data - Back up your data. What's that? BACK UP YOUR DATA!!!
I know that hardware and software has become much more reliable over the past few years. If you are using a new operating system (Windows 2000 or XP), you probably rarely have the system crash as it use to in Windows 95/98 and Me. The File structure on these newer Operating systems is MUCH more reliable.
With the threat of viruses ever looming however, it is still imperative that you make a copy of your data from time to time. it is not important how you accomplish this just that you do it!
Backup vs. Copying your data.
Backing up your data
Backing up your data requires a backup program. Each version of Windows ships with its own backup program. When you use this backup program, you will select the file(s) and folder(s) that you want to back up and then select a destination (Usually some external media - CD, Zip Disk, floppy, etc.) for the program to put the actual backup.
There are some backup services (such as Backup My Info or Novastor) that now allow you to back up your data to a remote site over a secure internet connection.
The plus to using backup software to save your data is that the backup usually takes less space than the data being backed up (because it will be compressed) and it can span multiple pieces of storage media. The down side to this is that because the backup program uses its own proprietary file format, you will need the back up program that backed up the data to restore the data back on to your drive. You can't just take your files to another computer and copy them on to that system and use them.
Copy your data
Copy your data on to some external media (CD, Zip Disk, floppy, etc.) for safe keeping. The benefit to this method is that you don't need any special software to read the files. Any one who has the appropriate hardware (CD, Zip Drive or floppy drive) can copy the data on to their machine.
Use WinZip
If you know how to use the ever popular program WinZip, you can have the best of both worlds - Compressed files that take up less space than the original and no need to have a backup program available should you choose to restore your files.
This takes some understanding of WinZip however and knowing about Self Extracting Zip files. If you wanted to extract just individual files from a "Zipped" up archive, you would need to install WinZip first.
Personally, I use the Copy Your data alternative. I periodically burn a CD with copies of my data. if you don't have a CD burner on your PC, they are cheap. You can buy an external CD burner that connects through your USB port for under $100. A small price to pay for the security that it affords. Buy one and learn how to use it!
There are many effective Anti-Virus Programs. 2 of the most well known are "Norton Anti-Virus" by Symantec and "McAfee" by McAfee Security Another favorite of some consultants because f its low cost and ability to run on servers without purchasing a "Server Version" is "F-Prot" by Frisk Software International.
Be sure to keep your anti-virus software updated!!
Viruses are discovered every day and Anti-virus companies usually update their virus definitions at least once per week. Use what ever method is made available by your software manufacturer to keep your anti-virus software up to date. In most cases there is an annual subscription that you will need to pay for but having outdated Anti-virus software on your system is WORSE than having none at all. It will give you a false sense of security that your system is protected when it really isn't. So, be sure to keep your anti-virus software updated!!
A Hardware firewall (View Microsoft's "Protect your PC" page) serves the same purpose as a software firewall but it is an actual piece of equipment that you connect between your computer and the network. A "Router" can serve as a firewall. Hardware designed specifically for use as a firewall may also may provide you with addition features such as a Virtual Private Network (VPN) connection.
A couple of companies that make equipment that serve as firewalls are: Linksys and SonicWall
Keep up to date with Security patches
In most every case the patch has been available before the virus or worm has become widespread! From Internet Explorer you can visit the Windows Update Site and have it scan your system for required "Critical" security patches. Technology exists (Using Automatic Update - Go to your Control Panel and locate the "Automatic Updates" icon) to have your system check and install critical updates on a scheduled basis. Using the Automatic Windows Update will automatically install the "Critical" updates only.
You can also do this manually. From the browser menu Choose: Tools-Windows Update and it will take you there. Follow the instructions. It will also recommend other updates as well but the ones you should absolutely install are the ones marked "Critical". Don't install the other ones unless you read what they are about and know what you are doing!
This is directly from the Windows 2000 help system "Securing Shared Drives":
"In Windows 2000, all drives on your computer, such as drive C or D, are automatically shared using the name drive letter$, such as C$ or D$. These drives are not shown with the hand icon that indicates sharing in My Computer or Windows Explorer, and they are also hidden when users connect to your computer remotely.
However, any user can gain access to your computer over a network or the Internet if the user knows your computer name, and the user name and password of a user who is a member of the Administrators, Backup Operators, or Server Operators group. A user who gains access to your drive over the network or Internet can view all folders and files on that drive, even those that are protected using NTFS permissions, provided the NTFS permissions allow access to members of the Administrators, Backup Operators, or Server Operators group."
Similar help is available for Windows XP - "Securing Shared Resources"
Here is some information on how to "To set, view, or remove permissions for a shared folder or drive" for Windows 2000
The internet is nothing more than a very large network. When you connect to the internet, your hard drive may be accessible to everyone else on the internet if they can figure out where you are located (Which is not all that difficult to do!). If you have opted to "Share" your information with other computers on your network, you will need to limit that sharing to just those people you want to share it with!
Each operating system handles this task differently. Some have a global password for the entire drive. Some allow you to restrict access to specific user log ins. Find out how it is accomplished on your system by reading the help screens and do it!!
And I shouldn't have to mention this, but I will. Make you password something you can remember but something that is not easily guessed by others. Your spouse's name is NOT a good idea for a password! The most popular password is: "password" so don't use that either.
A firewall (View Microsoft's "Protect your PC" page) is something that prevents other people from connecting to your computer through the network. Most can be configured to let what you want to let through in and keep out what you don't want. (Windows XP has a built-in firewall. Service Pack 2 (SP2) of XP will automatically enable the software firewall. In versions previous to SP2, It needs to be enabled however. Click here for instructions on how to enable Windows XP software firewall). There are companies that make software firewalls for you to purchase. In general, the more configurable they are, the more expensive they are.
Note: If you install Windows XP SP2, it will automatically enable the software firewall. If you have been allowing other to access your computer from elsewhere, This may prevent you from doing things that you had been able to do prior to the installation of the service pack. If this is the case, you will need to modify the firewall settings to allow you to do those things again.
It is my understanding that Microsoft is well aware that this may cause some temporary problems for users. They are prepared for some backlash on this issue. The other choice is for them to leave the firewall OFF by default which will cause even greater backlash. So the choice to turn ON the firewall when you install Service Pack 2 is the lesser of the 2 evils and a step they feel need to be taken at this time. They see no other choice to achieve their goal of safe computing.
The challenge I see with software firewalls is that they are software and can be compromised as any other software can be compromised. You system must be healthy for these to work. Check out this article in eWeek about a recent issue with a software firewall.
The settings in your browser under the Tools-Internet Options menu choice have a lot to do with how vulnerable you are while browsing the internet. Making the correct settings will help protect you from malicious web sites. Microsoft provides you with lots of information on how to manipulate your settings and what they mean. Click Here for more information about Browser settings.
The saying goes, "There is nothing so uncommon as common sense" but if you just think before you do something you may save yourself hours and hours of time fixing what went wrong. If you think something is suspicious, assume that it is.
If you weren't expecting an email with an attachment from your long lost cousin, call her and ask if she meant to send you this "Photo.vbs" file!
Just take an extra few seconds and Think!!!
Good Luck and Safe Computing!
References
(1) "Practice safe computing and thwart online thugs" by Kim Komando located at: http://www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx