PostHeaderIcon Computer Security (Updated 5 Mar 11)

PDF | Print | E-mail

...and Free Tips for Staying Secure Online

Anyone who might have spoken to us about security will know that we are extremely passionate about the subject.  For many years, the general feeling about computer security (or 'infosec' or 'cyber security' as it is often being called now) is that it is a pretty boring subject.  In fact, many of us have worked at companies that seem to believe security is getting that latest version of some paperwork (normally that you have never read or ever intend to read) signed.

That is not security.

To us, security is putting everything in place to prevent bad people doing bad things.  The way we do this is by pretending to be the 'bad guys' (with someone's permission of course!) and find the security holes before the real bad guys do.

 

It normally amazes companies when we show how trivial it is to get into their network; and its not too boring!

So when we're talking about the subject, we often get asked 'what can we do to keep ourselves safe?'.

For companies, I always have one answer.  Call us.  Get us to carry out a penetration test of your company and we'll go from there.  And if you're wondering about prices, they're on request because the requirements of each company are bespoke.  We will scope your requirements and build a team of experts specifically for your engagement.  What we do say is that we charge a reasonable rate for the skills we have and, more importantly, a fraction of the cost of the lost business and reputation when your company is compromised.

For the home user that is willing to do some research and help themselves, we have provided some helpful tips and links below that should get you going in the correct direction:

  • Patch, Patch, Patch.  Only use genuine software and keep it up-to-date ('patched').  Most virus' and malware use vulnerabilities in software to find their way in.  The best way to help prevent this type of attack is patching.
  • Install AV and Anti Malware (and keep it up-to-date).  Make sure you have some good basic antivirus (AV) and malware protection, and make sure you keep it up-to-date.  AVG and Avira both offer free versions of their AV software that is good enough for most people's needs.  There is lots of anti-malware software out there.  When I get a chance I'll list some of the better ones here (follow us on twitter - @cbrnetworks - or register on the CBR site for free, and we will let you know when we do).  Superantispyware & Malwarebytes Anti Malware (MBAM) are both recommended.  Note that AV is not a silver bullet though - we have produced a video here (link coming) that shows how only 35% of AV products detected some simple malware we created for a previous engagement.  Its just another layer of security to make it more difficult for the bad guys to get in.
  • Install a Good Software Firewall.  Windows comes with one.  There are also plenty of other free (and open source) versions.  I especially like Online Armor as it does much more than just AV too.
  • Have Good Browsing Habits.  Never, I repeat, never click on any links or open any files or emails that you do not trust.  There are many virus' and malware that will pass the antivirus check with flying colours - AV is not 100% protection!
  • Use a Good Browser.  Not all browsers are equal in the security stakes.  Take a look at the Firefox page on wikipedia.  The security section gives some evidence of why it is more secure than Internet Explorer.  We also like it because it is Open Source which we are big fans of.  It also allows you to install twoi extensions we highly recommend - NoScript and HTTPSEverywhere.
  • Strong Passwords.  Make your passwords strong, unique and change them regularly.  To make them strong and still remember them think about using passphrases instead of words or using a strong password manager such as Lastpass to remember them for you.  Lastpass also offers a mobile solution for iPhone but it's not free (it is pretty cheap for what you get though).
  • Secure Your Wi-Fi Router.  Most routers are not secure by default.  Make sure you secure it, including changing the default admin password.  If you want us to secure your Wi-Fi router on your behalf then get in touch; our prices start at £49.99+vat and significantly reduce the risk of your network being compromised.
  • Pay for a Good VPN Service (until everyone goes SSL). This is extremely important if you are using a network that you do not trust (especially public networks such as Wi-Fi in coffee shops, hotel networks, or Wi-Fi services such as those in some towns)  A VPN effectively secures the connection between you and the VPN company (normally on the internet backbone somewhere).
    • You can secure each internet application seperately instead but it is very risky.  For example did you know you can go to https://www.facebook.com and have your login secured rather than using the completely insecure http://www.facebook.com?)
    • If you do nothing then expect your email to be compromised. Very quickly.  Followed by any accounts that you login to with insecure login pages (eg. http://www.facebook.com).  And if you're happy to click on an official looking dialogue box when it pops up, then expect the online banking to be compromised too.
    • If you're wondering, the difference between HTTP and HTTPS is that when using HTTPS the communcation between your pc and the provider is encrypted.  So what does this mean?  Well, HTTP is a little like sending cash through the post, stapled to a postcard! You just don't do it!  HTTPS is like putting the cash into a secure container that only the addressee can open, then sending it by recorded delivery.  Much safer.
    • The problem with securing each 'shipment of money' seperately is that you can easily forget to put it in the secure container.  Do you know which applications on your computer send data over the internet?  Chat, Email, etc.  VPNs are like using a secure postman that only accepts securely packaged information.  You can't forget.  Hence why we recommend them.  Again there are a number of providers, one example of which is Witopia.
  • Help prevent keylogging of your passwords.  One example of software that does this is Rapport.  Its free and can be downloaded from the Natwest website.
  • Install a Host-based Intrusion Prevention System (HIPS) and/or use Virtual Machines (VMs).  This is about as good as you can get on a personal machine.  Amongst other things, they seperate each internet 'session' from another 'session' and from the rest of your computer.  The down-side is that they can slow down your machine, but they are the only way to really take security seriously.  As ever, the balance of risk vs performance sits with you.  VMPlayer is free and can have any operating system installed.  Its like having a completely different computer within a window on your screen.  One example of a free IPS is GeSWall.

In summary, there is a lot that can be done to help improve your computer security.  This problem is not going to go away, and in fact all indicators show that the problem is going to get a lot worse before it gets better.  We have just seen what is believed to be the first state-to-state cyber attack (Stuxnet) and the mainstream reporting of botnets like ZeuS has shown how the 'cybercrime' world are taking the security (or lack of security) so seriously and reaping millions of dollars in return.

If your company would like any security advice please get in touch.  Otherwise feel free to follow us on twitter (@cbrnetworks) where you will hear our views on various topics, one of which being security.

Stay safe.

Paul,
Director, CBR Networks Ltd

Last updated 6 Mar 11.

 
Home Articles Security Cyber Security

Copyright © 2010 CBR Networks Ltd. All Rights Reserved.
CBR Networks Ltd is registered in England and Wales (No. 6721705). VAT Registered (No. 942482122)

Built by CBRNetworks.com. Proudly powered by Joomla!