Protecting Home Computers and Networks

Gary C. Kessler
February 2007


The information contained here is offered by the author as a set of guidelines for protecting home computers and networks from unauthorized use across the Internet. The suggestions listed here do not necessarily represent any organization with which the author is affiliated but are provided here as a public service.



This page provides some suggestions to secure small office, home office, and home connections to the Internet. These rules apply to both dial-up and dedicated (DSL/cable modem) access. This document will address the following items, which are essential for securing your home systems; there is still more to do after these steps are completed but they will get you started:

  1. Use anti-virus and anti-spyware software
  2. Employ some type of firewall software or hardware
  3. On Windows systems, be sure to display file extensions
  4. Never open an attachment unless it comes from someone you know and you are expecting it
  5. Keep your Windows system patches up to date
  6. Lock down your home wireless network

A note for Windows users: Windows currently provides anti-virus and firewall software in the operating system. I recommend using third-party AV and firewall software merely because of biodiversity in software. If you choose not to use third-party software, do use the Microsoft-supplied capability.


1. Employ Anti-Virus and Anti-Spyware Software

It is imperative that all users on the Internet run and maintain anti-virus (AV) software. Installing AV software alone is not sufficient; users also have to use the option to run the software at all times (sometimes called auto-protect) and to routinely update the AV signature files. There are well over 75,000 known virus signatures today and that number continues to grow; AV software vendors generally update their signature database file at least weekly. If your software has the option, consider having the software automatically check the vendor's Web site for updates and automatically download and install new signature files when they are available (sometimes called live update). Note that although the vast majority of viruses target Windows operating systems, Mac, Unix/Linux, and other operating systems are not immune.

Users on the Internet also need to be protected from spyware — software that tracks where you go on the Internet and what you do, and sends that information to marketers and nefarious users. Like AV software, anti-spyware software needs to be run frequently and kept up to date.

There are many vendors of anti-spyware software, some of which are listed below; costs vary but US$35-50 is a rough estimate. Anti-spyware software often comes bundled with AV software:


2. Employ a Personal Firewall

If you are on the Internet, you should use some form of personal firewall. Personal firewall software runs on your computer and protects against attempts by outsiders to break into your computer. If you have a LAN at home, a hardware firewall might make more sense both economically and practically; most home hardware firewalls also double as a LAN hub/switch and personal firewall software might block local peer-to-peer networking which you want. You will need one copy of personal firewall software for each machine that you want to protect, while a single hardware firewall can protect all systems on the local network.

Some of the available personal firewall software products for Windows are listed below; prices vary from free to US$90. Several of the AV products listed above also have firewall options. Good, independent reference information for choosing personal firewall software can be found at the Home PC Firewall Guide (www.firewallguide.com).

There are also a number of cable modem/DSL hardware products that provide firewall capabilities; prices here range from about US$35-100:


3. Show File Extensions

By default in Windows, Windows Explorer and other Microsoft applications do not show the extension of files if the extension is "known" to the operating system. This is potentially dangerous with the many viruses that are distributed today with a so-called "double extension"; e.g., a file named foo.jpg.exe. This is an executable file because of the .exe extension. If extensions are hidden, however, the user will only see the name foo.jpg and might open this, mistaking it for a JPEG file.


Showing file extensions in Windows XP.
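
The double-extension problem described above can also be checked for mechanically. The following is an added example, not part of the original article: it shows what a name such as foo.jpg.exe looks like when extensions are hidden, and flags such files in a folder. The extension sets, sample names and function names are assumptions chosen for illustration.

```python
import os

# Extensions Windows runs when double-clicked (representative set, assumed for this example).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Extensions users tend to treat as harmless documents or media (assumed decoy set).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS

# Constructed sample names, not taken from any real incident.
SAMPLE_NAMES = ["foo.jpg.exe", "holiday.jpg", "setup.exe", "Report.DOC.SCR", "notes.v2.txt"]


def hidden_extension_view(filename):
    """Return the name as listed when extensions of known types are hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in KNOWN_EXTS else filename


def is_double_extension(filename):
    """True when an executable extension follows a document or media extension."""
    stem, last = os.path.splitext(filename)
    inner = os.path.splitext(stem)[1]
    return last.lower() in EXECUTABLE_EXTS and inner.lower() in DECOY_EXTS


def flag_names(names):
    """Pair each suspicious name with what the user would see."""
    return [(n, hidden_extension_view(n)) for n in names if is_double_extension(n)]


def scan_folder(root):
    """Walk a folder (for example a downloads or attachments folder) and list flagged paths."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        hits.extend(os.path.join(folder, f) for f in sorted(files) if is_double_extension(f))
    return hits


if __name__ == "__main__":
    for real, shown in flag_names(SAMPLE_NAMES):
        print(f"{real!r} is listed as {shown!r} when extensions are hidden")
```

A plain setup.exe is deliberately not flagged; the check targets only names where the visible part would pass for a document or picture.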

4. Take Care Opening Attachments

E-mail attachments are the most common way in which viruses are propagated on the Internet. You should never open an e-mail attachment unless it comes from someone you know and you are expecting it. An attachment coming from someone you know is not sufficient proof that it is ok to open; most of today's viruses and worms use a compromised address book to find new targets.

(The advice to "be expecting" the attachment should also be taken with a grain of salt. I would suggest that the next generation of virus/worm may employ two messages; one telling you to expect a file and the next containing the attachment.)

As a side note, some e-mail software will automatically execute some attachment types when you preview a message; this feature should be turned off, if possible. Outlook and Outlook Express are among the worst offenders in this regard; consider using another e-mail client if you can.


5. Keep your Windows system patches up to date

The version of Windows that came installed on your computer or on the CD out of the box is already out-of-date; new vulnerabilities have been found and exploited. The Windows Update feature should be employed so that you can stay up-to-date on all patches. You should consider installing patches even for software that you might not use; many Windows and Office components are used by other components in non-obvious ways.


6. Lock down your home wireless network

If you have a wireless home network, be aware that anyone with a wireless network interface card (NIC) within a few hundred feet of your house might be able to hop on to the Internet via your access point (AP) — and, possibly, look at any open shares on your home network since the intruder is on your home network.

To provide some basic security for your home wireless network, consult the manual for your AP and:



About the Author: Gary C. Kessler is an Associate Professor and program director of the Computer & Digital Forensics major at Champlain College in Burlington, Vermont, founding chair of the Vermont InfraGard chapter, and an independent consultant and writer. More information can be found at his Web site at http://www.garykessler.net. His e-mail address is kumquat@sover.net.