Computer Security for Home and Small Business Explained

People often ask us to do things we don't advertise for. Maybe it's because we've been geeks for so long. The threats to today's computers, especially Windows computers, are getting so out of hand that we feel obliged to help.

dataSpheric offers security services to Phoenix and Prescott Arizona homes and small businesses.

For those of you not fortunate enough to live in Prescott Arizona and to educate all of you in a field that's become of great concern, we give you our basic process and identify most of the tools we use. dataSpheric is a web design and web-enabled software firm serving Prescott AZ and Phoenix AZ.

Many threats exist to computer safety. These include

  • You could become an unwitting accessory to crime
  • You could suffer data corruption and lose a lot of valuable information
  • Your computer could become enslaved to the use of others
  • You could experience identity theft
  • You can be defrauded
  • You could experience unwanted attention
  • Your hardware can be damaged
  • Your privacy can be compromised
  • You could end up seeing offensive content that you did not want to be seeing

The nature of the threat:

  • The threat is unpredictable. We never know what the bad guys will do next, only what they've done in the past.
  • It evolves continually. The bad guys never stop refining their weapons and tactics.
  • It will continue forever from what we can tell. There will always be bad guys.

Security consists of three things:

  • Hardware and hardware configuration
  • Software, software configuration and patching
  • User training and user action

You are responsible for your security.

The net is opt-in and open. You bet there are people out to get you. Caveat emptor. Software manufacturers are only partially responsible. Consider this, if you leave your car in a bad neighborhood and someone steals your hubcaps, would you expect to sue Chevrolet? Of course not.

Security is subjective. There is no such thing as definitive security.

Traditionally, information is secure:

  • When no force is capable of effecting damage
  • When the cost of obtaining the object outweighs the value of the object

Problems with traditional definitions:

  • The first definition is hypothetical at best: there is always something or someone who can hurt you. The second simply doesn't apply: many hackers aren't interested in the value of your data at all. They are interested in learning, bragging or being destructive.
  • Hackers: black and white hat. Many hackers are nondestructive and benign. They are interested in learning and occasionally can act as vigilantes, attempting to protect the rest of us from the ill effects of black hats. Black hats are associated with destructive viruses, theft, fraud and destruction.
  • Distributed exploits: the value of your particular data is low, but in quantity it is high
  • Proxy attacks: the value of your data or machine is low, but its value as a slave is high

Business and home office security are two different ball games

  • Environmental complications exist for most businesses. The presence of multiple networked computers means there are more ways for hackers to get in.
  • More people have physical access to computers in a business. More people equal more threat.

Certain operating systems are at higher risk than others!

  • Windows operating systems, all of them, are a high threat to security.
  • Mac OS is a low threat in any configuration.
  • Linux is a very low threat in any configuration; properly configured, it is almost bulletproof.
  • Unix is a very, very low threat in any configuration; properly configured, it is almost bulletproof.

General administrative techniques for computer security

  • Restrictive security and permissioning. Give everybody what they need to do their job and NO MORE.
  • Restrictive configuration. Run only the services necessary to do the job and NO MORE.
  • Dedicated devices or Segregated services. Separating services on multiple, specialized servers can segregate your network environment. If one goes down, the others may function.
  • Encryption seeks to render information valueless by scrambling it. Encrypted data is accessed by a "key".
  • Backups, backup storage is an insurance policy: if something destroys your information, you should be able to restore it from backup.

Physical access controls

The importance of restricting physical access to computers cannot be overemphasized. Physical security, BIOS passwords and logon passwords should be used and changed regularly. Password sharing should never, ever happen.

Network topology, physical segmentation of network segments, "inside" and "outside" boxes are another great tool in the administrator's toolkit.

Offline threats to computer security

People tend to associate computer security threats with internet connectivity. We've touched upon these, but there are lots of threats to computers which aren't connected to the internet. Floppy disks, CD-ROMs and DVDs can all carry viruses, trojans and worms which can infect your computer.

User habits

No discussion of computer security is complete without mention of user habits and user training. All of the software fixes in the world are meaningless if our people don't do their part.

  • Clicking, in particular clicking "Yes". Lots of pop-up windows happen in the course of a lifetime, frequently software that wants to install itself on your computer, especially on the internet. Users should not, in general, be allowed to install software at their own initiative.
  • Giving out information. How many of your people would tell someone sensitive information if they simply called and asked?
  • SSL or Secure Sockets Layer "locks" or other browser messages should be known and understood by all employees who conduct transactions online.
  • Dropping the firewall to diagnose software or network troubles is a no-no.
  • Inaction, seeing something amiss but doing nothing is a problem that can be addressed by training and communication.

Passwords

As mentioned before, passwords should be kept secret and changed regularly. Passwords have been a cornerstone of computer security forever. Let's focus on them for a minute.

  • Proper passwords are NOT found in the dictionary or in a list of proper names. Obfuscation is one technique that substitutes numbers or special characters for conventional letters. Thus, if we use the number one instead of the letter I, we can obfuscate the name illicit thusly: "1ll1c1t". Mnemonics are another great password technique. Thus, the sentence "I love my wife very much" forms the mnemonic "ilmwvm".
  • Social engineering is a constant threat. Again, users should be trained that passwords are NOT shared. A favorite trick of hackers is to call one of your employees, say he is calling from the IT department and requesting a password. Many people fall for this trick.
  • Bad passwords, the opposite of proper passwords, are a constant threat. Administrators make attempts to evaluate such trends. The password "baby" remains the all-time most used password. Other popular passwords include "badboy" and all the naughty-words in every conceivable combination.
  • Storing passwords on paper allows you to look them up when you've forgotten them. Who else can get to this list?
  • Sharing passwords. Don't do it. If you do, change it immediately.
  • Changing passwords at least twice a year is sound policy. Changing it immediately if you suspect trouble is mandatory.

That's the basic global view.

Now let's focus on the most common issues and what you can do to protect yourself. For the most part, we're worried about computers connected to the internet which in large part comes down to software.

To summarize, software threats include

  • Unauthorized software installs
  • Hacks
  • Vulnerabilities, viruses, worms, trojans, spyware, backdoors, easter eggs
  • Email
  • Applications, especially Windows applications such as Outlook and Internet Explorer
  • Spyware, adware
  • "Undelete", that is, the fact that "deleted" items aren't always deleted, they just look that way. Experts can recover them.

Software remediations

Remediation is our fancy word for what you do to fix things. Common remedies for software threats include

  • Updates and patches from software vendors
  • Switching software. Netscape and Opera are good alternatives to Internet Explorer.
  • Password protection of MS Office files. Seldom practiced but a good idea.
  • File attributes. More a job for your technician, this involves protecting key files from being changed.
  • Shredders are software that makes sure deleted files are really deleted forever.
  • Email attachments should not be trusted anymore.
  • Encrypted emails are becoming more and more popular. Email is definitively insecure.
  • Protective software (antivirus, antispyware, anti-adware) has become essential.
  • Monitoring software: IDSs (Intrusion Detection Systems) and log analysis are business-scale solutions.
  • Observation: URLs, SSL lock, Task Manager, Add/Remove progs are all processes or events that users should watch over and not ignore or presume.
  • Switching operating systems is becoming more and more popular. We recommend Linux Mandrake
  • Finding legitimate alternative applications is an unending chore.

Focussing on online systems

We have hardware firewalls, software firewalls, anonymous surfing and web use techniques, anonymous email and sneaky things like using multiple email accounts to "layer" who gets to you.

Impact of security protocols

Have you ever noticed that when you bring the "computer people" in, they break one thing for every thing that gets fixed? You may have noticed that IT services aren't like the McDonald's drive-through where you get your order the way you want in 3 minutes or less or your meal is free. It's a bit more complicated than that.

Computer security is one place where we luck out as technicians to a certain extent. We're not going to sugar coat anything. It's a pain in the neck, there's no guarantee it will work and it might make you change your life and habits. Common complaints or problems can include:

  • Inaccessible content or services
  • Warning messages, logs and complaints
  • Loss of functionality
  • Need to update

Choosing a level of security

Now that we've got you scared to death, you'll probably want to be as secure as possible from now on, right? Well, to tell you the truth, not everybody needs the same level of protection. Some of us just don't have as much at stake. Not all of us have the same amount of money to spend either. For the cost conscious or plain strapped, be aware that any security is better than no security in this game. You don't have to spend a lot of money to become a lot safer than you are today. Let's look at the cost factors in computer security:

  • Time
  • Expertise
  • Effort
  • Changing behavior
  • Changing HW/SW
  • Expense

All of these factors are interdependent. What we try to do is balance the impact of the worst case scenario against what can reasonably be accomplished.

And how do we do that? We don't know about you, but we run it through a little probability matrix that rates the various threats and indicates the level of threat they present. What's that you say? You don't have a risk probability matrix? Don't worry, you can use ours.

dataSpheric Basic/Home Computer Security Assessment:

| Factor | High | Med | Low |
|---|---|---|---|
| Operating system | Windows | Linux | Mac |
| Net Connection | Cable/Satellite | T1 | DSL, ISDN, Dial up |
| Commerce or online banking? | Lots | Yes | No |
| Email? | Lots | Yes | No |
| Shared system? | Public/business | Household | Single |
| Data value | Necessary | Important | Trivial |
| Proactivity | Not | Somewhat | Quite |
| Privacy requirement | High | Med | Low |

How to use the computer security matrix

Usually we use a more complicated tool that does numerical weighting but that would take all night to explain. This simplified tool will do the basic job for you. Run down the list and circle the right answers for each question or risk factor. When you are done, look at it this way. If you are seeing a lot of circles in the high category you might be well advised to put a security policy on your home or business. If all your circles are to the right in the low threat column you might not have that much to worry about. But that doesn't describe many of us does it? Look at the low threat level. The only way this person could be safer is not to have a computer at all!

Let's face it, most of us have Windows computers hooked up to the internet on a broadband connection. We've got a lot to be worried about.

At this point, if you aren't in the Phoenix Arizona or Prescott Arizona locale, we can't help you directly. What we do requires physical access to the systems in question. You can, however, follow along and build your own solution, you can determine if your present security company is doing the job they should be doing or you can make a list of things for your local computer person to follow.

Levels of security offered

  • 1. Basic software package for single computers at home. Includes our standard software suite for your operating system and popular software. This can be considered our "low" security option.
  • 2. Basic SW/HW package for home and home office networks includes the basic software package plus a hardware firewall and standard topological changes. This is our "medium" security option.
  • 3. Advanced SW/HW package includes the Basic SW/HW package plus research and remediation of all of your favorite non-standard or unusual applications. It also includes advanced observation/monitoring tools and file shredding. This is our "high" security option.
  • 4. Pro Package for small business and networks includes our Advanced SW/HW package as well as encryptionware, anonymous webuse techniques, passive testing, regular monitoring/updates and active testing. This is our paranoiac level of security. We should note that the paranoiac levels utilize different tools and techniques than are described here. If we did describe them here it would be completely counter productive.
  • 5. Training is used as necessary for your situation.

I should note here that the level of training and ongoing work required increases with each level of security.

Now for the final part of our discussion we'll cover some of the most popular and available tools that are used to achieve the security levels described above.

Clientside Toolset

| Tool | Source | Cost |
|---|---|---|
| Updates, patches and fixes | Vendor | Free |
| Antivirus-NAV Pro2004 | Symantec | $40-69.95 |
| SW firewall-ZL Pro4 w/web filter | ZoneLabs | $40-59.95 |
| Antispyware-SWB*, SBSD* | Javacool, Kolla | $Donation |
| Pop up stopper | Panicware | $25-29.95 |
| All in one-NIS2004 | Symantec | $58-65.00 |
| Registry analysis-RegistryTool | RegistryTool | $24.00 (personal ed.) |

*Note: SWB and SBSD stand for Spyware Blaster by JavaCool and SpyBot Search and Destroy by Kolla, two fantastic applications that have never caused us problems. Although both are free for download, we recommend that you make a donation of at least $10.00 to each of them. Keeping up with spyware takes a lot of time and these folks are doing a great job of protecting all of us.

There are lots of other tools. Many of these involve more complicated considerations than simple software installs, but they include hardware firewalls, IDS, logging and logfile analyzers, drive encryption, encrypted email and shredders.

dataSpheric Computer Security Services Policy For Phoenix and Prescott Arizona Clients

  • We backup everything first
  • We cannot predict software conflicts or instability especially with Windows updates
  • We cannot guarantee security. Only God can do that.
  • We cannot guarantee safety or stability of installed software
  • Our services are not definitive, nor do they imply permanent safety. You need to keep updated.

dataSpheric offers the following computer security services to Prescott and Phoenix Arizona clients:

  • Security evaluations
  • Training and education
  • Install/config HW/SW
  • Regular updates
  • Security review and testing

dataSpheric will work with your in-house IT staff or your regular "computer people" wherever necessary to get the job done right.