Multiple Layers of Computer Security
This week I talked with a man who’s concerned about security. That’s not at all unusual — most of us have some computer-related security concerns.
But this particular man’s small business requires him to deal with some confidential customer information that he in no way wants compromised. So for him, it’s a bigger issue than it is for the typical home user.
As with most things security-related (whether it be home security, airline security, personal security or national security), there’s no single all-in-one solution. Any good solution to security (in whatever realm) is likely to involve multiple layers.
In fact, from considering various aspects of the security puzzle, I have a list of as many as 18 different potential security layers that might come into play if needed for different situations.
For most folks, I only use a few of these 18 layers. But the availability of these various options makes it possible to come up with a really good, individually-suited security solution for just about any situation, including this one.
As you may be starting to realize, there are quite a few different issues when it comes to computer security. And while this list is surprisingly long, it isn’t actually meant to be comprehensive. It’s meant instead to be more of a practical guide than an academic one. Here are the layers in my current list.
1. Having a router.
Quite a few people with only one computer are directly connected to a DSL or cable modem. If you have a router between your computer and the modem, it serves as an extra firewall to help keep out some of the hacking-type visitors.
2. A firewall.
Usually when I talk about firewalls, I’m referring to software firewalls on individual computers. These come in two kinds.
Windows Firewall is inbound only (offering protection from people trying to break in from the outside). Two-way firewalls like ZoneAlarm also let you know when a program on your computer is trying to talk to some other computer somewhere.
There’s a tradeoff here between thoroughness and convenience. Because of the convenience factor, I don’t generally tend to recommend two-way firewalls like ZoneAlarm any more for the regular user. The extra bit of protection just usually isn’t worth the hassle for most folks.
3. Intrusion prevention software.
Beyond the standard antivirus/firewall/updates trio, there are some lesser-known technologies out there that can help prevent intrusions — or at least help limit the damage that a virus, trojan or other malware can do.
Such software works on the principle of not trusting any program your computer gets from the internet (whether it’s deliberately downloaded or sneaks onto your computer) until you say the program is safe to trust.
While not entirely hassle-free, intrusion prevention software can work with existing antivirus programs, firewalls, etc. to help create stronger security where it’s desired.
This kind of software can limit the damage from threats your antivirus doesn’t even have a clue about. And these kinds of threats are more and more common.
4. Traditional, signature-based antivirus programs.
Having invested some significant research time into the various antivirus products, my two most favored antiviruses (interestingly enough) both come from Czechoslovakia.
AVG is great for its ease of use and intuitive control panel. And if you want a bit higher security (with, in my opinion, a bit less friendly interface), avast! is a good choice.
And both of these products have versions that are free for home users. The free version of AVG doesn’t include rootkit protection, but it still seems to work well for many home users, especially when combined with other layers of protection.
Norton has a good detection rate, but real users just don’t seem to like the product that well. Supposedly they took some of the bloat out of it a couple of years ago, but I tried Norton Internet Security 2010 recently and personally, I thought it was awful.
5. Windows Updates.
You need the Windows updates. Most of these are security updates, and the ones that aren’t are often there to fix the bugs that are crashing Internet Explorer.
If you’ve been running XP for quite a while and it’s not been configured right, you could be missing more than 100 of these updates. And the situation could be the same if you’ve totally wiped your computer clean and not gotten the appropriate Service Packs and other updates since then.
6. Behavior-based anti-malware.
This is another category (like the intrusion prevention software) that very few people have even heard of. But I’ve recently become aware of software that monitors your system for misbehaving programs, and then alerts you to the danger and allows you to deal with it.
Again, this is complementary to regular antivirus software.
7. Settings-based preventative.
These programs are generally anti-spyware programs, and they modify system settings to provide some preemptive protection against known threats, including known web sites that can cause problems for your computer. Spybot Search & Destroy is the best-known of these.
8. Browser choice.
From a security standpoint, Internet Explorer 8 seems to be the browser of choice… if it works without crashing on your system. If it doesn’t, use Firefox. Or, if you just want the fastest possible browser speed and aren’t as concerned about the security, try Google Chrome.
Yes, I know that’s backwards to the security perceptions that most people have of these browsers. But based on actual testing, it appears to be the case.
One more browser needs mentioning: Internet Explorer 7. IE7 isn’t that great from a security standpoint. Or a speed standpoint. But it certainly still works okay for a lot of people.
9. Running as a limited user.
I really don’t push this particular approach very much, because it seems like too much hassle to me. Nonetheless, it’s recommended by a number of other people.
In Vista and Windows 7, of course, you’re automatically kind of demoted to limited-user status for most purposes by those systems’ User Account Control (UAC). This is less of a hassle in Windows 7 than it is in the much-hated Vista.
10. Common sense.
Pretty effective overall as a security layer. Unfortunately, this sometimes goes out the window in situations involving employees or teens.
Here’s a sample:
There used to be at least some argument for using file-sharing programs like Limewire. These days, the files that you get from peer-to-peer file sharing are loaded with badware, and there are reasonably-priced legal subscription services that provide your music on an all-you-can-eat basis.
So there’s really no reason anymore not to relegate that file-sharing program to the dustbin of history.
12. User management software.
There are programs that you can get like NetNanny that place restrictions on where you can and can’t go on the individual computer. These can also limit individual behavior in other ways, too — such as overall time limits and scheduling for particular activities.
13. Network-based surfing restrictions.
If it’s just a matter of general surfing restrictions, I have a different solution I prefer that is completely external to your computer — and free.
14. Data encryption.
Moving beyond the malware arena, encrypting your data can be useful in some higher-security situations.
15. Online backup.
A different kind of protection, and one that’s probably needed by most of us. This type of backup system allows you to recover your valuable data (business information, financial information, documents, photos, videos, music, etc.) even if your hard drive completely crashes, someone steals your computer, or the building it’s in burns to the ground.
16. Traditional backup.
Even with online backup, it can still be useful to have a traditional backup (preferably off-site) of your most important stuff, including CDs and license keys for valuable software.
17. Network security.
This has to do with controlling access to your network, if you have one. Most people who have networks are already aware of and dealing with this area, so a brief mention should probably be sufficient.
18. Wireless security.
Last but certainly not least, if you have a wireless network, then that wireless network needs to be set up properly.
Now it’s important to note that if you have a wireless router that’s broadcasting a signal, even if you’re a home user who isn’t using that signal, you have a wireless network. It needs to be secure.
And there are four things you can do regarding wireless security:
a) Not have any. Unfortunately, a few people are still in this state.
b) Use a system that’s inherently insecure (this is common).
c) Use a system that is potentially secure, but set it up in an insecure way.
d) Use a system that’s potentially secure, set up properly.
Obviously, only option d) is recommended.
Scared by the Long List?
You shouldn’t be. For most people, and most situations, only a few of the layers really need to be applied.
In fact, this list should be comforting rather than scary. It means that whatever level of security you need, it’s possible to come up with a combination that should work for you.