Security Watch
A Call to Arms, Continued
Letters from the security front.
- By Roberta Bragg
- 02/04/2004
After posting my first call to arms, lots of readers responded, many with terrific ideas.
Here are some of them, mixed in with some more of mine. Anyone whose name appears
specifically gave permission, so those without names wanted anonymity.
As I read your column, it occurred to me we should write some good viruses.
Why doesn't Microsoft write some viruses that install the patches everyone needs?
Roberta responds: Whoa, that's like trying to make everyone's teeth
less susceptible to decay by putting fluorides in the water supply. Oh, wait,
we do that, don't we? Actually, "good" viruses or worms isn't a concept
I favor. Part of the problem generated by bad worms and viruses (indeed, the
point of many) is Denial of Service. Any infection of "good" worms
will have the same effect. In fact, we saw just that with the Welchia or Nachi
worm; it tried to patch systems against the RPC DCOM buffer overflow (exploited
by the Blaster worm) but became a nuisance itself. The other problem is their
ability to do wrong. Instead of writing "good" infectious agents,
better code and better patching processes are needed, for all software.
I think a great place to start when educating users is http://www.personalfirewallday.org.
The folks behind that site put some thought into simplicity, and tailored the
explanations to non-technical readers.
Yup, a great site to find information written for consumers (which I discussed
previously; see http://mcpmag.com/newsletter/article.asp?EditorialsID=242
for more information). Look below for another site that includes steps users
should take to secure their systems. Microsoft also offers such information.
Use these sites to learn how to talk "non-techie"; you're not going
to get many end-users to do security if you throw around lots of tech jargon.
For anyone on a broadband or better Internet connection, I'd set their antivirus
to update hourly, without prompting (which can be annoying). Dial-up users should
check for updates at least every time they log in. If the antivirus vendors
can respond more quickly than they did to MYDOOM.A (and I think most will
next time around), this will help anyone that isn't hit by the first couple
waves dodge the bullet.
Mitchell Herbert had a great idea: "Considering how busy we all are
keeping our own corporate networks (or those of our clients) secure, perhaps
there should be a tax deduction for time spent securing computers and networks
for non-paying customers. Yeah, I know it'll be a cold day in...but 'tis the
(tax) season, after all..."
Actually, I believe you can get a tax deduction for the expenses you incur
in helping not-for-profit agencies. I'm not a tax lawyer, so obtain professional
advice before attempting to use this deduction. Even I can see, however, that
it doesn't apply to just helping your neighbor. Anyone want to start a not-for-profit
that helps secure folks who can't afford to pay for their own IT staff?
Some of you, however, weren't quite so enthusiastic. You've had your fill of
providing free consulting services. And I understand. We all have to make a
living and do things other than other people's work in our free time. If you
find it's hard for you to create the types of boundaries that will prevent overload,
perhaps you can provide service in another way. Maybe you'd be the perfect public
speaker? You don't have to fix things, just get others interested in doing so.
No one is suggesting that this become a second full-time job. And yes, there
really are lots of small businesses that can afford to pay for a little bit
of help. You may find that by helping home users and small businesses, you can
get a foot in the door. For example, one visit to get them started is free,
but any work afterwards you will charge for, or any work over an hour, and so
on. Maybe you can turn a desire to evangelize security into a part-time business.
Martin Criminale provided his own short list, and even keeps a Web page, http://www.criminale.com/martin/computer.asp,
with helpful, consumer-oriented security advice. Martin had the following to
say:
- Make sure that the firewall is applied to all the computer's network
connections. I've seen lots of laptops that had the Windows XP firewall turned
on for the Local Area Connection but not for the wireless card.
- Disable or remove the wireless card before installing or reinstalling
the OS. I've seen tons of admins perform a "clean" install of Windows
on a laptop with the wireless card still in. And then wonder why they got
infected before they could install the service packs and patches, even though
no Ethernet cable was plugged in. Duh.
- Check to make sure that the AV software subscription is still current/active.
Many PCs come with some anti-virus software installed and many users just
let it expire.
- In addition to current AV software, I also recommend that users (especially
home users, who by default are members of the Administrators group and can
write to their hard drive) install spyware-blocking software. Two really good
ones are Ad-aware, http://lavasoft.element5.com/software/adaware
and Spybot, http://www.safer-networking.org.
- Not only should the user have the most current version of their e-mail
client, they should update their copy of Microsoft Office (if they have it)
until every update is installed.
- If they're using XP, check to make sure the Guest account is disabled
and that all user accounts have a (reasonably) strong password.
About the Author
Roberta Bragg, MCSE: Security, CISSP, Security+, and Microsoft MVP is a Redmond contributing editor and the owner of Have Computer Will Travel Inc., an independent firm specializing in information security and operating systems. She's series editor for Osborne/McGraw-Hill's Hardening series, books that instruct you on how to secure your networks before you are hacked, and author of the first book in the series, Hardening Windows Systems.