(originally posted here)
Great post.
Quote:
Virii, trojans and the like are mostly harmless in the face of a user that is even semi-competent.
Just once and for all, I'll list the most important things a "semi-competent" user would do to stay safe, in rough order of importance:
1) don't run executables, plugins, applets, removable media, scripts, or documents that may contain scripts unless you're 100% certain of their intent.
1.1) see #1
1.2) see #1
2) patch your OS as soon as any security fix is published
3) patch all applications that use the network as soon as any security fix is published
4) get behind some kind of NAT (any cheap broadband router will do) and don't forward ports or enable DMZ unless you know what you're doing
5) use Firefox
5.5) if you must use IE: double-check items #2 and #3, then force ActiveX components to be whitelisted via group policy (XP SP2 does this by default)
5.7) don't send passwords or other sensitive info over unencrypted network connections like http or email
6) scan for spyware occasionally with HijackThis or similar
6.5) scan for viruses occasionally at housecall.com or similar
7) use strong passwords for all accounts on the OS and online; change them occasionally
7.5) don't store passwords in apps that don't have strong encryption (e.g. web browsers, poker programs)
8) don't run as an Administrator or Power User; lock down the default user with group policy
9) install a scanner that runs in the background like Norton and keep its definitions up to date
10) rename the default Administrator account and log invalid attempts
11) occasionally check the certificate hashes of any HTTPS, SSH, or VPN servers you interact with against a known authority, especially if you suspect a man-in-the-middle attack
12) consult with a professional network and cryptographic security auditor
#1-3 are absolutely essential
#4-5 are prudent and simple, thus recommended
#6-9 are for the paranoid and/or people who cannot trust the other users of their machine
#10-12 are for large and/or sensitive corporate enterprises
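Item 11 as an added example (not part of the original post): comparing the SHA-256 fingerprint of the certificate a server presents against a fingerprint recorded out of band. The host name, the stand-in certificate bytes and the function names are constructed for illustration; the sketch covers X.509 certificates in PEM form only, not SSH host keys.

```python
import hashlib
import hmac
import ssl

def cert_fingerprint(pem):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()

def normalize(fingerprint):
    """Accept 'AB:CD:..', 'ab cd ..' or 'SHA256 Fingerprint=AB:CD:..'."""
    value = fingerprint.split("=", 1)[-1]
    hexpart = "".join(c for c in value if c not in ": \t\r\n").lower()
    if len(hexpart) != 64 or any(c not in "0123456789abcdef" for c in hexpart):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return hexpart

def check(host, pem, trusted):
    """trusted maps host -> fingerprint obtained from the known authority."""
    if host not in trusted:
        return "unknown-host"      # nothing to compare against: do not trust
    expected = normalize(trusted[host])
    actual = cert_fingerprint(pem)
    # A mismatch means the certificate changed or someone is in the middle.
    return "match" if hmac.compare_digest(expected, actual) else "MISMATCH"

# Constructed sample data. Against a live server the PEM would come from
# ssl.get_server_certificate((host, 443)); here stand-in bytes keep it offline.
GENUINE_DER = b"constructed stand-in for the genuine certificate (DER bytes)"
INTERCEPT_DER = b"constructed stand-in for a substituted certificate"
GENUINE_PEM = ssl.DER_cert_to_PEM_cert(GENUINE_DER)
INTERCEPT_PEM = ssl.DER_cert_to_PEM_cert(INTERCEPT_DER)

def as_colon_form(hex_digest):
    """Format like the fingerprint line printed by certificate tools."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return "SHA256 Fingerprint=" + ":".join(pairs).upper()

# The value recorded out of band, in the colon-separated form.
TRUSTED = {"vpn.example.test": as_colon_form(cert_fingerprint(GENUINE_PEM))}

if __name__ == "__main__":
    for label, pem in (("genuine", GENUINE_PEM), ("substituted", INTERCEPT_PEM)):
        print(label, check("vpn.example.test", pem, TRUSTED))
    print("unlisted", check("mail.example.test", GENUINE_PEM, TRUSTED))
```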