We all care about security, and we try to protect ourselves in various ways. Some of the things we do are utterly ineffective, and some are very effective. Some were once effective, but have now become useless.
Our modern technological world is a very rapidly evolving place, so it’s a good idea to take some time every few years and take stock of how you’re protecting yourself. You’ll probably want to stop doing some things that have become pointless ritual, and replace them with new practices that you didn’t engage in previously.
Let’s start by throwing some cold water on the best-known security measure: anti-virus software, or AV. No, it is not useless, but it is a very long way from perfect. Depending on who you ask and how you test, you’ll get different answers for how effective AV is, but you’ll never get an answer of 100%.
An important thing to bear in mind is that AV’s effectiveness is heavily weighted towards the past. The longer a threat has been around, the better AV products are at detecting it. Conversely, the newer a threat, the worse AV products are at protecting you. Some studies show that AV is only about 20% effective against new threats. My advice is to think of AV as a safety net, not a shield.
If you can’t rely on AV to protect you, what can you rely on? Ultimately, you need to rely on yourself. You need to be alert, aware, and you need to practice good security hygiene.
Malicious software can’t teleport onto your computer; it must get in there through some mechanism. Broadly speaking there are two ways malware gets in, and you need to defend against both.
The first mechanism malicious software uses to get in is the digital equivalent of breaking and entering.
All software is written by humans, and all humans make mistakes, so all software has bugs in it. Newer software tends to be buggier than software that has been actively maintained for a few years, but bugs are still being found in code that dates back to the 1980s, so no software is free of them. Many of these bugs are just annoyances that cause apps to crash or do unexpected things, but some create cracks in the software’s defenses that can be exploited by malware to break into your computer.
There is a constant cat-and-mouse game being played out between people trying to find bugs and people trying to fix them. Some of the techies searching for bugs are good guys, so-called security researchers, and some are criminals. As bugs are found, they are fixed, and security updates are released to users.
The more out of date your software is, the more unpatched cracks there are in the software on your computer, and hence, the more vulnerable you are. The single most important security habit to develop is applying updates as soon as they come out. Updates to your operating system are probably the most important, but they are very closely followed by updates to all apps that touch the Internet: web browsers, email clients, chat clients, and browser plugins like Flash and Silverlight. Adobe Flash in particular is being very heavily attacked these days. But all out-of-date software is a liability, so update, update, update! And backup, backup, backup (a topic for a future article).
The digital equivalent of breaking and entering is one way malware gets in, and the other way is through trickery.
There is a saying in security circles that the easiest way to find out someone’s password is to ask them for it. Similarly, the easiest way to get your malicious software onto people’s computers is to ask them to install it for you.
Your only defense here is suspicion. If something looks too good to be true, it almost certainly is. If a website offers you something you didn’t go there to get, you don’t want it! Random sites offering you Flash updates or new video codecs are almost certainly trying to trick you into installing malware.
Be suspicious of all email. The email protocols are very old, and they are derived from a more innocent age when only idealistic engineers and grad students used the Internet. There is no authentication of the sender, so with a very small amount of know-how, anyone can send an email that looks like it came from anyone else. The way I like to think about email is as digital postcards. Assume everything you write can be read by anyone, and know that the return address is meaningless: anyone can put whatever they want in the From field.
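To make the point about the From field concrete, here is an added example (not part of the original article) that reads a message's headers and lists reasons not to take the displayed sender at face value. The sample message is constructed, all domains are reserved example names, and `sender_warnings` and `domain_of` are hypothetical helper names.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real mail); domains are reserved example names.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Bank Security" <alerts@bank.example.com>
Reply-To: support@bank-example.example.org
To: you@example.com
Subject: Urgent: verify your account

Please act immediately.
"""


def domain_of(header_value):
    """Return the lowercase domain of the address in a header, or '' if absent."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_warnings(raw_message):
    """List reasons the displayed sender should not be taken at face value."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    warnings = []
    if not from_domain:
        warnings.append("From header has no usable address")
    # Replies and bounces going to a different domain than the one shown
    # in From are a common sign that From was simply typed in by the sender.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg[header])
        if other and other != from_domain:
            warnings.append(
                f"{header} domain {other} differs from From domain {from_domain}")
    # Mail clients often show only the display name, so an address placed
    # there can hide the real one.
    display_name, addr = parseaddr(msg["From"] or "")
    if "@" in display_name and addr.lower() not in display_name.lower():
        warnings.append("display name shows a different address than the real one")
    return warnings


if __name__ == "__main__":
    for warning in sender_warnings(SAMPLE):
        print("WARNING:", warning)
```

A mismatch is a reason for suspicion rather than proof, and a clean result proves nothing, because every one of these headers originates with whoever sent the message.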
If you get an email message that looks like it’s from your bank, warning you about something serious that requires immediate action or something terrible will happen, it probably isn’t from your bank. For your own peace of mind, my advice is to phone them, and ask them if the email was real. Remember, don’t use a phone number from the email. Use one you have on file, from the top of a bank statement, or from the back of your ATM or credit card. When you do this your bank will most probably tell you the email is a scam, because most banks have a policy of not using email for important communications. Why? Because they know email is utterly insecure. For the same reason, government agencies also avoid using email for important communication. The tax man will send you a letter, not an email!
From time to time you will receive email messages from websites you have accounts with informing you of a hack, and requesting that you change your password. Some of these are genuine, but many are not. Don’t click on links in the email; browse to the relevant website by entering the URL in your browser manually, and look for a notice confirming what the email says. If the site really did have a problem, and really does want you to reset your password, they usually have a notice on the site itself with instructions for users to follow.
There are other basic things you can do to protect yourself, and I’ll cover those in future articles, but they are all less important than these three cardinal rules – update update update, backup backup backup, and always be suspicious.