Secure Better, Not Harder – Part One – Anti-Virus?


We all care about security, and we try to protect ourselves in various ways. Some of the things we do are utterly ineffective, and some are very effective. Some were once effective, but have now become useless.

Our modern technological world is a very rapidly evolving place, so it’s a good idea to take some time every few years and take stock of how you’re protecting yourself. You’ll probably want to stop doing some things that have become pointless ritual, and replace them with new practices that you didn’t engage in previously.

Let’s start by throwing some cold water on the most well known security measure: Anti-virus software, or AV. No, it is not useless, but it is a very long way from perfect. Depending on who you ask and how you test, you’ll get different answers for how effective AV is, but you’ll never get an answer of 100%.

An important thing to bear in mind is that AV’s effectiveness is heavily weighted towards the past. The longer a threat has been around, the better AV products are at detecting it. Conversely, the newer a threat, the worse AV products are at protecting you. Some studies show that AV is only about 20% effective against new threats. My advice is to think of AV as a safety net, not a shield.

If you can’t rely on AV to protect you, what can you rely on? Ultimately, you need to rely on yourself. You need to be alert, aware, and you need to practice good security hygiene.

Malicious software can’t teleport onto your computer; it must get in there through some mechanism. Broadly speaking, there are two ways malware gets in, and you need to defend against both.

The first mechanism malicious software uses to get in is the digital equivalent of breaking and entering.

All software is written by humans, and all humans make mistakes, so all software has bugs in it. Newer software tends to be buggier than software that has been actively maintained for a few years, but bugs are still being found in code that dates back to the 1980s, so all software has bugs. Many of these bugs are just annoyances that cause apps to crash or do unexpected things, but some create cracks in the software’s defenses that can be exploited by malware to break into your computer.

There is a constant cat-and-mouse game being played out between people trying to find bugs and people trying to fix them. Some of the techies searching for bugs are good guys, so-called security researchers, and some are criminals. As bugs are found, they are fixed, and security updates are released to users.

The more out of date your software is, the more un-patched cracks there are in the software on your computer, and hence, the more vulnerable you are. The single most important security habit to develop is applying updates as soon as they come out. Updates to your operating system are probably the most important, but they are very closely followed by updates to all apps that touch the Internet: web browsers, email clients, chat clients, and browser plugins like Flash and Silverlight. Adobe Flash in particular is being very heavily attacked these days. But all out of date software is a liability, so update, update, update! And backup, backup, backup (a topic for a future article).

The digital equivalent of breaking and entering is one way malware gets in, and the other way is through trickery.

There is a saying in security circles that the easiest way to find out someone’s password is to ask them for it. Similarly, the easiest way to get your malicious software onto people’s computers is to ask them to install it for you.

Your only defense here is suspicion. If something looks too good to be true, it almost certainly is. If a website offers you something you didn’t go there to get, you don’t want it! Random sites offering you Flash updates or new video codecs are almost certainly trying to trick you into installing malware.

Be suspicious of all email. The email protocols are very old, and they date from a more innocent age when only idealistic engineers and grad students used the Internet. There is no authentication of the sender, so with a very small amount of know-how, anyone can send an email that looks like it came from anyone else. The way I like to think about email is as digital postcards: assume everything you write can be read by anyone, and know that the return address is meaningless, because anyone can put whatever they want in the From field.

If you get an email message that looks like it’s from your bank, warning you that something serious requires immediate action or something terrible will happen, it probably isn’t from your bank. For your own peace of mind, my advice is to phone them and ask whether the email was real. Remember, don’t use a phone number from the email. Use one you have on file, from the top of a bank statement, or from the back of your ATM or credit card. When you do this your bank will most probably tell you the email is a scam, because most banks have a policy of not using email for important communications. Why? Because they know email is utterly insecure. For the same reason, government agencies also avoid using email for important communication. The tax man will send you a letter, not an email!

From time to time you will receive email messages from websites you have accounts with informing you of a hack, and requesting that you change your password. Some of these are genuine, but many are not. Don’t click on links in the email; browse to the relevant website by entering the URL in your browser manually, and look for a notice confirming what the email says. If the site really did have a problem, and really does want you to reset your password, they usually have a notice on the site itself with instructions for users to follow.
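The two warning signs described above, a From field that says one thing while the message actually came from somewhere else, and a link whose visible text points at one site while its real target is another, can be checked mechanically. The following is an added example, not code from the original post: it uses Python’s standard `email` module to compare the From domain with the envelope sender recorded in the Return-Path header, and to compare the text of each link with where it really points. The two messages it runs on are constructed for the demo, and the `registrable_label` helper is a deliberately crude stand-in for a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real email): the From header claims a bank,
# but the envelope sender and the link target both point elsewhere.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mail-campaign.example.net>
From: "Example Bank Security" <security@examplebank.example>
To: customer@example.org
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account requires immediate action.</p>
<p><a href="http://examplebank.example.login-verify.example.net/reset">
https://www.examplebank.example/security</a></p>
</body></html>
"""

# Constructed sample of a message with nothing to flag: sender and
# envelope agree, and the link says where it goes.
CLEAN_MESSAGE = """\
Return-Path: <notices@examplebank.example>
From: "Example Bank" <notices@examplebank.example>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at <a href="https://www.examplebank.example/">https://www.examplebank.example/</a></p></body></html>
"""


def domain_of(address):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def registrable_label(host):
    # Crude approximation (assumption for the demo): treat the last two
    # labels as the "owning" domain. Real code should use a public-suffix list.
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def check_links(html):
    """Flag anchors whose visible text is a URL on a different site than the href."""
    warnings = []
    anchor = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
    for href, text in anchor.findall(html):
        text = text.strip()
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        target = urlparse(href).hostname or ""
        if shown and registrable_label(shown) != registrable_label(target):
            warnings.append(f"link text shows {shown} but points to {target}")
    return warnings


def analyse(raw_message):
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    warnings = []
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    # The From header is whatever the sender typed; Return-Path records the
    # envelope sender the receiving server actually saw.
    if envelope_domain and registrable_label(envelope_domain) != registrable_label(from_domain):
        warnings.append(f"From claims {from_domain} but envelope sender is {envelope_domain}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    warnings.extend(check_links(body))
    return warnings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", analyse(raw) or ["no warnings"])
```

Neither check proves a message is a scam, and a matching Return-Path proves nothing either, since the envelope sender is just as easy to set as the From field; the checks are cheap hints that a message deserves the phone call described above rather than a click.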

There are other basic things you can do to protect yourself, and I’ll cover those in future articles, but they are all less important than these three cardinal rules – update update update, backup backup backup, and always be suspicious.

3 thoughts on “Secure Better, Not Harder – Part One – Anti-Virus?”

  1. Hi Bart

    All very very true. Many years ago my driving instructor told me to “drive like everyone else on the road is an idiot or deliberately out to kill you” – a little extreme perhaps but in this context treat everything as insecure until you know better, and assume everything is a scam unless you can prove otherwise.

    As for the passwords thing – we are all constantly urged to use “hardened” passwords – but no lock is any good if you give the burglar the keys!

    Many/most people don’t really “get” passwords – but at the very worst use a good half dozen proper hardened ones (I like to use the literature trick, take a line you know from a poem, song, speech, whatever and turn for example “Tyger Tyger, burning bright, In the forests of the night;” into “TT,bb,Itfotn;” or even “TTbbItfotn”…) and at best use a good password manager – iCloud Keychain has made this a lot easier for everyone, and more featured ones such as 1Password are available for a fee.

    Always like your work… and glad to see you writing here.

  2. Hey Bart,

    Love your work on Let’s Talk Apple and the various other places I know you from.
    Great to have you writing on here for a bit… Keep up all the good work.

  3. Serenak – love your anecdote about your driving instructor – spot on!

    I cycle a lot, and I’ve found out the hard way that you have to assume every driver doesn’t see you, because many of them don’t 🙁

    Assuming all email is out to get you until you’re sure it’s not is definitely wise.

    Password hygiene is the next thing I plan to tackle in this series – wish me luck, because it’s a hard topic to communicate well!

    Simon – thanks!
