Corzine IT Consulting - For your Information Technology Needs

General Security Comments

Most security specialists consider your backup and recovery plan as part of your security plan. I've put that in a separate page. Please read it.

A caveat is appropriate here. I'm a generalist, ready to consider any challenge a client brings to me. However, there are times when you want a specialist. For example, I would not advise a law firm that does Mergers and Acquisitions about IT security. They need a specialist because their records are extremely sensitive. The point is, if you have serious security needs, find a true security expert, and be ready to pay for it. It is good insurance.

But everyone needs to pay attention to security. I've rebuilt more than one system (format and reinstall everything) because of spyware, viruses, and the like. It often takes too much time to try to expunge everything that shouldn't be there. The point is this--avoiding these problems is much less expensive in time and money than correcting them. And, obviously, none of us want to compromise our financial information, esp. if we do on-line banking (I don't, but I'm a belt and suspenders guy where my money is concerned).

I take security seriously, so I recommend to my clients what I do and use myself.

Steps I take

I often recommend these points and sometimes do the setup for clients who are having problems with spyware/adware. Nothing is perfect, but this seems to be sufficient.

Passwords

If you are anything like me, you are swimming in passwords. You really should be thoughtful about them as they are the primary method of security for the on-line world. I'm not going to lecture you about them. Better I should offer some practical advice.

Some passwords I have to look up every time I need to use them, because it is infrequent. There are passwords that I use multiple times in a day, still I've found I could forget them over a vacation. Thus, I long ago gave up and kept a written record of my passwords.

Time was when all my passwords could be written on a small piece of paper (about the size of a credit card). I had one that I carried in my wallet with my credit cards. Simple enough and much better security than something posted on my computer monitor. When necessary, I'd rewrite the list and destroy the old one. If that works for you, I recommend it.

But today I have so many userids and passwords that the list runs to four pages. I've found it unnecessary to carry a printed copy of the list, so I keep the list in a file on my computer and on a jump drive that I keep with me. The problem with printing it is this--where to keep the printout? Well, what do you keep with you and look after (rarely out of sight)? Wallet, purse, day-timer, notebook... Or, if you use a PDA, you might put a copy there. Whatever you decide, consider the risk of losing the purse/PDA and someone finding the list and using it. Are you comfortable taking that risk? It could mean going back and changing all your important passwords if the list is lost.

And the file, how to secure it? Well, one way is to give it a completely unlikely name and subdirectory location. Even better is to encrypt it. It really depends on the environment your computer lives in and how backups are taken and stored. Can you trust the IT person who services your machine? Encryption is a very good idea if you are security conscious and have important accounts to protect. Just don't lose (forget) the encryption password (which is easy to do); that would be a disaster to recover from.

And there is the question of what to use for a password. Most of us who have been taking this seriously have learned to divide our accounts into ones requiring either a 'weak' or a 'strong' password. I find that most of the accounts that I have set up with a password don't worry me. I don't really care if someone gets into one of them. There is no great loss potential. So I use my 'weak' password, or some variant of it that gets past their rules. But, some of my accounts, I really do want protected. These get a 'strong' password.

A password that you can pronounce is easier to remember than one you can't. But using real words or names is really not adequate security for a 'strong' password. What I recommend to people is to make a couple of pseudo words. Grab a book, thumb to a page and put your finger down randomly on the page. Extract a single syllable from a nearby word. Choose a syllable that is not a word by itself. Repeat this procedure a couple of times and stick the syllables together with a single numeric digit between them. Now you have an easily remembered password that is reasonably strong. Actually I have two such passwords and I mix and match syllables from them, moving digits around. 
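The syllable-and-digit recipe above can be written down as a small program, which also lets you put a number on how big the resulting search space is compared with a single dictionary word. This is an added example, not code from the page or from Corzine IT Consulting; the syllable list is constructed for illustration (it stands in for syllables pulled from random pages of a book), and the function names are my own.

```python
import math
import re
import secrets

# Constructed pool of pronounceable fragments that are not words by themselves.
# In the manual recipe these come from random words in a book; here they are
# a fixed list so the example runs offline.
SYLLABLES = [
    "plun", "tresk", "vorm", "quil", "dras", "mibe", "stol", "frent",
    "gavu", "lorp", "nisk", "tarb", "zemo", "cruv", "hesp", "jorn",
    "kelt", "pral", "smud", "wexi", "blor", "chand", "durk", "fleb",
    "grust", "hilm", "jask", "klop", "mard", "nolt", "spir", "tuvo",
]
DIGITS = "0123456789"


def make_password(n_syllables=3, syllables=SYLLABLES, choose=secrets.choice):
    """Join n_syllables random fragments with a single random digit between each.

    `choose` defaults to secrets.choice (a CSPRNG); it is a parameter only so
    the construction can be exercised deterministically.
    """
    if n_syllables < 1:
        raise ValueError("need at least one syllable")
    parts = []
    for i in range(n_syllables):
        parts.append(choose(syllables))
        if i < n_syllables - 1:        # digit only *between* syllables
            parts.append(choose(DIGITS))
    return "".join(parts)


def matches_recipe(password):
    """True if the string is letters-digit-letters-...-letters with single digits."""
    return re.fullmatch(r"[a-z]+(?:[0-9][a-z]+)+", password) is not None


def search_space_bits(n_syllables, pool_size, digits=len(DIGITS)):
    """Bits of entropy an attacker must search if they know the recipe exactly.

    pool_size ** n_syllables choices for the fragments, times
    digits ** (n_syllables - 1) choices for the separators.
    """
    return n_syllables * math.log2(pool_size) + (n_syllables - 1) * math.log2(digits)


if __name__ == "__main__":
    pw = make_password()
    print("sample password:", pw, "(fits recipe:", matches_recipe(pw), ")")
    # Compare the recipe with a single word drawn from a 100,000-word dictionary.
    print("one dictionary word:   %.1f bits" % search_space_bits(1, 100_000))
    print("3 syllables from a %d-entry pool: %.1f bits"
          % (len(SYLLABLES), search_space_bits(3, len(SYLLABLES))))
    print("3 syllables from a 5,000-syllable pool: %.1f bits"
          % search_space_bits(3, 5_000))
```

The entropy figures assume the attacker knows the recipe and the pool; with the small constructed list the result is modest, which is exactly why the text tells you to pull syllables from a whole book rather than from a short list you reuse.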

Practical advice for practical people. True security experts probably won't tell you how they manage their passwords. It makes me nervous to post my approach. But, people have to live in the e-world and my job is to help them do it.

A final note about passwords. A friend died recently. No one knew how to get into her files and accounts. Think about it.

Security Software

Every user of a PC running some version of Microsoft Windows must have security software. I won't rely on Microsoft's products in this area. There is at least one free Anti-Virus product you can download, but I don't use it. I pay for a good, commercial product. Dealing with the threats is a big job that requires heavy continuous engineering work and we should expect to pay for it if we want something that will really provide protection.

There are many commercial products. I've used most of them at one time or another. The big names in this field are Norton from Symantec and McAfee. These, in particular, are very large packages that seem to slow the computer significantly. Yes, they work to protect you from all risks, but like any effort to heavily insure against risk, it comes at a substantial cost. I now use NOD32 exclusively. It isn't widely known in the U.S., and that is an advantage. You see, the malware programmers often incorporate defenses against AV products, but mostly focus on the big name products. Anyway, I consider NOD32 to be a superior AV product.

Even though I use a router and that gives me some firewall functionality, I like to run with a software firewall. But software firewalls can be very difficult to configure properly. Most I've worked with are frustrating at best. The exception is the firewall in ESET Smart Security, which also provides the excellent NOD32 AV. Usually if you are trying to do something out of the ordinary, you need only put it into Advanced mode and set the firewall to Interactive Filtering mode. Then it can create the rules needed to permit what you want to do. It is really much easier than anything else I've used.

I used to use various products against adware and spyware. But I don't seem to need them with ESET since I set it to block "potentially unwanted programs" at install time, which turns on their spyware protection. Anyway, such programs can conflict with ESET.

The only downside of ESET is their distribution in the U.S. The only retailer, I believe, is Micro Center. Now I love Micro Center. It's a candy store for me, but there aren't many stores, and it can take most of an hour to drive to the closest one from my office. You can, of course, buy and download it on-line. That's all fine and good if your system isn't terribly infected. Anyway, I stock a few copies that I can resell to customers who need it. This beats an emergency run to pick up a copy. More often, I just buy it on-line with the customer and download it.

I should note that some Internet Service Providers include a licensed copy of one of the major security products as part of the service. Locally, Comcast does (based on McAfee), but Verizon doesn't. I think the ESET package is better and worth the $40 /year, but that's just a personal opinion.

Where to go to learn about Security

A good place to start is the Microsoft web site. SANS is a reputable source of the latest information. And there are many others.

I generally don't provide links to other sites. Mostly it's that I'm too busy to spend time obtaining permission, which I'm supposed to do. Most sites can be found just as quickly with a good search engine (I like Google).

Call Corzine IT Consulting at 1-781-690-0992