Tips for staying secure

Latest post 06-08-2009 12:50 PM by shipley.c. 11 replies.

Tips for staying secure

04-10-2009 1:33 PM

What tips do you have to stay secure on the Internet?  Here are some of mine:

  • Don't open email attachments unless you're expecting them.  I do not open "funny" attachments or videos or PowerPoint files.  I will sometimes follow links to sites like YouTube, though.
  • Don't follow links in email from people you don't know.  Be suspicious of links from people you do know (their system could be compromised and sending out attacks without their knowledge).
  • Use [ Firefox in Windows ] for most of your web browsing.  It's the most secure combination I know of.
  • Don't run scripts or cookies on sites you don't know or trust.  The easiest way I know how to do this is to use a [ Firefox plugin called NoScript ].
  • Get a copy of [ Secunia's PSI - Personal Software Inspector ].  This will keep you up to date on when vulnerabilities in many applications are found and whether or not you've updated.  Like vulnerabilities in Adobe Reader that will allow malicious software to take control of your computer from simply viewing a PDF file.  Secunia PSI also provides links to download the latest updates for the software in question.
  • Use an AntiVirus program.  If you qualify for free AntiVirus use (subject to the terms and conditions for each vendor, read carefully), try these:  [ Avast ] or [ AVG Free ].
  • Make sure [ Windows Firewall is enabled ].  Don't allow exceptions unless you have to.
  • Change your [ DNS settings to OpenDNS ].

What do you do to stay secure?

Re: Tips for staying secure

04-10-2009 1:37 PM

Let's not forget Windows Update!  Turn on Automatic Updates and let the system install these.  If you pick a time to install, say 3:00 am (the default) and you don't leave your computer on, then these won't install.  They will wait for you to initiate the installation.  There is a little yellow shield icon in the system tray (by the clock) that will appear when updates are ready.  Also, this won't work if you're running as a limited user instead of an administrator.  You must eventually log in as an administrator user in order to install Windows Updates.

Re: Tips for staying secure

04-10-2009 2:28 PM

If you don't use OpenDNS as Chris suggested, install a local hosts file to block many of the bad sites, advertising and invasive analytics.

http://www.mvps.org/winhelp2002/hosts.htm is the host file I use.

Dave
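
Added example (not part of the post above and not code from the MVPS project): a downloaded hosts file is trusted input, so before installing one it is worth confirming that every entry maps a name to a sink address (loopback or 0.0.0.0) rather than redirecting it to a real host. The sample entries and the `audit_hosts` helper are constructed for illustration.

```python
import ipaddress

# Names that normally map to loopback in any hosts file; not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample for illustration; NOT taken from the MVPS hosts file.
# 203.0.113.7 is a documentation-only address (RFC 5737).
SAMPLE_HOSTS = """\
# blocklist excerpt (constructed)
127.0.0.1    localhost
0.0.0.0      ads.tracker.example
0.0.0.0      metrics.example      # analytics
127.0.0.1    popups.example banners.example
203.0.113.7  login.bank.example
not-an-ip    broken.example
"""

def audit_hosts(text):
    """Classify hosts-file entries.

    Returns (blocked, redirects, malformed):
      blocked   - names mapped to a sink address (loopback or 0.0.0.0/::)
      redirects - (line, address, name) entries pointing at a real address,
                  which re-route that name instead of blocking it
      malformed - (line, text) entries that could not be parsed
    """
    blocked, redirects, malformed = set(), [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, line))
            continue
        if len(fields) < 2:                   # address with no hostname
            malformed.append((lineno, line))
            continue
        is_sink = addr.is_loopback or addr.is_unspecified
        for name in (f.lower() for f in fields[1:]):
            if not is_sink:
                redirects.append((lineno, str(addr), name))
            elif name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked, redirects, malformed

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
```

Any entry reported under `redirects` or `malformed` deserves a manual look before the file is copied into place.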

Re: Tips for staying secure

05-11-2009 10:18 AM

I like your multi-faceted approach and I am happy to see that according to your list I am using some pretty good security practices.  And I am grateful to learn of a couple more.  I did not know about Secunia PSI or OpenDNS.

I will add one more item to the list of things to keep oneself secure because I have found that it has proven invaluable:  Avoid complacency and stay informed.

I say this because I notice sometimes that some people have a tendency to get comfortable and assume the steps taken to secure are adequate and they stop there.  Being a busy tech fosters this complacency.  However, with this ever-changing world, one day the security steps are adequate and another, they are not.  For example, there are a lot of comments about using one browser over another for good security.  However, all browsers have had serious security vulnerabilities at any given time.  In fact, I have not heard of any product (antivirus, antispyware, encryption, browsers) that has not had problems at one time or another.

I feel that staying on top of one's game by attempting to stay informed is a good Internet security practice.  I read a lot to stay abreast of emerging threats and use US CERT to try to stay informed of vulnerabilities.  I know from your posts that you also stay informed.

 

 

Re: Tips for staying secure

05-11-2009 4:36 PM

Hi Chris and all on this thread,

Just to reinforce this important point... no matter what operating system you use you should not access the 'net under a logon account with administrative privileges. This is probably the most basic protection of all.

Another tip is to always make sure you use [ strong ] passwords, especially on web sites requiring authentication and any local network services or devices you may have (e.g. a wireless access point).

Re: Tips for staying secure

05-12-2009 1:39 PM

Don, it's funny that you mention strong passwords.  In the past 2 days, I have found some funny things on my users' computers.  On one laptop, they had their password taped on a sticky note to the blank space below the keyboard and it was 111111.  Another user created an Excel spreadsheet, titled "passwords," of all their passwords to various medical websites, affiliate hospitals records systems, etc...  My point is that a strong password is only strong if the user is willing to protect it from others.  We have corrected the users' use of passwords and encourage them to not use sticky notes to remember them.

Re: Tips for staying secure

05-12-2009 2:25 PM

So do any of you plan to use tokens for your orgs? Or another way to phrase it may be, what is the security threshold, in terms of data protection or just ease of mind, that you would start considering eToken technologies? I think the actual hardware is fairly affordable now but not sure how complex the backend would need to be. I got an Aladdin eToken but have yet to play around with it.

Re: Tips for staying secure

05-12-2009 6:50 PM

The use of token securities varies - we use RSA tokens for VPN access to our network, however we do not use tokens for local PC access; although some orgs do. Most newer notebooks come with fingerprint readers and full drive encryption nowadays (BitLocker etc.) so we haven't seen a need for tokens at this level. I also envisage that VPN token use will decline as we move more towards Exch2K7 and expand the information services we provide over a secure web Outlook connection.

Re: Tips for staying secure

05-12-2009 6:53 PM

glamontagne:
On one laptop, they had their password taped on a sticky note to the blank space below the keyboard and it was 111111.

LOL - yep ... seen that before!

glamontagne:
My point is that a strong password is only strong if the user is willing to protect it from others.

Agree 1000% - Sometimes I think we spend a disproportionate amount of time helping people develop password 'best practices', however it is worth the effort in the long run.

 

Re: Tips for staying secure

05-13-2009 10:43 AM

I am thrilled at how this discussion is growing!  Great points made by all.  I keep up to date by reading the Heise Security News Feed (RSS is nice) and listening to the Security Now Podcast.

Take a look at IronKey and Yubikey as a 2nd factor for authentication.  RSA tokens have a monthly cost associated with them (I think), these have a one-time fee.

Re: Tips for staying secure

06-07-2009 5:30 PM

I find this to be a good plugin for Firefox:  http://noscript.net/.  Has anyone else tried it?  Basically no scripts can run without your consent.

I will also say that since I stopped using the computer as an admin I have had zero problems.  I think this is the best advice ever.

Re: Tips for staying secure

06-08-2009 12:50 PM

NoScript - yep bullet point #4 in the original post.  I love it.  :)

I run as an admin, but I don't let users on networks do so.  I've found that security has more to do with my behavior than my access level.  There are still exploits that can take over your machine and elevate their own rights by taking advantage of unpatched bugs.