Some General Security Advice
for Internet Users
Friday, 6 August 1999

The degree to which you take security seriously and invest in it should be proportional to the value and sensitivity of your system and its data.

Here's what I recommend for the average Netizen to protect him/herself from Internet security threats in general:

  1. Knowledge. You need knowledge. Knowledge of what the threats are and what mechanisms they use to cause you trouble. Seek out information, because there is no single comprehensive security solution in software form. No single program, nor even a combination of them, exists that confers foolproof security, nor even an approximation thereof. There are too many threats of too many kinds and a clueless user can inflict every one of them upon himself regardless of any security software. But a savvy user with a few basic tools and precautions can be very secure. Forget ever achieving total security. There is no such thing. Remember that and don't stop learning.
  2. Obtain a good antivirus scanner which scores well in independent reviews, keep it religiously up to date, and use it. Scan everything you download, every new disk you insert. If your scanner fails you, or if you learn it's inferior, get a better one.
  3. Get information. Make a point of keeping up to date on security issues. Visit security sites on occasion.
  4. Never run software downloads or email attachments from an untrusted source. "A friend" is NOT a trusted source. Your friends may be unaware of security issues; they may be duped by a slick deception. They may be mischievous, sometimes even malicious. Run only programs you have good reason to trust and from a known source. Once you fire up a process, your system is in the hands of whoever wrote it. Would you invite just anyone to drive your car? Neither should you let just anyone run your computer.
  5. Keep yourself informed about security issues relating to your particular software, such as your office applications, your browser, and particularly any applications that exchange data on the Net. Know the threats and what's at risk.
  6. Become familiar with basic tools you already possess on your system which inform you about the state of your system and your network connections. My page provides a good overview of several of them for Win9x users. Learn, and use them to keep tabs on your system. Used intelligently, these tools provide the means to root out every remote-access trojan I have ever seen.
  7. Update your system software as updates become available. Upgrades which apply to networking in particular, such as the Winsock and Dial-Up Networking upgrades for Win95, often address major security issues.
  8. Threat-specific countermeasures are everywhere. They've proliferated with the remote-access trojan trend which started in early 1998. Most of them are a waste of time for the average user if the above points are already in practice. A few of them are trojans in disguise, so be cautious. But they can be useful and in some circumstances quite practical. Try to assess the threats realistically, and DON'T be stampeded into buying anything that promises the myth of total protection. Most of the best countermeasures are free or very inexpensive.
  9. Firewalls and related measures such as the use of a proxy can be very effective. But they do little to help a careless or clueless user, and stand-alone desktops like those in most homes gain very limited benefit from such tools. If you have a home or business LAN, or use a cable modem, and if it is priced within reason for your security needs, a firewall becomes a good idea. Find one that gets good independent reviews and makes rational promises (run screaming from promises of total security); and learn to use it well.

It all really comes down to basic tools and policies, and above all knowledge. Your own security is your job, no one else's; and no program will do it for you. Unfortunately, it's a tough Net. It's like a city. There are nice neighborhoods and bad ones. Nice people and bad ones. Especially if you're surfing the seamier side, you'd better know how to watch your wallet and your back. Even if you frequent only the nicer neighborhoods, you run less risk but could still become a target and a victim (yes, you) if you're not alert to potential threats and don't know what is possible.

The degree to which you take security seriously and invest in it should be proportional to the value and sensitivity of your system and its data.

If you have no sensitive data on your Net-connected computer; if re-installing its entire operating system is trivial for you -- then expending vast effort on security precautions is pointless. Incidentally, having a stand-alone who-cares system just for Internet use is one really excellent approach to security.

But if you're like most people, your privacy and more are at stake. You probably have very personal communications, exploitable financial information, data which is valuable or irreplaceable, and a good deal of personal effort invested in your system, and it's probably the only one you have. You probably depend on it for important work or communications; and reconstructing a destroyed system would be a significant problem or expense. You need to attend to security matters to some rational degree.