Just how dangerous is it out there? Here's what you need to know:
- No computing environment is immune. Every platform can be exploited by an attacker. This month's Mac OS X v10.6.5 and Security Update 2010-007 included well over 100 fixes to critical security vulnerabilities, many of which could lead to arbitrary code execution. These are exactly the same types of vulnerabilities that Windows malware writers take advantage of. Fortunately for Mac (and Linux) users, their worldwide market share is small enough that malware writers simply haven't bothered with them. If you use OS X on a Mac, I don't think you need to install security software, but that recommendation could change someday if Apple's platform continues to grow in popularity and attracts enough attention from bad guys.
- Good behavior alone is not enough to protect you from attacks. Visiting porn sites and downloading pirated software puts you at a much higher risk of infection, but even legitimate web sites can be compromised, and seemingly innocent results in a search engine can lead to hostile sites.
- Antivirus software is one layer among several. Depending on the type of threat, it can be very helpful, even if you consider yourself an expert PC user. But it is not a magic bullet, and it is no replacement for a well-rounded approach to security.
- No antivirus software is perfect. It is literally impossible for any security product to identify every possible threat, especially when malware writers are constantly updating their products to avoid detection. Most of the leading antivirus programs can identify and block the overwhelming majority of threats you're likely to encounter online. The fact that they can't reach 100% protection is why security software is only one part of a layered security strategy.
- Many types of malware are installed voluntarily. Among the most common threats are Trojans, which spread via social engineering. The job of a malware writer is to convince you to run his innocent-sounding program, which secretly does something other than its stated purpose. It might claim to be a new video playback plugin but actually turns out to be a program that hides on your PC and steals passwords or sends spam. Social engineering explains how an entire class of malicious fake antivirus programs made it onto the top 10 malware list for the first half of this year.
- Malware writers make their living exploiting unpatched systems. One of the top 10 threats found and removed from Windows PCs in the first half of this year was Win32/Conficker. The vulnerability that Conficker exploits was blocked by a Microsoft patch released in October 2008. In fact, that's true of most of the top PC malware variants found in the wild. Four of the entries on the top 10 list for 2010 are based on vulnerabilities that were identified and patched in 2007 or 2008, and none of the others could have been installed without explicit user interaction on a fully updated copy of Windows.
- It's not just Windows that needs patching. Some of the most effective malware vectors these days are coming through vulnerabilities in products like Adobe Flash and Reader, in the Java runtime, and in Microsoft Office. In most cases, the vulnerabilities were patched quickly by the software maker, but if you didn't apply that update, you remain vulnerable. Ironically, most of these exploited programs are cross-platform; in theory, malware authors can add code to their PDF or Java exploits that target Macs or Linux PCs. So far, they haven't done that.
- Attacks via zero-day exploits are rare. Zero-day exploits get a lot of publicity, but they rarely have a widespread impact. The worst variants of these attacks are the ones aimed at specific companies, like the targeted wave of attacks against Adobe, Google, and other high-profile companies in early 2010. And even those only succeeded because they exploited unpatched systems using an outdated browser.
- Use a modern operating system. Sorry, folks—Windows XP simply isn't secure enough for ordinary people to use today. It was designed more than 10 years ago, and it lacks many of the core architectural changes that make later Windows versions more resistant to attacks. Address Space Layout Randomization and Data Execution Prevention are core features that block some classes of exploits completely. File and registry virtualization (a key part of the much-maligned and misunderstood User Account Control feature) prevents hostile programs from writing to system folders. Removable drive exploits, which have represented a very common vector for spreading malware recently, do not affect Windows 7 or Windows 8.
- Keep your OS up to date and backed up. Turn on Windows Update and make sure it's running properly. That single step will protect you from virtually all widespread malware attacks these days. If you're worried about a buggy update hosing your system (highly unlikely, but theoretically possible), make sure you have a full image backup on hand. Every version of Windows 7 allows you to perform a full image backup to an external hard drive; if you schedule that operation for the day before Patch Tuesday every month (or better yet, for every Monday), you'll be able to recover from any kind of problem. Oh, and leave the Windows Firewall turned on unless you've replaced it with a third-party alternative.
- Keep applications updated, too. Adobe has greatly improved its updaters in the past year. If you're prompted to update to a new version of Flash or Reader, do it. Microsoft Office updates are delivered automatically through Microsoft Update; make sure that those are being installed as well. Remove unwanted programs that could represent a security threat. Many new PCs come with Java installed automatically. If you don't use it, remove it.
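The backup schedule described above, as an added PowerShell example (not code from the original post): it works out Patch Tuesday (the second Tuesday of the month) and the day before it, and registers the "every Monday" image backup using the wbadmin and schtasks tools that ship with Windows 7. The task name, the 22:00 start time and the E: backup drive are assumptions.

```powershell
# Added example, not part of the original post.
# Patch Tuesday is the second Tuesday of the month; the post suggests
# taking a full image backup the day before it, or every Monday.

function Get-PatchTuesday {
    param([int]$Year = (Get-Date).Year, [int]$Month = (Get-Date).Month)
    $first = New-Object DateTime $Year, $Month, 1
    # Days from the 1st to the first Tuesday, then one more week
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    return $first.AddDays($offset + 7)
}

function Get-ImageBackupDay {
    param([int]$Year = (Get-Date).Year, [int]$Month = (Get-Date).Month)
    # The day before Patch Tuesday, per the post's monthly option
    return (Get-PatchTuesday -Year $Year -Month $Month).AddDays(-1)
}

# Assumed layout: Windows on C:, external backup drive mounted as E:.
# -allCritical backs up every volume needed to restore the system.
$backupTarget = 'E:'
$backupCmd = "wbadmin start backup -backupTarget:$backupTarget -allCritical -quiet"

# Register the weekly Monday run (the post's "better yet" option).
# Runs as SYSTEM so no password is stored; create it from an elevated prompt.
schtasks /Create /TN "WeeklyImageBackup" /SC WEEKLY /D MON /ST 22:00 `
    /RU SYSTEM /TR $backupCmd /F

# Print this month's dates so you can confirm the backup lands before the patches.
"Patch Tuesday: {0:yyyy-MM-dd}" -f (Get-PatchTuesday)
"Backup by:     {0:yyyy-MM-dd}" -f (Get-ImageBackupDay)
```

The monthly "day before Patch Tuesday" date cannot be expressed directly as a schtasks recurrence, so the functions compute it for you to check; the weekly Monday task covers it automatically.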
- Be suspicious of any new software. As I noted on the previous page, malware authors count on tricking you into installing software that claims to do one thing but actually takes over your system, stealing passwords or adding your system to a worldwide botnet. If you're not sure a program is safe, don't install it.
- Set up standard (non-administrator) accounts for unsophisticated users. That category includes kids, parents, employees, and all of your non-geek friends and family members. With a standard account, a user needs to talk to you (and convince you to enter the administrator's password) before installing any new software. That conversation is an ideal opportunity to teach your family members and employees about the warning signs of potentially dangerous programs. (This is another good reason to upgrade from Windows XP, by the way, where running with a standard account is difficult because of badly written programs that require administrator rights; both Vista and Windows 7 do a better job of allowing those programs to run without compromising the integrity of the system.)
- Use a modern browser. If you're still using Windows XP and Internet Explorer 6, stop it. I think IE8 is a good alternative, especially when coupled with Protected Mode (a security feature in Windows Vista and Windows 7). If you prefer to avoid IE altogether, that's a great choice. As I continuously explain to all of my clients, there are several good reasons to prefer alternative browsers such as Firefox or Google Chrome to any version of Internet Explorer. For starters, both Mozilla and Google have generally been faster at releasing updates to security issues than Microsoft.
- Install an antivirus program and keep it up to date. There are plenty of effective programs in this category that can run with a minimum of chatter and will block the overwhelming majority of threats. I recommend ESET NOD32 Antivirus to every client.
*As an Inc. 5000 company, ESET has been pioneering the antivirus industry for 25 years. They have received awards from Information Security Magazine, SC Magazine, VMware, and countless other recognized names in the computer industry. IES is proud to be partnered with such a highly trusted and recognized company.