Many agree that Windows computers need to be protected with a strategy called defense in depth. This is not just for fighting off viruses. Clearly, network security and Internet Explorer also need defense in depth. When Internet Explorer was recently hacked in a public contest, Microsoft responded that "...defense in depth techniques aren't designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability."
Deb Shinder, a Windows expert and former law enforcement officer, put it in perspective recently:
"Think about your physical security. You might have a high fence, a big dog, deadbolts on the doors and a security alarm system, but if a burglar is absolutely determined and has enough time he can climb the fence, shoot the dog, disable the alarm and break a window to get in. Unless you live in a fortress (and even then), your security is not fool-proof. But all those mechanisms do slow him down ... So unless he's motivated to specifically target your house because he knows you have $1 million in cash hidden under the mattress, he'll probably go elsewhere, where the pickings are easier."
To me, the term "defense in depth" means I have to do a lot of work. But what work? What steps offer the biggest bang for the buck?
1. To me, the most important thing you can do to protect your computer is to be skeptical. Start with the assumption that you are being lied to. No software can protect someone who lets the bad guys continually scam them.
For example, that email message may not have come from the visible FROM address. Even if it did, the sender's email account may have been broken into and the message could be from a scammer. Same for instant messages.
Many tricks can be played with links to make them appear to go one place when they actually go somewhere else, and that was before link shorteners made hiding the true destination even easier. You probably don't need to install a new codec to see that enticing video. Your computer is probably not infected with 314 viruses. Even notices about updating software to install the latest patch may not be legit.
2. Software-wise, techies are always advising to keep up to date on patches for your installed software. What doesn't get said often enough is that this is an all but impossible task for Windows users. Thomas Kristensen of security company Secunia reported recently "that in order for the typical home user to stay fully patched, an average of 75 patches from 22 different vendors need to be installed [every year]..." Seventy-five patches per year seems low to me.
Without a standard pipeline through which all these companies can funnel patches, Windows users are forced to deal with many different and inconsistent patch delivery systems. It's a brutal mess, and one not likely to have a good solution for a very long time.
Secunia offers three patch-related products. To me, the best bang for the buck is offered by their free Online Software Inspector. I wrote about this in depth recently (Check (All) Your Windows Patches: Secunia). Their other products check more software, but the online service checks the most popular applications, offers a very simple and easy-to-read report and includes links to the latest software updates.
3. There is surprising resistance to my third suggestion, but it's a great way to protect yourself when keeping up to date on bug fixes is impossible: run as a limited (Windows XP term) or standard (Windows 7 term) user. I've been doing this for a while now on both Windows XP and 7. There is a small annoyance factor, but compared to the extra safety it offers, the tradeoff seems well worth it. The annoyance factor is higher in Windows XP. Much more thought seems to have gone into this in Windows 7.
Here's my approach. Suppose my current Windows userid is "Michael" and it is an Administrator. First, I create another Windows user called "MichaelAdmin" with the same password as user "Michael". Then I log off user "Michael", log on to user "MichaelAdmin" and drop user "Michael" down to a limited/standard user. From here on in, I continue to use user "Michael", only logging on as "MichaelAdmin" when necessary to install software or otherwise update the system.
Windows 7 is pretty good about prompting standard user "Michael" for the password to user "MichaelAdmin" when necessary. Hardly ever do I have to actually log on as "MichaelAdmin". Windows XP often requires limited user "Michael" to switch to user "MichaelAdmin", but at least it's a switch; user "Michael" can remain logged in.
On a new computer, I would start out with users "MichaelRestricted" and "MichaelAdmin".
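The account split described above, scripted as an added example (this is not the author's script; it uses the post's account names and the standard `net user` / `net localgroup` commands, run from an elevated PowerShell prompt on Windows 7 while logged on as "Michael"). The one thing it adds to the steps in the text is a check that the new admin account really is in Administrators before the daily account is demoted, so you cannot lock yourself out of the machine.

```powershell
# Added example, not the author's own script. Account names follow the post;
# the password is entered interactively, never stored in the script.
$Admin = "MichaelAdmin"   # new administrator account
$Daily = "Michael"        # existing account to be demoted to a standard user

# 1. Create the admin account. "net user NAME * /add" prompts for the password
#    twice, which lets you type the same password "Michael" already uses.
net user $Admin * /add
net localgroup Administrators $Admin /add

# 2. Safety check before demoting anything: "net localgroup Administrators"
#    prints one member per line, so refuse to continue unless the new account
#    is actually listed there. Otherwise the PC could be left with no admin.
$admins = net localgroup Administrators
if (-not ($admins -contains $Admin)) {
    Write-Error "$Admin is not a member of Administrators; not demoting $Daily."
    exit 1
}

# 3. Demote the daily account: take it out of Administrators and make sure it
#    is in Users, the group that makes it a standard user on Windows 7.
net localgroup Administrators $Daily /delete
net localgroup Users $Daily /add

# 4. Show the final membership; "Michael" should no longer appear here.
net localgroup Administrators
```

After this, log off and back on as "Michael"; installs and system changes will prompt for the "MichaelAdmin" password as the text describes.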
4. Windows users should avoid Internet Explorer. You can't delete it, but you can ignore it. IE suffers both from having a target painted on its back, because it's so popular, and from Microsoft's being slow, in general, to issue patches. Plus, it has its fair share of bugs and design flaws. I run Internet Explorer once a month on my XP machine, just for Windows Update. Independent security expert Steve Gibson does this too.
Firefox is my preferred browser, but I also use Chrome. In both cases, I opt for portable versions from portableapps.com. A normally installed copy of Firefox cannot be updated by a limited/standard Windows user, but the portable version can.
5. Adobe Reader is also best avoided. Like Internet Explorer, Adobe Reader is extremely popular, so bad guys focus on it. Like Microsoft, Adobe is slow in issuing bug fixes. At least Microsoft issues IE patches monthly; Adobe thinks that every three months is a good idea. You are safer using software that is updated when bugs are found, not when corporate needs dictate.
Among alternatives, the Foxit PDF Reader is probably the most popular. I also like the free and portable Sumatra PDF Reader because it seems to be a low-end product. Fewer features means fewer bugs and a smaller attack surface. Plus, by being relatively unpopular, bad guys have no reason to exploit any bugs the Sumatra Reader may have.
Malicious PDFs are very common. If someone sends you a PDF, stranger or not, you are much safer opening it with the Sumatra PDF Reader than with the Adobe Reader.