Concerns about online security are widespread. No-one wants their logins and finances compromised. How to act on those concerns can be confusing.
How security pros and general users go about securing their devices is quite different. Users often rely on software such as AntiVirus. Security pros likely also use AV, but it’s not their first line of defense.
I’ll share what I consider to be good practice, and what has kept my own machines free from malware for well over two decades now.
- Patch religiously, fanatically
- Use a password safe and unique passwords
- Don’t pirate anything
- Be a little paranoid about attachments and links in email
- And sure, for defense in depth, run some AV. Chances are it’ll never find anything, though.
If you are only going to do a little, then patch and start using a password safe. That will give you the biggest bang for your effort.
Let me go into those in some more detail.
Patch religiously, fanatically
This is all about what we security geeks call “attack surface”. The fewer vulnerabilities your system has, the less likely it is to be compromised. The amount of machines that are compromised through known, long-discovered and long-patched vulnerabilities in, say, Adobe Flash, is truly staggering.
So patch religiously. Set everything you can to auto-update. That includes the OS itself, the browser, Java, Flash, Adobe Reader, and really any piece of software that can be updated.
A corollary to this is to reduce the amount of software you need to be on top of.
Not running any Java code? Uninstall Java.
Using a browser that contains its own version of Flash, such as Google Chrome or MS Edge or MS IE 11? Ditch the standalone Flash install.
The main vectors for compromise for a few years running have been Adobe Flash, Adobe Reader, and Oracle Java. Word and Excel get a (dis)honorable mention.
Use a password safe and unique passwords
Passwords are still with us, they’ll continue to be with us for a long time, and they are a terrible way to secure access to important stuff.
So, at the very least, make things easy on yourself and hard on attackers: Use a password safe. There are a number of options available, but if you don’t have very specific criteria, you can’t go far wrong with LastPass. It combines convenience with security.
Convenience is important: If using unique passwords becomes a chore, you likely won’t do it. LastPass will fill in passwords, log you in automatically, generate strong passwords for you and, if you want it to, even change passwords periodically for you.
For your “master password” for LastPass, one good idea is to choose a number of unrelated nouns. An example is “Correct Horse Battery Staple”. Just, for the love of security, do not use that actual example, because it’s a published example. Passwords only work if they are secret.
And then you can start assigning unique, strong passwords to all of your critical accounts. Eventually, all of your accounts. LastPass can help with that chore by running a check on your password database and telling you where you have duplicates and where you have weak passwords.
If you are going to run AntiVirus, there is a copy of LastPass bundled with Webroot, so that’s an option to cut down on the number of software packages you subscribe to.
Don’t pirate anything
What’s this, blogger Dad Mode? The thing about pirated content is that it often comes with something extra, that extra being malware. Once you invite malware into your system, all bets are off. The easiest way to avoid that vector of compromise is to just buy everything outright.
Adult video sites are also notorious for attempts at “drive-by” installs of malware, so browse with care.
Be a little paranoid about attachments and links in email
This is a tough one. Even security pros fall for so-called “spear phishing” attempts, emails with attachments that look legitimate and look like they come from a trusted source, but are actually carriers for malware.
That said, most of those kind of emails are pretty crude. If you’re being asked to “verify your account” or “enter your password here”, that won’t be a legitimate email. Unless you know you just initiated a password reset yourself and you expect that email. And that’s where it gets a little tough to distinguish between the two. So, be cautious. Check the sender address. When in doubt, manually browse to the site in question, don’t click on the link in the email.
For attachments, if it’s not from a trusted source and you don’t expect it, delete it. No, UPS doesn’t send you word documents. 🙂
Run some AV software
This is really dead-last. AntiVirus software will not detect a lot of malware, and this is meant only to give you one last chance to stop something if all the above defenses fail. If you are not patching religiously and using strong passwords, start there, not here.
I do run AV, as a last-ditch defense if everything else fails, and in the past two decades, my AV hasn’t picked up anything but emails I didn’t act on. I could arguably run without AV and be fine. But then I’d always be wondering whether something slipped through my defenses, after all, so out of an abundance of caution, I pay a subscription for “Medicine”.
Traditional signature-based AntiVirus software can catch maybe 18% of what’s out there, on a good day. So that’s pretty useless. Happily, the industry is evolving.
The best option for a home user – and I say this because as far as I know, it’s the only option for a home user that has modern detection mechanisms – is Webroot, as of November 2016. It happens to come with a copy of Lastpass, reskinned as Webroot Password Manager, so that’s a big plus. Webroot does not do signature-based detection, instead it’s using behavior analysis.
There are other “Next Generation AV” products out there, but nothing else that fits the budget and needs of a home user as far as I am aware.
If you want to add a little bit more protection, then Malwarebytes Anti-Exploit Free is a good choice to protect browsers and Adobe Reader. To get it free, just download the trial and wait for the trial period to expire, then switch it to free mode.
And if you absolutely want more “medicine” and don’t mind paying for it, the full Malwarebytes package is a good choice. I’m running it, but honestly, I wouldn’t install it on my mom’s PC. That’s arguably overkill when patching, secure password use, Webroot, and Anti-Exploit Free are already in place.