Installing Locks in the Global Village

(Securing Your Home or Small Business Network)


As I wrote this introduction, word of an e-mail virus was breaking in the news. As I sat to edit it, yet another virus had been found and was being fought. These viruses can take down major e-mail systems, disrupt communications, and destroy data. Worst of all, the viruses spread fast and easily through our networks, yet this is nothing new. Several e-mail viruses have surfaced prior to these, and many more are sure to follow. So how can they still be a threat? Why hasn’t someone done something to stop them? The main reason is easy to see: most people aren’t prepared to defend their computer systems from these attacks and aren’t aware of the types of threats waiting for them in the electronic frontiers of the Internet. In fact, most people are so unprepared that they don’t see any threat resulting from connecting their computers to the world.

For this reason, these virus attacks are successful. Many people connected to the Internet are not protecting themselves in any way from such threats; in fact, most are not protecting themselves at all. I don’t have statistics to back me up, but I’d guess that most home users and small businesses have no effective security on their Internet-exposed networks or computers. Because we all share the same network (the Internet), we each need to place some security around our part of it to provide some protection for our data. Otherwise, we are providing an opportunity for someone to come along and exploit our computers. With so many computers on the Net, you might be lucky enough to remain safe for months or even years without security because no one has looked your way yet. But this can work against you, too, by giving you a false sense of security when indeed you are compromised or under attack and you just don’t know it. Don’t be fooled into thinking that because you are one of many, you won’t be a victim. Probably every gazelle and water buffalo in Africa thinks that, too, but the lions still eat.

After hearing all of this, you might ask why not just move to the woods of the Rocky Mountains and hide? Or perhaps you should simply not connect to the Internet. Both of those are options, but I’m not trying to scare you away from the Internet and its great possibilities for information research, entertainment, and commerce. Rather, I mean to encourage you to use this tool wisely and securely. I hope to teach you the basics of information security so you can make decisions about the risks and benefits of doing or not doing certain things online and so you can do them as securely as possible. I don’t promise to make you an expert but to show you how to get your foot in the door and where to look for expert information.

Who Needs to Read This Book?

This book is primarily designed for home users and focuses on security issues that face these users. Home users aren’t the only ones who could benefit from this book, however. Small and medium-sized businesses with Internet connections could use this information, as well. The techniques discussed will transfer directly to such businesses, but the scale for a business is a bit larger. Additionally, anyone who wants to learn about information security and network security but doesn’t have a strong computer background can use this book as an entry point into the concepts and techniques of information security.

The content of the book ranges in nature from nontechnical examples through technical details that some readers might find hard or strange. That’s okay—not every reader will understand every item in this book. Because the book can help you put some basic security in place, some parts are rather technical. If you have to skip sections or come back later, that’s fine. My goal is to present the material in a technically accurate way while trying to make it understandable for nontechnical readers. That is a broad range to cover, and I’m sure some people will feel some areas are too technical or not technical enough. For readers who want more technical information, I’ve included links and resources that can cover nearly all topics in this book to a far greater depth. On the other hand, if you find something that is too technical for you, feel free to skip ahead a bit. As you become familiar with the topics and discussions, you can go back and read again later.

Although users of non-Windows operating systems such as Linux, Macintosh, or BeOS will find the conceptual parts of this book useful, the main focus is on the Windows family of operating systems most often found in homes and small businesses. Additionally, users seeking advanced technical discussions of security or in-depth scripting and coding analysis of tools will not find them in this book. Those areas of discussion are outside the scope of this book. I will, however, provide links and references to those subjects as appropriate throughout the text of the book.

Why the Homestead Example?

Every chapter starts with an example. I chose the homestead example for a variety of reasons. First, it is an easy analogy that captures security concepts simply and in a way that most people can relate to. By introducing the concepts without their technical aspects, I hope to make them easier to understand. Then, as the chapter progresses, I introduce the technology to you slowly, carrying the concepts from a familiar example into a potentially unfamiliar one. If you find that the example is not working for you, simply skip ahead a bit in each chapter. Concepts are introduced twice in each chapter, once in the example and once more in the technical sections. I would encourage you, though, to at least read the example and be familiar with it as the book progresses, so you can refer to it as needed.

Is the Example Important?

So really, why should you read the example? I hope because it is a good illustration of security concepts in a nontechnical setting. Even people who know computers reasonably well are usually not familiar with security issues, let alone trained in them. The example takes away any preconceived notions about technology and computers and lets you concentrate on the concepts. Then when the technology is reintroduced, I hope you will see the application of the concepts more easily. But keep a few things in mind as you progress through the example. First, it does not include any factual information about real places or village growth. If you are an anthropology or sociology person, please be forgiving about any assumptions or errors in those fields. The homestead is merely an illustrative tool for this book. Second, I have tried to make the sections about our homestead and village enjoyable reading, but they are there just to provide examples. Don’t worry if you don’t see the security issues right away in the example; the text of the chapter will help bring out the points I am making.

Introduction to the Homestead

To help put the security discussions in a context that most users can understand, I have used an analogy of a homestead to demonstrate certain points and introduce concepts in the book. The homestead was started by the Smith family and grew into a village over time. Using this example, I introduce each chapter’s security concepts in a noncomputer-related way so you can focus on the security points before grappling with the computer terms or concepts. Then I revisit each point to reinforce the learning and provide a computer-specific application to take you from concept to practice. And that brings us to the homestead itself.

On a small hill, near a river, was a fine patch of land with plenty of room for farming on the gentle slopes of the hill. The winters were not too harsh here nor the summers too dry. It was the perfect place for small animals and a small patch of grain and vegetables. And so they came. We’ll call them the Smiths: John, Katie, Jennifer, and Carl. They packed up everything they owned, spent nearly all their money on livestock and supplies, and headed out here for the chance at something better. “Owning our own home and farm has to be better than working on someone else’s,” they thought. They spent several days building a small log cabin—just enough space for the four of them—and a pen for the animals. The pen was as much to keep the animals in as to keep other things out, but—as John’s father always told him—it never hurts to have some protection. They then began clearing a plot of land for the garden. Soon things settled into a daily routine of farming and tending the livestock.

John Smith was no fool. He wasn’t expecting trouble, but he came prepared for it. He had heard of foxes that might try for the chickens, wolves that hunted sheep, and bears that might go after a cow or even the family. He kept his shotgun handy, cleaned it nightly, and reloaded it before going to bed. Out this far, a loss of an animal could make the difference between getting through the winter or not. As John drifted to sleep each night listening to the wolves howling in the distance, he wondered how many were even closer than the ones he could hear.

John and Katie Smith came to their new home knowing little about it. They had heard about foxes, wolves, and bears being around but had not seen any yet. The Smiths had built their new home and so far had been safe from intruding animals, but John and Katie were also cautious. Living this far from help and with winter coming on, they could not afford to lose an animal, have eggs stolen from the chickens by a weasel, or see their crops eaten by deer and elk. John built a fence around the property to help keep animals out and to show where the boundaries were. The loose-log fence was not the most effective at keeping out small animals, but it was good for the larger ones. John and his son Carl then built a stone wall around most of the close property, including the house, barn, and vegetable garden. This was a much better structure for keeping out the smaller animals. Katie and daughter Jennifer used this time to make winter clothing and blankets from the wool they sheared in the spring, and they built a small chicken coop near the house. The Smiths did have a lock on the door but not on the gates; locks weren’t needed this far out. John did, however, teach everyone in the family how to use the shotgun, just in case.

John checked the stone wall every day and rode the horse out to the wood fence at least once a week, watching for animal tracks or signs of something trying to get across the fence. Normally there was nothing, and he then went about the tasks of maintaining the crops and livestock. Some days he was even able to relax. Katie spent her days cooking and sewing the necessary items for the family to continue living out here. She tended the garden, fed the livestock, and kept the house clean. The children helped where they could. They drew water from the well and assisted their mom and dad with the other chores. They also played in the fields and woods around the house. It was a good summer.

One day, however, John found fox tracks near the stone fence. When he looked closer, he saw that the tracks came near the chicken coop, but he couldn’t see any way for the fox to get into the coop. John spent the rest of the day inspecting and repairing the chicken coop to prevent any small holes from giving the fox an entrance to it. The rest of the summer passed uneventfully, but John didn’t let his guard down. Many days he found deer tracks in the crops, and once he even found bear tracks just outside the wooden fence. Certainly there were many threats out here, but so far the Smiths’ preparations had paid off.

Is Your House Locked at Night?

Odds are you are reading this in your home or office, located in a town or village or maybe even a big city. The idea of a community isn’t strange to us. Many of us know our neighbors, wave to them as they walk their dog, and feel safe in our homes at night. Even so, you probably lock your doors when you go to sleep. Why? Do you need to do that if you’re safe and among friends? The truth is that most people are trustworthy and would never break into your home, but you know that not everyone is that nice. Some people, given the chance, will come in and take things from your home, or worse. You probably don’t think twice about locking your doors at night or when you plan to be away from home for any length of time. You might even have a fence or wall around your yard to keep people from getting in there. Most of us like our private spaces and will take some measures to protect them.

Why, then, do most of us connect to the Internet and not provide any protection for our computers? For a large number of us, our personal lives are becoming very closely tied to computers. By exposing your computer to the Internet, you are indeed living a life without locks or gates. On the surface, that sounds fine—maybe even a bit desirable. But let’s take a closer look at what that means.

How many of you have online banking or pay your bills online? How many of you use e-mail to talk about personal issues with friends and family? How many use software to file taxes or do other activities related to a home business? Leaving your computer unprotected with your personal and financial information on it is like carrying your medical records and checkbook to a park and spreading them out on the grass to review them. It might even be worse, because in the park you probably would notice if someone began to look over your shoulder. Most people, however, will never notice the person watching in the computer world. Providing security for your home computer is like locking your door at night or looking over your shoulder in the park. It isn’t all you need to do, but without it, you are an easy target.

What’s Important Here?

Before you go on, here are some suggestions for getting the most out of the chapters.

  1. The example is a good place to start in each chapter. Read the example through completely, and then read the rest of the chapter. You might even want to read the example once more after you read the chapter to see the concepts in action after getting them in the security context.

    Key Security Concepts

    Here is a quick list of security-related concepts used throughout the rest of the book, with brief explanations.

    Absolute security: The state where a system can be called secure regardless of what it is exposed to. This is largely thought to be an impossible state for any system that is useful and being used. Certainly it is impractical.

    Acceptable risk: The level of risk allowed or accepted by the owner of the item or data at risk.

    Access control: The process by which access to items is granted or denied to requestors.

    Authentication: Determining who a user is through a trusted mechanism.

    Crack: Using a hack to infiltrate computer systems that do not belong to the cracker.

    Cracker: Someone who is out to access your computer system without your permission; a cracker usually knows they are breaking into a system.

    Denial of service (DoS): Causing a condition where a computer system can no longer respond to valid network communications.

    Deny all, grant explicit: Security philosophy of denying all access to a system and then granting access only to specific things for specific reasons (opposite of Grant all, deny explicit).

    Encryption: Mathematically changing data so it can be read by the intended receiver but not read by anyone else.

    Grant all, deny explicit: Security philosophy of granting access to everything and then removing access rights from specific things that need to be controlled (opposite of Deny all, grant explicit).

    Hack: A clever or creative use of computer code to solve a problem.

    Hacker: Someone who uses computer code or security holes creatively and is out exploring for curiosity’s sake.

    Obfuscation: Hiding information or methods of accessing information so they are not obvious to the user or intruder.

    OSI model (Open Systems Interconnection model): Framework for computer system communication so everyone is working from the same basic model.

    Ports: Used in TCP/IP to allow different applications to communicate on a TCP/IP connection.

    Relative security: The idea that all security is a measure of risk and that security is never perfect but can be tight enough for the stated purpose.

    Security in depth: Using more than one layer of security to ensure that an exposure doesn’t occur even if one layer fails.

    Social engineering: Talking your way into a desired result. Also called a “con” or “grift.” (Discussed in greater detail in Chapter 8, “Defending Against Hackers.”)

    Unsolicited commercial e-mail (UCE) or “spam”: E-mail sent to you from someone you do not know, usually in an attempt to sell you something. Many UCE mailings have been traced to scams.

    TCP/IP (Transmission control protocol/Internet protocol): Dominant networking protocol used for the Internet and networking. A protocol is a set of rules that enable computers to speak to each other.

    User privilege: The list of actions and access that a user has on a given system.

    Virus: A self-replicating, stealthy computer program that performs some action (typically malicious) on your computer when it is run.

    Worm: A self-replicating program that moves through networked computers on its own, with little or no interaction from users. Not always malicious: some search engines use worms to crawl links and find pages for their search engines.

  2. This book was designed around teaching information security concepts and principles as well as applying those concepts to the Windows family of operating systems. If you use another operating system, I will assume you understand the differences well enough that you won’t be confused by them.

  3. Only apply what you feel you need. Security is a strange subject, because you can always have more. Some level of security will probably meet your needs without being all you could possibly do. After you read this book, I hope you won’t feel you need a full-blown firewall system and packet filtering router just to protect your kid’s game machine. Please read and understand Chapter 1, Assessing Risk, before jumping into securing your home system.

  4. Don’t be afraid to experiment, but make backups just in case. As with anything in computers, feel free to learn by doing. But I also encourage you to go through the steps slowly so you can assess the impacts of the changes on your system. Making regular backups of data is always highly recommended, but you should certainly make a backup before changing security settings on your system. I’ll tell you how to undo certain actions where appropriate, and I’ll let you know when you would not be able to undo something easily.

  5. A checklist appears at the end of most chapters. You can use these checklists to track any changes you make to your system and what the settings used to be. They also include some questions designed to help you understand the security needs of your system. I encourage you to use the checklists, but don’t feel obligated to do every step. Simply use the checklists as a way to track what you did and didn’t do.

Starting Out

Everyone who knows anything about security had to learn it somewhere. No one is born with this information. It is okay to have questions and to not understand a few things. Security is a complex field. I have tried wherever possible to make it easier for you and to provide examples to help clarify. Even so, you will probably find times through the course of this book when something will not make sense immediately. This is especially true if you are less familiar with the technology side of things.

So what should you do when you don’t understand? My first suggestion is to continue to read. Some concepts are addressed multiple times through each chapter, with some additional information each time. Also, the chapter might help clear up concepts as it progresses. Second, mark the place where you have a question and go to the Web to search for more information. The chapter on additional resources contains links and information for getting security information on the Web, and you can check there. Finally, try reading the example again if you have a conceptual question, or refer to the Windows Help system if your question is specific to the computer. By trying all these things, you should be able to get the information you need to answer your question.

Important Assumptions

While writing this book, I have made some assumptions that I will mention here so you can understand them. Not all of these assumptions will be true for everyone, but I want you to understand where I’m coming from.

First, I assume that you, the reader, are an average computer user, with no special skill or knowledge of computers. I explain concepts through the course of each chapter and present information in a way that I feel can best be understood by the average person. However, I do expect you to know what tasks you do on your computer and how important each task is to you.

Second, I assume that most home users are on a Windows platform. Although most of the concepts presented in this book apply to any platform, the details and checklists are tailored to Windows-based systems. Security is needed on any operating system, but I chose to focus on the systems most people are probably using. If you use another operating system, you can use the book for concept learning and even use the checklists and examples, but you will need to know enough to translate the Windows-based information to your operating system.

It’s Your Data

Throughout this book you will find many suggestions for securing your computer. More than likely, you will not implement every one of them on your system. You might not need some settings; others might not even apply to your computer. If you feel uncomfortable or unsure about a setting, you might choose not to implement it. In rare cases, some settings might, in fact, cause problems on your computer. Think of your computer’s security as a continuum, with usability on one end and security on the other. A completely secure computer might be unusable, and an extremely usable computer might be completely unsecured. You must feel comfortable with where your computer fits on this continuum. Investigate each setting to ensure that it does not have a negative impact on your computer. You should always maintain backups of data stored on your computer, but I strongly encourage you to back up data before making serious security changes to your system. That way you will always have a recent backup from which you can restore your system if the unpredictable happens. Chapters 3, Securing Your Computer, and 4, Securing Your Servers, offer detailed steps for securing your Windows system, and Appendix A is a large collection of links for more information about security.

Note that although hackers and crackers can damage data, they are not a threat to your hardware. You might want to buy backup drives and other devices to be more secure, but you’ll never need to replace hardware as the result of an attack.

Where to Look First

Where do you start? Assessing security for your computer can seem confusing at first, but a simple method will help keep things under control. Start by asking yourself the following questions:

  • What are you using your computer for? Buying things online? Electronic banking? Electronic trading? E-mail? Do you know how secure these services are? What would it mean to you if your access to these functions was compromised? Keep in mind that not all the risk is monetary. By impersonating your identity, a hacker can also damage your reputation.

  • What are you connecting your computer to? Most people connect their computers to the Internet, but some connect to private networks such as corporate remote access for their company.

  • How are you connecting? Is it a full-time connection, or do you control your computer’s connection (and disconnection)? Connecting via an analog modem has been the only method available to most users, but newer technologies such as DSL and cable modem are enabling many people to connect at much higher speeds. Using these new technologies carries certain security considerations, so you need to know your connection type.

  • Who has physical access to your computer? Do you authorize these people to use your computer? Do you want to control the access these people have to your computer or local network?

  • Who do you trust? Do you open an e-mail attachment from a friend? From someone you don’t know? How do you choose secure Web sites for online shopping?

  • What operating system are you using? Some operating systems are inherently more secure than others.

Answering these questions will move you down the path toward securing your system. Once you have an assessment of your computer, you can weigh the risks you are open to versus the usability you require. If you don’t know the answers to any of these questions, don’t worry. I will help you through them as you read this book.

How Secure Is Your System Out of the Box?

When you purchase a computer, it typically arrives with a default configuration. The company from whom you purchased the computer sets this configuration, usually by installing the operating system and choosing all the default settings the operating system offers at installation. This company is usually more focused on selling computers than on your computer security, and they make some assumptions about what the “average” user will be doing and needing from a security and usability perspective.

You can change the default settings to harden (make more secure) or relax (make less secure) your computer’s security settings. Additionally, you might want to use some third-party programs that can extend the functionality and security of your operating system. The makers of most computers leave that all up to you. They have to do that because most users prefer usability to security. Why? Because they don’t know any better or don’t think they are a target. The goal of this book is to show you why you need security and then to help you get the information you need to achieve that security.
