Some recent dealings with non-techies reminded me how focused they are on antivirus (really anti-malware) software. This is a shame, if not a sham. Of course Windows users need antimalware software, but there are much more important things they can do to protect themselves. This is my list, in priority sequence, of the most important defensive computing steps.
1. Be skeptical
This is, to me, the most important thing any computer user can do to protect themselves.
Bad guys are out to trick us in all sorts of ways. Internet users need to be constantly skeptical of everything. This applies to email messages, of course, but also to warnings about virus infections and notices about software needing to be upgraded.
We often respond to email messages based on who sent them but, practically speaking, it's not possible to know who really sent an email message. Forging the From address is easily done and it can be hard to detect.
2. Keep software up to date
This is, sad to say, an impossible task. The process of updating software on a personal computer (Windows, Macs and Linux) is crude and disgraceful. When techies of the future look back at this era, they'll consider us as archaic as we consider cavemen.
Future techies will be rightfully incredulous that there isn't a single software updating system for all the installed software. Imagine there were gas stations for General Motors, Toyota and Volvo cars and that owners of those cars could only be serviced at stations dedicated to them. That's the disgraceful system we all live with today.
Windows users can take a huge step forward in keeping their software up to date by using Secunia's free Online Software Inspector (OSI). I wrote about this in depth last month at eSecurity Planet (Check (All) Your Windows Patches: Secunia). Truly ambitious Windows users can use Secunia's Personal Software Inspector.
3. Don't be the master of your domain
It's common knowledge that for maximum safety, personal computers should be operated with the fewest possible privileges. In the Linux world this means not running as root; in the Windows world it means logging on as a "Standard" user rather than an "Administrator".
With Windows XP this used to be impractical and I was in favor of using DropMyRights to run Internet-facing applications with reduced rights, while still being logged on as an Administrator.
I haven't tested the feasibility of XP Standard users in a long time, but a couple of people commented on a recent posting that it is indeed a viable alternative.
Windows 7 seems to make running as a Standard user practical. Microsoft strongly recommends it, yet they don't default to it.
Windows 7 starts out with a single Administrator class user. I suggest creating a second Administrator user, logging on as that user, then downgrading the initial/current userid to "Standard".
If, for example, your current Windows 7 userid is "Harvey", you might want to name the new userid "HarveyAdmin". Windows 7 also lets you change the account name, so ambitious folks could go so far as renaming user "Harvey" to "HarveyStandard" or something to that effect.
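The account change described above, written as two functions for an elevated PowerShell prompt on Windows 7. This is an added example, not part of the original article: the function names are made up for illustration, "Harvey" and "HarveyAdmin" are the article's sample names, and an English-language Windows (groups named Administrators and Users) is assumed.

```powershell
# Added example (not from the article). Paste into an elevated PowerShell
# prompt; the function names are hypothetical. Assumes English group names.

# Members of the local Administrators group, one trimmed name per line.
function Get-AdminMembers {
    net localgroup Administrators | ForEach-Object { $_.Trim() }
}

# Step 1: run while logged on as the original administrator.
function New-SecondAdmin([string]$NewAdmin = 'HarveyAdmin') {
    # '*' makes net.exe prompt for the password, keeping it off the command line.
    net user $NewAdmin * /add
    if ($LASTEXITCODE -ne 0) { throw "Could not create $NewAdmin" }
    net localgroup Administrators $NewAdmin /add
    if ($LASTEXITCODE -ne 0) { throw "Could not make $NewAdmin an administrator" }
    "Created $NewAdmin. Log off, log on as $NewAdmin, then run Set-StandardUser."
}

# Step 2: run after logging on as the new administrator.
function Set-StandardUser([string]$Current = 'Harvey',
                          [string]$NewAdmin = 'HarveyAdmin') {
    # Only proceed from the new account, so a second working administrator
    # logon is known to exist before the first one loses its rights.
    if ($env:USERNAME -ne $NewAdmin) { throw "Log on as $NewAdmin first" }
    if ((Get-AdminMembers) -notcontains $NewAdmin) {
        throw "$NewAdmin is not an administrator; leaving $Current unchanged"
    }
    # Keep the account in Users (net.exe reports an error if it is already
    # a member, which is harmless), then drop it from Administrators.
    net localgroup Users $Current /add 2>$null | Out-Null
    net localgroup Administrators $Current /delete
    if ($LASTEXITCODE -ne 0) {
        throw "Could not remove $Current from Administrators"
    }
    "$Current is now a Standard user; the change applies at its next logon."
}
```

Call `New-SecondAdmin` first, log on as the new account, then call `Set-StandardUser`; the membership check in the second step prevents a machine ending up with no usable administrator.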
That said, this does not protect someone who gets tricked into installing a new version of Flash that's actually malware. That's for our next topic.
4. Antimalware software
No need to harp on the obvious: antivirus/antimalware software is necessary for Windows users. What I don't think is obvious is that it ranks number four on my list. If you have only so much time to devote to defensive computing, the other steps are, to me, more important.
The bad guys are so good at what they do, and there is such a flood of malicious software, that any antivirus software can only be expected to catch a small percentage of bad stuff.
5. Avoid bad websites
Last on my list is software to keep you away from bad websites. As with antivirus software, no product in this category can ever do a perfect job, or even come close. But any protection is better than none.
Finally, a suggestion for Windows users: don't do online banking. Period.
I know this is extreme, but I'm far from the only person offering this advice. Firefox, running off a bootable copy of Linux on a CD, USB flash drive or SD memory card can be your best friend.
This past summer, Brian Krebs started writing about businesses that had their online accounts drained by malware. At the time I felt the handwriting was on the wall, and suggested considering Linux for secure online banking.
Then, when man-in-the-browser attacks came to light, I again argued for Linux in Windows and Online Banking: A Dangerous Mix. This type of attack even defeats two-factor authentication schemes.
Just this month, an article in the New York Times said the scare about online banking was out of proportion to the danger. This was so off the mark, I felt the need to rebut it in Online Banking: Taking Issue With The New York Times.
Anyone that does all five defensive computing steps in the list above is very likely to have a clean machine and should be safe doing online banking. Others might be best served banking on Linux.