CSO - A common misconception is that a shiny new computer is more or less secure because it hasn't yet been exposed to the Internet's sinister underbelly. But the truth is, these machines come out of the box needing scores of patches, some basic security software downloads and the disabling or replacing of items security pros don't typically trust.

CSOonline asked security experts about the first steps they undertake after unwrapping any new Internet-facing machine.

Step 1: Uninstall Stuff You Don't NeedA new PC is bound to come out of the box already fitted with items the security pro doesn't care for. Certain media players may cause heartburn, for example. Or the machine could simply include programs that, from the security practitioner's point of view, makes other, more important applications perform more slowly than they otherwise would. PC manufacturers have become notorious for installing trial software versions and other unnecessary programs (commonly known as 'craplets' or 'bloatware').

Martin Fisher, manager of the Computer Security Incident Response Team (CSIRT) at Delta Airlines in Atlanta, says software removal is his first task when unwrapping a new system. The simple reason is he prefers the machine to be as bare-bones as possible, only fitted with programs the user needs to do the job. Simple is also easier to secure.

He removes any vendor-provided remote help, AOL and other preloads he will never use (including whatever Adobe products came pre-loaded and all MS Office - which he will replace with OpenOffice and Mozilla Thunderbird). The goal is to strip the machine to the bare minimums.

Step 2: Install FirefoxLet's face it: Despite all the effort Microsoft has put into making Internet Explorer more secure, one is hard-pressed to find an IT security administrator who truly feels safe using it. And so one of the first things they do is install an alternative browser -- Mozilla Firefox, in most cases. [See: IE or Firefox: Which is More Secure?]

"Firefox with NoScript currently provides one of the best levels of protection against browser-based attacks," says Christophe Veltsos, president of Prudent Security and keeper of the DrInfoSec blog.

Step 3: Install NoScript and other Firefox add-onsIndeed, nearly everyone who said they install Firefox said they also grab the NoScript add-on, which only lets trusted websites (the user's online bank, for instance) run JavaScript, Java, Flash and other plug-ins, and defends users from cross-site scripting (XSS) and clickjacking attacks. It uses a whitelisting approach that blocks scripts that may attempt to exploit security vulnerabilities without loss of functionality.

Security pros have other favorite Firefox add-ons that are immediately downloaded once Firefox is on a new laptop. Not all of them are specifically for security, but they are typically tools security pros use to do their jobs.

Comment Recommend Digg Twitter ShareThis

Email Print Send Feedback Reprints

Reprinted with permission from

This story is reprinted from CSO Online.com, an online resource for information executives.
Story Copyright CXO Media Inc., 2006. All rights reserved.

Jump to comments

A common misconception is that a shiny new computer is more or less secure because it hasn't yet been exposed to the Internet's sinister underbelly. But the truth is

Additional Resources

Microsoft

DirectAccess and UAG: Better Together

Here are some of the key reasons why you would want to run Unified Access Gateway with DirectAccess.

Microsoft

Case Study: Energy Firm Tightens Protection, Simplifies IT Work

Review how one energy firm tightened protection and simplified IT work using business-ready security solutions.

Sybase

NEXT-GENERATION MOBILITY PLATFORMS

In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.

What People Are Saying

5 comments | Add new

See all comments (5) | Add new

White Papers & Webcasts

Is Collaboration the buzz word of 2010 or buzzkill?
Read this whitepaper today!

Data in Action: Making the Planet Smarter
Register Now

A Survival Guide For Portable Data Storage in a Unsecure World
Read this whitepaper today!

Hosted Security Services: Why it make budget and security sense in today's economy
Watch Now

7 Ways to Optimize VMware Server Virtualization
Download This Whitepaper Now!

The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.

IT Consolidation and Disaster Recovery- Simply, Cost-effectively, and Simultaneously
Download this complimentary white paper! Provided by 3PAR.

Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!

Oracle Accelerate - Not Just Smart but Timely
Download Now!

Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.

All White Papers | All Webcasts

Computerworld Reports

Computerworld Technology Briefing: More than Business Value

Computerworld Briefing: Staffing for Intelligence

8 Questions To Ask About Your Intrusion-Security Solution

All Computerworld Reports

Business Continuity Zone
An organization's business continuity plan helps keep critical functions running during an emergency–the power fails, a virus is unleashed on your network, a natural disaster has occurred. Even the slightest downtime or loss of data can cripple your operation. CDW can help you prevent disaster by implementing a well-planned recovery strategy.
Click here to visit the Zone

See All Zones