Computerworld - It's time for other people to wake up to something that security folks have long known: The Internet really is out to get us all.
On the Internet, the strong and swift prey on the weak and slow, just like in those nature shows I used to watch as a kid. I particularly remember one in which a cute little fish was swimming along, when it spied a tasty meal, and then -- WHAM! The meal was just bait dangling from the head of a nightmarish beast that popped up and ate the cute little fish in one gulp. Burp.
You'd do well to keep that image in mind whenever you're on the Internet.
Yes, that sounds alarmist, but notice that I didn't tell you to stay off the Internet. You have the right, and probably a legitimate need, to use the Internet, just as that poor little fish had a right and a need to go out in search of a meal or a mate. But you do have to be wary on the Internet if you want to avoid ending up being someone else's meal.
Just this morning, a friend asked me about a pop-up that he keeps seeing on his Mac, "inviting" him to install some "security software" for free. It promised to keep his Mac safe and clean from Internet nasties. My thought: That offer was the bait just waiting to be taken, and my friend was a cute little fish in danger of being swallowed by what was attached to it. I advised him to swim away. When I got home from walking my basset hound, a quick Internet search confirmed my fears. I found that many people had complained that this particular offer of security software was a scam. Had my friend accepted the nice invitation -- WHAM!
So what can you do to avoid being gobbled up by one of the beasties that regularly pop up when you're on the Internet? Here are a few steps I advise taking:
Step 1 -- Assume everything to be dangerous until proven safe. Don't click. Don't view. Run screaming, or approach with extreme caution. But how? Read on.
Step 2 -- Prevent active content. From a consumer perspective, Internet websites consist of static and active content. Static content includes text, hyperlinks and all sorts of other data. Active content includes JavaScript, Adobe Flash and Java applets. While these things can all provide useful functionality, and in many cases are needed for a website to function properly, any of them can contain a beast waiting for its next meal. So ...
Step 2a -- Turn off Java in your browser. Back in 1996 or so, Java applets in the browser were heralded as the next big thing. All Internet sites, we were told, would soon be using Java applets to provide neat features. The reality of it is, though, that Java in the browser never took off and provided little other than dancing pigs. (Java on the server, on the other hand, remains a huge technology safely in use today by millions of websites.) The vast majority of Internet consumers have no need for Java in their browsers. Turn it off. Go into your browser's settings/preferences and look for its security settings. There you'll almost certainly see a choice to enable/disable Java. Do it. Do it now, in fact, and then come back here to read the rest of this column. Seriously. Misconfigured browsers are actively used by attackers today via malicious Java applets.
Step 2b -- Update your Flash player and enable auto-updating. Most current versions of Adobe's Flash player automatically check for updates, but if yours is just a bit older, it may well not. On a Mac, go into System Preferences, select the Flash Player icon and then "check now" for updates. Similarly, Windows users should go into their Adobe Flash settings and ensure they're running the latest version.
Step 2c -- Restrict which sites you permit to run JavaScript and Flash. This one is perhaps the most difficult to accomplish, but it's well worth the effort. Most browsers require a plug-in of some sort to do this. In Mozilla Firefox, the venerable NoScript plug-in, which is available for free, does a pretty good job. In Safari, consider one or more Safari Extensions like ClickToFlash and JavaScript Blocker. Internet Explorer users can also accomplish this sort of control by using IE's security zones: disable JavaScript in the Internet zone, and then add trustworthy sites one at a time into the Trusted sites zone, where JavaScript is allowed. All of these require you to spend some time training the tools regarding which sites you want to use and which you don't trust. They all default to blocking everything that you don't explicitly allow. Some users will find this inconvenient, perhaps too much so. On the other hand, I rejoice in them for the control they give me over allowing and disallowing active content. I go one step further and also install an advertisement blocker, since we've seen many ads that have been used for "drive-by" attacks.
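The Internet Explorer variant of Step 2c can be scripted rather than clicked through, which is useful if you look after more than one machine. The PowerShell below is an added example, not code from the column; it writes the per-user registry keys that back IE's Internet Options > Security dialog (zone 3 is the Internet zone, zone 2 is Trusted sites, and action 1400 is "Active scripting", with 0 = Enable, 1 = Prompt, 3 = Disable). The domain names are placeholders, and the script touches HKCU only, so it affects the current user.

```powershell
# Added example: apply the column's IE advice (scripting off in the Internet zone,
# then allow trusted sites one at a time) via IE's well-known per-user zone keys.
# Zone 3 = Internet, Zone 2 = Trusted sites; action 1400 = Active scripting.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable. HKCU only (current user).

$ZonesKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ActiveScripting = '1400'
$InternetZone    = 3
$TrustedZone     = 2

function Set-ZoneScripting {
    # Set the Active scripting action for one zone.
    param(
        [int]$Zone,
        [ValidateSet('Enable', 'Prompt', 'Disable')][string]$Action
    )
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Action]
    Set-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $ActiveScripting -Value $value -Type DWord
}

function Get-ZoneScripting {
    # Read back the current Active scripting action for a zone, for verification.
    param([int]$Zone)
    $v = (Get-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $ActiveScripting).$ActiveScripting
    switch ($v) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "Unknown($v)" } }
}

function Add-TrustedSite {
    # Map a hostname to the Trusted sites zone for https only, so a plain-http
    # lookalike of the same name does not inherit the scripting allowance.
    param([string]$Domain)
    $key = Join-Path $DomainsKey $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'https' -Value $TrustedZone -PropertyType DWord -Force | Out-Null
}

# Default-deny first, then a short, explicit allow list.
Set-ZoneScripting -Zone $InternetZone -Action Disable
Set-ZoneScripting -Zone $TrustedZone  -Action Enable
'example.com', 'bank.example' | ForEach-Object { Add-TrustedSite $_ }   # placeholder domains

"Internet zone scripting: {0}" -f (Get-ZoneScripting $InternetZone)
"Trusted zone scripting:  {0}" -f (Get-ZoneScripting $TrustedZone)
```

Run it in a normal (non-elevated) PowerShell session as the user whose browser you are configuring; open a new IE window afterwards, since running sessions keep their cached zone settings. The read-back at the end is the check you want before trusting the result: if either zone prints `Unknown`, the key was not where this script expected it and nothing should be assumed to be blocked.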
Step 3 -- Proceed with caution. The things I've listed, done in combination, will go a long way toward keeping you safe, but there are absolutely no guarantees. Complacency, even the complacency that might arise from relying on tools like these, can still have unpleasant results.
No one aspires to be the little fish who gets gulped up by something nasty in a pretty guise. In order to stay safe with a high degree of confidence, it's essential to maintain a diligent attitude about everything you touch on the Internet. Remember, it's not paranoia when everyone really is out to get you.
With more than 20 years in the information security field, Kenneth van Wyk has worked at Carnegie Mellon University's CERT/CC, the U.S. Department of Defense, Para-Protect and others. He has published two books on information security and is working on a third. He is the president and principal consultant at KRvW Associates LLC in Alexandria, Va.