Remember when computer security was simple? Advice was as easy as, "Don't boot with a floppy drive in your A: drive" and "Don't enable the macro to run." Boy, do I long for the days of yesteryear.
More and more, application vulnerabilities are being announced every day, whether it's something attacking Apple QuickTime, Macromedia Flash, YouTube videos, Adobe Acrobat, or Microsoft Office. And telling people not to open untrusted content is like telling them not to open e-mail from people they don't know. It's not bad advice, but you can't stop there.
You've got mail
On the "don't open e-mail from people you don't know" recommendation, malware has been using e-mail address books for nearly a decade now. Malicious spam and e-mail often comes from our friends, parents, and coworkers. The better advice is not to open e-mail that is unexpected, seems out of character for the sender, and contains links or content to click. When in doubt, e-mail or call the sender and confirm that they really meant to send it. Or do like me, and just delete it when there's a shadow of a doubt. I can't trust my friends and associates to thoroughly validate the stuff they send me. To them it's a cute little animated GIF or a YouTube video of a hot girl dripping barbeque sauce over a less hot car. To me, it's probably malware. It's just the way my mind works.
All these years later, you still can't tell people to open e-mails from only people they trust. Targeted spearphishing is becoming more common. You can't count on mispellings (sic) and bad grammar to alert you to a phishing attack. They have your name and your interest [for example, your bank account, Better Business Bureau complaint, 401(k) provider, and so on]. I won't give you my bank logon info, but there's a good chance that I'll respond, strongly, to my Dell laptop warranty expiring earlier than what I paid for or object to an unauthorized change in my 401(k) portfolio. Those malware guys are sneaky.
Today, the frequent advice you'll get, in the face of application malware, is to not open content from or visit untrusted Web sites. That is so 20th century! Unless you've been hiding under a rock for the last few years, security article after security article has been detailing how malware is being served up by the Web sites we trust most. It's the NFL Web site, travel site, news site, political gabfest site, and blog that we all love. They get compromised, we visit, and we get infected.
The popular Web site is compromised through its own application vulnerability and ends up serving malware to visiting users. Or it has banner ads that push malicious content. Or the favorite search engine contains highly ranked results that are thoroughly malicious. If you haven't gotten the memo, malware is infecting us from sites and people we explicitly trust! And this isn't something new. Years ago, during the initial minutes of the Nimda worm outbreak in 2001, one of the world's most popular news Web sites tried to infect me. I was reading that hour's news when all of a sudden Notepad kept popping up, displaying gobbledygook (that's a technical term). I had closed Notepad a few times before I realized that what was happening was a result of my computer security defense. In an effort to render malicious scriptable content harmless, I had remapped the Windows Scripting Host file extensions (such as ".vbs") to be reassociated with Notepad instead of Wscript.exe or Cscript.exe. I finally realized that my defense was actually working. What I thought was ASCII character gobbledygook was instead encrypted executable content.
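The Notepad remapping described above, written out as an added example (not code from the original column): a PowerShell audit of the Windows Script Host file associations, with an optional function that reassociates them to Notepad. The extension-to-ProgID pairs are the Windows defaults; the function names and the need for an elevated session are this example's assumptions.

```powershell
# Added example, not part of the original column. Run in an elevated session.
# Extension -> ProgID pairs are the defaults Windows ships with.
$ScriptTypes = @{
    '.vbs' = 'VBSFile'
    '.vbe' = 'VBEFile'
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
    '.wsf' = 'WSFFile'
    '.wsh' = 'WSHFile'
}

function Get-ScriptHandler {
    # Returns the command run when a file of this ProgID is double-clicked.
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
}

function Test-ScriptHandlers {
    # Reports each extension and whether a double-click still hands it to WScript/CScript.
    foreach ($ext in $ScriptTypes.Keys) {
        $cmd = Get-ScriptHandler -ProgId $ScriptTypes[$ext]
        [pscustomobject]@{
            Extension = $ext
            Handler   = $cmd
            RunsWSH   = [bool]($cmd -match '(?i)[wc]script\.exe')
        }
    }
}

function Set-ScriptHandlerToNotepad {
    # The column's defense: a double-click now only displays the file in Notepad.
    # Writing through HKCR lands in HKLM\SOFTWARE\Classes unless a per-user
    # override of the same key already exists under HKCU\SOFTWARE\Classes.
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    Set-ItemProperty -Path $key -Name '(default)' -Value 'notepad.exe "%1"'
}

# Audit first; apply the remapping only after reviewing the report.
Test-ScriptHandlers | Format-Table -AutoSize
# $ScriptTypes.Values | ForEach-Object { Set-ScriptHandlerToNotepad -ProgId $_ }
```

Only the double-click (ShellExecute) path changes; scripts that administrators launch explicitly with cscript.exe or wscript.exe still run, which is why the column's defense shows up as harmless Notepad windows rather than broken tooling.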
Patch and learn
The advice I give family, friends, and readers is this: Stay fully patched, with both your OS and your applications. If you don't check your entire patch status on a regular basis, you're probably not completely patched. Run Secunia's Software Inspector as a check if you don't have anything else. It isn't enough just to check your OS and biggest vendor's patching status. Run anti-malware and firewall software on the computer and keep it up to date. Perimeter security won't suffice.
Educate your end-users about the risk of attacks from Web sites they know and love. Users should be encouraged to be skeptical about all downloads, whether or not they come from a "trusted" site. Tell your users to never install video codecs, even if they promise to let them see the latest cool video. Explain to them that free software is rarely ever free. Teach them how to recognize malware warnings from their legitimate anti-malware software and, conversely, how to spot fake advertisements telling them that they're infected. Tell them not to download and run anti-malware programs that appear to detect the threat first and then require the download. That's backward.
Tell them that they should not run those funny videos and click on joke e-mail links sent to them by well-meaning friends. They should do that at home. They shouldn't be downloading music at work. Tell them how many music networks and peer-to-peer file sharing programs are big agents of infection. Remind them that they should not install software without prior approval. Tell them you (or your staff) will be glad to review their download choice to make sure it doesn't contain malware.
There are lots of ways to help users be more secure, but not telling them to remain skeptical on the Web sites they love and trust isn't one of them.