The only two things you need to know about home computer security

Dec 25, 2008 | 5 min read
Following two simple rules will make your home computer much safer. Roger Grimes lays out the facts on computer security for home and business computing.

I frequently give talks about the current state of malware. It ain’t pretty. Global bands of corporate thieves are spending lots of money to steal even more of your money. They use sophisticated bots and Trojans designed to hide and take. The programs they use are professional, polymorphic, server-side, one-off, malicious software that will only exist for the lucky victim. Antivirus programs aren’t getting any better at detecting malware than they were 20 years ago, and perhaps they are worse at it.

Hundreds of thousands to millions of computers are controlled by bad hackers, and whether or not your identity or money gets stolen is essentially a reverse lotto you don’t want to win. The bad guys (or girls) are stealing millions of dollars over the Internet every day. While my talk is intended to be a bit exciting, what it teaches is all true.

With that said, in general, business machines are far better protected than home machines. The infection rates for business computers are measured in the single digits for hundreds of computers. You can thank vendors, enterprise security administrators, and technicians for the relative security of enterprise machines.

The odds at home are far more daunting: something like 1 in 4 to 1 in 2 home machines are infected in a given year. It is especially hard in home environments where the adults share computers with their kids. Kids may often know more about computers than their parents, but as a whole, they care about computer security a whole lot less. Most kids will bypass any number of security warnings to get the latest music or to see the latest viral video. I know many adults who are at the same risk level, but for my purposes, I’ll classify them all as kids.

After I give my talk, people often ask me what to do to prevent malware from invading their computer. Their question usually begins by asking me what anti-virus program I recommend, as if there is a single program everyone should use that would defeat all malware. Unfortunately, it doesn’t exist. I do recommend that users buy and use a well-known anti-virus program that has a good track record of being highly accurate. I’m not a big fan of new, unpopular, or free programs. Not because these latter programs aren’t good, but I like to see a long-term track record of success before I recommend a security product. Plus, you never know when the new ones might just be malware programs in disguise.

But the reality is that I’ve rarely run anti-virus programs in my 22 years of PC computing, and I’ve never been exploited (except when intentionally playing around with malicious code during testing). My “secret” isn’t a product. It’s a philosophy based upon the facts.

The No. 1 way end-users are infected these days is by installing anti-virus software that is, instead, malware. Several studies have shown that a majority of your risk comes from being socially engineered into installing malicious programs. Nearly all the rest of the risk comes from an unpatched operating system or programs, which then allow silently installed “drive-by” downloads.

A very small percentage of attacks comes from zero-day attacks. Although the following table isn’t scientific, I believe client-side risk is somewhat represented like this:

  • User socially engineered into running malware: 95%
  • Unpatched software allows silent install: 4%
  • Zero day hole: 1%

Everything else is essentially rounding error. I’ll stake my 20-year career on that guess.

And if that claim is true, then you can significantly reduce your risk by doing two things and doing them well. First, don’t allow yourself, or your kids, to be tricked into installing malicious software. That means not installing anything that you can’t confirm is 100 percent legitimate. When in doubt, chicken out.

Second, make sure your system is fully patched, both OS and application software. My frequent readers know that I’m a big fan of Secunia’s Software Inspector product for identifying and applying missing patches. It’s worth paying for the commercial version. It’s not perfect, but I don’t know of anything at the same price for home users with the same functionality.

That’s it. There are lots of things you can do to minimize your risk, including running anti-malware software, using strong passwords, and not being logged in as Administrator or root all the time. But if you want the two best things you can do to avoid compromise, there you have it: Don’t run malware, and be fully patched.

Of course, we educated computer security readers can do this with no problem. We know how to spot the malicious stuff. But can your kids, your spouse, and the people you care about be as accurate?

I’m not a big believer in end-user education. It has a tendency to not work in large environments. It only takes one idiot — err, end-user — to infect the whole network. But this is absolutely an instance where end-user education is the best defense. Teach your spouse and kids and those you care about (heck, maybe your end-users at work if you feel so inclined) about the new threats and how tricky they are. Show them related articles with lots of pictures. If you can’t find one, here’s a good article on fake anti-virus programs by my friend Jesper Johansson. If one article’s not enough, here’s another, similar article.

Do whatever it takes, but educate those who rely upon you about the two best defenses they can take to protect their computers. It doesn’t take fancy software, new defense methodologies, or a hundred different defense-in-depth rules. All it takes is being a lot better at the primary two defenses.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

