10 things you should do to secure every general-purpose operating system

There are key considerations for system security that apply no matter which general-purpose operating system platform you happen to be using. You should always consider the following precautions when securing your systems against unauthorized access and unfortunate disasters.

1- Use strong passwords
One of the simplest ways to improve security is to use a password that isn’t easily guessed by brute force attacks. A brute force attack is one where the attacker uses an automated system to guess passwords as quickly as possible, hoping to find the right password before long. Passwords that include special characters and spaces, numbers, and both capital and lowercase letters—as well as avoiding words in the dictionary—are much more difficult to crack than your mother’s name or your anniversary date.
Remember as well that increasing the length of your password by just one character multiplies the total number of possibilities by the number of valid characters that can be used. In general, anything fewer than eight characters is considered far too easy to crack. Ten, 12, or even 16 is better. Just don’t make it too long to remember or too difficult to type.

2- Invest in good perimeter defense
Not all security occurs on the desktop. It’s a good idea to use an external firewall/router to help protect your computer, even if you have only one computer. At the low end, you can purchase a retail router device, such as the commercial Linksys, D-Link, and Netgear routers that are available in stores such as Best Buy, Circuit City, and CompUSA. Higher up the scale, you can get managed switches, routers, and firewalls from “enterprise-class” vendors, such as Cisco, Vyatta, and Foundry Networks.
Starting somewhere in the middle and moving all the way up to direct competition with the major enterprise-class vendors, you can put together your own firewalls either from scratch or using prepackaged firewall/router installers, such as m0n0wall and IPCop. Proxy servers, antivirus gateways, and spam filtering gateways can all contribute to stronger perimeter security as well. Remember that in general, switches are better for security than hubs, routers with NAT are better than switches, and firewalls are a definite necessity.

3- Update your software
While concerns such as patch testing before deployment to production systems may be of critical importance in many circumstances, ultimately, security patches must be rolled out to your systems. Ignoring security updates for too long can result in the computers you use becoming easy targets for unscrupulous security crackers. Don’t let the software installed on your computers fall too far behind the security update schedule. The same applies to any signature-based malware protection software, such as antivirus applications (if your system needs them), which can’t be any more effective than the degree to which they are kept up to date with current malware signature definitions.

4- Shut down services you don’t use
Often, computer users don’t even know which network-accessible services are running on their systems. Telnet and FTP are common offenders that should be shut down on computers where they are not needed. Make sure you’re aware of every single service running on your computer and have a reason for it to be running. In some cases, this may require reading up on the importance of that service to your particular needs so that you don’t make a mistake like shutting off the RPC service on a Microsoft Windows machine and disallow logging in, but it’s always a good idea not to run services you don’t actually use.

5- Employ data encryption
Varying levels of data encryption coverage are available to the security-conscious computer user or sysadmin, and choosing the right level of encryption for your needs is something that must be decided based on circumstances. Data encryption can range from use of cryptographic tools on a file-by-file basis, through filesystem encryption, up to full disk encryption.
Typically, this doesn’t cover the boot partition, as that would require decryption assistance from specialized hardware, but if your need for privacy is great enough to justify the expense, it’s possible to get such whole-system encryption. For anything short of boot partition encryption, a number of solutions are available for each level of encryption desired, including both commercial proprietary systems and open source systems for full disk encryption on every major desktop operating system.

6- Protect your data with backups
One of the most important ways you can protect yourself from disaster is to back up your data. Strategies for data redundancy can range from something as simple and rudimentary as periodically saving copies to CD to complex, staggered, periodic automated backups to a server. On systems that must maintain constant uptime without loss of service, RAID can provide automatic failover redundancy in case of a disk failure. Free backup tools, such as rsync and Bacula, are available for putting together automated backup schemes.
Version control systems, such as Subversion, can provide flexible data management so that you can not only have backups on another computer, but you can keep more than one desktop or laptop system up to date with the same data without a great deal of difficulty. Using Subversion in this manner saved my bacon in 2004 when my working laptop suffered a catastrophic drive failure, emphasizing the importance of regular backups of critical data.

7- Encrypt sensitive communications
Cryptographic systems for protecting communications from eavesdroppers are surprisingly common. Software supporting OpenPGP for e-mail, the Off The Record plug-ins for IM clients, encrypted tunnel software for sustained communication using secure protocols such as SSH and SSL, and numerous other tools can be had easily to ensure that data is not compromised in transit. In person-to-person communications, of course, it can sometimes be difficult to convince the other participant to use encryption software, but sometimes that protection is of critical importance.

8- Don’t trust foreign networks
This is especially important on open wireless networks, such as at your local coffee shop. If you’re careful and smart about security, there’s no reason you can’t use a wireless network at a coffee shop or some other untrusted foreign network, but the key is that you have to ensure security through your own system and not trust the foreign network to be safe from malicious security crackers. For instance, it is much more critical that you protect sensitive communications with encryption on an open wireless network, including when connecting to Web sites where you use a login session cookie to automate authentication or enter a username and password.
Less obviously, make sure you don’t have any network services running that are not strictly necessary, as they can be exploited if there is an unpatched vulnerability. This applies to network filesystem software, such as NFS or Microsoft CIFS, SSH servers, Active Directory services, and any of a number of other possibilities. Check your systems both from the inside and the outside to determine what opportunities malicious security crackers may have to compromise your computer and make sure those points of entry are as locked down as reasonably possible.
In some respects, this is just an extension of the points about shutting down unneeded services and encrypting sensitive communications, except that in dealing with foreign networks, you must be especially stingy with the services you allow to run on your system and what communications you consider “sensitive.” Protecting yourself on a foreign, untrusted network may in fact require a complete reworking of your system’s security profile.

9- Get an uninterruptible power supply
You don’t just want a UPS so you won’t lose files if the power goes out. There are other, ultimately more important reasons, such as power conditioning and avoiding filesystem corruption. For this reason, make sure you get something that works with your operating system to notify it when it needs to shut itself down, in case you aren’t home when the power goes out, and make sure you get a UPS that provides power conditioning as well as battery backup. A surge protector simply isn’t enough to protect your system against damage from “dirty” power. Remember, a UPS is key to protecting both your hardware and your data.

10- Monitor systems for security threats and breaches
Never assume that just because you’ve gone through a checklist of security preparations your systems are necessarily safe from security crackers. You should always institute some kind of monitoring routine to ensure that suspicious events come to your attention quickly and allow you to follow up on what may be security breaches or threats to security. This sort of attention should not only be spent on network monitoring but also integrity auditing and/or other local system security monitoring techniques.
Other security precautions may apply depending on the specific OS you use. Some operating systems provide additional security challenges because of design characteristics that produce a less-than-optimal security profile, and some operating systems grant the knowledgeable sysadmin capabilities for increased security that may not exist elsewhere. You should keep all of this in mind when securing your system, whether using proprietary systems, such as Microsoft Windows and Apple Mac OS X, or open source systems, such as your favorite Linux distribution, FreeBSD, NetBSD, or even the security-conscious OpenBSD.
Only in the rarest of circumstances is a default install of your OS, with no further thought to securing the system, truly sufficient. Start with the above enumerated security concerns regardless of your operating system and then consider the specific security needs and opportunities of your platform. Don’t leave the integrity of your system’s security up to luck.

January 12, 2008 Posted by notjustcyberview | E-Commerce, Internet | backup, data, encryption, operating, passwords, platform, protect, security, services, system, trust, Update | No Comments Yet

Microsoft in 2008

10 Predictions by Mary Jo Foley:

- First up: Expect “Fiji,” the new version of Windows Media Center, to resurface. Fiji, which probably now has a boring codename like Windows 6.5, will reemerge from information lock-down in early 2008. I wouldn’t be surprised to see Microsoft field a private test build of Fiji as soon as January (timed with the Consumer Electronics Show). Because Fiji allegedly requires Vista Service Pack 1 to work, a public beta is probably unlikely until spring. Final Fiji release: I’m betting late summer 2008 (in time for Holiday 2008 preloads).

- Apple is none too happy when it can’t maintain its shroud of secrecy. That’s why Apple still hasn’t announced — even though it would make many business customers happy — that it licensed the ActiveSync protocol from Microsoft that will make it easier to sync the iPhone with Exchange Server.
But Apple can’t hold off forever. CEO Steve Jobs might admit Apple inked the licensing agreement with Microsoft at Macworld in January. Or he might wait until later next year to acknowledge the deal. But in 2008, Apple will admit publicly that it has sought Redmond’s blessing, yet again.

- Ever since Microsoft brought in Electronic Arts executive Don Mattrick to run its Interactive Entertainment Business, there have been a lot of changes on the gaming side of Microsoft. That’s no coincidence: Mattrick is cleaning house, sources say. And one of the next casualties could be Shane Kim, Corporate VP of Microsoft Game Studios. Expect more game-related shake-ups at Microsoft in 2008.

- Now that Facebook has opened up its development platform to other social-networking vendors, it seems obvious that Microsoft would want to get onboard. So far, other than fielding a Facebook development toolkit, Microsoft hasn’t talked about its dev strategy for Facebook. But in 2008, watch for the Redmondians to announce more tools to help Facebook combat Google’s (still-vaporish) OpenSocial. (And don’t be surprised to see some patent-sword rattling by Microsoft regarding OpenSocial, in the process.)

- When Roz Ho left her post as head of the Microsoft Mac Business Unit earlier this year, she disappeared into the depths of the Mobile and Entertainment Division. Word is Ho is heading up the mysterious “Pink and Purple” project, which is all about bringing Zune features and functionality to Windows Mobile devices. It sounds like Ho also is part of the oft-denied skunkworks project to create a Microsoft ZunePhone. Word is some of the new Windows Mobile music features will see the light of day (in beta or final form) in 2008.

- Even though Windows 7 isn’t expected to ship until 2010, word is that Office 14 is still on track to be released to manufacturing in 2009. If Microsoft sticks to schedule, the company could field Beta 1 of the product in 2008.

- Microsoft is slowly but surely fielding more Microsoft-hosted enterprise services that it is marketing to large enterprises. In 2007, Microsoft made a push for Microsoft-hosted Office Communications Server, SharePoint and Exchange. In 2008, expect Microsoft to add Forefront security and a business-intelligence bundle to its Office Online price list.

- In February, Microsoft’s Open Office XML will be up for ISO standards consideration. Despite the best attempts of Microsoft’s adversaries and critics to derail it, OOXML is finally going to get the ISO nod. That doesn’t mean the OOXML vs. ODF/CDF battle won’t continue, given that big government contracts stipulating “open” formats are at stake. But one more hurdle for OOXML’s acceptance will be behind Microsoft in the new year.

- Windows 7 exists. Folks inside Microsoft are running early builds already. Does that mean we can count on seeing test builds of Windows 7 in 2008? I bet not. I’d be very surprised to see any kind of broad tech preview out next year. The only thing that would surprise me more: Istartedsomething.com blogger Long Zheng being appointed as Microsoft’s new Director of Windows Client Disclosure. Bottom line: If you’re hoping to see 7 in 08, don’t hold your breath.

- Bruce Chizen, Adobe’s CEO who abruptly resigned in 2007, has been mum on his future plans. But sources say Chizen is going to join Microsoft to run the Expression team in the new year. As Microsoft watchers know, Adobe and Microsoft are competing head-to-head in the design-tool space. If the sources are right (and there are no non-competes in the way), Chizen may have a new roost to rule soon.

January 12, 2008 Posted by notjustcyberview | E-Commerce, Internet | 2008, Apple, CEO, Facebook, Fiji, Forefront, gaming, iphone, microsoft, Office, Windows, xbox, XML, ZunePhone | No Comments Yet

Will startups or big companies have a bigger impact on tech in 2008?

For the past four decades, the tech industry has had a romantic infatuation with startups. Much of that is due to the fact that many of today’s biggest billion dollar tech giants began as fledgling startups in basements and garages. In the 1970s and 1980s, it was mostly startups involved in the rise of the PC. In the 1990s it was startups hitched to the birth and growth of the Internet. During the past few years, the infatuation has transferred to the startups powering the Web 2.0 revolution, which is basically the transformation of the Internet into an application, services, and social collaboration platform.

While startups have an enchanting aura of energy, passion, and innovation, big companies — even the ones that used to be cool startups — are often saddled with the stereotype of being boring, bogged-down, and conservative. Nevertheless, the best, coolest, and most important work in tech is not reserved for startups. The truth is that startups and big businesses typically operate with two distinctly different sets of priorities and challenges.

All of this begs the question of whether startups or big companies will have a larger impact on business technology in 2008. The answer is complicated since startups are about new ideas and innovations and big companies are about people and processes. To take it one step further, startups are usually about launching new ideas to successfully gain a following and show the potential to become a big idea, while big companies are about about building the right teams and processes to systemically deliver successes again and again.

With that in mind, here are some predictions for tech startups and big tech companies in 2008.

In 2008, tech startups will …

* Use their nimbleness and focus to take advantage of specific opportunities that big companies have not figured out how to crack (e.g. Web video and online collaboration).
* Struggle with resources as a result of the credit crunch and the slowing world economy.
* Witness a major consolidation of Web 2.0 vendors, with some going under as they run out of money and/or don’t have a product that has differentiated itself in the market and others being acquired by competitors or big companies
* Create new markets and new opportunities with ideas that fly in the face of conventional wisdom

In 2008, big tech companies will …

* Use their experience and deep pockets to patiently wait for markets like WiMAX, UMPC, and VoIP to mature, become profitable, and eventually revolutionize certain aspects of work and play.
* Take ideas that had big potential as a startup and do the hard work of building an infrastructure to systematize and channel that potential into a sustainable success.
* Repeatedly fail to execute on ideas that they should be able to get right because of a lack of focus and/or having too many cooks in the kitchen — for example, simplifying security configuration for users and IT.
* Use their resources and scale to successfully bring great ideas to the masses and thereby make a major impact on culture and daily life (e.g. the Tablet PC and touch-based interface).

So which will have the larger impact on tech in 2008? Because the Web 2.0 movement has reached the point where it’s time for consolidation, commoditization, and monetization, the pendulum is going to be swinging toward big companies in 2008. In fact, many of the Internet’s long-promised revolutionary advances (for example, in telephony, video, conferencing, and collaboration) are at the point where they need capital, organization, and systemization — all of which play to the strengths of big business.

January 11, 2008 Posted by notjustcyberview | E-Commerce, Internet | 2008, E-Commerce, startups, tech, web 2.0 | No Comments Yet