Enterprise security on a small business budget
If I really want to click through, I highlight the URL and paste it into the Google search bar of my Web browser first. If nothing else, this removes any HTML or rich-text formatting that my clipboard picked up and leaves me with a pristine plain-text URL. This strips away most of the obfuscation tricks such as www.yahoo.com.com.attacker.evil.ru: DNS (the Domain Name System) evaluates a host name from right to left, so the rightmost labels decide where you actually end up (here, a site at evil.ru), while humans read from left to right and may think they are visiting a sub-section of yahoo.com.

Furthermore, submitting the URL to a search engine also protects me from homograph (look-alike) attacks where someone sends a link to www.paypa1.com (the numeral 1 in place of a lowercase "L"). It would be obvious from the first few search results that something was not quite right, though Internationalized Domain Names, which allow look-alike characters from other alphabets, can add complications. Total cost to let Google run a sanity check on the link and remove rich-text formatting: zero.
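As an added illustration of the two tricks described above (this is example code, not part of the original article), here is a small Python checker that reads a host name the way DNS does, from the right, and flags the look-alike cases. The brand allowlist and the confusable-character table are constructed for the example, and the "rightmost two labels" rule is a simplification of what the Public Suffix List provides.

```python
from urllib.parse import urlsplit

# Constructed allowlist of domains the user actually does business with.
KNOWN_BRANDS = {"yahoo.com", "paypal.com"}

# ASCII characters commonly swapped in for look-alike letters (constructed, not exhaustive).
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def hostname(url):
    """Lowercase host name of a URL; a bare host without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registrable_domain(host):
    """Rightmost two labels of the host. DNS evaluates names right to left, so
    these labels decide where the browser really goes. Simplification: a real
    tool would consult the Public Suffix List so that e.g. 'co.uk' is not
    mistaken for a registrable domain."""
    return ".".join(host.split(".")[-2:])


def check_link(url, brands=KNOWN_BRANDS):
    """Return (registrable_domain, list_of_warnings) for a URL."""
    host = hostname(url)
    domain = registrable_domain(host)
    warnings = []
    if domain in brands:
        return domain, warnings            # genuinely one of our known domains

    # Case 1: a brand name buried in the left-hand labels that humans read first,
    # e.g. www.yahoo.com.com.attacker.evil.ru.
    prefix_labels = host.split(".")[:-2]
    for brand in brands:
        name = brand.split(".")[0]
        if name in prefix_labels:
            warnings.append(f"'{name}' is only a subdomain label; real domain is {domain}")

    # Case 2: non-ASCII host name (an Internationalized Domain Name); show the
    # punycode form so characters from other alphabets cannot hide.
    if not host.isascii():
        warnings.append("non-ASCII hostname: " + host.encode("idna").decode("ascii"))

    # Case 3: digit-for-letter substitution such as paypa1.com.
    unmasked = domain.translate(CONFUSABLE)
    if unmasked != domain and unmasked in brands:
        warnings.append(f"{domain} looks like {unmasked}")

    return domain, warnings
```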

Patch Early, Patch Often

Patching is absolutely necessary and (almost always) absolutely free. It's amazing to have to say this, but the first thing to check--right now--is whether you are up to date on all your patching. Set an iCal/Outlook reminder and do it monthly. A good time would be the second Wednesday of each month, since Microsoft releases its security updates on the second Tuesday. Or you can tie the task mentally to paying your mortgage or rent--as you're writing that check, also "check" for updates.

I don't mean just double-click on Windows Update, either. If you haven't activated Microsoft Update (a variation of Windows Update), you won't receive any Microsoft Office updates. But don't stop there! Make sure you visit Adobe to update your Flash plug-in and PDF Reader software. Firefox does a good job of pushing out updates without user intervention, but it won't upgrade you to a major new release, so check the Firefox site as well.

I continue to light candles and wait for the day when Microsoft will open up its Windows Update infrastructure for all Windows software publishers to push their updates through one centralized location, automated, and with just one click. Until that day, try using software like Secunia's Personal Software Inspector (free for personal users) that will scan all software on your computer and give you a consolidated look at where security patches are missing.