remain so as new versions of your system are released. The key is to understand the security-related problems that you need tothink about and solve. Before diving into the tasks you need to do to secure your home computer, let’s first think about the problem by relating it tosomething you already know how to do. In this way, you can apply your experience to this new area.So, think of your computer as you would your house, your apartment, or your condo. What do you know about how that livingspace works, what do you routinely do to keep it secure, and what have you installed to improve its security? (We’ll use this“computer-is-like-a-house-and-the-things-in-it” analogy throughout, departing only a few times to make a point.)For example, you know that if you have a loud conversation, folks outside your space can probably hear you. You also routinely lockthe doors and close the windows when you leave, and you don’t give the keys to just anyone. Some of you may install a securitysystem to complement your practices. All of these are part of living in your home.Let’s now apply similar thinking to your home computer. Email,
instant m essaging
, and most web traffic go across the Internet
; that is, anyone who can capture that information can read it. These are
things you ought to know
. You should alwaysselect and use strong passwords and exercise due care when reading all email, especially the unsolicited variety.
These are thingsyou ought to do
. Finally, you can add a
, an anti-virus program,
, and file encryption to improve the level of security on your home computer, and we’ll call these
things you ought to install
.The rest of this document describes the things you ought to know, do, and install to improve the security of your home computer. One starting point for solving home computer security problems is being aware of how the Internet and some of its technologieswork. If you know how they work, you can evaluate solutions to the problems that come up. You can also use the Internet moresafely and responsibly. In this section, we’ll talk about two topics: trust and information in the clear as it crosses the Internet.
Human beings are trusting by nature. We trust much of what we hear on the radio, see on television, and read in the newspaper.We trust the labels on packages. We trust the mail we receive. We trust our parents, our partner or spouse, and our children. Wetrust our co-workers. In fact, those who don’t trust much are thought to be cynical. Their opinions may be all too quickly ignored ordismissed.The Internet was built on trust.
Back in the mid 1960s, computers were very expensive andslow by today’s standards, but still quite useful. To share the expensive and scarce computersinstalled around the country, the U.S. government funded a research project to connect thesecomputers together so that other researchers could use them remotely. This project was calledthe
, named after the government research agency – ARPA, the Advanced ResearchProjects Agency – that funded and managed the project.Key to the ARPAnet was the level of trust placed in its users; there was little thought given tomalicious activity. Computers communicated using a straightforward scheme that relied oneverybody playing by the rules. The idea was to make sharing ideas and resources easy and asefficient as the technology of the day provided. This philosophy of trust colors many of thepractices, procedures, and technologies that are still in place today.Only within the last few years, when Internet commerce (known as
) began to spread, it has become inadequate torely principally on trust. Since the days of the ARPAnet, we’ve changed the way we use computer networks while others havechanged the underlying technologies, all in an attempt to improve the security of the Internet and the trust we place on it.Let’s dig deeper into two examples of what we trust in our daily lives. When you receive mail through the post office, manyenvelopes and the letters in them contain the sender’s address. Have you ever wondered if those addresses were valid; that is, dothey match the address of the person or persons who really sent them? While you could check to see that those addresses are validand refer to the person they name, it’s not an easy task.How would you go about it? Would you call the phone number provided with the letter? That number could also be invalid, and theperson that answers the phone could be as misleading as the original address. Perhaps you could call directory assistance or thepolice department that has jurisdiction over the town where the letter was supposedly from. They might be helpful, but that is likelyto take lots of time. Most people wouldn’t bother.And it’s not just return addresses either. How about advertisements, news stories, or the information printed on groceries? Supposeyou were on a low-fat diet. You’d want to buy foods low in fat. To select the right foods, you’d read the product label at the grocerystore. How do you know that the label information is valid? What’s to say it’s not forged? And how would you know?
Thinking About Securing Your Home Computer
Things You Ought To Know
Knowledge is power — Nam et ipsa scientia potestas est — Francis Bacon (1561-1626)
Page 2 of 14Home Computer Security3/13/2008http://www.cert.org/homeusers/HomeComputerSecurity/