Happy New Year! 2010 was a big year for me in terms of learning about computer security. First and foremost, last year was the first full year I had worked in security-related research. I also took a course at the Harvard extension school and attended meetings of a local industry group for computer security. So I now feel I’m in a much better position to give security advice to non-specialists.

2010 was kind of a scary year from the point of view of computer security. One big event was the onslaught of the Stuxnet worm, the first computer attack widely believed to have been created by a nation-state for purposes of espionage. Closer to home for most users, 2010 saw a continuing parade of privacy scandals on Facebook. It may seem that last year, the state of security on the Internet was going from bad to worse.

In fact, the more I learn about computer security, the more optimistic I become that we, computer users, can do a lot to make our systems more secure. I have in mind a multi-part series of articles to explain in plain language how to go about doing that. There are some things about computer security that are out of our hands, but there are many other things we can control. The threat from black hats has never been greater, but as that threat becomes more recognized, the opportunities for users’ education and self-protection become greater.

Security for the Everyday User

Most Americans in this second decade of the 21st century use computers on a daily or at least weekly basis. Yet very few have a good grasp of the basics of computer security. I would go so far as to say that most people don’t want to know about computer security. They just want to use computers and not have to know about security or worry about security at all.

Unfortunately, the time when that attitude was reasonable has passed. The Internet has simply become too lucrative a target for criminals. The only way to safely ignore the threat is to get off the grid.

However, I don’t believe every user has to become an expert or spend a huge amount of time and effort worrying about security. In the physical world (what I like to call “meat space”), we all learn basic safety and crime-prevention habits. It starts in kindergarten when we learn to look both ways before crossing the street, and progresses into adulthood with learning to lock your car doors and avoid certain parts of town at night. Security in cyberspace (at least for ordinary users) does not have to be a lot different. The techniques I will describe are the equivalent of those basic habits. Like safety habits in meat space, they won’t guarantee that you won’t become a victim. What they’ll do is manage the risks. The future I am working toward is one where everyday computer users are equipped with the habits and tools they need to reduce their risk exposure, without much more effort and inconvenience than we exercise to manage risks in meat space.

#1 Tip: Use Anti-Virus Software

The most important thing you can do to protect yourself is to install “anti-virus” software on your computer. These days, “anti-virus” is a bit of a misnomer because viruses are not the only threat. Modern anti-virus products help protect your computer against all kinds of attacks: worms, malware, phishing, and, yes, viruses. The distinctions among these different kinds of threats are in some sense academic. The key is that you need some kind of software to provide a basic defense against the various threats, and you need to keep that software up to date.

I’ll be the first person to admit that anti-virus software isn’t perfect. The most common criticism is that it only protects you against threats that have already been detected and cataloged. That’s perfectly true, and if you are running a bank or even a commercial Web site, anti-virus software alone is not good enough. However, just because anti-virus software is imperfect is no reason not to use it. A deadbolt on the door to your house isn’t perfect, either: an intruder could always break a window instead. It remains a basic tool that is a sensible part of any risk management strategy.

Once a computer attack is written, it tends to remain active and to replicate itself over the Internet. Protecting your computer against yesterday’s attacks makes perfect sense when yesterday’s attacks are still attacking you today.

You Really Do Need Anti-Virus Software

Don’t make the mistake of thinking you are too insignificant to be a target. Computer attacks are automated; they scan the Internet for any computer that might be vulnerable. They’ll go after you regardless of whether you have valuable information. Indeed, very often your computer is not the ultimate target of the attack: the attacker only wants to take over your machine to use it to assail some higher-value target. That way, when the FBI traces that cracking attempt on Bank of America, they find it came from your computer, not the actual criminal’s.

You might think that you’re immune to “viruses” if you use a Mac. While it’s true that the majority of computer attacks are written to go after Windows, there are plenty of attacks against Mac OS as well. As recently as a couple of years ago, Apple was running TV ads claiming that Macs were less likely to fall victim to “viruses” than PCs. That was questionable to the point of being disingenuous then, and it is even less true now.

Linux users, I’m also looking at you. Most Linux users aren’t even aware that anti-virus software for their platform exists. Ponder this: with Linux becoming so prevalent as an operating system for Web servers and corporate infrastructure, does it still seem unlikely that criminals will unleash automated, self-replicating attacks against it?

Obtaining Anti-Virus Software

There are many anti-virus products on the market. In my opinion, it matters a lot more that you install something than that you pick one particular product over another.

I definitely don’t get paid to make endorsements. I have been using Norton Internet Security for the past two years and have been fairly happy with it. Before that I tried McAfee and I hated it: at the time at least, McAfee’s update mechanism required users to turn off important security features in Internet Explorer. (Specifically, it required setting IE security policy to “medium,” which enables ActiveX, a huge and unacceptable security hole.)

If you are really cheap, there are several ways you can get some level of protection for free:

  1. Your Internet Service Provider may offer anti-virus software to all its users. This is in their best interest because unprotected machines can be taken over by bad guys and used to launch attacks, which mess up their network. Check your ISP’s Help page or call their tech support line.
  2. Here’s a list of several anti-virus programs you can download and use for free