Defensive Browsing and Internet Security Basics
The safest way to drive is by assuming others may make mistakes or break rules that will have drastic consequences. In the same way, those you encounter online may be breaking rules or attempting to take advantage of you. Security tools are important, but the first line of defense is you!
Increasing Your Computing Safety and Security
Each year, tens of thousands of people will be injured or killed in automobile accidents. The costs in terms of personal loss and financial burdens are enormous. For example, the National Highway Traffic Safety Administration reports, "In 2006, 42,642 people were killed in the estimated 5,973,000 police-reported motor vehicle traffic crashes, 2,575,000 people were injured, and 4,189,000 crashes involved property damage." They report the estimated cost of motor vehicle crashes in the year 2000 alone was over $230 billion (source: http://www.nhtsa.dot.gov). When one considers the emotional impact, the intangible costs go much higher.
Of course there is an obvious solution to preventing these deaths, costs, and injuries in your own life: leave your car in the garage.
What does this have to do with computing, you might ask?
As with your automobile, there's one extremely easy method for increasing your computing safety and security (paraphrasing Microsoft engineer Charles Fitzgerald): unplug your computer from the internet. No other method has proven as effective at removing risk, reducing spam, preventing viruses, and protecting your personal data.
Unfortunately, a computer unplugged from the internet can be about as useful as, well, a fine automobile that only drives up and down the driveway. For most of us, safety and security are important but not so primary that we would be willing to sacrifice the ability to be online in order to absolutely ensure it.
Like driving, when we're computing, we want to do what we can to ensure we're in the safest situation we can afford without so restricting our experience that we either no longer enjoy it or are no longer able to do it effectively.
Computer Manufacturers & Support Services
Computer manufacturers in both the hardware and software space are working feverishly to create safer computer systems. One of the key selling points for Windows and Apple is their security subsystems. The Linux crowd constantly trumpets the security built into their OS as a key reason to switch to that platform.
The support services built around keeping systems secure are growing too. IDC forecasts that the Web security market will grow to $2.3 billion in 2011 (this is just the software market -- the overall spend in terms of personnel, hardware, loss recovery and the like is much higher) (source: IDC).
So there is much work and effort being put into making the machines that connect to the Internet safer.
But there's another side to the story that isn't talked about much: the user. Just as no automobile will protect an unsafe driver, computer safety has a lot to do with you and me.
Do you Browse like you Parent?
As a parent, I’m inundated regularly with safety and security scenarios. Buckle the kids up. Where are the children? Is that safe to eat? Put the cleaning supplies out of reach. Who's that strange man at the park? Let's get this book over that book. Are the kids old enough to watch this movie? And on and on it goes. What I've found is that there are no cut and dried approaches to keeping your kids safe and secure.
I've also noticed that parents approach this "problem" very differently. I spend a lot of time observing peers who have kids and how they handle the inherent safety and security concerns all around them. I've categorized parental approaches to safety and security as follows:
1. The Paranoid Overprotectant.
These types of parents see the world as one big mousetrap from which they must protect their kids. Every label must be checked, every instruction must be followed, every situation is rife with danger, and every person is a potential molester. These parents largely are motivated by fear and tend to see a successful day as one where no one got hurt. Safety and security for these parents means avoidance and devices: avoid as many potentially dangerous situations as you can and buy safety gadgets for the rest.
2. The Carefree Freewheeler.
These parents see the world as a playground on which their children can get some exercise. Rarely are safety and security at the forefront of their minds, and only the threat of legal action will get them to follow the most basic safety guidelines. These parents are motivated by freedom, and success for them is a day where no one was restricted from doing what they wanted. Safety and security for these parents means having a good insurance program and a huge box of band-aids.
3. The Cautious Guardian.
These parents see the need to be aware of what they would call real safety and security concerns but also see the need to balance that with the inherent risks of being a kid. These parents attempt to educate their children on dangers, prepare their children and themselves for potential disaster, and order their lives so that obvious risks are minimized. These parents are motivated by a desire to get the most out of life and view a successful day as one where the maximum amount of good was done with the resources available. Safety and security for these parents means doing what is reasonable to minimize risk, preparing for the worst, and working towards the best.
As with parenting, I think the best approach to computing is captured in the Cautious Guardian parent.
Browsing defensively is about getting the most out of the web and using the web as a powerful tool to be harnessed, not feared or avoided. Browsing defensively is about taking the necessary precautions and implementing the necessary tools to be safe on the internet, but also about thinking differently about how you browse. It's about being aware, being alert, but not letting the fear of a virus or spam prevent you from getting the most out of your browsing experience. Browsing defensively is about knowing what tools you have at your disposal but browsing in such a way that you never have to use them.
The Three A's of Defensive Browsing
Francis Bacon is credited with saying, "Knowledge is power." Nowhere else is that more true than in navigating the internet.
As with parenting and driving, the more you know and are aware of, the greater your chance of avoiding dangers and being successful. You have to know what dangers exist, you have to have the skills (a type of knowledge) to use the tools and techniques in order to maximize their power, and you have to know how to deal with problems.
The focus of defensive browsing is less about avoiding problems and more about maximizing your online experience. Maximizing your online experience involves minimizing the amount of time you need to spend rebuilding your computer after a virus or chasing down faulty credit card charges, or cleaning up spam. If you know how to avoid these problems, you indeed will be able to powerfully leverage the internet and all it has to offer.
In short, browsing defensively is a mindset that translates into behaviors. Browsing defensively involves three main components:
A defensive browser is aware of the potential of the internet without being fearful of the dangers.
Someone who browses defensively is aware of where potential danger may lie, is aware of what methods and tools exist to avoid those dangers, and is aware of when those measures have failed and what to do about it.
Someone who browses defensively doesn't approach the internet with the attitude, "I know there are dangers but I'm going to rely on the safety and security tools in my browser and pay no attention to what might happen." Rather, awareness itself is a tool the defensive browser uses to maximize her time on the world wide web.
As with anything of importance, getting good at using the internet takes skill and developing skill takes time and practice. However, browsing defensively is less like learning to fix a car and much more like learning to drive a car.
Most of us are much better drivers now than we were when we hit the road alone for the very first time. Most of the skills we formed didn't come from formal education or from being mentored. They came from taking some basic instruction and applying it in real world scenarios. Over time, we got a "feel" for the road and an "intuition" about braking distances and "safety bubbles" and how fast to take a corner, etc.
The same is true with browsing the internet. Browsing defensively will be a skill that you'll acquire by applying simple ideas to your activity on the internet. Over time, you'll find yourself getting better and better at detecting the dangers and avoiding problems.
Once you've discovered a potential risk and gained the skills to deal with it, you have to be able to adapt to the situation and make adjustments to deal with the risk. For example, if you believe you have a virus on your computer but your virus scanner doesn't pick it up, do you have other ways of validating your concern? What if your system was attacked and you no longer can get on the internet? Do you have a plan for dealing with the threat offline (e.g. have other virus and malware scanners on CD)?
So there you have them: Pardi's Three 'A's of Internet Safety Rules.
The Importance of Awareness
I must be honest. I'm a bit worried about the time when I have to train my kids how to drive. I'm not worried because I doubt my kids can learn to drive or because I think my kids are reckless and irresponsible. My biggest worry is centered on the fact that I've learned that good driving involves a lot of subtleties that are learned from doing. In other words, I know good driving involves a lot of habituated or intuitive behavior that comes from doing a lot of driving.
Have you ever thought about the fact that you actually get a "feel" for how big your car is? You may not know the actual length or even care. But you do know how big it is. That feel helps you know how wide or narrow to take your turns or how big of a parking space you can fit into. You also get a "feel" for the weight of your vehicle. You depend on this to help you know how long you'll need to make a stop at a variety of distances and in a variety of different weather conditions. You acquire a feel for your brakes and your power steering and the visual span of your mirrors. Driving really is just as much of an art as it is a science.
So how does one get from novice (or noobie in online parlance) to expert or, better for my purposes, virtuoso? How will my kids go from being wide-eyed, white-knuckled new drivers, to burger-chomping, finger-steering road warriors?
How will online safety become second nature to you?
Part of the answer to these questions is to learn to be aware.
Awareness is the conscious portion of this road to virtuosity. Awareness is passing from ignorance or unconscious knowledge to conscious knowledge to habit and intuition. You need to know what to be aware of before being aware can become second nature. Here are some examples of things you should be aware of when using the internet. In future articles, we'll explore these examples a bit more closely and look at how the tools you use for browsing or reading email, as well as anti-virus and anti-spyware tools, can assist you.
Be Aware of Where you Are
When on the internet, you shouldn't always take what you see at face value. Hackers are getting very good at spoofing web sites in order to make you think you're one place when you're really at another (sometimes referred to as "phishing"). While most modern browsers have tools that will detect and warn you of phishing sites, being aware of your surroundings can keep you safe when the tools don't work.
All web sites are built off a domain name that forms the root of the address or URL (uniform resource locator). For example, "mywebsite.com" would be the domain, which typically would then be prefixed with a "www" (dub, dub, dub to insiders), which gets us the URL: www.mywebsite.com.
The domain name is very important to the owner of the site and is protected by secure web systems such that it is very difficult if not impossible to spoof the domain. This means that if you're at Amazon's site, all the pages of the site will be under the domain name "amazon.com." Once on Amazon, you may be directed to a series of pages that may not be under that domain but as long as Amazon has not been compromised, the home page will always have the domain name at the root of the URL.
One way to protect yourself is to make sure the name you're reading in the content of the web site matches the domain name.
For example, if you're on a page that appears to be Amazon.com--it has Amazon's logo and layout and everything on the page looks as if it is the Amazon site you're used to visiting--but the domain name is something like, "amazonsite.com," you're being fooled. You know this is not Amazon because Amazon's home page will always be (www.)amazon.com perhaps with some other pages or parameters after that.
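The check described above can be written down precisely. The following is an added example, not code from the original article: it compares the host in a URL against the domain you expect, and it goes a little beyond the "amazonsite.com" case to cover other ways a familiar name can appear in an address that belongs to someone else. The function name and all sample URLs are constructed for illustration.

```javascript
// Added example (not from the original article). expectedDomain is the
// domain the reader believes they are visiting; sample URLs are constructed.
// Assumption: expectedDomain is a registered domain such as "amazon.com".

function normalizeHost(host) {
  // Host names are case-insensitive and may end with a root dot.
  return host.toLowerCase().replace(/\.$/, "");
}

function checkSiteIdentity(urlString, expectedDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { ok: false, host: null, reason: "not a valid absolute URL" };
  }
  const host = normalizeHost(url.hostname);
  const expected = normalizeHost(expectedDomain);

  // Genuine: the host is the domain itself or a subdomain of it. The match
  // must start at a label boundary (a dot), never in the middle of a label.
  if (host === expected || host.endsWith("." + expected)) {
    return { ok: true, host, reason: "host is " + expected + " or a subdomain of it" };
  }
  // Anything before "@" is login information, not the site being contacted.
  if (url.username.toLowerCase().includes(expected)) {
    return { ok: false, host, reason: "expected name appears before '@', real host differs" };
  }
  // Labels starting with "xn--" encode non-ASCII characters that can look
  // identical to ASCII letters in the address bar.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "punycode host, possible look-alike characters" };
  }
  // The brand name is present but the registered domain is someone else's.
  const brand = expected.split(".")[0];
  if (host.includes(brand)) {
    return { ok: false, host, reason: "look-alike: '" + brand + "' inside a different domain" };
  }
  return { ok: false, host, reason: "unrelated domain" };
}

// Constructed sample addresses, checked against the article's Amazon example.
const samples = [
  "https://www.amazon.com/gp/cart",
  "https://www.amazonsite.com/",
  "https://amazon.com.example.net/login",
  "https://www.amazon.com@example.net/",
];
for (const s of samples) {
  const r = checkSiteIdentity(s, "amazon.com");
  console.log(s, "->", r.ok ? "OK" : "NOT the expected site", "(" + r.reason + ")");
}
```

The rule to take away is that a host is read from right to left: only the part ending in ".amazon.com" (or exactly "amazon.com") counts, wherever else the familiar name shows up.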
Be Aware of Site Security
This awareness relates primarily to ecommerce or online purchasing. When buying things online, you can increase your safety by ensuring the site transmits your credit card data securely.
Typically, when information is transmitted to and from a web server, it is transmitted unencrypted. This means that some hacker wishing to read the transmission (which itself is not appropriate without the express permission of both the sender and receiver) can grab the data stream and read the data fairly easily. A secure site encrypts the data transmission making it much more difficult for a hacker to read the data being sent or received.
You can tell whether a site is secure in two ways:
- First, many secure sites will use the "https" prefix in the URL of the page or site. Normally, data is transmitted by way of the normal hypertext transmission protocol (http) so a URL will look like this: http://www.brighthub.com. When the "s" is added to the end, as in https://, this means that a special transmission protocol, a secure protocol, is being used. This will generally increase the security of the data being transmitted, which is important when submitting sensitive data such as credit card numbers.
- Another method sites use to secure transmissions is to use certificates. The details behind certificates are complex and beyond the scope of this article. But typically many of the larger sites will use certificates that are signed by a trusted certificate authority like Verisign, and you can view the certificate through your browser. I typically look for a security certificate on sites I'm not sure about. In lieu of looking at the certificate itself, modern browsers help you determine whether a site is secure by placing a little key or lock icon in the toolbar or next to the URL. Look for this lock before you send any credit card data to an online vendor.
These are just two ways you can be aware of your online surroundings. While neither is foolproof, if you learn to look for clues like these, you dramatically reduce your chances of getting fooled or having data stolen. In coming articles, we'll look at these and other examples more deeply and talk about how you can increase your awareness and thus increase your safety. Next we need to look at the second of Pardi's three internet safety rules, and that's 'Ability.'
What Do the CanSecWest Hacks Prove?
Perhaps the term "prove" is too strong in that little or nothing can really be proved from the hacks. But I do think some clear observations can be made that reinforce the foundation of my "defensive browsing" approach to computing. For those readers who may not know what the CanSecWest hacks are, in March of 2008, a security conference was held in Vancouver, British Columbia which held a contest to see who could hack into three separate machines: one running Mac OSX 10.5.2, one running Ubuntu 7.10, and the final machine running Vista Ultimate SP1. The Mac fell first through a flaw in the Safari browser. Vista fell next through a flaw in Adobe's Flash control. At the end of the 3-day contest only the Ubuntu machine was left standing. See here for details.
While the results of the contest are not all that surprising, I think it is worth noting that none of the machines were hacked on the first day of the contest. On the first day, the three machines were plugged into the network only and left there without any user interaction. The operating systems alone were not hackable by conference-goers. The Mac and Vista machines were compromised when hackers were allowed to run applications as a user would. The second day, only apps installed by default on the OS could be run. The Mac fell. The third day, any third party application could be run. Vista fell. As more information comes out about the exact nature of the hacks, we'll learn how important the user was to the process of compromising the machine.
Without making too much of this, it does imply that at least some important intrusions and hacks perpetrated on today's modern operating systems probably are done with users sitting in front of their machines. While we don't yet know what exactly the flaws were that exposed the machines to the hackers, we do know that applications--web applications that ran software that exposed the machine--were the culprit. The basis of "defensive browsing" is that some of these types of attacks can be prevented if users approach their internet use with more knowledge and better awareness. My argument is that while browsing defensively can't stop hackers, it will put users in a much better position to see them coming.