Home Users: Friend or Foe?

As a security professional I have had the opportunity to attend, appear on panels for and speak at security-related conferences and trade group meetings. It is always exciting to learn about the latest trends in the security field and to network with...


It is imperative that home users purchase and install a personal firewall product. Commonly used products include Zone Labs' Zone Alarm and Black Ice Defender. These products not only protect the computer from attack, they monitor which applications on the computer are trying to access the Internet. This is important because many types of Trojan programs exist that will attempt to send personal information to a server on the Internet. Some of these Trojans also broadcast themselves to the Internet so hackers can find them and connect to them. Any home user or business that has an "always-on" connection and does not have a firewall in place can be assured that their proprietary and personal data has been viewed and/or stolen. It is important to note, however, that firewalls are not the "be all and end all" security solutions many believe them to be. Nearly all firewalls have vulnerabilities, and if they are not patched, the firewall may as well not exist. Additional security measures need to be implemented.

Password Protection

An additional layer of protection can be offered by password protecting key documents. This includes Adobe Acrobat files, Office documents and Zip (compressed) files. If users maintain this type of security, they must understand that they are only defending against the curious or casual attacker.

Password protected files are not secure for two reasons. For one thing, users often choose a password they already use or a simple password that is easy to remember and therefore easy to guess. The second reason is that password-cracking tools exist for nearly all applications. Many of these tools are free or inexpensive. They are generally offered as "password recovery" tools that provide absent-minded users with ways of recovering valuable documents. Security professionals need to be aware of these tools because they can prove useful when investigating inappropriate employee activities. To learn more about some of these tools, visit www.lostpassword.com and www.password-crackers.com.

Encryption

If password protecting important files is not a secure way of protecting data, what can the average user do? The answer can be found in one word: encryption. But the implementation of a valid encryption program can be difficult. This is why encryption has not become widely implemented among home users.

Encryption is "simply" the conversion of data into an unrecognizable and unreadable form. Decryption then takes this unreadable form and converts it back into a readable format. The problem lies in the fact that this encryption/decryption process is accomplished using complex mathematical algorithms. Because of the complexity of the encryption process, unscrupulous developers will play on consumers' ignorance to sell their products. Several Web sites can help provide an understanding of some basic concepts. One of these sites, "Snake Oil Warning Signs: Encryption Software to Avoid," is useful, although several years old. It can be found at www.interhack.net/people/cmcurtin/snake-oil-faq.html. Another resource is the Cryptography FAQ, which can be found at www.faqs.org/faqs/cryptography-faq/.

Another reason that encryption is not more widely implemented is that it is not readily available. A quick tour of an electronics store and a computer superstore revealed no stand-alone encryption products. However, multiple products can be found on the Internet.

Encryption products will allow users to protect their data at rest (stored on their local hard drive) and/or in transit (e-mail messages and attachments). There are several ways to encrypt data at rest. A simple way is to encrypt specific files or folders. Microsoft's encrypting file system provides this functionality in Windows 2000 and Windows XP.

Another, more seamless way to encrypt files or folders is to use on-the-fly encryption. On-the-fly encryption consists of an encrypted partition that appears as a normal drive to the user. This drive receives a drive letter and files can be added or deleted from it in the normal fashion. The drive can be "unmounted" so the data it contains becomes encrypted. Multiple tools exist that can provide this functionality, including BestCrypt, DriveCrypt and PGPDisk, which is included in the commercial versions of PGP.

To provide security to data in transit, most encryption tools provide the following two options.

1) Encrypt the data or file and send it to a specific recipient. As easy as this task sounds, it can be somewhat cumbersome to perform (which is why not everyone encrypts their e-mail and attachments). The recipient of the encrypted data must generally have the sender's public key, a passphrase or a password in order to decrypt the data. These items must be provided to the recipient prior to sending them any encrypted data, and they must be provided to them in a secure fashion. The recipient must also have a copy of the program used to encrypt the file.
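The passphrase variant of option 1, as an added example (not from the original article or from any product it names): the sender derives a key from the passphrase and seals the file with AES-256-GCM using the crypto module built into Node.js, and the recipient needs the same passphrase and the same message format to open it. The function names, the message layout and the sample data are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Derive a 256-bit key from the passphrase. scrypt is deliberately slow and
// memory-hard, which raises the cost of every guess at a weak passphrase.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

// Sender side. Output layout (assumed for this example):
// salt(16) | iv(12) | auth tag(16) | ciphertext
function encryptForRecipient(plaintext, passphrase) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), body]);
}

// Recipient side: needs the same passphrase and the same "program" (format).
// Returns the plaintext Buffer, or null when the passphrase is wrong or the
// message was altered in transit (the GCM tag check fails in both cases).
function decryptFromSender(message, passphrase) {
  if (message.length < 44) return null; // too short to hold salt, iv and tag
  const salt = message.subarray(0, 16);
  const iv = message.subarray(16, 28);
  const tag = message.subarray(28, 44);
  const body = message.subarray(44);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Constructed sample data, not taken from the article.
const passphrase = 'correct horse battery staple (shared out of band)';
const sealed = encryptForRecipient(Buffer.from('2002 tax return.pdf contents'), passphrase);
const tampered = Buffer.from(sealed);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit

console.log(decryptFromSender(sealed, passphrase).toString());
console.log(decryptFromSender(sealed, 'guess'));
console.log(decryptFromSender(tampered, passphrase));
```

The passphrase never travels with the message, so it still has to reach the recipient over a separate, secure channel.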