Last time, in Part 1 of this series, we covered security from an infrastructure standpoint.
In this part we are going to deal with individual security. Ready to lock things down?
Let’s go.
Virus and Anti-Spyware
If I were writing this as little as 5 years ago, the discussion would pretty much begin and end with Norton Anti-Virus, which was the standard in anti-virus software, with McAfee running a close second. These days, I wouldn’t want to run Norton products on my computers because the footprint is just too large.
I know some ministries and churches use free anti-virus software, but the fact is, most of that software is licensed free for home use only and not for use within organizations, which includes churches. There are some free solutions, but those do not employ real-time scanning, which is critical for keeping a virus from activating.
The good news is, most vendors offer a generous discount for non-profits. The other thing I like is that the packages now combine several kinds of protection. It used to be you had to purchase multiple programs. Not anymore.
- Avast – Avast is an excellent product offering both anti-virus and spyware protection, covering not only email but also instant messaging.
- NOD32 by Eset – Another great product that combines anti-virus and anti-spyware into one package.
- AntiVir by Avira – Also contains protections for viruses and spyware.
The three items I listed are all good choices. It’s a matter of personal preference really. What I like best about all of them is:
- They are all inexpensive
- They have small footprints. I want my anti-virus software to protect against viruses, not hog drive space and memory.
- They all have strong detection rates. Your anti-virus software is worthless if the detection rate is poor.
On to backups.
Backups
Some people might argue that backups don’t necessarily fall under the heading of “security,” but I would disagree. Most people who work for a business have sensitive information on their computers. Backup and recovery of that data does fall into the security realm in my view.
I am amazed how many times I speak with people (particularly those with home based businesses and in churches) who do not back up their computers. Hard drives fail. It happens. Backing up critical data is crucial. More advanced users will set up RAID arrays in addition to other backups, but we’re keeping it simple at this point.
Here are a couple of hardware solutions:
CMS Backup Devices – I love these devices. I use them myself. They’re inexpensive, come in a variety of sizes and they are easy to set up. They have PC and Mac versions with the same awesome BounceBack software. The first time you run it, the software will make a full backup. After that, all changes are incremental, so it only has to back up what you did since the previous run. The best thing is, the backups are bootable, so even if your hard drive fails, you can boot and run your computer directly from these drives and then restore it all back to a new drive. Sweet.
Western Digital Passport Series – The latest line of WD backup drives are really nice. They come in desktop and notebook versions and they have solutions for both PCs and Macs.
There are online solutions as well. The difference here is that pricing is ongoing and a fast Internet connection is required, but these solutions work very well.
CrashPlan – CrashPlan actually works in two different ways. You can download their software for free to perform local backups, but you can also sign up for their online backup services. CrashPlan also gives you the option of getting hard copy backups if your data goes in the ditch.
Mozy – Mozy works nice because it is an automated backup system. After the initial backup it works incrementally only backing up changes you make. You can order hard copies of your backups with this service as well.
Jungle Disk – Jungle Disk works differently than most online backup solutions in that they do not charge a flat monthly fee for unlimited storage. You pay $2 a month for your account and then pay a fee structure per GB. How that works is: $0.15 for storage, $0.10 for upload, and $0.17 for download. Jungle Disk can also be used as a network drive in addition to being a remote backup.
Dropbox – I am one of those guys that is more concerned about data than applications with regard to backup. Applications are easy to install. The data is key, so I love Dropbox for the ability to save something by just clicking and dragging. Best part is, once it is synced with the Dropbox account, I can install Dropbox on any other computer I have and easily get the data. I use this a lot at home where I have a mix of Macs and PCs and need to move data between them. It’s better than fumbling with a thumb drive.
Browser Security
This is one that took some time for me to get used to. It’s very easy to save passwords and, of course, it is more convenient to go into sites that require a password and just have your browser fill it in. But you shouldn’t. Computers get lost and stolen.
It happens, and if you don’t realize it right away, it is very easy for someone to get into your email and other sites that contain sensitive information. Most browsers (even IE!) have the ability to turn this feature off, and you’ll be better off in the long run doing so.
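On machines you manage, the setting can be enforced rather than left to each user. This is an added example, not from the original post: a Firefox enterprise policies.json (assumed to be deployed through Firefox’s standard policies.json mechanism) that turns off both the “save this login?” prompt and the built-in password manager, so nothing sits in the browser for a thief to replay.

```json
{
  "policies": {
    "OfferToSaveLogins": false,
    "PasswordManagerEnabled": false
  }
}
```

Both keys default to true, which is the convenient-but-risky state the post describes; Chrome exposes an equivalent PasswordManagerEnabled policy for the same purpose.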
In the third part of this series we’ll cover other security best practices that churches with a tight budget can implement.
[Image from loop_oh, Eneas, via Bjorn, Nedrichards]
Adam Shields says
Two comments. If you are in a Windows environment, Microsoft’s Security Essentials is very good. It is free and works as well or better than the traditional apps. It also seems lighter weight on the system than some of your other suggestions.
Dropbox. This is still not a full-fledged product for a large company. But it is rapidly moving to work environments. They are beta testing selective sync now (allowing you to only put some files on some computers). This will make it really work for a small work group, since everyone will not have to have all files. The other really big feature for Dropbox is only available on their paid accounts. Not only does it save your files, but it saves every version of your files (forever). So if I have a file that I deleted 3 months ago, not only can I undelete it, but I can undelete it and restore an earlier version of the file. That is what no backup program (Mozy, Carbonite, etc.) does. I have stopped using backup programs and now just use the 100GB plan on Dropbox. Everything, except pictures, lives in my Dropbox. (Pictures live in the Google Picasa cloud.) Dropbox is also working on better shared access plans for work groups that have better permission settings.
Aaron Melton says
Virus & Anti-Spyware:
The best anti-virus and anti-spyware program is educating your users. These applications aren’t very effective against malware collected from malicious websites, etc. These days you’re less-likely to get a virus/trojan and more likely to get hijacked by a botnet.
Browser Security:
I think browser security should be approached like firewall security: explicit deny all (to everything) using applications such as Firefox and NoScript and only allow the domains you trust to run scripts in your browser. Never save passwords as you suggested (LastPass and 1Password are acceptable alternatives). Frequently delete your cache and don’t save cookies. Sure, it’s a bit inconvenient, but so is identity theft.
Adam Shields says
I went three years with not a single anti-virus or anti-spyware app on my windows computer. No issues. I only installed Windows Security Essentials to test it for some other users.
I had good software on my brother’s computer and he had bad trojans in a month that deleted his user and files.
I agree, user behavior is much more important than software.
Stuart says
Then I have to say that you’ve been lucky.
And running church PCs that way is not wise IMO. SANS frequently reports on the average time taken to infect an unprotected PC. Last time I checked the average was just 20m.
However – I do agree that the big key is user education. Just because you have the software it doesn’t mean you are protected from idiocy 😉
John Voorhis says
I would have agreed with you until just a couple of weeks ago. I generally ran most of the time with no a/v on my personal machine, and I judiciously kept the patches up to date.
That is, until I got hit with a zero-day exploit in IE in one of TechCrunch’s ads. After a little research, MS Sec. Essentials would have caught it. Now I run Chrome and MSE.
Aaron Melton says
If you’re talking about malware from a Techcrunch ad, using Chrome would not have saved you.
You’d be better off with Firefox + NoScript.
The problem with browser security is that it is not approached like firewall security. Everything should be an implicit DENY ALL and accept ONLY what you need. According to NoScript, there are 11 javascripts running on this page. My browser only permits the three that I’ve allowed.
John Voorhis says
This was specifically an IE exploit that allowed code to execute.
Aaron Melton says
Ok.
I didn’t follow up on that vulnerability (since it doesn’t impact me).
But two points:
1. The past couple weeks have shown that ads are an easy attack vector.
2. Chrome isn’t necessarily any more secure than the other browsers. (Sandboxing is nice, but just because it didn’t get hacked at pwn2own doesn’t mean it’s bulletproof.)
I’ll stick with Firefox until Chrome gets its own NoScript extension.
Will P says
Crashplan also does incremental backups. They also have a really interesting feature that will let you back up to someone else’s computer. And don’t forget about the corporate version if you have a massive SAN.
JayCaruso says
Forgot about the ability to back up to somebody else’s computer. Good catch.
austinklee says
Check out http://www.cx.com – they operate a little like Dropbox…but have a pretty cool free program to check it out before you pay.
Wendy says
I have to agree with the Microsoft Security Essentials, I’ve been utilizing it for several folks including our church. The T1 supply company was charging like $35 a month for antivirus that slowed the systems down to a crawl. So far so good with Microsoft Security Essentials. Sophos is another great software but it’s not free. I have great experiences with it as well!
John Voorhis says
See my post below.
Stuart says
Another good ‘general’ post – well done Jay. I could poke holes but they’d just be about my preferences, so I won’t, and what you’ve said is excellent.
I will just add that there are surveys around that show a business that doesn’t backup and has a major hard drive crash has a >70% chance of going out of business within two years! Not good, not good at all.
John Voorhis says
As with all free software, the EULA needs to be checked for the legality of running on Church / Ministry machines. MS Sec. Essentials is licensed for home use only.
Most of the time “personal use” does NOT mean “non-business”. Non Profits are lumped into the “Commercial / Business” category more often than not.
It’s unfortunate, but as a church we need to be conscious of being irreproachable in all we do, as to avoid the “appearance of impropriety” that can damage our witness.
Adam Shields says
I agree that we should not use software illegally, but it is not clear that this would be an illegal use. On Microsoft’s message boards itself there are several staff responses that say that it is not illegal for businesses to use MSE, but that it was designed for home use, so it is not officially supported for business use. Officially supported, and illegal are two different designations.
JayCaruso says
Yes, I am going to agree with Adam here with regard to the legality vs. illegality argument. I don’t think there is anything illegal about using the software on a church based machine, but it should be noted that anything arising from the use of the software will not be supported because of the EULA.
It’s kind of like the discussion we had with jail-breaking an iPhone. It’s not illegal, but once you do it, kiss your warranty goodbye.
John Voorhis says
From the MS Sec. Essentials EULA:
“INSTALLATION AND USE RIGHTS.
Use. You may install and use any number of copies of the software on your devices in your household for use by people who reside there or for use in your home-based small business.”
This would contradict the forums, and would be the final arbiter. An MS Employee speaking on behalf of MS would not supersede the EULA. As well, you may be tempted to shift the responsibility to that employee, “Since he’s MS, and he said so, it’s his burden”, but that’s rationalizing, and again I think we need to be above reproach in all things.
Particularly when I can get Sophos, Vipre, and the like for $10 a seat.
Aaron Melton says
You beat me to it. 🙂
http://www.microsoft.com/security_Essentials/eula.aspx
Adam Shields says
I understand your point, and if we were talking about a paid piece of software I would support you. But this is free software. And the only time the word “business” is used is saying that it is ok to use it on a home based business. There is no other use of the word business (or organization or similar term). Nothing says it is not allowed for other businesses. And when you go to the company, on their own forums and ask if it is authorized for use by larger businesses and the response positive, I just cannot understand why this is seen as inappropriate.
It is a totally other discussion about whether it is appropriate software for a large businesses or church. If you have more than a half dozen employees, then I think I would want a stronger piece of security software.
John Voorhis says
Let’s not muddy the question with a discussion of whether the technical aspects would be suitable, as you mention that’s a different discussion.
A couple of points to consider: Free vs. Paid: many apps are offered for free for personal use or in a lite version to get you to see the value, and pay. We like to think that means “Pro” features that larger orgs or more advanced users would take advantage of, but often that’s just not the case. Also, free software != public domain; you still agree to their terms.
Your point about the EULA not mentioning “Business” or “Organization” in my opinion not only proves my point, but is even more restrictive. The terms “household”, “reside-there”, “home-based” are very specific, and exclude use even further than the more generic definition of “personal” or “non-commercial” that you typically see in EULAs.
BTW, just as an anecdote, I work for a large MS Gold Partner, and we have had their Sales Engineers tell us one thing, and MS Licensing come back with something else. In the end The word from Licensing was always the final say, no matter how bitter of a pill it was to the customer to swallow and they never accepted the “so-and-so told me x” even when we had the email to prove it.
By any means, my point was not to specifically debate the EULA of MS Sec Ess. but to remind people that “Personal use only” != non-commercial, and that many apps that have a “Free” license for Personal Use specifically require Not-for-Profits to pay for licenses, without equivocation, so you need to double check.
Adam Shields says
Ok, I think you guys are right about this. But I do think that when we get to this point (cannot trust a company’s own support to give you a trustworthy answer) then the system might be broken.
BenJPickett says
Some things to consider, especially on the AV side: none are created equal. It’s a critical app to have, but there are some things to consider especially in a work group or domain environment. In a small network, 15 or fewer workstations, it’s not as significant of a choice and maintenance is still relatively easy to keep up with. When you start breaking 20 workstations maintenance can become more time consuming and having a central console that pushes out updates to the software and the new definitions with full reporting is a real time saver. In so many church environments Macs are very prevalent, so it’s important to look for a company that offers a client for both. As Macs become a larger portion of the market share viruses and malware will become more common on them, and they ship with Safari, arguably the most insecure browser there is. Another great free AV product is Panda’s Cloud AV; again though, just like MSSE it is limited to Home and Home Office use.
Onto backups. In a small organization, for profit or not, it is a critical security function as it will almost certainly be the same guy that works at attempting to recover and restore the data as it is to remove the viruses. We’re using SOS Online Backup here, it offers unlimited version history, incremental and full backups and the price point is very nice for the amount of storage you get. A few extra features made it our choice like the ability to lock out the employees of the company from the account for extra security and being able to attach an unlimited number of computers to the same account at no additional charge. However, with some new laws imposed on my employer’s type of business we’re investigating a few other options now including Rackspace who uses Jungle Disk, the compression that the Amazon S3 uses is pretty incredible.
Concerning browsers, no browser is flawless. They all have holes and problems. Chrome only survived pwn2own because not a one of the hackers challenged it. Firefox is just as exposed as IE8 without any add ons. I use IE8 mostly because of the AD support, it simplifies my job and my work environment but I don’t let it run Flash scripts without my consent.
As per the mention of firewalls in an earlier comment, if you can afford it get a firewall that supports the ability to ignore or drop incoming requests. I say this because if someone or something sniffs you and your firewall rejects the packet, they know you exist. If your firewall ignores it then they have further digging to do before they can see you. It is still a much smarter decision to block all incoming than just leave them open.
Last but certainly not least, all the protection in the world does not cure a stupid user, educating them well is your best defense. If you keep beefing up security and making your network more idiot proof, it’s only a matter of time until a better idiot is built.