S. Lamar Barnett

Top 10: Tools for Better Defense Against Malware
Seminar originally presented July 27, 2017

Get over your wishful thinking that exploits aren't being attempted on your system!

Threats from Internet miscreants are constant. The good news is there are tools available to greatly reduce your risks while you're online and, in so doing, prevent you from being infected by malware and having your private information laid bare to attack and theft. I could provide links here to some of the sites I use for downloading tools, but I don't want to send you to sites you'll blindly trust. Instead, I want to show you how to find the best sites and protect yourself against miscreant downloads.

When I mention your system below, note that you need to consider any and all computer systems, including laptop, desktop, tablet, and smart phone.

While much of the information in this article pertains primarily to the Windows operating system, concepts generally apply to all types of systems.

You are unlikely to be familiar with all the terms used here; most can be found at the SANS Glossary of Security Terms.

Antivirus programs are the longest-running and most widely recognized tool in the PC/smart phone security arsenal, and also one of the most important. Don't neglect antivirus, but also don't assume it will single-handedly protect you!

A firewall prevents unauthorized traffic into and out of a system. As the system owner, it is up to you to assure you have an effective firewall and firewall configuration.

Which is the best firewall for me?


A Virtual Private Network (VPN) is a means to encrypt and thereby secure your data as it passes to and from your system through any local networks (by wire or by WiFi).

Your data will pass encrypted over the local network and Internet to whatever server your VPN attaches to. (In the case of the illustration on the left, the remote server is in Amsterdam.) There are no guarantees as to encryption when your traffic leaves that server, so you need to assure you're using a secured connection (HTTPS) if you are going to provide sensitive information such as passwords during your session. This will ensure traffic is encrypted from your computer to the final destination server you are attaching to.

Note that while you can use HTTPS sessions with destination servers over an unencrypted public open network, other traffic to and from non-secure servers will remain clear and visible to any hacker who chooses to listen. Exploits can more easily be used to gain access to your system if you don't use VPN to encrypt ALL your traffic.

An anti-rootkit application seeks out and neutralizes malware that's been planted in places not commonly accessible or examined by antivirus software, although more antivirus software is adding anti-rootkit capabilities.

These locations are commonly used for keystroke logging software that captures everything typed into the keyboard, of course including passwords.

It seems safe to say everyone has heard how important backing up your systems is, mostly so if you were to have your hard drive crash, for instance, you'd be able to re-create your systems and data on a new blank disk.

Similarly, a backup, especially a secured backup (a backup that's offline, or one protected by a secure password), is crucial if you are hit by ransomware.

It's important to have a secured backup because when ransomware infects a system, it encrypts all data and programs it can reach. Any online backups will be encrypted as well, rendering them useless.

There are several ways to create a secured backup, depending on your needs. Much of your static, unchanging data can be stored once on a network drive or portable drive, then unplugged from the system to take it offline. Then your more dynamic data, such as spreadsheets you update routinely, can be copied to CD or DVD media, since these more dynamic files will generally be fewer in number and smaller.

Don't forget to test your backups by periodically restoring them to a test platform to prove you'll be covered if you ever need them.

Using file & memory cleaners helps reduce overhead and removes files which can become targets for embedding malware. This class of programs also clears memory and the browser cache - the various pictures and data your browser downloaded when you visited webpages.

The purpose of this cache is to speed reloading of these pages in the future. If you visit some pages frequently, the cache can be quite useful in saving the time and bandwidth it takes to re-visit the page, but for pages you visit once, this data is useless.

Note however, that unless your disk is approaching capacity, there's little impact to your system performance by removing this data beyond increasing the time it takes to load a page you've visited before.

As a general rule of thumb, when your primary disk approaches 90% of its capacity, i.e., is 90% full, you can expect a drastic slowdown of your system. This is the point at which you need to consider alternatives to clear some data off the disk.

Also note that removing cookies can sometimes cause customizations you've performed on a website to be lost.

(Windows) The task manager is a program that allows you to not only see what's running, but shut down frozen or misbehaving applications, see whether your system performance is being impacted by applications you have open, and a host of other things.

Windows provides a task manager that's slowly getting better, but Microsoft also bought a bushelful of programs, including a much better version of this functionality, from Mark Russinovich some years ago. They've given the suite of applications the name Sysinternals and now provide it for download.

Once you've downloaded the suite, you can replace the default Windows task manager with the Sysinternals version, and have better control and view into your Windows performance.

One of the key aspects of this software is to find out if one program is hogging resources and slowing down your system.

Browser extensions add functionality to your browser. These little programs help you do things with your browser that you couldn't do otherwise, some quite useful.

Note that they can have a tendency to accumulate and then gather dust if you don't use them as much as you thought you might.
Key practice: Don't forget to remove all programs you don't need. Every program on your system provides an attack surface to your system!

With the need to keep passwords complex and varied, it's nearly impossible to meet the need without a password manager. These programs are simple databases of the passwords you create for your logins.

When you create a new login, a password manager can generate a complex password for you, then store it in association with the login so it's easy to find.

Ad blockers prevent advertisements from being displayed as you're surfing the web. As more sites become sensitive to the loss of revenue, however, you'll notice them preventing your view of their pages unless you disable your ad blocking software.

From a security viewpoint, avoiding ads helps prevent you from following an ad to a site that may be compromised, thereby decreasing your risk by sheer probability. Very useful from an annoyance viewpoint, too.

How to Safely Download

Many of the programs mentioned above can be downloaded free from the Internet, but safely downloading files requires that you pay attention to some key details and adhere to some safe downloading practices.

In simplest terms, downloading a file involves three basic steps: Find where the program is kept for download, go there, and download the install file. Each of these steps must be done with care to avoid ending up with malware.

Finding the program to download is done by using your favorite search engine, like Google. Once you've entered your search terms, look through the list of locations where you can find the download. The best site to download any program is from the company or person who wrote it and maintains it, but sometimes the author will rely on a third party to provide hosting for the download.

Once you have a short list of locations where you can download the install program, evaluate them for reliability and safety using programs like WOT. Also, when given the option between a site which provides checksums and one that doesn't, always use the one that does. (Examples of checksums commonly provided include MD5 and SHA.)

Download the install program, but don't run it without using your antivirus program to scan it for known threats. Note that antivirus programs generally look for known virus signatures, and can't detect zero day exploits.

Once you've checked the checksum (if available) and run your antivirus scan, you're ready to install. The Windows operating system will challenge you with a question to assure you've initiated the install and want to grant permission to the program to be installed.

In short, follow these methods to minimize your risk, but always know something might slip through. This is why it's important to keep an eye on your network traffic and open ports. Changes in either of these aspects are a key indicator of unwanted activity.

  1. Watch where you're going. When you hover over a link before clicking on it, you'll see the destination URL appear in the lower left of your browser window. The URL should be consistent with what you'd expect, as in the case below.

     Avoid shortened URLs, such as those provided by bit.ly. These shortened URLs are sometimes used to hide the true destination, allowing a hacker to infect you with malware without your awareness.
  2. Use hover. Check a link's real destination this way before you click on it.
  3. Use reliable sources. Websites gain their reputation based on user experiences, and these reputations are reported by services like WOT and Netcraft. Use this type of service to understand the risk before you go there.
  4. If you have a choice, use a site where checksums are available, for example:
     • SHA
     • MD5
  5. Be aware of redirects by watching for briefly displayed changes to the URL. Sometimes hackers will compromise a legitimate webpage and redirect you from it to one where they host the malware they want to download to your system. So, while you were careful to check the destination URL when you hovered on the link, you can still be taken to an infected system and then redirected back to the legitimate site.
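As an added example (not part of the original handout), here is how the "check the checksum" step of the download procedure above, and item 4 of the checklist, can be carried out in Python: the downloaded file is hashed in chunks, the published "HASH  filename" line is parsed, the algorithm is inferred from the digest length, and the comparison is done in constant time. The installer bytes and the checksum line are constructed for the demonstration; no real program is involved.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Hex-digest lengths of the algorithms download pages commonly publish.
SUPPORTED = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

def file_digest(path, algorithm):
    """Hash a file in 1 MiB chunks so a large installer need not fit in memory."""
    algorithm = algorithm.lower()
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_line(line):
    """Parse one 'HASH  filename' line (md5sum/sha256sum style) into (hash, name)."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        raise ValueError(f"malformed checksum line: {line!r}")
    digest, name = parts
    return digest.lower(), name.lstrip("*")  # a leading '*' marks binary mode

def algorithm_for(digest):
    """Infer the algorithm from the length of the published digest."""
    for name, length in SUPPORTED.items():
        if len(digest) == length:
            return name
    raise ValueError("digest length matches no supported algorithm")

def verify_download(path, published_digest):
    """True only if the file hashes to the published value (constant-time compare)."""
    published = published_digest.strip().lower()
    actual = file_digest(path, algorithm_for(published))
    return hmac.compare_digest(actual, published)

def demo():
    """Constructed installer plus a one-byte-altered copy, checked against the
    checksum line a vendor would publish; returns (genuine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        genuine = Path(d, "tool-setup.exe")
        genuine.write_bytes(b"MZ constructed installer bytes, not a real program")
        published_line = f"{file_digest(genuine, 'sha256')}  tool-setup.exe"
        digest, _ = parse_checksum_line(published_line)
        tampered = Path(d, "tool-setup-tampered.exe")
        tampered.write_bytes(b"MZ constructed installer bytes, not a real progrem")
        return verify_download(genuine, digest), verify_download(tampered, digest)
```

Note that a matching checksum only proves the file is the one the site meant to publish; if the site itself was compromised, the checksum page may have been altered too, so it complements rather than replaces the antivirus scan and the reputation checks above.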

Copyright © 2018. All rights reserved.