PRODUCT SUPPORT ANNOUNCEMENT
Some videos and Web Editions may be returning errors on launch. Learn more.
Is your computer safe? Could an intruder sneak in and steal your information, or plant a virus? Have you locked your castle gate?
This book outlines the fundamental concepts and techniques behind information security that every computer user needs to know.
Primarily geared toward home and small business Windows users, Have You Locked the Castle Gate? is a basic yet highly effective guide to protecting your personal files, fending off viruses and hackers, and purchasing goods and services securely online. It addresses common security issues in a clear, easy-to-understand way that nontechnical users will greatly appreciate.
You will learn about
Woven throughout the text is the instructive story of the Smiths, a nineteenth-century frontier family working hard to protect their home and property from various kinds of intruders. In many ways the issues that they face reflect our contemporary need to protect our computers, networks, data—and selves—on the modern frontier of the Internet.
If you pay bills online, discuss personal matters via e-mail, use software to file your taxes, or just surf the Web, don't leave your castle gate unlocked. Have You Locked the Castle Gate? is a must read for you.
Introduction: Installing Locks in the Global Village.
Who Needs to Read This Book?
Why the Homestead Example?
Is the Example Important?
Introduction to the Homestead.
Is Your House Locked at Night?
What's Important Here?
Sidebar: Key Security Concepts.
It's Your Data.
Where to Look First.
How Secure Is Your System Out of the Box?
What Am I Protecting?
Is It Worth Protecting?
Who Am I Protecting Against?
Sidebar: Who Are They?
Risk Assessment Checklists.
Security In-Depth, or Layered Security.
Grant All versus Deny All.
Encryption or Clear.
Sidebar: Determining “Strong Enough” and Moore's Law.
Defining Access and Rights.
Users and Their Roles.
Sidebar: Who Is the Boss? Granting Administrator Privileges.
Providing File and Directory Access.
Sidebar: Domain versus Workgroup.
Selecting a Network Security Model Checklist.
Securing Your Windows System.
Sidebar: Service Packs and Hotfixes.
Sidebar: What Is the Registry?
Sidebar: Security Configuration Editor.
Why Servers Are Different.
Where to Start on Your Server Security.
Sidebar: The OSI Model.
Securing Windows NT Servers.
Sidebar: Why Protect Your Performance Data?
Sidebar: Resource Kit, MSDN, and TechNet.
Securing Windows 2000 Servers.
Server Security Checklist.
Types of Connections.
Sidebar: Why Should You Worry?
Basic Internet Security.
Advanced Internet Security.
Sidebar: More About Encryption.
Who Is Watching You?
Internet Security Checklist.
Why E-mail Is Cool.
How E-mail Works.
Security Issues with E-mail Systems.
Sidebar: Encryption in E-mail.
Sidebar: What Makes It Junk Mail?
Getting Off E-mail Lists.
E-mail Security Checklists.
What Is the World Wide Web, Really?
What They Know About You.
Cookies and Security.
Browser Security: Why Is It So Important?
Web Page Security.
E-commerce Security Issues.
Web Security Checklist.
The Extent of the Problem.
Sidebar: Signs of a Social Engineering Attack.
Can Anyone Help?
Computer Viruses and Trojan Horses.
Sidebar: Nimda, Code Red, and I Love You.
Why Should I Care?
Defending Against Threats.
Hoaxes and Why They're a Problem.
Sidebar: Crying Wolf or Real Threat?
Active Content on the Web.
Virus and Trojan Horse Security Checklist.
Where Can I Learn More?
Web and FTP Sites.
Computers Incident Response Centers.
Common Security Terms.
As I wrote this introduction, word of an e-mail virus was breaking in the news. As I sat to edit it, yet another virus had been found and was being fought. These viruses can take down major e-mail systems, disrupt communications, and destroy data. Worst of all, the viruses spread fast and easily through our networks, yet this is nothing new. Several e-mail viruses have surfaced prior to these, and many more are sure to follow. So how can they still be a threat? Why hasn't someone done something to stop them? The main reason is easy to see: most people aren't prepared to defend their computer systems from these attacks and aren't aware of the types of threats waiting for them in the electronic frontiers of the Internet. In fact, most people are so unprepared that they don't see any threat resulting from connecting their computers to the world.
For this reason, these virus attacks are successful. Many people connected to the Internet are not protecting themselves in any way from such threats; in fact, most are not protecting themselves at all. I don't have statistics to back me up, but I'd guess that most home users and small businesses have no effective security on their Internet-exposed networks or computers. Because we all share the same network (the Internet), we each need to place some security around our part of it to provide some protection for our data. Otherwise, we are providing an opportunity for someone to come along and exploit our computers. With so many computers on the Net, you might be lucky enough to remain safe for months or even years without security because no one has looked your way yet. But this can work against you, too, by giving you a false sense of security when indeed you are compromised or under attack and you just don't know it. Don't be fooled into thinking that because you are one of many, you won't be a victim. Probably every gazelle and water buffalo in Africa thinks that, too, but the lions still eat.
After hearing all of this, you might ask why not just move to the woods of the Rocky Mountains and hide? Or perhaps you should simply not connect to the Internet. Both of those are options, but I'm not trying to scare you away from the Internet and its great possibilities for information research, entertainment, and commerce. Rather, I mean to encourage you to use this tool wisely and securely. I hope to teach you the basics of information security so you can make decisions about the risks and benefits of doing or not doing certain things online and so you can do them as securely as possible. I don't promise to make you an expert but to show you how to get your foot in the door and where to look for expert information.
This book is primarily designed for home users and focuses on security issues that face these users. Home users aren't the only ones who could benefit from this book, however. Small and medium-sized businesses with Internet connections could use this information, as well. The techniques discussed will transfer directly to such businesses, but the scale for a business is a bit larger. Additionally, anyone who wants to learn about information security and network security but doesn't have a strong computer background can use this book as an entry point into the concepts and techniques of information security.The content of the book ranges in nature from nontechnical examples through technical details that some readers might find hard or strange. That's okay&38212not every reader will understand every item in this book. Because the book can help you put some basic security in place, some parts are rather technical. If you have to skip sections or come back later, that's fine. My goal is to present the material in a technically accurate way while trying to make it understandable for nontechnical readers. That is a broad range to cover, and I'm sure some people will feel some areas are too technical or not technical enough. For readers who want more technical information, I've included links and resources that can cover nearly all topics in this book to a far greater depth. On the other hand, if you find something that is too technical for you, feel free to skip ahead a bit. As you become familiar with the topics and discussions, you can go back and read again later.
Although users of non-Windows operating systems such as Linux, Macintosh, or BeOS will find the conceptual parts of this book useful, the main focus is on the Windows family of operating systems most often found in homes and small businesses. Additionally, users seeking advanced technical discussions of security or in-depth scripting and coding analysis of tools will not find them in this book. Those areas of discussion are outside the scope of this book. I will, however, provide links and references to those subjects as appropriate throughout the text of the book.
Every chapter starts with an example. I chose the homestead example for a variety of reasons. First, it is an easy analogy that captures security concepts simply and in a way that most people can relate to. By introducing the concepts without their technical aspects, I hope to make them easier to understand. Then, as the chapter progresses, I introduce the technology to you slowly, carrying the concepts from a familiar example into a potentially unfamiliar one. If you find that the example is not working for you, simply skip ahead a bit in each chapter. Concepts are introduced twice in each chapter, once in the example and once more in the technical sections. I would encourage you, though, to at least read the example and be familiar with it as the book progresses, so you can refer to it as needed.
So really, why should you read the example? I hope because it is a good illustration of security concepts in a nontechnical setting. Even people who know computers reasonably well are usually not familiar with security issues, let alone trained in them. The example takes away any preconceived notions about technology and computers and lets you concentrate on the concepts. Then when the technology is reintroduced, I hope you will see the application of the concepts more easily. But keep a few things in mind as you progress through the example. First, it does not include any factual information about real places or village growth. If you are an anthropology or sociology person, please be forgiving about any assumptions or errors in those fields. The homestead is merely an illustrative tool for this book. Second, I have tried to make the sections about our homestead and village enjoyable reading, but they are there just to provide examples. Don't worry if you don't see the security issues right away in the example; the text of the chapter will help bring out the points I am making.
To help put the security discussions in a context that most users can understand, I have used an analogy of a homestead to demonstrate certain points and introduce concepts in the book. The homestead was started by the Smith family and grew into a village over time. Using this example, I introduce each chapter's security concepts in a noncomputer-related way so you can focus on the security points before grappling with the computer terms or concepts. Then I revisit each point to reinforce the learning and provide a computer-specific application to take you from concept to practice. And that brings us to the homestead itself.
On a small hill, near a river, was a fine patch of land with plenty of room for farming on the gentle slopes of the hill. The winters were not too harsh here nor the summers too dry. It was the perfect place for small animals and a small patch of grain and vegetables. And so they came. We'll call them the Smiths: John, Katie, Jennifer, and Carl. They packed up everything they owned, spent nearly all their money on livestock and supplies, and headed out here for the chance at something better. "Owning our own home and farm has to be better than working on someone else's," they thought. They spent several days building a small log cabin&38212just enough space for the four of them&38212and a pen for the animals. The pen was as much to keep the animals in as to keep other things out, but&38212as John's father always told him&38212it never hurts to have some protection. They then began clearing a plot of land for the garden. Soon things settled into a daily routine of farming and tending the livestock.
John Smith was no fool. He wasn't expecting trouble, but he came prepared for it. He had heard of foxes that might try for the chickens, wolves that hunted sheep, and bears that might go after a cow or even the family. He kept his shotgun handy, cleaned it nightly, and reloaded it before going to bed. Out this far, a loss of an animal could make the difference between getting through the winter or not. As John drifted to sleep each night listening to the wolves howling in the distance, he wondered how many were even closer than the ones he could hear.
John and Katie Smith came to their new home knowing little about it. They had heard about foxes, wolves, and bears being around but had not seen any yet. The Smiths had built their new home and so far had been safe from intruding animals, but John and Katie were also cautious. Living this far from help and with winter coming on, they could not afford to lose an animal, have eggs stolen from the chickens by a weasel, or see their crops eaten by deer and elk. John built a fence around the property to help keep animals out and to show where the boundaries were. The loose-log fence was not the most effective at keeping out small animals, but it was good for the larger ones. John and his son Carl then built a stone wall around most of the close property, including the house, barn, and vegetable garden. This was a much better structure for keeping out the smaller animals. Katie and daughter Jennifer used this time to make winter clothing and blankets from the wool they sheared in the spring, and they built a small chicken coop near the house. The Smiths did have a lock on the door but not on the gates; locks weren't needed this far out. John did, however, teach everyone in the family how to use the shotgun, just in case.
John checked the stone wall every day and rode the horse out to the wood fence at least once a week, watching for animal tracks or signs of something trying to get across the fence. Normally there was nothing, and he then went about the tasks of maintaining the crops and livestock. Some days he was even able to relax. Katie spent her days cooking and sewing the necessary items for the family to continue living out here. She tended the garden, fed the livestock, and kept the house clean. The children helped where they could. They drew water from the well and assisted their mom and dad with the other chores. They also played in the fields and woods around the house. It was a good summer.
One day, however, John found fox tracks near the stone fence. When he looked closer, he saw that the tracks came near the chicken coop, but he couldn't see any way for the fox to get into the coop. John spent the rest of the day inspecting and repairing the chicken coop to prevent any small holes from giving the fox an entrance to it. The rest of the summer passed uneventfully, but John didn't let his guard down. Many days he found deer tracks in the crops, and once he even found bear tracks just outside the wooden fence. Certainly there were many threats out here, but so far the Smiths' preparations had paid off.
Odds are you are reading this in your home or office, located in a town or village or maybe even a big city. The idea of a community isn't strange to us. Many of us know our neighbors, wave to them as they walk their dog, and feel safe in our homes at night. Even so, you probably lock your doors when you go to sleep. Why? Do you need to do that if you're safe and among friends? The truth is that most people are trustworthy and would never break into your home, but you know that not everyone is that nice. Some people, given the chance, will come in and take things from your home, or worse. You probably don't think twice about locking your doors at night or when you plan to be away from home for any length of time. You might even have a fence or wall around your yard to keep people from getting in there. Most of us like our private spaces and will take some measures to protect them.
Why, then, do most of us connect to the Internet and not provide any protection for our computers? For a large number of us, our personal lives are becoming very closely tied to computers. By exposing your computer to the Internet, you are indeed living a life without locks or gates. On the surface, that sounds fine&38212maybe even a bit desirable. But let's take a closer look at what that means.
How many of you have online banking or pay your bills online? How many of you use e-mail to talk about personal issues with friends and family? How many use software to file taxes or do other activities related to a home business? Leaving your computer unprotected with your personal and financial information on it is like carrying your medical records and checkbook to a park and spreading them out on the grass to review them. It might even be worse, because in the park you probably would notice if someone began to look over your shoulder. Most people, however, will never notice the person watching in the computer world. Providing security for your home computer is like locking your door at night or looking over your shoulder in the park. It isn't all you need to do, but without it, you are an easy target.
Before you go on, here are some suggestions for getting the most out of the chapters.
Everyone who knows anything about security had to learn it somewhere. No one is born with this information. It is okay to have questions and to not understand a few things. Security is a complex field. I have tried wherever possible to make it easier for you and to provide examples to help clarify. Even so, you will probably find times through the course of this book when something will not make sense immediately. This is especially true if you are less familiar with the technology side of things.
So what should you do when you don't understand? My first suggestion is to continue to read. Some concepts are addressed multiple times through each chapter, with some additional information each time. Also, the chapter might help clear up concepts as it progresses. Second, mark the place where you have a question and go to the Web to search for more information. The chapter on additional resources contains links and information for getting security information on the Web, and you can check there. Finally, try reading the example again if you have a conceptual question, or refer to the Windows Help system if your question is specific to the computer. By trying all these things, you should be able to get the information you need to answer your question.
While writing this book, I have made some assumptions that I will mention here so you can understand them. Not all of these assumptions will be true for everyone, but I want you to understand where I'm coming from.
First, I assume that you, the reader, are an average computer user, with no special skill or knowledge of computers. I explain concepts through the course of each chapter and present information in a way that I feel can best be understood by the average person. However, I do expect you to know what tasks you do on your computer and how important each task is to you.
Second, I assume that most home users are on a Windows platform. Although most of the concepts presented in this book apply to any platform, the details and checklists are tailored to Windows-based systems. Security is needed on any operating system, but I chose to focus on the systems most people are probably using. If you use another operating system, you can use the book for concept learning and even use the checklists and examples, but you will need to know enough to translate the Windows-based information to your operating system.
Throughout this book you will find many suggestions for securing your computer. More than likely, you will not implement every one of them on your system. You might not need some settings; others might not even apply to your computer. If you feel uncomfortable or unsure about a setting, you might choose not to implement it. In rare cases, some settings might, in fact, cause problems on your computer. Think of your computer's security as a continuum, with usability on one end and security on the other. A completely secure computer might be unusable, and an extremely usable computer might be completely unsecured. You must feel comfortable with where your computer fits on this continuum. Investigate each setting to ensure that it does not have a negative impact on your computer. You should always maintain backups of data stored on your computer, but I strongly encourage you to back up data before making serious security changes to your system. That way you will always have a recent backup from which you can restore your system if the unpredictable happens. Chapters 3, Securing Your Computer, and 4, Securing Your Servers, offer detailed steps for securing your Windows system, and Appendix A is a large collection of links for more information about security.
Note that although hackers and crackers can damage data, they are not a threat to your hardware. You might want to buy backup drives and other devices to be more secure, but you'll never need to replace hardware as the result of an attack.
Where do you start? Assessing security for your computer can seem confusing at first, but a simple method will help keep things under control. Start by asking yourself the following questions:
Answering these questions will move you down the path toward securing your system. Once you have an assessment of your computer, you can weigh the risks you are open to versus the usability you require. If you don't know the answers to any of these questions, don't worry. I will help you through them as you read this book.
When you purchase a computer, it typically arrives with a default configuration. The company from whom you purchased the computer sets this configuration, usually by installing the operating system and choosing all the default settings the operating system offers at installation. This company is usually more focused on selling computers than on your computer security, and they make some assumptions about what the "average" user will be doing and needing from a security and usability perspective.
You can change the default settings to harden (make more secure) or relax (make less secure) your computer's security settings. Additionally, you might want to use some third-party programs that can extend the functionality and security of your operating system. The makers of most computers leave that all up to you. They have to do that because most users prefer usability to security. Why? Because they don't know any better or don't think they are a target. The goal of this book is to show you why you need security and then to help you get the information you need to achieve that security.
Click below to download the Index file related to this title: