Use layered security to protect your small business PCs

The hallmark of effective security in any field, especially computers, is defense-in-depth. There is always a way around any particular defensive measure, so you need multiple defenses in order to stop attacks with a high level of confidence. Large organizations are full of multilayered defenses, but they are no less essential to small businesses.

It's never big news, but small businesses get hit all the time by cybercrime. Reporter and analyst Brian Krebs has many stories of small businesses that fell victim to attacks, losing hundreds of thousands of dollars. Specialized malware (malicious programs) named Zeus and SpyEye find ways to get into your bank accounts and steal your money. In some cases, businesses have sued their banks to get their money back, but the courts have sided with the bank. It's the business's responsibility to secure the access the bank has given to the account.

Taking your money isn't the only thing a criminal can do once they breach your computer security. Your computers and accounts can be co-opted to perform other tasks. One common abuse is to have them perform searches on Google and other engines in order to "poison" the search results of others. Abuses like this can get your company in trouble with your Internet service provider.

Build a Strong Defense

So what do you do? Let's assume that you've bought an Internet security suite with antivirus and all that because everyone knows you need one of those. But there's more to it than that. The anti-malware parts of these suites may be very good, but the sheer enormous volume of malicious programs released every day means that there are always some that will be undetected. So you have to plan for the possibility that some will get through, and you have to stop them some other way.

One general rule to follow, which almost always improves the security of your systems, is to keep your operating system and applications up to date. That definitely means applying all security updates promptly and may mean upgrading to a newer software version. For instance, while Microsoft still issues security fixes for Windows XP and will for over 2 more years, XP is far less securable than Vista or Windows 7.

The protections you get with updates and more recent software versions are from vulnerability exploits. These are errors in software that attackers can use to take control of the software and run their own programs. Windows Vista and 7 offer significant protections against exploits beyond those in XP, and to this day XP users are far more likely to be exploited than Windows Vista and 7 users.

Sometimes you can be compromised through a vulnerability in your web browser simply by surfing a web page that has been set to serve malware; this is called a "drive-by" attack. It's also common for vulnerabilities in Adobe Reader and Acrobat to be exploited through malicious PDF files. So make sure to keep your applications up to date, too. Sometimes Internet security suites can detect malicious data files.

There's another security measure you should take as a fallback position against malicious code getting through either your security suite or a vulnerability exploit: following the principle of least privilege. When you are logged in to a computer you have a particular set of permissions, usually Administrator or User (also called Standard User). Administrator, as a general rule, has permission to do anything on the computer, from installing new programs to searching files on the hard disk for anything a program wants (like your usernames and passwords). User is much more restricted; it has access only to that user's files and cannot make system-wide changes.

When you run a malicious program or are exploited through a software vulnerability, the malicious code runs in the context of the user you are logged in as. Anything you have permission to do, it can do. So if you run as an Administrator and are compromised, you're toast. The malicious program can and will take control of your computer. If you're just a Standard User, there is much less damage that they can do, although it may still be significant damage. But most malware will fail if you or your employees are running as standard users.

The final, and perhaps most important layer, is the user. There is nothing as resistant to attack as an educated user, one who knows what not to click on and how to see when something is wrong. The best tool for such users is skepticism: Before you run a new program or click on a new link, think about whether it came to you through unusual circumstances. It may be worth checking first. The user can be the weakest part of the system security, or the strongest.

Five Easy Steps

Recapping the layered-security defense every small business should take:

1. Use anti-malware software, but don't solely rely on it. Keep it up to date.

2. Upgrade to the newest software versions -- at the least that means Windows 7 and current web browser, whether Firefox, Google Chrome or Internet Explorer.

3. Apply updates as soon as they're available for your operating system, web browser or applications, like Adobe reader. Most of these programs have auto-update features. Don't turn them off!

4. Run your PCs as "standard user", an option you can set when adding new users. For you the small business owner or IT manager, let Windows Vista or 7 help you. The default setting for "Administrator" runs in a lower-privileged state.

5. Train yourself and your employees to trust nothing. Never click on file attachments in email from people you don't know. Always hesitate before clicking on them from people you do know. If you weren't expecting that email attachment, it might not be safe. Like grifters and con artists, hackers exploit your trust.

Photo Credit: OleGunnarUA/Shutterstock

Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.