I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing -- you're screwed."
But that's not true, and the reality is more complicated. You're screwed if you do nothing to protect yourself, but there are many things you can do to increase your security on the Internet.
Two years ago, I published a list of PC security recommendations. The idea was to give home users concrete actions they could take to improve security. This is an update of that list: a dozen things you can do to improve your security.
General
Turn off the computer when you're not using it, especially if you have an "always on" Internet connection.
Laptop security
Keep your laptop with you at all times when not at home; treat it as you would a wallet or purse. Regularly purge unneeded data files from your laptop. The same goes for PDAs. People tend to store more personal data -- including passwords and PINs -- on PDAs than they do on laptops.
Backups
Back up regularly. Back up to disk, tape or CD-ROM. There's a lot you can't defend against; a recent backup will at least let you recover from an attack. Store at least one set of backups off-site (a safe-deposit box is a good place) and at least one set on-site. Remember to destroy old backups. The best way to destroy CD-Rs is to microwave them on high for five seconds. You can also break them in half or run them through better shredders.
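The backup advice above hinges on two things the paragraph only implies: a backup is worth little unless you can prove the copy is intact (especially the off-site set, which may sit untouched for months), and unless you have actually tested a restore. The script below is an added example, not part of the original article; it assumes a Unix-like system with tar, gzip and sha256sum from coreutils, and the directory names are placeholders you would replace with your own.

```shell
#!/bin/sh
# Added example (not from the article): back up a directory to a compressed
# archive, record its SHA-256 so a stale or damaged copy can be detected later,
# and verify the archive is readable before trusting it.
# Assumes: tar, gzip, sha256sum (GNU coreutils). Paths are placeholders.

backup_dir() {
    src="$1"    # directory to back up, e.g. "$HOME/documents"
    dest="$2"   # where archives go, e.g. a USB disk mounted at /media/backup
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/backup-$stamp.tar.gz"
    mkdir -p "$dest"
    # -C so the archive holds relative paths and can be restored anywhere.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # Record the checksum next to the archive; copy both to the off-site set.
    (cd "$dest" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

verify_backup() {
    archive="$1"
    # 1. The checksum still matches what was recorded at backup time.
    (cd "$(dirname "$archive")" && \
        sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
    # 2. The archive is readable end to end (a truncated file fails here).
    tar -tzf "$archive" > /dev/null 2>&1 || return 1
    return 0
}

restore_backup() {
    archive="$1"   # archive produced by backup_dir
    target="$2"    # directory to restore into (tests should use a scratch dir)
    mkdir -p "$target"
    tar -xzf "$archive" -C "$target"
}
```

Run backup_dir on a schedule, copy the archive and its .sha256 file to the off-site location, and run verify_backup against each copy before you rotate out (and destroy) an older set. Restoring into a scratch directory with restore_backup, rather than over the live data, is the cheapest way to confirm the backup actually contains what you think it does.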
Operating systems
If possible, don't use Microsoft Windows. Buy a Macintosh or use Linux. If you must use Windows, set up Automatic Update so that you automatically receive security patches. And delete the files "command.com" and "cmd.exe."
Talkback
I like the article, except for the fact of suggesting to "not use windows". That is not an option for millions of home computer users. They just don't have the time to learn another OS, or the $.
And also suggesting to delete the command.exe and cmd.exe files is absurd. This will do nothing to proactively help secure your environment. In fact some applications may break if you delete these files.
Other than that it was good. If you would've left out the comments I razzed you on I would've sent it to my friends and family, but I don't want a million calls the next day on why their yahoo messenger or some lamo app broke after deleting cmd.exe.
Shaun
CISSP
SCSP
You missed the most effective trick.
Run a "knoppix" livecd as your OS. There are disadvantages, but it is nearly 100% foolproof, and even if compromised (theoretically possible) it starts clean with a reboot. It's free and it's easy to use. (Gosh, why doesn't Microsoft offer a livecd version?)
For any action to be useful it also has to be practical. If you were concerned by the risks associated with driving your car then you may consider a horse-drawn buggy. Statistics show that horse-drawn buggies are much safer than cars. Safe - but not really practical for getting around.
Bruce Schneier is wont to offer the same kind of advice - eminently accurate but not really appropriate for the actual world that people live and work and play in.
The systems, tools, protocols, software, methodologies... that have become the norm in the world we live in (just like cars are the norm) are not perfect, so it is better to learn to use these in an intelligent, aware, responsible way rather than go out on the fringe and seek solutions that may be statistically better but that are no more practical than swopping your car for a horse-drawn buggy.
A thought-provoking article, but it assumes a lot of prior knowledge, e.g. --
1. "Never type a password you care about, such as for a bank account, into a non-SSL encrypted page" -- how would I recognise whether or not it is one?
2. "Turn off HTML email" -- how do I do that?
3. "If you can, hide your IP address" -- I have no idea what or where it is, or indeed where I could hide it!!
4. "Install an email and file encryption tool" -- and will my recipients be able to read my emails?