Security Soup, or, Why I Don't Pay for Security Software

PC security is like a good recipe. There are a million ways to mess it up, and just as many ways to do it right. I like to keep the recipes simple, mostly because I'm lazy, but also because: it's easier to reproduce good results, I tend to make them more often, and they're generally better for me. And that simplicity is why I don't pay for security software.

The first ingredient for my security soup is...my brain. More specifically, the left hemisphere. The right brain really, REALLY wants to see the cute kitten video, or find out how much I'll get from that foreign prince if I just send him a few hundred for the paperwork. The left brain MUST win this battle, every time, in order to stay secure. "Cold" messages that come from an unknown source go directly to my trash bin without passing Go or collecting $200. So do messages from friends and family that begin with a "FW:" (or 3, or 25) in the subject line (sorry), unless it's obviously a legitimate thread. Sometimes others can get attacked and I'll get messages from them that might seem kosher or harmless, but want me to click a link or open an attachment. Trash. Sounds harsh, and sure, I miss out on the occasional chuckle or great deal, but it's one of the smoothest, best-tasting ingredients once it becomes second nature. It's also a low-calorie ingredient -- the more you adopt this philosophy, the less spam you'll get in your inbox.

The second ingredient would have to be, well, also my brain. This time, using the same sort of discernment for web sites. It's probably a truism that web sites that are bad for you will also likely be bad for your computer. Hacking sites, porn sites, shopaholic sites, you name it -- if it feeds your carnal nature or is geared toward folks that struggle with self-control, it is likely a carrier of digital disease. This comes in the form of offchute links, ads, or can even be embedded directly in the photos displayed on the site. Even though some of these are "drive-by" or "passive" infections, they can still wreak all manner of carnage on your PC and possibly even breach your privacy, sending your personal information who-knows-where. Control yourself by using your brain, and stick to sites that are major players. Yes, they can still pass along something stinky, but it's much less likely because they have much more to lose than you do.

The next ingredient, and the one that can vary a bit according to personal taste, is the software. Yes, I do use software, I just don't pay for it. I've used Symantec, McAfee, and Trend Micro in the past, but I always found them annoyingly intrusive and too complicated. I got tired of wrestling with pop-ups and subscription reminders and false alarms and extra menu bars in my browser. There are several major packages that are free (maybe except for committing you to look at ads as you use them), such as ZoneAlarm, Avast, and Hijack This. They tend to perform well in tests against their costly counterparts, even if they might be less configurable. They also can suffer from some of the same sickness of being overcomplicated. I find that you don't need fanciness or super-spicy software if your brain is a high-quality ingredient. I've settled on Microsoft Security Essentials. It's free, it's effective, it doesn't bug me, and it's produced by arguably the most desirable hacking target in the world.

The last ingredient is pretty straightforward -- a reputable home broadband router, like those from Linksys/Cisco, D-Link, Asus, or Netgear. Almost all come with the main settings security folks care about pre-configured. You just need to change the admin password to one that's hard to guess, set a wireless passphrase, and that's usually it unless you have specific requirements for your home network. You clearly aren't protected by this when you travel, but that's OK, because you're a moving target when you're mobile (and, of course, you're using your brain). Your home network is online all the time, usually with the same address on the internet, so it's a much easier target. The home router rejects anything from the outside you don't explicitly ask for, which is why they're so effective. Sure, a serious attacker could make it through most, but we're just not that important in most cases, so it's not worth their time after a few cursory attempts fail.

Truthfully, the topic of security is extremely broad, and "power users" could have specific requirements that drive bigger or more delicate appetites, and therefore require more complicated recipes. This is not the be-all and end-all approach. However, my wife is similarly trained, and with just the tools above, neither of us have had any virus issues in the last, well, ever. And having cleaned up the digital entrails after others have been attacked, I have to say that my recipe tastes pretty darn great.