I'll take a stab at a few things here, and maybe we can assemble a good How-To from this and other posts.
There are four basic areas where I believe most SOHO users can do the most good in protecting themselves. Besides making backups, being aware of the electronic landscape, and educating yourself beyond reading the latest headlines:
1. Run anti-virus and anti-spyware utilities often, and keep them up to date.
2. Reduce the footprint of what is exposed to the Internet to begin with.
3. Stay up-to-date with patches and new versions of software, and scan for known vulnerabilities.
4. Be aware that social engineering is a very lucrative way to get sensitive information from otherwise security-aware people. Even posting to forums like this, a savvy hacker can gain lots of knowledge about a person from reading the various posts. A tidbit here and there eventually adds up to a pretty good picture.
#1: First and foremost, a home user needs to have a working, up-to-date copy of an anti-virus program. There are many, but you should use one that is known and respected, has automatic updates, and automatically scans your entire system. Now, some of the IT guys here may differ in this opinion, but I believe that automating it as much as possible helps in the SOHO environment. Just remember that if you set the AV software to scan your machine every Tuesday morning at 2:00am, your machine needs to be left on Monday night through Tuesday morning so the scan can kick off at 2:00am!
Second, get a copy of Ad Aware and/or Spybot Search and Destroy, or similar. These programs work to help eliminate spyware, which can cause just as much, or maybe even worse, trouble for you in terms of information leakage and system slow-downs. Ad Aware even has a resident blocker just like most AV software, for a price. Set it up to automatically get updates, as well.
Finally, note that each of these products uses signature files to recognize viruses and threats. You can still be hit by a virus/spyware that is completely new and unknown, and these products may not stop it.
Which leads us to the next area to look at: reducing your online footprint and firewalling your system(s).
#2: Most SOHO users will now be using a wired or wireless router/firewall for their Internet connection to their ISP. They have come down so much in price, and features are ramping up, so no one should be without one these days. For best results, configure the device to not answer ICMP pings from outside, making you more invisible. This can be a problem if some outside service uses pings to ensure you are still alive, but you can usually get around that.
Most router/firewalls work by allowing any outbound connection out, but limiting inbound connections to a specific set of ports that are either open by default, or can be set to be open in the router config.
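As an added example (not from the original post), here is what that policy looks like written out for a Linux box acting as the SOHO gateway: everything outbound allowed, unsolicited inbound dropped, pings from outside ignored, and only the ports you list opened. It assumes the Internet-facing interface is named in WAN (default eth0) and that DRY_RUN=1 prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example: minimal iptables policy in the spirit of the post's advice.
# Assumptions: $WAN is the Internet-facing interface; $OPEN_TCP lists the TCP ports
# you deliberately expose (e.g. "8080 2222"); DRY_RUN=1 echoes instead of applying.
WAN="${WAN:-eth0}"
OPEN_TCP="${OPEN_TCP:-}"            # empty means nothing is exposed at all

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP                   # default: unsolicited inbound is dropped
    ipt -P OUTPUT ACCEPT                # default: anything outbound is allowed
    ipt -A INPUT -i lo -j ACCEPT        # local traffic
    # Replies to connections that we started are allowed back in
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Do not answer pings arriving on the Internet side
    ipt -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j DROP
    # Only the ports you explicitly chose to open accept new connections
    for p in $OPEN_TCP; do
        ipt -A INPUT -i "$WAN" -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Everything else falls through to the DROP policy; log a rate-limited sample
    ipt -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}
```

Run with DRY_RUN=1 first and read the rule list before applying it for real, since a default DROP on INPUT locks out anything you forgot to open.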
The most attacked services today are the ones that are most vulnerable - DNS, web servers, ftp servers, email, and the like. If possible, don't run these types of services at the expected ports. This makes you less of a target for most scripted interrogations.
If you do run a web server at port 80 (the expected port), for example, make sure your web server software of choice is patched with the latest security patches and keep it up to date. Enable logging and check it periodically to see whether you are being targeted and whether any hacking attempts were successful. You may also want to run this on a separate machine that doesn't have personal information on it to further reduce possible information leakage.
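To make the "check the log periodically" step concrete, here is an added example (not from the original post) that pulls out two signs of scripted probing from a web server access log: clients racking up error responses, and requests using methods a plain web site never needs. The log lines are constructed sample data in Common Log Format; on a real server, call the functions with the path to your own access log.

```shell
#!/bin/sh
# Added example: quick review of a web server access log for signs of probing.
# The sample below is constructed data in Common Log Format (one request per line).
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
192.0.2.10 - - [10/Mar/2004:10:00:01 -0500] "GET / HTTP/1.1" 200 1043
192.0.2.10 - - [10/Mar/2004:10:00:05 -0500] "GET /about.html HTTP/1.1" 200 2210
203.0.113.5 - - [10/Mar/2004:10:01:00 -0500] "GET /admin/ HTTP/1.0" 404 209
203.0.113.5 - - [10/Mar/2004:10:01:01 -0500] "GET /backup/ HTTP/1.0" 404 209
203.0.113.5 - - [10/Mar/2004:10:01:02 -0500] "GET /old/ HTTP/1.0" 404 209
203.0.113.5 - - [10/Mar/2004:10:01:03 -0500] "GET /test/ HTTP/1.0" 404 209
203.0.113.5 - - [10/Mar/2004:10:01:04 -0500] "GET /private/ HTTP/1.0" 404 209
203.0.113.5 - - [10/Mar/2004:10:01:05 -0500] "PROPFIND / HTTP/1.1" 403 227
198.51.100.7 - - [10/Mar/2004:10:02:00 -0500] "GET /missing.gif HTTP/1.1" 404 209
EOF

# Clients with at least $2 (default 5) responses of status 400 or higher:
# a stranger asking for many things that don't exist is usually a scanner.
error_hosts() {
    min="${2:-5}"
    awk -v min="$min" '$9 >= 400 { n[$1]++ }
        END { for (h in n) if (n[h] >= min) print h, n[h] }' "$1" | sort
}

# Requests using any method other than GET/POST/HEAD (e.g. WebDAV verbs).
# A 403 here means the server refused it; a 2xx would deserve a closer look.
odd_methods() {
    awk '{ m = $6; sub(/^"/, "", m)
           if (m != "GET" && m != "POST" && m != "HEAD") print $1, m, $7, $9 }' "$1" | sort -u
}

review() {
    echo "== clients with many error responses (ip count)"
    error_hosts "$1"
    echo "== requests with unexpected methods (ip method path status)"
    odd_methods "$1"
}

review "$LOG"
```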
Ok, now on to patches and scanning for vulnerabilities. Some people don't like to do vulnerability scanning. While you don't have to launch a complete hacking attempt at your systems, it does help to use a scanner that can detect possible problems. You are keeping your patches up, right?
As soon as patches are available, read about what they fix and how they do it. Determine if they will interfere with your existing system and programs, and if not, install them and test them. Be able to roll back if problems are noted; if none are, you are good to go.
Now, get a free security scanner such as Nessus. It runs as a server, and you use a client to access it. It also needs to be updated with rules and scan info. Run it against your whole network (which will take some time) and take a look at the output.
Invariably, there are some checks that *appear* to be vulnerabilities, but upon closer inspection you'll find that they simply can't fully determine whether the problem is actually an issue or not. These you will have to determine through other means. For example, running IIS 5 for a web server and using URLScan to block some access, the Nessus check for the WEBDAV vulnerability will still think it is possible, when actually URLScan is blocking the access and sending back a message as such. In this case you are protected but Nessus can't determine that.
This is one reason why scanning is difficult. Another is that for some scans, you need admin permissions on the system being scanned. So be sure you understand what the scan is doing and how it is being used, or you could miss a significant issue because of a poor scan config.
When you do find a problem, follow up on it and determine what the fix or workaround is, taking into consideration the risk factor as you see it. Then apply the solution or accept the risk.
On to #4 - Social Engineering.
We've all seen it on the news or heard about it somewhere. You read the subject of an email and know you shouldn't open it, but you do, and BAM! You're letting the virus into your system and soon the entire network. Well, they fire people for that now. Social engineering is the act of using social means to persuade someone to reveal info they shouldn't. Even if you think revealing a small piece of info is not a problem, it could be, because the hacker could have several other small pieces, and eventually they get enough of the puzzle to put it together.
We see most social engineering in emails these days, but it can also be on the phone, in person, in stores, etc. You know the drill, like the phishing schemes that say this email is from your bank, we need you to verify your account and password... Even if it IS from your bank, don't email them back. Call your customer service line and deal with them - that way you know who you're talking to and it probably isn't going to be intercepted.
Sticking passwords to the bottom of your keyboard, or on a post-it note on your monitor, is NOT something you should do! Also, keeping them in a file on your system in plain text, or even in a protected Word document, is easy to search for and break into. The first requires local physical access (or a good telescope from the neighbor's house), but the second requires only access to your system, which can be gained remotely.
Personal info, once revealed, is very difficult to hide again. Usually it must be changed and the new info not exposed. This is not very easy with your social security number, upon which all credit and most identification is based. Do not reveal your SSN so easily. In fact, challenge the company/person, etc. and find out why they want it. In many cases it is within your rights to have them use some other number for an internal account number, for example. Stall them: say you'll call them back and ask what their number is. It's a lot like phone fraud.
If you bank by web or access billing accounts, be aware of the need to close all of your browser windows after using your banking web site, or any SSL-enabled site. Only after closing and restarting your browser will the cookies and session data be cleared properly so that no malicious script at another site can gain access to the contents of the banking info. You are making sure that the site IS SSL-enabled, right?
Don't do business with sites that appear to have broken or outdated SSL certificates, or don't use SSL for transactional data such as credit card purchases. SSL encrypts all transmissions from your browser to the remote site so no one will be able to sniff the information on the wires (like eavesdropping on the phone).
Have a plan about what you will reveal and what you won't, and stick to it. If you frequent forums like this, limit what is visible, and if you MUST make something visible that you feel uncomfortable about, make up something BUT REMEMBER IT and use it in many places. This makes it appear to be true even if it is false, and a hacker is more likely to believe it - and then you've thrown them off. I don't care if a license agreement says you must be truthful - the truth is that this info is revealed to the public, and my privacy is more important than the truth in this cyberspace! Yours should be, too.
Next time I'll put some tips together on everyday things, like how to set Outlook to reduce the possibility of getting a spam email that the spammer can use to confirm you are an active account.
In the meantime, if you have questions, post and I'll try to answer them.