Default software installations are composed by the software vendor to include the pick of an application’s most useful components or services and are intended as a hassle-free way to install software. The SANS Institute explains, "Software vendors’ philosophy is that it is better to enable functions that are not needed than to make the user install additional functions when they are needed.”
However, components that will be actively employed by the purchaser are often grouped together with those that will lie idle. These dormant components are unlikely to be maintained by users and provide clear and easy paths for attackers to take over computers. Jack Dahaney, vice-president of the server security division at Watchguard Technologies asks, "If users don’t know what applications or services are running on their machines, then how will they know to apply patches to fix critical issues?"
Dahaney voices the opinion that, “software vendors have got to start opting for security over convenience.”
Failing a new approach by vendors, however, it will be left to purchasers to protect themselves.
In order to avoid creating vulnerabilities, security consultant Nicholas Versan recommends users opt for custom installation when installing software and then choose carefully from the list of software and services to be installed. Versan also suggests that those who have purchased computers with pre-installed Windows 2000 or NT operating systems and applications should scan their machines with Microsoft’s web-based MPSA security tool.
The NIPC has posted a companion list of simple security tips based on the errors presenting the greatest security threats. The list includes: using strong passwords, making regular backups of critical data, using virus protection software, avoiding e-mail attachments from strangers, regularly downloading security patches from software vendors, and avoiding keeping computers on-line when not in use.
In addressing the root problems causing the system and software holes exploited by all viral and hack attacks, the research warns that security enemies may be closer to home than imagined.