Web-Based Malware Prevention

Chris Keall of PC World NZ writes, "My personal theory is that any major security software, if kept up-to-date, is going to stop any virus or malware outbreak, since all the companies share fixes within hours."

If true, this would be great. The reality, however, is far less rosy. With ten thousand or so new pieces of malware requiring processing each day, no amount of sharing will speed things up. Brian Krebs of the Washington Post writes about this challenge in "Anti-Virus Firms Scrambling to Keep Up". Further, with threats moving to the web, discovering which malware needs immediate attention is becoming increasingly problematic for vendors, which often do not have good visibility in this area.

Legitimate websites are frequent targets of attackers. Other tactics, such as social engineering scams or malicious spam, require that the intended victim be tricked into taking some harmful action. As users become increasingly savvy - and spam filters increasingly effective - these types of attacks are less successful. By compromising a legitimate website, the attacker can take advantage of the (sometimes) millions of people who visit that site.

The most common website compromise is a form of code injection attack, in which a hidden iframe or JavaScript reference is placed within the normal source code for the website. On the surface, the site still looks and operates normally. Behind the scenes, however, the referenced code is silently being pulled from the attacker's site, scanning the visitor's computer for vulnerabilities which can be leveraged to secretly download malware onto the system. In most cases, the result is backdoor and password-stealing Trojans, quite often intent on identity theft.
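From the site owner's side, the injected references described above can be looked for in the page source. The following is an added example, not part of the original article: a Python audit that lists iframe and script tags loading from hosts outside an allowlist and marks iframes that are hidden from view. The function names, the allowlist approach, and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectionAuditor(HTMLParser):
    """Flags iframe/script tags whose src host is outside the site's allowlist."""
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()  # "//host/x" works too
        if not host or host in self.trusted:
            return  # inline, relative, or allowlisted reference
        hidden = tag == "iframe" and (
            a.get("width", "").strip() in ("0", "1")
            or a.get("height", "").strip() in ("0", "1")
            or "hidden" in a
            or HIDDEN_STYLE.search(a.get("style", "")) is not None)
        kind = "hidden-iframe" if hidden else "external-" + tag
        self.findings.append((kind, host, self.getpos()[0]))

def audit_page(html, site_host, allowed_hosts=()):
    """Return (kind, host, line) for each off-site iframe/script reference."""
    auditor = InjectionAuditor(site_host, allowed_hosts)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample page; every host is a reserved example/.test name.
SAMPLE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<h1>Welcome</h1>
<iframe src="http://injected.test/x" width="0" height="0"></iframe>
<script src="//stats.injected.test/a.js"></script>
<iframe src="https://video.example.org/embed" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, "www.example.com", ["cdn.example.net"]):
        print(finding)
```

Anything reported that the site owner did not place there deliberately is worth investigating; the visible third-party embed in the sample shows why the allowlist needs to list every host the site intentionally loads from.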

Contrary to popular belief, all browsers are susceptible to these types of attacks, and thus it's important that all web browsers (including those simply installed but not necessarily in use) be properly secured. (See Web Browser Security for tips on securing Firefox, IE, and Opera.)

Vulnerabilities in third-party applications completely independent of the browser and even of the operating system are also commonly exploited. For example, vulnerabilities in Adobe Flash adversely impacted Windows, Mac, Solaris, and Linux users alike. Making sure all applications are routinely patched for such flaws is a critical component of staying safe online.

Home and SOHO users are particularly vulnerable, since these users often do not have access to the sophisticated proxies, intrusion detection, and patch management systems necessary to ward off web-based threats. The following advice is geared specifically to help this segment of the online population.

Secunia Software Inspector is a free online scanner that takes the pain out of checking patch levels of all vulnerable software. Secunia Software Inspector not only alerts you to missing patches on your system, it provides links and helpful advice for installing the necessary security patches.

It goes without saying that signature-based antivirus software is still a necessity. Though none can guarantee 100% protection (nor are they designed for such a purpose), some of the best can offer a 95% or better detection rate. For a list of which antivirus scanners offer the best protection, check out the Top Windows Antivirus. Mac users would do well to consider Intego, which focuses solely on Mac-only threats.

Additionally, given that today's malware is often focused on identity theft, perhaps one of the most important steps you can take to beef up your online security is to take measures to protect your real-world identity.

Various companies offer monitoring and fraud protection services. Three of the best known are LifeLock, LoudSiren, and TrustedID. The plans vary, but the gist of each is to place fraud alerts on your credit profile, remove your name from prepaid credit card offers, and notify you personally if anyone tries to establish credit in your name. Costs of the service can range from $10 to $25 USD per month.

Of course, you can do all of this for free, or take the far simpler route and pay a small fee to have a credit freeze placed on your record. A special PIN is used for identification purposes, so if you need to lift the freeze to apply for a mortgage, finance a new car, or sign up for a new credit card, you can. For details on free steps to protect yourself from identity theft, including putting a freeze on your account, see Ten Tips to Protect Against Identity Theft.
