Top ten lists and low-hanging fruit.
I wrote this in response to a question that asked what would be the best firewall to install on a Windows 98 machine.
I like to advise people that they should look at security measures and ask "is this on my top ten list?", and not do anything that isn't on the list. Obviously, as you work through the list and discard items, something that wasn't on the top ten list before may come back onto the list and deserve to be done.
When you're on Windows 98, I think that your top ten list starts with:
1. Unplug the network cable.
2. Upgrade to Windows XP.
3. Install Service Pack 2.
4. Convert your hard drive from FAT to NTFS.
5. Upgrade your applications.
6. As much as possible, stop running as an administrator, run as a "restricted user".
7. Check that the Windows XP Firewall is enabled.
8. Plug the network cable back in.
10. Download and install patches for everything.
As you can imagine, several of the top-ten list items are “once only”, and others are “every month” or similarly require regular re-visiting.
The key here is to build your list on the basis of what the low-hanging fruit is.
Obviously the original question was posed by someone who was looking for the low-hanging fruit, but was labouring under the misconception that the low-hanging fruit in this case was that part of his system that he could most easily address. That's not a good approach, because you end up spending a lot of time making easy fixes, while the attackers are going to come in and get you through the gaping hole that you've labeled “difficult to fix”.
You have to address the low-hanging fruit as seen by your attackers. What's the easiest way to get into your system? Address that, no matter how hard it is, because that's the way that you will be breached.