I get asked this from time to time: “How do I keep my computer / network safe?” My response, depending on the nature of the question, is sometimes “unplug it from the internet.” If you have a computer that holds information that is important to you, don’t expose it to the internet; and that may mean buying two computers. One computer would be used for internet browsing and connected to a printer. The second one is intentionally kept off the internet, and you can use the same printer for both computers.
Then the question becomes: how do I update the computer that is offline? You don’t need to! If the computer is not connected to the internet, then you don’t need to update it if it is running well. The only reason why you would need to update it is to apply operating system updates that fix vulnerabilities the OS manufacturer found, or to get new program functionality.
You may be thinking: that is not practical! Well, think about it like this, using pictures as the example. Paper photos are still used, but digitized pictures are a lot more common now. If these are housed on a computer with no internet access, then how likely is it that this computer will get infected and lose these pictures? Not very likely. The computer may have a hardware failure of some sort, but you can back up the pictures and the OS and restore them if you need to.
How would it work?
Here is an example of how this might work in real life. I met a financial planner who did this. The computer that she stored all her data on never saw the light of the internet. She had a network printer connected to it by an intranet LAN, and never updated the computer. All input was manual, and only new out-of-box USB drives went into the computer.
If a USB drive was used to transfer information from the intranet computer to the internet, the drive was marked and not used on intranet computers again. She ran no antivirus on it; she did not need it. She also had separate computers in her office to access the internet, but the network that stored the data and the network with internet access never physically touched each other.
What I am describing is an intranet and an internet network set up side by side, with each network kept separate. The internet modem connected the PCs to the internet so they could get mail, read the news, do video conferencing, etc. The intranet PCs were connected to a network switch, and the switch was not connected to the internet modem. So, the intranet PCs got no communication from the outside world. They only communicated with themselves and the server which held the confidential data.
The only way the bad guys could get this information would be through an inside job. They would have to be physically present, in her office, to steal the data. Small to medium-sized businesses can use this technique. If there is data that absolutely cannot be in the wrong hands, think about using an intranet / internet configuration.
The key is that the two networks are never linked together, and they don’t talk to each other. There is no software routing, no hardware router shunting traffic, no connection between them at all. There is no possibility of zero-day exploits being used; it's just not possible because there is nothing to exploit.
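One way to check the "no routing, no link" property on an intranet machine, as an added example that is not from the original post. It assumes the machine runs Linux and that the inputs are saved output of `ip -4 route show` and `/proc/sys/net/ipv4/ip_forward`; the function names, addresses and interface names are constructed for illustration.

```python
# Added example: audit a host that is supposed to live only on the intranet.
# Assumption: the host runs Linux; inputs are saved text from
#   ip -4 route show
#   cat /proc/sys/net/ipv4/ip_forward

def _value_after(fields, key):
    """Return the token following `key` in a route line, or None."""
    return fields[fields.index(key) + 1] if key in fields[:-1] else None

def audit_isolation(route_text, ip_forward_text):
    """Return a list of findings; an empty list means no link was found."""
    findings, devices = [], set()
    for line in route_text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = fields[0]
        gateway = _value_after(fields, "via")
        dev = _value_after(fields, "dev")
        if dev and dev != "lo":
            devices.add(dev)
        if dest == "default":
            findings.append(f"default route via {gateway} on {dev}: path off the LAN")
        elif gateway:
            findings.append(f"route to {dest} via {gateway}: traffic leaves the segment")
    if len(devices) > 1:
        findings.append("dual-homed (" + ", ".join(sorted(devices)) + "): host can link two networks")
    if ip_forward_text.strip() != "0":
        findings.append("ip_forward is on: host will route between interfaces")
    return findings

# Constructed sample captures (addresses and interface names are made up).
ISOLATED_ROUTES = "10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.5\n"
LEAKY_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/24 dev eth0 proto kernel scope link src 10.10.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    for name, routes, fwd in [("isolated", ISOLATED_ROUTES, "0\n"),
                              ("leaky", LEAKY_ROUTES, "1\n")]:
        result = audit_isolation(routes, fwd)
        print(name, "->", result or "no route, gateway or forwarding found")
```

A clean result only covers this host's own configuration; the switch cabling still has to be traced by hand to confirm nothing uplinks to the internet modem.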