Inspired by a question I saw on Twitter:

As the title says, what items would you include? And to what depth?

Are there obvious topics everyone should be thinking of, or is it important to advise on areas they may not have considered but can take action on?

Rory Alsop

2 Answers

I would recommend that people read Consumer Report's Guide to Online Security. It is excellent and covers a lot of what people need to know.

Beyond that, here are a few more suggestions:

User behavior. I would have some recommendations for how they behave online:

  • Practice good password hygiene. I recommend that people pick two very strong passwords: one for your email account, and another for your banking and financial stuff. Don't re-use those passwords anywhere else. To select a random password, a good approach is to pick a phrase -- a sequence of four or more words -- that no one else is likely to guess or choose. Anyone who breaks into your email account may be able to gain access to all your other accounts, so it is important to protect that one carefully. And the need for a strong password for banking is obvious.

    As long as you trust the folks you live with, it is fine to write these passwords down. Writing the passwords down will make you feel comfortable choosing long and strong passwords, so it is generally a good thing (contrary to what you might hear from others).

    For other sites, I suggest you pick other throwaway passwords. They usually don't need to be especially strong. It is fine to write them down, and I encourage it.

  • Use your browser password manager. Take advantage of your browser's password manager, so you don't have to memorize your passwords. When it asks whether it should remember your password, say yes. Once you know that you can count on your browser to remember your password for you, it will free you up to choose hard-to-guess passwords.

  • Be careful where you enter your password. Bookmark security-sensitive sites, like your bank and your webmail provider. When you want to log onto them, click on the bookmark then enter the password.

    You want to avoid a situation where you are on some other site, click on a link, and then enter your banking or email password into the resulting page. That's unsafe, so get out of the habit of doing that. Similarly, avoid clicking on a link in your email and then entering your password into the resulting site. If you get an email from your bank and want to log onto your bank account, click on the bookmark to your bank and then enter your password.

    This is the equivalent of how to protect yourself offline. There's a common scam where someone calls you up, pretends to be your bank, and asks for your bank details. To avoid falling for that scam, all you need to remember is "don't call me, I'll call you": don't provide your banking details unless you called the bank yourself. If your bank calls you and wants personal information, hang up, then call the bank's phone number on your bank card. That's a good idea offline -- and it's a good idea when on the Internet, too. When using your browser, follow the same practice.

  • When browsing, look up. When you are browsing the web, if you ever have any questions about what web site you are currently interacting with, look up at your browser's address bar. You can identify the domain name of the site (the part that says, for instance, www.google.com) near the left side of the address bar. In many browsers, it will be highlighted. If you are considering entering in personal information and have any questions about who will be receiving the personal information, the address bar will tell you the answer.

  • Never download software from unfamiliar sites. Avoid downloading software from anywhere except the most trusted sites (otherwise you can get hit by malicious software). If you're browsing the web and some random web page says you need additional software to view the cool videos or something, don't do it.

System administration. I would start with some recommendations for setting up their system:

  • Enable automatic updates. This is the best way to ensure you are always running the best, patched version of all software.

  • Enable automatic backups. Set up a backup system to automatically and routinely backup your system, without your involvement. This is one of the best ways to ensure you can recover from a compromise. Security is more than just prevention; it is also about enabling rapid and reliable recovery from compromise.

  • Choose a secure browser. I would recommend Chrome. Firefox can also be good. If you use Firefox, install HTTPS Everywhere, to ensure you use HTTPS (SSL/TLS) on every site that supports it, and I recommend AdBlock Plus to many people.

  • If using Windows, install free antivirus. The number-one user error I see on Windows is that people think they have antivirus software running because it came with their system. What they might not realize is that the pre-loaded software is a trial version whose license expires after a while (a year or less); once it expires, they're not protected any longer. Therefore, I recommend that people install antivirus. To save some money, I usually recommend a free antivirus checker: Avast seems decent, and some recommend Avira.

    Alternatively, you could just buy a Mac. It's more expensive, and it isn't a silver bullet, but it tends to mean you don't have to worry about anti-virus software. (All of the other comments about user behavior still apply regardless of platform, though.)

D.W.
  • +1 for all of this except your last sentence. All your points are still important for Macs, *nix, Windows etc. Macs are just as bad as all the others :-) – Rory Alsop Feb 19 '12 at 13:06
  • @d-w Can you update this? – maskin Oct 17 '21 at 15:35
  • Is this documented somewhere that is regularly updated? I assume we should add adblockers (problem with porn sites/popular sites is malware from bad ads?) Windows Defender - not benchmarked against tests but probably good. Hardware/updates - Android doesn't always get updates so you need to move hardware? List of good VPN/antivirus software providers, way to vet them? – maskin Oct 17 '21 at 15:38
  • I'm aware of in the UK for advice https://www.met.police.uk/advice/advice-and-information/fa/fraud/useful-contacts-for-fraud-cyber-crime-advice/ https://www.thecyberhelpline.com/team https://www.gov.uk/government/organisations/national-cyber-security-centre – maskin Oct 17 '21 at 15:52
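The first answer recommends a passphrase of four or more words and a password manager so the user never has to memorize it. The following example is added here and is not part of the original answer; it shows how much guessing resistance such a phrase actually has when the words are chosen at random, and why the size of the wordlist matters as much as the word count. The wordlist is a constructed 16-word toy list; a real generator would use a published list of several thousand words.

```python
import math
import secrets

# Constructed toy wordlist for this example only. Each random pick from 16 words
# adds log2(16) = 4 bits; a published list of ~7776 words adds ~12.9 bits per word.
TOY_WORDLIST = [
    "apple", "bridge", "candle", "desert", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orchard", "pepper",
]


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are drawn uniformly at random
    (with replacement) from a list of wordlist_size words."""
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return word_count * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words from this list that reaches target_bits."""
    if wordlist_size < 2:
        raise ValueError("wordlist must contain at least two words")
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int = 4, wordlist=None, separator: str = " ") -> str:
    """Pick word_count words with the OS CSPRNG (secrets), never random.random.

    A phrase the user invents is not uniformly random, so its strength is lower
    than this estimate; the estimate only holds for machine-chosen words.
    """
    words = list(wordlist if wordlist is not None else TOY_WORDLIST)
    if word_count < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of at least two words")
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print("toy list, 4 words:", passphrase_entropy_bits(4, len(TOY_WORDLIST)), "bits")
    print("7776-word list, 4 words:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("words for 64 bits from 7776-word list:", words_needed(64, 7776))
    print("sample (toy list, weak on purpose):", generate_passphrase(4))
```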
I would keep it simple.

If it is too technical - they may agree but really have no idea what they are reading.

Just go over basic protection, such as password, email, and web surfing. Social media policies and so on that keep everyone involved protected (depending what you are writing the policy for).

I would keep the technical side of it for the system administrators, such as firewall policies, outbound mail policies, spam filtering, antivirus policies and so on. Just make the non-technical users aware that they do have spam filtering, antivirus, etc.

Give them enough to help protect themselves, and understand that you do your part in protecting them, but don't give them too much as to confuse them.

At least that is my opinion.

Addition:

I read a book that explained a lot of great information about writing documentation and security policies in general, you may be interested in it: 'The Practice of Network and System Administration.'

logicalscope