A Security Guide For Non-Technical Users?
kin_korn_karn asks: "Like many of you, I am the family IT department. I cannot convince my parents to follow proper PC security procedures. I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use. They, like many people of their generation, seem to be willing to sacrifice security for convenience, as long as their real data isn't being impacted. I can't seem to get it through to them that it's only a matter of time until they are. Since my own arguments aren't working, I need documented proof to back it up. Can Slashdot offer up some kind of arguments or information that I can use?"
"Does anyone know of a guide to IT security that:
a) Is written for a non-technical audience, but is neither condescending nor overly 'soft.'
b) Defines the various terminology (trojan, virus, zombie, etc.) clearly.
c) Explains what threats each security measure protects the user from.
d) Uses cases and examples to demonstrate the before and after scenarios, like: 'Jane's credit card number was intercepted via a non-encrypted connection. She started looking for the padlock symbol on her browser's status bar. Now, her credit card number looks like this: @*#(!@($).' (That's just an example, by the way)
It's the content that's important not the media, so your suggestions can be anything, be it an online document, multimedia presentation, or a print book."
you should go outside and play catch with your son.
First The Fear: I don't have the document you're looking for. But I think the basic problem is this: in the Real World, if you leave your door unlocked (I didn't say "open") in most neighborhoods it'll take years, at least, before you get broken into. Most people aren't going around trying residential doors. (Assuming you aren't conspicuously advertising more wealth than your neighbors) And if you're going to get broken into, having a locked door won't make much difference...
I would say the mean time before someone breaks into your house BECAUSE you didn't lock the door averages at LEAST years.
The mean time until your online (routable) Windows computer is compromised if you don't have a reasonable firewall is something like 15 minutes (and falling). You need to strike home the fact that that's the AVERAGE time until someone WILL try to attack their computer. If someone is trying to steal from you every 15 minutes, you NEED to be paranoid.
Second, of course, is education.
First you need to decide whether you're going to keep fixing whatever messes they're going to make - or you need to say: "I've wasted enough time on your computer. If you don't follow the rules I set out for using it safely, I'm not fixing the problems you have - or I'm at least waiting weeks before I do." - and you need to be serious. If you fix it all for free, there is no incentive.
One rule is not to download and install anything without your approval. If they see that warning screen and click "yes" - that's their problem. Those smiley toolbars don't get there by themselves.
Then you need to do what you can for them automatically. I agree with another poster that logging off is not a high priority. A good "hardware" firewall is - with the "gaming" port forward OFF. Turn on automatic updates. Getting a mac is great : )
If you can't do that, disabling ActiveX - COMPLETELY - (preferably also removing the IE icon and installing an alternate browser) helps a lot. Installing Spybot S&D and its automatic protections helps.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
You seem to think that your problem is that your parents aren't technical enough to understand the threat. Your solution is to get them up to a similar level of expertise that you're at. That's simply foolish.
The problem is you aren't communicating effectively, or your parents aren't willing to listen. I don't need to understand the reasons WHY I should change my oil in my car every 3-6 months to do it. I only need to trust that if I don't, my car will suffer. Mechanics don't give out chemical assays of oil, results of wear tests, or the breakdown of acid-inhibitors etc to convince people to change oil, they rely on communication and reputation. "Bill's a good mechanic, he always knows what's wrong with my car. If he says to change my oil every 3 months, he's probably right". The world is too complex to try to learn EVERYTHING.
Maybe your problem is you don't really understand security yourself, so you can't explain it properly. Telling people to log off their own computer in their own household really adds no security from viruses, worms, etc. If you try to make this argument to your parents, you're just going to sound like you're (as another poster put it) "batshit insane". This destroys any credibility you have, and any sane advice like keeping up on updates, installing hardware firewalls, etc goes out the window.
So, you need to work on your communication skills, not try to get your parents to have the same amount of knowledge you do.
AccountKiller
One major problem is that many non-technical people try whatever is humanly possible to relate technical scenarios to "real-world" analogies. This goes for computer security, too; as other posters have mentioned, they try to line it up with their house in the neighborhood, and all too often come up with the line, "Well, why would they attack ME? I don't have anything valuable!". This, to them, equates with security. I should know, I've had that pulled on me before.
And this may be the problem you're experiencing. Try explaining that, in many cases, the computer itself is what "they" want (botnets, zombies, etc). Problem being, you'd be forced to come up with a real-world analogy for it. "It's like if someone could break into this house undetected, loaf around and steal food regularly, take your credit cards and use them freely, then start prank-calling the neighbors and blaming it on you, and everybody thought it WAS you."
The whole issue of a Windows machine being broken into in 15 minutes of a fresh install is even more difficult to put in non-technical terms. "Imagine there was an army of zombies [or robots, or people] roaming the neighborhood. They're going around trying everyone's front door to see if it's locked, and if it isn't, they walk right in and take over the place. Sometimes they try to pick the locks. They don't care if anyone calls the cops on them, there's far more of them than there are cops. And they don't care how long it takes, there's enough of them to try each and every door. And they don't talk to each other, so they'll keep trying the same doors over and over with different lockpicks. And each house they take over produces more zombies [or robots, or people]."
Now, both of those would just be absurd to a non-techie, to say the least. So what I'm saying is that you need to try to draw analogies they can understand but don't sound ridiculous. You can provide documentation to back up your claims, but you'll need to convince them to read said documentation first, and that's where your creative storytelling skills come in.
Just my two units of fractional currency.
Demanding constant attention will only lead to attention.
I stay logged in all the time. The only way someone is going to hack my system because of that is if they break into my house. If they break into my house (and survive) the stuff they get off any computer is the least of my worries.
Even if my computer is turned off, and they run away with the hardware, it doesn't take much skill to recover data off it. If you have physical access to the device, you can read it, regardless of the OS.
Which is why you need to use an encrypting file system.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
I'm wondering if you actually know what you're talking about, or if you're just some pedantic idiot attempting to assert he's smarter in something to his parents. Example: ...just simple measures like logging off of the PC when it's not in use.
WTF? Why do they need to log off their own damn computer in their own damn house? If someone breaks in and gets physical access, I'm betting that unauthorized surfing isn't their top concern. And if you think having them log off will thwart a thief from getting their data, you're crazy. If the thieves want the data, they'll get it by just stealing the drive & mounting it as a secondary drive.
People like your parents are easy. They don't need to know about viruses & worms. You just set anti-virus to run and automatically update & have them use a mail client other than Outlook (e.g., Thunderbird or Eudora). You set up the firewall & just leave it. They don't need to know how to administer the fucking thing. Past that, you tell them basic things to avoid phishing, never install anything without asking me. That's basically what we did with my mom & no problems. There's little chance of her fucking anything up, because, by and large, she doesn't know enough to get herself into trouble. She's not going to change the config on the firewall, as she doesn't even know what the hell a firewall is.
It's typically people with a little knowledge that are a problem. They're the ones who get themselves into trouble. And while it sounds like your parents don't fall into that category, it sounds like their son does.
-Bill
SlashSig Karma: Excellent (mostly affected by moderatio