A Security Guide For Non-Technical Users?
kin_korn_karn asks: "Like many of you, I am the family IT department. I cannot convince my parents to follow proper PC security procedures. I'm not talking about enterprise-level things such as card swipes and fingerprint scanners, just simple measures like logging off of the PC when it's not in use. They, like many people of their generation, seem to be willing to sacrifice security for convenience, as long as their real data isn't being impacted. I can't seem to get it through to them that it's only a matter of time until they are. Since my own arguments aren't working, I need documented proof to back it up. Can Slashdot offer up some kind of arguments or information that I can use?"
"Does anyone know of a guide to IT security that:
a) Is written for a non-technical audience, but is neither condescending nor overly 'soft.'
b) Defines the various terminology (trojan, virus, zombie, etc.) clearly.
c) Explains what threats each security measure protects the user from.
d) Uses cases and examples to demonstrate the before and after scenarios, like: 'Jane's credit card number was intercepted via a non-encrypted connection. She started looking for the padlock symbol on her browser's status bar. Now, her credit card number looks like this: @*#(!@($).' (That's just an example, by the way)
It's the content that's important not the media, so your suggestions can be anything, be it an online document, multimedia presentation, or a print book."
you should go outside and play catch with your son.
Right, the reason nobody is listening to him about security matters is that he's batshit insane, and is going on about logging off when you are not using your home machine, possibly to protect yourself from ninjas breaking into your house and stealing your files.
First The Fear: I don't have the document you're looking for. But I think the basic problem is this: in the Real World, if you leave your door unlocked (I didn't say "open") in most neighborhoods it'll take years, at least, before you get broken into. Most people aren't going around trying residential doors. (Assuming you aren't conspicuously advertising more wealth than your neighbors.) And if you're going to get broken into, having a locked door won't make much difference...
I would say the mean time before someone breaks into your house BECAUSE you didn't lock the door averages at LEAST years.
The mean time until your online (routable) Windows computer is compromised if you don't have a reasonable firewall is something like 15 minutes (and falling). You need to strike home the fact that that's the AVERAGE time until someone WILL try to attack their computer. If someone is trying to steal from you every 15 minutes, you NEED to be paranoid.
Second, of course, is education.
First you need to decide whether you're going to keep fixing whatever messes they're going to make - or you need to say: "I've wasted enough time on your computer. If you don't follow the rules I set out for using it safely, I'm not fixing the problems you have - or I'm at least waiting weeks before I do." - and you need to be serious. If you fix it all for free, there is no incentive.
One rule is not to download and install anything without your approval. If they see that warning screen and click "yes" - that's their problem. Those smiley toolbars don't get there by themselves.
Then you need to do what you can for them automatically. I agree with another poster that logging off is not a high priority. A good "hardware" firewall is - with the "gaming" port forward OFF. Turn on automatic updates. Getting a Mac is great :)
If you can't do that, disabling ActiveX - COMPLETELY - (preferably also removing the IE icon and installing an alternate browser) helps a lot. Installing Spybot S&D and its automatic protections helps.
You seem to think that your problem is that your parents aren't technical enough to understand the threat. Your solution is to get them up to a similar level of expertise that you're at. That's simply foolish.
The problem is you aren't communicating effectively, or your parents aren't willing to listen. I don't need to understand the reasons WHY I should change my oil in my car every 3-6 months to do it. I only need to trust that if I don't, my car will suffer. Mechanics don't give out chemical assays of oil, results of wear tests, or the breakdown of acid-inhibitors etc. to convince people to change oil, they rely on communication and reputation. "Bill's a good mechanic, he always knows what's wrong with my car. If he says to change my oil every 3 months, he's probably right". The world is too complex to try to learn EVERYTHING.
Maybe your problem is you don't really understand security yourself, so you can't explain it properly. Telling people to log off their own computer in their own household really adds no security from viruses, worms, etc. If you try to make this argument to your parents, you're just going to sound like you're (as another poster put it) "batshit insane". This destroys any credibility you have, and any sane advice like keeping up on updates, installing hardware firewalls, etc goes out the window.
So, you need to work on your communication skills, not try to get your parents to have the same amount of knowledge you do.
I'm wondering if you actually know what you're talking about, or if you're just some pedantic idiot attempting to assert he's smarter in something to his parents. Example: ...just simple measures like logging off of the PC when it's not in use.
WTF? Why do they need to log off their own damn computer in their own damn house? If someone breaks in and gets physical access, I'm betting that unauthorized surfing isn't their top concern. And if you think having them log off will thwart a thief from getting their data, you're crazy. If the thieves want the data, they'll get it by just stealing the drive & mounting it as a secondary drive.
People like your parents are easy. They don't need to know about viruses & worms. You just set anti-virus to run and automatically update & have them use a mail client other than Outlook (e.g., Thunderbird or Eudora). You set up the firewall & just leave it. They don't need to know how to administer the fucking thing. Past that, you tell them basic things to avoid phishing, never install anything without asking me. That's basically what we did with my mom & no problems. There's little chance of her fucking anything up, because, by and large, she doesn't know enough to get herself into trouble. She's not going to change the config on the firewall, as she doesn't even know what the hell a firewall is.
It's typically people with a little knowledge that are a problem. They're the ones who get themselves into trouble. And while it sounds like your parents don't fall into that category, it sounds like their son does.
-Bill