
I'm giving a presentation later this week to the staff at the company where I work. The goal of the presentation is to serve as a refresher/reminder of good practices that can help keep our network secure. The audience is made up of both programmers and non-technical staff, so the presentation is geared for non-technical users.

I want part of this presentation to be a top list of "tips". The list needs to be short (to encourage memory) and be specific and relevant to the user.

I have the following five items so far:

  • Never open an attachment you didn't expect
  • Only download software from a trusted source, like download.com
  • Do not distribute passwords when requested via phone or email
  • Be wary of social engineering
  • Do not store sensitive data on an FTP server

Some clarifications:

  • This is for our work network
  • These need to be "best practices" tips for the end-user, not IT policy
  • We have backups, OS patches, firewall, AV, etc, all centrally managed
  • This is for a small business (less than 25 people)

I have two questions:

  1. Do you suggest any additional items?
  2. Do you suggest any changes to existing items?
Justin

5 Answers


It sounds like you may be a person outside of IT attempting to educate your peers. While this is a good thing and something I would encourage, your IT department should be driving the security standards and policies.

This training should serve as a means to reinforce and educate on the reasons behind the security policies already in place. If there is not a written security policy document, there should be.

Many of the things you list should not be within the end-user's control. For example, the average less technical end-user should not be able to install software on their workstation. I suspect there are numerous support, configuration, and malware issues within the company that could easily be prevented by policy if they can.

If the fundamentals are not already written and enforced by IT policy, these are issues that should be addressed before attempting to educate the users. Some of the end-user focused policies include:

  • Least privileges necessary to perform job function
  • Software updates automatically performed with attention to security risk
  • Security standards enforced by policy (i.e., web browser settings)
  • Password expiration (90-days)
  • Password strength enforcement (Alphanumeric, mixed case, 9+ characters, et cetera)
  • Unable to use last 5 passwords
  • Portable device (laptop) storage encryption
  • Data classification policy
  • Policy dictating the handling of restricted and confidential data as defined within the classification policy.
  • Data disposal policy
  • Data access policy
  • Portable device policy

There are a myriad of additional policies and procedures that apply to both proper development and technical maintenance within the infrastructure groups. (Change control, code review, system standards, and much more.)

After all the foundation is in place, employees should be provided copies of the written security policy and training surrounding that policy would also be appropriate. This would cover end-user best practices both enforced technically and not. Some of these include:

  • Handling of restricted and confidential information as part of business.
    • Don't e-Mail or transmit unencrypted, dispose of properly, et cetera.
  • Handling of passwords.
    • Don't leave written under keyboard, on post-it notes, share, et cetera.
  • Don't share accounts or authentication data. (Again)
  • Don't leave workstations unlocked or company property (data) unsecured (laptops)
  • Don't run software without consideration
    • Such as e-Mail attachments.
  • Risks and scenarios surrounding social engineering
  • Current malware trends applicable to the business or industry.
  • Policies and risks specific to the business or industry.
  • General education regarding how (if) they are monitored
  • How IT enforces the security policies technically and administratively.

The PCI DSS gives many examples of best practices concerning security policies. Additionally, the book The Practice of System and Network Administration covers fundamental best practices regarding IT security.

Warner
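As an added example, not code from Warner's answer or from any product mentioned on this page, the following Python module enforces three of the password items in the policy list above: 9+ characters with mixed case and a digit (one reading of "alphanumeric, mixed case"), no reuse of the last 5 passwords, and a 90-day expiry. The history keeps salted PBKDF2 derivations rather than the passwords themselves, so the history store is not itself a password list. The account, passwords and rotation dates are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import deque
from datetime import datetime, timedelta

# Policy values taken from the list above (9+ characters, mixed case,
# alphanumeric, last 5 passwords blocked, 90-day expiry).
MIN_LENGTH = 9
HISTORY_DEPTH = 5
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000   # illustrative work factor; tune for your hardware


def complexity_failures(password):
    """Return the rules a candidate password breaks; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    return failures


def _derive(password, salt):
    # History entries are stored salted and stretched, never as plaintext or
    # fast hashes, so a leaked history file does not hand out old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords of one account and when it last changed."""

    def __init__(self, depth=HISTORY_DEPTH):
        self._entries = deque(maxlen=depth)   # (salt, derived) pairs; oldest evicted automatically
        self.changed_at = None

    def record(self, password, when=None):
        salt = os.urandom(16)                 # fresh salt per entry
        self._entries.append((salt, _derive(password, salt)))
        self.changed_at = when or datetime.now()

    def was_used_recently(self, password):
        return any(hmac.compare_digest(_derive(password, salt), derived)
                   for salt, derived in self._entries)

    def is_expired(self, now=None):
        now = now or datetime.now()
        return self.changed_at is None or now - self.changed_at >= MAX_AGE


def validate_new_password(candidate, history):
    """Apply the complexity and reuse rules; returns (accepted, reasons)."""
    reasons = complexity_failures(candidate)
    if history.was_used_recently(candidate):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return (not reasons, reasons)


def demo():
    """Walk one constructed account through six rotations and an expiry check."""
    history = PasswordHistory()
    start = datetime(2024, 1, 1)
    for i in range(6):
        history.record(f"Rotation-Pw{i}", start + timedelta(days=30 * i))
    return {
        "oldest_forgotten": not history.was_used_recently("Rotation-Pw0"),
        "recent_blocked": validate_new_password("Rotation-Pw5", history),
        "fresh_ok": validate_new_password("Fresh-Pw-2024", history),
        "expired_after_90_days": history.is_expired(start + timedelta(days=150 + 90)),
        "not_expired_yet": history.is_expired(start + timedelta(days=150 + 10)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The reuse check only catches exact repeats: "Rotation-Pw5" is blocked, but a user who changes one character gets through, which is why the answer also lists strength enforcement and classification rather than relying on history alone.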

My top tip (that I am slowly managing to teach people) is a variation of your #1:

Know how to check where an email really comes from, and check any message that's the least bit strange.

For Outlook, that means knowing how to display the Internet headers and what the Received-From lines mean.

For non-technical staff, downloading and installing software isn't (and I'd say shouldn't be) an option, they shouldn't have admin access to install software. Even for programmers who we do give admin access to, we strongly, strongly urge them to check with IT before downloading and installing.

For passwords, I always repeat Bruce Schneier's advice: passwords should be strong enough to do some good, and to deal with the difficulty remembering them you can write them down on a piece of paper and keep that in your wallet - treat your password card like a credit card and know how to cancel (change) them if you lose your wallet.

Depending on how many laptops you have and how you back them up, I'd include a tip about keeping the data on laptops secure. If you don't have a system in place to back up/replicate data on laptops to your network, you should, and if you do have a system, you should make sure the laptop users know how it works. A lost or stolen laptop full of data is - at the very least - a pain in the ass.

Ward
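As an added example, not part of Ward's answer or the original page, the following Python script does for a raw message what Ward describes doing by hand in Outlook: it reads the Received: chain, lists the hops in the order the message actually travelled (mail servers prepend their Received: line, so the bottom one is the earliest hop), and flags a message whose From: domain does not match the host that first handed it in. Both messages, all hostnames and all addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture: From: claims the company's domain,
# but the earliest Received: hop shows the message was handed in by an
# unrelated host with no reverse DNS.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mail.example.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [203.0.113.55] (unknown [203.0.113.55])
\tby relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: "IT Helpdesk" <helpdesk@example.com>
To: staff@example.com
Subject: Please confirm your password

Reply with your password to keep your account active.
"""

# Constructed sample of ordinary internal mail, for comparison.
INTERNAL_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby mx.example.com with ESMTP; Mon, 1 Jan 2024 11:00:00 +0000
From: alice@example.com
To: staff@example.com
Subject: Lunch

Sandwiches in the kitchen.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiver>" is the common shape of a
# Received: line; the parenthesised part is optional and free-form.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return the Received: hops in travel order: earliest (origin) first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received") or []:
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                             # unusual line; skip rather than guess
        rdns = m.group("rdns") or ""
        ip = IP_RE.search(rdns) or IP_RE.search(m.group("helo"))
        hops.append({
            "helo": m.group("helo").strip("[]"),  # name the sender announced
            "rdns": rdns.split()[0] if rdns else "",  # name the receiver looked up
            "ip": ip.group(1) if ip else "",
            "by": m.group("by"),
        })
    hops.reverse()                               # headers are prepended, so last = first hop
    return hops


def check_origin(raw_message):
    """Flag a message whose first hop does not belong to the From: domain."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    hops = parse_received(raw_message)
    if not hops:
        return {"from_domain": from_domain, "origin": None, "suspicious": True}
    origin = hops[0]
    names = [n.lower() for n in (origin["helo"], origin["rdns"]) if n]
    in_domain = any(n == from_domain or n.endswith("." + from_domain) for n in names)
    return {"from_domain": from_domain, "origin": origin, "suspicious": not in_domain}


if __name__ == "__main__":
    for label, raw in (("phish-like", SAMPLE_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        result = check_origin(raw)
        print(label, "suspicious" if result["suspicious"] else "ok", result["origin"])
```

Two caveats match Ward's "check any message that's the least bit strange" wording: the flag is a prompt to look closer, not a verdict, because legitimate mail sent through a third-party service will also originate outside the From: domain; and only the Received: lines added by your own mail servers can be trusted, since every line below them was written by someone else's system and can be fabricated.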

Define what a weak and strong password are and give them some good ways of coming up with and remembering strong passwords.

Your second point seems to indicate that users are allowed to install software on their computers. I would say that's a problem in most cases. But if they are allowed to install software then it's a good point to cover.

Make sure you have examples of social engineering. This helps them know what to look for and scares them a little to be more paranoid. I like asking people to think about what they would do if they found a USB thumb drive on the sidewalk just outside the office. Most honest people would pick it up and plug it into their computer to see if something on the drive would identify who the owner is. Most dishonest people will do the same thing...but probably just to see if there's anything good on it before erasing it to use it. In either case, via autorun, malicious PDFs, etc., it's a pretty easy way to own a computer inside a company of your choice, install a keystroke logger, etc.


What about

  • Keep your OS and apps fully up to date. This includes major versions too, at least once a major version has had a few months to mature. A fully patched XP SP3 running a fully patched IE6 is still much less secure than Windows 7 running IE8 (or better yet, Chrome).
  • Avoid popular OSes and apps -- they are far more likely to be exploited. If you can avoid key Microsoft (Windows, IE, Outlook, Office, WMP), Apple (iTunes, Quicktime), and Adobe (Flash, PDF reader) products, you'll be far less likely to be compromised by the vast majority of active exploits out there.
  • Keep your antivirus (anti-malware suite) up to date and scanning regularly.
  • Keep your personal firewall up to date and running.
  • Use secure email protocols (i.e. make sure your POP/IMAP/SMTP is SSL-secured).
  • Don't enable Windows file sharing (SMB) or sshd (those are the two most attacked ports).
  • Enable WPA2 encryption on your home Wi-Fi network.
  • Do not even visit untrustworthy websites.
Spiff

You have a good start, but as others have mentioned you're starting at a disadvantage if users can install software. I would not suggest using download.com; instead, users should ask IT for a program that solves their problem rather than trying to find one themselves (unless most are developers or fairly savvy). Removing admin rights solves this problem.

Additions:

  1. Use different passwords for most sites, and use a Password Safe of some kind to keep track of them (KeePass, PWSafe, etc.). Walk through how MediaDefender's email got hacked and ask the users what measures would have prevented the intrusion. Never ever use your work domain password anywhere else, and don't forward company mail/traffic through untrusted systems.
  2. Choose decently complex passwords. Do a live crack using John the Ripper on a sample password hash (make sure to get permission to use cracking tools IN WRITING from the company first, in case people overreact). Showing users that 'PRISCILLA1' is cracked in <2 seconds is an eye opener. We use Anixis' Password Policy Enforcer here to make sure lousy passwords don't get in.
  3. Don't plug in anything that is not provided to you by IT. Illustrate the point by plugging in a Keylogger USB stick or one autorunning a Trojan (autorun should be disabled, but that's another story).
  4. Assume all traffic on all networks is tracked and logged at both ends, even if encrypted to prevent MitM attacks. WikiScanner is a good example of using IP addresses to finger who did "anonymous" edits.
hurfdurf