epichero22 asked:
Questions about Internet Security

Hi,

I am doing a presentation for a panel of business consultants and the topic they'd like me to discuss is "Internet Security." I don't know much about this field, but I'm looking to learn. I have about a half-hour presentation to give, so I wanted to ask what topics I should discuss (i.e., wireless security, man-in-the-middle attacks, DDoS attacks, etc.)?

This is a company that does coaching for small business owners, so I would like to keep it relevant to that.

Thanks!
aadih:

The following two presentations provide an excellent overview of Internet Security, hence they may help you get a handle on the topic and prepare your presentation:

(1) "10 Things You Need to Know. About Internet Security. Presented by Steven Blanc" at:

http://www.bowdoin.edu/it/fyi/information-security/pdf/internet-safety-presentation.pdf

(2) "Computer and Internet Security Presentation" at:

http://scis.nova.edu/~levyy/CyberSecurityDay/Computer_and_Internet_Security_Presentation.pdf
ASKER CERTIFIED SOLUTION by John (content only available to members)
epichero22 (asker):
Thinkpads User:

Do NOT let users be members of the admin group.
Sometimes certain proprietary software requires elevation just to launch the software.  Is there a way around this I'm not seeing?  Otherwise, restricting user accounts would require constant attention by an admin or myself; it wouldn't be feasible.

Wireless should be secured by a minimum of WPA/PSK with a strong password.
I only use WPA2/PSK with AES; does this contradict your advice? Also, as a side note, I only allow 802.11n connections, as I've found that forcing this typically results in higher throughput. Not sure if this is recommended outside of the necessity for backwards compatibility with 802.11g-only devices, which I rarely come across these days.

Use good name brand, commercial paid Anti Virus.
What are the drawbacks of free AV? I've been using them for years and never had any problems. But properly trained users, like you said, are the best AV.
[Sorry for jumping in, if only to make] two comments:

(1) Using WPA2 with AES is good.

(2) In my experience a free antivirus program is sufficient, if not as good as the paid one (i.e., free ones are as good as the paid ones, in my opinion).  Starting with A, Avast, AVG, Avira ... will do. I recommend Avira, however.
McKnife:
There is so much to say about this topic. No ideas? What are the business consultants hoping to get an idea of? Let us have a little more info than only "business consultants" - who do they work for, what do they need the presentation for? You should also be able to judge their own knowledge a little.

One can imagine designing a presentation for grandma and grandpa, for parents, for small business owners, for webshop owners, for online-banking-powerusers, for those who always like to hear about virii, or others that like to be scared by exploit stories... - you might know, we don't :)
Member_2_276102:
What are the drawbacks of free AV?  I've been using them for years and never had any problems.

The major drawback is here:

This is a company that does coaching for small business owners, so I would like to keep it relevant to that.
Make sure you read licenses. If you find good AV products that allow free commercial use, please post back here.

Tom
Some really great points here, thank you.  Here's an outline I wrote, if you care to add anything or comment:

Introduce yourself
What you want to offer.

Bring up “Internet Security”
Internet Security is a broad field.
Today we’ll be talking about some of the main concerns for small business.

Internet Security, for small businesses:

Windows UAC
Windows User Account Control
When it was implemented.
With Windows Vista, probably in response to the flood of spyware that was written for its predecessor, Windows XP.
But the result was overkill for regular users.
Why it’s needed.
Today, the UAC is more relaxed, but will prevent most critical system changes.
You typically don’t want to turn this off, but some software vendors will request that you do for their software to run properly.

Strong Passwords
How hackers break passwords.
Brute force attacks and keyloggers.
What is, by definition, a strong password?
Go through calculating password strength.
Determined by how many possible combinations a password can have.
So, a three-letter password can have three symbols that are each 26 letters long: 26^3 = 17,576 possibilities.
A 6-letter password: 26^6 = 308,915,776 possibilities.
8 lowercase & uppercase, and any of the symbols on a standard keyboard: 82^8 = over 2 quadrillion different combinations - extremely difficult to break.
The greater the number of characters and possible symbols, the more difficult the password becomes to break.
Choosing a nonsensical password vs. sensible also increases security from dictionary attacks:
p@$$w0Rd vs @@(${pJJ

Disabling the Administrator Account
Hackers know that, by default, the “Administrator” account is the super user of the machine.
Leave this account disabled, but still set it with a password.
Not just on your server; Windows desktops have administrator accounts as well.

Setting a strong Admin password
For this account, you can write down a complex password and keep it somewhere safe.

Don’t let users be part of the Admin groups.
Will help prevent damage that’s accidental or intentional.
Company administrators should normally log on with regular user accounts, and only switch to Admin when necessary.

Wireless security
Using the right protocols.
Today’s standards are:
Wireless Protected Access (WPA) version 2
Advanced Encryption Standard
Both are extremely hard to break.
Enforce the Wireless N standard.

Not sharing your WiFi passwords.
Don’t give out any WiFi passwords.
If you have a guest WiFi for your clients to connect to while they wait, have your staff type the password in for them as opposed to giving them the password.
Always ensure that routing between the networks is turned off.
Periodically changing the passwords.
At least every 6 months, if not every quarter.

If an employee leaves, disable all their accounts immediately.
Password protect all routers.
Use a complex password and keep it somewhere safe.
Picking a router (go into DDoS prevention).
Describe what a DDoS is.
Show a screenshot of a router that has denial of service.
Using VPN.
Describe what VPN is.
Security protocols used and how they work:
IPSec
SSL / TLS
SSH
How to tell what protocol a website uses.
How to calculate the bit security on an encrypted connection (i.e., 128 bit creates how many possible combinations).
Picking an AntiVirus
Retail vs. Free
Licensing requirements.
User and editorial reviews.
Centralized management.
And, the most important step, train users to use common sense.
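As an added worked example (not part of the thread or the outline), the keyspace arithmetic from the "Strong Passwords" section above, the 128-bit figure from the VPN section, and why a dictionary-derived password such as p@$$w0Rd is far weaker than its 82^8 keyspace suggests. The substitution table, the case-rule factor and the dictionary size are constructed illustration values, not figures from the page.

```python
import math

# Character-set sizes used in the outline above
LOWER = 26
LOWER_UPPER_SYMBOLS = 82   # the outline's estimate for a full keyboard

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from an alphabet."""
    return alphabet_size ** length

def entropy_bits(combinations: int) -> float:
    """Equivalent key length in bits: log2 of the number of possibilities."""
    return math.log2(combinations)

def brute_force_seconds(combinations: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace at a given (constructed) guess rate."""
    return combinations / guesses_per_second

# Leet-speak substitutions a rule-based dictionary attack would try
# (constructed, illustrative table; real rule sets are larger)
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}
CASE_RULES = 4   # constructed: a handful of capitalisation rules per word

def leet_variants(word: str) -> int:
    """How many spellings one dictionary word has under the substitution and case rules."""
    n = 1
    for ch in word.lower():
        n *= len(LEET.get(ch, ch))   # unlisted letters have exactly one spelling
    return n * CASE_RULES

def effective_keyspace_dictionary(word: str, dictionary_size: int) -> int:
    """Search space a dictionary attack actually needs for a mangled dictionary word,
    as opposed to the full keyspace of a random password of the same length."""
    return dictionary_size * leet_variants(word)

if __name__ == "__main__":
    for alphabet, length in [(LOWER, 3), (LOWER, 6), (LOWER_UPPER_SYMBOLS, 8)]:
        n = keyspace(alphabet, length)
        print(f"{alphabet}^{length} = {n:,} ({entropy_bits(n):.1f} bits)")
    print(f"128-bit key: {keyspace(2, 128):,} combinations")
    # 'password' with a constructed 100,000-word dictionary: the attack space for
    # p@$$w0Rd is millions, not quadrillions, despite its 8 mixed characters
    print(f"p@$$w0Rd via dictionary+rules: {effective_keyspace_dictionary('password', 100_000):,}")
```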
Minor added thought...

You might emphasize when specific points apply to Windows rather than Linux, Android, iOS, etc., as well as when a point applies to a server or a networking device rather than user devices (including mobile). You might even break your list into categories like those to make differences visually obvious.

If you're presenting a 'starting overview', you can make it easier for your audience if you can organize for them.

Tom
I would try to do it at a higher level of abstraction:
-what security problems do we face?
-in what segments could we divide computer security in your office? (physical security/internet security/security against in-house-attacks/device security/mail security, maybe even social engineering attacks)
...something like that.

The biggest benefit your customers can get (and therefore the best you could do for them) would be to broaden their vision. Technical details like "what is a strong password" are valuable, but remain details after all.
OK, I did the presentation, and it went really well. I awarded points to posts whose information I used for the presentation.
@epichero22 - Thanks for the update and I was happy to help.