Solved

Questions about Internet Security

Posted on 2014-01-30
13
464 Views
Last Modified: 2014-02-15
Hi,

I am doing a presentation for a panel of business consultants and the topic they'd like me to discuss is "Internet Security."  I don't know much about this field, but I'm looking to learn.  I have about a half-hour presentation to give, so I wanted to ask what topics should I discuss (i.e., wireless security, man-in-the-middle attacks, DDoS attacks, etc.)?

This is a company that does coaching for small business owners, so I would like to keep it relevant to that.

Thanks!
0
Comment
Question by:epichero22
13 Comments
 
LVL 24

Expert Comment

by:aadih
ID: 39821482
The following two presentations provide an excellent overview of Internet Security, hence they may help you get a handle on the topic and prepare your presentation:

(1) "10 Things You Need to Know. About Internet Security. Presented by Steven Blanc" at:

http://www.bowdoin.edu/it/fyi/information-security/pdf/internet-safety-presentation.pdf

(2) "Computer and Internet Security Presentation" at:

http://scis.nova.edu/~levyy/CyberSecurityDay/Computer_and_Internet_Security_Presentation.pdf
0
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
ID: 39821492
My guess is that a man-in-the-middle attack might go over the heads of your audience.

Things to address:

1. Keep UAC turned ON for all workstations and servers that use it. Do not turn UAC off.
2. Use strong user passwords on all devices.
3. Do NOT use the administrator userid. It is hidden in modern systems.
4. Do NOT let users be members of the admin group.

Why this list? Because users click on links that say "I can help".

5. Wireless should be secured by a minimum of WPA/PSK with a strong password.
6. Password Protect ALL routers.
7. Configure routers to disallow DDoS attacks and the like. A good router can do this.
8. Use VPN for access to servers. Do not expose servers to the internet.

9. Use good name-brand, commercial paid antivirus.
10. Load EMET 4.1 on modern systems (free from Microsoft).

11. Train users to use their common sense. This is the MOST important step.

... Thinkpads_User
0
 
LVL 11

Author Comment

by:epichero22
ID: 39821828
Thinkpads User:

Do NOT let users be members of the admin group.
Sometimes certain proprietary software requires elevation just to launch the software.  Is there a way around this I'm not seeing?  Otherwise, restricting user accounts would require constant attention by an admin or myself; it wouldn't be feasible.

Wireless should be secured by a minimum of WPA/PSK with a strong password.
I only use WPA2/PSK with AES, does this contradict your advice?  Also, as a side note, I only allow 802.11n connections as I've found that forcing this typically results in higher throughput.  Not sure if this is recommended outside of the necessity for backwards compatibility with 802.11g-only devices, which I rarely come across these days.

Use good name brand, commercial paid Anti Virus.
What are the drawbacks of free AV?  I've been using them for years and never had any problems.  But properly trained users, like you said, is the best AV.
0
 
LVL 24

Expert Comment

by:aadih
ID: 39821911
[Sorry for jumping in, if only to make] two comments:

(1) Using WPA2 with AES is good.

(2) In my experience a free antivirus program is sufficient, if not as good as the paid one (i.e., free ones are as good as the paid ones, in my opinion).  Starting with A, Avast, AVG, Avira ... will do. I recommend Avira, however.
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 39822286
Sometimes certain proprietary software requires elevation just to launch the software.

In my opinion, either you or the vendor should fix this so that does not happen. I have been at this a long time on my own as a consultant and I get clients to ditch software that does not behave. I have NO users as administrators. It is a very bad practice.

I only use WPA2/PSK with AES, does this contradict your advice?

Nope. You are fine with that.

What are the drawbacks of free AV?

Some of the free stuff is adequate but much is weak because it does not have the vendor support that paid stuff has. It takes money to write serious paid AV software.

I use and my clients use the most maligned paid AV software in the world and have done for years. No outbreaks ever.

I have had to rip free AV out of clients because their machines were infested with viruses. I have NEVER been second guessed over my choice.

.... Thinkpads_User
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39822666
There is so much to say about this topic. No ideas? What are the business consultants hoping to get an idea of? Let us have a little more info than only "business consultants" - who do they work for, what do they need the presentation for? You should also be able to judge their own knowledge a little.

One can imagine designing a presentation for grandma and grandpa, for parents, for small business owners, for webshop owners, for online-banking-powerusers, for those who always like to hear about virii, or others that like to be scared by exploit stories... - you might know, we don't :)
0
 
LVL 27

Expert Comment

by:tliotta
ID: 39831366
What are the drawbacks of free AV?  I've been using them for years and never had any problems.

The major drawback is here:

This is a company that does coaching for small business owners, so I would like to keep it relevant to that.
Make sure you read licenses. If you find good AV products that allow free commercial use, please post back here.

Tom
0
 
LVL 11

Author Comment

by:epichero22
ID: 39844823
Some really great points here, thank you.  Here's an outline I wrote, if you care to add anything or comment:

Introduce yourself
What you want to offer.

Bring up “Internet Security”
Internet Security is a broad field.
Today we’ll be talking about some of the main concerns for small business.

Internet Security, for small businesses:

Windows UAC
Windows User Account Control
When it was implemented.
With Windows Vista, probably in response to the flood of spyware that was written for its predecessor, Windows XP.
But the result was too overkill for regular users.
Why it’s needed.
Today, the UAC is more relaxed, but will prevent most critical system changes.
You typically don’t want to turn this off, but some software vendors will request that you do for their software to run properly.

Strong Passwords
How hackers break passwords.
Brute force attacks and keyloggers.
What is, by definition, a strong password?
Go through calculating password strength.
Determined by how many possible combinations a password can have.
So, a three-letter password can have three symbols that are each 26 letters long: 26^3 = 17,576 possibilities.
A 6-letter password: 26^6 = 308,915,776 possibilities.
8 lowercase & uppercase, and any of the symbols on a standard keyboard: 82^8 = over 2 quadrillion different combinations - extremely difficult to break.
The greater the number of characters and possible symbols, the more difficult the password becomes to break.
Choosing a nonsensical password vs. sensible also increases security from dictionary attacks:
p@$$w0Rd vs @@(${pJJ

Disabling the Administrator Account
Hackers know that, by default, the “Administrator” account is the super user of the machine.
Leave this account disabled, but still set it with a password.
Not just on your server; Windows desktops have administrator accounts as well.

Setting a strong Admin password
For this account, you can write down a complex password and keep it somewhere safe.

Don’t let users be part of the Admin groups.
Will help prevent damage that’s accidental or intentional.
Company administrators should normally log on with regular user accounts, and only switch to Admin when necessary.

Wireless security
Using the right protocols.
Today’s standards are:
Wireless Protected Access (WPA) version 2
Advanced Encryption Standard
Both are extremely hard to break.
Enforce the Wireless N standard.

Not sharing your WiFi passwords.
Don’t give out any WiFi passwords.
If you have a guest WiFi for your clients to connect to while they wait, have your staff type the password in for them as opposed to giving them the password.
Always ensure that routing between the networks is turned off.
Periodically changing the passwords.
At least every 6 months, if not every quarter.

If an employee leaves, disable all their accounts immediately.
Password protect all routers.
Use a complex password and keep it somewhere safe.
Picking a router (go into DDoS prevention).
Describe what a DDoS is.
Show a screenshot of a router that has denial of service.
Using VPN.
Describe what VPN is.
Security protocols used and how they work:
IPSec
SSL / TLS
SSH
How to tell what protocol a website uses.
How to calculate the bit security on an encrypted connection (i.e., 128 bit creates how many possible combinations).
Picking an AntiVirus
Retail vs. Free
Licensing requirements.
User and editorial reviews.
Centralized management.
And, the most important step, train users to use common sense.
0
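The password-strength arithmetic in the outline above (26^3, 26^6, 82^8), the dictionary-attack contrast between p@$$w0Rd and @@(${pJJ), and the later "bit security" item can all be worked through with one small estimator. This is an added example, not the original poster's or any answerer's code; it assumes Python's string.punctuation (32 symbols) as the symbol class, so its 8-character total is 84 rather than the outline's 82, uses a constructed four-word wordlist, and treats the guessing rate as a stated assumption.

```python
import math
import string

# Character classes an exhaustive search must cover.  Sizes come from Python's
# string module: 26 lowercase, 26 uppercase, 10 digits, 32 keyboard symbols.
CHARACTER_CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)

# Constructed, deliberately tiny stand-in for a real cracking wordlist.
SAMPLE_DICTIONARY = {"password", "letmein", "welcome", "admin"}

# "Leet" substitutions that dictionary-based guessing undoes before comparing.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def keyspace(length, alphabet_size):
    """Number of candidate passwords of the given length over the alphabet."""
    return alphabet_size ** length


def bits_of_security(combinations):
    """Equivalent key length in bits: 2**bits == combinations."""
    return math.log2(combinations)


def alphabet_size_for(password):
    """Total size of every character class the password actually uses."""
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def is_dictionary_variant(password, dictionary=SAMPLE_DICTIONARY):
    """True if the password is a wordlist entry once case and leet spelling are undone."""
    return password.lower().translate(LEET_MAP) in dictionary


def strength_report(password, guesses_per_second=1e9):
    """Keyspace, equivalent bits and worst-case time to try every candidate.
    guesses_per_second is an assumed offline guessing rate, not a measurement.
    A dictionary variant gets the wordlist size as its effective keyspace.
    """
    variant = is_dictionary_variant(password)
    combos = len(SAMPLE_DICTIONARY) if variant else keyspace(len(password), alphabet_size_for(password))
    return {
        "dictionary_variant": variant,
        "combinations": combos,
        "bits": round(bits_of_security(combos), 1),
        "days_to_exhaust": combos / guesses_per_second / 86400,
    }
```

Running strength_report on both outline passwords shows why the nonsensical one is stronger: the leet-spelled dictionary word collapses to a handful of guesses, while the random one keeps its full 84^8 keyspace.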
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 500 total points
ID: 39844834
Windows UAC
Windows User Account Control


These are the same thing.

But the result was too overkill for regular users.

The inflexible nature (only one "on" option) caused many users to defeat it.

You typically don’t want to turn this off, but some software vendors will request that you do for their software to run properly

Decent software today does not require this at the user level. Change software vendors if they do not comply.

Leave this account disabled, but still set it with a password.

I do not think you can set the password of a disabled account. Check this. If disabled, it should not be enabled to set a password. Just leave it disabled.

Enforce the Wireless N standard.

You can use WPA with G also. Not everyone has N wireless cards.

You have lots of good points there, and I trust the above helps some more.
0
 
LVL 27

Expert Comment

by:tliotta
ID: 39848999
Minor added thought...

You might emphasize when specific points apply to Windows rather than Linux, Android, iOS, etc., as well as when a point applies to a server or a networking device rather than user devices (including mobile). You might even break your list into categories like those to make differences visually obvious.

If you're presenting a 'starting overview', you can make it easier for your audience if you can organize for them.

Tom
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39850304
I would try to do it at a higher level of abstraction:
-what security problems do we face?
-in what segments could we divide computer security in your office? (physical security/internet security/security against in-house-attacks/device security/mail security, maybe even social engineering attacks)
...something like that.

The biggest benefit your customers can get (and therefore the best you could do for them) would be to broaden their vision. Technical details like "what is a strong password" are valuable, but remain details after all.
0
 
LVL 11

Author Closing Comment

by:epichero22
ID: 39861009
OK, I did the presentation, and it went really well.  I awarded points to posts whose information I used for the presentation.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 39861238
@epichero22 - Thanks for the update and I was happy to help.
0
