Give the Gift of Security!
Rmus
November 28th, 2007, 11:19 AM
A recent post by Herbalist reminded me that most discussions in these forums are about products, with not much said about security strategy. He often stresses the need for sound security policies.
Perhaps it's because most people who frequent these forums already have a sound security strategy in place, that they aren't interested in discussing the basics.
Yet, with all of the sophistication of malware these days, most people who suffer the consequences of getting infected do so because of the "click" on an attachment, being enticed to follow a malicious link, opening an unsolicited document which is infected, and so forth...
Pretty basic stuff and simple to avoid.
So, dusting off one of my favorite topics, "Adopt a User," I encourage everyone here to put to use your knowledge of computer security basics.
Instead of spending money on a gift for someone you know who is not very knowledgeable security-wise, why not volunteer your time to help her/him develop a good computer security strategy?
That will be one less statistic in the tally of infected computer users!
----
rich
lucas1985
November 28th, 2007, 02:17 PM
Good challenge :)
kurchatovium
November 28th, 2007, 09:57 PM
-{ Quote: "A recent post by Herbalist reminded me that most discussions in these forums are about products, with not much said about security strategy. He often stresses the need for sound security policies.
Perhaps it's because most people who frequent these forums already have a sound security strategy in place, that they aren't interested in discussing the basics.
Yet, with all of the sophistication of malware these days, most people who suffer the consequences of getting infected do so because of the "click" on an attachment, being enticed to follow a malicious link, opening an unsolicited document which is infected, and so forth...
Pretty basic stuff and simple to avoid.
So, dusting off one of my favorite topics, "Adopt a User," I encourage everyone here to put to use your knowledge of computer security basics.
Instead of spending money on a gift for someone you know who is not very knowledgeable security-wise, why not volunteer your time to help her/him develop a good computer security strategy?
That will be one less statistic in the tally of infected computer users!
----
rich" }-
An excellent idea, Rmus. I always try to help others with security issues. I am by no means an expert, but I feel that if we all help one another we can make things much more difficult for those who make and spread malware.
HURST
November 28th, 2007, 10:19 PM
Personally I've always set up other people's systems when they ask or when I've seen serious security flaws. It's easier than trying to explain and teach them. But I'll join your cause; I'll make the effort.
I'm glad I ran across Wilders. I have learned a lot since I first came to this forum... back then, I thought I knew all about security; now I realize how little I really know and how much there is to learn... (didn't even know that such things as HIPS or sandboxes existed...)
LUSHER
November 29th, 2007, 08:41 AM
-{ Quote: "A recent post by Herbalist reminded me that most discussions in these forums are about products, with not much said about security strategy.
----
rich" }-
Really? We talk about security strategy all the time. I seem to remember seeing people yell about "security layers" all the time. That is security strategy right?
That's all you really need to know about security strategy, i.e. that you need many security layers.
The rest involves knowing enough of the products to decide if adding X to Y is really adding one more layer or if it's the same layer.
What else is there to discuss really?
LUSHER
November 29th, 2007, 08:44 AM
-{ Quote: "An excellent idea, Rmus. I always try to help others with security issues. I am by no means an expert, but I feel that if we all help one another we can make things much more difficult for those who make and spread malware." }-
Personally I decided not to. If everyone becomes more secure, the bad guys will have to come after the better protected people like myself when there is no more low hanging fruit. Why shoot yourself in the foot? :)
So nowadays I see people with obvious mistakes and misconceptions, but I usually don't bother to point it out; let them think they know it all and have perfect defenses... :)
ErikAlbert
November 29th, 2007, 10:11 AM
As a gift of security: I emailed my brother to give him the advice to BACKUP his system, which he never did, and he emailed me back "I have better things to do."
steve161
November 29th, 2007, 10:31 AM
-{ Quote: "If everyone becomes more secure, the bad guys will have to come after the better protected people like myself when there is no more low hanging fruit. why shoot yourself in the foot? " }-
That's funny, and somewhat logical. My experience is that an average user will look at you like you are an alien when you start discussing security. The only people who ask for help are the ones that got owned by some malware. The response ErikAlbert received is probably the most common one.
Pedro
November 29th, 2007, 10:54 AM
-{ Quote: "Really? We talk about security strategy all the time. I seem to remember seeing people yell about "security layers" all the time. That is security strategy right?
That's all you really need to know about security strategy, i.e. that you need many security layers.
The rest involves knowing enough of the products to decide if adding X to Y is really adding one more layer or if it's the same layer.
What else is there to discuss really?" }-
I don't think it is discussed the way it should be, and the way Rich is thinking. I tried and actually started a draft to separate issues and my suggestions to counter them. I was supposed to start a thread, then anyone would criticize it, modify it and give their own sense of strategy. Some members in particular could perfectly fill some of the most important aspects.
Turns out, to make it like I wanted, it's complicated. It takes knowledge AND a good imagination to explain it to anyone (simple terms, without writing an encyclopedia). And without mentioning programs (or mentioning them without making it a "here's my setup" thread).
The document is sitting there waiting for inspiration to finish it. Probably it will stay there; I don't think I know that much :)
Debian also took most of my computer time.
lucas1985
November 29th, 2007, 01:28 PM
-{ Quote: "
That's all you really need to know about security strategy, i.e. that you need many security layers.
The rest involves knowing enough of the products to decide if adding X to Y is really adding one more layer or if it's the same layer.
What else is there to discuss really?" }-
LMAO ;D
The security layers mean nothing without a security policy. The security layers help to enforce the security strategy.
-{ Quote: "If everyone becomes more secure, the bad guys will have to come after the better protected people like myself when there is no more low hanging fruit. why shoot yourself in the foot?" }-
This is a question that always crosses my mind. We are in an arms race between blackhats and whitehats. If the good guys become way smarter, this will create an evolutionary pressure on malware writers (only the better ones will survive). Case in point: Linux, which is almost immune to today's malware. However, a good amount of command & control servers of botnets run on rooted Linux boxes (which run 24/7 with vast amounts of bandwidth and CPU power) managed by lazy admins running very old, unpatched, vulnerable software.
Rmus
November 29th, 2007, 01:31 PM
-{ Quote: "Really? We talk about security strategy all the time. I seem to remember seeing people yell about "security layers" all the time. That is security strategy right?" }-
If your concept of strategy is limited to "security layers" then yes.
-{ Quote: "That's all you really need to know about security strategy. i.e that you need many security layers...The rest involves knowing enough of the products to decide...What else is there to discuss really?" }-
Often, a particular vulnerability that suggests creating another layer for protection can be dealt with by reviewing basic preventative measures taken on the part of the user. To wit, policies in place:
1) regarding email attachments (still one of the biggest suppliers of malware)
2) regarding clicking on links in emails (beginning to rival attachments as an attack vector)
3) regarding downloading of "freebies" from the internet (especially in families with children)
User policies should be the first step in creating a security strategy. SANS.org frequently addresses this topic, most recently in diaries by ISC Handlers Deborah Hale and Mari Kirby Nichols. They focus on the workplace, but the concepts can be equally applied to the home. Setting up and controlling passwords, for example. Or, learning how your financial institutions correspond with their patrons. Most institutions do not discuss security matters by email.
Once sound user policies are in place, security products can be added, tailored to the particular setup|situation of the user. Does she/he intend to do online banking? Set up a LAN? ... and so forth
-{ Quote: "As a gift of security : I emailed my brother to give him the advice to BACKUP his system, which he never did and he emailed me back "I have better things to do."" }-
I don't know how your initial contact about this occurred, but my experience has been that people don't like unwanted, unsolicited advice. In "Adopting a user" it's always been after someone has mentioned a problem to me, or specifically asked for some help. Approaching a person is a delicate issue. Some want help but don't know how to ask the right question, or are embarrassed to ask a question at all. Some don't want anyone to meddle in their affairs.
-{ Quote: "I tried and actually started a draft to separate issues and my suggestions to counter them.
Turns out, to make it like I wanted, it's complicated. It takes knowledge AND a good imagination to explain it to anyone (simple terms, without writing an encyclopedia). And without mentioning programs (or mentioning them without making it a "here's my setup" thread)." }-
Maybe it doesn't have to be complicated. Put yourself in the position of being asked to help set up a person's first computer. They have never used email or surfed the internet.
The challenge is to keep it simple.
-{ Quote: "The document is sitting there waiting for inspiration to finish it. Probably will stay there, I don't think I know that much" }-
I hope you will finish it. You probably know more than you think. Many of today's security products are complicated to use and lead to frustration, resulting in our thinking that we don't know much. On the other hand, basic security strategy can be simple, easy to understand and develop. With a good plan in place, lots of security products aren't necessary.
----
rich
herbalist
November 29th, 2007, 07:17 PM
-{ Quote: "Really? We talk about security strategy all the time. I seem to remember seeing people yell about "security layers" all the time. That is security strategy right?
That's all you really need to know about security strategy, i.e. that you need many security layers." }-
Layered security apps are a means of enforcing a security strategy or policy, not the policy itself. Without an underlying strategy as a guide, it's a collection of security software.
A security policy or strategy can be simple or very detailed. Using Firefox or Opera instead of IE6 to open web pages is a part of a security policy that helps prevent drive-by infections. Blocking e-mail attachments is part of a policy to reduce infected material reaching the user. Allowing only plain text e-mail is a policy component to prevent html exploits being used against your e-mail app. Whether ads are displayed or blocked with a hosts file is part of the policy. Whether you shut down the firewall, HIPS, AV, etc when installing or updating software is part of your security policy.
A security policy is an outline of how your system is used, how different situations and events are handled, what apps are used to open which files, media, etc. It covers what users are and are not allowed to do. Users that understand the interaction of the different processes on their PC can expand this to include what each executable can and can't do, which ones can launch what other processes, which are allowed internet access and to where? The decision whether to allow automatic updates or to update everything manually is part of the security policy. It may sound overly simple, but choices like this affect how other things are configured. If your AV is allowed to update automatically, then your firewall rules must allow that updater to connect out. If you use HIPS, it must be configured to allow that AV updater to do everything it needs to. If it's updated manually, the user can use "allow once" replies to the alerts.
Using the browser for an example, your policy decides your configuration. If Firefox is your default browser, is Internet Explorer going to be used at all? If not, a rule blocking its internet access enforces the policy by preventing its connecting. A HIPS rule that prevents it from running goes further and defeats potential exploits that would launch it from another app. Let's go a bit further. Opening links to PDFs: in your browser, or download first? Are links in a PDF allowed to launch your browser? These are policy decisions that affect the configuration of both apps, the firewall, and if you use one, a HIPS.
A security policy is the establishing of set procedures that cover day to day usage. It specifies how the known and unknown are handled. Building a working security policy starts with establishing the basics of how your system is to be used, then thinking through the details and configuring your security apps to enforce the decisions or policy you've set.
Rick
LUSHER
November 30th, 2007, 12:53 PM
Herb makes these "security policies" sound really boring..
No wonder, nobody talks about them. heh.
Still, like many in these forums, I am a believer in having a multi-layered defense that also includes elements of HIPS and process control. There's simply no substitute for a classic layered security setup drawn from the finest HIPS, virtualization, and sandboxing technologies that the security industry can offer.
I have thrown the toughest, most irresistible rootkits at my setups, delved into the deepest darkest parts of the www and have emerged unscathed. All without security policies.
Looks like Lusher 1, Security policy 0.
Pedro
November 30th, 2007, 03:29 PM
-{ Quote: "
Looks like Lusher 1, Security policy 0." }-
Hey, if you think so, I won't argue...
herbalist
November 30th, 2007, 10:10 PM
Devising a security policy or strategy is definitely not exciting. Neither is writing rules for a firewall or HIPS, or filters for Proxomitron. With many projects, the planning stage is the boring part. It's no different with a security policy, especially if you go into detail. On my PCs (all but some test units) I use a policy that has default-deny at its core, which many find even more boring and restrictive. Many of them don't understand what a default-deny policy really is. It's definitely not as exciting or glamorous as allowing a piece of malware to run just to see if your security package will contain all the malicious activities. I prefer a more straightforward approach: If it can't run, it can't hurt you. Exciting? No. Effective? Very. Classic HIPS like SSM are the ideal tool for enforcing such a policy. In addition to specifying which apps and processes can run, I took that further and applied the default-deny concept to each process and executable. I limit each one to what it needs to function properly and what other processes each can start and be started by. The same applies to internet access. Each gets only what it needs. Web content also gets the default-deny policy applied to it. Whenever possible, all unwanted and undesirable content is filtered out. These types of restrictions reduce your attack surface, the number of potential entry points, and if an exploitable vulnerability is found, it severely limits what can be done with it.
Setting up such a policy is very tedious and time consuming. There's a lot of planning, experimenting, and investigating involved. When it's done properly, the end result is a system that's fast, reliable, and almost bulletproof, a system that doesn't depend on the next set of patches, signature files, or the newest version of each app to remain comparatively secure, one I can deliberately visit malicious sites with and come out clean. I don't need to be concerned about a new malware breaking out of a sandbox or virtual environment. I'm not using one, save for one test box. I don't have to rely on a frozen snapshot, restore point, image, etc. to put my system back the way it was (and hope nothing got stolen in the meantime, like a password for an account) because the malicious code does not run, so nothing gets changed. My registry is exactly the same as it was yesterday, last week, or last summer. Nothing added, nothing removed. I don't worry about what might happen when someone else uses my PC. They can't install or remove anything or change any important settings. IMO, the results are worth the time, effort, and boredom endured in setting up such a policy. It might take the excitement out of it when you visit a malicious site and nothing happens, but the satisfaction is just as good.
Rick
Rmus
November 30th, 2007, 11:21 PM
Some other thoughts about strategy, or policies:
Approaches to Default-Deny can also include,
==> setting Software Restriction Policies, based on the White-List Principle.
==> setting up Limited User accounts where, in a family, several use one computer.
Working with families is rewarding. One solution I use, which I refer to as Set-and-Forget (found this phrase in an old article) is to install Anti-Executable (Default-Deny) on family computers, where the parent's policy is to approve everything that gets installed.
While these policies might seem restrictive, if presented in the right way to children at an early age, they accept that "this is the way it is in our family." Like establishing a curfew as they get older. During these formative years the parents are instilling in their children safe user habits regarding email and surfing the internet, for example.
One friend is now teaching his two children (ages 11, 12) how to configure the browser, how a firewall works, and how to back up their school files themselves. What I find significant in the cases I'm familiar with is that these young people are learning that "driving" a computer safely is similar to driving a car safely: you first learn safety procedures (policies, if you want). You don't need a lot of security products to have a safe computing experience.
By the time the parents give their children their first computer, basic user policies -- the beginning of a sound security strategy -- are well established.
----
rich
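The thread keeps returning to the same idea from two directions: herbalist's per-process rules (which apps may run, which may launch which, which may connect where, with "allow once" replies for manual updates) and Rmus's whitelist-based Software Restriction Policies and Anti-Executable. The following is an added example, not code from any poster, SSM, Anti-Executable or Windows SRP: a small Python model of such a default-deny policy, evaluated against a constructed event stream. All paths, hosts and rules in it are hypothetical.

```python
"""Model of a default-deny security policy, added as an illustration of the
rules described in this thread. Constructed example code: not SSM,
Anti-Executable or Windows Software Restriction Policies. The paths, hosts
and rules below are hypothetical."""
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass
class Policy:
    # Whitelist: only programs matching one of these glob patterns may run at all.
    allowed_programs: set
    # Launch rules: parent program -> patterns of child programs it may start.
    launch_rules: dict
    # Network rules: program -> patterns of "host:port" it may connect to.
    network_rules: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


def _matches(value, patterns):
    """Case-insensitive glob match against any pattern; no patterns means no match."""
    return any(fnmatch(value.lower(), p.lower()) for p in patterns)


def evaluate(policy, event, one_time_grants=None):
    """Return a Decision for one event. Anything not explicitly allowed is denied.

    one_time_grants models the "allow once" reply to a HIPS alert: a grant
    keyed (kind, program) is consumed the first time it is used.
    """
    kind, prog = event["kind"], event["program"]
    key = (kind, prog)
    if one_time_grants is not None and key in one_time_grants:
        one_time_grants.remove(key)
        return Decision(True, f"{kind} {prog}: allowed once by user")
    # Rule 1: the program must be on the whitelist, whatever the event is.
    if not _matches(prog, policy.allowed_programs):
        return Decision(False, f"{prog}: not on whitelist (default deny)")
    if kind == "start":
        parent = event["parent"]
        if not _matches(prog, policy.launch_rules.get(parent, ())):
            return Decision(False, f"{parent} may not launch {prog}")
        return Decision(True, f"{parent} -> {prog}: launch rule")
    if kind == "connect":
        dest = f"{event['host']}:{event['port']}"
        if not _matches(dest, policy.network_rules.get(prog, ())):
            return Decision(False, f"{prog}: outbound {dest} not allowed")
        return Decision(True, f"{prog} -> {dest}: network rule")
    return Decision(False, f"{kind}: unknown event kind (default deny)")


def run_policy(policy, events, one_time_grants=None):
    """Evaluate a sequence of events; returns the list of Decisions in order."""
    return [evaluate(policy, e, one_time_grants) for e in events]


# Constructed policy for a hypothetical home PC (paths and hosts are made up).
EXPLORER = r"C:\Windows\explorer.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
AV = r"C:\Program Files\ExampleAV\av.exe"
AV_UPDATER = r"C:\Program Files\ExampleAV\update.exe"

HOME_POLICY = Policy(
    allowed_programs={EXPLORER, FIREFOX, NOTEPAD, r"C:\Program Files\ExampleAV\*.exe"},
    launch_rules={
        EXPLORER: {FIREFOX, NOTEPAD, AV},  # the shell may start the user's apps
        AV: {AV_UPDATER},                  # only the AV may start its updater
        # Firefox has no entry: it may launch nothing (default deny).
    },
    network_rules={
        FIREFOX: {"*:80", "*:443"},                   # browsing only
        AV_UPDATER: {"av-updates.example.com:443"},   # a single update host
    },
)

# Constructed event stream, as a HIPS/firewall would see it.
SAMPLE_EVENTS = [
    {"kind": "start", "parent": EXPLORER, "program": FIREFOX},
    {"kind": "start", "parent": FIREFOX, "program": IE},       # IE not whitelisted
    {"kind": "start", "parent": FIREFOX, "program": NOTEPAD},  # no launch rule
    {"kind": "connect", "program": FIREFOX, "host": "www.example.com", "port": 443},
    {"kind": "start", "parent": AV, "program": AV_UPDATER},
    {"kind": "connect", "program": AV_UPDATER, "host": "av-updates.example.com", "port": 443},
    {"kind": "connect", "program": AV_UPDATER, "host": "203.0.113.5", "port": 443},
]

if __name__ == "__main__":
    for decision in run_policy(HOME_POLICY, SAMPLE_EVENTS):
        print("ALLOW" if decision.allowed else "DENY ", decision.reason)
```

The two denials in the sample stream are the cases herbalist describes: Internet Explorer is refused even when another app tries to launch it, because it is simply not on the whitelist, and Notepad, although whitelisted, is refused as a child of Firefox because no launch rule says Firefox may start it. Passing a set such as `{("start", NOTEPAD)}` as `one_time_grants` lets that one launch through once, after which the default-deny rules apply again.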
herbalist
December 1st, 2007, 12:38 AM
Whitelisting is definitely at the heart of default-deny. I don't have the limited user account option (Win98). SSM can effectively do the same thing anyway, and in more detail.
A lot of people reject default-deny outright, with "too restrictive" being the most common reason given. The sad part is that in normal usage, the user wouldn't notice that there is a default-deny (or any other) policy in place. It wouldn't reveal itself until they started trying to change configurations or install something. During normal operation, everything works the way it's supposed to. The security apps sit quiet. Default-deny does not equate to a steady stream of alerts and access denied messages, unless you're tampering with it, trying to defeat it. Just because a PC is protected by a default-deny policy doesn't mean that you can't install something. It means that updating and installing is now a system administrator's task, not the user's. If you're one who is always installing and removing new apps, default-deny isn't for you. It's a policy for finished systems that are equipped and configured to your satisfaction. A PC on which apps are added and removed on a regular basis has a default-permit policy, aka almost anything goes. Somewhere down the line, there's a price to be paid for doing that. It might be an infection, a software conflict, or just a general degrading of performance, but eventually it will catch up to you.
You describe an excellent way to approach this in a home environment. Restrictive? Maybe in the kids' eyes. I've serviced too many PCs where the kids have installed stuff the parents didn't want and tried to hide its existence. On one home PC, I ripped Kazaa and all its bundled malware out 3 separate times. I'd much rather be bored writing rules for a firewall or HIPS than doing that.
I would assume that most of those who visit here are the administrators of their own PCs. I would like someone to explain to me how a default-deny policy that you set up on your own PC is too restrictive. It's enforcing your rules. It's limiting the system to what you want used and blocking what you don't want touched. How does restricting the PC to running what you want used qualify as too restrictive?
Rick
LUSHER
December 1st, 2007, 07:07 AM
-{ Quote: "
I would assume that most of those who visit here are the administrators of their own PCs. I would like someone to explain to me how a default-deny policy that you set up on your own PC is too restrictive. It's enforcing your rules. It's limiting the system to what you want used and blocking what you don't want touched. How does restricting the PC to running what you want used qualify as too restrictive?
Rick" }-
You don't get it. You really don't. You can (and probably will) write a million words on the subject and you still don't understand where most of the people here are coming from.
I don't foresee getting through to you any time this side of eternity, so I'll just say it's a matter of different objectives and focus and leave it at that.
LUSHER
December 1st, 2007, 07:11 AM
-{ Quote: "Hey, if you think so, I won't argue..." }-
I'm not sure if I think so. But I'm sure a lot of people do, but are too bored to read this thread... I'm posting on their behalf. ;D
GlobalForce
December 1st, 2007, 07:21 AM
Rich, Rick .... entertaining and enlightening perspectives for 'most' of the folks visiting. Always a pleasure.
Steve
ConstantLearning
December 1st, 2007, 10:04 AM
Well I'm not bored & I'm anything but an expert.
I'm always prepared to wait, read up on anything new or anything I don't understand and when in doubt - don't.
However, the co-owner & co-user of this PC is of an opposing ideology - double-clicks a single-click mouse if it's not loading fast enough to suit them. Can't be bothered temporarily allowing a site but allows it on NoScript - can't see the point of NoScript ::) & can't be bothered noticing what it has blocked, allowing the necessary ones to complete a purchase before loading the page etc etc etc ad nauseam
To make it worse, same user will boot up IE because it's "easier" than dealing with all the "security c***" that I've added to Fx (AdBlock+ & NoScript is it so far as we/I am re-setting up the PC after it got too slow, stuck with an OEM re-boot disk rather than outright ownership of XP Home unfortunately )
So I'm the De Facto Admin of a 2 user Standalone where one is security conscious and the other is of the opinion that as we've been lucky so far - this luck will continue ::) *sigh*
Other user wants to switch to Linux SUSE10 & assures me it will be easy "cos their dad runs it" ( same parent that has been through several rebuilds or repurchase of pc's in a year due to fatal crashes in the learning curves and changes OS frequently ) I have no issue with switching to Linux but want to run it separately in a virtual partition while we learn it so we have a functioning PC ( my lifeline to outside world ) and can be sure of what Software we need to get before making the switchover etc - apparently this is a "defeatist attitude" as we can be talked through by the parent and just need to do a little reading :o Fact that other user is rarely here, has no spare time and no inclination to read "boring stuff" seems not to hold any weight no matter what - apparently it's "cool" - and yes both are well over 30yrs old for goodness sake!
Currently running NIS 2007 & SWS Basic 2006 as they've been paid for but will not be renewing them. Also have SS&D as a secondary layer and did have Spy Sweeper which I personally found to be lacking in the information it gave apart from "you appear to have been infected with X or Y. Quarantine, Delete or Ignore?" - both times they were FP's. (I found the lack of info as to where the "spy" was, when it had been installed etc to be less than helpful to say the least.)
Insists on going online with Word - even though has been informed many times that we need to install Office SP3 First - I'm still working my way through the instructions as Word is the only part of the program we use. I am slow I admit freely. I do like to spend a little time on the PC not focused on security but as I'm disabled never know when I can use it and when not & often when I can I'm in no state to follow a detailed instruction - half the time can't read it due to the meds etc etc blah blah blah ( anyone fallen asleep yet? 8) )
So upshot is - anyone want to adopt me? ;D Or help me setup a security policy that works no matter what fellow user clicks?
If not, thanks for the opportunity to vent at least :thumb:
peace,
~ CL ;D
herbalist
December 1st, 2007, 01:25 PM
-{ Quote: "You don't get it. You really don't. You can (and probably will) write a million words on the subject and you still don't understand where most of the people here are coming from.
I don't foresee getting through to you any time this side of eternity, so I'll just say it's a matter of different objectives and focus and leave it at that." }-
Apparently not. You did an excellent job of not spelling it out as well.
As for where most here are "coming from", their "objectives and focus", there's several different groups here. Some want software that does all the work for them. Some treat security apps like toys, installing as many as possible without ever understanding how or why they work, or what the consequences of all the overlapping "protection" can be. There's a whole lot of "install the latest and greatest" here, a lot of comparing products based on how many features it has, rating it based on how it does with "leaktests" and so-called product comparison sites.
There's also a group here that's come to the same conclusion I have, that to properly secure a system, you have to understand it and how it works. This group understands that how an app is configured is more important than how many features it has, that passing a leaktest is meaningless without understanding what that leaktest actually does, how it works, and how it applies to real life usage, that newer doesn't always mean better, and that layered security is much more than a collection of security apps. When I don't see any of this group here, I'll stop posting since nothing I post would be of any use to any of the other groups.
Rick
Rmus
December 1st, 2007, 01:43 PM
-{ Quote: "However the co-owner & co-user of this PC is of an opposing ideology - " }-
That's a no-win situation, IMO.
If possible, save money to purchase your own computer and leave co-user to untangle his own mess.
----
rich
BlueZannetti
December 1st, 2007, 01:58 PM
-{ Quote: "So upshot is - anyone want to adopt me? ;D Or help me setup a security policy that works no matter what fellow user clicks?" }-
Well, if it's simply about clicking away on things, and program installations are not an issue (i.e. all this is unwanted dynamic stuff and not some precious screensaver purposely downloaded), just implement a password protected virtualization solution (ShadowDefender, Returnil, ShadowSurfer Pro, Deep Freeze: cost varies from $70 down to free in that list), exclude personal folders under My Documents for each user by the most appropriate mechanism (depends on solution selected - could be an explicit exclusion or a move of the folders to a non-virtualized partition), and be done with it.
Blue
Rmus
December 1st, 2007, 02:07 PM
-{ Quote: "...just implement a password protected virtualization solution..." }-
I considered that, but if they are co-owners/co-users, the other might balk at the restrictions, leading to unpleasant situations...
----
rich
herbalist
December 1st, 2007, 02:10 PM
ConstantLearning,
Both of you own the PC equally? If that's the case, you two have to find a common starting point. You mention that he wants Linux, which you'd rather see run in a virtual environment first, and that his behavior with Windows is based on being lucky and that the luck will continue.
There is another option here. Since you both own the PC, how about a dual boot? You own and control Windows. He owns Linux. Each of you controls your operating system and runs as a guest on the other's. You can't alter or install to Linux; he can't alter Windows. Might be a starting point.
As for learning Linux, have you checked out a liveCD? You can see what Linux is like without actually installing it. Live CDs run slowly compared to an installed system, but it still lets you evaluate different packages to find what you like. With some like the Knoppix (http://www.knoppix.org/) live CD, you can do a "poor man's install" (http://www.knoppix.net/wiki/Poor_Mans_Install) which basically copies the files to a hard drive without actually installing them. The CD drive is freed up and it runs faster, almost like an installed system. Removing it is as simple as deleting the files.
Rick
BlueZannetti
December 1st, 2007, 02:10 PM
-{ Quote: "There's also a group here that's come to the same conclusion I have, that to properly secure a system, you have to understand it and how it works." }-
Well, a simple reality is that this might be 1% of the general user population, maybe... It could be a lot less than that.
The approach of the remaining folks is probably something along the line of "I have a black box, I like what it shows on the monitor, I don't want my bank account emptied or credit card information stolen, and I don't want to be part of a botnet - whatever that really is - I don't know what it is, but I know it's bad..., What do I do?"
It's not "what do I learn?" it's "what do I do?" Five steps, ten steps, whatever number but it has to be small and it has to be "perform this action and you're done"; install this stuff and/or click these boxes and that's it. That's reality. If they then want to learn, great, but virtually nobody starts there and hardly anyone ends there.
The fact of the matter is that this scheme, regardless of how mindless it seems, can work very well for most (really all...) people if they're provided reasonable information.
Blue
BlueZannetti
December 1st, 2007, 02:14 PM
-{ Quote: "I considered that, but if they are co-owners/co-users, the other might balk at the restrictions, leading to unpleasant situations..." }-
Quite true - hence the qualifier around -{ Quote: "Well, if it's simply about clicking away on things, and program installations are not an issue (i.e. all this is unwanted dynamic stuff and not some precious screensaver purposely downloaded)" }- and even here one needs to be somewhat cautious. It gets complicated if the second user is a purposeful installation junkie (versus a rube who's a magnet for drive-by downloads and stealth installs).
Blue
herbalist
December 1st, 2007, 02:51 PM
-{ Quote: "Well, a simple reality is that this might be 1% of the general user population, maybe... It could be a lot less than that." }-
It would seem I'm in a much smaller minority than I realized. I've always worked on the assumption that most who come here are not your typical or "general public" user, an assumption that appears to be wrong. My experience has shown me that the "average user" is already infected and doesn't know it. The average user has no clue what the threats really are or just how much the internet has in common with a war zone.
-{ Quote: "The approach of the remaining folks is probably something along the line of "I have a black box, I like what it shows on the monitor, I don't want my bank account emptied or credit card information stolen, and I don't want to be part of a botnet - whatever that really is - I don't know what it is, but I know it's bad..., What do I do?"
It's not "what do I learn?" it's "what do I do?" Five steps, ten steps, whatever number but it has to be small and it has to be "perform this action and you're done"; install this stuff and/or click these boxes and that's it. That's reality." }-
I have a very hard time with that, even if it is what most people would prefer. To me, doing that is the equivalent of handing someone a new weapon with very few instructions and sending them to a battle zone. When they come back a casualty, give them bigger weapons. IMO, the only ones benefiting from this arms race in the long term are the ones selling the software.
Rick
Pedro
December 1st, 2007, 03:29 PM
-{ Quote: " To me, doing that is the equivalent of handing someone a new weapon with very little instructions and sending them to a battle zone. " }-
Maybe more like a map to avoid the front lines.
Hairy Coo
December 2nd, 2007, 02:36 AM
-{ Quote: "Herb makes these "security policies" sound really boring..
No wonder, nobody talks about them. heh.
Still, like many in these forums, I am a believer in having a multi-layered defense that also includes elements of HIPS and process control. There's simply no substitute for a classic layered security setup drawn from the finest HIPS, virtualization, and sandboxing technologies that the security industry can offer.
I have thrown the toughest, most irresistible rootkits at my setups, delved into the deepest, darkest parts of the www and have emerged unscathed. All without security policies.
Looks like Lusher 1, Security policy 0." }-
A vote for Lusher's approach, which indicates common sense, is effective and simple :thumb:
BlueZannetti has it right - even more advanced users have better things to do with their valuable time than trying to comprehensively understand how it all works prior to properly securing a system, when the simple solutions can do it all.
EASTER
December 2nd, 2007, 03:01 AM
Similar results from this end also.
I have fiercely opposed my own system with everything from the most notorious of malware to landing inside booby-trap-laden sites, only to now, thanks in large part to HIPS + Sandboxes, watch a comical show of malware trapped in suspended animation without the previous common anxieties that used to create doubt and other uncertainties.
The Layered Approach is a most formidable front that is now most educational, as you can calmly observe the what & where of potential infectious files trying to move. The SUSPEND code many HIPS employ has been invaluable in holding off these mischiefs while affording the user CONTROL in making his/her decision on them.
Mrkvonic
December 2nd, 2007, 07:02 AM
Hello,
I think that security begins with understanding what bad things can happen - and then trying to find the right way to prevent them from happening.
Example:
Data gets lost for some reason (virus, hard drive failure etc) - backup.
Malware gets installed - revert to system state without malware.
These are just simple crude examples, but once the person fully understands the consequences of his/her deeds and the price required to prevent the consequences, he/she will have a working and effective setup.
The price can be time, money, sometimes even loss of data, or maybe involvement with the authorities. Each vector has its countermeasures.
Once the person understands how he/she can stop the worst from occurring, the fear goes away. Once the fear is gone, the learning can really begin.
I don't think a person must fully understand how the system works, but he/she must understand:
- What leads to where
- How to identify problems and avoid them
- How to identify the consequences of problem and cure them
Using imaging software against malware is not good enough. One must understand that the current setup is corrupt and revert to a good one, otherwise that one will continue working as if nothing happened.
Using HIPS is not good enough. One must understand the prompts.
Using AV is not enough; what are false positives, for instance?
All in all, some knowledge is needed. I call that driving skills. One does not have to know what ABS really is or how it is built - but one MUST know that ABS will affect the braking - and HOW. The same applies to driving in the rain, what slick tires can do, weight distribution etc. One does not need to know how suspension is built or the friction properties of rubber. But understanding the action-reaction is a must.
I believe in trying to teach people the following things:
0. Don't panic, rule 1 in the Hitchhiker's Guide.
1. Try to explain the consequences of bad computing.
2. Avoid problems as much as possible - most people do not have the time, patience or skill to master the nuances of the web; so for them, the best way to solve problems is to stay away. In other words, I don't want them to test their AV, AS or whatever. I want their AV, AS to stay as quiet as possible. Call that a Cold War.
3. If problems somehow "slip" - what now? Here comes the cure issue. How can one assure that data / precious things remain safe, regardless of the problem type and nature.
4. Finally, getting more technical, analyzing the system and identifying problems; this is what we spend quite a lot of time on as security geeks, testing and testing and testing. It can take lots of leads and it never ends.
Mrk
RCGuy
December 24th, 2007, 07:44 AM
-{ Quote: " Instead of spending money on a gift for someone you know who is not very knowledgeable security-wise, why not volunteer your time to help her/him develop a good computer security strategy?
That will be one less statistic in the tally of infected computer users!
----
rich" }-
I haven't been able to keep up with this thread since it started almost a month ago now, but since I have some time off from work because of the holidays, I would like to add my two cents' worth to this thread. In addition to Rmus' suggestion above, I would also like to suggest that either the Wilders Security Forum or posters here at this forum post Stickies or threads, respectively, that explain basic security concepts and strategies to newer members here at this forum or members who are not as technically adept as other members. There are still a lot of security concepts that I don't understand, and often times when other members discuss these concepts, it sounds like Greek to me. For instance, one poster mentioned something to me about "code that is script-based" and a "scripting flaw." Now I hate to sound unnecessarily ignorant, but I really don't understand the concept of "scripting." Now I do know that javacoolsoftware has this little program that disables "scripting" in Windows Media Player to help protect your computer against the scripting vulnerabilities that are inherent to Windows Media Player, but that's about the extent of me knowing what to do to protect my computer against scripting vulnerabilities. And of course it all goes back to the thing where if you have never been taught something, you're just not going to know it. And I know that a person could always google information about "scripting," but unfortunately, most of the time that person has to plow through all the websites, information, and articles that don't answer his or her question about scripting until he or she finds the information that they are looking for, and that ends up being very time consuming. But my suggestion is to create a thread or a Sticky that explains essential security concepts, from "scripting" to what a "HIPS" is, that many members here take for granted.
Also, often times technical concepts are explained or discussed here at this site in more of a "college level" type style; however, I just thought about a scene from the movie "Philadelphia" where Denzel Washington's character just didn't understand Tom Hanks's character's situation and said to him, "Now, explain it to me like I'm a four-year-old." Now, hopefully, I'm not sounding too much like an idiot, but someone in this thread said something about how the average person doesn't really want to "understand" internet security, but is content with just knowing what protection programs they should have on their computers, and that may be true, but I believe that most of the new (or relatively new) people who come to this forum (including myself) do want to understand the issues with security and would benefit greatly from the more knowledgeable members teaching them fundamental security concepts and information that the more knowledgeable members themselves take for granted.
LoneWolf
December 24th, 2007, 09:36 AM
-{ Quote: "So nowadays I see people with obvious mistakes and misconceptions, but I usually don't bother to point it out, let them think they know it all and have perfect defenses..... :)" }-
Nice attitude for being a member of a security forum. :dry:
AJohn
December 24th, 2007, 09:31 PM
-{ Quote: "That's funny, and somewhat logical. My experience is that an average user will look at you like you are an alien when you start discussing security. The only people who ask for help are the ones that got owned by some malware. The response ErikAlbert received is probably the most common one." }-
Seems the case ;D They don't want help until their computer doesn't work and someone just keylogged their dad's Credit Card and used it to buy a few TVs.
RCGuy
December 26th, 2007, 02:18 AM
-{ Quote: " ...I would also like to suggest that either the Wilders Security Forum or posters here at this forum post Stickies or threads, respectively, that explain basic security concepts and strategies to newer members here at this forum or members who are not as technically adept as other members. There are still a lot of security concepts that I don't understand and often times when other members discuss these concepts, it sounds like Greek to me.... someone in this thread said something about how the average person doesn't really want to "understand" internet security, but are content with just knowing what protection programs they should have on their computers, and that may be true, but I believe that most of the new (or relatively new) people who come to this forum (including myself) do want to understand the issues with security and would benefit greatly from the more knowledgeable members teaching them fundamental security concepts and information that the more knowledgeable members themselves take for granted." }-
I would like to know if any of the newer members or less knowledgeable members find any merit in or agree with my suggestion above, or if I'm a "lone ranger" on this matter. (And no offense ronjor... although he did recently change his avatar. :dry: ;) )
LUSHER
December 27th, 2007, 08:50 AM
-{ Quote: "I would like to know if any of the newer members or less knowledgeable members find any merit in or agree with my suggestion above. " }-
I fully agree.
Copyright ©2002 - 2012, Wilders Security Forums