I'm often asked to explain information security to non-technical computer users, and when I do it generally overwhelms them, so that instead of anxiety they react with numbness. The problem is that information security is largely a technical problem, with technical solutions. Anyone who advocates user training is blissfully ignorant of the wealth of academic research that clearly demonstrates user education is fairly useless in the face of modern security threats. If educating a user about security threats isn't sufficient, however, where should one turn in an effort to make the average computer user's experience safer?
Information security is a technical concern. Flaws in technical systems allow attackers to compromise machines. Problems with Flash players, PDF readers, e-mail programs and office software allow attackers to install malicious software without user consent. Sadly, though, many of these issues are blamed on users. When reporting a virus infection to technical support, I overheard one user say repeatedly: "No, I didn't click on a link in e-mail." Consider, for a moment, the sheer absurdity of this accusation leveled against the user. The technical support person was blaming the user for utilizing their e-mail program in the way it was designed. Why, if it is dangerous to click on links in e-mail, does the e-mail program allow the user to do just that? PICNIC (Problem In Chair, Not In Computer) is not adequate once computers become consumer products. You can't blame a user who went to a big-box chain, bought a laptop off the shelf, came home and plugged it into their cable box, for not knowing how to be safe on the internet. It simply isn't the user's responsibility!
Personally, I blame developers for the state of computer security today. Not lazy developers, or irresponsible developers, but developers who are rushing products to market without considering the implications of the code they write. If you've ever read a EULA (End User License Agreement), you'll notice that software manufacturers completely abdicate any responsibility for the effects of the software they sell or distribute. Why is that? My conjecture is that if the situation were otherwise, software developers would drown in liability. The reality, however, is that because of this indemnity, software manufacturers simply don't concern themselves with the ramifications of the software they write, merely the utility.
All of this is well and good, and is perfect rhetoric in the echo chamber of a purely infosec audience, but it doesn't help the average computer user. Recognizing that people have to use computers in their daily life, and recognizing that they expect the same utility from their computers as from their cars (i.e. get in, turn the key, go to work), I have tried to compile some suggestions for end users to help keep them safe online. These tips cover both security and privacy, from the abstract to the concrete. Any suggestions or feedback about this list are greatly appreciated.
1. Being part of the herd actually makes you a target.
Sadly, computer users aren't like zebras. Unless you possess some unique access to valuable information, attackers will not single you out for compromise. Rather, they will perform a cost-benefit analysis and try to determine the easiest way to compromise the largest number of targets in the shortest period of time possible. Exempting yourself from the largest target pool will, in fact, keep you safe. It isn't true that Macs get no viruses, but it is true that at this time Macs make up a smaller population of computers on the internet, and thus are less of a target for bad guys. Using alternatives to popular software will help to keep you out of the largest pool of targets. Consider using a web browser like Google Chrome, Mozilla Firefox, or Apple Safari. These are by no means 100% safe, but they constitute a smaller percentage of the web browsers out there at the moment (although the rise of mobile technology such as smart phones and tablets could change this fact, so beware). For e-mail, consider using Mozilla Thunderbird or a web-based e-mail client. For office products, check out LibreOffice. Think about maybe using a Mac.
2. Keep your software up to date.
It's a hassle, I know. You turn on your computer and you just want to see if you got a good deal on the shoes you bought at the mall, and all of a sudden you're being prompted to update your software, and it makes your computer slow. Keeping your software up to date, and enabling automatic updates, is a proven, effective way to keep your computer safe from attack. This is problematic when you don't leave your computer on all the time, though, because some updates can be really large. Sadly, there isn't a way to get around this at this time.
3. Stay safe online.
By far the best way to stay safe online with your web browser is to download and install the HTTPS Everywhere plugin from the Electronic Frontier Foundation. This plugin will ensure that you use encrypted connections to websites where available, without any demands on you as a user.
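As an added illustration of the idea behind that plugin (this is not the EFF's code, and the domains and rules below are constructed for the example), here is a simplified model of a ruleset-driven HTTPS upgrade: a site is only rewritten to https:// when a rule says the encrypted version is available, excluded paths are left alone, and nothing is ever downgraded.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Ruleset:
    """A simplified ruleset: which http:// URLs of one site can be upgraded."""
    name: str
    rules: list                                   # (from_regex, to_template), applied in order
    exclusions: list = field(default_factory=list)  # regexes for URLs that must stay untouched


# Constructed rulesets for made-up sites (assumption: these hosts serve HTTPS).
RULESETS = [
    Ruleset(
        name="Example.com",
        # Canonicalise bare and www. hosts onto the one HTTPS host.
        rules=[(r"^http://(www\.)?example\.com/", "https://www.example.com/")],
        # A legacy path that (in this example) is not served over HTTPS.
        exclusions=[r"^http://example\.com/legacy/"],
    ),
    Ruleset(
        name="Example.org",
        # Preserve any subdomain via a back-reference in the replacement.
        rules=[(r"^http://([^/:@]+\.)?example\.org/", r"https://\1example.org/")],
    ),
]


def upgrade_url(url: str, rulesets: list = RULESETS) -> str:
    """Return the HTTPS form of `url` if a ruleset covers it, otherwise `url` unchanged.

    Unknown sites are deliberately left alone: upgrading blindly would break
    sites with no HTTPS, which is why the real plugin ships per-site rules.
    """
    if url.startswith("https://"):
        return url                     # never downgrade an already-encrypted URL
    for rs in rulesets:
        if any(re.search(pat, url) for pat in rs.exclusions):
            continue                   # excluded path: leave this site's URL as-is
        for from_re, to in rs.rules:
            if re.search(from_re, url):
                return re.sub(from_re, to, url, count=1)
    return url


if __name__ == "__main__":
    for u in ["http://example.com/login", "http://example.com/legacy/feed",
              "http://static.example.org/app.js", "http://unknown.test/"]:
        print(f"{u}  ->  {upgrade_url(u)}")
```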
4. Protect your privacy.
Download and install the Better Privacy and Flash Block plugins if you're using Firefox (or look for alternatives for other browsers). Flash is a technology that allows video to work on the web. It is also used to track users and invade your privacy. You'll be shocked at how many little instances of Flash you see on the web once you block it. The Flash Block plugin doesn't stop Flash, but it allows you to choose which Flash movies run, so you can still use online movies and music services.
5. Don't give away your personal information.
Don't sign up for mailing lists with your real name, don't fill out online surveys, and don't follow links to unsubscribe from e-mail. Be aware that data about you has value, and treat it like a valuable resource. Companies buy and sell information about your name, address, contact information, gender, profession, likes and dislikes, and so on. This data is valuable to marketers and according to US law as soon as you provide that data to a company they own it, not you. That means they can distribute it, resell it, or use it to track you.
6. Be aware that anti-virus software doesn't work.
That's right, it's an open secret that anti-virus programs just don't work. They're overwhelmed. They will stop the most basic attacks if you're running on the most common platforms, but in reality they won't keep you safe. If you're going to use anti-virus software, consider using free ones, such as Microsoft Security Essentials. It may not work either, but at least you're getting what you pay for.
7. Passwords are pretty much the keys to the kingdom.
Choose good passwords. As a general rule, a longer password is better. Write your password down, just not in a place where an attacker could get it. Writing your passwords on a sheet of paper and keeping that in your desk drawer at home is perfect. Don't leave passwords on notes near your computer in your office or in other areas where someone else might see them (keep them in your drawer at least). Don't write your passwords down in a file on your computer, as a virus could steal that file. If you need a helping hand, search for a password management application that you can install on your computer or on your smart phone. Also be sure to delete e-mails that have your password in them. If your e-mail account gets hacked, you don't want other accounts to be compromised as well.
8. Create a separate user account.
Generally when you first set up a computer you log in with a default account that has administrative privileges. This means that you can do *anything* you want. If you're infected by a virus it will run with the same privileges as your user account. Creating a new user account that doesn't have admin rights means you have to hassle with entering the admin password when you want to install new software, but it also means that a virus can't install malware.
9. Users are the front line of security.
You use your device more than anyone else. As a user, you're most able to spot something fishy going on. Be aware that you're the expert on your computer; if you suspect something is amiss, then it probably is!