Day 10 begins week two of Cyber Security Awareness Month. This week's topics will focus on security issues affecting children and school.
Today we solicit input on how to provide a safe browsing experience for pre-teens.
Risks specific to pre-teens that we want to address:
Installation of unwanted applications: adware, spyware, malware, either through social engineering or drive-by exploitation.
Commercial/Marketing tracking: it has been reported that children are targeted more than adults (http://online.wsj.com/article/SB10001424052748703904304575497903523187146.html)
Exposure to unwanted ideas: what those particular ideas are, I'm leaving up to the parents.
Communication with the wrong people: I'm also leaving the definition of wrong people up to the parents.
Of course, looking over that list, these are the same risks you want to protect your sales staff from.
In constructing our strategy we could consult these earlier CSAM entries:
Securing the Family Network (Day 2) http://isc.sans.edu/diary.html?storyid=9649
Sites you should stay away from (Day 5) http://isc.sans.edu/diary.html?storyid=9673
An initial strategy approach may look like:
Use a special unprivileged account: junior doesn't need root access.
White-list: this is one of the few cases where white-listing is tenable.
Lock down the browser: use tools such as noscript, noflash, adblock, etc. Coupled with aggressive white-listing, the admin/parent can pre-configure each site as it's added to the white-list.
Secondary filtering: web-proxy filter, OpenDNS, use layered protection for the whole family.
Only allow computers in public spaces: very young children will always need an adult, older pre-teens should have them close by to field questions and help with decisions, which you can post humorous tales about later on Facebook.
Again, that sounds a lot like a decent small-business/corporate-environment approach. Not everyone will have the tools or time to build a comprehensive system for their home network. How are parents handling this out in the field?
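For the white-list and secondary-filtering items in the strategy above, here is a sketch of the default-deny decision a filtering proxy would make for each requested URL. This is an added example, not code from the diary: the site names are constructed, the function names are hypothetical, and allowing subdomains of a listed site is an assumed policy.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample white-list; the parent/admin maintains the real one.
ALLOWED_SITES = {"kids.example.org", "library.example.net"}
ALLOWED_SCHEMES = {"http", "https"}


def normalize_host(host):
    """Lower-case the host and drop a trailing root dot."""
    return host.rstrip(".").lower()


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def host_allowed(host, allowed=ALLOWED_SITES):
    """True if host is a listed site or a subdomain of one (assumed policy)."""
    host = normalize_host(host)
    if not host or is_ip_literal(host):
        return False  # raw IP addresses sidestep name-based filtering
    # Compare on a label boundary: a plain substring or suffix test would
    # accept "notkids.example.org" or "kids.example.org.evil.test".
    return any(host == site or host.endswith("." + site) for site in allowed)


def url_allowed(url, allowed=ALLOWED_SITES):
    """Default-deny decision for a full URL."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # drops any user:pass@ prefix and the port
    except ValueError:
        return False  # unparseable URL: deny
    if parts.scheme not in ALLOWED_SCHEMES or host is None:
        return False
    return host_allowed(host, allowed)
```

Anything not explicitly listed is refused, including look-alike hosts, IP-literal URLs and non-web schemes, so the list only grows when the parent adds a site.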
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.