
SANS ISC: Cyber Security Awareness Month - Day 10 - Safe browsing for pre-teens SANS ISC InfoSec Forums

Cyber Security Awareness Month - Day 10 - Safe browsing for pre-teens

Day 10 begins week two of Cyber Security Awareness Month. This week's topics will focus on security issues affecting children and school.

Today we solicit input on how to provide a safe browsing experience for pre-teens.

Risks specific to pre-teens that we want to address:

  • Installation of unwanted applications: adware, spyware, malware, either through social engineering or drive-by exploitation.
  • Commercial/Marketing tracking: it has been reported that children are targeted more than adults (http://online.wsj.com/article/SB10001424052748703904304575497903523187146.html)
  • Exposure to unwanted ideas: what those particular ideas are, I'm leaving up to the parents.
  • Communication with the wrong people: I'm also leaving the definition of "wrong people" up to the parents.

Of course, looking over that list they're also the same risks you want to protect your sales staff from as well.

In constructing our strategy we could consult these earlier CSAM entries:

An initial strategy approach may look like:

  • Use special unprivileged account: junior doesn't need root access.
  • White-list: this is one of the few cases where white-listing is tenable.
  • Lock-down the browser: use tools such as noscript, noflash, adblock, etc. Coupled with aggressive white-listing, the admin/parent can pre-configure each site as they're added to the white-list.
  • Secondary filtering: web-proxy filter, openDNS, use layered protection for the whole family.
  • Only allow computers in public spaces: very young children will always need an adult, older pre-teens should have them close by to field questions and help with decisions, which you can post humorous tales about later on Facebook.

Again, that sounds a lot like a decent small-business/corporate-environment approach. Not everyone will have the tools or time to build a comprehensive system for their home network. How are parents handling this out in the field?

Kevin Liston

292 Posts
ISC Handler
I believe there are some very reputable hardware products that filter the entire network unless the "guard" is let down by IP/MAC with a parental password. I know Leo Laporte talked about one of these that he personally used on his TV show ("Lab with Leo" or "Call For Help", can't remember which) one time, but not having kids myself, I didn't note it, and now I can't seem to find a reference. Perhaps those with better Google-Fu can find it. In the meantime, I did find these links:

http://childparenting.about.com/od/familycomputer/a/kidsafeinternet.htm
http://www.rcmp-grc.gc.ca/is-si/
Anonymous
I finally found the item I was looking for, the iBoss from http://iphantom.com/residential.html .

The other important thing is that the child should never have their own computer in their own room... it should be in a shared space, and as much as possible the parent should supervise its use.
Anonymous
Blue Coat has a free software product for parents. Easy to use. http://www1.k9webprotection.com/
icurnet

1 Posts
The above implies a, to me, disturbing lack of trust in, and responsibility from, pre-teens which they should have been taught, however, protecting against the drive-by, mislabeled and deceptive is very reasonable - and, as implied, a good practice for the staff generally. Supervision or, even better, participation, by the caregivers during browsing sessions is almost always best, both to protect and to inculcate acceptable behavior and morals, however, that does depend on caregivers knowledge, behavior and morals themselves.

On a more practical note, protecting the entire home, school or business network is the first, and, in my experience, strongest line of defense. DansGuardian is a great general web filter. I usually configure the router to enable transparent proxying of port 80 traffic through it. Coupled with OpenDNS, malware domain blocking and appropriately tuned filter lists in DansGuardian, very good protection can be achieved. Adding anti-malware defanging is my next goal in our general filtering. By protecting more heavily at the Internet face, rather than on the individual computers, we can prevent a lot from ever making it to the end user (pre-teen). The logging functions in DansGuardian can be very helpful in reviewing where someone has been going, and, how they may have gotten off-track - intentionally or not.

We have built such filtering for schools, businesses and home networks. In the latter, we usually can take an older computer, install Linux, DansGuardian, iptables and DNS on it and make it be the router as well. In the former, we use an appropriately powered, though sometimes older computer as well, sometimes as the router as well, though decoupling routing from filtering is preferred, except in the smallest of networks.

On the end user computer, we usually use Firefox with AdBlock. We simply have found that NoScript requires too much interaction to allow effective use and security. (Visiting one web page, I had to allow or deny 45 different elements to get the page to function.) Tech folk might follow that path, however, normal users, and pre-teens especially, can't. Microsoft Security Essentials has been adequate on home systems, and is free. Windows 7 or Mac OS X are our recommended operating systems. We have found that it is still extremely hard to have many programs operate in a non-administrator account, as much as we would like to. This is one of the reasons we put so much emphasis on protection at the perimeter. We still need security in depth, but a little less depth on the inside.

Also, a good, convenient backup & restore mechanism for the PC. We use Acronis, either Home or True Image Workstation. Making it easy for the end user to restore their computer to a functioning state is beneficial across the board. This doesn't prevent "bad material" from being encountered, but makes recovering from it easier.

It can also be used as an educational experience for the pre-teen: "You made the mess, you clean it up." Giving them reasonable tools to do so, makes that a realistic option.

Teaching them to judge what is appropriate or not, dangerous or not, or questionable, is the goal, not protecting them from the world in a perfect cocoon.
Rastech

18 Posts
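
The perimeter setup described in the comment above (port 80 transparently proxied through DansGuardian, with OpenDNS behind it), sketched as an added example that is not part of the original thread or the commenter's own configuration. The interface name `eth1`, the function name and the assumption of otherwise empty iptables chains are illustrative; 8080 is DansGuardian's default filter port.

```shell
#!/bin/sh
# Added example: PRINTS iptables rules for a Linux router filtering a home LAN.
# Nothing is applied here. Review the output, then run it as root, e.g.:
#   gen_filter_rules eth1 | sh
# Assumes empty nat/FORWARD chains; with existing rules, ordering matters.

OPENDNS_RESOLVERS="208.67.222.222 208.67.220.220"

# gen_filter_rules LAN_IF [FILTER_PORT]
#   LAN_IF       interface facing the family's computers (assumed name)
#   FILTER_PORT  port the web filter listens on (DansGuardian default: 8080)
gen_filter_rules() {
    lan_if=$1
    filter_port=${2:-8080}

    # The output is meant for a root shell, so accept only a plain interface
    # name and a numeric port in range.
    case $lan_if in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    case $filter_port in
        ''|*[!0-9]*) echo "bad port" >&2; return 1 ;;
    esac
    if [ "$filter_port" -lt 1 ] || [ "$filter_port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi

    # 1. Transparent proxying: LAN traffic to port 80 is handed to the filter,
    #    so no browser setting is needed (or can be removed to bypass it).
    echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport 80 -j REDIRECT --to-ports $filter_port"

    # 2. Only port 80 passes through the content filter; HTTPS (443) does not.
    #    DNS filtering is the layer that still covers it, so forwarded DNS is
    #    allowed only to the OpenDNS resolvers. Queries to a resolver running
    #    on the router itself use the INPUT chain and are unaffected.
    for proto in udp tcp; do
        for resolver in $OPENDNS_RESOLVERS; do
            echo "iptables -A FORWARD -i $lan_if -p $proto -d $resolver --dport 53 -j ACCEPT"
        done
        echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j REJECT"
    done
}

# Stand-alone run: print the rules for the given (or the assumed) interface.
gen_filter_rules "${1:-eth1}" "${2:-8080}"
```

A child's machine with a hard-coded public resolver gets its DNS queries rejected rather than silently bypassing OpenDNS, which also shows up quickly as "the Internet is broken" and prompts a conversation.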
Kevin,

Thank you for leaving the contact with the wrong people and exposure to unwanted ideas to the parent. That is the way it should be.

When talking about pre-teen online safety I hear all too often the cry of protecting our kids from stranger abductions of people they met: in chat rooms; through social networking sites; or over the Internet in general. If there really are only 115 stranger abduction cases in the U.S. per year, then U.S. parents should not have to worry about Internet based contacts for stranger abduction.

I am the father of three pre-teens ages 8, 6 and 1. My wife and I endeavor to teach children security, not fear. So we let our two oldest have full Internet access through their own Netbooks. We have them keep the Netbooks on TV trays in the "living room" (a public area). We tell the kids to have us help them whenever they get a pop-up asking them to do something (they both can read, so this works out well). Then I let them watch me as I go through the process of validating that an update or patch was indeed released and verifying that it is the correct program asking to update. Hopefully by the time they are teenagers they can do the process correctly themselves. It works out well, (at least for now) because the only sites that interest them at this age are the sites that my wife and I approved.

Whenever they come across something that we don't approve of, we talk to them about it and explain why we do not approve. It's like walking up "The Strip" in Las Vegas with your kids (we actually have walked with our kids on "The Strip" in the evening when going from one family friendly attraction to another) and explain and talk to them about what they are seeing and explain why we do not approve of some of the things they see. We help them deal with the trauma (if any), and let them understand consequences of actions. We are therefore teaching them how to be secure in their life and not fear things they cannot control.
Nathan Christiansen

20 Posts
