Cross-posted from a Goal Keeping DBA blog:
Just recently, my oldest son entered the ranks of the teenagers. I shouldn’t actually say teenagers, because I have come to not like that word, mainly because of the influence of the book, Do Hard Things. But with 13 came access to email and to Facebook. Here’s how I tackled things, not only setup, but initial education.
The first thing I did was set him up with an email account with one of the many providers that are out there. I could have set him up through one of my domains, but I decided this would be easiest for him, especially since I had already planned on getting him a decent cell phone. When I chose the name, I avoided obvious “tells” such as references to video games, to popular cartoons, or to anything else that might scream, “I’m not an adult.” Instead, I went with one variant of his full name, one that would be appropriate on a professional resume.
Now, most email accounts have the ability to contact another email in case you need to get into the account. I set up the emergency email to be one of my wife’s accounts, and I promptly gave her the email address and password to my son’s new email account. I have it, too. The email account password is a strong passphrase with some alterations. It’s not one you’d tie to him in any way but it is one he can easily remember.
Then I pre-loaded his contacts list with the folks he would most likely want to contact and sent an email from his account to all of those contacts sharing the email address and indicating that it was me setting up his email since he was a newly minted 13 year-old. This, of course, served three purposes:
- It gave him access to the email addresses of the people he’d most likely email.
- It gave those people his legitimate email so they wouldn’t be tricked by an account they thought might be his.
- It gave them an opportunity to wish him a happy birthday!
With his email account set up, it was time to set up my son’s Facebook account. I used the email address just created, but chose a completely different passphrase. This ensures that should one password be compromised, the other one isn’t. I went through his profile, configuring the basic information that was necessary, hiding the rest. While Facebook does offer some protection for those who are classified as minors, I’m not going to rely on that. So among some of the things I did:
- I did not specify his current city. He has already been told not to set this.
- I specified his hometown as an older one. Folks who legitimately know him will recognize the hometown and know they have the right person.
- I did not publish his birthday to Facebook (yes, he’ll get posts on his birthday, but how old he is will remain hidden).
- I locked things down to friends of friends for much of his information, because he is in a youth group and so there has to be some flexibility there.
- I turned off the location features that Facebook now offers.
- I configured initial interests that I knew were appropriate for him. For instance, Chris Tomlin as a musician he liked.
- I picked a reasonable profile pic that I had. He eventually changed it to another acceptable one, of him and his grandfather.
- And again, my wife and I have his password.
Truth be told, I was looking for a really basic phone that would allow him to call us and to text. For those teens thinking, “No fair! My parents won’t let me have a phone!” it is truly a mixed blessing. As the old AT&T commercial went, him having a phone means I can “reach out and touch someone,” namely him, whenever I want. We have a dispersed church campus and we spend a lot of time there, and tracking him down could sometimes be a chore. Not any more! Now I can get him any time. And believe me, my wife and I have (ab)used this greatly since he got his new phone.
He’s on our plan, which is pretty robust since my wife and I both carry smartphones due to my ministry and professional commitments. Looking at the phones, however, the only decent set of phones that I saw also had a built-in camera and the ability to connect to Facebook and email. As I thought about that, though, it occurred to me that this was just fine. So we got him a good phone, and I set up Facebook and his mail on it, because I knew this would be his primary interface to those two mediums. That restricts some of what he can do, but it also protects him a great deal because the phone doesn’t have a lot of functionality. It’s not a smartphone, so certain security threats are naturally eliminated.
Next came educating him on everything. I started with the phone, which is his primary means of communication. First there was the explanation of the shared plan and that his phone use should be limited. He knows my wife and I will check the minutes religiously, so he’s been good about his usage of his phone. Then I showed him how to call out, how to text, and how to access Facebook and email, to get him started quickly. The rest he picked up from reading the instructions that came with his phone. He knows his phone only has a 1 GB card in it, so he has to limit the pictures he might take.
Then, when we got home, I went over email and Facebook. The first rule is, if it looks too good to be true, it probably is. Then we talked about the mentality of attackers on the Internet. They basically don’t care how they get you, as long as they get you. While this is slightly overstating things, and may seem a bit paranoid, having worked in IT security for a number of years, I know it’s not. My son knows I worked in IT security and so when I said “Pay attention,” he really did. Let’s talk about the basics:
Getting Something from Someone You Don’t Know: Unless you know something was coming in, like from a school or something and you just didn’t know the address, automatically be suspicious of this, whether it’s email or a Facebook message or a Facebook friend request. This is a play on your trust.
Getting Something from Someone You Do Know That Doesn’t Fit: This is the classic con game. I explained to him that it’s not too hard to make an email look like it came from someone you know, when it really didn’t. Technically, it may have, but their computer is infected. So if they send something that’s out of character for them, like sending an attachment, don’t open it. Instead, write them back and ask them if they really meant to send it. Even if they did, be suspicious.
If You Get an App Request for a Photo or Video, Close Out the Tab: Facebook photos and videos do not require an application request. If you get one, that means it’s not legitimate. Don’t play around with navigation. Simply close that tab, open a new one, and go back to Facebook. If it was posted to your wall, go into your profile and delete it so it doesn’t get someone else.
If You Get a Prompt Saying You Need to Update Software, Check with Me: We talked about how attackers have used false software updates to push malware onto a system. The unsuspecting user thinks they are getting a needed software update to, say, Adobe Flash, and what they are really doing is infecting their system. His account doesn’t have rights to do a software update, so he has to check with me anyway, but should he see such a prompt, he needs to tell me right away.
If It Appeals to What You Know You Shouldn’t Be Messing with, Avoid It: Scantily clad girls, adult content, beer/alcohol ads, etc., it makes no difference. Not only should he not be going after such things because of his age, but it’s just dumb on the Internet. Attackers know what our vices are. And they know that when it comes to our vices, we’ll let down our guard, meaning it’s easier to push malware onto our systems. So knowing that attackers are using our weaknesses against us, it’s just smart to steer clear. It’s not just about purity, it’s also about IT security.
Limit the Facebook Games You Play: I used to play a handful of Facebook games. One was because my cousin was in QA for Zynga and he asked me to play one to give him honest feedback. But over time I started tracking the number of hours spent each week on those games. I wasn’t pleased with those numbers. They are incredible time sinks. They also collect personal information on you from Facebook. So I told him to limit it to a few sets of games I’d approve of. Bejeweled Blitz is one, though that can be addictive. But any of the -ville games are definitely out. This isn’t an IT security one, just a common sense one.
Understand What a Phishing Attack Is: We talked about how attackers will make a link look legitimate but it’s not. Therefore, if it’s something that asks him to disclose any personal information, even his email, he immediately should delete/ignore it. If he thinks it might be legitimate, then he needs to let me see it.
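The “link that looks legitimate but isn’t” trick usually comes down to the visible text of a link naming one site while the underlying href points somewhere else. Below is an added example (not code from the original post) that scans the HTML body of an email and flags links whose displayed host differs from the real target host, or that use a scheme other than http, https or mailto. The email snippet is constructed for the example, and the hostnames in it are placeholders, not real sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one look-alike link, one legitimate
# subdomain link, and one plain "click here" link. Hosts are placeholders.
SAMPLE_EMAIL = """
<p>Hi, your account needs verification.</p>
<p>Visit <a href="http://www.bankexample.com.evil-example.net/login">www.bankexample.com</a> now.</p>
<p>Or read our help page: <a href="https://help.bankexample.com/faq">bankexample.com</a></p>
<p><a href="https://www.bankexample.com/unsubscribe">Click here</a> to unsubscribe.</p>
"""

SAFE_SCHEMES = {"http", "https", "mailto", ""}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL; bare 'example.com/path' text is treated as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Visible link text that a reader would take for a web address."""
    return "." in text and " " not in text


def suspicious_links(html):
    """Return a list of findings for links whose visible text and target disagree,
    or whose scheme is not one a normal email link would use."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        scheme = urlparse(href).scheme.lower()
        if scheme not in SAFE_SCHEMES:
            findings.append({"href": href, "text": text,
                             "reason": "unexpected link scheme: " + scheme})
            continue
        if not looks_like_url(text):
            continue  # "Click here" tells the reader nothing to compare against
        shown = host_of(text)
        real = host_of(href)
        # A link shown as bankexample.com that really goes to help.bankexample.com is fine;
        # one that goes to bankexample.com.evil-example.net is not.
        if shown and real != shown and not real.endswith("." + shown):
            findings.append({"href": href, "text": text,
                             "reason": "displayed host %s does not match target host %s" % (shown, real)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding["reason"], "->", finding["href"])
```

The check deliberately tolerates subdomains of the displayed host, because legitimate mail often links `help.` or `login.` hosts under the brand name shown; what it refuses to tolerate is the displayed brand appearing as a prefix of some other registrable domain, which is exactly the pattern the post warns about.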
If You Have Any Doubts, See Me: I knew that with the brief education I gave him, he would occasionally come across things he wasn’t sure what to do with. In those cases, he needed to talk to me or my wife (who would likely just ask me). And then I reminded him of the next one.
On the Internet, Be Paranoid: As a security professional, I came to understand the following maxim very well: “Just because I’m paranoid doesn’t mean there isn’t someone out to get me.” There are plenty of attackers looking for anyone they can take advantage of. There are sexual predators out there who will pretend to be a teenage boy or girl and want to be his friend, all to arrange a meeting with him. If you don’t know the person, if you aren’t sure you can trust something, check in with me. It’s better to be safe than sorry.
Likely More to Come:
I’m sure there are some other things I’m leaving off, but this is what we started with, so far as I can remember. It was sort of like a brain dump on him, but he’s done well thus far. Now it’s about ensuring he stays diligent.