Most policies appear to be "allow anybody to do anything", but this cannot be recommended. Also common is "all Web access is to go through the Web Proxy", and similar for email. But policies can be more complicated, such as "staff are allowed direct Web access, but students must go via a proxy".
Implementation of the policy is a quite different question.
It is common to get many thousands of vulnerability probes per day, but directed active attacks happen less often, unless you are highly visible or popular or you have annoyed someone. More likely a machine is subverted by an email worm or something downloaded from the Web.
Defences start with firewalls, but should move upwards from there. For example: regular scanning of hosts for unauthorised modifications of files (compare current file hashes against a baseline taken when the host was known to be clean); virus scans of incoming and outgoing email; virus scans of files on disk; timely security upgrades of software; checking that user passwords are not guessable (for example by running a password cracker against your own password hashes); regular service reviews to ensure you are not running unneeded software; reviews of firewall logs; and so on.
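As an added example (not code from the original page), here is a minimal file-integrity check of the kind the first item above describes, in the spirit of tools such as Tripwire: take a baseline of SHA-256 digests over a tree, and later report files that have been added, removed or modified. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of one file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped: hashing their target would let an intruder point a
    link at an unchanged file and hide the change."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests


def compare(baseline, current):
    """Classify the differences between two digest maps."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(digests, path):
    """Write the baseline; keep this copy somewhere the monitored host cannot alter."""
    with open(path, "w") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed example: baseline a small tree, then simulate an intrusion
    (trojaned binary, new backdoor, deleted log) and report what changed."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "var/log/auth.log", b"accepted login for alice\n")
        baseline = hash_tree(root)

        _write(root, "bin/ls", b"#!/bin/sh\nexec /tmp/.x/ls \"$@\"\n")   # replaced by intruder
        _write(root, "bin/backdoor", b"\x7fELF...")                        # new file
        os.remove(os.path.join(root, "var", "log", "auth.log"))            # evidence removed

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline is only worth anything if the intruder cannot rewrite it along with the files it covers, so store it off-host or on read-only media and run the comparison from a trusted copy of the checker.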
Sites like US-CERT provide a lot of useful information, while Viruslist.com and the like keep lists of viruses.
There will be (or should be) a small closed padlock icon that you can click on to view the certificate. Check that the name on the certificate matches the website you are visiting. If it does not, something is very wrong.
Also check the expiry date, the issuing authority and the other information on the certificate to make sure everything is in order. Note that the padlock only tells you the connection is encrypted and the certificate chains to an authority your browser trusts; it says nothing about whether the site itself is honest.
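The two checks above, name and validity period, spelled out in Python as an added example (not code from the original page). It works on the dictionary shape that `ssl.SSLSocket.getpeercert()` returns; `SAMPLE_CERT` is constructed sample data, not a real certificate, and the `now` timestamps are fixed so the example runs offline. A library client normally gets this from `check_hostname`/`CERT_REQUIRED` on an `SSLContext`; doing it by hand shows what the browser is checking.

```python
import ssl
import time

# Constructed sample in the shape returned by getpeercert() (not a real certificate)
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2026 GMT",
}


def _dns_names(cert):
    """DNS names the certificate is valid for: the SAN entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                return [v]
    return []


def _matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is allowed only as
    the whole leftmost label, must leave at least two labels, and matches exactly
    one label (so *.example.net matches a.example.net but not a.b.example.net)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Return a list of problems; an empty list means the certificate passes."""
    problems = []
    if now is None:
        now = time.time()
    names = _dns_names(cert)
    if not any(_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: certificate is for {names}, not {hostname}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid until " + cert["notBefore"])
    if now > not_after:
        problems.append("certificate expired on " + cert["notAfter"])
    return problems


if __name__ == "__main__":
    # 1749945600 is 2025-06-15 00:00:00 UTC, inside the sample's validity window
    for host in ("www.example.com", "a.example.net", "a.b.example.net"):
        print(host, check_certificate(SAMPLE_CERT, host, now=1749945600) or "OK")
    print("in 2030:", check_certificate(SAMPLE_CERT, "www.example.com", now=1893456000))
```

Two details practitioners get wrong: when a certificate carries a subjectAltName, the subject CN is ignored entirely, and a wildcard never spans more than one label.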
Social engineering is an ancient art only recently given this modern name. There are very many instances of confidence tricks in real life that could conceivably transfer to the online world.
This has been reported to be as little as a few minutes for some operating systems. Other OSs reputedly resist for many months without security updates.
VPNs come in many flavours: the Microsoft system (PPTP) is relatively easy to install and configure, but has known security weaknesses. IPsec appears to be secure, but is notoriously tricky to configure.
Some others, like CIPE, are suspect, but OpenVPN is worth looking at.
Many other books are equally good, but Schneier has a particularly good and clear style.
See Schneier and Mudge, "Cryptanalysis of Microsoft's Point-to-Point Tunneling Protocol (PPTP)", and Schneier, Mudge and Wagner, "Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2)".
Usually supported are SSLv2, SSLv3 and TLSv1. SSLv2 is broken and should be disabled wherever you can; SSLv3 has since been deprecated as well (RFC 7568) and should also be turned off, leaving TLS only.
A typical browser contains dozens of authority certificates. A few of the more well-known names include Equifax, GTE Corporation, GlobalSign, RSA Data Security, Inc., Thawte, VISA and VeriSign.
A big task, but there is plenty of help on the Web, and the O'Reilly book "Network Security with OpenSSL" is a good primer. Also see the GnuTLS documentation.
There is some initial playing with certificates, but at base it is as simple as opening a socket, creating an SSL/TLS session on the socket (this is where certificates are required), and then using it to read and write data.
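The socket-then-session sequence just described, with the protocol-version point from the footnote on SSLv2/SSLv3, as an added example in Python's `ssl` module (not code from the original page and not tied to OpenSSL's C API). The context builder is the part worth copying: it refuses anything below TLS 1.2 and insists on a verified certificate whose name matches the host. The `tls_request` function does a live connection and is only called from the command-line guard; the default host `example.com` and the plain HTTP/1.0 request are assumptions for the demonstration.

```python
import socket
import ssl
import sys


def hardened_client_context(cafile=None):
    """Client SSLContext that rejects old protocol versions and unverified peers."""
    # create_default_context loads the system CA store when cafile is None and
    # already refuses SSLv2/SSLv3 on current Pythons; the floor is set explicitly
    # here so the intent does not depend on library defaults.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # a server with no valid chain is rejected
    ctx.check_hostname = True             # a certificate for another name is rejected
    return ctx


def context_summary(ctx):
    """The settings an auditor would want to confirm, as plain values."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def tls_request(host, port=443, request=None, ctx=None, timeout=10):
    """Open a TCP socket, wrap it in a TLS session, write a request, read to EOF.
    Returns (negotiated protocol, peer certificate dict, response bytes)."""
    ctx = ctx or hardened_client_context()
    if request is None:
        request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname supplies SNI and is the name the certificate is checked against
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return tls.version(), tls.getpeercert(), b"".join(chunks)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        version, cert, body = tls_request(host)
    except ssl.SSLCertVerificationError as e:
        # Wrong name, expired, or untrusted issuer: the handshake fails before any data flows
        sys.exit(f"certificate check failed for {host}: {e.verify_message}")
    print(version, cert.get("subject"), body[:200])
```

If a verification error is what you want to see, point it at a host whose certificate does not match (`python tls_client.py wrong.host.example`): the failure happens inside `wrap_socket`, before the request is sent, which is the behaviour you want from a client.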
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.