Date post: 26-Dec-2015
Upload: alexis-baker
Security Awareness Chapter 4 Personal Security
Transcript
Page 1: Security Awareness Chapter 4 Personal Security. Security Awareness, 3 rd Edition2 Objectives After completing this chapter, you should be able to do the.

Security Awareness

Chapter 4 Personal Security

Page 2

Security Awareness, 3rd Edition 2

Objectives

After completing this chapter, you should be able to do the following:

•Describe attacks on personal security

•Explain the dangers of identity theft

•List the defenses against personal security attacks

•Define cryptography and explain how it can be used

Page 3

Attacks on Personal Security

• Attacks on personal security include:
– Spyware
– Password attacks
– Phishing
– Attacks on users of social networking sites
– Identity theft

Page 4

What Is Spyware?

• Spyware
– Software that violates a user's personal security
– Tracking software that is deployed without adequate notice, consent, or user control
• Spyware creators are motivated by profit
• Harmful spyware is not always easy to identify, because it often arrives bundled with software the user chose to install
• Very widespread: the textbook cites an average of more than 24 pieces of spyware per computer

Page 5

What Is Spyware? (cont'd.)

Table 4-1 Effects of spyware (Course Technology/Cengage Learning)

Page 6

What Is Spyware? (cont'd.)

• Keylogger
– Small hardware device or a program
– Monitors each keystroke a user types on the computer's keyboard
– Transmits the captured keystrokes to a remote location
– The attacker then searches the captured text for useful information, such as passwords and account numbers

Page 7

What Is Spyware? (cont'd.)

Figure 4-1 Hardware keylogger (Course Technology/Cengage Learning)

Page 8

What Is Spyware? (cont'd.)

• Browser hijacker
– Program that changes the Web browser's home page and search engine to another site
– May also add Internet shortcut links to the user's Favorites folder without asking permission

Page 9

Passwords

• Username
– Unique name used for identification
• Authentication
– Process of providing proof that the user is "genuine" or authentic
– Based on one of three factors:
• What you have (a token or smart card)
• What you know (a password or PIN)
• What you are (a fingerprint or other biometric)

Page 10

Passwords (cont'd.)

• Password
– Secret combination of letters, numbers, and/or symbols
– Authenticates a user by what she knows
• Primary (and often the only) means of authenticating a user for access to a computer
• Not considered a strong defense against attackers on its own
• "Password paradox"
– A password must be long and complex enough that an attacker cannot easily determine it
– But it must also be easy enough for the user to remember

Page 11

Passwords (cont'd.)

• Users have multiple accounts, each requiring its own password
• Weak password practices
– Using a common word as a password
– Not changing a password unless forced to do so
– Short passwords
– Personal information in a password
– Using the same password for multiple accounts
– Writing the password down
– Predictable use of characters (capitalizing only the first letter, putting the digits at the end, substituting "@" for "a")

Page 12

Passwords (cont'd.)

Table 4-2 Common password myths (Course Technology/Cengage Learning)

Page 13

Passwords (cont'd.)

• Attacks on passwords
– Passwords are a frequent focus of attacks
– Brute force attack: trying every possible combination of characters until one works
– Cracking stored password hashes: systems store a one-way hash of the password rather than the password itself, so an attacker who steals the hash file cannot "decrypt" it and instead guesses candidate passwords, hashes each one, and looks for a matching hash
– Dictionary attack: hashing each word in a list of likely passwords and comparing the results against the stolen hashes
– Rainbow tables: precomputed tables of hashes that trade storage space for cracking time; adding a random salt to each password before hashing makes such tables useless

Page 14

Passwords (cont'd.)

Figure 4-4 Dictionary attack (Course Technology/Cengage Learning)
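To make the dictionary-attack and rainbow-table slides concrete, here is an added example (not from the textbook) using only Python's standard library. It builds a precomputed hash-to-password table for a small constructed wordlist standing in for a real cracking dictionary, cracks a constructed "stolen" dump of unsalted SHA-1 hashes with it, and then shows why a random per-user salt plus a deliberately slow hash (PBKDF2) forces the attacker back to guessing one user at a time. The usernames, passwords and wordlist are all made up for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a real cracking dictionary such as rockyou.txt.
WORDLIST = ["password", "letmein", "sunshine", "qwerty", "dragon",
            "Summer2015", "iloveyou", "football"]

# Demo iteration count; OWASP currently recommends several hundred thousand
# iterations for PBKDF2-HMAC-SHA256 in production.
ITERATIONS = 200_000


def unsalted_hash(password):
    """Legacy storage: a bare, fast hash. A stolen file of these is what the
    slide's 'decrypt encrypted password' really refers to; nothing is decrypted,
    the attacker guesses and hashes until a hash matches."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once. This space-for-time trade-off is the
    idea behind rainbow tables (which compress the table into hash chains);
    without salts one table cracks every user on every system."""
    return {unsalted_hash(w): w for w in words}


def dictionary_attack(stolen_hashes, table):
    """Offline dictionary attack against a dump of unsalted hashes.
    Returns {username: recovered_password_or_None}."""
    return {user: table.get(h) for user, h in stolen_hashes.items()}


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """Hardened storage: random per-user salt plus a deliberately slow hash."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Login check: recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(salt, digest, words, iterations=ITERATIONS):
    """With a salt the precomputed table is useless: the attacker must rerun the
    slow hash for every candidate, separately for every user."""
    for w in words:
        if verify_salted(w, salt, digest, iterations):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed 'stolen' hash file: alice reused a dictionary word, bob did not.
    stolen = {"alice": unsalted_hash("sunshine"),
              "bob": unsalted_hash("correct horse battery staple")}
    print("unsalted dump:", dictionary_attack(stolen, table))
    salt, digest = salted_hash("sunshine")
    print("salted hash found in table?", digest.hex() in table)
    print("salted crack (per-user work):", crack_salted(salt, digest, WORDLIST))
```

Two users with the same unsalted password produce identical hashes, which by itself tells the attacker they share a password; with a per-user salt the stored values differ even for identical passwords.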

Page 15

Phishing

• Social engineering
– Deceiving someone into revealing protected information
• Phishing
– Sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise
– Attempts to trick the user into surrendering private information
• The number of users who respond to phishing attacks is considered to be extremely high

Page 16

Phishing (cont'd.)

Figure 4-5 Phishing message (Course Technology/Cengage Learning)

Page 17

Social Networking Attacks

• Social networking
– Grouping individuals and organizations into clusters or groups based on some sort of affiliation
• Social networking sites
– Web sites that facilitate linking individuals with common interests
– Increasingly becoming prime targets of attacks
– Provide a treasure trove of personal data
– Users are generally trusting of content that appears to come from a "friend"

Page 18

Identity Theft

• Identity theft
– Using someone else's personal information to open bank or credit card accounts in that person's name, then leaving the charges unpaid
• The number of security breaches that expose users' digital data to attackers continues to increase

Page 19

Personal Security Defenses

• Tools and techniques that should be implemented
– Installing antispyware software
– Using strong passwords
– Recognizing phishing attacks
– Setting social networking defenses
– Avoiding identity theft
– Using cryptography

Page 20

Installing Antispyware Software

• Antispyware software
– Helps prevent computers from becoming infected by different types of spyware
• Works much like antivirus (AV) software: it recognizes known spyware by signatures and behavior, so it must be updated regularly
• Set it to provide continuous real-time monitoring rather than relying on occasional on-demand scans

Page 21

Using Strong Passwords

• Strong password basic rules
– Optimally at least 15 characters
– Random combination of letters, numbers, and special characters
– Replaced with new passwords at least every 60 days
– Not reused for 12 months
– The same password should not be used for multiple accounts
• Caveat: scheduled rotation is dated advice. NIST SP 800-63B now recommends changing a password only when there is evidence it has been compromised and screening new passwords against lists of known breached passwords instead. The length and no-reuse rules above still stand.

Page 22

Using Strong Passwords (cont'd.)

• Techniques for escaping the "password paradox"
– Use a phrase or expression instead of a single word
• Replace the spaces between the words with a special character
– Use a password storage program (password manager)
• Enter account information such as username and password, along with other account details
• The stored entries are protected with a single strong master password, so the user only has to remember one
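An added example (not from the textbook) in Python that turns the weak-password list on page 11 and the rules on pages 21 and 22 into a checker, and generates a passphrase of the kind page 22 recommends while reporting its entropy. The common-word list, the substitution table and the passphrase wordlist are constructed for the demonstration; a real checker would screen against a breached-password list of millions of entries and draw passphrase words from a list such as the EFF long list.

```python
import math
import re
import secrets

# Constructed stand-in for a breached-password list (real checks use millions of entries).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon",
                "football", "sunshine", "princess"}

# Substitutions attackers expect in place of letters ("P@ssw0rd"); undo them before checking.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

# Constructed sample wordlist; the EFF long list has 7776 words, about 12.9 bits per word.
SAMPLE_WORDS = ["amber", "bishop", "cactus", "dolphin", "ember", "falcon", "glacier",
                "harbor", "island", "jasper", "kettle", "lantern", "marble", "nickel",
                "orbit", "pepper", "quartz", "raven", "saddle", "timber"]


def password_issues(pw, personal_info=(), previous=(), min_len=15):
    """Return the chapter's weaknesses that apply to pw (an empty list means it passes)."""
    issues = []
    lowered = pw.lower()
    norm = lowered.translate(LEET)          # "p@ssw0rd" -> "password"
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("fewer than three character classes")
    if any(word in norm for word in COMMON_WORDS):
        issues.append("built on a common word (even with character substitutions)")
    for item in personal_info:
        if item and item.lower() in norm:
            issues.append(f"contains personal information ({item!r})")
    if pw in previous:
        issues.append("reused from a previous password")
    if re.search(r"(.)\1\1", pw) or re.search(r"012|123|234|345|456|567|678|789|abc|qwe|asd", lowered):
        issues.append("predictable character sequence")
    return issues


def make_passphrase(wordlist=SAMPLE_WORDS, n_words=5, separator="-"):
    """Page 22's technique: a phrase with a special character instead of spaces.
    Words are drawn with the secrets module (never random.choice for secrets).
    Returns (passphrase, entropy_bits); entropy is n_words * log2(len(wordlist))
    because each word is chosen uniformly and independently."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return separator.join(words), n_words * math.log2(len(wordlist))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "Alexis1999!Secure#", "Correct-Horse-Battery-Staple-9"):
        print(candidate, "->", password_issues(candidate, personal_info=("Alexis",)) or "OK")
    phrase, bits = make_passphrase()
    print(f"{phrase} ({bits:.1f} bits of entropy)")
```

Note that the entropy figure is honest only when the words are chosen by a cryptographic random source; a phrase the user picks from a favorite song has far less entropy than the formula suggests.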

Page 23

Using Strong Passwords (cont'd.)

Figure 4-6 Password storage program (Course Technology/Cengage Learning)

Page 24

Recognizing Phishing Attacks

• Recognize phishing attacks by their warning signs
– Deceptive Web links (the visible text names one site, the link actually goes to another)
– E-mails that look like Web sites
– Fake sender's address
– Generic greeting ("Dear Valued Customer")
– Popup boxes and attachments
– Urgent request
• Treat e-mail like a postcard: it can be read by anyone who handles it along the way, so never send passwords or account numbers in it
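An added example (not from the textbook) showing how several of the warning signs above can be checked mechanically with Python's standard library: a mismatch between the Reply-To and From domains, links whose visible text names a different host than the real destination or that point at a bare IP address, a generic greeting, and urgent wording. Both messages are constructed for the demonstration; the domains use the reserved .example TLD and the IP address comes from the documentation range 203.0.113.0/24.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing message.
PHISH = """\
From: "First National Bank Security" <alerts@firstnational-bank-verify.example>
Reply-To: collector@mail-relay.example
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Please verify your details immediately at
<a href="http://203.0.113.7/login.php">https://www.firstnational.example/secure</a></p>
</body></html>
"""

# Constructed legitimate message from the same made-up bank, for comparison.
CLEAN = """\
From: "First National Bank" <alerts@firstnational.example>
To: customer@example.org
Subject: Your September statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Jordan,</p>
<p>Your statement is ready. <a href="https://www.firstnational.example/statements">View statement</a></p>
</body></html>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every anchor plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _domain(addr):
    return parseaddr(addr or "")[1].rsplit("@", 1)[-1].lower()


def phishing_indicators(raw_message):
    """Return the page-24 warning signs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = _LinkParser()
    parser.feed(body.get_content() if body is not None else "")
    text = " ".join(parser.text)
    found = []
    # Fake sender's address: replies silently go somewhere other than the sender.
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != _domain(msg["From"]):
        found.append(f"Reply-To domain {_domain(msg['Reply-To'])} differs from From domain {_domain(msg['From'])}")
    # Deceptive Web links: shown URL and real destination disagree, or the link is a bare IP.
    for href, visible in parser.links:
        target = urlparse(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target.hostname or ""):
            found.append(f"link points to a bare IP address {target.hostname}")
        if visible.lower().startswith(("http://", "https://", "www.")):
            shown = urlparse(visible if "://" in visible else "http://" + visible)
            if shown.hostname != target.hostname:
                found.append(f"link text shows {shown.hostname} but points to {target.hostname}")
    # Generic greeting and urgent request.
    if re.search(r"\bdear (valued )?(customer|user|member|client)\b", text, re.I):
        found.append("generic greeting")
    if re.search(r"urgent|immediately|within 24 hours|suspend", f"{msg['Subject']} {text}", re.I):
        found.append("urgent request")
    return found


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(name, "->", phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof on its own (a real bank may also write "immediately"), which is why mail filters score several signals together rather than blocking on one.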

Page 25

Setting Social Networking Defenses

• Be cautious about placing personal information on social networking sites
• General security tips
– Consider carefully who is accepted as a friend
– Show "limited friends" a reduced version of your profile
– Disable sharing options by default and reopen them only as necessary

Page 26

Setting Social Networking Defenses (cont'd.)

Table 4-3 Recommended Facebook profile settings (Course Technology/Cengage Learning)

Page 27

Setting Social Networking Defenses (cont'd.)

Table 4-4 Recommended Facebook contact information settings (Course Technology/Cengage Learning)

Page 28

Avoiding Identity Theft

• Help safeguard information
– Shred financial documents and paperwork before discarding them
– Do not carry a Social Security number in a wallet
– Do not provide personal information in response to an unsolicited phone call or e-mail message
– Keep personal information in a secure location
• Monitor financial statements and accounts
– Be alert to signs that may indicate unusual activity
– Follow up on calls regarding purchases that were not made
– Review financial and billing statements each month

Page 29

Avoiding Identity Theft (cont'd.)

• Fair and Accurate Credit Transactions Act (FACTA) of 2003
– Gives consumers the right to request one free credit report from each of the three national credit-reporting firms every 12 months
– If a consumer finds a problem on her credit report, she must first send a letter to the credit-reporting agency

Page 30

Using Cryptography

• Safeguard sensitive data by "scrambling" it through encryption
• Cryptography
– Science of transforming information into a secure form while it is being transmitted or stored
• Encryption/decryption
– Encryption transforms readable data into an unreadable form; decryption reverses it for someone who holds the right key
• Cleartext
– Data in unencrypted form
• Plaintext
– Cleartext data that is about to be encrypted (the encrypted result is called ciphertext)

Page 31

Using Cryptography (cont'd.)

• Algorithm
– Procedure, based on a mathematical formula, used to encrypt the data
• Key
– Mathematical value entered into the algorithm to produce the ciphertext; the algorithm may be public, but the key must stay secret
• Symmetric cryptography
– Uses the same key to encrypt and decrypt a message
– Also called private key (or secret key) cryptography
– Both parties must already share the key, so the key itself has to be exchanged securely beforehand

Page 32

Using Cryptography (cont'd.)

• Asymmetric cryptography
– Also called public key cryptography
– Uses two mathematically related keys instead of one
• One key encrypts the message and only the other can decrypt it
• Public key: can be distributed freely; anyone can use it to encrypt a message for the key's owner
• Private key: kept secret by the owner; the only key that can decrypt those messages

Page 33

Using Cryptography (cont'd.)

Figure 4-7 Cryptography process (Course Technology/Cengage Learning)

Page 34

Using Cryptography (cont'd.)

Figure 4-8 Symmetric cryptography (Course Technology/Cengage Learning)

Page 35

Using Cryptography (cont'd.)

Figure 4-9 Asymmetric cryptography (Course Technology/Cengage Learning)

Page 36

Using Cryptography (cont'd.)

• Encrypting files and disks
– Encrypting and decrypting documents one at a time is cumbersome
– Protecting groups of files
• Microsoft Windows Encrypting File System (EFS) encrypts selected files and folders
– Whole disk encryption
• Microsoft Windows BitLocker encrypts the entire volume, operating system included
• Trusted Platform Module (TPM): a hardware chip that protects the disk-encryption key and releases it only when the firmware and boot files it measured at startup have not been altered

Page 37

Using Cryptography (cont'd.)

• Digital certificates
– A user's public key that has been "digitally signed" by a reputable source entrusted to sign it (a certificate authority, or CA)
– The signature binds the key to an identity, such as a person's name or a Web server's host name
• Server digital certificates
– Ensure the authenticity of the Web server: the browser checks the CA's signature and that the name in the certificate matches the site it is visiting
– Supply the server's public key that is used to set up the encrypted connection to the Web server
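An added example (not from the textbook) in Python that ties together the symmetric and asymmetric cryptography slides (pages 31 and 32) and the digital certificate slide (page 37): one shared key that both encrypts and decrypts, a public/private key pair where one key undoes the other, and a certificate that is nothing more than a public key and a name signed by a certificate authority. The symmetric cipher is a toy counter-mode stream built from HMAC-SHA256, the RSA keys are textbook RSA over fixed Mersenne primes with no padding, and the certificate format is a made-up dictionary; all of that is for illustration of the key relationships only, and none of it should be used to protect real data.

```python
import hashlib
import hmac
import secrets

# ---------- Symmetric: one shared secret key encrypts and decrypts ----------

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 used as a pseudorandom function.
    Toy only: real systems use an authenticated cipher such as AES-GCM, which
    also adds an integrity tag that this construction omits."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)   # fresh per message; reuse would leak the XOR of two plaintexts
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, stream))


def symmetric_decrypt(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


# ---------- Asymmetric: public key encrypts/verifies, private key decrypts/signs ----------
# Textbook RSA with fixed Mersenne primes so no primality test is needed.
# No padding and tiny keys: enough to show the key relationship, useless for real data.

def rsa_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)              # (public key, private key)


def rsa_encrypt(public, m):
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def _digest_int(data):
    # 64-bit truncation keeps the value below every modulus used here.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def rsa_sign(private, data):
    n, d = private
    return pow(_digest_int(data), d, n)


def rsa_verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest_int(data)


# ---------- Digital certificate: a public key plus a name, signed by a trusted authority ----------

def issue_certificate(ca_private, subject, subject_public):
    n, e = subject_public
    to_be_signed = f"{subject}|{n}|{e}".encode()
    return {"subject": subject, "public_key": subject_public,
            "signature": rsa_sign(ca_private, to_be_signed)}


def verify_certificate(ca_public, cert):
    """A browser does the equivalent with the CA public keys in its trust store."""
    n, e = cert["public_key"]
    to_be_signed = f"{cert['subject']}|{n}|{e}".encode()
    return rsa_verify(ca_public, to_be_signed, cert["signature"])


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    box = symmetric_encrypt(key, b"account 1234 balance 5000")
    print("symmetric round trip:", symmetric_decrypt(key, box))

    server_pub, server_priv = rsa_keypair(2**31 - 1, 2**61 - 1)
    ca_pub, ca_priv = rsa_keypair(2**89 - 1, 2**107 - 1)
    print("asymmetric round trip:", rsa_decrypt(server_priv, rsa_encrypt(server_pub, 20150101)))

    cert = issue_certificate(ca_priv, "www.firstnational.example", server_pub)
    print("certificate valid:", verify_certificate(ca_pub, cert))
    forged = dict(cert, subject="www.attacker.example")
    print("forged certificate valid:", verify_certificate(ca_pub, forged))
```

The forged certificate fails because changing the subject changes the bytes the CA signed; an attacker who wants a certificate for a name he does not own needs the CA's private key, which is exactly what the trust in a certificate authority rests on.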

Page 38

Using Cryptography (cont'd.)

Figure 4-10 Web server digital certificate (Course Technology/Cengage Learning)

Page 39

Using Cryptography (cont'd.)

• Extended Validation Secure Sockets Layer Certificate (EV SSL)
– Enhanced server digital certificate: before issuing it, the certificate authority verifies the legal identity of the organization, not only its control of the domain name
– Browsers once highlighted EV sites with a green address bar or the company name; current major browsers no longer show a distinct EV indicator, so users should not rely on one

Page 40

Summary

• Spyware
– Keylogger or browser hijacker
• Authentication
– Passwords alone provide weak security
• Social engineering
– Phishing
• Defenses
– Strong passwords
– Caution on social networking sites
– Encryption

