Security Awareness Chapter 4 Personal Security

Security Awareness
Chapter 4
Personal Security
Objectives
After completing this chapter, you should be able to do the following:
• Describe attacks on personal security
• Explain the dangers of identity theft
• List the defenses against personal security attacks
• Define cryptography and explain how it can be used
Security Awareness, 3rd Edition
2
Attacks on Personal Security
• Include
– Spyware
– Password attacks
– Phishing
– Attacks on users of social networking sites
– Identity theft
What Is Spyware?
• Spyware
– Software that violates a user’s personal security
– Tracking software that is deployed without adequate notice, consent, or user control
• Spyware creators are motivated by profit
• Harmful spyware is not always easy to identify
• Very widespread
– Average computer has over 24 pieces of spyware
What Is Spyware? (cont’d.)
Table 4-1 Effects of spyware
Course Technology/Cengage Learning
What Is Spyware? (cont’d.)
• Keylogger
– Small hardware device or a program
– Monitors each keystroke a user types on the computer’s keyboard
– Transmits keystrokes to remote location
– Attacker searches for useful information in captured text
What Is Spyware? (cont’d.)
Figure 4-1 Hardware keylogger
Course Technology/Cengage Learning
What Is Spyware? (cont’d.)
• Browser hijacker
– Program that changes the Web browser’s home page and search engine to another site
• Add Internet shortcut links in the user’s Favorites folder without asking permission
Passwords
• Username
– Unique name for identification
• Authentication
– Process of providing proof that the user is “genuine” or authentic
– Performed based on one of three entities
• What you have
• What you know
• What you are
Passwords (cont’d.)
• Password
– Secret combination of letters, numbers, and/or symbols
– Validates or authenticates a user by what she knows
• Primary (and often exclusive) means of authenticating a user for access to a computer
• Not considered strong defense against attackers
• “Password paradox”
– Requires sufficient length and complexity that an attacker cannot easily determine
– But must be easy to remember
Passwords (cont’d.)
• Users have multiple accounts for computers that require passwords
• Weak passwords
– Common word used as a password
– Not changing passwords unless forced to do so
– Passwords that are short
– Personal information in a password
– Using the same password
– Writing the password down
– Predictable use of characters
Passwords (cont’d.)
Table 4-2 Common password myths
Course Technology/Cengage Learning
Passwords (cont’d.)
• Attacks on passwords
– Frequent focus of attacks
– Brute force attack
– Decrypt encrypted password
– Dictionary attack
– Rainbow tables
Passwords (cont’d.)
Figure 4-4 Dictionary attack
Course Technology/Cengage Learning
Phishing
• Social engineering
– Deceiving someone to obtain secure information
• Phishing
– Sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise
– Attempt to trick the user into surrendering private information
• Number of users that respond to phishing attacks is considered to be extremely high
Phishing (cont’d.)
Figure 4-5 Phishing message
Course Technology/Cengage Learning
Social Networking Attacks
• Social networking
– Grouping individuals and organizations into clusters or groups based on some sort of affiliation
• Social networking sites
– Web sites that facilitate linking individuals with common interests
– Increasingly becoming prime targets of attacks
– Provide a treasure trove of personal data
– Users are generally trusting
Identity Theft
• Using someone’s personal information to establish bank or credit card accounts
– The accounts are then left unpaid
• Number of security breaches that have exposed users’ digital data to attackers continues to increase
Personal Security Defenses
• Tools and techniques that should be implemented
– Installing antispyware software
– Using strong passwords
– Recognizing phishing attacks
– Setting social networking defenses
– Avoiding identity theft
– Using cryptography
Installing Antispyware Software
• Antispyware software
– Helps prevent computers from becoming infected by different types of spyware
• Similar to AV software
• Update regularly
• Set to provide continuous real-time monitoring
Using Strong Passwords
• Basic rules for strong passwords
– Optimally have at least 15 characters
– Random combination of letters, numbers, and special characters
– Replaced with new passwords at least every 60 days
– Not be reused for 12 months
– Same password should not be duplicated and used for multiple accounts
Using Strong Passwords (cont’d.)
• Techniques for preventing “password paradox”
– Use a phrase or expression instead of a single word
• Replace the spaces between the words with a special character
– Use password storage program
• Enter account information such as username and password, along with other account details
• Protect with single strong password
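The weak-password checklist from slide 11 and the strong-password rules and passphrase technique above, turned into a small policy check. This is an added Python example, not material from the textbook; the word list, the pattern rules and the personal-information input are constructed stand-ins.

```python
import re
import string

# Constructed stand-in for a dictionary-attack word list (assumption: a real
# check would load a full dictionary of common words and leaked passwords).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football"}

def weaknesses(pw, personal_info=(), previous=()):
    """Return the rules from the checklist that the password breaks (empty = OK)."""
    problems, low = [], pw.lower()
    if len(pw) < 15:
        problems.append("shorter than 15 characters")
    classes = (any(c.isalpha() for c in pw), any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("lacks a mix of letters, numbers and special characters")
    # "Password1!" still counts as a common word once the trailing digits/! go
    if low in COMMON_WORDS or low.rstrip("0123456789!") in COMMON_WORDS:
        problems.append("common word used as a password")
    if any(info.lower() in low for info in personal_info if info):
        problems.append("contains personal information")
    if pw in previous:
        problems.append("reuses an earlier password")
    # Predictable patterns (assumed rules): capital first letter with digits or
    # symbols only at the end, or the same character three or more times in a row
    if re.fullmatch(r"[A-Z][a-z]+[0-9!@#$%^&*]+", pw) or re.search(r"(.)\1\1", pw):
        problems.append("predictable use of characters")
    return problems

def passphrase(phrase, separator="#"):
    """Build a long password from a phrase by replacing the spaces between
    the words with a special character, as the slide suggests."""
    return separator.join(phrase.split())

if __name__ == "__main__":
    for candidate in ("Password1!", passphrase("the red fox jumps 7 fences")):
        print(candidate, "->", weaknesses(candidate, personal_info=["smith"]) or "OK")
```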
Using Strong Passwords (cont’d.)
Figure 4-6 Password storage program
Course Technology/Cengage Learning
Recognizing Phishing Attacks
• Recognize phishing attacks
– Deceptive Web links
– E-mails that look like Web sites
– Fake sender’s address
– Generic greeting
– Popup boxes and attachments
– Urgent request
• Treat e-mail like a postcard
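The recognition checklist above as a detection routine run over a constructed sample message. This is an added Python example, not from the textbook; the message, its domains and the keyword lists are constructed assumptions, and only the four indicators that can be checked from the message text are covered.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the demonstration; all domains are fictitious.
SAMPLE = """From: "Example Bank Security" <alerts@mail-example-bank-login.test>
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Dear Valued Customer,</p>
<p>Your account will be suspended. Click
<a href="http://login-example-bank.test/verify">https://www.examplebank.test/secure</a>
immediately.</p>
"""
URGENT = re.compile(r"\b(urgent|immediately|suspended|within \d+ hours)\b", re.I)
GENERIC = re.compile(r"\bdear\s+(valued\s+)?(customer|user|member|client)\b", re.I)
class LinkCollector(HTMLParser):
    """Collect each <a> tag's href together with the text the reader sees."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a":
            self.links.append((self._href, self._text.strip()))
            self._href = None

def phishing_indicators(raw, expected_domain):
    """Return the checklist indicators that the message shows (empty = none)."""
    msg = message_from_string(raw)
    body, found = msg.get_payload(), []
    if not parseaddr(msg["From"])[1].lower().endswith("@" + expected_domain):
        found.append("fake sender's address")     # sender is not at the real domain
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:           # visible URL vs. real target
        if text.startswith("http") and urlparse(text).hostname != urlparse(href).hostname:
            found.append("deceptive Web link")
    if GENERIC.search(body):
        found.append("generic greeting")
    if URGENT.search(msg["Subject"] + " " + body):
        found.append("urgent request")
    return found
```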
Setting Social Networking Defenses
• Be cautious regarding placing personal information on social networking sites
• General security tips
– Consider carefully who is accepted as a friend
– Show “limited friends” a reduced version of your profile
– Disable options and then reopen them only as necessary
Setting Social Networking Defenses (cont’d.)
Table 4-3 Recommended Facebook profile settings
Course Technology/Cengage Learning
Setting Social Networking Defenses (cont’d.)
Table 4-4 Recommended Facebook contact information settings
Course Technology/Cengage Learning
Avoiding Identity Theft
• Help safeguard information
– Shred financial documents and paperwork
– Do not carry a Social Security number in a wallet
– Do not provide personal information either over the phone or through an e-mail message
– Keep personal information in a secure location
• Monitor financial statements and accounts
– Be alert to signs that may indicate unusual activity
– Follow up on calls regarding purchases that were not made
– Review financial and billing statements each month
Avoiding Identity Theft (cont’d.)
• Fair and Accurate Credit Transactions Act (FACTA) of 2003
– Right to request one free credit report from each of the three national credit-reporting firms every 12 months
– If a consumer finds a problem on her credit report, she must first send a letter to the credit-reporting agency
Using Cryptography
• Safeguard sensitive data by “scrambling” it through encryption
• Cryptography
– Science of transforming information into a secure form while it is being transmitted or stored
• Encryption/decryption
• Cleartext
– Data in unencrypted form
• Plaintext
– Cleartext data to be encrypted
Using Cryptography (cont’d.)
• Algorithm
– Procedure based on a mathematical formula used to encrypt the data
• Key
– Mathematical value entered into the algorithm to produce ciphertext
• Symmetric cryptography
– Uses the same key to encrypt and decrypt a message
– Private key cryptography
Using Cryptography (cont’d.)
• Asymmetric cryptography
– Public key cryptography
– Uses two keys instead of one
• One to encrypt the message and one to decrypt it
• Public key
• Private key
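Symmetric and asymmetric cryptography from the two slides above, shown in working code. This is an added Python example, not from the textbook: the symmetric part is a toy SHA-256 keystream cipher and the asymmetric part is textbook RSA with the tiny primes 61 and 53, both chosen for illustration only.

```python
import hashlib
from math import gcd

# --- Symmetric (private key) cryptography: one shared key does both jobs ---
def keystream(key: bytes, length: int) -> bytes:
    """Expand the key into a byte stream with SHA-256 in counter mode.
    Toy construction for teaching; use a vetted cipher such as AES in practice."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; the same call with the same key turns
    plaintext into ciphertext and ciphertext back into plaintext."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

# --- Asymmetric (public key) cryptography: textbook RSA with tiny primes ---
def rsa_keypair(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) for primes p and q (toy sizes only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to (p-1)(q-1)"
    d = pow(e, -1, phi)            # private exponent: the modular inverse of e
    return (n, e), (n, d)

def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)            # anyone holding the public key can encrypt

def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)            # only the private key holder can decrypt

if __name__ == "__main__":
    secret = b"shared-secret-key"
    ct = symmetric_crypt(secret, b"meet at noon")
    print(symmetric_crypt(secret, ct))               # b'meet at noon'
    pub, priv = rsa_keypair(61, 53)                  # n = 3233, d = 2753
    print(rsa_decrypt(priv, rsa_encrypt(pub, 65)))   # 65
```

Decrypting the RSA ciphertext with the public key instead of the private key does not recover the message, which is the point of having two keys.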
Using Cryptography (cont’d.)
Figure 4-7 Cryptography process
Course Technology/Cengage Learning
Using Cryptography (cont’d.)
Figure 4-8 Symmetric cryptography
Course Technology/Cengage Learning
Using Cryptography (cont’d.)
Figure 4-9 Asymmetric cryptography
Course Technology/Cengage Learning
Using Cryptography (cont’d.)
• Encrypting files and disks
– Cumbersome to encrypt and decrypt individual documents
– Protecting groups of files
• Microsoft Windows Encrypting File System (EFS)
– Whole disk encryption
• Microsoft Windows BitLocker
• Trusted Platform Module (TPM)
Using Cryptography (cont’d.)
• Digital certificates
– User’s public key that has been “digitally signed” by a reputable source entrusted to sign it
• Server digital certificates
– Ensure the authenticity of the Web server
– Ensure the authenticity of the cryptographic connection to the Web server
Using Cryptography (cont’d.)
Figure 4-10 Web Server digital certificate
Course Technology/Cengage Learning
Using Cryptography (cont’d.)
• Extended Validation Secure Sockets Layer Certificate (EV SSL)
– Enhanced server digital certificate
Summary
• Spyware
– Keylogger or browser hijacker
• Authentication
– Passwords provide weak security
• Social engineering
– Phishing
• Defenses
– Strong passwords
– Caution on social networking sites
– Encryption