Security Awareness, 3rd Edition
Chapter 4: Personal Security
Objectives
After completing this chapter, you should be able to do the following:
• Describe attacks on personal security
• Explain the dangers of identity theft
• List the defenses against personal security attacks
• Define cryptography and explain how it can be used
Attacks on Personal Security
• Include
  – Spyware
  – Password attacks
  – Phishing
  – Attacks on users of social networking sites
  – Identity theft
What Is Spyware?
• Spyware
  – Software that violates a user’s personal security
  – Tracking software that is deployed without adequate notice, consent, or user control
• Spyware creators are motivated by profit
• Harmful spyware is not always easy to identify
• Very widespread
  – Average computer has over 24 pieces of spyware
What Is Spyware? (cont’d.)
Table 4-1 Effects of spyware (Course Technology/Cengage Learning)
What Is Spyware? (cont’d.)
• Keylogger
  – Small hardware device or a program
  – Monitors each keystroke a user types on the computer’s keyboard
  – Transmits keystrokes to a remote location
  – Attacker searches for useful information in the captured text
What Is Spyware? (cont’d.)
Figure 4-1 Hardware keylogger (Course Technology/Cengage Learning)
What Is Spyware? (cont’d.)
• Browser hijacker
  – Program that changes the Web browser’s home page and search engine to another site
  – Adds Internet shortcut links to the user’s Favorites folder without asking permission
Passwords
• Username
  – Unique name for identification
• Authentication
  – Process of providing proof that the user is “genuine” or authentic
  – Performed based on one of three entities
    • What you have
    • What you know
    • What you are
Passwords (cont’d.)
• Password
  – Secret combination of letters, numbers, and/or symbols
  – Validates or authenticates a user by what she knows
• Primary (and often exclusive) means of authenticating a user for access to a computer
• Not considered a strong defense against attackers
• “Password paradox”
  – Requires sufficient length and complexity that an attacker cannot easily determine it
  – But must be easy to remember
Passwords (cont’d.)
• Users have multiple accounts for computers that require passwords
• Weak passwords
  – Common word used as a password
  – Not changing passwords unless forced to do so
  – Passwords that are short
  – Personal information in a password
  – Using the same password
  – Writing the password down
  – Predictable use of characters
Passwords (cont’d.)
Table 4-2 Common password myths (Course Technology/Cengage Learning)
Passwords (cont’d.)
• Attacks on passwords
  – Frequent focus of attacks
  – Brute force attack
  – Decrypt encrypted password
  – Dictionary attack
  – Rainbow tables
Passwords (cont’d.)
Figure 4-4 Dictionary attack (Course Technology/Cengage Learning)
Phishing
• Social engineering
  – Deceiving someone to obtain secure information
• Phishing
  – Sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise
  – Attempt to trick the user into surrendering private information
• Number of users that respond to phishing attacks is considered to be extremely high
Phishing (cont’d.)
Figure 4-5 Phishing message (Course Technology/Cengage Learning)
Social Networking Attacks
• Social networking
  – Grouping individuals and organizations into clusters or groups based on some sort of affiliation
• Social networking sites
  – Web sites that facilitate linking individuals with common interests
  – Increasingly becoming prime targets of attacks
  – Provide a treasure trove of personal data
  – Users are generally trusting
Identity Theft
• Using someone’s personal information to establish bank or credit card accounts
  – Left unpaid
• Number of security breaches that have exposed users’ digital data to attackers continues to increase
Personal Security Defenses
• Tools and techniques that should be implemented
  – Installing antispyware software
  – Using strong passwords
  – Recognizing phishing attacks
  – Setting social networking defenses
  – Avoiding identity theft
  – Using cryptography
Installing Antispyware Software
• Antispyware software
  – Helps prevent computers from becoming infected by different types of spyware
• Similar to AV software
• Update regularly
• Set to provide continuous real-time monitoring
Using Strong Passwords
• Strong passwords basic rules
  – Optimally have at least 15 characters
  – Random combination of letters, numbers, and special characters
  – Replaced with new passwords at least every 60 days
  – Not be reused for 12 months
  – Same password should not be duplicated and used for multiple accounts
Using Strong Passwords (cont’d.)
• Techniques for preventing the “password paradox”
  – Use a phrase or expression instead of a single word
    • Replace the spaces between the words with a special character
  – Use a password storage program
    • Enter account information such as username and password, along with other account details
    • Protect with a single strong password
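The rules on the two strong-password slides above (at least 15 characters, a mix of letters, digits and special characters, replacement every 60 days, no reuse for 12 months, and the phrase-with-separator technique) as a small checker in Python. This is an added example, not code from the textbook; the helper names, the sample passwords and dates, and the PBKDF2 round count are this example's own assumptions, while the 60-day and 365-day windows come from the slides. The password history is kept as salted, slow PBKDF2 hashes rather than as the passwords themselves, which is also the stored-password defense against the dictionary and rainbow-table attacks listed on the earlier "Attacks on passwords" slide: with a fresh random salt per entry, the same password never produces the same stored value twice, so a precomputed table of hashes is useless.

```python
"""Check a candidate password against the slide's strong-password rules.

Added example, not textbook code. Helper names, sample passwords and the
PBKDF2 round count are this example's assumptions; the rotation windows
(60 days, 12 months) are the ones the slides give.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 15          # "optimally have at least 15 characters"
MAX_AGE_DAYS = 60        # "replaced with new passwords at least every 60 days"
REUSE_WINDOW_DAYS = 365  # "not be reused for 12 months"
PBKDF2_ROUNDS = 100_000  # slow hash: makes offline guessing expensive


def passphrase_from_phrase(phrase, separator="#"):
    """Slide technique: take a phrase and replace the spaces with a special character."""
    return separator.join(phrase.split())


def strength_problems(password):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.ascii_letters for c in password):
        problems.append("no letters")
    if not any(c in string.digits for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems


def password_expired(set_on, today):
    """True once the password has been in use for MAX_AGE_DAYS or longer."""
    return (today - set_on).days >= MAX_AGE_DAYS


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def record_password(password, set_on):
    """History entry: the date plus a salted, slow hash, never the password itself.

    A fresh random salt per entry is what defeats precomputed (rainbow) tables:
    hashing the same password twice yields two unrelated stored values.
    """
    salt = os.urandom(16)
    return {"set_on": set_on, "salt": salt, "digest": _hash(password, salt)}


def was_used_recently(candidate, history, today):
    """True if the candidate matches any password set within the reuse window."""
    cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    for entry in history:
        if entry["set_on"] < cutoff:
            continue  # older than 12 months: reuse is allowed by the slide's rule
        if hmac.compare_digest(_hash(candidate, entry["salt"]), entry["digest"]):
            return True
    return False


def evaluate(candidate, history, today):
    """Combine the strength rules and the reuse rule into one list of problems."""
    problems = strength_problems(candidate)
    if was_used_recently(candidate, history, today):
        problems.append("reused within %d days" % REUSE_WINDOW_DAYS)
    return problems


# Constructed sample data: one recent password and one set over two years ago.
TODAY = date(2024, 1, 15)
SAMPLE_HISTORY = [
    record_password("Summer2023!!Summer", date(2023, 9, 1)),
    record_password("Winter2021!!Winter", date(2021, 12, 1)),
]

if __name__ == "__main__":
    print(evaluate("password", SAMPLE_HISTORY, TODAY))
    print(evaluate("Summer2023!!Summer", SAMPLE_HISTORY, TODAY))
    new_pw = passphrase_from_phrase("my dog ate 3 green apples")
    print(new_pw, evaluate(new_pw, SAMPLE_HISTORY, TODAY))
    print(password_expired(SAMPLE_HISTORY[0]["set_on"], TODAY))
```

The checker deliberately never stores or compares plaintext history: a candidate is hashed with each stored salt and compared in constant time, so the history file is no more useful to a thief than any other properly hashed password store.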
Using Strong Passwords (cont’d.)
Figure 4-6 Password storage program (Course Technology/Cengage Learning)
Recognizing Phishing Attacks
• Recognize phishing attacks
  – Deceptive Web links
  – E-mails that look like Web sites
  – Fake sender’s address
  – Generic greeting
  – Popup boxes and attachments
  – Urgent request
• Treat e-mail like a postcard
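Three of the indicators on this slide (deceptive Web links, generic greeting, urgent request) can be checked mechanically, which is roughly what mail filters do. The Python scanner below is an added example, not from the textbook: it parses the anchors in an HTML message body and flags any link whose visible text names one domain while its target points at another, then looks for the greeting and urgency phrases. The two sample messages, the placeholder domains in them, and the phrase lists are constructed for the demonstration.

```python
"""Flag phishing indicators from the slide in an HTML e-mail body.

Added example, not textbook code. The sample messages, their placeholder
domains and the phrase lists are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent", "act now")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; enough to compare shown vs. real target."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def deceptive_links(html):
    """Links whose visible text shows a domain different from the href's domain.

    Text without a domain in it (e.g. "Click here") cannot be compared and is
    not flagged by this check.
    """
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        if not href:
            continue
        target = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text.lower())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append((text, href))
    return findings


def phishing_indicators(html):
    """Return the slide's indicator names that the message triggers."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    indicators = []
    if deceptive_links(html):
        indicators.append("deceptive web link")
    if any(g in text for g in GENERIC_GREETINGS):
        indicators.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        indicators.append("urgent request")
    return indicators


# Constructed samples; ".example" and "example.net" are reserved placeholder domains.
SAMPLE_PHISH = """<p>Dear Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it.</p>
<p><a href="http://login-verify.example.net/session">https://www.examplebank.example/login</a></p>"""

SAMPLE_LEGIT = """<p>Hi Alice,</p>
<p>Your statement is ready: <a href="https://www.examplebank.example/statements">www.examplebank.example/statements</a></p>"""

if __name__ == "__main__":
    print(deceptive_links(SAMPLE_PHISH))
    print(phishing_indicators(SAMPLE_PHISH))
    print(phishing_indicators(SAMPLE_LEGIT))
```

The link check is the one that matters most: the visible text is whatever the sender chose to show, while the `href` is where the click actually goes, so a mismatch between the two is the "deceptive Web link" the slide warns about.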
Setting Social Networking Defenses
• Be cautious regarding placing personal information on social networking sites
• General security tips
  – Consider carefully who is accepted as a friend
  – Show “limited friends” a reduced version of your profile
  – Disable options and then reopen them only as necessary
Setting Social Networking Defenses (cont’d.)
Table 4-3 Recommended Facebook profile settings (Course Technology/Cengage Learning)
Setting Social Networking Defenses (cont’d.)
Table 4-4 Recommended Facebook contact information settings (Course Technology/Cengage Learning)
Avoiding Identity Theft
• Help safeguard information
  – Shred financial documents and paperwork
  – Do not carry a Social Security number in a wallet
  – Do not provide personal information either over the phone or through an e-mail message
  – Keep personal information in a secure location
• Monitor financial statements and accounts
  – Be alert to signs that may indicate unusual activity
  – Follow up on calls regarding purchases that were not made
  – Review financial and billing statements each month
Avoiding Identity Theft (cont’d.)
• Fair and Accurate Credit Transactions Act (FACTA) of 2003
  – Right to request one free credit report from each of the three national credit-reporting firms every 12 months
  – If a consumer finds a problem on her credit report, she must first send a letter to the credit-reporting agency
Using Cryptography
• Safeguard sensitive data by “scrambling” it through encryption
• Cryptography
  – Science of transforming information into a secure form while it is being transmitted or stored
• Encryption/decryption
• Cleartext
  – Data in unencrypted form
• Plaintext
  – Cleartext data to be encrypted
Using Cryptography (cont’d.)
• Algorithm
  – Procedure based on a mathematical formula used to encrypt the data
• Key
  – Mathematical value entered into the algorithm to produce ciphertext
• Symmetric cryptography
  – Uses the same key to encrypt and decrypt a message
  – Private key cryptography
Using Cryptography (cont’d.)
• Asymmetric cryptography
  – Public key cryptography
  – Uses two keys instead of one
    • One to encrypt the message and one to decrypt it
    • Public key
    • Private key
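The definitions on the last three slides (algorithm, key, plaintext and ciphertext, symmetric versus asymmetric) reduced to working Python. This is an added example, not code from the textbook. The symmetric half is a toy stream cipher (SHA-256 keystream XORed with the data) so that the same function visibly encrypts and decrypts with the same key; the asymmetric half is textbook RSA on the small primes 61 and 53, so that the public key encrypts and only the private key decrypts. Both are illustrations of the key-handling difference only: the stream cipher has no nonce or authentication and the RSA has no padding and primes far too small for real use, so neither protects real data.

```python
"""Symmetric vs. asymmetric cryptography, reduced to their key-handling difference.

Added example, not textbook code. Toy constructions for illustration only:
the stream cipher has no nonce or authentication tag, and the RSA is the
unpadded textbook form with tiny primes.
"""
import hashlib
from math import gcd


# ---- Symmetric ("private key") cryptography: one key, both directions ----

def keystream(key: bytes, length: int) -> bytes:
    """Algorithm: derive a pseudorandom byte stream from the key with SHA-256."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream.

    The same call turns plaintext into ciphertext and ciphertext back into
    plaintext, which is the defining property of symmetric cryptography:
    whoever holds the one key can do both.
    """
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


# ---- Asymmetric ("public key") cryptography: two keys, one per direction ----

def rsa_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key generation from two primes; returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(public_key, message: bytes):
    """Anyone holding the public key can encrypt; each byte becomes one block."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def rsa_decrypt(private_key, blocks):
    """Only the holder of the private key can turn the blocks back into bytes."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


if __name__ == "__main__":
    plaintext = b"meet at noon"  # constructed sample message
    shared_key = b"shared secret between two parties"
    ciphertext = symmetric_crypt(shared_key, plaintext)
    print(ciphertext.hex())
    print(symmetric_crypt(shared_key, ciphertext))   # same key recovers the plaintext
    print(symmetric_crypt(b"wrong key", ciphertext))  # a different key yields garbage

    public, private = rsa_keypair(61, 53)             # n = 3233, d = 2753
    blocks = rsa_encrypt(public, b"A")
    print(blocks)                                     # [2790]
    print(rsa_decrypt(private, blocks))               # b'A'
```

The contrast the slides draw is visible in the two halves: the symmetric code has a single `shared_key` that both parties must already possess, while the RSA code hands out `(e, n)` freely and keeps `(d, n)` secret, which is what lets a stranger send an encrypted message without any prior shared secret.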
Using Cryptography (cont’d.)
Figure 4-7 Cryptography process (Course Technology/Cengage Learning)
Using Cryptography (cont’d.)
Figure 4-8 Symmetric cryptography (Course Technology/Cengage Learning)
Using Cryptography (cont’d.)
Figure 4-9 Asymmetric cryptography (Course Technology/Cengage Learning)
Using Cryptography (cont’d.)
• Encrypting files and disks
  – Cumbersome to encrypt and decrypt individual documents
  – Protecting groups of files
    • Microsoft Windows Encrypting File System (EFS)
  – Whole disk encryption
    • Microsoft Windows BitLocker
    • Trusted Platform Module (TPM)
Using Cryptography (cont’d.)
• Digital certificates
  – User’s public key that has been “digitally signed” by a reputable source entrusted to sign it
• Server digital certificates
  – Ensure the authenticity of the Web server
  – Ensure the authenticity of the cryptographic connection to the Web server
Using Cryptography (cont’d.)
Figure 4-10 Web server digital certificate (Course Technology/Cengage Learning)
Using Cryptography (cont’d.)
• Extended Validation Secure Sockets Layer Certificate (EV SSL)
  – Enhanced server digital certificate
Summary
• Spyware
  – Keylogger or browser hijacker
• Authentication
  – Passwords provide weak security
• Social engineering
  – Phishing
• Defenses
  – Strong passwords
  – Caution on social networking sites
  – Encryption