Security Awareness

Chapter 4 Personal Security

Security Awareness, 3rd Edition 2

Objectives

After completing this chapter, you should be able to do the following:

• Describe attacks on personal security
• Explain the dangers of identity theft
• List the defenses against personal security attacks
• Define cryptography and explain how it can be used

Attacks on Personal Security

• Include:
  – Spyware
  – Password attacks
  – Phishing
  – Attacks on users of social networking sites
  – Identity theft

What Is Spyware?

• Spyware
  – Software that violates a user’s personal security
  – Tracking software that is deployed without adequate notice, consent, or user control

• Spyware creators are motivated by profit

• Harmful spyware is not always easy to identify

• Very widespread
  – Average computer has over 24 pieces of spyware

What Is Spyware? (cont’d.)

Table 4-1 Effects of spyware

Course Technology/Cengage Learning

What Is Spyware? (cont’d.)

• Keylogger
  – Small hardware device or a program
  – Monitors each keystroke a user types on the computer’s keyboard
  – Transmits keystrokes to remote location
  – Attacker searches for useful information in captured text

What Is Spyware? (cont’d.)

Figure 4-1 Hardware keylogger

What Is Spyware? (cont’d.)

• Browser hijacker
  – Program that changes the Web browser’s home page and search engine to another site
  – Adds Internet shortcut links in the user’s Favorites folder without asking permission

Passwords

• Username
  – Unique name for identification
• Authentication
  – Process of providing proof that the user is ‘‘genuine’’ or authentic
  – Performed based on one of three entities
    • What you have
    • What you know
    • What you are

Passwords (cont’d.)

• Password
  – Secret combination of letters, numbers, and/or symbols
  – Validates or authenticates a user by what she knows
• Primary (and often exclusive) means of authenticating a user for access to a computer
• Not considered strong defense against attackers
• “Password paradox”
  – Requires sufficient length and complexity that an attacker cannot easily determine it
  – But must be easy to remember

Passwords (cont’d.)

• Users have multiple accounts for computers that require passwords
• Weak passwords
  – Common word used as a password
  – Not changing passwords unless forced to do so
  – Passwords that are short
  – Personal information in a password
  – Using the same password
  – Writing the password down
  – Predictable use of characters

Passwords (cont’d.)

Table 4-2 Common password myths

Passwords (cont’d.)

• Attacks on passwords
  – Frequent focus of attacks
  – Brute force attack
  – Decrypt encrypted password
  – Dictionary attack
  – Rainbow tables

Passwords (cont’d.)

Figure 4-4 Dictionary attack

Phishing

• Social engineering
  – Deceiving someone to obtain secure information
• Phishing
  – Sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise
  – Attempt to trick the user into surrendering private information
• Number of users that respond to phishing attacks is considered to be extremely high

Phishing (cont’d.)

Figure 4-5 Phishing message

Social Networking Attacks

• Social networking
  – Grouping individuals and organizations into clusters or groups based on some sort of affiliation
• Social networking sites
  – Web sites that facilitate linking individuals with common interests
  – Increasingly becoming prime targets of attacks
  – Provide a treasure trove of personal data
  – Users are generally trusting

Identity Theft

• Using someone’s personal information to establish bank or credit card accounts
  – Accounts are then left unpaid
• Number of security breaches that have exposed users’ digital data to attackers continues to increase

Personal Security Defenses

• Tools and techniques that should be implemented
  – Installing antispyware software
  – Using strong passwords
  – Recognizing phishing attacks
  – Setting social networking defenses
  – Avoiding identity theft
  – Using cryptography

Installing Antispyware Software

• Antispyware software
  – Helps prevent computers from becoming infected by different types of spyware
• Similar to AV software
• Update regularly
• Set to provide continuous real-time monitoring

Using Strong Passwords

• Basic rules for strong passwords
  – Optimally have at least 15 characters
  – Random combination of letters, numbers, and special characters
  – Replaced with new passwords at least every 60 days
  – Not reused for 12 months
  – Same password should not be duplicated and used for multiple accounts

Using Strong Passwords (cont’d.)

• Techniques for preventing the “password paradox”
  – Use a phrase or expression instead of a single word
    • Replace the spaces between the words with a special character
  – Use a password storage program
    • Enter account information such as username and password, along with other account details
    • Protect with a single strong password
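The rules on the two Using Strong Passwords slides, turned into a checker as an added example (not the book's code). Function names are hypothetical, and the common-word list and sample data are constructed for illustration.

```python
"""Added example (not the book's code): a checker for the slides' strong-password
rules. Function names are hypothetical; COMMON_WORDS stands in for a real
dictionary-attack wordlist and is constructed for illustration."""
import re
import string
from datetime import date, timedelta

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football", "dragon"}
MAX_PASSWORD_AGE_DAYS = 60   # replaced with new passwords at least every 60 days
REUSE_WINDOW_DAYS = 365      # not reused for 12 months


def passphrase_to_password(phrase: str, separator: str = "#") -> str:
    """'Password paradox' technique: a memorable phrase, spaces replaced by a special character."""
    return separator.join(phrase.split())


def password_findings(password, last_changed, history, other_accounts, personal_info, today):
    """Return the rules the password breaks (empty list means it passes all of them).

    Dates are ISO strings. history maps retired passwords to the date they were retired;
    other_accounts maps account names to their current passwords; personal_info lists
    names, birth years, pet names, etc. that must not appear in the password."""
    today_d, changed_d = date.fromisoformat(today), date.fromisoformat(last_changed)
    lower = password.lower()
    findings = []
    if len(password) < 15:
        findings.append("shorter than 15 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)
            and any(c in string.punctuation for c in password)):
        findings.append("missing letters, numbers or special characters")
    if lower.strip(string.digits + string.punctuation) in COMMON_WORDS:
        findings.append("common dictionary word")
    if any(info.lower() in lower for info in personal_info if len(info) >= 3):
        findings.append("contains personal information")
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[!@#$%^&*]?", password):  # e.g. Word2019!
        findings.append("predictable use of characters")
    if today_d - changed_d > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        findings.append("not changed within 60 days")
    retired = history.get(password)
    if retired and today_d - date.fromisoformat(retired) < timedelta(days=REUSE_WINDOW_DAYS):
        findings.append("reused within 12 months")
    duplicates = [acct for acct, pw in other_accounts.items() if pw == password]
    if duplicates:
        findings.append("same password used for: " + ", ".join(duplicates))
    return findings
```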

Using Strong Passwords (cont’d.)

Figure 4-6 Password storage program

Recognizing Phishing Attacks

• Recognize phishing attacks
  – Deceptive Web links
  – E-mails that look like Web sites
  – Fake sender’s address
  – Generic greeting
  – Popup boxes and attachments
  – Urgent request
• Treat e-mail like a postcard
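The indicators on this slide as simple checks run over a constructed e-mail, added here as an example rather than taken from the book. Function names, the phrase lists and the domains (.example is a reserved TLD) are made up for illustration.

```python
"""Added example (not the book's code): the phishing indicators listed on the slide as
checks over a constructed e-mail. Function names, the phrase lists and the domains
(.example is a reserved TLD) are all made up for illustration."""
import re
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued member")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _belongs_to(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def phishing_indicators(sender_address, claimed_domain, body_html, attachments=()):
    """Return the slide's indicators that this message triggers.

    claimed_domain is the domain of the enterprise the message says it comes from."""
    hits = []
    sender_domain = sender_address.rsplit("@", 1)[-1].lower()
    if not _belongs_to(sender_domain, claimed_domain):
        hits.append(f"fake sender's address: @{sender_domain} is not {claimed_domain}")
    for href, anchor in LINK_RE.findall(body_html):
        shown = re.sub(r"<[^>]+>", "", anchor).strip()   # the link text the reader sees
        target = _host(href)                               # where the link really goes
        if not _belongs_to(target, claimed_domain):
            hits.append(f"deceptive Web link: goes to {target}, not {claimed_domain}")
        if shown.startswith(("http://", "https://")) and _host(shown) != target:
            hits.append(f"deceptive Web link: text shows {_host(shown)} but goes to {target}")
    text = re.sub(r"<[^>]+>", " ", body_html).lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        hits.append("generic greeting")
    if any(phrase in text for phrase in URGENCY_PHRASES):
        hits.append("urgent request")
    if attachments:
        hits.append("attachments: " + ", ".join(attachments))
    return hits


# Constructed sample message claiming to come from bank.example.
SUSPICIOUS_BODY = ('<p>Dear Customer,</p><p>Your account will be suspended within 24 hours '
                   'unless you confirm your details at '
                   '<a href="http://bank-verify.example/login">https://bank.example/login</a></p>')
```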

Setting Social Networking Defenses

• Be cautious regarding placing personal information on social networking sites
• General security tips
  – Consider carefully who is accepted as a friend
  – Show ‘‘limited friends’’ a reduced version of your profile
  – Disable options and then reopen them only as necessary

Setting Social Networking Defenses (cont’d.)

Table 4-3 Recommended Facebook profile settings

Setting Social Networking Defenses (cont’d.)

Table 4-4 Recommended Facebook contact information settings

Avoiding Identity Theft

• Help safeguard information
  – Shred financial documents and paperwork
  – Do not carry a Social Security number in a wallet
  – Do not provide personal information either over the phone or through an e-mail message
  – Keep personal information in a secure location
• Monitor financial statements and accounts
  – Be alert to signs that may indicate unusual activity
  – Follow up on calls regarding purchases that were not made
  – Review financial and billing statements each month

Avoiding Identity Theft (cont’d.)

• Fair and Accurate Credit Transactions Act (FACTA) of 2003
  – Right to request one free credit report from each of the three national credit-reporting firms every 12 months
  – If a consumer finds a problem on her credit report, she must first send a letter to the credit-reporting agency

Using Cryptography

• Safeguard sensitive data by ‘‘scrambling’’ it through encryption
• Cryptography
  – Science of transforming information into a secure form while it is being transmitted or stored
• Encryption/decryption
• Cleartext
  – Data in unencrypted form
• Plaintext
  – Cleartext data to be encrypted

Using Cryptography (cont’d.)

• Algorithm
  – Procedure based on a mathematical formula used to encrypt the data
• Key
  – Mathematical value entered into the algorithm to produce ciphertext
• Symmetric cryptography
  – Uses the same key to encrypt and decrypt a message
  – Private key cryptography

Using Cryptography (cont’d.)

• Asymmetric cryptography
  – Public key cryptography
  – Uses two keys instead of one
    • One to encrypt the message and one to decrypt it
    • Public key
    • Private key

Using Cryptography (cont’d.)

Figure 4-7 Cryptography process

Using Cryptography (cont’d.)

Figure 4-8 Symmetric cryptography

Using Cryptography (cont’d.)

Figure 4-9 Asymmetric cryptography

Using Cryptography (cont’d.)

• Encrypting files and disks
  – Cumbersome to encrypt and decrypt individual documents
  – Protecting groups of files
    • Microsoft Windows Encrypting File System (EFS)
  – Whole disk encryption
    • Microsoft Windows BitLocker
    • Trusted Platform Module (TPM)

Using Cryptography (cont’d.)

• Digital certificates
  – User’s public key that has been ‘‘digitally signed’’ by a reputable source entrusted to sign it
• Server digital certificates
  – Ensure the authenticity of the Web server
  – Ensure the authenticity of the cryptographic connection to the Web server
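The symmetric and asymmetric definitions from the earlier Using Cryptography slides and the digital certificate just described, carried through in one added example (not the book's code). The symmetric cipher is an HMAC-SHA256 keystream in counter mode, the asymmetric part is textbook RSA on tiny primes for illustration only, and all key values and names are constructed.

```python
"""Added example (not the book's code): the slides' cryptography terms in running code.
Symmetric: one shared key. Asymmetric: a public/private pair, shown with textbook RSA on
tiny primes (illustration only, NOT secure). Digital certificate: a public key signed by
a trusted party's private key and checked with that party's public key."""
import hashlib
import hmac


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Algorithm + key turn plaintext into ciphertext: XOR with a keystream made by
    HMAC-SHA256(key, nonce || counter). Decrypting is the same operation, same key."""
    out = bytearray()
    for offset in range(0, len(plaintext), 32):
        counter = (offset // 32).to_bytes(4, "big")
        stream = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(p ^ s for p, s in zip(plaintext[offset:offset + 32], stream))
    return bytes(out)

symmetric_decrypt = symmetric_encrypt  # "private key cryptography": same key both ways


def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return (public_key, private_key), each an (exponent, modulus) pair."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (modular inverse, Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, value: int) -> int:
    """Encrypt with the public key, decrypt (or sign) with the private key."""
    exponent, modulus = key
    return pow(value, exponent, modulus)

def _key_digest(public_key, modulus: int) -> int:
    raw = hashlib.sha256(repr(public_key).encode()).digest()
    return int.from_bytes(raw, "big") % modulus  # reduced to fit the toy modulus

def issue_certificate(ca_private_key, subject_public_key) -> dict:
    """Digital certificate: the subject's public key signed with the CA's private key."""
    signature = rsa_apply(ca_private_key, _key_digest(subject_public_key, ca_private_key[1]))
    return {"subject_public_key": subject_public_key, "signature": signature}

def verify_certificate(ca_public_key, cert: dict) -> bool:
    """Anyone holding the CA's public key can check that the CA really signed this key."""
    expected = _key_digest(cert["subject_public_key"], ca_public_key[1])
    return rsa_apply(ca_public_key, cert["signature"]) == expected
```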

Using Cryptography (cont’d.)

Figure 4-10 Web Server digital certificate

Using Cryptography (cont’d.)

• Extended Validation Secure Sockets Layer Certificate (EV SSL)
  – Enhanced server digital certificate

Summary

• Spyware
  – Keylogger or browser hijacker
• Authentication
  – Passwords provide weak security
• Social engineering
  – Phishing
• Defenses
  – Strong passwords
  – Caution on social networking sites
  – Encryption
