transmissions using a method called public key encryption. The system works with two keys: a public key and a private key. The public key can "lock" (encrypt) data but cannot unlock it; only the matching private key can decrypt what the public key has locked. So a Web site that wants you to transmit secure information sends you its public key. You use this key to lock the data, and no one who intercepts the transmission can read it unless they have the private key. (In practice the public key protects a short-lived session key, and the bulk of the traffic is then encrypted with a faster symmetric cipher; the principle is the same.) The private key is the secret everything depends on: if the Web site does its job, it keeps the private key out of reach of all potentially prying eyes, because anyone who obtains it can impersonate the site.

Wondering if a Web site's transmissions are encrypted? Look at the Web address. If it begins with "https" instead of "http", the connection between your browser and the site is encrypted. Also, look for the padlock icon in your browser (in the address bar in current browsers, in a corner of the window in older ones) to be closed (locked). Finally, you can click the padlock to bring up a verification of the Web site's identity, issued by a trusted third-party firm known as a certificate authority. If the name in the certificate matches the host name in your URL and identifies the firm you are doing business with, you can be reasonably sure you have an encrypted connection to the firm you intend to deal with. Keep in mind what the padlock does not prove: it says the connection is encrypted and that the site holds a certificate for the name you typed, not that the name you typed belongs to the firm you meant. A look-alike host name used by a phisher can carry a perfectly valid padlock, so read the host name itself, not just the icon.
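To make the lock/unlock asymmetry concrete, here is textbook RSA in plain Python. This is an added illustration, not code from the textbook or from any real TLS implementation: the primes P and Q are tiny constructed values chosen so the arithmetic is visible, there is no padding, and each byte is treated as its own block. Real systems use 2048-bit or larger keys with OAEP padding and use the public key to protect a session key rather than the message itself.

```python
"""Textbook RSA: what "lock with the public key, unlock with the private key" means.

Added illustration only. P and Q are constructed demonstration primes;
real RSA keys are 2048 bits or more and use OAEP padding.
"""
from math import gcd

# Constructed demonstration primes: n = 3233 is tiny, so each byte of the
# message is treated as its own block. Never do this with real data.
P, Q = 61, 53


def generate_keypair(p=P, q=Q, e=17):
    """Return (public_key, private_key), each as an (exponent, modulus) pair."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def rsa_apply(blocks, key):
    """Raise each block to the key's exponent modulo n (the single RSA primitive)."""
    exponent, n = key
    return [pow(b, exponent, n) for b in blocks]


def encrypt(message: bytes, public_key):
    """Lock: anyone holding the public key can do this."""
    return rsa_apply(list(message), public_key)


def decrypt(ciphertext, private_key) -> bytes:
    """Unlock: only works with the private exponent d."""
    return bytes(rsa_apply(ciphertext, private_key))


def eavesdropper_attempt(ciphertext, public_key):
    """What an interceptor who has only the public key gets back.

    Applying the public exponent a second time is not an inverse of
    encryption, so the result is not the plaintext bytes.
    """
    return rsa_apply(ciphertext, public_key)


def demo(message=b"Hello"):
    """Run one lock/unlock round and return what each party sees."""
    public, private = generate_keypair()
    ct = encrypt(message, public)
    return {
        "ciphertext": ct,
        "site_with_private_key": decrypt(ct, private),
        "interceptor_with_public_key": eavesdropper_attempt(ct, public),
    }


if __name__ == "__main__":
    for party, value in demo().items():
        print(f"{party}: {value!r}")
```

The same decrypt call the legitimate site makes is all an attacker needs once the private key leaks, which is why the paragraph above stresses keeping that key out of reach.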
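The identity check the paragraph above describes, written out as an added example in Python (not code from the textbook): a browser compares the host name in the URL against the names in the certificate before it shows a closed padlock. The matching rules below follow the RFC 6125 conventions that browsers apply (case-insensitive, a wildcard stands for exactly one left-most label, wildcards never match IP addresses). All certificate names, host names and URLs here are constructed, and the fictional bank uses the reserved `.test` domain.

```python
"""Does the name in the server's certificate match the host in the URL?

Added illustration of the name check a browser performs before it shows a
closed padlock; not code from the textbook. Certificate names and URLs are
constructed examples.
"""
import ipaddress
from urllib.parse import urlparse


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (dNSName) against a host, RFC 6125 style.

    A wildcard is allowed only as the entire left-most label, matches exactly
    one label, needs at least two labels after it (so "*.test" is rejected),
    and never matches an IP address. Comparison is case-insensitive and a
    trailing dot is ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if _is_ip_literal(hostname) or _is_ip_literal(pattern):
        return pattern == hostname  # IP addresses must match exactly
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in lbl for lbl in p_labels[1:])):
        return False  # malformed or over-broad wildcard
    if len(h_labels) != len(p_labels):
        return False  # "*" covers exactly one label
    return p_labels[1:] == h_labels[1:]


def site_identity_verified(url: str, cert_names) -> bool:
    """True only if the URL uses https AND a certificate name matches its host.

    cert_names stands for the subjectAltName entries a browser reads from the
    certificate the server presents (constructed in the examples below).
    """
    parts = urlparse(url)
    host = parts.hostname  # already lowercased; IPv6 brackets stripped
    if parts.scheme != "https" or not host:
        return False
    return any(hostname_matches(name, host) for name in cert_names)


# Constructed certificate names for a fictional bank.
BANK_CERT_NAMES = ["www.examplebank.test", "*.examplebank.test"]

if __name__ == "__main__":
    for url in [
        "https://www.examplebank.test/login",
        "https://online.examplebank.test/",
        "http://www.examplebank.test/login",            # not encrypted at all
        "https://www.examplebank.test.evil.example/",  # look-alike host
        "https://a.b.examplebank.test/",               # wildcard covers one label
    ]:
        print(f"{site_identity_verified(url, BANK_CERT_NAMES)!s:5} {url}")
```

The look-alike URL in the usage list is the case the padlock cannot save you from: a phisher who registers a host that merely contains the bank's name can obtain a valid certificate for it, and this check correctly reports that it does not match the bank's certificate names, but only if you notice that the host you were sent to is not the one you meant.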
Figure 13.6 In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site's name matches the URL. The verifying certificate authority is the firm VeriSign.

KEY TAKEAWAYS
An organization's information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.

Social engineering attempts to trick or con individuals into providing information, while phishing techniques are cons conducted through technology.

Phishing is dangerous, but a number of tools and techniques can be used to identify phishing scams, limiting their likelihood of success.

Social media sites may assist hackers in crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary

Most users employ inefficient and insecure password systems; however, techniques were offered to improve one's individual password regime.

Viruses, worms, and Trojans are types of infecting malware. Other types of malware might spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.

Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating

SQL injection and related techniques show the perils of poor programming. Software developers must design for security from the start, considering potential security weaknesses and methods that improve end-user security (e.g., in areas such as installation and configuration).

Encryption can render a firm's data assets unreadable, even if copied or stolen. While potentially complex to administer and resource intensive, encryption is a critical tool for securing an organization's electronic assets.

QUESTIONS AND EXERCISES
1. Consider your own personal password regime and correct any weaknesses. Share any additional password management tips and techniques with your class.

2. Why is it a bad idea to use variants of existing passwords when registering for new Web sites?

3. Relate an example of social engineering that you've experienced or heard of. How might the victim have avoided being compromised?

4. Have you ever seen phishing exploits? Have you fallen for one? Why did you take the bait, or what alerted you to the scam? How can you identify phishing scams?

5. Have you or has anyone you know fallen victim to malware? Relate the experience—how do you suppose it happened? What damage was done? What, if anything, could be done to recover from

6. Why are social media sites such a threat to information security? Give various potential scenarios where social media use might create personal or organizational security compromises.

7. Some users regularly update their passwords by adding a number (say month or year) to their code. Why is this bad practice?

8. What kind of features should a programmer build into systems in order to design for security? Think about the products that you use. Are there products that you feel did a good job of ensuring security during setup? Are there products you use that have demonstrated bad security

9. Why are SQL injection attacks more difficult to address than the latest virus threat?

10. How should individuals and firms leverage encryption?

11. Investigate how you might use a VPN if traveling with your laptop. Be prepared to share your findings with your class and your instructor.

13.4 Taking Action
LEARNING OBJECTIVES

1. Identify critical steps to improve your individual and organizational information security.

2. Be a tips, tricks, and techniques advocate, helping make your friends, family, colleagues, and organization more secure.

3. Recognize the major information security issues that org...