transmissions using a method called public key encryption. The system works with two keys—a public key and a private key. The public key can “lock” or encrypt data, but it can’t unlock it: that can only be performed by the private key. So a Web site that wants you to transmit secure information will send you a public key—you use this to lock the data, and no one that intercepts that transmission can break in unless they’ve got the private key. If the Web site does its job, it will keep the private key out of reach of all potentially prying eyes.

Wondering if a Web site’s transmissions are encrypted? Look at the Web address. If it begins with “https” instead of “http”, it should be secure. Also, look for the padlock icon in the corner of your Web browser to be closed (locked). Finally, you can double click the padlock to bring up a verification of the Web site’s identity (verified by a trusted third party firm, known as a certificate authority). If this matches your URL and indicates the firm you’re doing business with, then you can be pretty sure verified encryption is being used by the firm that you intend to do business with.

Figure 13.6 In this screenshot, a Firefox browser is visiting Bank of America. The padlock icon was clicked to bring up digital certificate information. Note how the Web site’s name matches the URL. The verifying certificate authority is the firm VeriSign.

KEY TAKEAWAYS

- An organization’s information assets are vulnerable to attack from several points of weakness, including users and administrators, its hardware and software, its networking systems, and various physical threats.
- Social engineering attempts to trick or con individuals into providing information, while phishing techniques are cons conducted through technology.
- While dangerous, a number of tools and techniques can be used to identify phishing scams, limiting their likelihood of success.
- Social media sites may assist hackers in crafting phishing or social engineering threats, provide information to password crackers, and act as conduits for unwanted dissemination of proprietary information.
- Most users employ inefficient and insecure password systems; however, techniques were offered to improve one’s individual password regime.
- Viruses, worms, and Trojans are types of infecting malware. Other types of malware might spy on users, enlist the use of computing assets for committing crimes, steal assets, destroy property, serve unwanted ads, and more.
- Examples of attacks and scams launched through advertising on legitimate Web pages highlight the need for end-user caution, as well as for firms to ensure the integrity of their participating online partners.
- SQL injection and related techniques show the perils of poor programming. Software developers must design for security from the start—considering potential security weaknesses, and methods that improve end-user security (e.g., in areas such as installation and configuration).
- Encryption can render a firm’s data assets unreadable, even if copied or stolen. While potentially complex to administer and resource intensive, encryption is a critical tool for securing an organization’s electronic assets.

QUESTIONS AND EXERCISES

1. Consider your own personal password regime and correct any weaknesses. Share any additional password management tips and techniques with your class.
2. Why is it a bad idea to use variants of existing passwords when registering for new Web sites?
3. Relate an example of social engineering that you’ve experienced or heard of. How might the victim have avoided being compromised?
4. Have you ever seen phishing exploits? Have you fallen for one? Why did you take the bait, or what alerted you to the scam? How can you identify phishing scams?
5. Have you or has anyone you know fallen victim to malware? Relate the experience—how do you suppose it happened? What damage was done? What, if anything, could be done to recover from the situation?
6. Why are social media sites such a threat to information security? Give various potential scenarios where social media use might create personal or organizational security compromises.
7. Some users regularly update their passwords by adding a number (say month or year) to their code. Why is this bad practice?
8. What kind of features should a programmer build into systems in order to design for security? Think about the products that you use. Are there products that you feel did a good job of ensuring security during setup? Are there products you use that have demonstrated bad security design? How?
9. Why are SQL injection attacks more difficult to address than the latest virus threat?
10. How should individuals and firms leverage encryption?
11. Investigate how you might use a VPN if traveling with your laptop. Be prepared to share your findings with your class and your instructor.

13.4 Taking Action

LEARNING OBJECTIVES

1. Identify critical steps to improve your individual and organizational information security.
2. Be a tips, tricks, and techniques advocate, helping make your friends, family, colleagues, and organization more secure.
3. Recognize the major information security issues that org...
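The two mechanisms the encryption passage above describes, a public key that locks data which only the private key can unlock, and the Figure 13.6 check that the certificate’s name matches the URL, as an added example in Go that is not part of the textbook. It generates a key pair, shows that data locked with the public key opens only with the matching private key (a different private key is refused rather than producing garbage), and checks a certificate’s DNS name against a hostname the way a browser does. The key pair, the self-signed certificate and the hostname login.example-bank.test are constructed here for illustration; a real site’s certificate is signed by a certificate authority, not by the site’s own key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKeyPair generates an RSA key pair. The public half can be handed to
// anyone; the private half is what the Web site must keep out of reach.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Lock encrypts a message with the public key (RSA-OAEP with SHA-256).
// Anyone holding the public key can do this, but the result can only be
// reversed with the matching private key.
func Lock(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Unlock decrypts with the private key. Any other private key fails: the
// OAEP padding check rejects the result instead of yielding plaintext.
func Unlock(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// SelfSignedCert builds a certificate naming dnsName, signed with the site's
// own key. This is a constructed stand-in for the example: a real site's
// certificate is signed by a certificate authority, which is the name the
// browser's padlock dialog reports as the verifier.
func SelfSignedCert(priv *rsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameMatchesHost is the check Figure 13.6 describes: does the name in the
// certificate match the host in the URL? A browser will not show a closed
// padlock when it does not.
func NameMatchesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	site, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed sample: the kind of data a customer sends to a bank site.
	secret := []byte("account 12345678, transfer 100")
	locked, err := Lock(&site.PublicKey, secret)
	if err != nil {
		panic(err)
	}
	opened, err := Unlock(site, locked)
	fmt.Printf("site's private key unlocks: %q (err=%v)\n", opened, err)

	// A second key pair stands in for anyone who intercepted the transmission
	// but does not hold the site's private key.
	otherKey, _ := NewKeyPair()
	_, err = Unlock(otherKey, locked)
	fmt.Printf("different private key unlocks: err=%v\n", err)

	// Constructed hostname for the certificate check.
	cert, err := SelfSignedCert(site, "login.example-bank.test")
	if err != nil {
		panic(err)
	}
	fmt.Println("matches login.example-bank.test:", NameMatchesHost(cert, "login.example-bank.test"))
	fmt.Println("matches example-bank.test:", NameMatchesHost(cert, "example-bank.test"))
}
```

The second hostname check fails because the certificate names only login.example-bank.test and contains no wildcard, which is exactly the mismatch a browser flags when the name in the certificate does not match the address bar.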