Cybersecurity Essentials: The Beginner's Guide | cybersecurity Textbook | cybersecurity for Beginners | Cybersecurity Books for Beginners for Certification | Cybersecurity for Libraries and Archives 9798840919057

Citation preview

Cybersecurity Essentials The Beginner’s Guide

Ojula Technology Innovations

Cybersecurity Essentials The Beginner’s Guide

Copyright © 2022 By Ojula Technology Innovations All rights reserved ISBN: 9798840919057

Published in the United States Limit of Liability/Disclaimer of Warranty This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. All information given in this book is based on the author’s own knowledge and research, and does not constitute technical, financial or professional advice. The author and publisher have attempted to trace the copyright holders of all material reproduced in this publication, and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publisher.

2

Table of Contents How this Book can Help You ....................................................................................... 8 1. What is Cybersecurity? ........................................................................................... 10 1.1. Learning Objectives ......................................................................................... 10 1.2. Security Threats: Confidentiality, Integrity, and Availability ......................... 10 1.2.1. The CIA Triad .......................................................................................... 11 1.2.2. Regulatory Standards ................................................................................ 14 1.3. Security Threats: Security and Information Privacy ........................................ 14 1.3.1. Data and Information Assets .................................................................... 14 1.3.2. Intellectual Property ................................................................................. 15 1.3.3. Data-driven Business Decisions ............................................................... 16 1.4. Security Threats 2: Threats and Breaches ........................................................ 18 1.4.1. Hardware Threats ..................................................................................... 18 1.4.2. Data Threats .............................................................................................. 19 1.4.3. Software Threats ....................................................................................... 20 1.5. Security Threats 3: Threat Types ..................................................................... 22 1.5.1. Impersonation ........................................................................................... 22 1.5.2. Snooping Attack ....................................................................................... 23 1.5.3. Eavesdropping Attack............................................................................... 23 1.5.4. Man in the Middle (MITM) Attack .......................................................... 24

3

1.5.5. Replay/Repeat Attack ............................................................................... 24 1.5.6. Password Cracking: Brute Force, Dictionary & Rainbow Attacks .......... 25 1.5.7. Unauthorized Information Alteration ....................................................... 25 1.5.8. Denial of Service: DoS & DDoS .............................................................. 26 2. Security Threats ...................................................................................................... 28 2.1. Password Management Techniques ................................................................. 28 2.1.1. Managing Passwords ................................................................................ 28 2.1.2. Password Policies ..................................................................................... 28 2.1.3. How to Create Strong Passwords ............................................................. 29 2.1.4 Password Confidentiality ........................................................................... 30 2.1.5. Password Reuse ........................................................................................ 30 2.1.6. Password Expiration ................................................................................. 31 2.1.7. Single-factor Authentication..................................................................... 31 2.1.8. Two-factor Authentication........................................................................ 31 2.1.9. Multifactor Authentication ....................................................................... 31 2.1.10. Identification Factors .............................................................................. 32 2.1.11. Single Sign-on (SSO) ............................................................................. 33 2.1.12. Password Managers ................................................................................ 33 2.2. Access Control, Authorization, and Authentication ........................................ 34 2.2.1. The Three A’s ........................................................................................... 34 2.2.2. How the Three A’s Work Together .......................................................... 35

4

2.2.3. Digital Accounting ................................................................................... 36 2.3. Hardening Devices........................................................................................... 38 2.3.1. Apps & Operating Systems ...................................................................... 38 2.3.2. Encryption ................................................................................................ 40 2.3.3. Device Lock .............................................................................................. 40 2.3.4. Disabling Features and Ports .................................................................... 41 2.3.5. Firewalls and VPNs .................................................................................. 42 2.3.6. Open WI-FI vs Secure WI-FI ................................................................... 42 2.3.7. Default Passwords .................................................................................... 43 2.4. Validation and Device Usage .......................................................................... 44 2.4.1. Software Sources Validation .................................................................... 44 2.5. Encryption Concepts ........................................................................................ 47 2.5.1. What is Encryption? ................................................................................. 47 2.5.2. Data at Rest ............................................................................................... 47 2.5.3. Data in Motion .......................................................................................... 48 2.5.4. Symmetric Encryption .............................................................................. 48 2.5.5. Asymmetric Encryption ............................................................................ 49 2.5.6. Public Key Infrastructure.......................................................................... 49 2.5.7. Cryptographic Hashes............................................................................... 50 2.6. Managing Email and Spam .............................................................................. 50 2.6.1. How to Identify & Manage Spam ............................................................. 51

5

2.6.2. How to Identify Suspicious Emails .......................................................... 52 3. Safe Browsing Practices.......................................................................................... 53 3.1. Application Ecosystem Security ...................................................................... 53 3.1.1. Mobile Applications ................................................................................. 53 3.1.2. Rooting & Jailbreaking ............................................................................. 53 3.1.3. Desktop Software ..................................................................................... 54 3.1.4. Business Software..................................................................................... 54 3.1.5. Corporate Network ................................................................................... 55 3.2. Public Browsing Risks ..................................................................................... 56 3.2.1. Free & Open Networks ............................................................................. 56 3.2.2. Public Browsing Risks.............................................................................. 56 3.2.3. Social Networking Sites & How to Protect Yourself ............................... 57 3.2.4. Instant Messaging ..................................................................................... 58 3.2.5. Internet Browser & Versions .................................................................... 58 3.3. Browser Security Settings: Plug-ins, Extensions & Toolbars ......................... 59 3.3.1. Browsers ................................................................................................... 59 3.3.2. Security Zones & Settings ........................................................................ 59 3.3.3. Browser Add-ons: Plug-ins, Extensions & Toolbars ................................ 60 3.3.4. Cookies ..................................................................................................... 60 3.3.5. Security Certificates.................................................................................. 62 3.3.6. Browser Updates....................................................................................... 63

6

3.4. Safe Browsing Techniques .............................................................................. 63 3.4.1. Autofill Management ................................................................................ 63 3.4.2. Browser Cache & History ......................................................................... 64 3.4.3. Private Browsing (Incognito Mode) ......................................................... 65 3.4.4. Malicious Websites................................................................................... 65 3.4.5. Safe Websites ........................................................................................... 65 3.4.6. Adware & Popups ..................................................................................... 66 3.4.7. Redirection................................................................................................ 66 3.4.8. Warning Signs .......................................................................................... 67 3.5. Virtual Private Networks ................................................................................. 68 3.5.1. Encrypted Tunnel ..................................................................................... 68 3.5.2. Site-to-site VPN ........................................................................................ 68 3.5.3. Host-to-Site VPN ...................................................................................... 68 3.5.4. Host-to-host VPN ..................................................................................... 69 3.5.5. VPN Hardware ......................................................................................... 69 3.5.6. Internet Protocol Security (IPSec) ............................................................ 69 4. Wrap up ................................................................................................................... 71 5. Self-assessment Test ............................................................................................... 72

7

How this Book can Help You If you need to read only one book to acquire a strong foundation in cybersecurity fundamentals, make it this one. This is not just another book on cybersecurity. It is a well-illustrated practical guide designed for beginners to familiarize them with the latest cyber security landscape and provide the knowledge of relevant tools to assess and manage security protocols in information processing systems. It is a self-paced book that is excellent for beginners, practitioners and scholars alike. After completing this book, you will be able to: •

Explain basic security risks, security of data and information, types of security breaches, and how to manage security threats

•

Demonstrate how to configure browsers and safe browsing practices

•

Identify security threats and explain how to address them in applications and shared networks

Whether you’re skilling up to become a Help Desk Support Specialist, Security Specialist, Virtual Customer Service Agent, or just want to learn the basics of working in and managing security and security systems, you need a strong foundation in security fundamentals. This course is divided into three modules: •

Common Security Threats and Risks

•

Security Best Practices

•

Safe Browsing Practices

You’ll learn about common security risks and the importance of information privacy. You’ll also learn various ways to identify and protect your organization against different types of security breaches and malware threats, and you’ll discover more about confidentiality, integrity, and availability. 8

You’ll learn about security best practices, creating effective passwords, and securing devices. You will learn about authentication, authorization, and accounting, and how these concepts help secure devices, validate devices and servers, encrypt devices, and manage email and spam. You’ll learn about safety concerns with applications and public browsing, including managing plug-ins, extensions, and toolbars. You will learn about web browser security configurations, cookies, and computer caches. To successfully complete this guide, you should be familiar with: •

Basic computer operating skills

•

Basic knowledge of computer terminology

•

Knowledge of switching applications

•

Familiarity with MS Windows OS

9

1. What is Cybersecurity? Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks typically include business interruptions or the theft, tampering, or destruction of sensitive information. Ransomware attacks are on the rise and are predicted to cost victims more than $265 billion (USD) annually by 2031. That is just one type of threat we all need to protect against. The need for organizations to implement effective security practices has never been more important or urgent. This module will teach you the skills you need to identify basic security threats and choose the best security practices to address those threats. In this chapter, you’ll learn the difference between data, information, and insights and how companies leverage all three to help guide their business decisions. You’ll learn how to maintain data integrity and keep data confidential. You’ll also learn about the different types of attacks and breaches that threaten today’s organizations and their data.

1.1. Learning Objectives • • • •

Explain how to keep data safe, confidential, and tamper-resistant Define what data is, how it drives business decisions, and how companies manage it Identify security threats like hacking, data theft, malware, and data leaks List other types of attack vectors used by cybercriminals

1.2. Security Threats: Confidentiality, Integrity, and Availability After studying this section, you will be able to: • • •

Explain what the CIA Triad is list concerns related to the CIA Triad define common regulatory standards and penalties 10

1.2.1. The CIA Triad A comprehensive security program must include confidentiality, integrity, and availability. These are known as the CIA Triad. Confidentiality means that data is protected from unauthorized access. Integrity means that data is protected from unauthorized changes. Availability means that you have access to your data whenever you need it.

Figure 1.1: Components of the CIA Triad

Confidentiality When confidential data is exposed beyond the intended audience, it causes risk. Confidential information is kept secret to prevent: identity theft, compromised accounts and systems, legal concerns, damage to reputation, and other severe consequences.

11

Figure 1.2: Facts about Confidentiality

To determine if data should be confidential, ask: Who is authorized? Do confidentiality regulations apply? Are there conditions for when data can be accessed? What would the impact of disclosure be? Is the data valuable? Cybercriminals are always after sensitive information or personal data. To keep confidential data secure, control data access and use security tools like encryption and multifactor authentication (MFA).

Integrity Data is one of the most valuable assets a company can have, but it is not static. It can be transferred to other systems, altered, and updated multiple times. Data integrity guarantees that data is accurate, complete, and consistent. It covers data in storage, during processing, and in transit. Without data integrity, loss, corruption, or compromise can cause significant damage and financial loss for both businesses and customers. The two main types of data integrity are physical and logical. Physical data integrity is the collection of actions and fail-safes that protect the physical systems that store and process the data. Logical data integrity are the checks and protocols that protect data from human error and hackers. These confirm that data is correct and accurate as it’s used in different ways within an organization. 12

Availability Data availability means that authorized users have immediate and reliable access to their data. This includes granting access to authorized users with passwords and security questions. Some of the most fundamental threats to availability are non-malicious, including hardware failures, unscheduled software downtime, and network bandwidth issues. Malicious attacks against availability include various forms of sabotage intended to cause harm to an organization by denying users access to the information system. One such example would be a DoS (or Denial of Service) attack where a website or server is targeted with so much traffic that it overwhelms that system, degrading performance until the server is unable to respond.

Figure 1.3: Facts about Availability

To protect against these threats, systems that require high availability, (99.999% uptime) have network monitoring, redundant hardware, and backup servers ready to take over. If the primary system is compromised, business continuity and customer access can be maintained.

13

1.2.2. Regulatory Standards There are regulatory standards, contracts, and local laws that companies and organizations must follow to secure and maintain data.

HIPAA The Health Insurance Portability and Accountability Act, or HIPAA, regulates the use and disclosure of protected health information in America.

GDPR The General Data Protection Regulation, or GDPR, regulates digital privacy for all countries in the European Union. Fines and penalties for non-compliance help companies keep data safe, secure, accurate, and private.

1.3. Security Threats: Security and Information Privacy After studying this section, you will be able to: • • •

Define intellectual property, Explain how to turn data into information List the different types of confidential information

1.3.1. Data and Information Assets An information asset is information or data that is of value. Examples include: Patient records, Customer information, and intellectual property. Information assets can exist physically, on paper, disks, or other media, or they can exist electronically in databases and files.

Creating Information from Data Data is the raw values and facts, usually collected by automated systems, such as page visits, link clicks, monthly sales.

14

Data analytics is when raw data like values or facts are used to create meaningful information. Information is a summary of the raw data. For example, positive or negative results that happen after some specific change. Insights are conclusions based on the results of information analysis. Meaningful business decisions are based on insights. For example, if a positive trend occurs after store hours are changed, the right business decision would be to maintain those new hours.

1.3.2. Intellectual Property Intellectual property (or IP) refers to creations of the mind and generally are not tangible. It's often protected by copyright, trademark, and patent law. Industrial designs, trade secrets, and research discoveries are all examples of IP. Even some employee knowledge is considered intellectual property. Companies use a legally binding document called a Non-Disclosure Agreement (or an NDA) to prevent the sharing of sensitive information. Digital Products Digital products are non-tangible assets a company owns. Examples include: • • • • •

Software Online music Online courses e-Books or audiobooks Web elements like WordPress or Shopify themes

A company must protect digital products from piracy and reverse-engineering. Source codes, licenses, and activation keys also need protection from hackers and insider threats.

15

Digital Rights Management, or DRM, is code added directly to files that helps prevent digital assets from being copied or pirated, but there are tools that can remove DRM code. The Digital Millennium Copyright Act, or DMCA, makes it illegal to bypass copy protections or to develop technology that helps bypass copy protections.

1.3.3. Data-driven Business Decisions Data-driven business decisions help companies respond to real events. For example, sales and marketing data helps identify trends and customer interests. Production and fulfilment data helps identify productivity issues in areas like manufacturing, billing systems, transportation, and more. Getting the right information is key to data-driven business decisions.

Data Capture Data capture is the collection of data from multiple sources and storing the secure storage of it securely in relational databases, or more commonly semi-structured data warehouses. Data may be captured by: • • •

Server logs showing where customers browse IoT sensors in home appliances and business technology Customer and employee surveys or rating systems

Data Correlation Data correlation is when raw data points are analyzed to find connections or links. For example, Netflix uses tools that compare searches, views, and ratings so they can predict which movies and shows will be successful on their platform. Artificial intelligence or AI and machine learning algorithms automate parts of the analysis.

16

Meaningful Reporting Meaningful reporting is the presentation of analyzed information in ways that help people further analyze and interpret. Reporting tools use captured and correlated data to provide charts, keyword search, and graphs that help companies achieve business insights.

Confidential Information Confidential information is information that must be kept secret. Employees are trained to recognize and deal with confidential information so that it remains secure. Companies rank information and files by how sensitive each one is. Each company ranks their information differently, but there are four main types of confidential information that should be universally protected: 1. Personally Identifiable Information (PII) is any information that can be used to identify someone, like government ID numbers, birthdates, addresses, and phone numbers. 2. Company Confidential Information is any information that is used to run a company, like intellectual property, product designs, procedures, plans, employee records, and financial data. 3. Customer Confidential Information is information customers or partners provide to companies, which includes PII and also things like purchase histories, credit card information. 4. Protected Health Information (PHI) is any information added to a person’s medical record during diagnosis or treatment that can be used to identify them, like PII, medical history, prescription lists, photos, and more.

Careless Data Handling Examples of careless data handling include things like entering a customer’s credit card information into an unencrypted database, leaving a patient’s medical file unattended at the front desk, or letting a work friend borrow your password to download files because they forgot theirs. 17

Properly Handling Confidentiality Properly handling confidentiality means • • • • • •

Restricting access to only those who need the information Not allowing unauthorized views or copies Storing information securely with encryption, firewalls, permissions, and more. Destroying any file copies that are no longer needed, not just discarding them. Getting explicit consent before processing or storing information, including a disclosure about how long it will be kept Ensuring employees create strong passwords that they do not write down or share, and that they change those passwords regularly.

1.4. Security Threats 2: Threats and Breaches After studying this section, you will be able to: • • •

Identify the different types of security threats List examples of security threats, Explain the difference between a worm and a trojan

1.4.1. Hardware Threats Weak security policies can lead to physical threats, tampering, or the theft of hardware. Only trusted, authorized personnel should have physical access to information systems and only for the specific systems they are responsible for. It's much easier to steal data directly from a laptop or server than it is to remotely hack into a complex network.

18

To keep hardware safe from physical threats, tampering, and theft, • • •

Lock it in a secured area with card readers on doors to limit access Use robust surveillance on the inside and outside of the premises Keep these two security solutions maintained, updated, and tested

Hardware failure or destruction can occur during power outages, fires, and natural disasters like earthquakes, floods, tornados, hurricanes, and electrical storms. Environmental conditions such as humidity, and mold also pose risks. Keep hardware safe with a well-maintained infrastructure that includes fire suppression systems, backup power, and a properly functioning HVAC system to prevent humidity and mold. Ultimately, none of these strategies will work without a detailed plan for what to do if disaster strikes or a system is breached. Regular planning and run-throughs of mock disaster and attack scenarios will help refine the process and identify security weaknesses.

1.4.2. Data Threats Unpatched systems, misconfigured firewalls, weak cybersecurity, and weak physical security are just a few ways that data threats occur.

Data Leaks & Data Breaches Data leaks are the accidental exposure of confidential or sensitive data through a security vulnerability. Data breaches are when a data leak is caused intentionally by a cybercriminal. These occur when social engineering or phishing attacks trick employees into leaking sensitive credentials or information.

Data Dumps Data dumps are when cybercriminals dump stolen data onto the dark web for monetary gain. A data dump might include PII, PHI, bank account numbers, PINs, social security numbers, and more. Other cybercriminals buy and use data dumps for things like identity theft and password attacks. 19

Dumpster Diving Dumpster diving is the act of physically searching through a literal dumpster to find something valuable. A company’s trash might contain lists of customer names, phone numbers, contact information, business plans, product designs, or an access code written on a post-it note.

Document Shredding Tech companies require document shredding and device destruction as a normal part of business because these can be stolen from the trash to harvest data that can be used for identity theft and data breaches, or the data could be sold to hackers, or a company's competitors.

1.4.3. Software Threats Software threats include theft, exploits, and malware. Software or license theft is the unauthorized copy or use of copyright-protected software. This includes pirating software and counterfeiting activation codes. Exploits are pieces of code that use vulnerabilities in hardware or software to get into a system. Malware-infected websites use exploits to automatically download malware to a system. This is called a drive-by download. Malware is a general term for software designed to compromise computer systems. Malware can cause • • • •

system slowdowns odd requests browser misdirection popup ads

It can also steal data, record everything you do with or near your device, spam your contacts with infected links, and connect your computer to a network of hijacked computers that are remotely controlled (known as a botnet). 20

Malware can come from: • • • • •

attachments sketchy websites file downloads infected USB drives links in emails, ads, social media, torrents, and even text messages

Phishing and Remote Desktop Protocol attacks (or RDP attacks) are the most popular attack vectors for ransomware since they result in a higher success rate.

How to Avoid Malware To avoid malware, • • • • •

keep software updated, don’t open strange attachments or links, back up your data, use strong antivirus software, and use strong, frequently updated passwords

Malware Types Malware types include viruses, worms, trojans, exploits, spyware, adware, and ransomware. Computer viruses are programs designed to spread from host to host, just like real viruses. An infected app or file has to be started by a user for a virus to activate. Viruses can turn on a webcam, record keystrokes and site visits, steal data, corrupt files, and hijack email accounts. Let’s look at some different types of malware: • •

Program viruses are bits of code that insert themselves into another program. Macro viruses affect Microsoft Office files via the macros they use to automate tasks. 21

• • •

• • •

•

Stealth viruses copy themselves to different locations to avoid antivirus scans. Polymorphic viruses change their characteristics to get around cybersecurity defenses. 97% of all malware uses polymorphic viruses. Worms are viruses that start themselves after identifying system weaknesses. They don’t rely on apps or files. Unlike viruses, worms can be controlled remotely. Trojans trick you into installing legitimate-seeming software that includes harmful malware. Spyware collects personal data, login credentials, credit card information, online activity, and can record using a device’s camera or microphone. Adware is software coded into online ads that records your personal data, website visits, and keystrokes to send you personalized ads. Both adware and spyware can be legitimate or malicious. Ransomware locks a system, encrypts its files, and displays a ransom demand. To get the encryption key you must pay the ransom, or you can regain access by doing a full system restore from a backup.

1.5. Security Threats 3: Threat Types After studying this section, you will be able to: • • •

List the types of impersonation Explain password cracking Identify a DoS attack

1.5.1. Impersonation Impersonation is when a hacker sets up a public wifi network that seems legitimate. Once a user connects, login credentials, session information, and PII can be intercepted.

22

Another type of impersonation is when a hacker sets up a fake website that looks and feels exactly like a real website, such as a well-known bank or other highprofile site. They may send fake email or text links (known as phishing) to trick you into visiting the fake site so they can steal your credentials to the real site and install malware on your device. A third type of impersonation is when a hacker pretends to be someone else so they can steal data or take over systems. This is also called social engineering. Impersonation attacks can be used individually, or in combination with each other.

1.5.2. Snooping Attack Hackers use snooping attacks to intercept data between devices. These attacks can reveal, logins, credit card numbers, intellectual property, and more.

Types of Snooping Attack Snooping attack types include: • • •

eavesdropping man-in-the-middle replay

Some hackers can even use a computer monitor’s electromagnetic fields to reconstruct what it displays. Snooping is common on open, unsecured networks and can be difficult to trace.

1.5.3. Eavesdropping Attack Eavesdropping (or packet-sniffing) attacks occur on wireless, wired, and phone connections. A packet sniffer is a tool that intercepts everything transmitted on a network. Anything your device sends on an unencrypted network can be viewed with a packet sniffer. This gives hackers an opportunity to intercept, alter, or delete data transmitted between devices. 23

If a network is encrypted, packet sniffers will only be able to see things like the origin and destination of a packet, but not the data inside it.

How to Prevent Eavesdropping Attacks Staying off public Wi-Fi or using encryption with a VPN or cellular connection helps prevent eavesdropping attacks.

1.5.4. Man in the Middle (MITM) Attack A man-in-the-middle attack is a form of eavesdropping. It has a victim, a receipt point, and an attacker. The victim and receipt point are unaware the attacker is listening in. Man in the middle attacks can be physical or logical. In a physical man in the middle attack, the attacker is physically near the victim, like the same public WiFi network, or a network they set up themselves as a trap. The attacker sniffs the unencrypted network traffic to gain access to everything the victim is doing online so they can steal information. In a logical man-in-the-middle attack, the attacker sends emails or texts with fake links that direct victims to sites that steal their data and install malware. If a fake email warned about a bank account problem, the victim might click the link and try to login. This gives the attacker control of their bank account and installs malware on the victim’s computer. Other man-in-the-middle attacks include spoofing, hijacking, and theft of browser cookies.

1.5.5. Replay/Repeat Attack A replay attack is a type of man-in-the-middle attack which intercepts and retransmits data. Replay attacks are also known as repeat or playback attacks. Replay attacks involve “trusted entities” and require an “access token”.

24

Trusted entities are users or websites that get an access token (or security key) after verifying that they are who they say they are. For example, connecting to your bank or your work network on a network-registered device. Hackers get access tokens by sniffing network traffic between trusted entities. Once they find an access token, they can hijack the session and use the token to impersonate the trusted entities. After that, the hacker can intercept and modify any information sent or access private accounts as if they were the account holder.

1.5.6. Password Cracking: Brute Force, Dictionary & Rainbow Attacks Password cracking is getting a correct password in an unauthorized way. • • •

Brute force attacks submit as many passwords as possible hoping one will work Dictionary attacks use words pulled from dictionaries or newspapers to crack passwords Rainbow attacks use words from an original password hash to generate all other possible passwords

Hashing Hashing is when an algorithm transforms an input string (like your password) into a smaller, fixed-length output string (or hash) that's saved to a file. A hash is like a digital fingerprint. Passwords are hashed with a scrambling algorithm. If a password hash is determined, attackers can use it to determine other passwords that were scrambled in the same way — that can be over 90% of unknown passwords in some cases.

1.5.7. Unauthorized Information Alteration Unauthorized information alteration threatens the integrity of any process or outcome based on that information.

25

Alteration Threats Alteration threats including: • • • •

financial records vote totals health records news stories

and more.

Tools for fighting Unauthorized Information Tools that fight unauthorized information alteration include: • •

File integrity monitoring (or FIM), which audits sensitive files and folders to ensure all activity is authorized. Relational database management systems (or RDBMSs)

An RDBMS is a database that records user access and data changes. RDBMS is safer than a spreadsheet program.

Data Integrity To preserve data integrity, security plans must: • • •

Prevent unauthorized user access Prevent unauthorized data changes by authorized users Use error checking and data validation

1.5.8. Denial of Service: DoS & DDoS Denial of service (or DoS) attack floods a network with so much traffic that it crashes. DoS attack victims are typically high-profile, like government sites, banks, or social media sites. Sometimes, DoS attacks are used to distract from other attacks happening at the same time. 26

Common Types of DoS Attack Common DoS attack types include: • •

•

Buffer overflow: when a website gets more Internet traffic than it can handle ICMP flood: when diagnostic pings are sent to every computer on a network. Each computer pings every other computer, and so on until the network crashes SYN flood: when a rapid series of incomplete connection requests floods a website until the server crashes

DDoS A Distributed Denial of Service (or DDoS) attack is when a DoS attack is made with a large collection of compromised, malware-infected computers known as a botnet. DDoS attacks give attackers the following advantages: • •

It's harder to identify a DDoS attack’s origin, which makes it harder to shut down and DDoS attacks are far more devastating than DoS attacks since hundreds or thousands of computers are used instead of just one

How to Defend Against DoS and DDoS There are methods available to defend against DoS and DDoS, but they continue to be a real threat.

27

2. Security Threats 2.1. Password Management Techniques After studying this section, you will be able to: • • •

Explore password management best practices Identify strong and weak passwords Explain the difference between SFA, 2FA, and MFA

2.1.1. Managing Passwords Strong passwords and an effective password strategy are essential to online security. People tend to use the same passwords across personal and business accounts. But weak or stolen passwords account for more than 80% of company data breaches. Each online account should have a unique password, especially corporate accounts. And employee training should exist to explain why password management and data security is so important.

2.1.2. Password Policies A password policy is a set of rules that provide guidance on using strong passwords. Password policies should require: • • • • •

A minimum length of 12 characters A mix of upper- and lower-case letters, numbers, and special characters A unique password for each account or device, including personal devices used for work A mandatory password change every 6 to 12 months Employee training on cyberattacks, and notification to employees that the company will never ask for passwords

28

Password policies should insist that employees should: • • • •

Never reuse or recycle passwords Never share passwords, not even with the CEO Never write passwords down Never store passwords in a digital file

Hackers can guess one trillion passwords per second. Passwords often have quotes from movies, songs, or books. But hackers already have online databases full of these quotes, and lists of dictionary words, encyclopedia entries, and more. For stronger security: • • • •

• •

Use12-characters, minimum Avoid names, places, dictionary words, or PII Use upper and lower-case letters, numbers, and special characters Avoid using “leet” or symbols for letters (hackers already know about it). For example, writing the word ‘password’ using the number four instead of the letter ‘A’, or the dollar sign instead of the letter ‘S’. Use random characters Use a passphrase (12 or more random words)

2.1.3. How to Create Strong Passwords Figure 2.1 shows what strong passwords look like:

29

Figure 2.1: Examples of strong passwords

2.1.4 Password Confidentiality Organizations should never ask customers or employees for their passwords. When employees know that their company would never ask for passwords, they are less likely to fall for impersonation and phishing attacks. Don’t share your password with anyone. Not even your boss or the IT department. IT staff have admin rights. Any work they do can be done with their own logins.

2.1.5. Password Reuse Companies must teach employees the risks of password reuse and take steps to stop it. Password reuse means: • • •

Using the same username and password for all your accounts Using common passwords like ‘12345’ or the word ‘password’ Using the same password but with a different username

Hackers can easily link previously used passwords to people and they can ‘spray’ common passwords at online accounts.

30

2.1.6. Password Expiration Password expiration is when a password is set to expire after a specific amount of time. In the past, employees typically had to change their passwords every 90 days. But this inspired weak and reused passwords. Longer intervals help employees use less risky behavior. Password expiration does make sense but not once it starts to negatively affect security.

2.1.7. Single-factor Authentication Single factor authentication (or SFA) is when you enter one credential to log in. Username and password is the most common form. Single-factor authentication is not safe from: • • •

Keystroke loggers – malware that captures everything typed on a device Phishing Data breach information sold on the dark web

With single-factor authentication, anyone who has your username and password can do whatever they want to with your account or data.

2.1.8. Two-factor Authentication Two-factor authentication (or 2FA) is when you enter two credentials to log in. Two-factor authentication is usually hardware-based, with the most common form being a security key that plugs into a USB port. 2FA devices are the best defense you can have against phishing and hijacking and are very easy to set up. Newer versions use NFC so the key only has to be near the device instead of plugged in.

2.1.9. Multifactor Authentication Multifactor authentication, or MFA, is quickly becoming the industry standard for effective security. It’s an extra layer of protection that companies and 31

organizations are using to keep cybercriminals out of their systems. When you’re trying to access a resource or device that’s using MFA, you need to provide more than just the correct password to get in. MFA offers the following extra protection over SFA: • • • •

Risk of a breach occurring is significantly reduced MFA factors can't be captured by keystroke loggers You're in full control over which factors you provide (phone, email, text, security questions or some combination of all of them) Significantly reduced risk from phishing

It's important to understand that multi-factor authentication is not 100% failproof. As hackers realize that the number of organizations using MFA is steadily on the rise, they continue to look for ways to circumvent it or to exploit the vulnerabilities which inevitably exist in these types of solutions.

2.1.10. Identification Factors Identification factors are pieces of information that only you and an authentication service know. They are: 1. Something you know, • • •

like your password or PIN answers to security questions or one time password (OTP) code

2. Something you have, • • •

like a phone or email to receive OTP codes a phone app that can generate OTP codes, or a device plugged into your phone or computer.

32

3. Something about you: •

like your fingerprints, retinas, face, or voice.

Biometric scans use these to authenticate you online or unlock a door to a secured area

2.1.11. Single Sign-on (SSO) Single sign-on (or SSO) verifies users for connected accounts or apps so they only have to log in once. Businesses use SSO to simplify and speed up access to resources. IT departments set up single sign-on with vendors like Office365 or Salesforce.com so employees are automatically logged in when they sign into their work networks. This lets employees continue working without having to remember multiple passwords.

2.1.12. Password Managers Password managers generate strong, unique passwords for every online account you create and remember each of them for you. They can analyze your stored passwords and warn you if any are too weak or if any have been reused on other sites.

Figure 2.2: About Password Managers

33

They use Powerful encryption on all stored passwords to keep them safe. Once set up, you have to remember the one password for the password manager.

2.2. Access Control, Authorization, and Authentication After studying this section, you will be able to: • • •

Define each authentication factor Explain how digital accounting is used Identify the four methods of non-repudiation

2.2.1. The Three A’s There are three processes involved in logging in to a network or account: • • •

Access Control – limiting or granting access to different areas based on user status Authorization – giving permission to access a computer, network, app, or account Authentication – proving it’s you with a password or other credentials

Access Control prevents unauthorized viewing, modification, or copying of data. IT staff use access control to restrict what users can do, which resources they have access to, and what functions they are allowed to perform. Access is granted using the rule of least privilege where access is only granted to resources that a user needs to fulfil their role. Role-based Access Control (or RBAC) follows a company’s org chart. Different customer and employee roles are set up as groups on a network, and then those groups are granted certain permissions. When a new user joins the network, they are assigned to the group that fits their role. They will have the lowest level of permissions they need to do their job. Authorization is when you have permission to access a location or do an action. Before you can access an account or system, you need authorization. Access 34

control must be set up before any authorization is granted to maintain data security, and authorization must be set up for your user account before you’re able to log in. Once you are authorized, you can then use authentication to log in. Authentication is the act of confirming the identity of a user. Authentication involves two steps: • •

entering the correct login information, and confirming that it is really you

Authentication factors used to confirm identity include: • • •

Something you know (like a username, password, PIN, or answers to security questions), something you have (like a mobile device, security key, or security badge), and something you are (biometrics like facial recognition or a fingerprint, iris, or voice scan).

Authentication methods include: • • • •

Single-factor (or SFA) Two-factor (or 2FA) Muti-factor (or MFA) Single sign-on (or SSO)

SSO lets you log in to multiple applications and platforms with one login. 2FA and MFA are the most secure ways to log in because they require at least two authentication factors.

2.2.2. How the Three A’s Work Together Access control sets boundaries, authorization gives access, and authentication confirms identity. In the Security field, it’s important to know the right balance between the three A’s. 35

Authorization vs Access Control Strictly applying role-based permissions groups won’t secure data if those groups all have the same authorization levels. The same is true if groups have properly set permissions, but are not properly applied by administrators.

Authentication vs Access Control Using strong passwords and MFA won’t secure data if all groups have the same permissions. The same problem exists if groups have properly set permissions, but passwords are weak.

Authentication vs Authorization Using strong passwords and MFA won’t secure data if all users are assigned to the same group. The same problem exists if administrators assign users to the proper groups, but passwords are weak. Best practice should require strong authentication, strong authorization, and strong access control.

2.2.3. Digital Accounting Digital accounting is used in troubleshooting, security analysis, forensics, and hacking.

Logs Most software and systems generate audit logs. Audit logs capture log file events which can show who did what and how the system behaved.

Tracking Websites can track your Operating System (OS), browser version, installed extensions, screen resolution, installed fonts, time zone, language, and how long you spent on a site and what you did there. 36

Cookies A cookie is code used to track, personalize, and save information about your browsing session. Cookies can also be used to ban you from a website if you've violated any of its conditions for use.

Browsing History This is a list of recently visited websites. Anyone with access to your device can see what sites you visited. Attackers use browsing history to learn where they might impersonate their victims. Companies use it to see which sites you go to on your work computer.

Non-repudiation Non-repudiation is when you can't deny being in a specific location. It guarantees that a message sent between two parties is genuine, like a digital signature. It includes: • • •

•

Video: Clear recordings of a person entering, leaving, or occupying a space Biometrics: fingerprint or iris scans can confirm whether a person physically accessed a device, network, or area Digital Signature: When a signature is used in conjunction with a hardware token, it becomes a digital signature. This authenticates the signer Receipt: A digital receipt proves that a message was sent from one party to another

37

2.3. Hardening Devices After studying this section, you will be able to: • • •

Evaluate methods to secure and harden devices Identify device and system vulnerabilities Determine best practices for common security threats

Hardening is the process of securing a device to minimize vulnerabilities. You can harden devices by: • • •

Disabling unneeded device features, Regularly updating device firmware, OS, and software, Using firewalls, Virtual Private Networks (or VPNs), and antimalware.

The more layers of security you use, the safer your data and devices will be.

2.3.1. Apps & Operating Systems To protect your applications and operating systems (OSes), turn on auto-updates for PCs, phones, tablets, and routers. Outdated systems are huge targets for hackers. In business, updates are tested first. If they pass, they are pushed to production servers. To make sure your apps, OSes, and drivers are secure, only install from app stores, authorized resellers, and manufacturers. Check software for a digital signature from its manufacturer.

Patching Updates Patches are updates to apps and OSes that fix security weaknesses. Companies regularly release patches alongside system improvement updates to make sure that their customers are safe from new threats.

38

But patches are a response to KNOWN threats—meaning the threat has already happened to someone. To prevent unknown threats, also use Multifactor Authentication, Virtual Private Networks, and strong passwords. Firmware Updates Firmware is software that tells hardware how to behave. Security firmware protects devices and data from malware and tampering.

BIOS passwords (also, firmware passwords) BIOS (or Basic Input/Output System) is firmware that boots up Windows and Linux PCs, runs hardware checks, and starts the OS. The OS won’t start without the password, or if the checks find a problem.

Secure Boot UEFI (or Unified Extensible Firmware Interface) is newer and more advanced boot firmware than BIOS. Secure boot is a feature of UEFI. It confirms an OS manufacturer’s digital signature, which prevents malware from taking control during boot-up.

TPM TPM (or Trusted Platform Module) is a chip that stores and manages encryption keys. TPM chips won’t start a device or unencrypt data if tampering is detected.

Drive Encryption Drive encryption scrambles a drive’s data so it’s unreadable. Outdated firmware leaves devices vulnerable. Make sure your PCs, phones, networking hardware, and even your cars have firmware that is up to date.

39

2.3.2. Encryption Encryption is one of the most powerful tools you can use to harden a device. It uses algorithms to encode plain text into unreadable ciphertext.

Figure 2.3: How encryption works

Only the encryption key can decode it. Encryption is used at the network layer for data traveling across networks. It can also be done locally to hard drives, phones, and even thumb drives so that lost device data remains unreadable.

2.3.3. Device Lock Device lock adds device security. For example: • • •

Heavy, bolted-in hardware is physically difficult to take, especially if it’s behind a locked door. Laptops are harder to take when they’re bound to a desk with a steel cable and padlock Even though mobile devices are easy to lose, digital locks keep their data inaccessible.

40

2.3.4. Disabling Features and Ports Disabling features and ports when not in use reduces the ways a hacker can gain access. For example

Disabling Features • • •

Autorun allows inserted drives and disks to run or play automatically. An infected drive could install malware automatically Bluetooth allows connections and data transfers between devices. If a hacker gains access, they can use it to steal data and install malware NFC transfers data across devices with a tap or a bump. It’s usually used for payments or sharing contacts. It has a much shorter range than Bluetooth and has zero security protections aside from its limited range

Disabling Ports Disabling unused computer ports also reduces the ways a hacker can gain access. However, some of the most vulnerable ports have to be open to ensure functionality and connectivity. For example, • • •

port 443 manages secure web traffic, port 22 is used for secure server connections, and port 80 manages standard web traffic.

When features and ports are not being used, disabling them hardens them against attack.

41

Hardening Apps Apps that harden are affordable, reliable, and provide helpful configuration suggestions. Examples include: • • • • •

Antivirus Anti-malware Anti-spyware Software firewalls VPNs

Maintaining these apps—especially on smartphones—helps keep attackers out of your devices.

2.3.5. Firewalls and VPNs Firewalls harden devices by keeping unwanted visitors out of your system and off your network. There are software firewalls and hardware firewalls. They monitor connections and block harmful traffic based on preset rules. For example, schools and businesses use firewalls to block social media sites, age-inappropriate content, and certain types of downloads. VPNs encrypt the traffic coming out of your device. Even if a hacker is capturing your data, they won't be able to read it or decrypt it. VPNs and Firewalls range in cost. Some are free.

2.3.6. Open WI-FI vs Secure WI-FI Public WI-FI is convenient, but it’s unencrypted and doesn’t require passwords. Hackers can easily intercept and steal your identity, drain your accounts, and scam your contacts. Secured WI-FI provided by your ISP or the network at your job is much safer to use. These have very strong encryption.

42

If you can’t avoid public WI-FI try as much as you can to: • • • • •

Use a VPN on all your devices Only visit HTTPS sites that are well-known Use your phone as a hotspot. Cellular networks are encrypted Disable automatic WI-FI connection settings Don’t access personal or financial information on public WI-FI

2.3.7. Default Passwords Default usernames and passwords are essential to tech support, software installation, and device configuration. They also pose serious risks for the following reasons: • • • •

They are easily found online in help guides or user manuals They have admin-level privileges They hide who is using them They are usually left unchanged

It’s common for hackers use default usernames and passwords to break into apps, devices, OSes, databases, and BIOS. To close security loopholes: • • • •

disable built-in accounts, if possible, change all default passwords, use strong passwords, check documentation for default, backdoor, and hidden accounts.

43

2.4. Validation and Device Usage After studying this section, you will be able to: • • •

Explore device use best practices Identify reputable driver and firmware sources List the do’s and don’ts of keeping your devices safe

2.4.1. Software Sources Validation To reduce security risks, always be sure to get your software, cloud services, device drivers, and firmware updates from legitimate sources like: • • • •

Vendor app stores – like Windows Store and Google Play Store Authorized resellers – like Best Buy and Costco Original Equipment Manufacturers (OEMs) – like Dell and Samsung Software Manufacturers – like Adobe and Microsoft

If you’re downloading purchased software from a website, check the URL to ensure it begins with HTTPS. Click the lock icon in the URL bar to see if the certificate is still current and who owns it. • • • •

Avoid pirated software torrents, they’re loaded with malware Avoid software from untrusted sources Avoid jailbreaking or rooting your phone Non-approved apps are untested and could contain malware

OEM vs Third-party Websites Original equipment manufacturers (or OEMs) provide drivers and firmware updates on their websites. Dell, HP, Samsung, Nikon, NVidia, and more all provide downloads for device drivers and firmware updates for the products they build and sell.

44

Figure 2.4: OEM vs Third-party websites

Avoid 3rd party sites that claim to host drivers for the latest devices. These may be malware traps. There are some third-party sites that host legitimate obsolete drivers for obsolete hardware that a manufacturer no longer supports, but use these sites with care. Research them and check forum reviews to ensure they aren’t malicious. Device driver software should also be digitally signed by the vendor, and the vendor's certificate should be trusted by your computer.

Uninstall Software Uninstall software that you don’t use or don’t want. New devices may come preloaded with unwanted trial software, commonly referred to as bloatware. Aging bloatware is soon outdated, and may have vulnerabilities. The same is true for software you no longer use. If you need an app in the future, download it from the software manufacturer’s website to ensure it is legitimate and up to date. Then enable automatic updates to keep the application safe.

Removal of Malicious Software New attacks and malware are released onto the Internet daily. This makes antimalware, software, and VPN services a must for all your devices. Microsoft's Windows Defender protects your computer against viruses and malware, free of 45

charge. It also integrates with the built-in firewall that comes with the Windows operating system and is enabled by default. However, Windows Defender does not perform VPN functions. Some third-party antivirus software such as McAfee, BitDefender, or Norton can be purchased for a reasonable cost if that is your preference. They may disable Windows Defender and Windows Firewall during their installation process, which is completely normal. Many reputable antivirus companies provide malicious software removal tools for free, including Microsoft. They always have the latest virus signatures and are very effective. Just pick the one you like, download, and scan. It will automatically remove any malware it finds. If the tool doesn’t resolve your issues, you may need a PC technician who can assist you further.

Keeping Your Computer Safe Prevent malware infection with the following safe computer usage and browsing techniques. • • • • • • • • •

Don't visit questionable websites or HTTP sites Don't download from filesharing sites, as they have loads of viruses Don't insert used or unknown disks, storage, or USB devices into your computer Don't click links or file attachments from emails or messages – even if you know the sender Do use good anti-malware software on all of your devices and keep them up to date Do use up-to-date firewall and VPN software on any devices you go online with Do visit encrypted, HTTPS sites Do use OEM or authorized reseller sites when downloading software Do reduce accounts that have elevated privileges like admin, superuser, or root roles 46

2.5. Encryption Concepts After studying this section, you will be able to: • • •

Explore encryption and its common uses List use cases for symmetric and asymmetric encryption Explain how cryptographic hashing works

2.5.1. What is Encryption? Encryption is the act of taking readable text and scrambling it so it can only be read by a recipient that has the decryption key. Data that has not been encrypted is called plain text because it's readable. Algorithms used to scramble plain text are called ciphers. An encrypted plain text is called ciphertext. An encryption key is a series of random, unique numbers, combined with very powerful algorithms that are used to encrypt (or scramble) your data before you send it. The person on the receiving end has a decryption key that's used to decrypt (or unscramble) the data so it's in a readable or useable format. In some industries, data encryption is a mandatory requirement. This includes student records, medical records, and consumer data. Many OSes have encryption built in. For those that don't, 3rd party encryption software is available.

2.5.2. Data at Rest Data at rest refers to data that resides on a storage device. The files aren't open or being transmitted anywhere. Data at rest can be encrypted at the file level, storage device level, and cloud level. Encryption at the file level lets you encrypt all your files on a storage device or just a select few. Disks and drives can be encrypted two ways: Using software to perform the encryption, or enabling hardware-based encryption like BitLocker. Data at rest is less vulnerable but it’s not immune from attacks. Using updated 47

firewalls, VPNs, and anti-malware helps keep your data safe.

2.5.3. Data in Motion Data in motion or data in transit refers to data that is actively moving between two devices – meaning two computers, a mobile device and a mail server, or your computer and your bank's online website. Any website that uses HTTPS in its prefix is using encryption. However, hackers can compromise encrypted sites with social engineering, manin-the-middle attacks, and password cracking, and they can create their own encrypted HTTPS sites that install malware. Data in motion is especially at risk for interception attacks like man-in-themiddle. Using end-to-end encryption means that the data being transmitted and received is safe, even if it's intercepted by a hacker. They won't be able to decrypt your data. Data traversing through a virtual private network (or a VPN) is automatically encrypted but is not always end-to end.

2.5.4. Symmetric Encryption Symmetric encryption, also called “single-key” or “private key” encryption, is when a single key is used between parties to encrypt and decrypt data. With only one key, symmetric encryption uses less memory, which is great for quickly and securely processing larger amounts of data. That’s why it is often used to protect the main data exchange in a session. But it’s harder to keep a single key secret, especially if it needs to be broadly distributed. If this key is intercepted by a hacker, then they can decrypt your messages, hack your account, and steal or tamper with your data. 3DES and CAST are examples of symmetric encryption technologies.

48

2.5.5. Asymmetric Encryption Asymmetric encryption, also called “Public Key Cryptography”, uses a public key and a private key. Asymmetric encryption takes longer because it is more complex. It is used for smaller amounts of data. It is safe to widely share the public key for encryption or decryption, because only the secret key can undo the public key’s action. • • • • •

Uses include: Authentication, Digital Certificates, Digital signatures, Key exchange – where a symmetric encryption key is shared only to the intended recipients.

The RSA cipher is used in most asymmetric encryption.

2.5.6. Public Key Infrastructure Public Key Infrastructure (or PKI) is when a user is validated with a digital certificate by a Certificate Authority (CA). The digital certificate has a public encryption key that encrypts data. If the data recipient trusts the CA that issued the digital certificate, they use a private key to decrypt the data. Digital certificates are used in smart card authentication. The smart card has a public/private key pair. It presents a digital certificate (including the public key) to the server it’s trying to access. If the server trusts the CA that issued the digital certificate, it will use the public key to send an encrypted request. Only the smart card’s private key can decrypt the request, which means only the smart card owner can send the correct response. For digital signatures, the process is reversed. The sender sends an encrypted signature and a public decryption key to a recipient. If the recipient can decrypt the signature with the public key, that proves the sender signed it because they must have performed the encryption with the private key. 49

2.5.7. Cryptographic Hashes A cryptographic hash is a short string of numbers and letters created by running a password or file through an algorithm. A single password and a full library will have different cryptographic hashes, but each will have the same number of characters. If any data is altered or removed from a password or file, its cryptographic hash will be different. If the cryptographic hash of a secure email is different after being sent across a network, the recipient knows the message has been tampered with. When you create a password, it’s converted into a cryptographic hash. On your next log in, it’s converted again. If the stored hash and the new hash match, the system lets you in. Cryptographic hashes save space, authenticate data, and keep information secure.

2.6. Managing Email and Spam After studying this section, you will be able to: • • •

Define spam Identify phishing scams List ways to reduce spam

Email management is classifying email messages and deciding whether they should be saved or deleted. It can help you prioritize emails, save you time, and increase your productivity. For well-managed email:

50

• • • • •

keep your Inbox clean use folders and subfolders to organize your email by category use rules or filters to automatically move certain emails into folders unsubscribe from email lists, and turn off email notifications on your computer to keep distractions at a minimum.

But what about spam or junk mail? Most email apps and servers block spam and junk mail, but some still gets through. You can configure your email settings to include additional filters. Mail routed to the junk folder is automatically deleted after a set number of days.

2.6.1. How to Identify & Manage Spam Spam is email that's unwanted and often unsolicited. Some spam is harmless, but it can be dangerous when scammers use it to commit phishing attacks or fraud against you. Your company and web-based email services filter out spam at the email server level and block domains known for sending spam. But there is more that you can do on your own to help reduce it. • • • • •

Don't give out your email address Use throwaway accounts Configure your phone and PC OS settings to block spam Use a full-featured, desktop mail app like Microsoft Outlook It lets you block email from a sender or domain and create rules to delete spam automatically

Note that you can unsubscribe from mailing lists, but this just validates your email address, which may result in more spam.

51

2.6.2. How to Identify Suspicious Emails Hackers use email and messaging to commit fraud. They steal usernames and passwords, bank account information, Social Security numbers, and more. This is called “phishing”. Phishing attacks are common because they work. Rule number 1 in phishing attacks is: Don't click any links and never open attachments. Phishing attackers do their best to make it look like the email or message came from a friend or family member, or someone official like your bank, the government, or a large company. The story is always the same. They want you to feel fear, greed, or a sense of urgency so you’re more likely to make a rush decision. Below are a few examples: •

• • • •

They alert you to suspicious activities or logins on your account. They say there's some problems with your account information or your payment hasn't been received and provide a link for you to click and update your payment information They say your account has been breached and offer a link for you to reset your username and password They say you're entitled to a refund; you simply click the link they provide and enter your personal information They offer prizes or other free items, but you must respond ASAP to get the deal They demand that you pay a fake invoice to avoid fines or jail time

Phishing emails usually have typos and grammatical errors. Make sure to inspect the text, logos, and URLs to see if they look wrong or are misspelled. Close the email then visit the genuine website of the impersonated company. Manually enter the URL so you get to the right site. Let them know about the phishing attack so they can report it to the Fraud Department. 52

3. Safe Browsing Practices 3.1. Application Ecosystem Security After studying this section, you will be able to: • • •

Identify app and software security concerns, Explain how apps and software are compromised List the types of data hackers look for

3.1.1. Mobile Applications Mobile apps are designed to be functional and easy-to-use. But they are not always the most secure. Weak passwords, malware or poorly designed apps can compromise a device, letting hackers access texts, contact lists, personal and business files, and other valuable information. For better security, use strong passwords, only install app store approved apps, and use multi-factor authentication. Multi-factor authentication, or MFA, is a setting that requires you to fill in a code sent to your email or phone to prove that a login attempt came from you. Strong passwords are long, difficult-to-guess, and have a mix of numbers, letters, symbols, and capitalizations. For example, the phrase, J0hnny@ppleseed