Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 4 Personal Security

Date posted: 18-Dec-2015

Objectives

• Define spyware and tell how it is used

• List and describe spyware tools

• Explain how to use personal security defense mechanisms

What is Spyware?

• Spyware
  – Software that violates user’s personal security

• The Antispyware Coalition defines spyware as
  – Technologies implemented in ways that impair user’s control over
    • Use of system resources
    • The collection, use, and distribution of personal or otherwise sensitive information
    • Material changes that affect user’s experience, privacy, or system security

What is Spyware? (continued)

• Characteristics of spyware
  – Creators are motivated by money
  – More intrusive than viruses
  – Harder to detect
  – Harder to remove
  – Harmful spyware is not always easy to identify

What is Spyware? (continued)

• Identity theft
  – Use of someone’s personal information to impersonate with intent to commit fraud

• Once identity thieves have personal information they can
  – Change the mailing address on a credit card account
  – Establish phone or wireless service in the person’s name
  – File for bankruptcy under the person’s name

What is Spyware? (continued)

• Computer might be infected with spyware if
  – Pop-up advertisements appear even when user is not on the Web
  – Browser settings have changed without user’s consent
  – New toolbar unexpectedly appears and is difficult to remove
  – Computer takes longer than usual to complete common tasks
  – Computer crashes frequently

Spyware Tools

• Adware
  – Delivers advertising content in a manner or context that is unexpected and unwanted by user

• Most users frown on adware because
  – Unwanted advertisements can be a nuisance
  – Repeated pop-up ads can impair productivity
  – Adware may display objectionable content
  – Advertisements can slow a computer down or cause crashes and the loss of data

Phishing

• Sending an e-mail or displaying a Web announcement that
  – Falsely claims to be from a legitimate enterprise
  – Attempts to trick a user into surrendering private information

• Both the e-mails and the fake Web sites appear legitimate

Phishing (continued)

• Variations on phishing attacks
  – Spear phishing
    • Targets specific users
  – Pharming
    • Automatically redirects user to fake site
  – Google phishing
    • Phishers set up their own search engines to direct traffic to illegitimate sites

Keyloggers

• Hardware device or small program that monitors each keystroke a user types

• Small plug located between keyboard connector and computer keyboard port

• Software keyloggers
  – Silently capture what a user types, including passwords and sensitive information

• Can elude detection by Windows Task Manager

Configuration Changers

• Type of spyware that changes settings on a computer without user’s knowledge or permission

• Configuration changers can
  – Change operating system or software security settings
  – Disable antivirus or other security software
  – Initiate an outbound Internet connection
  – Change startup procedures or security settings

Dialers

• Change settings of a computer that uses a dial-up telephone line to connect to Internet

• Not affected by dialers
  – Users with broadband connections

Backdoors

• Provide unauthorized way of gaining access to a program

• Enable the remote malicious user to
  – Upload files to the computer
  – Start programs
  – Reboot computer
  – Log off current user
  – Display message boxes
  – Play sounds through the speakers

Personal Security Defenses

• Antispyware software
  – Helps prevent computers from becoming infected by different types of spyware
  – Must be regularly updated
  – Can be set to
    • Provide continuous real-time monitoring
    • Perform a complete scan of the entire computer system

Antispyware Software

• Additional tools
  – System explorers
    • Expose configuration information that is normally difficult to access
  – Tracks Eraser
    • Automatically removes cookies, browser history, record of which programs have been recently opened
  – Browser Restore
    • Allows user to restore specific browser settings if spyware infects the Web browser

Recognize Phishing

• Common elements in messages that could be phishing attacks
  – Deceptive Web links
  – E-mails that look like Web sites
  – Fake sender’s address
  – Generic greeting
  – Pop-up boxes and attachments
  – Unsafe Web sites
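
An added example (not from the original slides) that checks a message for several of the elements listed above: deceptive Web links, a fake sender’s address, a generic greeting, and attachments. The heuristics, the indicator labels, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (reserved .test domains, documentation IP range).
SAMPLE = """From: "Example Bank" <support@examplebank.test>
Reply-To: helpdesk@mail-example.test
Content-Type: text/html

<p>Dear Customer, log in at <a href="http://198.51.100.7/login">www.examplebank.test</a></p>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a> element
    def __init__(self, html):
        super().__init__()
        self.links, self._href, self._text = [], None, []
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # buffer is reset at every <a>
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # host of a URL; bare "www.example.test" link text works too
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def phishing_indicators(raw_email):
    msg, found = message_from_string(raw_email), set()
    domain = lambda hdr: parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()
    # Fake sender's address (heuristic): replies are routed to another domain.
    if domain("Reply-To") and domain("Reply-To") != domain("From"):
        found.add("fake-sender")
    for part in msg.walk():
        if part.get_filename():
            found.add("attachment")
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if re.search(r"\bdear\s+(customer|user|member)\b", body, re.I):
                found.add("generic-greeting")
            for href, text in LinkCollector(body).links:
                # Deceptive Web link: visible text names one host, href another.
                if re.match(r"(https?://|www\.)", text, re.I) and host(text) != host(href):
                    found.add("deceptive-link")
    return sorted(found)
```

Calling `phishing_indicators(SAMPLE)` reports the deceptive link, the mismatched reply address, and the generic greeting; a message whose link text and target share a host and which has no Reply-To mismatch returns an empty list.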

Legislation and Procedures

• Fair and Accurate Credit Transactions Act (FACTA) of 2003
  – Grants consumers the right to
    • Request one free credit report from each national credit-reporting firm every twelve months
  – If consumers find a problem on their credit reports
    • They must first send a letter to the credit-reporting agency

Fair and Accurate Credit Transactions Act (FACTA) of 2003

• FACTA Disposal Rule
  – Proper destruction of data relating to personal information
  – Extends to
    • Employers, landlords, automobile dealers
    • Private investigators, debt collectors
    • Anyone who obtains credit reports on prospective contractors

Payment Card Industry Data Security Standard (PCI-DSS)

• Payment Card Industry Data Security Standard (PCI-DSS)
  – Established by Visa and Mastercard
  – Safeguards cardholder data and prevents identity theft based on stolen credit card information
  – Composed of 12 discrete requirements that force merchants to develop a secure network

Proposed Federal Legislation

• Several bills proposed in the U.S. Congress to address spyware and identity theft

• Microsoft
  – Has teamed up with the FBI
  – Has brought charges against over 100 suspected phishers

Summary

• Spyware
  – Term used to describe software that violates user’s personal security

• Adware
  – Delivers advertising content in a manner that is unexpected and unwanted by user

• Phishing
  – Sending e-mail or displaying Web announcement that falsely claims to be from a legitimate enterprise

Summary (continued)

• Keylogger or keystroke logger
  – Hardware device or software that monitors and collects each keystroke a user types

• Antispyware program
  – One of the best defenses against spyware

• Legislation
  – Addresses protection of personal data