Chapter 7
evil twin connection
, even if the network's name matches the coffee shop's name, someone in the shop might have set up a so‐called evil twin connection Wi‐Fi connection and that all incoming and outgoing Internet traffic becomes routed through the perpetrator's system.
security education, training, and awareness (SETA)
. Training and awareness programs provide team members with guidelines and sample behaviors to keep the organization secure. IT and business managers have an additional role to model cybersecure behaviors and to emphasize the importance of cybersecurity.
IT Security Governance Framework
Information Security Decisions-Security Strategy Who Is Responsible-=BUSINESS LEADERS Rationale=Business leaders have the knowledge of the company's strategies on which security strategy should be based. No detailed technical knowledge is required. Major Symptoms of Improper Decision Rights Allocation Security is an afterthought and patched on to processes and products. Information Security Decisions-Infrastructure Who Is Responsible=IT LEADERS (CISO) Rationale-In‐depth technical knowledge and expertise are needed. Major Symptoms of Improper Decision Rights Allocation= There is a misspecification of security and network typologies or a misconfiguration of infrastructure. Technical security control is ineffective. Information Security Decisions-Security Policy Who Is Responsible-Shared: IT and business leaders Major Symptoms of Improper Decision Rights Allocation-Rationale-Technical and security implications of behaviors and processes need to be analyzed, and trade‐offs between security and productivity need to be made. The particulars of a company's IT infrastructure need to be known. Information Security Decisions-CYBERSECURITY CULTURE Who Is Responsible-Shared: IT and business leaders Rationale-Business buy‐in and understanding are needed to design programs. Technical expertise and knowledge of critical security issues are needed to build them. Major Symptoms of Improper Decision Rights Allocation User behaviors are not consistent with security needs. Users bypass security measures, fail to recognize threats, or do not know how to react properly when security breaches occur. Information Security Decisions-INVESTMENTS Who Is Responsible-Shared: IT and business leaders Rationale-They require financial (quantitative) and qualitative evaluation of business impacts of security investments. A business case has to be presented for competing projects. Infrastructure impacts of funding decisions need to be evaluated. Major Symptoms of Improper Decision Rights Allocation-Under‐ or overinvestment in information security occurs. The human or technical security resources are insufficient or wasted.
spear phishing
More advanced versions of phishing attacks, often called spear phishing to highlight the targeted nature of the attack, mimic a situation or relationship highly familiar to the targeted user. For example, an unsuspecting user might receive a fake e‐mail from a charity the user supports, asking the user to click on a link to make a donation. In another example, a malicious actor obtained the name of the CEO of a company and sent a phishing e‐mail to his subordinates pretending to be the executive and asking the CFO to click on a link, which would open up a vulnerability and enable the hacker to steal bank account information.
NIST Cybersecurity Framework
National Institute of Standards and Technology (NIST) to produce a nation‐wide cybersecurity framework (CSF) Identify, An organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities Protect,Safeguards to ensure delivery of critical infrastructure services Detect,Activities to identify the occurrence of a cybersecurity event Respond,Activities to take action regarding a detected cybersecurity incident Recover,Activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident
social media management
Provide rules about what can be disclosed on social media, who can tweet, and how employees can identify themselves Pros It will prevent misrepresentation and confusion It will limit liability by avoiding errors Cons It might appear restrictive to workers It might appear to be meddling in workers' personal use of social media
biometrics
Scan a body characteristic; Medium Ubiquity; Pros: It is somewhat better than passwords It can be very reliable (e.g., iris scanning) It cannot be forgotten It cannot be derived from key loggers or social engineering It can be quite inexpensive (e.g., voice, fingerprint) Cons: It can present false positives and false negatives (e.g., voice; facial recognition) It can be relatively expensive and intrusive techniques (e.g., iris scanning) It is possible to change characteristics over time, such as voice It can create "loopholes" such as using a photo of a face or fingerprint on paper
firewall
Software and sometimes hardware‐based filter prevent or allow outside traffic from accessing the network Ubiquity High Pros Is flexible and can prevent traffic from a particular user, device, method, or geography Cons Barrier to only those threats it knows to stop Not a barrier if a password or other authentication technique is used
antivirus/antispyware
Software scans incoming data and evaluates the periodic state of the whole system to detect threats of secret software that can either destroy data or inform a server of your activity Ubiquity-Very high Notable Advantages Products block known threats very effectively Products have a large database and can detect hundreds of thousands of patterns that reveal a virus Notable Disadvantages Some products reveal a limited set of zero‐day threats (brand‐new outbreaks) by tracking suspicious behavior Products sometimes slow down the device Products are not as effective for a clever zero‐day threat (brand‐new outbreak)
encryption
System follows a complex formula, using a unique key (set of characters) to convert plain text into what looks like unreadable nonsense and then to decode back to plain text when presented with the decoding key Ubiquity: Very high It is very difficult to use or read a stolen computer file without the key Long and complex keys would take years of computer time to break Cons: The key can be unnecessary if access password is known If the key is not strong, hackers can uncover it by trial and error
deep web
The deep web is anything that is not found by general search engines. Content on the deep web includes material found on websites such as government databases and library databases that are accessible outside of the search engine
challenge questions
Ubiquity Medium overall; very high in banking Pros The answers are usually not forgotten Shuffling through several different questions can enhance security Cons Some answers can be derived from social network sites or by those who know the user Spelling inconsistencies can be a nuisance
token
Use small electronic device that generates a new supplementary passkey at frequent intervals Ubiquity Low in general but popular in highly secure environments Pros: Even if passkey is stolen, the system is again secure once the passkey changes Cons: Access requires physical possession of token device If the device is lost, access is lost until a new one is obtained Alternative access control (e.g., password) is essential if token device is stolen
spoofing
a technique intruders use to make their network or internet transmission appear legitimate to a victim computer or network
cybersecurity hygiene
applying the basic system updates and patches offered from the vendors of systems, since these updates usually fix known bugs and vulnerabilities
zero‐day threats
brand‐new outbreaks
black hat hackers
break in for their own gain or to wreak havoc on a firm
white hat hackers
e hired to try to break into systems in an effort to help the client firm uncover weaknesses.
weak password
hired to try to break into systems in an effort to help the client firm uncover weaknesses.
phishing attack
sends a person a counterfeit e‐mail that purports to be from a known entity. The e‐mail includes either a virus‐laden attachment or a link that when clicked, opens a back door on the user's system to install malware. Some well‐known examples are e‐mails from supposedly foreign dignitaries or newly wealthy individuals seeking help to get assets out of their country. More clever versions mimic a well‐known company and threaten account closure if the users do not respond.
key logger
software that traps keystrokes and stores them for hackers to inspect later. A key logger can even be hidden on a thumb drive plugged into a public computer in a hotel's business center. A key logger might also be triggered by visiting an unfamiliar website. Just by clicking on a search result, a user might inadvertently download and install the key logging software. Asking the user to log‐in will reveal his or her user name and password, opening a world of opportunity for the hacker.
grey hat hackers
test organizational systems without any authorization and notify a company when they find a weakness. Although they can be helpful, what they do is nevertheless illegal.
dark web
that part of the deep web that is intentionally hidden from the surface web. Special software, such as the Tor browser, are necessary to access the dark web.
defense in depth
the concept of having multiple layers of different security policies and practices so when one layer fails to stop a perpetrator, another layer might be more effective.
cross‐site scripting (XSS)
traps that appear to lead users to their goal, but in reality, they lead to a fraudulent site that requires a log‐in eBay permits users to install some computer code in their listings to add animation to make their items in eBay search results grab shoppers' attention. In this attack, malicious code was inserted instead, designed for a nefarious purpose: to alter the listing's address to point to a bogus log‐in screen. Users assumed they needed to log‐in once again for security purposes, but in reality everyone who "logged‐in" that second time provided the crooks with user names and passwords.