Ciampa - SecurityAwareness6e - PPT - Module02 - Tagged


Security Awareness, 6e
Module 2: Personal Cybersecurity

Mark Ciampa, Security Awareness, 6th Edition. © 2024 Cengage. All Rights Reserved. May not be scanned, copied or
duplicated, or posted to a publicly accessible website, in whole or in part. 1
Icebreaker
Never Have I Ever …

Module Objectives
2.1: Explain how passwords work and the attacks against them
2.2: List the different types of attacks using social engineering
2.3: Identify social networking risks and identity theft
2.4: Explain how to create a defensive stance
2.5: Describe personal security defenses

Introduction
• Many attacks are directed at technology—computers and
smartphones
• Other attacks are directed more toward the person
– Can apply across multiple devices
• In this module, we will explore personal security attacks
• We will look at defenses against these types of attacks

Personal Security Attacks
• Attacks launched against a user’s personal security:
– Password attacks
– Attacks using social engineering
– Identity theft
– Social networking attacks

Password Attacks
• Username and password
– Primary means of authentication on a computer system
• Password
– Secret combination of letters and numbers
– Only known to the user
• Password not considered strong defense against attackers
– Passwords can be weak
– Passwords subject to different types of attacks

What Is Authentication? (1 of 2)
Table 2-1 Elements that prove authenticity
Element | Description | Scenario example
Somewhere you are | Restricted location | Restricted military base
Something you are | Unique biological characteristic that cannot be changed | Fingerprint reader to enter building
Something you have | Possession of an item that nobody else has | Riker’s ID card
Someone you know | Validated by another person | Li knows Peyton
Something you exhibit | Genetically determined characteristic | Peyton’s red hair
Something you can do | Performance of an activity that cannot be exactly copied | Paolo’s signature
Something you know | Knowledge that nobody else possesses | Combination to unlock locker

What Is Authentication? (2 of 2)
• Authentication is proof of genuineness
– Only the real person possesses one or more of the seven
elements
– These can confirm a person’s identity
– These can deny access by an imposter
• In IT, these elements are called authentication credentials
• IT authentication normally uses three of these elements, called
factors
– Something you know (i.e., a password)
– Something you have
– Something you are
How Passwords Work (1 of 3)

How Passwords Work (2 of 3)
• The server uses a one-way hash algorithm to convert the
password to a scrambled set of characters that are unlike the
original password
• The scrambled set of characters is called a message digest of
the password
• When the user logs back in, the server uses the same one-way
hash to create a digest
• If the new digest matches the original digest, the user is
authenticated
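The enroll-then-compare flow described on this slide, as an added Python example (not from the textbook). The per-user random salt, the PBKDF2 iteration count and the constant-time comparison are additions beyond the slide's plain one-way hash; the stored record holds only the salt and the digest, never the password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256: a high count makes offline guessing
# against a leaked digest slow. Illustrative value, not from the slides.
ITERATIONS = 210_000


def create_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Enrollment: store a salted one-way digest of the password.
    The random per-user salt is an assumption added beyond the slide."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Login: run the same one-way function over the attempt with the stored
    salt and compare the new digest to the stored one in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def digests_differ_for_same_password(password: str) -> bool:
    """Two users who choose the same password get unrelated digests because
    their salts differ, so a leaked digest table does not reveal that fact."""
    return create_record(password)["digest"] != create_record(password)["digest"]


if __name__ == "__main__":
    rec = create_record("correct horse battery staple")
    print(rec)  # salt and digest only; the password itself is absent
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "Correct horse battery staple"))  # False: one changed character
```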

How Passwords Work (3 of 3)

Password Weaknesses (1 of 4)
• Human beings can only memorize a limited number of items
• Long, complex passwords are difficult to memorize
• Users must remember multiple passwords for multiple
accounts
• Each account password should be unique
• Many businesses have strict policies that mandate passwords
expire after a set period of time
– May even prevent a previously used password from being
recycled, forcing users to repeatedly memorize new passwords

Password Weaknesses (2 of 4)
• Characteristics of weak passwords
– Use a common word
– Short passwords
– Using a predictable sequence of characters or personal
information in a password
– Reuse the same password (or a slight variation) for multiple
accounts

Password Weaknesses (3 of 4)
Hackers are aware of predictable patterns and can search for
them.

• Appending a number or punctuation in a pattern
– cheer99
– Chris#6 (letters+punctuation+number is a common pattern)
• Replacing in a predictable pattern
– passw0rd
– br1ttney
– bet$y

Password Weaknesses (4 of 4)
Table 2-2 Ten most common passwords
Rank Password
1 123456
2 123456789
3 password
4 qwerty
5 12345678
6 1234567890
7 12345
8 111111
9 1234567
10 123123
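A password-policy check that looks for the predictable patterns from the last three slides (appended numbers or punctuation, leetspeak substitutions, sequences, personal information, and the Table 2-2 list), as an added Python example that is not from the textbook. The ten-entry list is constructed from Table 2-2; a real deployment would load a full breached-password list, and the substitution map and thresholds are assumptions.

```python
import re

# Constructed from Table 2-2 on this slide; a deployment would load a full
# breached-password list instead of these ten entries.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "12345678",
                    "1234567890", "12345", "111111", "1234567", "123123"}

# Predictable replacements (passw0rd, br1ttney, bet$y) undone before checking.
# Assumed map; extend it to match the substitutions seen in your own audits.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "$": "s", "@": "a", "7": "t", "!": "i"})


def base_word(pw: str) -> str:
    """Lower-case, undo leetspeak, and strip an appended number/punctuation
    suffix (cheer99 -> cheer, Chris#6 -> chris, passw0rd -> password)."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET))


def has_sequence(pw: str, run: int = 3) -> bool:
    """True for runs such as 123, abc or aaa anywhere in the password."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {0} or steps == {1}:
            return True
    return False


def weaknesses(pw: str, personal_terms=(), min_len: int = 12) -> list:
    """Return the predictable patterns from the slides that a password matches;
    an empty list means none of these patterns were found. personal_terms is
    the user's own data (names, pets, birthdays) the policy should reject."""
    found = []
    if len(pw) < min_len:
        found.append("short")
    if pw.lower() in COMMON_PASSWORDS:
        found.append("common password")
    base = base_word(pw)
    if base != pw.lower() and base in COMMON_PASSWORDS:
        found.append("predictable substitution of a common password")
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z0-9]*\d+", pw):
        found.append("word plus appended number/punctuation")
    if has_sequence(pw):
        found.append("repeated or sequential characters")
    for term in personal_terms:
        if term.lower() in base or term.lower() in pw.lower():
            found.append(f"contains personal information ({term})")
    return found


if __name__ == "__main__":
    for sample in ("passw0rd", "cheer99", "Chris#6", "br1ttney", "123456"):
        print(sample, "->", weaknesses(sample, personal_terms=("Brittney",)))
```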

Attacks on Passwords (1 of 4)
Variety of attacks used on passwords
• Online brute force attack
– Same account is continuously pounded
– Automated; parameters can be entered into the attack program
– Every combination of letters, numbers, and characters is
attempted
– Slowest yet most thorough method, but could take thousands of
years to guess the correct password
– Accounts set to disable after a number of attempts
– Rarely used because it is impractical

Attacks on Passwords (2 of 4)
• Password spraying attack
– Uses one or two common passwords against many user accounts rather than many passwords against a single account
– Less likely to trigger an account lockout from too many failed attempts
– Has a low success rate
• Password collections
– Most successful approach
– Uses technology for comparisons
  ▪ Password crackers (software designed to break passwords)
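Because spraying keeps each account below the lockout threshold, the pattern shows up per source rather than per account: many distinct usernames, each failed once or twice, from one origin. The following detection logic is an added Python example, not from the textbook; the log lines are constructed (RFC 5737 documentation addresses), and the line format, thresholds and labels are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed failed-login records (not real logs): timestamp, user, source IP.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 FAIL user=frank src=203.0.113.7
2024-03-01T09:00:10 FAIL user=grace src=198.51.100.9
2024-03-01T09:00:11 FAIL user=grace src=198.51.100.9
2024-03-01T09:00:12 FAIL user=grace src=198.51.100.9
2024-03-01T09:00:13 FAIL user=grace src=198.51.100.9
2024-03-01T09:00:14 FAIL user=grace src=198.51.100.9
2024-03-01T09:00:15 FAIL user=grace src=198.51.100.9
2024-03-01T09:01:00 FAIL user=heidi src=192.0.2.20
2024-03-01T09:05:00 FAIL user=heidi src=192.0.2.20
"""

# Assumed log line layout; adapt the pattern to the real authentication log.
LINE = re.compile(r"^(\S+) FAIL user=(\S+) src=(\S+)$")


def parse_failures(log_text: str):
    """Yield (timestamp, user, src) for each failed-login line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groups()


def classify_sources(log_text: str, spray_accounts: int = 5, lockout_threshold: int = 5) -> dict:
    """Label each source address.
    password spraying: at least spray_accounts distinct users, none of them
      hit as often as the lockout threshold (the sprayer is avoiding lockouts).
    online brute force: some single account hit at or above the threshold.
    benign: neither pattern."""
    per_src = defaultdict(Counter)
    for _, user, src in parse_failures(log_text):
        per_src[src][user] += 1
    labels = {}
    for src, users in per_src.items():
        busiest = max(users.values())
        if busiest >= lockout_threshold:
            labels[src] = "online brute force"
        elif len(users) >= spray_accounts:
            labels[src] = "password spraying"
        else:
            labels[src] = "benign"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(SAMPLE_LOG).items():
        print(src, label)
```

A sprayer that spreads its attempts across many source addresses stays under this per-source view; correlating by time window and by the distinct-users count across all sources is the usual next step.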

Attacks on Passwords (3 of 4)
• In 2009, an attacker broke into a server that contained more
than 32 million user passwords
– Passwords were posted on the Internet
– Gave attackers insight into the strategic thinking of how users
create passwords
• Using stolen passwords is now the foundation of password
cracking
• Most password cracking software tools can accept these stolen
lists of passwords

Attacks on Passwords (4 of 4)

Attacks Using Social Engineering (1 of 9)
• The attacker uses trickery to get the victim to act in the
attacker’s favor.
• Relies on clever manipulation of human nature to persuade
victim to provide information or take action.
• Many of the psychological approaches involve person-to-person
contact, so a variety of techniques are used to gain trust.
• Provide a reason.
– Attackers add a reason along with their request.
– Example: I was asked to call you because the director’s office
manager is out sick today.

Attacks Using Social Engineering (2 of 9)
• Project confidence.
– Enters a restricted area and calmly walks through the building as
if knowing where to go.
– May even greet people.
– Example: Hi, how are you doing?
• Make them laugh
– Humor can put people at ease and develop a sense of trust.
– Example: I can’t believe I left my badge in my office again! You
know, some mistakes are too much fun to only make once!

Attacks Using Social Engineering (3 of 9)
• Use evasion and diversion.
– Might evade a question by giving a vague or irrelevant answer.
– May feign innocence or confusion.
– May just keep denying any allegations.
– Can resort to anger and cause the victim to drop the challenge.
– Example: Who are you to ask that? Connect me with your
supervisor immediately!

Attacks Using Social Engineering (4 of 9)
Table 2-3 Social engineering effectiveness
Principle | Description | Example
Authority | Directed by someone impersonating an authority figure or falsely citing their authority | “I’m the CEO calling.”
Intimidation | To frighten and coerce by threat | “If you don’t reset my password, I will call your supervisor.”
Consensus | Influenced by what others do | “I called last week, and your colleague reset my password.”
Scarcity | Something is in short supply | “I can’t waste time here.”
Urgency | Immediate action is needed | “My meeting with the board starts in 5 minutes.”
Familiarity | Victim is well-known and well-received | “I remember reading a good evaluation on you.”
Trust | Confidence | “You know who I am.”

Attacks Using Social Engineering (5 of 9)
• Social engineering often relies on impersonation (also called
identity fraud) and then playing out the role of that person on a
victim
– Example: An attacker could impersonate a help desk support
technician and call the victim pretending there is a problem with
the network. They would usually ask for the victim’s username
and password to reset the account
– To appear genuine, the attacker must know something about the
victim
– Credential harvesting can be carried out by Internet and social
networking searches

Attacks Using Social Engineering (6 of 9)
• Social engineering attacks include phishing, typo squatting,
and hoaxes

• Phishing
– Most common attack based on social engineering
– Sending bogus email claiming to be from a legitimate business
– Users directed to an imposter website controlled by attacker
– Attempts to trick user into providing personal information
– An invoice scam sends a fictitious, overdue invoice that demands
immediate payment

Attacks Using Social Engineering (7 of 9)

Attacks Using Social Engineering (8 of 9)
• Typo Squatting
– Takes advantage of users who make a typing error when entering
a URL address
– Example: typing goggle.com (instead of google.com)
  ▪ Will be directed to a fake look-alike site
  ▪ Users will be asked to fill out a survey, thus giving personal
information
  ▪ Attackers purchase the domain names of sites that are spelled
similarly to actual sites
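A defensive check for the goggle.com case: flag a link whose host is one or two keystrokes away from a domain the organization knows, as an added Python example (not from the textbook). The allowlist, the distance threshold and the two-label domain reduction are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains users legitimately visit (constructed for the example).
KNOWN_DOMAINS = {"google.com", "microsoft.com", "example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Host of the URL reduced to its last two labels. Simplification: ignores
    multi-part public suffixes such as co.uk, which need a suffix list."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def lookalike_of(url: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return the known domain this URL's host most closely imitates, or None
    when the host is itself a known domain (including its subdomains) or is
    not within max_distance edits of any known domain."""
    host = registrable_domain(url)
    if host in known:
        return None
    best = min(known, key=lambda d: edit_distance(host, d))
    return best if edit_distance(host, best) <= max_distance else None


if __name__ == "__main__":
    for link in ("http://goggle.com/survey", "https://mail.google.com",
                 "www.micros0ft.com", "https://completely-different.org"):
        print(link, "->", lookalike_of(link))
```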

Attacks Using Social Engineering (9 of 9)
• Hoaxes
– False warnings
– Often contained in an email message claiming to come from the
IT department
– Can be used as first step in attack
– May warn of virus and ask user to take action
– May even ask user to call attacker for help

Social Networking Risks (1 of 3)
• Social networking
– The use of Internet-based social media platforms to stay
connected with friends, family, or peers
– A global revolution
– Replaced the phone, email, newspapers, and television for
communication and current news information
– Social media are forms of electronic communication through
which users engage in social networking
– Social networking has become a way of life

Social Networking Risks (2 of 3)
The very nature of social networking carries a significant risk

• Personal data can be used maliciously
– A burglar may know the person is on vacation
– The name of a pet could be a weak password
– Could result in identity theft
• Users may be too trusting
– After a period of time on a social-networking site, users may feel
like they know the attacker and start to provide personal
information

Social Networking Risks (3 of 3)
• Social networking security is lax or confusing
– These sites are designed for the sharing of information
– Often it is too easy for unauthorized users to view other people’s
information
• Unforeseen consequences of accepting friends
– Some users readily accept any “friend” request
– This allows the new “friend” to also see the personal information
of their friends

Identity Theft (1 of 2)
• Using someone’s personal information to impersonate the
victim, often to commit financial fraud
• Actions of identity thieves
– Produce counterfeit checks or debit cards to remove money from
account
– Establish phone service in victim’s name
– File for bankruptcy under victim’s name to avoid eviction
– Purchase big-ticket items with stolen credit card numbers
– Open bank or credit accounts in victim’s name

Identity Theft (2 of 2)
• Actions of identity thieves
– Open a new credit card account
– Obtain loans for expensive items such as cars and motorcycles

Knowledge Check Activity 2-1
Which two statements are correct?

1. Phishing is sending an email or displaying a web announcement that
falsely claims to be from a legitimate enterprise in an attempt to trick
the user into surrendering private information or taking action.
2. The most common IT authentication credential is providing
information that only the user would know, namely a password.
3. The most effective password attack is a password spraying attack.
Knowledge Check Activity 2-1: Answer
Which two statements are correct?

Phishing is sending an email or displaying a web announcement that
falsely claims to be from a legitimate enterprise in an attempt to trick
the user into surrendering private information or taking action.

The most common IT authentication credential is providing
information that only the user would know, namely a password.

Creating a Defensive Stance (1 of 2)
• There are basic steps that all users can do for their
protection.
• The first step is to create a defensive stance that begins
with a basic goal:
– The key to protecting my digital life is to make it too difficult
for an attacker to upend my safety, financial security, and
privacy.
– Few attackers will want to dedicate all of their resources to a
single person
– Being more secure than the average user will afford you the
basic protections that you need
Creating a Defensive Stance (2 of 2)
Begin by asking yourself these questions:
• What do I need to protect? (That is, what in my digital life can
give away critical information tied to my finances, privacy, and
safety?)
• How likely is it that it needs protection? (That is, what is your
current personal level of exposure to threats?)
• Will the effort be worth it to protect my digital life? (That is, do
you want to spend the energy to protect yourself?)
• Creating a defensive stance is doable. The most likely place to
start is with personal security defenses.

Knowledge Check Activity 2-2
Which two statements are correct?

1. The key to protecting your digital life is to make it too difficult
for an attacker to upend your safety, financial security, and privacy.
2. Being more secure than the average user will afford you the
basic protections that you need.
3. No matter what defenses you use, they must be perfect to
defeat all attackers.

Knowledge Check Activity 2-2: Answer
Which two statements are correct?

The key to protecting your digital life is to make it too difficult
for an attacker to upend your safety, financial security, and privacy.

Being more secure than the average user will afford you
the basic protections that you need.

Personal Security Defenses
• Defenses against attacks on personal security
– Password defenses
– Recognizing social engineering attacks
– Taking steps to avoid identity theft
– Reducing social networking risks

Password Defenses
• There are several defenses against password attacks
– Creating strong passwords using password managers
– Other password defenses

Creating Strong Passwords (1 of 5)
• General guidelines to create strong passwords:
– Do not use dictionary words or phonetic words
– Do not repeat characters or use sequences (123)
– Do not use birthdays, family member names, pet names,
addresses, or any personal information
– Do not use short passwords

Creating Strong Passwords (2 of 5)
• Use nonkeyboard characters (special characters that do not
appear on the keyboard)
– Method of making passwords stronger
– In the Microsoft Windows operating system, nonkeyboard
characters are accessed by holding down Alt key while typing a
number on the numeric keypad
– A list of available nonkeyboard characters can be seen by clicking
Start and entering charmap.exe, and then clicking a character

Creating Strong Passwords (3 of 5)

Creating Strong Passwords (4 of 5)
• The most critical factor in a strong password is length
– The longer a password is, the more attempts an attacker must
make to attempt to break it
– Increasing the length of a password increases the strength
exponentially
– The formula for determining the number of possible passwords
based on a specific password length is:
  ▪ Number-of-Keyboard-Keys ^ Password-Length = Total-Number-of-Possible-Passwords

Creating Strong Passwords (5 of 5)
Table 2-4 Number of possible passwords
Keyboard keys | Password length | Number of possible passwords | Average attempts to break password
95 | 2 | 9025 | 4513
95 | 3 | 857,375 | 428,688
95 | 4 | 81,450,625 | 40,725,313
95 | 5 | 7,737,809,375 | 3,868,904,688
95 | 6 | 735,091,890,625 | 367,545,945,313
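The formula from the previous slide and Table 2-4 carried through in code, as an added Python example that is not from the textbook. It goes a little beyond the table: the "average attempts" column is reproduced as the keyspace halved and rounded up, and a time-to-exhaust estimate is added for an assumed guess rate (the rate is an assumption, not from the slides).

```python
# Number-of-Keyboard-Keys ^ Password-Length = Total-Number-of-Possible-Passwords
KEYBOARD_KEYS = 95  # printable ASCII characters, the count Table 2-4 uses


def possible_passwords(length: int, keys: int = KEYBOARD_KEYS) -> int:
    """Size of the keyspace for a given length and character set."""
    return keys ** length


def average_attempts(length: int, keys: int = KEYBOARD_KEYS) -> int:
    """On average the correct password turns up halfway through the keyspace;
    Table 2-4 rounds the half attempt up, so use integer ceiling division."""
    return (keys ** length + 1) // 2


def build_table(min_len: int = 2, max_len: int = 6, keys: int = KEYBOARD_KEYS) -> list:
    """Rows of (keys, length, possible passwords, average attempts), as in Table 2-4."""
    return [(keys, n, possible_passwords(n, keys), average_attempts(n, keys))
            for n in range(min_len, max_len + 1)]


def growth_factor(length: int, keys: int = KEYBOARD_KEYS) -> int:
    """How much larger the keyspace becomes when one character is added:
    always exactly `keys`, which is what 'grows exponentially' means here."""
    return possible_passwords(length + 1, keys) // possible_passwords(length, keys)


def seconds_to_exhaust(length: int, guesses_per_second: int, keys: int = KEYBOARD_KEYS) -> float:
    """Worst-case time to try every password at an assumed guess rate."""
    return possible_passwords(length, keys) / guesses_per_second


if __name__ == "__main__":
    for row in build_table():
        print("{:>3} {:>2} {:>18,} {:>18,}".format(*row))
    # Assumed rate of one billion guesses per second (illustrative only).
    for n in (6, 8, 12):
        print(n, "characters:", seconds_to_exhaust(n, 10**9) / 86400, "days to exhaust")
```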

Using Password Managers (1 of 3)
• Surprising characteristics of weak passwords
– Password that can be memorized
– Repeated use of the same password on multiple accounts
• Technologies used for securing passwords are called password
managers
• There are different types of password managers
– They all provide a higher degree of password security than relying
on human memory

Using Password Managers (2 of 3)
• Allowing a web browser to save a password has several
disadvantages
– Can only retrieve passwords on that computer (unless the
browser is synched with other computers)
– Passwords may be vulnerable if another user accesses the
computer
– Applications are available that display stored passwords
• Password managers contain a random number generator to
create strong random passwords based on different settings.

Using Password Managers (3 of 3)

Other Password Defenses (1 of 2)
Other password defenses include the following:
• Two-factor authentication (2FA)
– Based on the approved user having a specific item in their
possession (something you have)
– Often used with passwords (something you know)
• Special email account
– If a password is forgotten, most accounts email a reset link
– A secure practice is to have a special email account that is only
used to retrieve email reset links

Other Password Defenses (2 of 2)
• Anonymous username
– If the option is available, it is a secure practice to create an
anonymous username that cannot be associated with a specific
person
– Example: IdsP%fQW34E$
• Fictitious security answers
– Most accounts ask for an answer to a security question
– A secure practice is to use a fictitious answer

Recognizing Social Engineering Attacks (1 of 2)
• Two foundational principles
– Attacks based on social engineering can come at any time
without warning
– The attacker presents herself as someone who can be trusted
• Both principles must be counteracted
– Users must always be aware
– Users must be initially suspicious of any email or electronic
correspondence

Recognizing Social Engineering Attacks (2 of 2)
Table 2-5 Social engineering defenses
Social engineering example | Secure action | Explanation
An email stating you have won a prize and you must send your bank account number for the money to be deposited. | Recognize scams | Any offer for “easy money” should always be rejected.
A text message that a friend vacationing overseas has lost her purse and needs you to immediately purchase gift cards or a money wire transfer to send funds to a foreign bank account. | Think before you click | Attackers employ a sense of urgency to make you act now and think later, so any highly urgent or high-pressure messages should be rejected until they can be verified through another method of communication different from the message itself (like calling the person if a text message was received).
An email from a company that says your credit card will be charged for a recent purchase, but you did not make the purchase. | Research sources | Always be careful of any unsolicited messages and check the domain links to see if the company is real and if the person sending you the email belongs to the organization.
You receive an email from a friend that has an attachment with the subject line I can’t believe this is a picture of you doing this! | Never download unexpected file attachments | Always verify through a different channel (phone, text message, etc.) with the sender that the attachment is legitimate, especially if there is a sense of urgency with the message.
A text message asks you to donate to a disaster recovery effort due to a tornado that occurred last night. | Reject requests for help | Perform research into the organization asking for funds.
An email says that you are eligible to apply for federal disaster relief and this company will assist you. | Reject offers of help | Go directly to the primary website that assists and never give personal information through an email to an unknown sender.

Avoiding Identity Theft (1 of 3)
Two basic steps for avoiding identity theft:
• Deter theft by safeguarding information
– Shred financial documents
– Avoid carrying Social Security number in wallet
– Do not share personal information through phone or email
– Keep personal information in a secure location
– Receive electronic notification of statements instead of through
postal mail

Avoiding Identity Theft (2 of 3)
• Monitor financial statements and accounts
– Be alert to signs that may indicate unusual activity
– Follow up on calls regarding purchases that were not made
– Review financial and billing statements each month carefully as
soon as they arrive

Avoiding Identity Theft (3 of 3)
• Legislation to help users monitor financial information
– Fair and Accurate Credit Transactions Act (FACTA) of 2003
  ▪ Allows consumers one free credit report from each of the three
national credit-reporting firms every 12 months
  ▪ Consumers can report inaccuracies to the credit-reporting agency
  ▪ The agency has 30 days to investigate and respond with a corrected
report

Reducing Social Networking Risk
• Be cautious about what information you post
– Posting travel plans can invite burglary
– Consider your boss and mother reading the post
• Consider allowing casual acquaintances and business
associates access to a limited version of a profile
• Pay close attention to information about new or updated
security settings

Knowledge Check Activity 2-3
Which two statements are correct?

1. The most critical factor in a strong password is not length but
complexity.
2. Password managers are not only used to store and retrieve
passwords, but they also contain a password generator feature.
3. In a social engineering attack, the attacker presents herself as
someone who can be trusted.

Knowledge Check Activity 2-3: Answer
Which two statements are correct?

Password managers are not only used to store and retrieve
passwords, but they also contain a password generator feature.

In a social engineering attack, the attacker presents herself as
someone who can be trusted.

Summary
Click the link to review the objectives for this presentation.
Link to Objectives
