Which feature of cryptography is used to prove a user's identity and prevent an individual from fraudulently reneging on an action?

Chapter 5 Mobile Security

8. On a separate computer, log into your email account to view the message sent by Prey. Click GO TO MY ACCOUNT and log into your PreyProject account.
9. Click the name of your recently added device.
10. On the Devices tab, select Sound alarm. What does this function perform?
11. Click SET DEVICE TO MISSING on the Devices tab.
12. It may take up to 10 minutes for the alarm to sound, depending on how frequently the device checks into Prey.
13. When a report is generated, click Reports and read the information about the location of the device. Would this be sufficient information to find the missing device?
14. Click SET DEVICE TO RECOVERED on the Devices tab.
15. Close all windows.

Case Projects

Case Project 5-1: Your Wireless Security

Is the wireless network you own as secure as it should be? Examine your wireless network or that of a friend or neighbor and determine which security model it uses. Next, outline the steps it would take to move it to the next highest level. Estimate how much it would cost and how much time it would take to increase the level. Finally, estimate how long it would take you to replace all the data on your computer if it was corrupted by an attacker, and what you might lose. Would this be a motivation to increase your current wireless security model? Write a one-page paper on your work.

Case Project 5-2: Information Security Community Site Activity

The Information Security Community Site is an online companion to this textbook. It contains a wide variety of tools, information, discussion boards, and other features to assist learners. Go to community.cengage.com/infosec. Sign in with the login name and password that you created in Chapter 1. What is the legality of war driving? Is it considered illegal? Why or why not? If it is not illegal, do you think it should be? What should be the penalties? Record your responses on the Community Site discussion board.
Additional Case Projects for this chapter are available through the MindTap online learning environment.

Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it.

Chapter 6 Privacy

After completing this chapter you should be able to do the following:
● Define privacy and explain the risks associated with unprotected private data
● Define cryptography
● List the various ways in which cryptography is used
● Explain how privacy best practices may be used
● Describe the responsibilities of organizations regarding protecting private data

Security in Your World

“Good morning, everyone. Let’s get started with today’s discussion.” Dr. Faucheux was teaching the Current Issues in American Society course and had assigned students to read three articles for the discussion. “Who wants to start with any reaction to what you read?” he asked.

Amaka raised her hand and said, “I was shocked! I knew that the NSA is supposed to protect us from our enemies. But what they’re doing now is against American citizens.” The article to which she was referring contained a list of known activities that the U.S. National Security Agency was conducting to monitor American citizens as well as foreign nationals.

“Look at this list,” Amaka continued. “They can access your email, chat, and web browsing history.
They can see what websites you visit. They can track your Likes on social media. Where does it all end?”

Bob raised his hand and said, “I don’t have a problem with it. They’re looking for any terrorists who have sneaked into our country. I want them to find those people before they do anything bad.”

Henryk said, “My grandparents had to flee Czechoslovakia and they would tell me about how the government spied on everyone back then. They said you could trust nobody, and nobody trusted you. This sounds a lot like that.”

“Let me ask this question,” Dr. Faucheux interrupted. “Is this illegal?”

Amaka leaned forward and said, “Yes it is. We have a right to privacy in our country.”

Dr. Faucheux displayed a PowerPoint slide on the screen in front of the classroom. “Here’s what the Declaration of Independence says: ‘We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness.’ I don’t see privacy listed there, do you?”

“And besides,” said Bob, “if you don’t have anything to hide, then why would you worry about what they look at? Only criminals need to be afraid.”

“Wait a minute,” said Henryk. “Didn’t the second article we read say that when people were asked, ‘Do you have anything to hide?’ 83 percent said that they did not. But when they also were asked, ‘Would you want to share everything about your life with everyone, everywhere, all the time, forever?’ then 89 percent said no. People want their privacy. And the NSA is stealing it.”

“Dr. Faucheux, I was thinking along a different line as I read these articles,” said Hermione. “Doesn’t much of the data collection happen on the websites that we visit? So these websites and the advertising networks are collecting our data? And then it’s used in ways we don’t even know about and by people we don’t even know?
Shouldn’t we have a say in who collects our online data and how they might use it against us?”

Dr. Faucheux leaned forward in his chair. “Hermione, that’s an excellent observation. Class, what do you think about that?”

Over the past 30 years, the changes in our society as a result of the introduction of personal computers and related technology have been nothing short of phenomenal. Advances in medical research, manufacturing systems, transportation, telecommunications, and in many other areas have profoundly impacted the world.

Yet it is universally agreed that an unforeseen consequence of the introduction of technology has also been the erosion of our personal privacy. Whereas in the past individuals could regulate what information about them was gathered and used, today that is no longer the case. Technology has automated the process of the collection of our personal data. The websites we visit, the telephone calls we make, the emails we send, the location of our meeting places, and hundreds of other “data points” about us are collected without our knowledge—and usually without our consent—and then used in a variety of ways. And this data is collected on billions of citizens around the world each day.

Consider just the area of insurance premiums. Does your neighbor pay lower car insurance premiums because data shows that he does not drive between the hours of 2:00 AM and 6:00 AM as you do—even though you are driving to work the early morning shift at that time?
Will your health insurance premiums be higher because your web surfing habits show that you are more likely to accept a price increase instead of shopping online for a new policy—even though you work hard to maintain a healthy lifestyle so as to limit the number of your health insurance claims? Are your life insurance premiums higher because a distant relative 50 years ago died at an early age due to a disease—even though you never even knew this person? Are funeral insurance expense policies higher for your lower-income uncle because he visits websites that indicate he struggles with financial literacy and may be confused about insurance—even though he is having difficulty even paying the premiums?

What is even more troubling may be how personal data can be used to change our behavior. Consider Facebook. It has been shown that simply increasing the amount of “hard news” displayed in the Facebook news feeds results in more citizens turning out to vote in elections. Would supporters of a particular candidate running in a close election be able to influence the election results by just increasing the volume of news that is displayed on Facebook news feeds? Or suppose a Facebook user notices that one of her posts on Facebook about that candidate receives no Likes from her friends; she assumes it is because her friends do not agree, and she feels silently pressured to support the opposing candidate. But in reality, Facebook simply filtered out her posts from her friends’ news feeds so that they never saw the posts. Thus, access to our private data can not only erode our privacy but may also be used to quietly manipulate our behavior.

In this chapter, you learn about privacy and what users can do to protect their data. You will first learn what privacy is and the risks that have been placed on it with today’s technology. Then you will examine ways in which to limit the erosion of our privacy.

Privacy Primer

Understanding privacy begins with a definition of privacy.
It also involves knowing the risks associated with private data that is collected.

What Is Privacy?

Privacy is defined as the state or condition of being free from public attention to the degree that you determine. That is, privacy is freedom from attention, observation, or interference, based on your decision. Privacy is the right to be left alone to the level that you choose.

Prior to the current age of technology, almost all individuals (with the exception of media celebrities and politicians) generally were able to choose the level of privacy that they desired. For those who wanted to have very open and public lives in which anyone and everyone knew everything about them, they were able to freely provide that information about themselves to others. Those who wanted to live a very quiet or even unknown life could limit what information was disseminated. In short, both those wanting a public life and those wanting a private life could choose to do so by controlling information about themselves.

However, today that is no longer possible. Data is collected on almost all actions and transactions that individuals perform. This includes data collected through web surfing, purchases (online and in stores), user surveys and questionnaires, and through a wide array of other sources. It also is collected on benign activities such as the choice of movies streamed through the Internet, the location signals emitted by a cell phone, and even the path of walking as recorded by a surveillance camera.
This data is then aggregated by data brokers. One data broker holds an average of 1,500 pieces of information on more than 500 million consumers around the world.[1] These brokers then sell the data to interested third parties such as marketers or even governments.

Unlike consumer reporting agencies, which are required by federal law to give consumers free copies of their credit reports and allow them to correct errors, data brokers are not required to show consumers information that has been collected about them or provide a means of correcting it.

Risks Associated with Private Data

The risks associated with the use of private data fall into three categories:

• Individual inconveniences and identity theft. Data that has been collected on individuals is frequently used to direct ad marketing campaigns toward the person. These campaigns, which include email, direct mail marketing promotions, and telephone calls, generally are considered annoying and unwanted. In addition, personal data may be used as the basis for identity theft, which involves stealing another person’s information (such as Social Security number) and then using the information to impersonate the victim for financial gain. Identity thieves often create new bank or credit card accounts under the victim’s name and then charge large purchases to these accounts, leaving the victim responsible for the debts and ruining her credit rating. Usually, identity theft starts with personal data theft.

Identity theft is covered in Chapter 2.
• Associations with groups. Another use of personal data is to place what appear to be similar individuals together into groups. One data broker has 70 distinct segments (clusters) within 21 consumer and demographic characteristic groups (life stages). These groups range from Boomer Barons (baby boomer-aged households with high education and income), Hard Changers (well-educated and professionally successful singles), and True Blues (working parents who hold blue-collar jobs with teenage children about to leave home). Once a person is placed in a group, the characteristics of that group are applied, such as whether a person is a “potential inheritor,” an “adult with senior parent,” or whether a household has a “diabetic focus” or “senior needs.” However, these assumptions may not always be accurate for the individual that has been placed within that group. Individuals might be offered fewer or the wrong types of services based on their association with a group.

• Statistical inferences. Statistical inferences are often made that go beyond groupings. For example, researchers have demonstrated that by examining only four data points of credit card purchases (such as the dates and times of purchases) by 1.1 million people, they were able to correctly identify 90 percent of them.[2] In another study, the Likes indicated by Facebook users can statistically reveal their sexual orientation, drug use, and political beliefs.[3]

The issues raised regarding how private data is gathered and used are listed in Table 6-1.

| Issue | Explanation |
| --- | --- |
| The data is gathered and kept in secret. | Users have no formal rights to find out what private information is being gathered, who gathers it, or how it is being used. |
| The accuracy of the data cannot be verified. | Because users do not have the right to correct or control what personal information is gathered, its accuracy may be suspect. In some cases, inaccurate or incomplete data may lead to erroneous decisions made about individuals without any verification. |
| Identity theft can impact the accuracy of data. | Victims of identity theft will often have information added to their profile that was the result of actions by the identity thieves, and even this vulnerable group has no right to see or correct the information. |
| Unknown factors can impact overall ratings. | Ratings are often created from combining thousands of individual factors or data streams, including race, religion, age, gender, household income, zip code, presence of medical conditions, transactional purchase information from retailers, and hundreds more data points about individual consumers. How these different factors impact a person’s overall rating is unknown. |
| Informed consent is usually missing or is misunderstood. | Statements in a privacy policy such as “We may share your information for marketing purposes with third parties” are not clearly informed consent to freely allow the use of personal data. Often users are not even asked for permission to gather their information. |
| Data is being used for increasingly important decisions. | Private data is being used on an ever-increasing basis to determine eligibility in significant life opportunities, such as jobs, consumer credit, insurance, and identity verification. |

Table 6-1 Issues regarding how private data is gathered and used

The inaccuracy of data is of particular concern.
A study of consumer financial data used by consumer reporting agencies found that 20 percent of consumers discovered an error on at least one of their three credit reports that had impacted their credit score. After the information was corrected, over 10 percent of consumers saw their credit score increase, while 1 in 20 consumers had a score change of over 25 points. And 1 in 250 consumers who corrected their data had a maximum score change of over 100 points.[4]

The risks associated with private data have led to concern by individuals regarding how their private data is being used. According to a recent survey:[5]

• 91 percent “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.
• 88 percent “agree” or “strongly agree” that it would be very difficult to remove inaccurate information about them online.
• 80 percent of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
• 70 percent of social networking site users say that they are somewhat concerned about the government accessing some of the information they share on social networking sites without their knowledge.
• 62 percent of adults have used a search engine to look up their own name or see what information about them is on the Internet.
• 47 percent generally assume that people they meet will search for information about them on the Internet.
• 16 percent say they have asked someone to remove or correct information about them that was posted online.
• 11 percent of adults say they have had bad experiences because embarrassing or inaccurate information was posted about them online.
• 6 percent have set up some sort of automatic alert to notify them when their name is mentioned in a news story, blog, or elsewhere online.

Security in Your World

“Let’s now move to questions from the floor.” Dr. Faucheux was serving as moderator of a panel discussion regarding privacy. It was being held by the college’s student government association, or SGA. The SGA president, after hearing positive student comments from the Current Issues in American Society course, had asked Dr. Faucheux to organize a panel of three different faculty and staff members.

Will raised his hand and said, “I have a question for Mr. Dicello,” who taught in the college’s marketing department. “Can you explain again how the data the websites get from us is being used?”

Mr. Dicello moved toward his microphone and said, “Certainly. The data compiled from the websites that you visit goes far beyond matching products with consumers for determining what ads you will see. It also can be used to set the prices you pay for services like auto insurance. But how those decisions are made isn’t clear. There are what we call ‘algorithmic black boxes’ that are used to make countless important decisions about our lives, but we don’t know how they work or even what the algorithm is,” he said. “Plus,” he continued, “the data that is amassed isn’t always accurate or complete, and gives away far more about us than we realize.”

Dr. Olhouser from the political science department leaned forward. “We need what I would call a policy approach. It should not be just privacy by design, but privacy by default. But unfortunately, I don’t think that public policy and legislation can solve our privacy problem.
I’m afraid we’ll have to rely on a technology solution.”

Mia, who was sitting next to Will, spoke up and said, “What is the technology solution?”

Mrs. Jackson, the director of IT at the college, said, “There are browser additions that can help. One popular addition blocks spying ads and invisible trackers. And we also should have end-to-end encryption of everything that is being transmitted and stored. Government agencies can’t do mass surveillance if our data is encrypted.”

Mia raised her hand again and asked, “How does encryption work?”

Privacy Protections

It is virtually impossible today to prevent the collection and use of all private data. Nevertheless, there are several different protections that may be implemented to reduce the risks associated with private data. These protections include using cryptography and following best practices. In addition, organizations that collect private data have responsibilities.

Cryptography

Defining cryptography involves understanding what it is and what it can do. It also involves understanding how cryptography can be used as a tool to protect data.

What Is Cryptography?

“Scrambling” data so that it cannot be read is a process known as cryptography (from Greek words meaning hidden writing). Cryptography is the science of transforming information into a secure form so that unauthorized persons cannot access it.

Whereas cryptography scrambles a message so that it cannot be understood, steganography hides the existence of the data. What appears to be a harmless image can contain hidden data, usually some type of message, embedded within the image. Steganography takes the data, divides it into smaller sections, and hides it in unused portions of the file, as shown in Figure 6-1. Steganography may hide data in the file header fields that describe the file, between sections of the metadata (data that is used to describe the content or structure of the actual data), or in the areas of a file that contain the content itself.

[Figure 6-1: Data hidden by steganography. A message to be hidden (“The secret password...”), in binary form, is placed in the metadata header fields of an image file: header size, file size, reserved space 1, reserved space 2, offset address for start data, image width, image height, number of graphic planes, number of bits per pixel, compression type, number of colors. Image © Chris Parypa Photography/Shutterstock.com]

Steganography can use a wide variety of file types—image files, audio files, video files, etc.—to hide messages and data.

Government officials suspect that terrorist groups routinely use steganography to exchange information. A picture of a sunrise posted on a website may actually contain secret information, although it appears harmless.

Cryptography’s origins date back centuries. One of the most famous ancient cryptographers was Julius Caesar. In messages to his commanders, Caesar shifted each letter of his messages three places down in the alphabet, so that an A was replaced by a D, a B was replaced by an E, and so forth. Changing the original text into a secret message using cryptography is known as encryption.
When Caesar’s commanders received his messages, they reversed the process (such as substituting a D for an A) to change the secret message back to its original form. This is called decryption.

Data in an unencrypted form is called cleartext data. Cleartext data is “in the clear” and thus can be displayed as is, without any decryption being necessary. Plaintext data is cleartext data that is to be encrypted and is also the result of decryption. Plaintext may be considered as a special instance of cleartext.

Plaintext should not be confused with “plain text.” Plain text is text that has no formatting (such as bolding or underlining) applied.

Plaintext data is input into a cryptographic algorithm, which consists of procedures based on a mathematical formula used to encrypt and decrypt the data. A key is a mathematical value entered into the algorithm to produce ciphertext, or encrypted data. Just as a key is inserted into a door lock to lock the door, in cryptography a unique mathematical key is input into the encryption algorithm to “lock down” the data by creating the ciphertext. When the ciphertext needs to be returned to plaintext, the reverse process occurs with a decryption algorithm and key. The cryptographic process is illustrated in Figure 6-2.

[Figure 6-2: Cryptographic process. Plaintext (“Confidential Memo Layoffs at the Lakeview store will begin...”) and a key are input into the encryption algorithm to produce ciphertext, which is transmitted to the remote user; there the ciphertext and a key are input into the decryption algorithm to recover the plaintext.]

Cryptography and Privacy

Cryptography can provide basic privacy protection for information because access to the keys can be limited. Cryptography can provide five basic protections:

• Confidentiality. Cryptography can protect the confidentiality of information by ensuring that only authorized parties can view it. When private information, such as a document containing a user’s financial information, is transmitted across the Internet or stored on a USB flash drive, its contents can be encrypted, which allows only authorized individuals who have the key to see it.

• Integrity. Cryptography can protect the integrity of information. Integrity ensures that the information is correct and no unauthorized person or malicious software has altered that data. Because ciphertext requires that a key must be used in order to open the data before it can be changed, cryptography can ensure its integrity. The document of financial information, for example, can be protected so that no data can be added or deleted by unauthorized personnel.

• Availability. Cryptography can help ensure the availability of the data so that authorized users who possess the key can access it. Instead of storing an important file on a hard drive that is locked in a safe to prevent unauthorized access, an encrypted file can be immediately available to authorized individuals who have been given the key.
The document of financial data could be stored on a computer and be available to a financial planner for review because she has the algorithm key.

• Authentication. The authentication of the sender can be verified through cryptography. Specific types of cryptography, for example, can prevent a situation such as sending a request to a financial planner to withdraw money from an account that appears to come from the user but in reality was sent by an imposter.

• Nonrepudiation. Cryptography can enforce nonrepudiation. Repudiation is defined as denial; nonrepudiation is the inability to deny, so nonrepudiation is the process of proving that a user performed an action, such as sending an email message. Nonrepudiation prevents an individual from fraudulently “reneging” on an action. The nonrepudiation features of cryptography can prevent a financial manager from claiming she never sent a copy of financial data transactions to an unauthorized third party.

A practical example of nonrepudiation is Alice taking her car to a repair shop for service and signing an estimate form of the cost of repairs and authorizing the work. If Alice later returns and claims she never approved a specific repair, the signed form can be used as nonrepudiation.

The security protections afforded by cryptography are summarized in Table 6-2. Not all types of cryptography provide all five protections.

| Characteristic | Description | Protection |
| --- | --- | --- |
| Confidentiality | Ensures that only authorized parties can view the information | Encrypted information can only be viewed by those who have been provided the key. |
| Integrity | Ensures that the information is correct and no unauthorized person or malicious software has altered that data | Encrypted information cannot be changed except by authorized users who have the key. |
| Availability | Ensures that data is accessible to authorized users | Authorized users are provided the decryption key to access the information. |
| Authentication | Provides proof of the genuineness of the user | Proof that the sender was legitimate and not an imposter can be obtained. |
| Nonrepudiation | Proves that a user performed an action | Individuals are prevented from fraudulently denying that they were involved in a transaction. |

Table 6-2 Information protections by cryptography

Types of Cryptography

There are three broad categories of cryptographic algorithms. These are known as hash algorithms, symmetric cryptographic algorithms, and asymmetric cryptographic algorithms.

Hash Algorithms

The most basic type of cryptographic algorithm is a one-way hash algorithm. A hash algorithm creates a unique “digital fingerprint” of a set of data and is commonly called hashing. This fingerprint, called a digest (sometimes called a message digest or hash), represents the contents. Although hashing is considered a cryptographic algorithm, its purpose is not to create ciphertext that can later be decrypted. Instead, hashing is “one-way” in that its contents cannot be used to reveal the original set of data. Hashing is used primarily for comparison purposes. Hash algorithms are used extensively with passwords. When a password is first created by the user, a hash algorithm is used to create a digest or digital representation of that password, and the digest is stored on the computer or website.

Password digests are covered in Chapter 2.

A secure hash that is created from a set of data cannot be reversed. For example, if 12 is multiplied by 34 the result is 408.
If a user was asked to determine the two numbers used to create the number 408, it would not be possible to “work backward” and derive the original numbers with absolute certainty because there are too many mathematical possibilities (204 + 204, 204 × 2, 407 + 1, 102 × 4, 361 + 47, etc.). Hashing is similar in that it is used to create a value, but it is not possible to determine the original set of data.

A hashing algorithm is considered secure if it has these characteristics:

• Fixed size. A digest of a short set of data should be the same size as a digest of a long set of data. For example, a digest of the single letter a is 86be7afa339d0fc7cfc785e72f578d33, while a digest of 1 million occurrences of the letter a is 4a7f5723f954eba1216c9d8f6320431f, the same length.
• Unique. Two different sets of data cannot produce the same digest; such a match is known as a collision. Changing a single letter in one data set should produce an entirely different digest. For example, a digest of Sunday is 0d716e73a2a7910bd4ae63407056d79b, while a digest of sunday (lowercase s) is 3464eb71bd7a4377967a30- 32#da798a1b54.
• Original. It should be impossible to produce a data set that has a desired or predefined hash.
• Secure. The resulting hash cannot be reversed in order to determine the original plaintext.

Hashing is often used to determine the integrity of a message or contents of a file. In this case, the digest serves as a check to verify that the original contents have not changed. For example, digest values are often posted on websites in order to verify the integrity of files that can be downloaded. A user can create a digest on a file after it has been downloaded and then compare that value with the original digest value posted on the website. A match indicates that the integrity of the file has been preserved. This is shown in Figure 6-3.

Figure 6-3 Verifying file integrity with digests (1. File downloaded; 2. Digest generated on downloaded file; 3. Digest compared with posted digest)

At one time, in some countries, a customer’s automated teller machine (ATM) card stored the digest of the customer’s personal identification number (PIN) on the back of the card. When the PIN was entered on the ATM, it was hashed and then compared with the digest stored on the back of the card. If the numbers matched, the customer’s identity was verified. This prevented a thief from easily using a stolen card. These types of cards, however, are no longer used.

Symmetric Cryptographic Algorithms

The original cryptographic algorithms for encrypting and decrypting data are symmetric cryptographic algorithms. Symmetric cryptographic algorithms use the same single key to encrypt and decrypt a document. Unlike hashing, in which the hash is not intended to be decrypted, symmetric algorithms are designed to encrypt and decrypt the ciphertext. Data encrypted with a symmetric cryptographic algorithm by Alice will be decrypted when received by Bob. It is therefore essential that the key be kept private (confidential), because if an attacker obtained the key he could read all the encrypted documents. For this reason, symmetric encryption is also called private key cryptography. Symmetric encryption is illustrated in Figure 6-4 where identical keys are used to encrypt and decrypt a document.

Symmetric cryptography can provide strong protections against attacks as long as the key is kept secure.

Figure 6-4 Symmetric (private key) cryptography

Asymmetric Cryptographic Algorithms

If Bob wants to send an encrypted message to Alice using symmetric encryption, he must be sure that she has the key to decrypt the message. Yet how should Bob get the key to Alice? He cannot send it electronically through the Internet, because that would make it vulnerable to interception by attackers. Nor can he encrypt the key and send it, because Alice would not have a way to decrypt the encrypted key. This example illustrates the primary weakness of symmetric encryption algorithms: distributing and maintaining a secure single key among multiple users, who are often scattered geographically, poses significant challenges.

A completely different approach from symmetric cryptography is to use asymmetric cryptographic algorithms, also known as public key cryptography. Asymmetric encryption uses two keys instead of only one. These keys are mathematically related and are known as the public key and the private key.
The public key is known to everyone and can be freely distributed, while the private key is known only to the individual to whom it belongs. When Bob wants to send a secure message to Alice, he uses Alice’s public key to encrypt the message. Alice then uses her private key to decrypt it. Asymmetric cryptography is illustrated in Figure 6-5.

Figure 6-5 Asymmetric (public key) cryptography

Several important principles regarding asymmetric cryptography are:

• Key pairs. Unlike symmetric cryptography that uses only one key, asymmetric cryptography requires a pair of keys.
• Public key. Public keys by their nature are designed to be “public” and do not need to be protected. They can be freely given to anyone or even posted on the Internet.
• Private key. The private key should be kept confidential and never shared.
• Both directions. Asymmetric cryptography keys can work in both directions. A document encrypted with a public key can be decrypted with the corresponding private key. In the same way, a document encrypted with a private key can be decrypted with its public key.
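The download check described under Hash Algorithms (Figure 6-3), together with the fixed-size and uniqueness properties listed there, as an added example that is not from the textbook. It assumes SHA-256 from Python's standard library (the text does not name the algorithm behind its sample digests), and the file contents are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile


def digest_hex(data: bytes) -> str:
    """Digest of an in-memory byte string (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).hexdigest()


def file_digest(path: str, chunk_size: int = 64 * 1024) -> str:
    """Figure 6-3, step 2: generate the digest of the downloaded file.

    The file is read in chunks so a large installer never has to fit in memory.
    """
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, posted_digest: str) -> bool:
    """Figure 6-3, step 3: compare the generated digest with the posted digest."""
    posted = posted_digest.strip().lower()
    # Reject values that cannot be a SHA-256 digest before touching the file.
    if len(posted) != 64 or any(c not in "0123456789abcdef" for c in posted):
        raise ValueError("posted value is not a SHA-256 digest")
    return hmac.compare_digest(file_digest(path), posted)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of digest bits that differ between two inputs."""
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


def demo() -> dict:
    """Check a constructed file, then a copy in which a single bit was altered."""
    original = b"constructed sample installer bytes " * 1000   # not a real program
    posted = digest_hex(original)        # the value the publisher would post
    tampered = bytearray(original)
    tampered[100] ^= 0x01                # flip one bit in the downloaded copy
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Install.exe")
        for name, content in (("intact", original), ("tampered", bytes(tampered))):
            with open(path, "wb") as f:
                f.write(content)
            results[name] = verify_download(path, posted)
    # Fixed size: one letter and one million letters give digests of equal length.
    results["digest_len_short"] = len(digest_hex(b"a"))
    results["digest_len_long"] = len(digest_hex(b"a" * 1_000_000))
    # Unique: changing one letter changes many of the 256 digest bits.
    results["sunday_bits_changed"] = differing_bits(b"Sunday", b"sunday")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A match only shows that the file equals whatever the posted digest describes, so the check is as trustworthy as the channel the posted digest arrived over.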
Asymmetric cryptography also can be used to provide proof of the sender’s identity and that the data has not been intercepted or altered. Suppose that Alice receives an encrypted document that says it came from Bob. Although Alice can be sure that the encrypted message was not viewed or altered by someone else while being transmitted, how can she know for certain that Bob was actually the sender? Because Alice’s public key is widely available, anyone could use it to encrypt the document. Another individual could have created a fictitious document, encrypted it with Alice’s public key, and then sent it to Alice while pretending to be Bob. Alice’s key can verify that no one read or changed the document in transport, but it cannot verify the sender.

Proof can be provided with asymmetric cryptography, however, by creating a digital signature, which is an electronic verification of the sender.

A handwritten signature on a paper document serves as proof that the signer has read and agreed to the document. A digital signature is much the same but can provide additional benefits.

A digital signature can:

• Verify the sender. A digital signature serves to confirm the identity of the person from whom the electronic message originated.
• Prevent the sender from disowning the message. The signer cannot later attempt to disown it by claiming the signature was forged (nonrepudiation).
• Prove the integrity of the message.
A digital signature can prove that the message has not been altered since it was signed.

The basis for a digital signature rests on the ability of asymmetric keys to work in both directions (a public key can encrypt a document that can be decrypted with a private key, and the private key can encrypt a document that can be decrypted by the public key).

The steps for Bob to send a digitally signed message to Alice are:

1. After creating a memo, Bob generates a digest on it.
2. Bob then encrypts the digest with his private key. This encrypted digest is the digital signature for the memo.
3. Bob sends both the memo and the digital signature to Alice.
4. When Alice receives them, she decrypts the digital signature using Bob’s public key, revealing the digest. If she cannot decrypt the digital signature, then she knows that it did not come from Bob (because only Bob’s public key is able to decrypt the digest generated with his private key).
5. Alice then hashes the memo with the same hash algorithm Bob used and compares the result to the digest she received from Bob. If they are equal, Alice can be confident that the message has not changed since he signed it. If the digests are not equal, Alice will know the message has changed since it was signed.

These steps are illustrated in Figure 6-6.

Using a digital signature does not encrypt the message itself. In the example, if Bob wanted to ensure the privacy of the message, he also would have to encrypt it using Alice’s public key.

Public and private keys may result in confusion regarding whose key to use and which key should be used. Table 6-3 lists the practices to be followed when using asymmetric cryptography.

Figure 6-6 Digital signature

Table 6-3 Asymmetric cryptography practices

Action | Whose key to use | Which key to use | Explanation
Bob wants to send Alice an encrypted message | Alice’s key | Public key | When an encrypted message is to be sent, the recipient’s, and not the sender’s, key is used.
Alice wants to read an encrypted message sent by Bob | Alice’s key | Private key | An encrypted message can be read only by using the recipient’s private key.
Bob wants to send a copy to himself of the encrypted message that he sent to Alice | Bob’s key | Public key to encrypt, private key to decrypt | An encrypted message can be read only by the recipient’s private key. Bob would need to encrypt it with his public key and then use his private key to decrypt it.
Bob receives an encrypted reply message from Alice | Bob’s key | Private key | The recipient’s private key is used to decrypt received messages.
Bob wants Susan to read Alice’s reply message that he received | Susan’s key | Public key | The message should be encrypted with Susan’s key for her to decrypt and read with her private key.
Bob wants to send Alice a message with a digital signature | Bob’s key | Private key | Bob’s private key is used to encrypt the hash.
Alice wants to see Bob’s digital signature | Bob’s key | Public key | Because Bob’s public and private keys work in both directions, Alice can use his public key to decrypt the hash.

No user other than the owner should ever have the private key.

Using Cryptography

Cryptography should be used to secure any and all data that needs to be protected. This includes individual files, databases, removable media, or data on mobile devices. Cryptography can be applied through either software or hardware.

Encryption through Software

Encryption can be implemented through cryptographic software running on a desktop computer, laptop, tablet, or smartphone. There are three different methods for encryption through software:

• Individual files. One means for encrypting through software is to encrypt or decrypt files one-by-one. However, this can be a cumbersome process if many files need to be encrypted.
• File system. Instead of protecting individual files, entire groups of files, such as all files in a specific folder, can be encrypted by taking advantage of the operating system’s file system. A file system is a method used by operating systems to store, retrieve, and organize files.
• Whole disk encryption. Software encryption also can be performed on a larger scale to entire disks. This is known as whole disk encryption and protects all data on a hard drive.
In addition to protecting individual files and folders, whole disk encryption prevents attackers from accessing data by booting from another operating system or stealing the hard drive and then placing it in another computer.

Hardware Encryption

Software encryption suffers from the same fate as any application program: it can be subject to attacks to exploit its vulnerabilities. As another option, cryptography can be embedded in hardware to provide an even higher degree of security. Hardware encryption cannot be exploited like software encryption.

Many instances of private data falling into the hands of unauthorized personnel are the result of USB flash drives being lost or stolen. Although this data can be secured with software-based cryptographic application programs, vulnerabilities in these programs can open the door for attackers to access the data. As an alternative, encrypted hardware-based USB devices like flash drives can be used to prevent these types of attacks. These drives, like the Apricorn Aegis Secure Key shown in Figure 6-7, resemble standard USB flash drives, with several significant differences:

• Encrypted hardware-based USB drives will not connect to a computer until the correct password has been provided.
• All data copied to the USB flash drive is automatically encrypted.
• The external cases are designed to be tamper-resistant, so attackers cannot disassemble the drives.
• Administrators can remotely control and track activity on the devices.
• Compromised or stolen drives can be remotely disabled.

Figure 6-7 Apricorn Aegis Secure Key USB encrypted drive (Source: Apricorn Co.)

One hardware-based USB encrypted drive allows administrators to remotely prohibit accessing the data on a device until it can verify its status, to lock out the user completely the next time the device connects, or even to instruct the drive to initiate a self-destruct sequence to destroy all data.

Just as an encrypted hardware-based USB flash drive will automatically encrypt any data stored on it, self-encrypting hard disk drives (HDDs) can protect all files stored on them. When the computer or other device with a self-encrypting HDD is initially powered up, the drive and the host device perform an authentication process. If the authentication process fails, the drive can be configured to simply deny any access to the drive or even perform a “cryptographic erase” on specified blocks of data (a cryptographic erase deletes the decryption keys so that all data is permanently encrypted and unreadable). This also makes it impossible to install the drive on another computer to read its contents.

Self-encrypting HDDs are commonly found in copiers and multifunction printers as well as point-of-sale systems used in government, financial, and medical environments.
Digital Certificates

A digital certificate is a technology used to associate a user’s identity to a public key and that has been “digitally signed” by a trusted third party. This third party verifies the owner and that the public key belongs to that owner.

When Bob sends a message to Alice, he does not ask her to retrieve his public key from a central site; instead, Bob attaches the digital certificate to the message. When Alice receives the message with the digital certificate, she can check the signature of the trusted third party on the certificate. If the signature was signed by a party that she trusts, then Alice can safely assume that the public key contained in the digital certificate is actually from Bob. Digital certificates make it possible for Alice to verify Bob’s claim that the key belongs to him and prevent an attack that impersonates the owner of the public key.

One type of digital certificate is server digital certificates that are often issued from a web server to a user’s client computer. Server digital certificates perform two functions. First, they can ensure the authenticity of the web server. Server digital certificates enable clients connecting to the web server to examine the identity of the server’s owner. A user who connects to a website that has a server digital certificate issued by a trusted third party can be confident that the data transmitted to the server is used only by the person or organization identified by the certificate.

Second, server digital certificates can ensure the authenticity of the cryptographic connection to the web server. Sensitive connections to web servers, such as when a user needs to enter a credit card number to pay for an online purchase, need to be protected. Web servers can set up secure cryptographic connections so that all transmitted data is encrypted by providing the server’s public key with a digital certificate to the client.
This handshake between web browser and web server is illustrated in Figure 6-8:

1. The web browser sends a message (“ClientHello”) to the server that contains information including the list of cryptographic algorithms that the client supports.
2. The web server responds (“ServerHello”) by indicating which cryptographic algorithm will be used. It then sends the server digital certificate to the browser.
3. The web browser verifies the server certificate (such as making sure it has not expired) and extracts the server’s public key. The browser generates a random value (called the pre-master secret), encrypts it with the server’s public key, and sends it back to the server (“ClientKeyExchange”).
4. The server decrypts the message and obtains the browser’s pre-master secret. Because both the browser and server now have the same pre-master secret, they can each create the same master secret. The master secret is used to create session keys, which are symmetric keys to encrypt and decrypt information exchanged during the session and to verify its integrity.

Figure 6-8 Server digital certificate handshake
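The five signing steps for Bob and Alice, the trusted third party's signature on a certificate, and handshake steps 3 and 4 above, modeled together as an added example (not code from the textbook). It assumes textbook RSA without padding on publicly known Mersenne primes, SHA-256 as the hash, a hypothetical host name shop.example, constructed dates, and a simplified session-key derivation, so it shows the logic only and is not suitable for protecting real data.

```python
import datetime
import hashlib
import hmac
import secrets

E = 65537  # public exponent used by every toy key here


def make_keypair(k1, k2):
    """Toy RSA key pair from the publicly known Mersenne primes 2**k1 - 1 and 2**k2 - 1."""
    p, q = 2**k1 - 1, 2**k2 - 1
    d = pow(E, -1, (p - 1) * (q - 1))                  # private exponent
    return {"n": p * q, "e": E}, {"n": p * q, "d": d}  # (public key, private key)


def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Signing steps 1-2: hash the data, then transform the digest with the private key."""
    return pow(digest_int(data), private["d"], private["n"])


def verify(public, data, signature):
    """Signing steps 4-5: recover the digest with the public key, compare with a fresh hash."""
    return pow(signature, public["e"], public["n"]) == digest_int(data)


def cert_body(subject, public, not_after):
    return f"{subject}|{public['n']}|{public['e']}|{not_after}".encode()


def issue_certificate(ca_private, subject, public, not_after):
    """The trusted third party signs the binding of an identity to a public key."""
    return {"subject": subject, "public": public, "not_after": not_after,
            "signature": sign(ca_private, cert_body(subject, public, not_after))}


def check_certificate(ca_public, cert, expected_subject, today):
    """Browser-side check: expected name, not expired, signed by the trusted third party."""
    body = cert_body(cert["subject"], cert["public"], cert["not_after"])
    return (cert["subject"] == expected_subject
            and today <= datetime.date.fromisoformat(cert["not_after"])
            and verify(ca_public, body, cert["signature"]))


def session_key(pre_master):
    """Simplified stand-in for deriving the master secret and a session key."""
    return hmac.new(pre_master.to_bytes(32, "big"), b"session key", hashlib.sha256).digest()


def handshake(ca_public, cert, server_private, hostname, today):
    """Handshake steps 3-4: returns the session key as computed by browser and by server."""
    if not check_certificate(ca_public, cert, hostname, today):
        raise ValueError("server certificate rejected")
    pre_master = secrets.randbits(256)                                  # browser's random value
    sent = pow(pre_master, cert["public"]["e"], cert["public"]["n"])    # ClientKeyExchange
    recovered = pow(sent, server_private["d"], server_private["n"])     # server decrypts
    return session_key(pre_master), session_key(recovered)


def demo():
    bob_public, bob_private = make_keypair(521, 607)
    ca_public, ca_private = make_keypair(1279, 2203)           # trusted third party
    server_public, server_private = make_keypair(2281, 3217)   # web server
    memo = b"Confidential Memo: Layoffs at the Lakeview store will begin..."
    signature = sign(bob_private, memo)
    today = datetime.date(2017, 6, 1)                          # constructed date
    cert = issue_certificate(ca_private, "shop.example", server_public, "2018-06-01")
    swapped = dict(cert, public=bob_public)                    # same certificate, substituted key
    browser_key, server_key = handshake(ca_public, cert, server_private, "shop.example", today)
    return {
        "signature_ok": verify(bob_public, memo, signature),
        "altered_memo_ok": verify(bob_public, memo + b" (edited)", signature),
        "other_signer_ok": verify(bob_public, memo, sign(ca_private, memo)),
        "certificate_ok": check_certificate(ca_public, cert, "shop.example", today),
        "swapped_key_ok": check_certificate(ca_public, swapped, "shop.example", today),
        "expired_ok": check_certificate(ca_public, cert, "shop.example",
                                        datetime.date(2019, 1, 1)),
        "session_keys_match": browser_key == server_key,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the first, fourth and last results are true: an edited memo, a signature made with a different private key, a certificate whose key was swapped, and an expired certificate are all rejected.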
Most server digital certificates combine both server authentication and secure communication between clients and servers on the web, although these functions can be separate. A server digital certificate that both verifies the existence and identity of the organization and securely encrypts communications displays two items that the user can verify. First, the URL begins with https:// instead of http://. Second, a padlock icon appears in the web browser. Clicking the padlock icon displays information about the digital certificate along with the name of the site, as shown in Figure 6-9 (Google Chrome browser).

Figure 6-9 Padlock icon and certificate information (Source: Google Chrome web browser)

An enhanced type of server digital certificate is the Extended Validation SSL Certificate (EV SSL). This type of certificate requires more extensive verification of the legitimacy of the business. In addition, web browsers can visually indicate to users that they are connected to a website that uses the higher-level EV SSL by using colors on the address bar. A web browser that accesses a site that uses EV SSL displays the address bar shaded in green along with the site’s name. The address bar displays in red if the site is known to be dangerous.
Privacy Best Practices

In order to protect important information, users should consider the following privacy best practices:

• Use encryption to protect sensitive documents that contain personal information, such as a Social Security number, driver’s license number, and bank account numbers. Store the encryption keys in a password management application.
• Be sure that strong passwords are used on all accounts that contain personal information.
• Shred financial documents and paperwork that contains personal information before discarding it.
• Do not carry a Social Security number in a wallet or write it on a check.
• Do not provide personal information either over the phone or through an email message.
• Keep personal information in a secure location in a home or apartment.
• Be cautious about what information is posted on social networking sites and who can view your information. Show “limited friends,” such as casual acquaintances or business associates, a reduced version of a profile.
• Keep only the last three months of the most recent financial statements and then shred older documents instead of tossing them in the trash or a recycling bin. For paper documents that must be retained, use a scanner to create a PDF of the document and then add a strong password to the PDF file that must be entered before it can be read.
• Install antispyware software that helps prevent computers from becoming infected by spyware.
• Use a popup blocker to stop popup advertisements from appearing.
• Control cookies through the web browser. If cookies cannot be blocked, the browser should be set to delete all cookies when the browser is closed.
• Use the private browsing option available in most browsers. When not using private browsing, delete the browsing history and clear the cache after each session.
• Review the privacy options of the web browser and turn on those features that will provide the highest level of privacy without negatively impacting the browser experience.
• Turn on Wi-Fi Protected Access 2 (WPA2) Personal on Wi-Fi networks to prevent an unauthorized person from viewing wireless transmissions (see Chapter 5).
• Give cautious consideration before giving permission to a website or app request to collect data.
• Be sure that a padlock and https appear at the beginning of a web address that asks for credit card numbers or other sensitive information. Do not provide any information if that is not present.
• Use common sense. Websites that request more personal information than would normally be expected, such as a user name and password to another account, should be avoided.

Responsibilities of Organizations

Organizations that collect users’ personal data likewise have responsibilities and obligations. These are summarized in Table 6-4, which lists actual examples of misuse by organizations, the responsible action the organization should have taken, and an explanation of the practices.

Table 6-4 Privacy responsibilities of organizations

Example of misuse | Responsible action | Explanation
During the online registration process the organization required new users to provide both their email address and the password to that email account, and then stored the information in cleartext. | Collect only necessary personal information. | Organizations should not collect any personal information unless it is absolutely necessary, and the information that is collected should be limited.
An organization collected customers’ credit and debit card information to process transactions in its retail stores but then stored that information for 30 days, long after the sale was complete. | Keep personal information only as long as necessary. | Unless there is a legitimate business need, personal information should be securely disposed of as soon as any transactions are completed.
An organization used actual personal information in employee training sessions and then failed to remove the information from employees’ computers after the training was completed. | Do not use personal information when it is not necessary. | Fictitious information should be used for any training or development purposes.
Over 7,000 files containing users’ personal information were inadvertently sent to a third party by an organization that had failed to restrict employee access to sensitive personal information. | Restrict access to sensitive information. | If employees do not need to use customers’ personal information as part of their job function, access to such information should be denied.
An organization gave all of its employees administrative control over the system, including the ability to reset user account passwords and view users’ comments. | Limit administrative access. | Administrative access, which allows a user to make system-wide changes, should be limited to employees who have that job function.
An organization stored sensitive customer information that was encrypted with a nonstandard and proprietary form of encryption, which contained several vulnerabilities. | Use industry-tested and accepted methods. | Organizations should take advantage of the “collected wisdom” of encryption algorithms that have been tested by experts over many years.
Sensitive personal information was thrown away in dumpsters, and hard drives that contained personal information were sold as surplus. | Dispose of sensitive data securely. | When paperwork or equipment containing personal information is no longer needed, it should be destroyed by shredding, burning, or pulverizing to make the data unreadable.

Exceptional Security

RESTRICT YOUR INFORMATION—Decide what information about you is personal and needs to be protected. Then do not share this information, even when asked. If information absolutely must be provided, use fictitious information. If given the option, do not sign up for a new service using your Facebook account. Review and set the privacy settings for every online service you use, and revisit those policies regularly to update them, since the services tend to change their policies frequently and without warning. Do not post photos of your children or relatives, your interests, or when you will be going on vacation on social networking sites. Opt out of mail and email direct marketing. Use the Federal Trade Commission’s Do Not Call Registry to opt out of telemarketer calls and report any violators.

PRIVATELY SURF THE WEB—Create a personal and professional online profile for browsing the web, and then use different web browsers for each persona; that is, use one browser for accessing your social media accounts and another for your professional online activities. Block all cookies. Turn on the Do Not Track option found on browsers. Use a secure browser that has strict built-in privacy controls.
Use a search engine that does not retain your search history, or use a proxy search service that resides between your browser and the popular search engines so that your search history cannot be tracked. Use https:// instead of http:// whenever possible. Sign up for a virtual private network (VPN) service. Create a “disposable” webmail account that is different from your normal account and provide it when asked to give an email address. Consider creating the webmail account using an international provider that is beyond the reach of the U.S. Patriot Act to make your data less prone to government access. Also create an online phone number that you give on demand. Delete all unused online accounts.

MANAGE YOUR MOBILE DEVICES—Use a self-destructing texting and chatting service so that no information is retained. Check with your mobile phone carrier to determine options that let you limit how it uses and shares your data. Use a strong password to protect your smartphones, tablets, and mobile devices. Configure the Find Me feature or app for mobile devices in the event that they are lost or stolen. Use a password management application on your smartphone. Turn on two-factor authentication. Do not share your mobile location information. Completely turn off Wi-Fi and Bluetooth to avoid retail tracking when shopping.

GO EXTREME—Use only cash or disposable credit card numbers when making purchases. Check your credit report every four months, rotating through the three different report providers. Put a permanent security freeze on your credit report so that no one can access it to open up new credit accounts in your name without your permission. Use a service to monitor the information that is about you on the Internet on public online databases and delete as much as possible.

Chapter Summary

■ Privacy is defined as the state or condition of being free from public attention to the degree that you determine, or the right to be left alone to the level that you choose. Prior to the current age of technology, individuals were generally able to choose the level of privacy that they desired. Today that is no longer possible, for data is collected on almost all actions and transactions that individuals perform. There are several risks associated with the use of private data.

■ Cryptography is the science of transforming information into a secure form so that unauthorized persons cannot access it. Unlike steganography, which hides the existence of data, cryptography masks the content of documents or messages so that they cannot be read or altered. The original data, called plaintext, is input into a cryptographic encryption algorithm that has a mathematical value (a key) used to create ciphertext. Because access to the key can be restricted, cryptography can provide confidentiality, integrity, availability, authenticity, and nonrepudiation.

■ Hashing creates a unique digital fingerprint called a digest that represents the contents of the original material. Hashing is not designed for encrypting material that will be later decrypted; it is used only for comparison. If a hash algorithm produces a fixed-size hash that is unique, and the original contents of the material cannot be determined from the hash, the hash is considered secure. Symmetric cryptography, also called private key cryptography, uses a single key to encrypt and decrypt a message.
Symmetric cryptographic algorithms are designed to decrypt the ciphertext. Symmetric cryptography can provide strong protections against attacks as long as the key is kept secure. Asymmetric cryptography, also known as public key cryptography, uses two keys instead of one. These keys are mathematically related and are known as the public key and the private key. The public key is widely available and can be freely distributed, while the private key is known only to the recipient of the message and must be kept secure. Asymmetric cryptography also can be used to create a digital signature, which verifies the sender, proves the integrity of the message, and prevents the sender from disowning the message.

■ Cryptography can be applied through either software or hardware. Software-based cryptography can protect individual files, groups of files, or an entire disk. Hardware encryption cannot be exploited like software cryptography. Hardware encryption devices can protect USB devices and standard hard drives.

■ There are several practical best practices that users should consider when attempting to protect their personal information. In addition, organizations that collect users’ personal data have responsibilities and obligations.

Key Terms

Definitions for key terms can be found in the Glossary for this text.

algorithm
asymmetric cryptographic algorithm
ciphertext
cleartext
cryptography
data broker
decryption
digest
digital certificate
digital signature
encryption
hash
key
nonrepudiation
plaintext
privacy
private key
private key cryptography
public key
public key cryptography
steganography
symmetric cryptographic algorithm

Review Questions

1. Each of the following is true about privacy EXCEPT:
   a. Privacy is the right to be left alone to the degree that you choose.
   b. Today individuals can achieve any level of privacy that is desired.
   c. Privacy is difficult due to the volume of data silently accumulated by technology.
   d. Privacy is freedom from attention, observation, or interference based on your decision.

2. Which of the following is not a risk associated with the use of private data?
   a. individual inconveniences and identity theft
   b. devices being infected with malware
   c. associations with groups
   d. statistical inferences

3. Which of the following is not an issue raised regarding how private data is gathered and used?
   a. The data is gathered and kept in secret.
   b. The accuracy of the data cannot be verified.
   c. By law, all encrypted data must contain a “backdoor” entry point.
   d. Informed consent is usually missing or is misunderstood.

4. _____ hides the existence of the data.
   a. Cryptography
   b. Symmetric encryption
   c. Asymmetric decryption
   d. Steganography

5. What is ciphertext?
   a. Procedures based on a mathematical formula used to encrypt and decrypt data.
   b. A mathematical value entered into an algorithm.
   c. Encrypted data.
   d. The public key of a symmetric cryptographic process.

6. Which of the following is “one-way” so that its contents cannot be used to reveal the original set of data?
   a. hash
   b. symmetric cryptography
   c. Message Digest Encryption (MDE)
   d. asymmetric cryptography

7. What is data called that is to be encrypted by inputting it into a cryptographic algorithm?
   a. ciphertext
   b. plaintext
   c. cleartext
   d. opentext

8. Which of these is NOT a basic security protection for information that cryptography can provide?
   a. risk loss
   b. authenticity
   c. integrity
   d. confidentiality

9. The areas of a file in which steganography can hide data include all of the following EXCEPT _____.
   a. data that is used to describe the content or structure of the actual data
   b. the directory structure of the file system
   c. the file header fields that describe the file
   d. areas that contain the content data itself

10. Proving that a user sent an email message is known as _____.
   a. repudiation
   b. integrity
   c. nonrepudiation
   d. availability

11. A(n) _____ is not decrypted but is only used for comparison purposes.
   a. stream
   b. digest
   c. algorithm
   d. key

12. Which of these is NOT a characteristic of a secure hash algorithm?
   a. A message cannot be produced from a predefined hash.
   b. Collisions should be rare.
   c. The results of a hash function should not be reversed.
   d. The hash should always be the same fixed size.

13. How many keys are used in asymmetric cryptography?
   a. one
   b. two
   c. three
   d. four

14. Which of these is not a method for encryption through software?
   a. encrypt individual files
   b. whole disk encryption
   c. encrypt using the file system
   d. encrypt using a separate hardware computer chip

15. If Bob wants to send a secure message to Alice using an asymmetric cryptographic algorithm, which key does he use to encrypt the message?
   a. Alice’s private key
   b. Alice’s public key
   c. Bob’s public key
   d. Bob’s private key

16. A digital signature can provide each of the following benefits EXCEPT _____.
   a. proving the integrity of the message
   b. verifying the receiver
   c. verifying the sender
   d. enforcing nonrepudiation

17. What is the most important advantage of hardware encryption over software encryption?
   a. Software encryption cannot be used on older computers.
   b. Hardware encryption is up to 10 times faster than software encryption.
   c. Software that performs encryption can be subject to attacks.
   d. There are no advantages of hardware encryption over software encryption.

18. Which of the following appears in the web browser when you are connected to a secure website that is using a digital certificate?
   a. //
   b. wrench
   c. padlock
   d. a yellow warning message

19. Which of the following is NOT a privacy best practice?
   a. Use the private browsing option in your web browser.
   b. Shred financial documents and paperwork that contains personal information before discarding it.
   c. Use strong passwords on all accounts that contain personal information.
   d. Carry your Social Security number with you so that it cannot be stolen you are not home.

20. Each of these is a responsibility of an organization regarding user private data EXCEPT:
   a. Collect only necessary personal information.
   b. Use industry-tested and accepted methods.
   c. Keep personal information for no longer than 365 days.
   d. Do not use personal information when it is not necessary.

Hands-On Projects

Project 6-1: Using OpenPuff Steganography

Unlike cryptography that scrambles a message so that it cannot be viewed, steganography hides the existence of the data. In this project, you will use OpenPuff to create a hidden message.

1. Use your web browser to go to embeddedsw.net/OpenPuff_Steganography_Home.html (if you are no longer able to access the site through the web address, use a search engine to search for “OpenPuff”).
2. Click Source Page and then click Manual to open the OpenPuff manual. Save this file to your computer. Read through the manual to see the different features available.
3. Click your browser’s back button to return to the home page.
4. Click OpenPuff to download the program.
5. Navigate to the location of the download and uncompress the Zip file on your computer.
6. Now create a carrier file that will contain the hidden message. Open a Windows search box and enter Snipping Tool.
   Note: For added security, OpenPuff allows a message to be spread across several carrier files.
7. Launch Snipping Tool.
8. Click the New menu arrow, then click Window Snip.
9. Capture the image of one of the pages of the OpenPuff manual. Click File and Save As.
Enter Carrier1.png and save to a location such as the desktop.
10. Now create the secret message to be hidden. Create a new Word file and enter This is a secret message.
11. Save this file as Message.docx.
12. Exit Word.
13. Create a Zip file from Message. Navigate to the location of this file through Windows Explorer and click the right mouse button.
14. Click Send to and select Compressed (zipped) folder to create the Zip file.
15. Navigate to the OpenPuff directory and double-click OpenPuff.exe.
16. Click Hide in the Steganography section. Under Bit selection options, note the wide variety of file types that can be used to hide a message.
17. Under (1), create three unrelated passwords and enter them into Cryptography (A), (B), and (C).
18. Under (2), locate the message to be hidden. Click Browse and navigate to the file Message.zip. Click Open.
19. Under (3), select the carrier file. Click Add and navigate to Carrier1.png and click Open as shown in Figure 6-10.

    Figure 6-10 OpenPuff. Source: EmbeddedSW.net

20. Click Hide Data!
21. Navigate to a different location than that of the carrier files and click OK. Click Done in the Task Report window.
22. After the processing is completed, navigate to the location of the carrier file that contains the message and open the file. Can you detect anything different with the file now that it contains the message?
23. Now uncover the message. Close the OpenPuff Data Hiding screen to return to the main menu.
24. Click Unhide.
25. Enter the three passwords.
26. Click Add Carriers and navigate to the location of Carrier1 that contains the hidden message and click Open.
27. Click Unhide! and navigate to a location to deposit the hidden message. When it has finished processing click OK.
28. Click Done after reading the report.
29. Go to that location and you will see Message.zip.
30. Close OpenPuff and close all windows.

Project 6-2: Viewing Digital Certificates

In this project, you will view digital certificate information using a Google Chrome web browser.

1. Use your web browser to go to www.google.com.
2. Note that although you did not enter https://, nevertheless Google created a secure connection. Why would it do that? What are the advantages?
3. Click the padlock icon in the browser address bar.
4. In the Permissions tab, under Cookies and site data, how many cookies are allowed from this site? Why?
5. Under Permissions, are there any permissions that have been restricted?
6. Click the Connection tab.
7. Read the information about the identity of this website.
8. Click the Certificate information link.
9. Note the general information displayed under the General tab.
10. Now click the Details tab.
11. Click Valid to to view the expiration date of this certificate.
12. Click Public key to view the public key associated with this digital certificate. Why is this site not concerned with distributing this key? How does embedding the public key in a digital certificate protect it from impersonators?
13. Click the Certification Path tab. Because web certificates are based on the distributed trust model, there is a “path” to the root certificate. Click the root certificate and click the View Certificate button. Click the Details tab and then click Valid to. Notice that the expiration date of this root certificate (belonging to the third-party verifier) is longer than that of the website certificate (provided to the website). Click OK and then click OK again to close the Certificate window.
14. Now go to a website from which you have purchased items online. Does it default to https://? If not, then enter your account information to log into this site.
15. Click the padlock icon in the browser address bar and view the information about this certificate as you did above.
16. How would you explain the purpose of digital certificates to a friend? Is it easy to show someone how to determine if the certificate is valid? How could this be improved?
17. Close all windows.

Project 6-3: Installing Hash Generator and Comparing Digests

In this project, you will download a hash generator and compare the results of various hash algorithms.

1. Create a Microsoft Word document with the contents Now is the time for all good men to come to the aid of their country.
2. Save the document as CountryWithDot.docx.
3. Now remove the period at the end of the sentence and save the document as CountryWithoutDot.docx. Close the file.
4. Use your web browser to go to implbits.com/products/hashtab (if you are no longer able to access the site through the web address, use a search engine to search for “Hashtab”).
5. Click Download Now!
6. Enter an email address to receive a direct link to download the file and click Send Download Link.
7. Follow the default instructions to install Hash Tab.
8. Navigate to the document CountryWithDot.docx.
9. Click once on CountryWithDot.docx and then right-click.
10. Click Properties.
11. Notice that there is a new tab, File Hashes. Click this tab to display the digests for this file.
12. Click Settings.
13. Click the Select All button.
14. Click OK.
15. Scroll through the different digests generated.
16. Click Compare a file.
17. Navigate to the file CountryWithoutDot.docx and then click Open.
18. A digest is generated on this file. What tells you that the digests are not the same? Note that the only difference between the two files is a single period. How different are the digests based on a single period?
19. Close all windows.

Project 6-4: Using a Secure Email Addition

Basic email lacks many privacy features. However, additions are available that allow users to encrypt and control emails. In this project, you will download and install a secure email addition to a Google Gmail account.

1. Use your Google Chrome web browser to go to criptext.com (if you are no longer able to access the site through the web address, use a search engine to search for “Criptext”).
2. Click Install on Gmail.
3. Click Add extension.
4. After the extension is added, your Gmail account will launch. Click Activate Now.
5. Click the Allow button in the Request for Permission box.
6. Click Compose to create a new email message.
7. Click the Enable box to turn on Criptext.
8. Send an email message to another email account.
9. Click Send Securely to encrypt the email and send it.
10. Access the second email account and read the message.
11. Click the Email Activity button in Gmail. What does it show?
12. Now recall the message. Click the UNSEND button next to this message. What happens to the message?
13. Click Compose to send another message. Create an email message but this time click the timer icon. When the Set expiration time dialog box appears, set the time at 1 minute. Click Set.
14. Click Send Securely.
15. When the email arrives, open it and read the message.
16. After one minute, what happens to the email message?
17. Close all windows.

Case Projects

Case Project 6-1: Microsoft Windows 10 Privacy

With the introduction of Microsoft Windows 10, Microsoft by default gathers information about user preferences. For example, Windows 10 assigns an advertising ID to users and then uses it to deliver customized ads and information. This has caused alarm among some users regarding intrusion into their privacy. Using the Internet, research the information gathered through Windows 10. What are the advantages of this data collection? What are the disadvantages? Is this any different from how other operating systems and websites gather information? Should Microsoft be more upfront about the collection of this data? Is there a way to turn the data collection off? If so, how is it done? Should it be easier to turn it off for users who do not want their data collected? Write a one-page paper on your research and opinions.

Case Project 6-2: Information Security Community Site Activity

The Information Security Community Site is an online companion to this textbook.
It contains a wide variety of tools, information, discussion boards, and other features to assist learners. Go to community.cengage.com/infosec. Sign in with the login name and password that you created in Chapter 1. How do you feel about the NSA gathering data on American citizens? Is it a serious intrusion on privacy? Or is it a practical protection in the world today in order to keep the nation safe? Should there be laws in place to prevent this? Record your responses on the Community Site discussion board.

Additional Case Projects for this chapter are available through the MindTap online learning environment.

Glossary

access point (AP): A more sophisticated device used in an office setting instead of a wireless router.
accounting: The ability that provides tracking of events.
add-on: Web browser addition that adds functionality to the entire web browser.
adware: A software program that delivers advertising content in a manner that is unexpected and unwanted by the user.
algorithm: Procedures based on a mathematical formula used to encrypt and decrypt the data.
Android: The Google operating system for mobile devices that is not proprietary but is entirely open for anyone to use or even modify.
antispyware: Software that helps prevent computers from becoming infected by different types of spyware.
antivirus (AV): Software that examines a computer for any infections as well as monitors computer activity and scans new documents that might contain a virus.
arbitrary code execution: A malware payload that allows an attacker to execute virtually any command on the victim’s computer.
asset: An item that has value.
asymmetric cryptographic algorithm: Cryptography that uses two mathematically related keys.
attachment: File, such as a word processing document, spreadsheet, or picture, that is attached to an email message.
authentication: The steps that ensure that the individual is who he or she claims to be; the process of providing proof of genuineness.
authorization: The act of providing permission or approval to technology resources.
availability: Security actions that ensure that data is accessible to authorized users.
backdoor: Software code that gives access to a program or a service that circumvents normal security protections.
blacklist: A list of senders from whom the user does not want to receive any email.
bluejacking: An attack that sends unsolicited messages to Bluetooth-enabled devices.
bluesnarfing: An attack that accesses unauthorized information from a wireless device through a Bluetooth connection.
Bluetooth: A short-range wireless technology designed for quickly interconnecting devices.
bot herder: An attacker who controls a botnet.
botnet: A logical computer network of zombies under the control of an attacker.
broker: Attacker who sells knowledge of a vulnerability to other attackers or governments.
browser: A program for displaying webpages.
brute force attack: A password attack in which every possible combination of letters, numbers, and characters is used to match passwords in a stolen password file.
ciphertext: Data that has been encrypted.
cleartext: Unencrypted data.
computer virus (virus): Malicious computer code that, like its biological counterpart, reproduces itself on the same computer.
confidentiality: Security actions that ensure that only authorized parties can view the information.
cookie: A file created by a web server and stored on the local computer that contains the user’s preferences and other information.
cryptography: The science of transforming information into a secure form so that unauthorized persons cannot access it.
cybercrime: Targeted attacks against financial networks, unauthorized access to information, and the theft of personal information.
cybercriminal: Individual who participates in a network of attackers, identity thieves, spammers, and financial fraudsters.
cyberterrorism: A premeditated, politically motivated attack against information, computer systems, computer programs, and data, which often results in violence.
cyberterrorist: Attacker whose motivation may be defined as ideological, or attacking for the sake of principles or beliefs.
data backup: A copy of files from a computer’s hard drive saved on other digital media that is stored in a secure location.
data broker: Organization that aggregates user data and then sells it to interested third parties.
decryption: The process of changing ciphertext into plaintext.
dictionary attack: A password attack that compares common dictionary words against those in a stolen password file.
digest: The unique digital fingerprint created by a one-way hash algorithm.
digital certificate: A technology used to associate a user’s identity to a public key and that has been “digitally signed” by a trusted third party.
digital signature: An electronic verification of the sender.
drive-by download: An attack that results from a user visiting a specially crafted malicious webpage.
dumpster diving: Digging through trash receptacles to find information that can be useful in an attack.
embedded hyperlink: Link contained within the body of the message as a shortcut to a website.
encryption: The process of changing plaintext into ciphertext.
evil twin: An AP or another computer that is set up by an attacker designed to mimic the authorized Wi-Fi device.
exploit kit: Automated attack package that can be used without an advanced knowledge of computers.
extension: Web browser addition that expands the normal capabilities of a web browser for a specific webpage.
Fair and Accurate Credit Transactions Act (FACTA) of 2003: A U.S. law that contains rules regarding consumer privacy.
feature update: Enhancements to the software to provide new or expanded functionality, but do not address security vulnerability.
firewall: Hardware or software designed to limit the spread of malware.
first-party cookie: A cookie that is created from the website that a user is currently viewing.
Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires banks and financial institutions to alert customers of their policies and practices in disclosing customer information.
hactivist: Attacker who attacks for ideological reasons that are generally not as well defined as a cyberterrorist’s motivation.
hash: An algorithm that creates a unique digital fingerprint.
Health Insurance Portability and Accountability Act (HIPAA): A U.S. law designed to guard protected health information and implement policies and procedures to safeguard it.
hoax: A false warning intended to trick a user into performing an action that will compromise security.
HTML5: The most recent version of HTML that standardizes sound and video formats.
Hypertext Markup Language (HTML): A language that allows web authors to combine text, graphic images, audio, and video into a single document.
Hypertext Transfer Protocol (HTTP): A subset of a larger set of standards for Internet transmission.
identity theft: Stealing another person’s personal information, such as a Social Security number, and then using the information to impersonate the victim, generally for financial gain.
image spam: Spam that uses graphical images of text in order to circumvent text-based filters.
IMAP (Internet Mail Access Protocol): A more recent and advanced email protocol.
information security: The tasks of protecting the integrity, confidentiality, and availability of information on the devices that store, manipulate, and transmit the information through products, people, and procedures.
insiders: Employees, contractors, and business partners who can be responsible for an attack.
iOS: The operating system developed by Apple for its mobile devices, using a closed and proprietary architecture.
jailbreaking: Removing the built-in limitations and protections on Apple iOS devices.
Java: A complete programming language that can be used to create stand-alone applications.
JavaScript: A popular scripting code that is embedded within HTML documents.
key: A mathematical value entered into a cryptographic algorithm to produce encrypted data.
keylogger: Software or a hardware device that captures and stores each keystroke that a user types on the computer’s keyboard.
locally shared object (LSO): A special type of cookie that can store more complex data, also called a Flash cookie.
location services: Services that can identify the location of a person carrying a mobile device, or a specific store or restaurant.
lock screen: Technology that prevents a mobile device from being used until the user enters the correct passcode, such as a PIN, password, swipe pattern on the screen, or a fingerprint touch ID.
logic bomb: Computer code that lies dormant until it is triggered by a specific logical event.
Institute of Electrical and Electronics malvertising Attacks that are based on mali- cious code sent through third-party advertising Engineers (IEEE) The most widely known networks so that malware is distributed through and influential organization in the field of ads sent to users’ web browsers. computer networking and wireless communications. The IEEE sets wireless malware Software that enters a computer system networking standards. without the user’s knowledge or consent and then performs an unwanted and usually harmful integrity Security actions that ensure that the action. information is correct and no unauthorized person or malicious software has altered the network firewall A hardware device that is data. located at the “edge” of the network as the first line of defense defending the network and devices Internet A global network that allows devices connected to it. connected to it to exchange information. Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 220 Glossary nonrepudiation The process of proving that a privacy The state or condition of being free from user performed an action. public attention to the degree that the user chooses. password A secret combination of letters, num- bers, and/or symbols that serves to authenticate a private key An asymmetric encryption key that user by what he or she knows. does have to be protected. 
password manager One of several types of private key cryptography Cryptographic algo- tools for securing passwords, including password rithms that use a single key to encrypt and generators, online vaults, and password manage- decrypt a message. ment applications. Protected View A Microsoft Office function patch A publicly released software security that automatically opens documents attached to update intended to repair a vulnerability. emails in a read-only mode that disables editing functions. Payment Card Industry Data Security Stan- public key An asymmetric encryption key that dard (PCI DSS) A set of security standards that does not have to be protected. all U.S. companies processing, storing, or transmitting credit card information must public key cryptography Cryptography that follow. uses two mathematically related keys. personal firewall Software that runs as a ransomware Malware that prevents a user’s program on the local computer to block or device from properly operating until a fee is paid. filter traffic coming into and out of the computer. reading pane An email client feature that allows the user to read an email message without actu- phishing Sending an email or displaying a web ally opening it. announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the remote code execution Malware that can trig- user into surrendering private information. ger arbitrary code execution from one computer to a second computer over a network or the plaintext Cleartext data that is to be encrypted Internet. and decrypted by a cryptographic algorithm. remote wiping The ability to remotely erase plug-in A web browser addition that adds new data stored on a mobile device. functionality to the web browser so that users can play music, view videos, or display special risk A situation that involves exposure to danger. graphical images within the browser that nor- mally it could not play or display. 
rooting Removing the built-in limitations and protections on Google Android devices. popup blocker A separate program or a feature incorporated within a browser that stops popup rootkit A set of software tools used by an advertisements from appearing. attacker to hide the actions or presence of other types of malicious software. Post Office Protocol (POP) An earlier email protocol for handling incoming mail. Sarbanes-Oxley Act (Sarbox) A U.S. law designed to fight corporate corruption. pretexting Creating an invented scenario to persuade the victim to perform an action or pro- script kiddie Individual who lacks advanced vide confidential information. knowledge of computers and networks and so Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Glossary 221 uses downloaded automated attack software to symmetric cryptographic algorithm Encryp- attack information systems. tion that uses a single key to encrypt and decrypt a message. service pack Software that is a cumulative package of all patches and feature updates. tablet Portable computing device that is gener- ally larger than a smartphone and smaller than a shoulder surfing Viewing information that is laptop, and is focused on ease of use. entered by another person. third-party cookie A cookie that is created by a sideloading Downloading an app from an third party other than the main website that is unofficial third-party website. being viewed. signature file A database of viruses that is used threat A type of action that has the potential to to identify an infected file. cause harm. 
Simple Mail Transfer Protocol (SMTP) An ear- threat agent A person or element that has the lier protocol for email that handles outgoing mail. power to carry out a threat. smartphone A cellular phone that has an oper- threat likelihood The probability that a threat ating system that allows it to run apps and access will actually occur. the Internet. threat vector The means by which an attack social engineering A means of gathering infor- could occur. mation for an attack by relying on the weak- nesses of individuals. Transmission Control Protocol/Internet social networking Grouping individuals and Protocol (TCP/IP) The standards for Internet organizations into clusters based on an transmissions. affiliation. Trojan horse (Trojan) An executable program spam Unsolicited email. that is advertised as performing one activity but which actually performs a malicious activity. spam filter Software that inspects email mes- sages to identify and stop spam. typo squatting Redirecting a user to a fictitious website based on a misspelling of the URL. spear phishing A phishing attack that targets only specific users. User Account Control (UAC) A Microsoft Win- dows function that provides information to users spyware A general term used to describe soft- and obtains their approval before a program can ware that spies on users by gathering informa- make a change to the computer’s settings. tion without consent. username A unique name used for identification state-sponsored attacker Attacker commis- in a computer system or website. sioned by governments to attack enemies’ information. virtual private network (VPN) A technology that uses an unsecured public network, such as steganography Hiding the existence of data the Internet, as if it were a secure private net- within another type of file. work, by encrypting data transmissions. strong password A long and complex vishing A phishing attack in which the attacker password. calls the victim on the telephone. 
Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. 222 Glossary vulnerability A flaw or weakness that allows a Wi-Fi Protected Setup (WPS) A simplified and threat agent to bypass security. optional method for configuring WPA2 Personal wireless security, but has security war driving Searching for wireless signals from weaknesses. an automobile or on foot using a portable com- puting device. wireless client network interface card weak password A password that can easily be adapter A device that allows a mobile device to broken and compromises security. send and receive wireless signals. wearable technology A new class of mobile wireless local area network (WLAN) The tech- technology consisting of devices that can be worn nical name for a Wi-Fi network. by the user instead of carried. wireless router A device used for a home-based whaling A phishing attack that targets wealthy Wi-Fi network that combines several network- individuals, who typically would have larger ing technologies. sums of money in a bank account that an attacker could access. World Wide Web (WWW) A network composed of Internet server computers on networks that whitelist A list of senders from whom the user will provide online information in a specific format, accept email. commonly known as the web. Wi-Fi (wireless fidelity) A wireless data net- worm A malicious program designed to enter a work that is designed to provide high-speed data computer via a network to take advantage of a connections for mobile devices. vulnerability in an application or an operating system. 
Wi-Fi Protected Access 2 (WPA2) Personal A security setting that provides the optimum level zombie An infected computer that is under the of wireless security. remote control of an attacker. Copyright 2017 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part. Due to electronic rights, some third party content may be suppressed from the eBook and/or eChapter(s). Editorial review has deemed that any suppressed content does not materially affect the overall learning experience. Cengage Learning reserves the right to remove additional content at any time if subsequent rights restrictions require it. Index IAndexIndex insiders, 22 Bluetooth, 155–156 script kiddies, 21 configuring, 167 accessing untrusted content state-sponsored, 23 enabled devices, 156 in mobile devices, 161–162 types, 23 pairings, 156 attacks product, 155 access point (AP), 154 authentication, 40 undiscoverable, 167 accounting, 12 brute force, 43 add-ons, 122–123 cost of, 18 boomer barons, 188 ad hoc network, 166 dictionary, 43–44 bot herder, 89 administrator account, 98 difficulties in defending botnet, 89–90 adware, 86 algorithm against, 7–8, 9 attacks generated through, 90 mobile, 151–162 uses of, 90 asymmetric cryptographic, on mobile devices, 156 brokers, 21–22 195–198 on passwords, 42–44 browser, 117 phishing, 46–48 additions, 123 cryptographic, 191 recognizing phishing, 57 displaying HTML code, 118 hash, 42, 193 recovering from, 101 test security, 142–143 symmetric cryptographic, skills needed for creating, 21 browser-based password stealing data via, 39 194–195 through wireless networks, 151 management program, allowed senders, 133 today’s, 4–6 69–70 android operating system, 160 tools menu, 8 browser vulnerabilities, 120 annual credit report, 71–72 using malware, 77–90 brute force attack, 43 antispyware, 97 using social engineering, antivirus (AV) software, 96 C 44–46 program settings, 96 on Wi-Fi, 154–155 candidates, 43 test, 110–111 


Which feature of cryptography is used to prove a user's identity and prevent an individual from fraudulently reneging on an action?

Authentication: The process of proving one's identity. Integrity: Assuring the receiver that the received message has not been altered in any way from the original. Non-repudiation: A mechanism to prove that the sender really sent this message.

Which feature of cryptography is used to prove a user's identity?

Asymmetric encryption can be used to prove identity, authentication, non-repudiation, and key agreement and exchange.

Which encryption method in BitLocker prevents attackers from accessing data by booting from another OS or placing the hard drive in another computer?

BitLocker Device Encryption uses the XTS-AES 128-bit encryption method.

What is a jump box used for?

To facilitate outside connections to segmented parts of the network, admins sometimes designate a specially configured machine called a "jump box" or "jump server." As the name suggests, these computers serve as jumping-off points for external users to access protected parts of the network.
