Professional Documents
Culture Documents
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmit-
ted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented,
including photocopying, microfilming, and recording, or in any information storage or retrieval system,
without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.
com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
Preface, xv
About the Authors, xxiii
v
vi ◾ Contents
GLOSSARY, 307
APPROACH
Traditional computer security books educate readers about a multitude of
topics, ranging from secure programming practices, protocols, and algo-
rithm designs to cryptography and ethics. These books typically focus on
the implementation or theory of security controls and mechanisms at the
application, operating system, network, and physical layers. Breaking this
traditional model, Computer Security Literacy: Staying Safe in a Digital
World instead seeks to educate the reader at the user layer and focuses on
practical topics that one is likely to encounter on a regular basis. It has long
been recognized that the user is in fact the weakest link in the security
chain. So, why not effect change by providing practical and relevant edu-
cation for the normal user of information technology? As it turns out, we,
the users, often have the greatest impact on the security of our computer
and information as a result of the actions that we do or do not perform.
This text provides practical security education to give the context to make
sound security decisions. The outcomes of this book will enable readers to
• Discuss current event topics and read security articles in the popu-
lar press
• Assess computing actions in the context of security
current events are used to provide tangible evidence regarding the func-
tion and impact of security in everyday life.
Computer security education need not be made exclusive to technical
audiences. If abstracted correctly, it is our belief that practical security
education can be made accessible to readers of all technological back-
grounds. As it turns out, we all perform the same basic routines on our
computers and the Internet each day. During an average day, people use
passwords, connect to the Internet on an unsecure wireless connection,
share media via external devices, receive suspicious emails, surf the web,
share information via social networking, and much, much more. Each of
these actions involves a potential risk and can result in consequences with
malicious intent. However, the understanding of these risks and corre-
sponding defensive strategies is not as complicated as you would think
and does not require an engineering degree as a prerequisite to gain work-
ing knowledge. While defensive security measures like antivirus software,
firewalls, and software patches have been around for quite sometime, we
truly believe that practical security education—the content found in this
book—is the future of innovation in computer security.
ORGANIZATION
The content of this text is presented in a logical progression of topics that
allows for a foundation to be constructed and context to be built on as the
reader progresses through the chapters. The organization of the book is as
follows:
the many threats that plague the common uses of email are dis-
cussed, and mitigation strategies are presented.
• Chapter 5 focuses on all the different ways that malware infects a
computer and what malware does once it infects a computer.
• Chapter 6 supplements Chapter 5 by providing a defense-in-depth
strategy to mitigate against the many malware threats that one is
likely to encounter. The defense-in-depth strategy consists of data
backup, software patches, firewalls, antivirus software, and last but
not least, user education.
• Chapter 7 deals primarily with the operation of the web browser and
how functions that afford convenience also are at odds with security
and privacy. This chapter also discusses the popular and applicable
topics of HTTPS and cookies, among other types of information
stored by web browsers.
• Chapter 8 presents the topic of online shopping by discussing com-
mon security threats and online shopping best practices, such as the
motivation why using a credit card is more secure than a debit card
when making online purchases.
• Chapter 9 explains the security vulnerabilities that wireless net-
works present. Included in this discussion is an explanation of the
differences between a secure and unsecure wireless network and the
security threats and best practices for both a user of a wireless net-
work (as typically found in a coffee shop) and as an administrator of
a home wireless network.
• Chapter 10 takes a different approach to social networking security
and privacy by focusing on the higher-level concepts as they relate
to public information sharing. A key discussion includes how infor-
mation that is found on social networking sites affects one’s job or
career prospects.
• Chapter 11 unravels the many different ways that cyber criminals
use social engineering tactics to trick their victims into revealing
personal information or installing malware on their computers.
Included in this chapter are the steps one can take to dissect a URL
(Uniform Reference Locator) and how to consider each part of the
Preface ◾ xix
TARGET AUDIENCE
This book is truly meant for anyone interested in information technology
who wants to understand better the practical aspects of computer security.
The only prerequisites that a reader needs are prior use of a computer,
web browser, and the Internet. Depending on your motivation for want-
ing to learn more about practical computer security knowledge, this book
serves many different audiences. Although originally written to provide a
xx ◾ Preface
SCREENSHOT DISCLAIMER
It should be noted that technology is constantly evolving, and as this evo-
lution takes place, the provided screen shots will likely become outdated.
Despite this challenge, we have strived to provide underlying context so
that even if the appearance of a particular screenshot changes, the expla-
nation of the core technology will remain relevant.
Website: www.dougj.net/literacy
ACKNOWLEDGMENTS
Doug Jacobson: I want to thank my wife, Gwenna, and our children,
Sarah, Jordan, and Jessica, for their support, patience, and love. And a
special thank you to Sarah for designing the art for the book cover.
Preface ◾ xxi
xxiii
Chapter 1
What Is Information
Security?
1.1 INTRODUCTION
Information security has become a common term used by many, often in
reference to a conflict between “hackers” and security professionals, or
what many see as a war of the geeks. The term information security can
have many definitions; some use it as an overarching term defining all
security-related issues with technology, while others use it as a subclas-
sification of a broader category, such as information assurance. Simply
put, information security is the process of protecting information from
threats. In the context of this book, the terms computer security, cyber
security, and information security are synonymous and can be used inter-
changeably. Information security is a broad field of study and employs a
large number of people to implement and maintain computer and data
security controls at a cost of billions of dollars per year. At first glance,
information security may seem to be too complex a topic for average peo-
ple to understand, let alone play an active role in protecting themselves
from threats. It is the goal of this book to change that perception because,
in fact, everyone who uses a computer and the Internet has a role to play
in protecting themselves and their information. Often, you, the user, play
the most significant role in protecting your own security by the decisions
you do or do not make.
1
2 ◾ Computer Security Literacy: Staying Safe in a Digital World
freely chooses to disclose his or her name, address, and credit card num-
ber in exchange for the convenience of buying an item online. While the
client cannot directly control the security of the system that processes and
stores this private information, the client does have the ability to choose
which e-commerce website he or she prefers to shop at or whether to shop
online at all. Furthermore, if the client chooses to create an account on an
e-commerce website for future use, the security of the password chosen
is also a factor controlled by the client that can contribute to the overall
security of the client’s information. This book discusses the types of pri-
vate information you should entrust to nonpersonal computers and how
to safeguard access to this information.
security, they are also at odds with convenience and over time convenience
tends to trump security.
The next five terms are used to describe methods attackers may use to
gain access to your information or to your computer system.
Vulnerability: A weakness in some aspect of a computer system that
can be used to compromise a system during an attack. Vulnerabilities can
exist in the design, the implementation, or the configuration of computers
and software. Design vulnerabilities occur when flaws in the design of
the computer or software can be used to bypass security. As illustrated in
Figure 1.1, a physical example would be if a house plan used by a developer
does not specify locks on any of the outside doors. If a thief discovered
such a flaw, the thief would then be able to break into any of the houses
sold by that developer (i.e., houses denoted with yellow x’s).
Implementation vulnerabilities exist when developers make errors
implementing software designs. Continuing with the previous physical
example in Figure 1.1, while the developer’s plans contained designs for
every house to be equipped with door locks, the locks were installed either
improperly or not at all by contractors. In such a case, instead of all homes
What Is Information Security? ◾ 7
Design Vulnerability
Implementation Vulnerability
Configuration Vulnerability
using the same plans that were vulnerable to break-ins, only those homes
built by a certain contractor would be vulnerable. Implementation vulner-
abilities in software can be difficult to find, but once discovered, they are
often easy to fix with a software patch.
Configuration vulnerabilities occur when a user either configures the
system incorrectly or uses system defaults. Continuing with the door lock
example in Figure 1.1, this would be the case when design plans were
8 ◾ Computer Security Literacy: Staying Safe in a Digital World
correct and locks were installed correctly, but the homeowner fails to lock
the door. The most common computer system configuration vulnerabili-
ties occur when the user fails to change a default password, chooses a weak
password, or elects not to use a password at all.
Exploit: An exploit is an unimplemented method or algorithm that is
able to take advantage of a vulnerability in a computer system. Using the
door lock example, an exploit might consist of knowing that if you made a
bump key—a key with no notches—it will open certain locks, but you do
not possess or know how to make the key. Therefore, an exploit is a poten-
tial threat underlying a potential attack.
Attack Code: An attack code is a program or other implementation of
an exploit used to attack a vulnerability in a computer system. An attack
code would be analogous to creating a bump key that would be able to
open vulnerable locks. Throughout the remainder of this book, the cou-
pling of an exploit and attack code is simply referred to as an exploit. The
term exploit will also be used as a verb to denote the action of an attacker
or malware when taking advantage of a vulnerability.
Attack: The actual use of attack code against a system or the exploita-
tion of a vulnerability. This is the same as using a bump key to open a
vulnerable door.
Figure 1.2 shows the chronological relationship among vulnerabilities,
exploits, attack code, and attacks. Vulnerabilities often lay dormant in
software programs for years before being discovered. Even when they are
discovered, there may not be an easy way to exploit them. The time inter-
val between when a vulnerability is discovered and an exploit is designed
can be anything from days to months or even longer. Once the exploit
has been identified, there may be a period of time before the attack code
is created. Sometimes, the exploit is discovered directly through creation
of attack code, and the time between exploit and attack code is thus zero.
Time
The time between attack code production and widespread attacks can also
vary depending on the attack code type and its distribution method.
As is often the case, attack code is made available on the Internet for
other users to download, use, modify, and improve the original design.
Attack code is like any other software that goes through a design process,
and the attack code itself may ironically have vulnerabilities that can be
exploited by other attack code. There are documented cases on the Internet
for competing versions of malware, engaged in a virtual turf war, attempt-
ing to defeat the competition’s malware by exploiting vulnerabilities in the
adversary’s software design. Therefore, even those that design and write
attack code must be sensitive to writing secure software that strives to be
free of vulnerabilities.
Zero-Day Exploit: When attack code is used to target a system before
the vulnerability or exploit is discovered or known to exist by the secu-
rity community (i.e., defenders or good guys), this action is known as a
“zero-day” exploit. Zero-day exploits are particularly dangerous because
security practitioners are often initially defenseless against such attacks.
It is a common misconception that attackers are sophisticated com-
puter programmers with a deep understanding of computers and net-
works. While there are indeed many such people creating attacks, there
are an even larger number of naïve attackers who simply use attack code
created by others. Such attackers do not need to understand the vulner-
ability, the exploit, or the code itself. They simply visit a website, download
a malicious program, and with a few clicks of the mouse, start attacking
other computer systems. The ubiquitous nature of the Internet fuels this
problem and allows naïve attacks to be easily launched against numerous
computer systems.
The next four terms deal with quantifying the likelihood that a com-
puter will be subjected to an attack and the resultant costs of such an attack.
Risk: Risk is a measure of the criticality of a situation—the likelihood
of something being attacked. Risk is based on several metrics, as sub-
sequently described. The risk of attack associated with a given situation
consists of several factors, commonly described as threats, vulnerabilities
(previously discussed), and impact.
Threat: Threat is a measure of likelihood that a computer system will
be attacked or the confidentiality of information lost. For example, a web
server placed on the public Internet may have a high probability of being
attacked, while a web server located on a private corporate network not
connected to the Internet would have a significantly lower probability
10 ◾ Computer Security Literacy: Staying Safe in a Digital World