Ethical Considerations in IT & Detecting Phishing
Requirements: 1 hour
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-50643-1; Ethical Considerations in IT and Detecting Phishing Attacks
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web site, in whole or in part.

Table of Contents
Objective (page 2)
Estimated Completion Time (page 2)
Materials Required (page 2)
Introduction (page 2)
Ethical Considerations in the Use of Information Security Tools (page 3)
Are You a White Hat? (page 3)
The White Hat Agreement (page 4)
(ISC)2 Code of Ethics (page 5)
Self-Reflection and Response (page 7)
Instructor’s Response (page 7)
Detecting and Responding to Phishing Attacks (page 8)
Legitimate Messages Don’t Request Sensitive Information (page 8)
Legitimate Messages Usually Call You by Your Name (page 9)
Legitimate Messages Come from Authentic Domains (page 10)
Legitimate Messages Come from People Who Know How to Spell and Write (page 11)
Legitimate Messages Don’t Force You to a Web Site (page 12)
Legitimate Messages Don’t Include Unsolicited Attachments (page 13)
Legitimate Messages Have Links that Match Legitimate URLs (page 13)
Legitimate Messages Don’t Create an Artificial Sense of Urgency (page 14)
Legitimate Messages Display Reliable Names (page 15)
Legitimate Messages Don’t Solicit Money (page 16)
How You Should Respond to Phishing E-Mails (page 18)
Test Your Knowledge (page 19)
Instructor’s Response (page 26)
Objective
Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.

Estimated Completion Time
If you are prepared, you should be able to complete:
• The Ethical Considerations lab in 15 to 20 minutes.
• The Phishing E-Mail lab in 60 to 75 minutes.

Materials Required
Completion of this lab does not require any software to be installed and configured on your computer.

Introduction
This module does not include a “hands-on” project to develop specific skills. Instead, it discusses two topics that will be useful for the projects you perform in the later modules. You will first learn about the ethical dimension of using information security tools and techniques that many consider to be from the “dark side.”

Social engineering is a term that describes malicious actions that exploit human psychology to gain access to sensitive information or money. Attackers manipulate people through dishonest social interactions and exploit the human tendency to trust in order to gather valuable information. Phishing is a popular form of social engineering attack in which an attacker provides what appears to be a legitimate communication (usually e-mail), but it contains hidden or embedded code that redirects the reply to a third-party site to extract personal or confidential information.

The best defense against e-mail phishing attacks is user awareness. Many organizations now filter employee e-mail using commercial products, but even the best of these products will not stop every phishing e-mail. Having an alert workforce and a trained service support staff is also required. In the second part of this lab, you will begin by reading about the indicators that an e-mail is actually a phishing attack. Next, you will assume the role of a help-desk analyst who is responding to alerts from users who have received suspicious e-mails.
Ethical Considerations in the Use of Information Security Tools
Using some of the “tools of the trade” in information security might lead students (and their instructors) to use software and techniques that are designed to break the rules and allow bad acts to occur. Because each academic community sets certain standards, you need to be aware of how they might apply in your specific circumstances. Conforming to standards and exhibiting ethical behavior are required to ensure the unhindered pursuit of knowledge and the free exchange of ideas. Academic integrity means that you respect the right of other individuals to express their views and opinions, and that you, as a student or faculty member, do not engage in plagiarism, cheating, illegal access, misuse or destruction of college property, or the falsification of college records or academic work.

As a member of the academic community, and as a future InfoSec or IT professional, you are expected to adhere to standards of ethical behavior. You are expected to read and follow your institution’s code of conduct, which is usually found in your student handbook. You need to be aware that if you violate these standards, you will be subject to penalties outlined in your institution’s student conduct and academic integrity procedures. These penalties likely range from grade penalties to permanent expulsion.

Your instructor may require you to read the white hat agreement and code of ethics that follow. Your instructor might also ask you to sign a form acknowledging that you agree to abide by these ethical standards while you are a student. Your agreement would indicate that you understand the ethical behavior expected of you as part of an academic community, and that you understand the consequences of violating those standards. For those of you in InfoSec or cybersecurity programs, the standard is even higher, given that you will be a guardian of an organization’s data in the future.

Are You a White Hat?
As part of this course, you may be exposed to systems, tools, and techniques related to information security. With proper use, these components allow a security administrator or technician to better understand vulnerabilities and the security precautions used to defend an organization’s information assets. Misuse of these components, either intentionally or accidentally, can result in breaches of security, damage to data, or other undesirable results. Because the labs in this book will sometimes be carried out in a public network that is used by people for real work, you must agree to the following before you can participate. If you are unwilling to sign this agreement, your instructor may not allow you to participate in the projects.
The White Hat Agreement
If you have questions about any of the following guidelines, please contact your instructor. This document may be changed from time to time by your instructor, who will notify you of such changes and may ask you to reaffirm your understanding and agreement.
1. Just because you can do something doesn’t mean you should.
2. As you engage in projects, you will be granted access to tools and training that have the potential to do harm even when they are used to determine or investigate the security of an information system. Use these tools with care and consideration of their impact, and only in the ways specified by your instructor.
3. If any question arises in your mind about whether you can or should perform an activity or use a tool in a particular way, stop and ask your instructor for clarification. In information security, it is most definitely NOT easier to ask for forgiveness than for permission.
4. You are only allowed to use the tools and exercises if you are currently registered for a grade in the course. An instructor always has the right to ask students for appropriate identification if necessary.
5. Any instance of suspected misconduct, any illegal or unauthorized use of tools or exercises, or any action construed as being outside the guidelines of the course syllabus and instruction will be investigated by the instructor and may result in severe academic and/or legal penalties. Being a student does not exempt you from consequences if you commit a crime.
6. All students are expected to follow the (ISC)2 code of ethics, which is available at www.isc2.org/ethics and included later in this document.
7. By acknowledging this agreement, you confirm that you will:
• Only perform the actions specified by the course instructor for using security tools on assigned systems.
• Report any findings to the course instructor or in specified reporting formats without disclosing them to anyone else.
• Maintain the confidentiality of any private information learned through course exercises.
• Manage assigned course accounts and resources with the understanding that their contents may be viewed by others.
• Hold harmless the course instructor and your academic institution for any consequences or actions if you use course content outside the physical or virtual confines of the specified laboratory or classroom.
• Abide by the computing policies of your academic institution and by all laws governing the use of computer resources on campus.
8. By acknowledging this agreement, you confirm that you will not:
• Attempt to gain access to a system, attempt to increase privileges on any system, or access any data without proper authorization.
• Disclose any information that you discover as a direct or indirect result of this course exercise.
• Take actions that will modify or deny access to any system, data, or service except those to which administrative control has been delegated to you.
• Attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of the projects or classroom.
• Use any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course exercise.
• Pursue any legal action against the course instructor or the university for any consequences or actions if you use what you learn in the course outside the physical or virtual confines of the laboratory or classroom.
9. You will abide by the following code of ethics: Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.

(ISC)2 Code of Ethics
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally.
• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide diligent and competent service.
• Preserve the value of systems, applications, and information.
• Respect the trust and privileges granted to you.
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.

Advance and protect the profession.
• Sponsor for professional advancement those best qualified. All other things being equal, prefer those who are certified and who adhere to these canons.
• Avoid professional association with those whose practices or reputation might diminish the profession.
• Take care not to injure the reputation of other professionals through malice or indifference.
• Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.

The (ISC)2 code of ethics is available from www.isc2.org/ethics.
Self-Reflection and Response
In the space below, write a brief statement indicating your intention to abide by the ethics codes spelled out in this lab.

Instructor’s Response
Detecting and Responding to Phishing Attacks
The following questions indicate some of the telltale signs of phishing attacks. In general, you should ask yourself these questions for each e-mail you receive:
• Does the message ask for sensitive information, such as account numbers, passwords, or even your birthday?
• Does the message use your correct name and refer to other details accurately?
• Does the address look authentic?
• Are there misspelled words and improper grammar?
• Does the message force you to a web site?
• Does the message have an attachment you are not expecting?
• Do links in the message fail to match the visible URL?
• Does the message request that you send money?
Each of these questions is explained with examples in the following sections.

Legitimate Messages Don’t Request Sensitive Information
If you receive an unsolicited e-mail that appears to be from an official institution and the message includes a functional link or attachment, it’s a scam. Most companies do not send e-mail asking for passwords, credit card information, credit scores, or tax numbers, nor do they send log-in links. If a company needs information, you will usually be asked to visit its web site or mobile app, but you should not need a special e-mail link—after all, you do business with the company already.

Figure L01-1 Global Pay Phishing E-Mail
In Figure L01-1, notice the unsolicited web link attachment. Also, look at the generic salutation at the beginning (“Dear customer”). Such greetings are discussed next.
Legitimate Messages Usually Call You by Your Name
Phishing e-mails typically use generic salutations such as “Dear valued member,” “Dear account holder,” or “Dear customer.” If a company you deal with actually required information about your account, the e-mail would refer to you by name and would probably direct you to contact the company via phone, a phone app, or the official company web site. However, some hackers simply avoid a salutation altogether. This is especially common with advertisements. In the phishing e-mail shown in Figure L01-2, everything is nearly perfect. So, how would you spot it as suspicious?

Figure L01-2 Hotels.com Phishing E-Mail
The example in Figure L01-2 is very convincing, but the fact that the message has the recipient’s name spelled correctly does not make it legitimate. The clue that the message is not legitimate is the e-mail domain, as you will learn next.
Legitimate Messages Come from Authentic Domains
Don’t just check the name of the person who sent you the e-mail. Check the e-mail address by hovering your mouse over the contents of the From line. Make sure there have been no alterations, such as additional numbers or letters. For example, be suspicious if the e-mail address appears to be [email protected] but is [email protected] when you hover the mouse over the From line. This isn’t a foolproof method of demonstrating fraud, however. Some companies make use of varied domains to send e-mails, and some smaller companies use third-party e-mail providers.

Figure L01-3 Costco Phishing E-Mail
In the example shown in Figure L01-3, the Costco logo is just a bit off. To see the actual logo, you can go to https://costco.com. Do you see the difference? Also, note that the “From” field is from a different business: “cbcbuilding.com” rather than “costco.com”. Also, note that most companies use https:// in their URLs. If the “s” is missing, dig a little deeper.
Legitimate Messages Come from People Who Know How to Spell and Write
Possibly the easiest way to recognize a suspicious e-mail is through its use of bad grammar and misspelled words. An e-mail from a legitimate organization is usually well written. Look at this example:

Figure L01-4 Best Buy Phishing E-Mail
In addition to the generic salutation in Figure L01-4, the grammar gaffes and extra spaces are a good clue that something is wrong—for example, note the sentence that begins “Please fill this form.” Also, notice the “17” that appears in the middle of the next sentence for no reason.
Legitimate Messages Don’t Force You to a Web Site
Phishing e-mails are sometimes coded so that the entire message is a graphic image tagged as a hyperlink. Clicking anywhere in the e-mail will open a fake Web page or download malware, ransomware, or spam to your computer. For this reason, you must be careful and deliberate when performing analysis on suspect e-mails. If you click or activate the attachment, it can infect your system. You will need tools to render the attachment or headers harmless without activating the trap. Right-clicking your mouse and using basic tools can be very helpful.

Figure L01-5 USPS Phishing E-Mail
The entire e-mail shown in Figure L01-5 was sent as an image tagged as a single hyperlink. If a recipient clicked anywhere in the e-mail, a malicious attack would be initiated. You can guard against this by hovering your mouse cursor over the message to see if a link address preview appears. You can also see the spelling and grammar errors in the body of the “Notification.”
Legitimate Messages Don’t Include Unsolicited Attachments
Unsolicited e-mails that contain any type of attachment should make you suspicious. Typically, authentic institutions do not randomly send you e-mail with attachments, but instead direct you to download documents or files from their secured web site. Like many of the other tips in this lab, this method isn’t foolproof. Companies that already have your e-mail address sometimes send you information, such as a white paper, that may require a download. In that case, be on the lookout for high-risk attachment file types, such as .exe, .scr, and .zip. Even .pdf and .docx files are suspicious. If you think the e-mail might be legitimate but you have doubts, contact the sender directly using information obtained from a source other than the e-mail.

Figure L01-6 ePayment Phishing E-Mail
Before you wonder what’s in the .zip file attached in Figure L01-6, remember that curiosity killed the cat.

Legitimate Messages Have Links that Match Legitimate URLs
If an e-mail appears to be suspicious, take precautions with any web links in the message. Make a habit of always double-checking URLs. If the link in the text isn’t identical to the URL displayed when you hover the mouse cursor over the link, that’s a sure sign you will be taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct or doesn’t match the context of the e-mail, don’t trust it. Instead, use your web browser to find the company’s authentic web site. To help ensure security, hover your mouse over an embedded link (without clicking!), confirm that it begins with https://, and consider whether the rest of the link looks like what you might expect.
Figure L01-7 Nokia Phishing E-Mail
Although the preceding message looks convincing, Nokia wouldn’t actually send a “Save your stuff” e-mail from [email protected]. A mouse flyover of the link would show a domain you should not trust.

Legitimate Messages Don’t Create an Artificial Sense of Urgency
Scammers know that most of us procrastinate and then have to get things done in a hurry, so many phishing attempts request that we act now before it’s too late. Scammers also understand that crises in the workplace are common and must be handled quickly. Unfortunately, hurrying creates a greater chance of making mistakes and bad choices. When you take time to think about something, you are much more likely to notice things that don’t seem quite right. For instance, when you receive an unexpected e-mail from a major company, maybe you’ll think twice and realize that the organization has never contacted you via e-mail. Maybe you’ll receive what appears to be a frantic e-mail from a co-worker and realize that he simply would have called you in case of an actual emergency.
A common workplace scam is to pretend that a problem has arisen with a commonly used service or account, such as one with a bank or credit card company the organization uses. Any actual problems with such accounts would cause an immediate inconvenience. Criminals know we’re likely to drop everything if our boss e-mails us with a vital request, especially when other senior colleagues are supposedly waiting for us to act. A typical example looks like Figure L01-8.

Figure L01-8 Mobile Phishing E-Mail

Legitimate Messages Display Reliable Names
A favorite phishing tactic among cybercriminals is to spoof the display name of an e-mail, just like robocalling telemarketers can spoof your phone’s caller ID. For example, if a fraudster wanted to impersonate your bank, the top of the e-mail message might look like Figure L01-9. Check out the domain name (in the example, [email protected]) to see if it matches the display name (My Bank).

Figure L01-9 Secure.com Phishing E-Mail
Legitimate Messages Don’t Solicit Money
Many successful phishing attacks create a false sense of urgency or appeal to a person’s greed. One type of scam that attempts to exploit greed is the advance fee fraud, which uses confidence tricks and is much older than e-mail. This approach typically involves promising the victim a significant share of a valuable prize, a desired business objective, or a sum of money in return for a small, up-front payment. This payment is needed to obtain the larger sum—hence the name “advance fee fraud.”

One of the best-known frauds is the Nigerian 4-1-9 scam, which has been around for a long time. Originally conducted via phone, fax, and traditional mail, this scam invites victims to send a small amount of money with the promise of receiving a much larger sum in return. The development of e-mail has made it much easier for scammers to reach new victims. The best-known source of these e-mail scams is Nigeria, although they can originate from anywhere. In Nigeria, the e-mails have become a significant source of income for some, although section 4-1-9 of the Nigerian legal code prohibits them (hence the name).

A typical Nigerian 4-1-9 scam begins with a potential victim opening a letter or e-mail that’s purportedly from a famous person or an exiled politician. The person may claim to be from a place that’s currently in the news, possibly because of a recent civil disturbance. The message explains that, due to political instability or the death of a relative, a significant amount of money is trapped in some form of escrow account. The message goes on to explain that if the reader could send just a small amount of cash, it will pay the fee needed to access the account. In return for their trust and generosity, the reader is promised a large percentage of the money that’s locked away. If the reader does decide to send money, more requests will follow. According to subsequent e-mails sent by the scammer, unexpected costs are often discovered, such as increased taxes or bribes to officials. The scammers will continue to ask for money as long as the victim sends it. Needless to say, victims will never receive a payout, regardless of how much money they send.

A variant of the 4-1-9 attack involves vendors that supposedly sell products or rent accommodations online. A fraudster first identifies a company from a foreign country that offers to buy a product, rent a property, or contract a service. The fraudster then sends the victim a fake check or international money order for a much greater amount than the item or activity is worth, along with an explanation for why they cannot pay a smaller amount. The fraudster asks the victim to deposit the money in a personal bank account and then transfer the overage back to the fraudster. Later, of course, the victim discovers the swindle and that the original “payment” was fake.
These types of scams have some common traits:
• The message (usually an e-mail) is unexpected.
• You don’t know the sender.
• There is a long, sad story about why the sender needs your help to access money.
• You are asked to help by transferring funds.
• A large payment is offered in exchange for assistance.
The examples of advance fee fraud are many and varied; they include investment proposals, lottery winnings, and online dating scams. The example shown in Figure L01-10 is fairly typical.

Figure L01-10 UAE World Expo Phishing E-Mail
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 978-0-357-50643-1; Ethical Considerations in IT and Detecting Phishing Attacks 18 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web site, in whole or in part. How You Should Respond to Phishing E-Mails The easiest response to suspected phishing e-mails is to delete them. Most larger organizations have automated filters in place to catch phishing attempts. Most companies also offer staff assistance to deal with such e-mail, and offer an account like [email protected] where you can send suspicious messages. Many organizations have a web resource that explains examples of current phishing messages that are making the rounds; this resource helps users stay abreast of emerging threats in social engineering. At Kennesaw State University in Georgia, the resource is called the phishmarket. You can see it at https://uits.kennesaw.edu/ocs/phish-market/index.php. When dealing with suspicious e-mail, the best advice is to be skeptical. Phishers are good at what they do. Many malicious e-mails include convincing brand logos, persuasive language, and a seemingly valid e-mail address. However, if an e-mail message looks even remotely suspicious, do not open it. If the message seems too important to ignore and you cannot easily toss it away, try to follow up using resources you can find that are NOT in the e-mail. Go to the sender’s web site or call the colleague who allegedly sent you the attachment or urgent request. If the original message was valid and urgent, the sender will appreciate your follow-up. You should report fraudulent e-mail and other types of social engineering attacks. If you work for a company, contact the help desk or the information security team. For suspicious e-mails sent to your personal account, your e-mail provider or ISP may be able to help you. 
After evaluation, the company’s technical support team should follow up to ensure that the e-mail was deleted and no losses occurred. If you fall victim to a phishing attack, get help as soon as possible, because lost time can factor into the ability to recover losses. If the attack involved a bank or a credit card company, or if you have an identity protection service (like LifeLock), get them involved as soon as you can.
When dealing with phishing attacks, it does not matter whether your organization has the most secure systems in the world. It takes only one untrained employee to be fooled and give away data your organization has worked hard to protect. Make sure that you and your co-workers understand the examples illustrated in this lab so you can detect the telltale signs of a phishing attempt.
Test Your Knowledge
Now let’s test your knowledge. Imagine that you are a help-desk analyst reading your organization’s abuse e-mail account as co-workers send in suspicious messages. Look at each of the following messages and then determine whether you think they are legitimate or suspicious. Print out the answer page at the end of the lab for recording your answers. For each suspicious message, explain why you think it fails the “smell test.” Here is a handy list you can use when evaluating each of the following example e-mails:
• The message asks for sensitive information.
• The message does not contain your correct name; other details are incorrect as well.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message forces you to a web page.
• The message has an attachment that is not expected.
• Links in the message seem suspicious.
• The message requests that you send money.
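As an added example (not part of the Cengage lab), the checklist above can be turned into a small triage script that a help-desk analyst could run over messages forwarded to the abuse mailbox. It assumes the analyst supplies the recipient's name and the organization's trusted domains; the two messages it scores are constructed samples with fictitious domains, and the "misspelled words" item is left to the human reader.

```python
"""Triage a suspected phishing message against the checklist above.
Added example, not part of the Cengage lab; both messages are constructed
samples and every domain in them is fictitious."""
import re
from email import message_from_string
from urllib.parse import urlparse

SENSITIVE = re.compile(r"\b(password|passcode|social security|account number|pin)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within 24 hours|urgent|suspended|final notice)\b", re.I)
MONEY = re.compile(r"\b(wire transfer|transfer funds|gift cards?|western union|bitcoin)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(address):
    """Lower-cased domain of an e-mail address, or '' if there is none."""
    m = re.search(r"@([\w.-]+)", address or "")
    return m.group(1).lower() if m else ""


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted(host, trusted):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def body_and_attachments(msg):
    """Join the text/plain and text/html parts; collect attachment file names."""
    body, attachments = [], []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(body), attachments


def triage(raw, recipient_name, trusted, expecting_attachment=False):
    """Apply the lab's checklist to one raw RFC 822 message. Each failed item
    adds a reason; the verdict is 'S' (suspicious) with two or more reasons,
    otherwise 'T'. This is triage for the help desk, not a final decision."""
    msg = message_from_string(raw)
    body, attachments = body_and_attachments(msg)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    reasons = []
    if SENSITIVE.search(body):
        reasons.append("asks for sensitive information")
    if recipient_name.lower() not in body.lower():
        reasons.append("does not address you by your name")
    if not is_trusted(from_dom, trusted):
        reasons.append(f"sender domain {from_dom!r} is not one you trust")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from the From domain")
    for href, text in ANCHOR.findall(body):
        # Compare the host the link displays with the host it really opens.
        link_host = host_of(href)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = host_of(shown) if shown.lower().startswith("http") else ""
        if shown_host and shown_host != link_host:
            reasons.append(f"link text shows {shown_host} but points to {link_host}")
        elif not is_trusted(link_host, trusted):
            reasons.append(f"link leads to untrusted host {link_host!r}")
    if attachments and not expecting_attachment:
        reasons.append("unexpected attachment(s): " + ", ".join(attachments))
    if URGENCY.search(body):
        reasons.append("creates an artificial sense of urgency")
    if MONEY.search(body):
        reasons.append("asks you to send money")
    return {"verdict": "S" if len(reasons) >= 2 else "T", "reasons": reasons}


# Constructed sample 1: a credential-harvesting message with a mismatched link.
PHISH = """\
From: "Campus IT Help Desk" <helpdesk@it-support-portal.example.net>
Reply-To: verify@mailbox-reset.example.org
Subject: URGENT: your mailbox will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer, your account will be suspended within 24 hours unless you
confirm your password at <a href="http://login.it-support-portal.example.net/reset">https://webmail.example.edu/reset</a></p>
--b1
Content-Type: application/octet-stream; name="Mailbox_Notice.exe"
Content-Disposition: attachment; filename="Mailbox_Notice.exe"

placeholder-bytes
--b1--
"""

# Constructed sample 2: a routine notice from the real help desk.
LEGIT = """\
From: "Campus IT Help Desk" <helpdesk@example.edu>
To: Jordan Lee <jordan.lee@example.edu>
Subject: Scheduled maintenance this weekend
Content-Type: text/plain; charset="utf-8"

Hello Jordan Lee, webmail will be unavailable Saturday 02:00-04:00 for
maintenance. No action is needed. Details: https://status.example.edu/notice
"""

if __name__ == "__main__":
    for label, raw in (("constructed phish", PHISH), ("constructed legit", LEGIT)):
        result = triage(raw, "Jordan Lee", {"example.edu"})
        print(f"{label}: {result['verdict']}", *result["reasons"], sep="\n  ")
```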
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7
Example 8
Example 9
Example 10
Phishing Email Responses
Email | Trustworthy (T) or Suspicious (S) | Reason
Example 1 | |
Example 2 | |
Example 3 | |
Example 4 | |
Example 5 | |
Example 6 | |
Example 7 | |
Example 8 | |
Example 9 | |
Example 10 | |
Instructor’s Response:
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Web Browser Security 1 © 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web site, in whole or in part.
Hands-On Lab: Web Browser Security
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431; Web Browser Security
Table of Contents
Introduction ………… 2
Objective ………… 2
Estimated Completion Time ………… 2
Materials Required ………… 2
Minimum System Configuration ………… 2
Web Browser Security for Google Chrome ………… 2
Autofill ………… 3
Safety Check ………… 7
Privacy and Security ………… 9
Incognito Browsing ………… 13
Web Browser Security for Mozilla Firefox ………… 14
Protections Dashboard ………… 15
Privacy and Security ………… 17
Private Window Browsing ………… 22
Web Browser Security for Microsoft Edge ………… 23
Profiles ………… 25
Privacy, Search and Services ………… 27
Family Safety ………… 30
InPrivate Window Browsing ………… 31
Web Browser Security for Apple Safari ………… 32
Self-Reflection and Response ………… 34
Instructor’s Response ………… 34
Introduction
This module describes how to configure the security and privacy features of several popular web browsers to minimize the probability of unwanted disclosures or exploits. Modern web browsers are some of the most used tools to access remote information. Organizations develop complex web sites to share information with their customers and suppliers, and internal sites to share information with employees. While the examination of all the features of the various available web browsers is beyond the scope of this lab exercise, we will look at some of the more common security features and settings of the most widely used browsers.
Note: if you are performing these labs on organizational equipment, like computers in a university lab or at a business, some of these options may not be available. All may be performed on your personal computer or laptop.
Objective
Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web browsers.
Estimated Completion Time
If you are prepared, you should be able to complete:
• The Web Browser Security and Privacy labs in 1 to 1.5 hours.
Materials Required
Access to the named web browsers.
Minimum System Configuration
Completion of this lab requires that the user have the appropriate rights and privileges to modify software on the local system.
Web Browser Security for Google Chrome
The first web browser discussed is Google Chrome (https://www.google.com/chrome/), shown in Figure L02-1.
Figure L02-1 Google Chrome Website
1. Download the Google Chrome browser by going to https://google.com/chrome and clicking the Download Chrome button. Follow the on-screen prompts until the software has installed.
2. Access the Google Chrome settings by clicking the Customize and Control Google Chrome button (which looks like a vertical ellipsis) beneath the close window button in the upper right corner, or type chrome://settings/ in the URL field. On this screen are several settings important to security, including Autofill, Passwords, Payment Methods, Safety Check and Privacy & Security.
Autofill
The first set of options to investigate are in the Autofill section, as shown in Figure L02-2. Here the user can configure the browser’s ability to remember Passwords, Payment Methods, and Addresses for the user.
Figure L02-2 Google Chrome Settings
3. Click the Passwords menu option shown in Figure L02-2. You should see the options shown in Figure L02-3. If you are sharing a computer with anyone else, even a family member, you should disable both the Offer to save passwords and Auto Sign-in options by clicking the slider to the right of each option so that it moves to the left. Similarly, if you are using a computer owned by an organization and not by you, you should disable these options. On your personal systems, you can log into Google Chrome and it will sync your settings across multiple computers. This is fine if you remember to log out of Google Chrome before logging out of the computer system. Use caution with this feature, as someone else using the computer could otherwise have access to your credentials.
Figure L02-3 Google Chrome Passwords Settings
4. If you have been using Google Chrome for some time and storing system credentials in the browser, you may want to periodically check your credentials (usernames and passwords). Hackers work to compromise systems and steal credentials. They then sell or share this information on “the dark web”. Google scans the dark web and allows you to see if one of your system credentials has been found there. Click the Check passwords button to review your credentials.
5. As shown in Figure L02-4, Google Chrome will let you know when there is a problem with your stored credentials, including those with passwords that Chrome views as “weak”. You will have the option to change any password Chrome has flagged for your review by clicking the Change password button beside the account credentials shown. If there were any compromised passwords, they would be listed above the Weak passwords section.
Figure L02-4 Google Chrome Check Passwords Results
6. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.
7. Select Payment methods in the Autofill section. As shown in Figure L02-5, Google Chrome can remember your commonly used payment methods. You should use extreme caution when allowing Chrome to do this, as it would allow anyone else using the system to use your payment methods. Chrome does require you to validate the use of a payment card by entering the security code on the reverse; however, if someone watched you use a card, they may have memorized that code and could then shop with your credit.
Figure L02-5 Google Chrome Payment Methods Settings
8. For systems you share with others, or which belong to an organization, it is recommended that you disable the Save and fill payment methods and Allow sites to check if you have payment methods saved options by sliding the button to the right of each option to the left. Any payment methods saved will be listed at the bottom of this menu and can be accessed there.
9. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.
10. Click on the Addresses and more option under Autofill. As shown in Figure L02-6, here you can allow Google Chrome to remember key addresses, much the same as passwords and payment methods. Again, disable this option on shared systems, or systems owned by an organization.
Figure L02-6 Google Chrome Addresses and more Settings
11. Return to the Settings menu by selecting the left arrow next to the Settings menu title, or the back arrow next to the URL field.
Safety Check
The next area to examine is the Safety Check menu, shown in Figure L02-7. Just like the Password check in the previous section, this function will determine if there are any issues with your Google Chrome installation.
Figure L02-7 Google Chrome Safety Check
12. Click on the Check now button to run the Safety check. Figure L02-8 shows a sample results screen.
Figure L02-8 Google Chrome Safety Check Results
13. Review and resolve any issues identified by clicking the corresponding button to the right of the menu option. If you did not resolve all issues with Google Chrome managed passwords, you will have the option to fix those here as well, by clicking the Review button.
14. If your system is not currently using Safe Browsing, select the Manage button and select the option that best suits your preferences. At a minimum you should select Standard protection under Safe Browsing. Enhanced protection is the best option; however, it does send browsing data to Google, as illustrated in Figure L02-9.
15. There are additional options under Advanced you may specify. If available, select Use secure DNS. There are also options to manage your certificates and implement the Google Advanced Protection Program here. The GAPP program allows you to implement multi-factor authentication for your Google login, requiring the use of particular software on your phone or a hardware token to authenticate. Visit https://landing.google.com/advancedprotection/ if you want to learn more about the GAPP program.
16. Also available under Safety check is Extensions management. Extensions are add-ons for Google Chrome that provide additional functionality. Some, however, may introduce new vulnerabilities. If you have any issues with extensions in your version of Chrome, the option to resolve those will appear here (see Figure L02-8 above).
17. Return to the Settings page by using the back option again.
Figure L02-9 Google Chrome Safe Browsing Settings
Privacy and Security
Back at the Settings screen, the next section is Privacy and Security. As shown in Figure L02-10, here you can clear your browsing data and cookies, and adjust other security features.
Figure L02-10 Google Chrome Privacy and Security Settings
18. Click on Clear browsing data. Here you can specify whether you want to clear your browsing history, cookies, and cached images and files from your browser. Periodically you may experience issues using a piece of software that caches files on your system. Clearing your browsing data by checking the options shown in Figure L02-11 and clicking the Clear data button will give you a fresh start and force your browser to download all new web content. If you are not logged in to Google, this action will only clear the cached information on the local machine. If you are logged in, it will clear this information for all systems you are logged into, as the data is stored and synced by Chrome.
19. You can specify how much data to clear by using the pull-down box next to Time range. Use this option to select All time, if not already selected, and click Clear data.
Figure L02-11 Google Chrome Clear Browsing Data Settings
20. Click the Cookies and other site data option. As shown in Figure L02-12, here you can specify which cookies may be stored on your system. While you can block all cookies, you would quickly find issues trying to access some web sites. At a minimum, it is recommended you select the option Block third-party cookies in Incognito, as shown in the figure, although you may decide to select Block third-party cookies to provide more privacy. To change your options, simply click on the radio button (circle) to the left of the desired option.
Figure L02-12 Google Chrome Cookies and Other Site Data Settings
21. Further down this screen you can view all cookies currently stored on your system by selecting the See all cookies and site data option. This allows you to selectively delete the cookies from one vendor by clicking on the trash can icon shown in Figure L02-13.
Figure L02-13 Google Chrome View Cookies
22. You can also add specific sites to a whitelist (allow) or blacklist (deny) for cookie use, if you chose to allow all or block all in the previous step. You can also specify certain sites whose cookies are cleared when you close the browser (and no others).
23. Return to the settings page using the back arrows.
24. The Security menu option takes you back to the Safe Browsing options.
25. Click the Site Settings menu option. As shown in Figure L02-14, here you can specify the permissions associated with the use of your system for specific sites. This is commonly used to allow or deny the use of location information (for pizza
delivery!), your camera, and your microphone (for web conferencing). It also allows you to specify permissions for notifications (popup reminders). Review the options available and adjust to your preferences.
Figure L02-14 Google Chrome Permissions Settings
26. The Additional content settings menu allows you to specify things like the preferred software to play sounds and open images and PDFs. It also allows you to blacklist certain sites with misleading or offensive ads.
Incognito Browsing
27. While there are other settings and options in Google Chrome, these are the dominant settings related to privacy and security. There is one other feature of interest, especially if you’re using a shared computer. Incognito browsing uses a special instance of the browser to prevent the retention of history and cookies (if selected). The easiest way to start an incognito browser session is to right click on the Chrome icon or menu option and select New incognito window. Do so now.
28. As shown in Figure L02-15, this gives you an increased level of privacy over the standard browser. Keep in mind that this only protects you from data retained on the local system; it does not screen you from systems that monitor network use, such as the organization’s or university’s IT department, or the internet service provider.
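On shared or organization-owned machines, the settings in steps 3 through 20 can be enforced centrally through Chrome's managed policies rather than being clicked through by each user. The audit script below is an added example, not part of the Cengage lab or of Chrome itself: the keys are real Chrome enterprise policy names, the values it expects are the lab's own recommendations, and the two policy documents it checks are constructed samples.

```python
"""Audit a Google Chrome managed-policy document against the settings this
lab recommends for shared or organization-owned systems.

Added example, not part of the Cengage lab. The keys are Chrome enterprise
policy names covering the same settings the lab walks through in the Settings
screens; both policy documents below are constructed samples."""
import json

# (policy key, test for an acceptable value, the lab step it corresponds to)
RECOMMENDED = [
    ("PasswordManagerEnabled", lambda v: v is False,
     "step 3: Offer to save passwords should be off on shared systems"),
    ("AutofillCreditCardEnabled", lambda v: v is False,
     "step 8: Save and fill payment methods should be off"),
    ("AutofillAddressEnabled", lambda v: v is False,
     "step 10: Addresses and more autofill should be off"),
    ("SafeBrowsingProtectionLevel", lambda v: v in (1, 2),
     "step 14: Safe Browsing at least Standard (1); Enhanced is 2"),
    ("DnsOverHttpsMode", lambda v: v in ("automatic", "secure"),
     "step 15: Use secure DNS"),
    ("BlockThirdPartyCookies", lambda v: v is True,
     "step 20: Block third-party cookies"),
]


def audit(policy):
    """Return one finding per recommended setting that is absent or weak.
    An absent key matters because the user can then change that setting."""
    findings = []
    for key, acceptable, why in RECOMMENDED:
        if key not in policy:
            findings.append(f"{key} is not set (left to the user); {why}")
        elif not acceptable(policy[key]):
            findings.append(f"{key}={policy[key]!r} is too weak; {why}")
    return findings


def audit_file(text):
    """Audit a policy document given as JSON text, the format Chrome reads
    from its managed-policy directory (constructed input in this example)."""
    return audit(json.loads(text))


# Constructed sample: a policy file that leaves the lab's settings weak.
WEAK_POLICY = json.dumps({
    "PasswordManagerEnabled": True,
    "AutofillCreditCardEnabled": True,
    "SafeBrowsingProtectionLevel": 0,
    "DnsOverHttpsMode": "off",
})

# Constructed sample: the same settings hardened as the lab recommends.
HARDENED_POLICY = json.dumps({
    "PasswordManagerEnabled": False,
    "AutofillCreditCardEnabled": False,
    "AutofillAddressEnabled": False,
    "SafeBrowsingProtectionLevel": 1,
    "DnsOverHttpsMode": "automatic",
    "BlockThirdPartyCookies": True,
})

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit_file(doc) or ['no findings']}")
```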
Figure L02-15 Google Chrome Incognito Browsing
Web Browser Security for Mozilla Firefox
Mozilla’s Firefox browser has many of the same features as other browsers. Firefox can be downloaded from https://www.mozilla.org/en-US/ by selecting the Firefox browsers option in the top menu, as shown in Figure L02-16.
Figure L02-16 Mozilla Firefox
1. If you do not have Mozilla Firefox installed, go to the URL listed above and follow the instructions to download and install. Then start Firefox.
2. To access the security and privacy options in Firefox, first click on the menu button (three parallel lines in the upper left corner under the Close button).
Protections Dashboard
3. The first security option we’ll look at is the Protections Dashboard. To access the Protections Dashboard, click the shield icon in the address bar when visiting a web page, or enter the text “about:protections” into the address bar. As shown in Figure L02-17, the first security feature is Enhanced Tracking Protection. This is always on, so it’s just a report of how Firefox is working to protect you from online tracking software. Also on this menu is the offer to sign up for Breach alerts with Firefox Monitor. This is currently free but requires a Firefox account (also free). Like Google Chrome, signing into your Firefox browser allows you to sync your settings across multiple systems. Firefox Monitor (shown in Figure L02-18) will alert you if it finds your credentials (based on your e-mail address) in a compromised system.
Figure L02-17 Mozilla Firefox Protections Dashboard
Figure L02-18 Mozilla Firefox Monitor
4. At the bottom of this screen is the Password Management feature, shown in Figure L02-19, which allows you to manage stored passwords in Firefox. Click the Manage Passwords button.
Figure L02-19 Mozilla Firefox Password Management
5. This opens the Firefox Lockwise feature, used to manage your passwords on various web sites, as shown in Figure L02-20. Here you can edit and remove any stored passwords for your Firefox account, if logged in, or on the local system only, if not. Lockwise can also be accessed directly through the menu by selecting Logins and Passwords.
Figure L02-20 Mozilla Firefox Lockwise
Privacy and Security
6. Open the menu and select Options. Here you can specify general Firefox settings. In the left menu, select Privacy & Security. As shown in Figure L02-21, here you can specify the level of tracking allowed. At a minimum, you should ensure your system is set to Standard. While there is no lower setting available, someone may have created a custom configuration which allows fewer security features and protections. If you desire, you can set your system(s) to Strict, providing increased protection.
Figure L02-21 Mozilla Firefox Browser Privacy Settings
7. Further down this page, you have the options to clear and manage Cookies, Logins and Passwords, Forms and Autofill, History, and the Address Bar, as shown in Figure L02-22.
Figure L02-22 Mozilla Firefox Cookies and Site Data Settings
8. Click Clear Data under Cookies and Site Data. When prompted, select both Cookies and Site Data and Cached Web Content, and click the Clear button.
9. Next, click Clear History under History. Select Everything in the Time range to clear pull-down menu, and check all boxes under History and Data. Then click OK.
10. While most of these are self-explanatory, one feature deserves additional attention. The Primary Password is a feature that allows additional protection for systems used by multiple users, allowing the secure use of saved credentials. If this feature is enabled by checking the box to the left of the option, each session (each time the browser is started) will prompt you for a “Primary Password” before the saved password functions can be used. This will prevent someone from using a shared system and then taking advantage of saved credentials. The Primary password is typically your Firefox account password. You are also prompted for this password if you try to add, remove, or edit stored passwords.
11. Review each of these options and enter the settings that you desire.
12. Further down on this screen are the Permissions settings for specific applications, as shown in Figure L02-23. Here you can specify which applications can use which features, such as your location, the web camera, and microphone.
Figure L02-23 Mozilla Firefox Permissions Settings
13. Also located in the options menu is the specification for Firefox Data Collection and Use, shown in Figure L02-24, which provides specific criteria you can select to control what data, if any, you allow Mozilla to collect and use.
Figure L02-24 Mozilla Firefox Data Collection and Use Settings
14. The last set of options in this menu are the Security features not covered elsewhere. Here you can Block dangerous and deceptive content, review your certificates, and specify the use of the HTTPS (HTTP Secure) protocol. Ensure the minimum levels of security by reviewing your settings and making sure they are at least as secure as the ones shown in Figure L02-25.
Figure L02-25 Mozilla Firefox Security Settings
Private Window Browsing
15. Users can create anonymous browsing windows by right clicking the Mozilla Firefox icon and selecting New Private Window. This window, shown in Figure L02-26, allows the user to avoid saving passwords, cookies, and browsing history while in a private window. It allows the user to access any stored materials from normal browsing but will not save any new materials. Again, private windows do not block your information from an organization’s IT department or the Internet Service Provider.
Figure L02-26 Mozilla Firefox Private Window Browsing
While there are many other options you can configure for Mozilla Firefox, these are the primary security and privacy features.
Web Browser Security for Microsoft Edge
Microsoft Edge is the newest browser from Microsoft, provided with its Windows operating systems. Edge replaces the venerable (and vulnerable) Microsoft Internet Explorer. Like other browsers, Edge can sync settings between systems if the user creates an account with Microsoft and logs in.
1. Microsoft Edge can be downloaded from https://www.microsoft.com/en-us/edge, as shown in Figure L02-27, although it most likely is already installed if you are using a Windows operating system like Windows 10.
Figure L02-27 Microsoft Edge
2. The first set of security and privacy features are accessed by selecting the menu (the ellipsis in the upper left corner under the close button), then selecting Settings. As Figure L02-28 shows, options are listed on the left, with configuration on the right.
Figure L02-28 Microsoft Edge Settings
Profiles
3. Select Profiles (if not already selected). The profiles section, shown in Figure L02-29, allows quick access to sync functions, password management, and retained payment preferences.
Figure L02-29 Microsoft Edge Your Profile Settings
4. Click Passwords. As shown in Figure L02-30, here you can specify whether Edge saves passwords for you, signs you in automatically, and shows a "reveal password" button so you can confirm you typed a password correctly. On a shared computer, make sure these options are turned off: anyone who can open the browser profile could otherwise sign in as you or reveal the saved passwords.
Figure L02-30 Microsoft Edge Profiles/Passwords Settings
5. Click the back arrow next to Profiles / Passwords on the right side of the window to return to the Your profile page, then click the Payment info option. As shown in Figure L02-31, here you can allow the saving and use of payment information and manage saved payment methods such as credit and debit cards or online payment accounts. If you have already added a payment card, you can edit its attributes. On shared systems, ensure this option is disabled by clicking the blue oval with a white dot, located to the right of the option. Once it is off, the oval turns white with a black dot on the left side.
Figure L02-31 Microsoft Edge Profiles/Payment Info Settings
Privacy, Search and Services
6. Click the Privacy, search, and services option on the left side of the Settings menu. As shown in Figure L02-32, here you can choose one of three levels for your Tracking prevention setting. At a minimum, select Balanced. Beneath the three boxes you can also review the trackers Edge has blocked and specify exceptions for sites where tracking is allowed. Review these options now.
Figure L02-32 Microsoft Edge Tracking Prevention Settings
7. Scroll down the Privacy, search, and services page on the right. The next section lets you clear your browsing data and specify what is cleared. Click the Choose what to clear button. Figure L02-33 shows the Clear browsing data area of the page, and Figure L02-34 shows the options available once you click Choose what to clear (there are two versions of this window; the second shows the additional options revealed by scrolling down).
Figure L02-33 Microsoft Edge Clear Browsing Data Selection
Figure L02-34 Microsoft Edge Clear Browsing Data Settings
8. Select All time in the Time range pull-down, check all of the option boxes, and click Clear now to completely clear Microsoft Edge's browsing data. You can also select Choose what to clear every time you close the browser to configure Edge to clear its cached data each time you close it.
9. The next areas of interest are Privacy, Required diagnostic data, and Optional diagnostic data, located in the sections after Clear browsing data. The Privacy options let you specify whether your system sends "Do Not Track" requests and whether sites may check if you have payment methods stored in Edge, as shown in Figure L02-35. Shared systems should enable Send "Do Not Track" requests and disable the payment methods option. Note that "Do Not Track" is only a request header that a site may honor or ignore, so it is not a substitute for tracking prevention.
Figure L02-35 Microsoft Edge Privacy and Diagnostic Data Settings
10. To see what data Edge is collecting and reporting to Microsoft, click the Windows diagnostic data setting hyperlink shown at the bottom of Figure L02-35. If this is the first time you have done this, you will have to allow the action in the pop-up window that follows. You will find yourself at the Windows Diagnostics & feedback setting. Review these options carefully to ensure you are comfortable with their current settings and make changes as needed. You can also click Delete under Delete diagnostic data to purge data already collected and sent to Microsoft; this also deletes the data from Microsoft's systems.
11. Figure L02-36 shows the Security menu options, including the ability to manage certificates.
Figure L02-36 Microsoft Edge Security Settings
12. The Security page also includes Microsoft Defender SmartScreen, which blocks known malicious web sites and downloads and works alongside the Microsoft Defender antimalware application. The sometimes-annoying pop-up shown in Figure L02-37 stops suspicious programs from running. It may give you the option to "run anyway," in which case you should be sure the application is safe before doing so; clicking More info when you encounter the pop-up can help you decide.
Figure L02-37 Microsoft Defender SmartScreen
Family Safety
13. A feature that is fairly distinctive to Microsoft browsers is the Family safety option. Select Family safety in the left side menu of the Settings window. As shown in Figure L02-38, you can enable this to create accounts for underage children that restrict their online access, report their browsing habits, and filter inappropriate web sites.
Figure L02-38 Microsoft Edge Family Safety
InPrivate Window Browsing
14. Users can open a private browsing window by right-clicking the Microsoft Edge icon and selecting New InPrivate Window. This window, shown in Figure L02-39, lets the user browse without saving passwords, cookies, or browsing history. It still allows access to materials stored from normal browsing, such as favorites, but will not save anything new. Again, private windows do not hide your activity from an organization's IT department or your Internet Service Provider, and they do not make you anonymous to the sites you visit.
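The shared-computer settings from steps 4 through 14 can be enforced for every user of a Windows PC rather than set by hand in each profile, because Edge reads administrative policies from the registry under HKLM:\SOFTWARE\Policies\Microsoft\Edge (the Group Policy editor is not required). The PowerShell script below is an added example written for this page, not part of the lab or of Microsoft's documentation. The policy names and their value meanings are taken from Microsoft's published Edge policy reference; the function names, the particular set of values chosen, and the audit output are this example's own assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the lab): enforce the Edge settings covered in the
# steps above on a shared Windows PC through Edge's registry-based policies.
# Policy names follow Microsoft's Edge policy reference; the chosen values,
# function names and audit layout are this example's own assumptions.
# Requires an elevated PowerShell prompt (writes under HKLM).

$EdgePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Desired state for a shared computer, mapped to the lab steps.
$EdgeSharedPcPolicy = @{
    PasswordManagerEnabled                   = 0  # step 4: never offer to save passwords
    AutofillCreditCardEnabled                = 0  # step 5: do not store payment cards
    AutofillAddressEnabled                   = 0  # step 5: do not store addresses
    TrackingPrevention                       = 2  # step 6: 0=Off 1=Basic 2=Balanced 3=Strict
    ClearBrowsingDataOnExit                  = 1  # step 8: wipe browsing data when Edge closes
    ClearCachedImagesAndFilesOnExit          = 1  # step 8: include the cache in that wipe
    PaymentMethodQueryEnabled                = 0  # step 9: sites cannot probe for saved cards
    ConfigureDoNotTrack                      = 1  # step 9: send the DNT header (advisory only)
    SmartScreenEnabled                       = 1  # step 12: keep SmartScreen on
    SmartScreenPuaEnabled                    = 1  # step 12: also block potentially unwanted apps
    PreventSmartScreenPromptOverride         = 1  # step 12: no "continue anyway" on warned sites
    PreventSmartScreenPromptOverrideForFiles = 1  # step 12: no "run anyway" on warned downloads
    InPrivateModeAvailability                = 0  # step 14: 0=Available 1=Disabled 2=Forced
    SyncDisabled                             = 1  # step 3: no account sync on a shared PC
}

function Set-EdgeSharedPcPolicy {
    # Writes each policy as a REG_DWORD; -WhatIf previews without writing.
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Policy = $EdgeSharedPcPolicy)

    if (-not (Test-Path $EdgePolicyPath)) {
        New-Item -Path $EdgePolicyPath -Force | Out-Null
    }
    foreach ($name in $Policy.Keys) {
        if ($PSCmdlet.ShouldProcess("$EdgePolicyPath\$name", "Set to $($Policy[$name])")) {
            New-ItemProperty -Path $EdgePolicyPath -Name $name -PropertyType DWord `
                -Value $Policy[$name] -Force | Out-Null
        }
    }
}

function Test-EdgeSharedPcPolicy {
    # Audit: one row per policy with the value found in the registry and
    # whether it matches the desired state (a missing value reports $null).
    param([hashtable]$Policy = $EdgeSharedPcPolicy)

    foreach ($name in ($Policy.Keys | Sort-Object)) {
        $actual = (Get-ItemProperty -Path $EdgePolicyPath -Name $name `
                   -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy    = $name
            Expected  = $Policy[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Policy[$name])
        }
    }
}

# Usage: apply, then verify. Add -WhatIf to Set-EdgeSharedPcPolicy to preview.
Set-EdgeSharedPcPolicy
Test-EdgeSharedPcPolicy | Format-Table -AutoSize
```

Once applied, the affected controls appear greyed out in edge://settings with a note that they are managed by your organization, and edge://policy lists every policy Edge has loaded along with any it rejected. The Windows-level Diagnostics & feedback setting from step 10 is a Windows policy rather than an Edge policy and is not covered by this script.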
Figure L02-39 Microsoft Edge InPrivate Browsing
While there are many other options you can configure for Microsoft Edge, these are the primary security and privacy features.
Web Browser Security for Apple Safari
While we won't go into detail about the security features of Apple's Safari browser, it is available from https://www.apple.com/safari/ and contains many of the same features demonstrated in the other browsers. Apple Safari runs only on Apple devices: Macs running macOS and mobile devices such as the iPad and iPhone running iOS and iPadOS. On mobile devices, much of the browser configuration is managed through the device's Settings app rather than through an options menu within Safari. Safari also has a Private Browsing mode like the other browsers.
Figure L02-40 Apple Safari
Self-Reflection and Response
Which browser(s) did you improve the security and privacy for? (Check all that you performed.)
Google Chrome
Mozilla Firefox
Microsoft Edge
Apple Safari
Were you able to access all the security and privacy features of the browsers you used?
Yes
No (explain what you could not revise)
Do you feel more equipped to make your browser experience more secure?
Yes
No
Please explain:
Instructor's Response
