Commonly Employed Threats

Commonly Employed Threats: Many threats will continue to pose problems for those using the Internet, and unless you opt to stop using this resource, you must address the threats.

This section explores threats targeted toward human beings and the weaknesses of human nature.

What type of threats target users and prey on human nature? The following are just a few:

Malware: This can be used as an all-inclusive term for viruses, spyware, keyloggers, worms, Trojan horses, and other Internet threats.

However, narrowing this down to social engineering means that we are talking about Trojan horses.

Shoulder Surfing: This type of attack takes place when one party is able to look over another shoulder or spy on another screen.

This is common in environments of every type, because when you see other people watching what you are doing, you attribute it to normal human curiosity and think little of it.

Eavesdropping: This involves listening in on conversations, videos, phone calls, emails, and other communications with the intent of gathering information that an attacker would not otherwise be authorized to have.

Dumpster Diving: One man’s trash is another man’s treasure, and an attacker may be able to collect sensitive or important information form wastebaskets and other collection points and use it to perform an attack.

In practice, such information should be shredded, burned, or otherwise destroyed to avoid it being intercepted by an attacker.

Phishing: Phishing uses a legitimate-looking email that entices you to click a link or visit a website where your information will be collected.

This is a common attack and is very effective, even though this technique has been around for more than a decade and multiple warnings and advisories have been published, telling users what to look out for.

Although many companies implement technology, administrative policies, and physical measures to stop social-engineering attacks, prevention still comes down to human beings.

They are in many cases on the front lines, watching for an attack. Measures that can help defeat technology-related attacks include the following:

Installing a Modern Web Browser: As the main portal to the world of the Internet, your browser must be as safe and secure as possible.

Being safe and secure means at least two things: Use the most current browser, and keep the browser up to date.

Additionally, avoid unnecessary plug-ins and add-ons that clutter the browser and may weaken it.

Most modern web browsers include features that protect against social-engineering attacks like phishing and bogus websites.

Out with the Old and In with the Chrome

In January 2014, in an effort to reduce support costs and other issues, the website nursingjobs.com decided to take the unusual step of buying new Chromebooks for their older users who had legacy software and hardware. The company issued the following statement:

IE7 users make up 1.22% of our traffic right now and this will decline as more computers are upgraded and can use modern browsers.

However, we know that some of our clients are still stuck with IE7 so we decided to make a bold offer, one that initially seemed crazy to use but now makes a lot of sense.

We are offering to buy a new computer with new modern browsers for any of our customers who are stuck with IE7.

We determine that it would cost us more to support a browser from 2006 in 2014 and beyond than it would to help our clients upgrade their legacy hardware.

In addition to the support costs of offloading a browser from 2006, nursingjobs.com is also avoiding the costs associated with security issues that may arise from the use of an older and unsupported browser.

Although such a move may not be an option for your company, it shows a unique approach to the problem of legacy equipment.

Using a Pop-up Blocker: A modern browser recognizes potentially dangerous pop-ups, lets you know when it blocks a pop-up, and offer the option to selectively block each pop-up as needed.

Heeding Unsafe Site Warnings: If you go to a website that is fraudulent, untrusted, or has known security problems, the browser should prevent the site from loading.

Integrating with Antivirus Software: Your browser should work with a resident antivirus program to scan downloaded file for security threats.

Using Automatic Update: Modern browsers typically update themselves to incorporate fixes to flaws in the software and to add new security features.

Private Browsing: This feature has become a staple of newer browsers, including all the popular browsers such as Chrome, Internet Explorer, Firefox, and others.

This mode prevents the savings of specific type of information in the browser such as search history as well as preventing certain behavior from being observed.

Changing Online Habits: No software can compensate for poor Internet safety habits. Tools can help, but they cannot stop you from acting recklessly or carelessly online.

NOTE: Take a moment to think about this lat point and its value to you as an ethical hacker. The average person parts with enormous amounts of information nowadays through social networking and other means.

Many users of social networking features think nothing of posting or providing information that would be dangerous if it fell into the wrong hands.

Some commonly methods you should consider educating your user base or client about should include the following at very least.

• Exercise caution on unsecured wireless networks. The free Wi-Fi access at the coffee shop down the street could cost you plenty if it is unsecured and open to the world.

  An unsecured connection is an open network that allows anyone to connect. Information passed from a laptop to the wireless router and vice versa can be intercepted by people with the right tools because it is not encrypted.

  In addition, network attacks can be made from other computer connected to the network.

NOTE: As you learned in our exploration of wireless networks, you should always assume on public networks or unknown networks that someone may be listening.

This assumption, although it may be untrue in many cases, will shape your thinking toward being more cautions with the information you are accessing on these networks.

• Be careful accessing sensitive information in public place. Even on a secured connection or a VPN, people can see what you type on a laptop screen.

  You may reveal sensitive information to a person walking by with a camera phone while you do your online banking.

  The same is true in an office, where a nosy coworkers peering over a cubicle wall or an unscrupulous network administrator spying on a workstation can snag a password.

• Don’t save personal information casually on shopping websites. Most shopping sites offer to save a credit card and address information easier checkout in the future.

  Although the information is supposedly secure, many thefts of such information have occurred recently.

• Be careful about posting personal information. People love to chat and share or post the details of their personal lives on social-networking sites such as Facebook.

  They give the public access to their information and then complain about privacy issues.

• Keep your computer personal. Internet browsers such as Internet Explorer and Mozilla Firefox make it easy to store passwords and form information.

  Anyone who opens such a web browser can check the browsing history, visit secure sites, and automatically log in as you, if you opt to have the browser save your password.

  Avoid storing passwords—or, better yet, passwords protect your computer and lock it when not in use.

  Make a second account on a computer for other people to use so information is kept separate, and make sure that account is password protected and not given high level access such as that available to an administrator.

NOTE: Also consider that when you upgrade a browser to a newer version, some provide an extensive library of plug-ins, extensions, and add-ons that can make the browser more seucre than it would be on its own.

For example, a browser such as Chrome offers extensions like Chostery, Adblock Plus, AVG Antivirus and others.

Over the last couple of years, some of the most insecure browsers plugins have even been discontinued or plan to do so have been announced.

Plugins such as the popular Adobe Flash and Oracle’s Java have both recently announced that they are to be phased out or killed off completely.