Chapter 30

Summarize Behavioral Security Concepts

In this chapter, we examine CompTIA IT Fundamentals+ Objective 6.3: Summarize behavioral security concepts. We will cover the following topics:

• Expectations of privacy when using:

  • The Internet (social networking sites, email, file sharing, instant messaging)

  • Mobile applications

  • Desktop software

  • Business software

  • Corporate network

• Written policies and procedures

• Handling of confidential information (passwords, personal information, customer information, company confidential information)

While an increasing number of websites now support secure connections using the HTTPS protocol instead of the insecure HTTP protocol, privacy threats come from some websites in the form of tracking cookies.

Searches for products and services with leading browsers and search engines typically store tracking cookies on your system. These tracking cookies are used to deliver targeted ads in news and information websites and can be used by malware to record and send your search history to hackers.

Depending on the browser, you might be able to block cookies from specific websites, allow cookies from specific websites, clear cookies when you close the browser, block all cookies, or block third-party cookies.

Here’s how to access cookie settings on leading browsers:

• Google Chrome: Enter chrome://settings/content/cookies into the address window.

• Opera: Open the Menu tab, scroll down to Cookies.

• Firefox: Open the menu (three-line icon), click Options, click Privacy & Security, scroll down to Cookies and Site Data.

• Internet Explorer: Open the menu (gearbox icon), click Internet Options, click the Privacy tab, click Sites (to change cookie settings for specific sites) or Advanced (to configure general cookie settings).

• Edge: Open the menu (three-dot icon), click View Advanced Settings, scroll down to Cookies.

• Safari: Click the Safari button in the menu bar, click Preferences, click Privacy, scroll down to the Block Cookies section.

E-commerce websites that are not adequately protected against attack can expose your personal information to theft. It’s not unusual for some credit and debit card users to need to replace their cards several times a year due to identity theft threats against retailers and e-commerce sites.

Many governments track web usage and take actions against users they suspect of performing anti-government activities.

To achieve a reasonable level of Internet privacy, users need to take steps such as the following:

• Use virtual private networking (VPN) connections to remote servers. VPN connections are encrypted. Some third-party VPN providers include NordVPN (https://nordvpn.com/) and TunnelBear VPN (www.tunnelbear.com). Many VPN services work with mobile devices as well as computers.

  Note

  Windows 10 includes a built-in VPN provider, or you can use a third-party provider. To learn more, see https://support.microsoft.com/en-us/help/20510/windows-10-connect-to-vpn. To learn how to set up a VPN in macOS, see https://support.apple.com/kb/PH25513?locale=en_US. To connect to a VPN using Ubuntu 18’s GUI, see https://help.ubuntu.com/stable/ubuntu-help/net-vpn-connect.html.

• Switch to a browser that provides greater privacy protection, such as Tor (www.torproject.org), Brave (https://brave.com), or Epic (www.epicbrowser.com). See https://www.techworld.com/security/best-8-secure-browsers-3246550/ for additional options.

• Switch to a search engine that does not track searches, such as DuckDuckGo (www.duckduckgo.com).

• Use a single-use credit card (also known as a virtual credit card) for online shopping, such as Bank of America ShopSafe (https://www.bankofamerica.com/privacy/accounts-cards/shopsafe.go) or CitiCard Virtual Account Numbers (https://www.cardbenefits.citi.com/Products/Virtual-Account-Numbers).

• Use a secure payment service such as Apple Pay (https://www.apple.com/apple-pay/) or Google Pay (https://pay.google.com/about/) for online and retail shopping.

How can you continue to enjoy social networking without revealing too much about yourself? Here are a few tips: Don’t overshare about your life; tweak the privacy settings in your social networking apps; don’t overshare about your work; make sure you know who the connection really is; and don’t get duped by impersonators. For more details and more tips, see https://www.nortonsecurityonline.com/security-center/15-social-networking-safety-tips.html.

However, the contents of an email message that have been sent can be generally expected to remain private until delivered. Of course, the receiver may distribute the contents of an email if desired. To ensure the privacy of email during transit, use a secure email protocol such as Secure Sockets Layer/Transport Layer Security (SSL/TLS).

A major exception to the privacy expectations of email contents takes place when a corporate, education, or business network or email system reminds users at logon that their use of the network or email system is monitored. Public Internet access via Wi-Fi at kiosks, libraries, coffee shops, hotels, airports, and business centers often uses captive portals for free access. To use Wi-Fi Internet access, you must agree to the provider’s accepted use policies, which frequently include provisions for monitoring.

Some of the people issues that cloud file sharing can have include insider threats, phishing attacks, and what happens if an authorized user’s credentials are lost or compromised. Data issues can include malware, which can be spread to all users of an organization’s shared cloud storage; how to classify data; file permissions; and encryption.

To help organizations protect their cloud file sharing assets, some companies such as Trend Micro, Symantec, and others now offer cloud security services that work in a similar fashion to local or network security apps. For companies that use multiple products from third-party vendors to protect their local and network files and want to use the same apps, Avanan has partnered with dozens of security vendors (anti-malware, encryption, and so on) to enable cloud storage users to assemble a customized cloud file sharing security stack.

Another threat to privacy is the use of P2P file-sharing (peer-to-peer) services such as Gnutella, BitTorrent, and others. These are often used for illegal downloads, although some organizations also use them for faster downloading of large files such as Linux distributions.

If illegal downloads are shared over a corporate network, users can put a company in legal jeopardy, and many P2P apps make it easy to share folders that contain confidential information with other users. P2P is useful in creating mesh-type network services, but if P2P is used for file sharing, it can threaten privacy. For more, see https://www.cio.com/article/2436917/security0/stop-that-attack--blocking-and-stopping-network-intruders.html and https://www.csoonline.com/article/3030711/security/current-p2p-trends-threatening-enterprise-security.html.

File sharing using built-in operating system features can also be a security risk. With some operating systems, it is possible to disable password-protected file sharing. However, this is very risky and is not recommended. To share folders with other users, you must create an account for each user on a system.

Windows 10 formerly included HomeGroup file sharing, in which a single password was used to permit sharing with several users. Starting with the 1803 (spring 2018) release, HomeGroup is gone. Users who want to share a folder or file must select specifically what to share and with whom. See https://support.microsoft.com/en-us/help/4092694/windows-10-changes-to-file-sharing-over-a-network for more information.

Computers running macOS can share folders with other macOS users and with users of other operating systems such as Windows. For details, see https://support.apple.com/en-us/HT204445 or https://www.lifewire.com/set-up-macs-file-sharing-options-2260207.

Computers running Linux should have Samba installed to make file/folder sharing with Windows and macOS computers easy. To learn more, see https://www.networkworld.com/article/3269189/linux/sharing-files-between-linux-and-windows.html. For more about Samba, see https://www.samba.org/.

For truly secure file sharing, consider one of the following methods:

• PGP (Pretty Good Privacy), OpenPGP, and GnuPG use public key cryptography to send and receive files securely. See https://www.openpgp.org/ and https://gnupg.org/ for more information.

• Use encrypted instant messaging (IM) apps. If your current IM app does not support encryption, consider using OTR (Off the Record) messaging, which can be added to some existing IM apps (https://otr.cypherpunks.ca/), or switch to IM apps that do support encryption.

• Create one-time pads for use by the sender and receiver of a message. A one-time pad is a random pre-shared key containing the same or longer amounts of random characters used to encrypt the message. The message can only be deciphered by someone with the same one-time pad. This method has been widely used in espionage. To learn more, see http://users.telenet.be/d.rijmenants/en/onetimepad.htm.

• Use secure file transfer methods such as Secure Shell (SSH) or Secure File Transfer Protocol (SFTP). SSH, which creates a secure tunnel over a public network for transferring confidential information, can also be used for secure remote control.

To learn more about these and other methods, see https://www.techradar.com/news/best-ways-to-share-files-securely.

Users of IM apps should be just as careful about what they send and whom they send it to as with email or other communications. Keep in mind that spam exists in the IM world as well as in email. SPIM (spam IM) can be used to send malware, pornographic links, or other undesirable material. Ways to fight back against SPIM include accepting messages only from your contact list, using spam blockers on corporate networks, and reporting spam text messages. See https://zamparoblog.wordpress.com/2016/01/05/stopping-scam-and-spam-phone-calls-and-text-messages/.

Some IM apps include additional privacy and security features, such as encryption, screenshot warning or blocking, and self-destructing messages. Pryvate (https://www.pryvatenow.com/#Home), Wire* (https://wire.com), Wickr* (https://wickr.com/), Telegram*^ (https://telegram.org/), Signal*^ (https://signal.org/), and Confide*^ (https://getconfide.com/) are some of the IM apps you can choose from. A self-destructing message is a message that will delete itself after the message is opened and read. It might use a timer that counts down from the time the message was opened or from the time the message was sent to determine when to destroy the message.

*Free version available

^Also available for desktop

• Angry Birds Space (game): Contacts

• AT&T Maps (directions): Contacts, Location, Microphone, Phone, and SMS

• Google Chrome (web browser): Camera, Contacts, Location, Microphone, and Storage

• CVS (shopping): Camera, Contacts, Location, Microphone, and Storage

• Schnucks (shopping): Camera, Location, and Storage

As you review the permissions list for an app, you might ask yourself, “Why does a shopping app need access to my contacts?”

If you are concerned about privacy, take a careful look at the list of app permissions before you install a mobile app. According to a report by the Pew Research Center in 2015, six out of ten smartphone users surveyed decided not to install an app because of the permissions it needed, and 43% of those surveyed uninstalled an app because of the permissions it used.

What can you do about permissions that can affect your privacy after a mobile app is installed?

iOS users can download the MyPermissions Privacy Cleaner from the App Store to view and fix privacy issues for already-installed apps. Learn more at https://itunes.apple.com/us/app/mypermissions-privacy-cleaner/id535720736.

Mobile devices running Android 6.0 and above can adjust app permissions by following the steps available at https://support.google.com/googleplay/answer/6270602?hl=en.

IT departments can use mobile device management (MDM) software to monitor what mobile devices are doing, manage them, and keep them secure. MDM can work with a mix of providers and devices that use different mobile operating systems.

IT departments can also manage and enable apps on both corporate and end-user-owned mobile devices used in a particular organization by using mobile application management (MAM).

MAM vendor Arxan recommends seven best practices for mobile application security. Here are some highlights:

• Implement security measures at the application layer.

• Don’t limit tools to anti-malware.

• Only download apps from trusted enterprise app stores.

• Ensure the app does not save passwords.

• Encrypt data in transit.

• “Listen” to the traffic that flows between the mobile app and the web server.

• Contain critical corporate data.

For details, see https://www.arxan.com/arxan-blog/7-best-practices-for-mobile-application-security.

• Setting up screen locks. A screen lock can be a static image or a screensaver that is displayed in place of your normal display when the system is locked, either before you log in or by temporarily locking the screen.

  Note

  To lock the screen in Windows, press the Windows key+L. To lock the screen in macOS starting with High Sierra (10.13.x) and newer, press Command+Control+Q. With older versions of macOS, use Control+Shift+Eject. In Linux, screen locking can be done from the command line or from the GUI. For details, see http://xmodulo.com/control-screen-lock-settings-linux-desktop.html.

• Setting up whitelists (allowed websites) or blacklists (blocked websites) in your browser. If you use an operating system that supports controls for child accounts, such as Parental Controls (macOS: https://support.apple.com/kb/PH25799) or Family (Windows 10: https://account.microsoft.com/family/faq/), you can use the family control software’s blacklist/whitelist feature for websites and for apps.

• Using intrusion detection software to help detect and stop network-based intrusion. See https://www.lifewire.com/ids-and-prevention-ips-software-2487316 for free software for Windows, Linux, and macOS.

• Installing encryption software for drives, files, and email. See Chapter 33, “Explain Common Uses of Encryption,” for more information.

• Using steganography, which hides information such as text or images inside a different type of document. To learn more, see https://www.computerworld.com/article/2576708/security0/steganography--hidden-data.html. For tools, see https://resources.infosecinstitute.com/steganography-and-tools-to-perform-steganography/.

Desktop software also requires permissions to operate. How permissions are assigned varies greatly among operating systems. To learn more about how Windows, macOS, and Linux assign file permissions, see “Permissions,” p.359, in Chapter 17.

Grammarly (grammar checker):

• See the websites you visit

• Read and change info on sites you visit

• Read and change anything you send or receive from websites

• Store personal browsing data on your device

The Grammarly app page did not have a link to the vendor’s privacy policy.

WhatsApp Desktop (chatting):

• Uses all system resources

The WhatsApp Desktop app page has a link to the vendor’s privacy policy.

Skype (voice, text, video chat):

• Use your web cam

• Use your microphone

• Use your contacts

• Access your Internet connect ion

• Access your home or work networks

• Read and delete text messages

• Access all the phone lines on your device

• Use your device’s voice over IP (VoIP) services

• Background VolP

• Read contact information

• Query software licensing policies

• Access your settings from when you first signed in to your device

• Access your Windows Phone identification data

• Have control over your Windows Phone

• Make use of SMS and RCS

• Send SMS and MMS messages

• Read and write all SMS and MMS messages

• Project the screen on another device

• Human Interface Device (HID) Telephony

• xboxTrackingStream

• Use your devices that support the HID protocol

Metadata is data about data. For example, the metadata in a file is information about the app or device that created it; the date and time it was created, last modified, or last viewed; keywords; author; number of words; print dimensions; and much more.

Some metadata is visible and easily modified. For example, the Info tab of Microsoft Word or other Office apps’ File menu lists many file properties that can be added to or changed (see Figure 30-1). The Check for Issues menu shown in Figure 30-1 is the gateway to the Document Inspector shown in Figure 30-4.

To view the metadata in a PDF file using Adobe Acrobat, open File, Properties, Description, Additional Metadata (see Figure 30-2).

To see the exposure and camera metadata for a digital photo, examine the photo’s details (see Figure 30-3).

What many users do not know about metadata is that information such as hidden text is also stored in a document’s metadata. For example, an earlier draft of a report critical of a company decision might contain a phrase such as “The head of Department X is a complete fool and should be fired yesterday.” Upon reflection, the writer of the report decided to hide that sentence and replace it with “The head of Department X made an unwise decision.”

As a document is saved, the later version with the more diplomatic language replaces the earlier version in the visible version of the document. However, the hidden text is still stored in the document.

If the document is sent out unchanged, the hidden text can be revealed and the writer of the letter could be fired. To clean up metadata, use the Document Inspector option and remove hidden text, author, and other data (see Figure 30-4).

• https://www.americanbar.org/publications/gp_solo/2012/november_december2012privacyandconfidentiality/what_are_limits_employee_privacy.html

• https://app.lla.state.la.us/llala.nsf/B84716BFA23CB2C686257FB1006D7957/$FILE/Privacy%20Expectation%20in%20Public%20Workplace%20Electronic%20Communications.pdf

In general, unless a legally binding policy of employee privacy has been provided by the employer, employees should not regard email, instant messaging, or other computer or device uses as private.

If an AUP needs to be developed or revised, here are some of the issues that should be included in such policies:

• Rules regarding employee email use

• Whether employees can use company-owned equipment for shopping, email, or other personal tasks

• When employees can use company-owned equipment (lunches, breaks)

• Use of personal devices (bring your own device, or BYOD) such as smartphones and tablets for company work

• What state law might require you to include

There are many sources for workplace privacy templates that can be used to create a privacy policy. Take a look at the following resources for information that can be helpful in creating or updating an employee privacy policy:

• “Privacy at Work: Know Your Rights” (text and infographic): https://privacypolicies.com/blog/privacy-at-work/

• “Privacy: What you need to know” (includes links to state-specific regulations): https://www.blr.com/HR-Employment/HR-Administration/Privacy

Some general procedures help protect confidential information of any type; these procedures include the following:

• Don’t download or open emails with unexpected attachments.

• Use password-protected screensavers or lock screens when a device is not in use or if the user is not present.

• Use network storage for backups.

• Make sure all updates for the operating system, apps, and other functions are installed. This might require the user to log off.

• Make sure users are trained in security issues that concern their work.

Personal information, as well as customer information and company confidential information, should be accessible only on a “need to know” basis, should be stored on a secure network server, and should never be stored on mobile devices unless strong encryption is used to protect the contents. As an alternative to storing information on mobile devices, use a virtual private network (VPN) with two-factor authentication to permit secure remote access if necessary.

Printed information of these types should be stored securely and shredded when it is no longer needed.

Here is a selection of policies that provide more detail in protecting all types of confidential data:

• University of Chicago HR: http://humanresources.uchicago.edu/fpg/policies/600/p601.shtml

• UConn ISO: https://security.uconn.edu/guidelines-for-responsible-handling-of-confidential-data/

• Federal Trade Commission: https://www.ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business and https://www.ftc.gov/tips-advice/business-center/guidance/stick-security-business-blog-series

Privacy

tracking cookies

virtual private networking (VPN)

single-use credit cards

Apple Pay

Google Pay

social networking

expectation of privacy

SaaS

cloud file sharing

P2P file sharing

instant messaging

mobile apps

permissions

personally identifiable information (PII)

metadata

personal information

customer information

company confidential information

1. Customer information

2. Personal information

3. Metadata

4. Company confidential information

2. You are preparing to submit a digital photo to a photo contest and you don’t want to reveal the camera and lens you used. Which of the following do you need to remove from the file?

1. Personal information

2. Metadata

3. Permissions

4. Company confidential information

3. Before you install a mobile app, you notice that the app wants to access your contact list and GPS navigation. These are examples of which of the following?

1. Personal information

2. Permissions

3. File sharing

4. Privacy

4. You need to work remotely using a public Internet connection at a coffee shop. Which of the following should you use to make a secure connection?

1. Virtual private network

2. P2P network

3. Social networking

4. Dropbox

5. You are using a P2P file-sharing service to download a Linux distribution. You notice that in addition to the Linux installation files on the remote server, you can also see files such as Salesforecast2019.xlsx and SuperCrispv2.pptx. If you download these files, you might be downloading what type of information?

1. Customer information

2. Company confidential information

3. Metadata

4. Personal information

6. You want to use IM to communicate breaking news to your company’s sales force. However, you want to make sure the messages are removed after 72 hours. Which of the following features does your IM service need to support?

1. Self-destructing messages

2. Encryption

3. Screenshot blocking

4. Voice chat

7. Some of your co-workers using macOS computers are complaining about app permission settings. Which of the following do they need to use to view and change permissions?

1. Settings

2. System Preferences, Security & Privacy

3. App Store

4. Finder

8. HR has received an email claiming to be from the company’s CEO asking for the names, contact information, and social security numbers of its food scientists. The email is a phishing email that is attempting to compromise personal information. What else might the email be attempting to compromise?

1. Metadata

2. Customer information

3. Permissions

4. Company confidential information

9. You are part of a task force developing a privacy policy for your company. Which of the following do you need to add to the policy to cover personal smartphone usage?

1. BYOD policy

2. BYOB policy

3. Permissions policy

4. IM policy

10. Which of the following represents information that can be used to identify a person that is stored in a file’s metadata?

1. SPIM

2. MDM

3. MAM

4. PII

11. Which of the following is an alias for a regular credit card number that can be used one time for online purchases?

1. Apply Pay

2. Single-use credit card

3. Single sign-on payment

4. Google Pay

12. Which of the following is a legal test used to determine how the Fourth Amendment of the U.S. Constitution applies to a particular issue of privacy, such as employee privacy?

1. Expectation of privacy

2. Permissions based on need to know

3. Permissions based on least privilege

4. Intrusion prevention system test

13. Which of the following is a file stored on a computer or device by a website a computer or device visited and can be used for targeted ads and to track where a user goes online?

1. Location data executable

2. Single-use applet

3. Tracking cookie

4. Metadata file

14. What can iOS users download from the App Store to view and fix privacy issues for already installed apps?

1. Location tracking remover

2. MyPermissions Privacy Cleaner

3. Apple App Privacy Filter (AAPF)

4. Personal information eraser

15. You have just been hired as a Certified Information Privacy Technologist. Before you start your new job, you have been asked to sign a document stipulating constraints and practices that you must agree to before accessing the corporate network. What is this document called?

1. AUP

2. NDA

3. EULA

4. PIIA

16. Which of the following is a network protocol that establishes a secure tunnel allowing remote users to log in securely?

1. MDM

2. SSH

3. HTTP

4. One-time pad (OTP)