Online Security Basics

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with

Already have an account? Sign In »

25 minutes
Video Transcription
Our next section is on some online security basics. How to protect yourself when you're out on the Internet, you're browsing the Web, you're exchanging information across the Internet and across these boundaries. We want to make sure that we're using good, safe, basic security principles, and we know what to look for.
So online browsing we open ourselves up to a potential
just a plethora of threats out there on the Internet, whether it's compromised. Website, spoofed website, sending information that's unencrypted and yet sensitive sending in tow illegitimate sources. You have to be very, very careful when we talk about this idea of rogue
websites and you'll see this is our second bullet point.
A rogue website is another way of saying a spoofed website. Smoothing is all about impersonation. So, for instance, I go to a website that appears to be Bank of America. I don't know if you've ever missed tight a Web address like, for instance, Craig's list. If you type out
Craigslist, you'll go to Craig's list. But if you type out c r I a. G instead of a I G. If you transpose your letters, you'll go to a website that someone could reasonably think is Craigslist if they've never been to Craigslist. It's not an out and out blatant copy, but it's similar enough to make me think, Oh, maybe this is it.
So with these rogue websites, they could be very basic. It could just be about advertising. It's just a different site, and I get so many dollars for every click. I get those air fairly innocuous. But if I make it look enough like Craigslist, and if I ask you for enough information that you'll provide
well, that's where identity theft and personally identifiable information gets compromised.
That's why when we connect Thio financial sites and other sites where I want to make sure that my information is secure will use H T T P s. Instead of http
Https stands stands for hypertext transfer protocol secure and its certificate based. So when I connect to Bank of America or Wells Fargo or wherever, I might connect when I type out with https that essentially says that particular Bank of financial server
needs to send me back a certificate
that guarantees that that's a legitimate server, and I'm sure many of us have seen these certificate warning messages that say this has not been signed by trusted authority or the certificate is expired, blah, blah, blah.
Sadly, what most people do when they get an error of this nature,
they think, What's the first button I can click on to make this pesky security warning message go away? Because I gotta hurry up and send my financial information to some known stranger on, you know, some unknown stranger across the Web.
And I think sometimes we get desensitized to air messages because we see a lot of them. The thing is, when I'm trying to initiate a secure connection
and that server comes back with the reason they can't provide a secure connection, there's a problem there. There's no reason my bank can't provide me with a legitimate certificate or my financial institution. So one of the things I'll tell youse part of online security is stop and look
when you get an air message. The thing that used to drive me crazy because I started years and years ago in technical support,
my favorite help desk call was you know, when I do such and such function, I get an error message was their message. Say I don't know. I just quit. Cancel. I can't help you.
We've gotta stop and read these air messages. They're short. Even if you're a little attention. Aly challenged their three lines. Slow it down and look at what those air messages are there trusted websites and their untrusted websites.
And when you're following the link of a link of a link of a Web page, unless it's
from the same entity, you could be looking at something untrusted. You know, you're known financial institutions, the one that one's you can connect with. Https usually consider those trusted. And as a matter of fact, when you have that secure connection, if you look up at the browser bar, you'll see the little walk.
And a lot of times, depending on your browser, it may have a green background in the U R L to give you that degree of security,
but there are so many sites out there that are untrusted, whether they're intentionally malicious or perhaps they've been compromised. We really have to be very, very careful. So how to send information securely as I've mentioned, use https. When you connecting to your banking server, your financial servers,
honestly, most of those servers don't give you a choice.
Even if you were to type in http
Bank of America or whatever, it would actually switch that to being a secure connection. So that's good. But I would be very conscious that that happens before I send financial or sensitive information.
I want to see that lock up in the URL or up in the address. More or different browsers display that differently, but it's kind of universal that you'll see a lock to indicate it's secure.
Check for that. And if you're not getting that, what I would do is I would stop. I would make sure that I actually have connected to the right address. I didn't maybe transpose characters, and then I would think about Is there a different way to get to that website? Maybe,
you know, go out Google to make sure Wells Fargo's address as well smarter dot com
Sometimes the address space that a company wants is already taken up, so they have to use a modification on that. Don't assume just because that's the name of the company that that's their website. So if you're not getting that secure connection, if you're not seeing that lock in the browser bar, stop and figure out why. There's no reason somebody wants your money
without giving you a secure connection
other than they want your money on securely. So think about that. Whenever browsing, look for suspicious signs. Some of these signs are on the next page. You know when a website doesn't behave as you would expect it to. There's a reason for that. One of the common things that you'll see his bright browser hijacking
and browser hijacking can take all sorts of different forms. But if you've ever gone and downloaded a file
and the next thing you know, you go to open up your browser and your home page takes you somewhere different. You've never been before or your search engine has been modified or you have a brand new toolbar
again. We want to be very careful what you download from the Internet.
There's a reason I'm giving you something for free. So a lot of times when you click that end user license agreement, it says, such and such software will be installed as part of this installation. So you have to read that whole agreement to really know where, sometimes as part of the Wizard, it'll have default settings that allow you to do that.
And a lot of times when you go through and you remove those pieces of software,
they leave remnants behind that can later on affect your system. So just be very careful with what you download from the from the Internet. But browser hijacking It's gonna modify your browser in some form or fashion. And if you've ever gone to a Web browser, where every link you click on takes you to an advertisement for such and such,
you have a serious infection, and at that point time
you need contact somebody with some security skills. In order to clean up your system, your browser should behave the way a browser supposed to behave. Andi. I've seen it numerous times being asked to clean up a browser where you type in google dot com, and yet it takes you to x y z dot com instead.
And there's flashing,
um, Jeff files that are dancing bears and please, you know, give us your credit card information and data. Obviously, something has gone on, but the thing is, don't let it continue. Well, it only happens every 10th time. I'm okay, Stop because these problems are gonna get worse and worse.
And that's just a indication that something's been installed on your system.
That could be much more sinister than what it does your website. You know, again, these by now, once you start hitting, getting the pop ups and not only are there pop ups, but they're also pop unders. You know, if you close out all the windows from your browsing section and there's still Ah, little window to some sight you've never been to before, that might indicate,
there's been some sort of compromise. The pop throughs. A lot of times, those were part of the Web page that you go through. So you find this fascinating article, you click on it, the page start slow, then also on the page goes black
and a picture of a Ford Escort comes out, you know, and you can't. You have to watch portion of the ad for you can close it out. It's not really an attack. That's part of the advertising on the Web page, so I wouldn't be as concerned with that. That's fairly common.
Doesn't install toolbars without your permission. Once you download and let me tell you, sometimes we make mistakes, right? Sometimes. Oh, I shouldn't downloaded that. So indications that I've downloaded something malicious or all these things. Listen, it's never too late to contact your security people. And let me tell you this. I've been a security person for a long time.
I don't expect everybody to be perfect.
I don't want you to be embarrassed. If you've done something you shouldn't. What I want is to know about right because I can fix it if I know about it. So when you've done something honestly, my best tip to you is called the security professional and say, Look, in hindsight, I probably shouldn't have done this
at my mind on different things. Here's what happened.
Be upfront and honest with you, and I'll tell you, your security people should be very grateful to you because most people are many people. When they find they've made a mistake, they want to hide it.
That's where the problem is. Come clean. Blame it on being up all night with your 20 kids or your dog or this or that. Blame it on whomever you want, but let me know. I can fix the problem if I know about it. Okay.
All right. Again. I have scanned your computer and detected viruses. No, I haven't. I can't scan your computer from before, Certainly if you have the security settings that you should have on your system. So these ads that say
click here to download our any virus off we've detected Trojan 99 dot e x e. That's a popular one.
One that was particularly nasty was the Windows seven security alert. So it pops up and it looks just like, ah, security box from windows. But the thing is, windows doesn't really have that feature that comes up and puts away a window in the middle of your screen saying you're infected.
A lot of any virus programs might have something comparable, but Windows dozens.
So that's my first sign that I've had an infection. Somebody telling me I've had an infection and what happens is when you click on that link, that's actually what launches the malicious code.
Now, at that point in time, all sorts of terrible things can happen. There could be weeping and gnashing of teeth and all sorts of bad stuff. One of the worst things is an attack called a fork bomb, and maybe you've seen this on your system before. But what a fork bomb does is it opens up all the available processes on your computer.
So without getting too technical,
every system has a limited number of applications that could be running at any given time.
What a fork bomb does is it. Lets say your limit is 100. It'll open up 100 applications. What that means is, in order to try to remove this, you can't open up McAfee or Norton. Why?
Because that's another process and you've already opened your maximum. Well, that's okay. I'll browse to the Internet. And no, that's another application. Will let me use task manager to shut this note. That's another application.
One of the things also that I note about these types of attacks in this malicious code is
I know how end users respond, and most in users would rather eradicate the problem rather than calling the security team.
So what I'll do is I'll lay some trap some traps for an end user trying to fix the problem. You know, I'll give you dialogue box that says closed. But when you click on that button that says Closed, it launches something else or it has some other sort of payload. So again, and I hate to sound like a broken record. But
when you first detect that, there's been a compromise that you downloaded maybe something that you shouldn't
go ahead and pick up the phone and let somebody that has some experience in some background dealing with these Attackers tricky, poorly built websites where it's hard to find what you're looking for. That's an indication there's a problem. You know, click here to download on this file. You click there, and it takes you somewhere else. Or,
you know some of these sites where it's hard to find where you click on the button to download what you're looking for.
Everything you click seems to take you somewhere else. That's a poorly designed the tight, but it's there for a reason
all it takes to launch malicious code, and in some cases it may not even take this much. But clicking on a link or clicking on a button on a Web page. If you've ever seen the African what they call this type of the pack, but I've seen it a lot where your mouths, When you move it up to the top of the screen, it comes a set of crosshairs,
and your job is to click on the bear that's going back and forth, back and forth, back and forth.
Well, it's not that hard. So why are they asking me to do that? They're getting me to click on a portion of the screen that will install when I click that I'm essentially saying, Download this file or provide this, you know, malicious script to run the ability to run. There's no good reason. I'm going to say,
Hey, click on this balloon and you get the chance of $100.
I'm basically saying, I'll give you a chance at winning $100 that chance is one in a 1,000,000 or one in a trillion
for clicking here. What sense does that really make? What I'm trying to buy from you is your clique. What does that click do?
Install software, social media? My goodness, My goodness, I don't know of anything that has provided the largest compromise of individual security and organizational security than social media. And if you think about social media, what's the point? It's about sharing information,
right? Here's what I'm doing every second of the day. Well, here's a picture of my breakfast in my lunch, and here's where I am at this second. Well, all of that information is valuable. And if you think about it,
information that I put up on a server like a Facebook server, for instance, that information is no longer mine. That information now belongs to Facebook. What his Facebook do? Collect that information and find somebody that wants it.
There's a term that's becoming very value very prevalent today, and you'll hear the term big data a lot.
Well, big data means we, as individuals, have put so very much information out there about ourselves through frequent shopper cards, through making a purchase at a store and giving our telephone number in our email address, allowing thes
the spyware programs to collect our online browsing service.
So when you talk about big data, what companies want to do is they want to harness that information
so that ideally, let's say, maybe I go to Ford's website
okay, and I type in my user name and password.
Well, that information, ideally would be retrieved and would bring along a set of attributes with that. Okay, So targeted marketing is huge.
Does Ford, though? Do sport really care that I'm 44 years old?
Oh, yeah. I am perfect age for midlife crisis. All right, so there's that.
Do they care that My favorite colors Blue? Yep.
Did they care that I have pretty good credit? Yep.
Do they care that I have
the occasional speeding ticket?
So when I go to forge website along with my credentials, what do I see?
All right, so Ford says, What kind of car are we gonna show to a young a young woman to a woman at midlife crisis who likes Blue? He's got a heavy foot as good credit. They're gonna show me that brand new Ford Mustang convertible, right? And someone else with different attributes might see something different.
So that's a positive way, at least for an organization to use all of this big data for marketing. But think about how else it could be used. You know, again, the fact that I have all this information about Kelly Hander Hand might that be used in some way to get some court related information
or some financial information.
You know most of these social engineering attack. Start with aggregation.
Give me a little bit of information about you that I can use to get a little more.
Then I'll take that and get a little more in a little more. So all this data that we're putting out there can really be a compromise. You know, you see reports of soldiers out in the field uploading pictures to Facebook with some sort of geographic landmark in the background, so that discloses their location.
There's GPS information embedded into these images. Perhaps,
Um, there's a lot of information that we intentionally unintentionally make available. Used to be a site called something like Rob my house dot com, and what it did with the people behind that site did is they went out and took advantage of all the people posting. Here's where I am. I'm on vacation. I'm here. I'm there.
Well, if I'm on vacation with my family in Hawaii,
who's at my house?
All right, that's just common sense. So some of these things and one of the things about these attacks this was designed for fun. It was designed for information sharing with my family. But always Attackers were looking for these things that they can use to their own benefit again. New social media responsibly
and wisely.
Um, your foot print your digital footprint is there forever. And I will tell you that before I walk into a job interview, I can guarantee you
80% of the decision whether to hire me or not has already been made because they have checked my social media. They have checked what I've done and said, What political rant I've gone on or this that or the other. And they're looking for me to come in and change their mind, which might be an uphill battle.
We're just confirmed what they already know about me.
Hey, this stuff lives on forever whether you delete it or not.
And they're instances. One of the funniest stories to me was
a guy had an interview. I believe it was with Cisco, and it was a high end, high tech position, and he was awarded the job. And on his Twitter, he tweeted.
Now I have to decide whether or not to sell my soul to the big corporate devil or continue doing what I really like.
And he got a response. That said, at Cisco, we know how to use Twitter to job offer rescinded
numerous instances where Facebook posts have come up in court cases there. Even some employers that don't just want your Facebook page, they want your name and password.
That's a very, very sticky situation to me. I wouldn't do it, But let me tell you, somebody that wants a job, it's a good job. Good benefits and all that's keeping me is turning over my social media history. People will do it.
Be very cautious. What you delete doesn't go away. It stays there. And it's just waiting
for your social media. Let me tell you, it's about information sharing. It's free. The reason it's free is because advertisers, by information there, we know that you post a picture of your dog, and the next thing you know, you get an advertisement in your inbox.
Wouldn't you like to buy a brand new pug calendar for the year 2016 or whatever that may be?
And then, of course, every now and then you get some sort of advertisement you think
who in my friends list? Because that's the thing. It's not just what you post, it's what your friends post. So every now and then you get some crazy advertisement, you think, What is it about my life that tells them I would want this purchase every now and then? They're all
but you want to be very careful. You wanna read the privacy statement,
figure out the security settings security as much as you can be very cautious about sharing things with the public because people will, you know, modify that reposed, and it can go anywhere. Another thing I'm gonna tell you to really, really watch out for. I think we've all seen these links on social media.
Click like If you hate cancer,
I'm going to go out on a limb and say the vast majority of people hate cancer.
So what good does it do for me to click like Well, here's what it does. So I set up a page that says Citizens Against Cancer and I get a 1,000,000 likes. Then I change that to Kelly's anti aging cream,
and I changed the page title and I've got a 1,000,000 likes that makes me look very, very legitimate, right?
You know, and I'm not saying they're all fraudulent, you know, uh, what was the latest tear jerker? You know, one that's very common that comes around, is adopted Children looking for their parents or the kids that say my dad will quit smoking if I get 1000 likes. There are ones that say
My students want to know how far this Facebook image can travel.
Do you see how these are things that are really designed to appeal to the masses? You know, the one with the teacher saying they want to see how far this will travel because they're trying to prove to their students how dangerous the Internet is. That is just a CE likely to be fraudulent, trying to get likes as anything else.
Remember, when you go to a website for restaurant that has 10,000 likes?
Gosh, that must be a great restaurant. There's a reason I want you to like my page. Be very cautious, Honestly clicking that you don't like cancer
doesn't really make cancer go away. So why do it?
So what are the big risks?
Financial information online. Always look for the lock in your browser bar. Make sure you're connecting with https.
Some other things that you might think about, um, is. Instead of making purchases
and transmitting your credit card numbers to vendors, look for a company that will pay on your behalf.
So, for instance, PayPal was one of the first companies to do this, where you provide them with your information. One time you give that to the vendor, and then they're the ones sending payment, their online wallet, service's and comparable products that do this paper house just one that most people know right now.
That's safer than me sending my credit card eight million times.
That doesn't mean that PayPal's without approach. It just means it's a step in the right direction.
You strong passwords for your banks.
Don't, um,
uh, don't reuse those passwords. Don't use simple passwords. Change them periodically. We have a section on passwords followed those good password procedures.
When you do have an online banking session or financial session open, for instance, let that be the only window you have open. Don't be multitasking, and when you're done with that service, go ahead and close out. Opening multiple windows could provide a tunnel into your system.
Make sure that when you're sending financial information, it's to a known entity.
You know, some of these things you might purchase online can have an obscure vendor. Always do your due diligence before sending that information. Check with the Better Business Bureau. Verify there's a business license and things of those natures, things that you would check before sending money to someone. All right, Some other things, uh,
consider paying with credit cards rather than debit cards. If your debit card gets compromised, I can clean out your checking account.
And even if your bank may provide protection for that, they're only going to do so after that's been proven and investigated. So in the meantime, you may be out several $1000. It's not like every time you call and say, Hey, I think something was fraudulent. They're just gonna put thousands of dollars in your account. Okay,
but at least with your credit card, they'll put a temporary hold on those charges. So
maybe make that consideration, do your research. You don't deal with vendors that don't have ah, good reputation and check that reputation. Use https as well. So the purpose of the Internet we know is to share information. So when we set about to share information,
we also have to think about making sure that that information is protected
against people that would use that in a malicious fashion. So make sure that you're cautious about what information you're providing. Think twice before you download and have to fill out this long form about your name and address and phone number and Social Security number. And crazy stuff like that. Always be very suspicious
if it's not something you would give to somebody that comes up and asks you for it.
Don't put it in online
criminals. Brow social media sites looking for targets, whether it's phishing attempts, gathering personal information, identity theft, child exploitation. I know you have beautiful Children, but let me tell you, Attackers, no, that is, well, you will be very careful about posts that you put up and personal information.
Uh, don't give out information online that you wouldn't give out in person. That's a good rule of thumb
and always, and I've said this multiple times followed your company's policy. We'll get out what their approaches to social media and honestly, if it's a good policy for your company. It very well may be a good policy for you at home. When in doubt, check with your security.
Up Next
End User: Cyber Fundamentals

The Internet is a dangerous place and those who are not familiar with best practices can be easily manipulated.

Instructed By