Behavioral Security Concepts | CompTIA IT Fundamentals FC0-U61 | 6.3

In this video you will learn about behavioral security concepts such as:  expectations of privacy, written policies and procedures, & the handling of confidential information.

Expectations of Privacy When Using…

In the following sections, you will learn about what levels of privacy you can expect with different types of computer and software use.

The Internet

The internet connects computers and devices around the world with each other and also represents the biggest threat to privacy for everyone who uses it or has their information placed on it.  While an increasing number of websites now support secure connections using the HTTPS protocol instead of the insecure HTTP protocol, privacy threats come from some websites in the form of tracking cookies.  Searches for products and services with leading browsers and search engines typically store tracking cookies on your system. These tracking cookies are used to deliver targeted ads in news and information websites and can be used by malware to record and send your search history to hackers.  Here’s how to access cookie settings on leading browsers:

  • Google Chrome:  Enter chrome://settings/content/cookies into the address window.
  • Opera:  Open the Menu tab, scroll down to Cookies.
  • Firefox:  Open the menu (three-line icon), click Options, click Privacy & Security, scroll down to Cookies and Site Data.
  • Internet Explorer:  Open the menu (gearbox icon), click Internet Options, click the Privacy tab, click Sites (to change cookie settings for specific sites) or Advanced (to configure general cookie settings).
  • Edge:  Open the menu (three-dot icon), click View Advanced Settings, scroll down to Cookies.
  • Safari:  Click the Safari button in the menu bar, click Preferences, click Privacy, scroll down to the Block Cookies section.

E-commerce websites that are not adequately protected against attack can expose your personal information to theft.  To achieve a reasonable level of internet privacy, users need to take steps such as the following:

  • Use virtual private networking (VPN) connections to remote servers.  VPN connections are encrypted. Many VPN services work with mobile devices as well as computers.
  • Switch to a browser that provides greater privacy protection, such as Tor, Brave, or Epic.
  • Switch to a search engine that does not track searches, such as DuckDuckGo.
  • Use a single-use credit card (also known as a virtual credit card) for online shopping.
  • Use a secure payment service such as Apple Pay, PayPal, or Google Pay for online shopping.

Social Networking Sites

Social networking sites such as Facebook and Twitter make it easy to share information with friends and followers, but users should not believe that their posted information won’t go any further.  Ways you can enjoy social networking without revealing too much information are: don’t overshare your life, tweak the privacy settings in your social networking apps, don’t overshare about your work, make sure you know who the connection really is, and don’t get duped by impersonators.

Email

The expectation of privacy in email can be divided into two sections:  the routing information and the content. Just as with telephone numbers and postal mail addresses, the to and from information and other information used to route a message can’t be expected to be private.  However, the contents of an email message that have been sent can be generally expected to remain private until delivered. To ensure the privacy of email during transit, use a secure email protocol such as Secure Sockets Layer/Transport Layer Security (SSL/TLS). A major exception to the privacy expectations of email contents takes place when a corporate, education, or business network or email system reminds users at logon that their use of the network or email system is monitored.  Public internet access via Wi-FI at kiosks, libraries, coffee shops, hotels, airports, and business centers often uses captive portals for free access. To use Wi-Fi internet access, you must agree to the provider’s accepted use policies, which frequently include provisions for monitoring.

File Sharing

Any type of file sharing has some potential privacy risks.  Software as a Service (SaaS) such as Dropbox and OneDrive take care of the infrastructure needed for cloud file sharing, but the organization is still responsible for people and data issues.  Some of the people issues that cloud file sharing can have include insider threats, phishing attacks, and what happens if an authorized user’s credentials are lost or compromised. Data issues can include malware, which can be spread to all users of an organization’s shared cloud storage; how to classify data; file permissions; and encryption.  To help organizations protect their cloud file sharing assets, some companies offer cloud security services that work in a similar fashion to local or network security apps.

Another threat to privacy is the use of P2P file-sharing (peer-to-peer) services such as Gnutella, BitTorrent, etc.  These are often used for illegal downloads.  If illegal downloads are shared over a corporate network, users can put a company in legal jeopardy, and many P2P apps make it easy to share folders that contain confidential information with other users.  P2P is useful in creating mesh-type network services, but if P2P is used for file sharing, it can threaten privacy.

File sharing using built-in operating system features can also be a security risk.  With some operating systems, it is possible to disable password-protected file sharing.  However, this is very risky and is not recommended. To share folders with other users, you must create an account for each user on a system.  For truly secure file sharing, consider one of the following methods:

  • PGP (Pretty Good Privacy), OpenPGP, and GnuPG use public key cryptography to send and receive files securely.
  • Use encrypted instant messaging (IM) apps.  If your current IM apps does not support encryption, consider using OTR (Off The Record) messaging, which can be added to some existing IM apps, or switch to IM apps that do support encryption.
  • Create one-time pads for use by the sender and receiver of a message.  A one-time pad is a random pre-shared key containing the same or longer amounts of random characters used to encrypt the message.  The message can only be deciphered by someone with the same one-time pad. This method has been widely used in espionage.
  • Use secure file transfer methods, such as Secure Shell (SSH) or Secure File Transfer Protocol (SFTP).  SSH, which creates a secure tunnel over a public network for transferring confidential information, can also be used for secure remote control.

Instant Messaging

Instant messaging can lead to privacy issues because instant messages don’t vanish when they’re received.  They stay around on the sender’s device, receiver’s device, and may be stored for some period of time by the messaging provider.  If an instant message has revealed something that should have been kept private or confidential, more people than the sender and receiver could read it.  Users of IM apps should be just as careful about what they send and whom they send it to as with email or other communications. Keep in mind that spam exists in the IM world as well as in email.  SPIM (spam IM) can be used to send malware, pornographic links, or other undesirable material. Ways to fight back against SPIM include accepting messages only from your contact list, use spam blockers on corporate networks, and reporting spam text messages.  Some IM apps include additional privacy and security features, such as encryption, screenshot warning or blocking, and self-destructing messages. Pryvate, Wire, Wickr, Telegram, Signal, and Confide are some of the IM apps you can choose from. A self-destructing message is a message that will delete itself after the message is opened and read.  It might use a timer that counts down from the time the message was opened or from the time the message was sent to determine when to destroy the message.

Mobile Applications

Most mobile apps are free, and some cost a few dollars to license.  In exchange for free or low-cost access, mobile apps require access to a lot of your device’s features.  Some of the permissions mobile apps require could compromise your privacy.

IT departments can use mobile device management (MDM) software to monitor what mobile devices are doing, manage them, and keep them secure.  MDM can work with a mix of providers and devices that use different mobile operating systems. IT departments can also manage and enable apps on both corporate and end-user-owned mobile devices used in a particular organization by using mobile application management (MAM).  Here are seven best practices for mobile application security:

  • Implement security measures at the application layer.
  • Don’t limit tools to anti-malware.
  • Only download apps from trusted enterprise apps stores.
  • Ensure the app does not save passwords.
  • Encrypt data in transit.
  • “Listen” to the traffic that flows between the mobile app and the web server.
  • Contain critical corporate data.

Desktop Software

Desktop software might seem more private than mobile devices, but users must use several techniques to make a reasonable expectation of privacy a reality.  Some of the methods to use include the following:

  • Setting up screen locks.  A screen lock can be a static image or a screensaver that is displayed in place of your normal display when the system is locked, either before you log in or by temporarily locking the screen. To lock the screen in Windows, press the Windows key+L.  To lock the screen in macOS starting with High Sierra (10.13.x) and newer, press Command+Control+Q.  With older versions of macOS, use Control+Shift+Eject.  In Linux, screen locking can be done from the command line or from the GUI.
  • Setting up whitelists (allowed websites) or blacklists (blocked websites) in your browser.  If you use an operating system that supports controls for child accounts, such as Parental Controls (macOS) or Family (Windows 10), you can use the family control software’s blacklist/whitelist feature for websites and for apps.
  • Using intrusion detection software to help detect and stop network-based intrusion.
  • Installing encryption software for drives, files, and email.
  • Using steganography, which hides information such as text or images inside a different type of document.

Microsoft Store

When you view an app on the Microsoft Store, scroll down to the This app can section to see what an app will have permission to do if you install it.  Here’s an example:

Skype (voice, text, video, chat):

  • Use your webcam
  • Use your microphone
  • Use your contacts
  • Access your internet connect icon
  • Access your home or work networks
  • Read and delete text messages
  • Access all the phone lines on your device
  • Use your device’s voice over IP (VoIP) services
  • Background VoIP
  • Read contact information
  • Query software licensing policies
  • Access your settings from when you first signed in to your device
  • Access your Windows Phone identification data
  • Have control over your Windows Phone
  • Make use of SMS and RCS
  • Send SMS and MMS messages
  • Read and write all SMS and MMS messages
  • Project the screen on another device
  • Human Interface Device (HID) Telephony
  • xboxTrackingStream
  • Use your devices that support the HID protocol

To see the full list of permissions for an app, click the More link after the list of displayed permissions.

App Store (macOS)

App Store apps are not granted permissions by default.  App Store apps request individual permissions to use system features such as Location, Contacts, and so on.  The user grants or denies each permission, and users can view or change permissions by opening System Preferences, Security & Privacy.

Linux

Linux supports file permissions but does not have a standard way to view or control app permissions.

Business Software

Business software’s principle privacy issues center around the storage of personally identifiable information (PII) in a file’s metadata.  PII is information that can be used to determine a person’s location, identity, contact information, organization the person is involved in, etc.  Metadata is data that provides information about data. For example, metadata in a file is information about the app or device that created it; the date and time it was created, last modified, or last viewed; keywords; author; number of words; print dimensions; too include hidden text.

Corporate Network

Most corporations monitor employees’ emails, telephones, &mobile devices over the company’s network.  Unless a legally binding policy of employee privacy has been provided by the employer, employees should not regard email, instant messaging, or other computer or device uses as private.

Written Policies & Procedures

Most organizations have an acceptable use policy (AUP) that employees, associates, or students must sign as a condition of getting network access.  An AUP defines what users are permitted to do or banned from doing with the organization’s network or internet access and might also specify what steps to take in the event of other employee’s misuse of devices or if a virus or malware is detected.  If an AUP is not signed and the employee uses the network or the internet, or if the AUP does not clearly provide rules on internet and network access, privacy issues can result.

If an AUP needs to be delivered or revised, here are some of the issues that should be included in such policies:

  • Rules regarding employee email use
  • Whether employees can use company-owned equipment for shopping, email, or other personal tasks
  • When employees can use company-owned equipment (lunches, breaks)
  • Use of personal devices (bring your own device, or BOYD) such as smartphones and tablets for company work
  • What state law might require you to include

Here are a couple of resources to that can provide workplace privacy templates that can used to create or update an employee privacy policy:

Handling of Confidential Information

The handling of confidential information safely is a critical part of any organization’s IT functions.  Mishandled information can result in widespread identity theft, loss of company secrets, etc. Some general procedures help protect confidential information include the following:

  • Don’t download or open emails with unexpected attachments.
  • Use password-protected screensavers or lock screens when a device is not in use or if the user is not present.
  • Use network storage for backups.
  • Make sure all updates for the operating system, apps, and other functions are installed.  This might require the user to log off.
  • Make sure users are trained in security issues that concern their work.

Passwords

Password policies should cover minimum length, complexity requirements, periodic password changes, and whether and when old passwords can be changed.

Personal Information

Personal information is information about a specific individual, such as full name and nickname(s), address, telephone or mobile number, email, citizenship, employment status, salary, department, photo, credit ratings, and similar.  If this information is compromised, an individual could be targeted for identity theft, robbery, assault, or other crimes. Personal information should be accessible only on a “need to know” basis, should be stored on a secure network server, and should never be stored on mobile devices unless strong encryption is used to protect the contents.  Printed information of these types should be stored securely and shredded when it is no longer needed.

Customer Information

Customer information is information held by an organization about its current, former, and prospective customers.  This information could include company name, contact information, customer address, phone and mobile numbers, email address, fax number, country, purchasing history, current proposals, etc.  If this information is compromised, other companies could use it to attempt to take away your customers by spreading rumors, changing pricing or terms, or in other ways.

Company Confidential Information

Company confidential information is information that a company uses to conduct its business, such as trade secrets, processes, sales, purchases, customer lists, accounting data, etc.