Hands-On Lab: Ethical Considerations in IT and Detecting Phishing Attacks
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN
978-0-357-50643-1; Ethical Considerations in IT and Detecting Phishing Attacks
Table of Contents
Objective……………………………………………………………………………………………………………………….. 2
Estimated Completion Time …………………………………………………………………………………………… 2
Materials Required ………………………………………………………………………………………………………… 2
Introduction ………………………………………………………………………………………………………………….. 2
Ethical Considerations in the Use of Information Security Tools ………………………………………. 3
Are You a White Hat? ………………………………………………………………………………………………….. 3
The White Hat Agreement …………………………………………………………………………………………… 4
(ISC)2 Code of Ethics ……………………………………………………………………………………………………. 5
Self-Reflection and Response …………………………………………………………………………………………. 7
Instructor’s Response …………………………………………………………………………………………………. 7
Detecting and Responding to Phishing Attacks ……………………………………………………………….. 8
Legitimate Messages Don’t Request Sensitive Information …………………………………………… 8
Legitimate Messages Usually Call You by Your Name ……………………………………………….. 9
Legitimate Messages Come from Authentic Domains ………………………………………………… 10
Legitimate Messages Come from People Who Know How to Spell and Write ………………. 11
Legitimate Messages Don’t Force You to a Web Site …………………………………………………… 12
Legitimate Messages Don’t Include Unsolicited Attachments ……………………………………… 13
Legitimate Messages Have Links that Match Legitimate URLs …………………………………….. 13
Legitimate Messages Don’t Create an Artificial Sense of Urgency………………………………… 14
Legitimate Messages Display Reliable Names…………………………………………………………….. 15
Legitimate Messages Don’t Solicit Money …………………………………………………………………… 16
How You Should Respond to Phishing E-Mails ……………………………………………………………. 18
Test Your Knowledge …………………………………………………………………………………………….. 19
Instructor’s Response: ………………………………………………………………………………………………. 26
© 2022 Cengage. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible Web
site, in whole or in part.
1
Objective
Upon completion of this activity, you will:
• have a better understanding of the ethical expectations of IT professionals; and
• be able to identify several types of social engineering attacks that use phishing techniques.
Estimated Completion Time
If you are prepared, you should be able to complete:
• The Ethical Considerations lab in 15 to 20 minutes.
• The Phishing E-Mail lab in 60 to 75 minutes.
Materials Required
Completion of this lab does not require any software to be installed and configured on
your computer.
Introduction
This module does not include a “hands-on” project to develop specific skills. Instead, it
discusses two topics that will be useful for the projects you perform in the later modules.
You will first learn about the ethical dimension of using information security tools and
techniques that many consider to be from the “dark side.”
Social engineering is a term to describe malicious actions that exploit human psychology to
gain access to sensitive information or money. Attackers manipulate people through
dishonest social interactions and exploit the human tendency to trust to gather valuable
information.
Phishing is a popular form of social engineering attack in which an attacker provides what
appears to be a legitimate communication (usually e-mail), but it contains hidden or
embedded code that redirects the reply to a third-party site to extract personal or
confidential information.
The best defense against e-mail phishing attacks is user awareness. Many organizations
now filter employee e-mail using commercial products, but even the best of these products
will not stop every phishing e-mail. Having an alert workforce and a trained service support
staff are also required.
In the second part of this lab, you will begin by reading about the indicators that an e-mail
is actually a phishing attack. Next, you will assume the role of a help-desk analyst who is
responding to alerts from users that have received suspicious e-mails.
Ethical Considerations in the Use of Information Security Tools
Using some of the “tools of the trade” in information security might lead students (and
their instructors) to use software and techniques that are designed to break the rules and
allow bad acts to occur. Because each academic community sets certain standards, you
need to be aware of how they might apply in your specific circumstances.
Conformance to standards and exhibiting ethical behavior are required to ensure the
unhindered pursuit of knowledge and the free exchange of ideas. Academic integrity
means that you respect the right of other individuals to express their views and opinions,
and that you, as a student or faculty member, do not engage in plagiarism, cheating, illegal
access, misuse or destruction of college property, or the falsification of college records or
academic work.
As a member of the academic community, and as a future InfoSec or IT professional, you
are expected to adhere to standards of ethical behavior. You are expected to read and
follow your institution’s code of conduct, which usually is found in your student handbook.
You need to be aware that if you violate these standards, you will be subject to penalties
outlined in your institution’s student conduct and academic integrity procedures. These
penalties likely range from grade penalties to permanent expulsion.
Your instructor may require you to read the white hat agreement and code of ethics that
follow. Your instructor might also ask you to sign a form acknowledging that you agree to
abide by these ethical standards while you are a student. Your agreement would indicate
that you understand the ethical behavior expected of you as part of an academic
community, and that you understand the consequences of violating those standards. For
those of you in InfoSec or cybersecurity programs, the standard is even higher, given that
you will be a guardian of an organization’s data in the future.
Are You a White Hat?
As part of this course, you may be exposed to systems, tools, and techniques related to
information security. With proper use, these components allow a security administrator or
technician to better understand vulnerabilities and the security precautions used to defend
an organization’s information assets. Misuse of these components, either intentionally or
accidentally, can result in breaches of security, damage to data, or other undesirable
results.
Because the labs in this book will sometimes be carried out in a public network that is used
by people for real work, you must agree to the following before you can participate. If you
are unwilling to sign this agreement, your instructor may not allow you to participate in the
projects.
The White Hat Agreement
If you have questions about any of the following guidelines, please contact your instructor.
This document may be changed from time to time by your instructor, who will notify you of
such changes and may ask you to reaffirm your understanding and agreement.
1. Just because you can do something doesn’t mean you should.
2. As you engage in projects, you will be granted access to tools and training that have the
potential to do harm even when they are used to determine or investigate the security
of an information system. Use these tools with care and consideration of their impact,
and only in the ways specified by your instructor.
3. If any question arises in your mind about whether you can or should perform an activity
or use a tool in a particular way, stop and ask your instructor for clarification. In
information security, it is most definitely NOT easier to ask for forgiveness than for
permission.
4. You are only allowed to use the tools and exercises if you are currently registered for a
grade in the course. An instructor always has the right to ask students for appropriate
identification if necessary.
5. Any instance of suspected misconduct, any illegal or unauthorized use of tools or
exercises, or any action construed as being outside the guidelines of the course
syllabus and instruction will be investigated by the instructor and may result in severe
academic and/or legal penalties. Being a student does not exempt you from
consequences if you commit a crime.
6. All students are expected to follow the (ISC)2 code of ethics, which is available at
www.isc2.org/ethics and included later in this document.
7. By acknowledging this agreement, you confirm that you will:
• Only perform the actions specified by the course instructor for using security tools on assigned systems.
• Report any findings to the course instructor or in specified reporting formats without disclosing them to anyone else.
• Maintain the confidentiality of any private information learned through course exercises.
• Manage assigned course accounts and resources with the understanding that their contents may be viewed by others.
• Hold harmless the course instructor and your academic institution for any consequences or actions if you use course content outside the physical or virtual confines of the specified laboratory or classroom.
• Abide by the computing policies of your academic institution and by all laws governing the use of computer resources on campus.
8. By acknowledging this agreement, you confirm that you will not:
• Attempt to gain access to a system, attempt to increase privileges on any system, or access any data without proper authorization.
• Disclose any information that you discover as a direct or indirect result of this course exercise.
• Take actions that will modify or deny access to any system, data, or service except those to which administrative control has been delegated to you.
• Attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of the projects or classroom.
• Use any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course exercise.
• Pursue any legal action against the course instructor or the university for any consequences or actions if you use what you learn in the course outside the physical or virtual confines of the laboratory or classroom.
9. You will abide by the following code of ethics:
Safety of the commonwealth, duty to our principals, and to each other requires that we
adhere, and be seen to adhere, to the highest ethical standards of behavior.
(ISC)2 Code of Ethics
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Promote and preserve public trust and confidence in information and systems.
• Promote the understanding and acceptance of prudent information security measures.
• Preserve and strengthen the integrity of the public infrastructure.
• Discourage unsafe practice.
Act honorably, honestly, justly, responsibly, and legally.
• Tell the truth; make all stakeholders aware of your actions on a timely basis.
• Observe all contracts and agreements, express or implied.
• Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
• Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
• When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.
Provide diligent and competent service.
• Preserve the value of systems, applications, and information.
• Respect the trust and privileges granted to you.
• Avoid conflicts of interest or the appearance thereof.
• Render only those services for which you are fully competent and qualified.
Advance and protect the profession.
• Sponsor for professional advancement those best qualified. All other things being equal, prefer those who are certified and who adhere to these canons.
• Avoid professional association with those whose practices or reputation might diminish the profession.
• Take care not to injure the reputation of other professionals through malice or indifference.
• Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.
The ISC2 code of ethics is available from www.isc2.org/ethics.
Self-Reflection and Response
In the space below, write a brief statement indicating your intention to abide by the ethics
codes spelled out in this lab.
Instructor’s Response
Detecting and Responding to Phishing Attacks
The following questions indicate some of the telltale signs of phishing attacks. In general,
you should ask yourself these questions for each e-mail you receive:
• Does the message ask for sensitive information, such as account numbers, passwords, or even your birthday?
• Does the message use your correct name and refer to other details accurately?
• Does the address look authentic?
• Are there misspelled words and improper grammar?
• Does the message force you to a web site?
• Does the message have an attachment you are not expecting?
• Do links in the message fail to match the visible URL?
• Does the message request that you send money?
Each of these questions is explained with examples in the following sections.
Legitimate Messages Don’t Request Sensitive Information
If you receive an unsolicited e-mail that appears to be from an official institution and the
message includes a functional link or attachment, it’s a scam. Most companies do not send
e-mail asking for passwords, credit card information, credit scores, or tax numbers, nor do
they send log-in links. If a company needs information, you will usually be asked to visit its
web site or mobile app, but you should not need a special e-mail link—after all, you do
business with the company already.
Figure L01-1 Global Pay Phishing E-Mail
In Figure L01-1, notice the unsolicited web link attachment. Also, look at the generic
salutation at the beginning (“Dear customer”). Such greetings are discussed next.
Legitimate Messages Usually Call You by Your Name
Phishing e-mails typically use generic salutations such as “Dear valued member,” “Dear
account holder,” or “Dear customer.” If a company you deal with actually required
information about your account, the e-mail would refer to you by name and would probably
direct you to contact the company via phone, a phone app, or the official company web site.
However, some hackers simply avoid a salutation altogether. This is especially common
with advertisements. In the phishing e-mail shown in Figure L01-2, everything is nearly
perfect. So, how would you spot it as suspicious?
Figure L01-2 Hotels.com Phishing E-Mail
The example in Figure L01-2 is very convincing, but the fact that the message has the
recipient’s name spelled correctly does not make it legitimate. The clue that the message is
not legitimate is indicated by the e-mail domain, as you will learn next.
Legitimate Messages Come from Authentic Domains
Don’t just check the name of the person who sent you the e-mail. Check the e-mail address
by hovering your mouse over the contents of the From line. Make sure there have been no
alterations, such as additional numbers or letters. For example, be suspicious if the e-mail
address appears to be michelle@paypal.com but is michelle@paypal23.com when you
hover the mouse over the From line. This isn’t a foolproof method of demonstrating fraud,
however. Some companies make use of varied domains to send e-mails, and some smaller
companies use third-party e-mail providers.
Figure L01-3 Costco Phishing E-Mail
In the example shown in Figure L01-3, the Costco logo is just a bit off. To see the actual
logo, you can go to https://costco.com. Do you see the difference?
Also, note that the “From” field is from a different business: “cbcbuilding.com” rather than
“costco.com.”
Also, note that most companies use https:// in their URLs. If the “s” is missing, dig a little
deeper.
Legitimate Messages Come from People Who Know How to Spell and Write
Possibly the easiest way to recognize a suspicious e-mail is through its use of bad grammar
and misspelled words. An e-mail from a legitimate organization is usually well written.
Look at this example:
Figure L01-4 Best Buy Phishing E-Mail
In addition to the generic salutation in Figure L01-4, the grammar gaffes and extra spaces
are a good clue that something is wrong—for example, note the sentence that begins
“Please fill this form.” Also, notice the “17” that appears in the middle of the next sentence
for no reason.
Legitimate Messages Don’t Force You to a Web Site
Phishing e-mails are sometimes coded so that the entire message is a graphic image
tagged as a hyperlink. Clicking anywhere in the e-mail will open a fake Web page or
download malware, ransomware, or spam to your computer. For this reason, you must be
careful and deliberate when performing analysis on suspect e-mails. If you click or activate
the attachment, it can infect your system. You will need tools to render the attachment or
headers harmless without activating the trap. Right clicking your mouse and using basic
tools can be very helpful.
Figure L01-5 USPS Phishing E-Mail
The entire e-mail shown in Figure L01-5 was sent as an image tagged as a single hyperlink.
If a recipient clicked anywhere in the e-mail, a malicious attack would be initiated. You can
guard against this by hovering your mouse cursor over the message to see if a link address
preview appears. You can also see the spelling and grammar errors in the body of the
“Notification.”
Legitimate Messages Don’t Include Unsolicited Attachments
Unsolicited e-mails that contain any type of attachment should make you suspicious.
Typically, authentic institutions do not randomly send you e-mail with attachments, but
instead direct you to download documents or files from their secured web site.
Like many of the other tips in this lab, this method isn’t foolproof. Companies that already
have your e-mail address sometimes send you information, such as a white paper, that
may require a download. In that case, be on the lookout for high-risk attachment file types,
such as .exe, .scr, and .zip. Even .pdf and .docx files are suspicious. If you think the e-mail
might be legitimate but you have doubts, contact the sender directly using information
obtained from a source other than the e-mail.
Figure L01-6 ePayment Phishing E-Mail
Before you wonder what’s in the .zip file attached in Figure L01-6, remember that curiosity
killed the cat.
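A help-desk analyst working the abuse mailbox can apply the attachment rule above without ever opening the file. The following Python is an added example, not part of the lab or of any product it mentions; it builds a constructed sample message with Python's standard `email` library, then classifies each attachment by the extension lists this section gives (high-risk: .exe, .scr, .zip; still suspicious: .pdf, .docx). The sender address and message text are placeholders invented for the example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

HIGH_RISK_EXTENSIONS = {".exe", ".scr", ".zip"}   # the lab's high-risk file types
REVIEW_EXTENSIONS = {".pdf", ".docx"}              # document types the lab still treats as suspicious


def build_sample_message(filename, payload):
    """Construct a small multipart message carrying one attachment (sample data, not a real e-mail)."""
    msg = EmailMessage()
    msg["From"] = "ePayment Notices <notices@epayment-notice.example>"  # constructed sender
    msg["To"] = "abuse@yourcompany.com"
    msg["Subject"] = "Your payment receipt"
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_string()


def classify_attachments(raw_message):
    """Return (filename, verdict) for every attachment in a raw RFC 822 message.

    The attachment body is never decoded or executed; only the declared filename is examined.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename or part.get_content_disposition() != "attachment":
            continue
        # Judge by the last extension, so "invoice.pdf.exe" is treated as an .exe, not a .pdf.
        ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
        if ext in HIGH_RISK_EXTENSIONS:
            verdict = "high-risk"
        elif ext in REVIEW_EXTENSIONS:
            verdict = "review"
        else:
            verdict = "unknown-type"
        results.append((filename, verdict))
    return results


if __name__ == "__main__":
    # The .zip from Figure L01-6 style message: flagged without being opened.
    sample = build_sample_message("payment_details.zip", b"PK\x03\x04")
    for name, verdict in classify_attachments(sample):
        print(f"{name}: {verdict}")
```

The verdict is a triage label, not proof of malice: a "review" result on a .docx still means confirming with the sender through a channel that is not the e-mail itself, as the section advises.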
Legitimate Messages Have Links that Match Legitimate URLs
If an e-mail appears to be suspicious, take precautions with any web links in the message.
Make a habit to always double-check URLs. If the link in the text isn’t identical to the URL
displayed when you hover the mouse cursor over the link, that’s a sure sign you will be
taken to a site you don’t want to visit. If a hyperlink’s URL doesn’t seem correct or doesn’t
match the context of the e-mail, don’t trust it. Instead, use your web browser to find the
company’s authentic web site. To help ensure security, hover your mouse over an
embedded link (without clicking!), confirm that it begins with https://, and consider whether
the rest of the link looks like what you might expect.
Figure L01-7 Nokia Phishing E-Mail
Although the preceding message looks convincing, Nokia wouldn’t actually send a “Save
your stuff” e-mail from info@news.nokia.com. A mouse flyover of the link would show a
domain you should not trust.
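The "hover before you click" check from this section and the image-wrapped-in-a-link trap from the "Don't Force You to a Web Site" section can both be automated for an analyst who has the HTML body of a reported message. The Python below is an added example (not code from the lab); it uses only the standard library to collect every anchor, compare the host in the visible link text with the host the href really points to, flag links that do not begin with https://, and recognize a body that is nothing but one image inside one link. The three sample bodies and their domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect every <a href> with its visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []        # one dict per anchor: href, text, wraps_image
        self.text_chars = 0    # visible characters outside any anchor
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href") or "", "text": "", "wraps_image": False}
        elif tag == "img" and self._current is not None:
            self._current["wraps_image"] = True

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data
        else:
            self.text_chars += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Host name of a URL; bare 'www.example.com/path' is accepted by assuming a scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


LOOKS_LIKE_URL = re.compile(r"\b[\w-]+\.[a-z]{2,}\b")


def analyze_links(html_body):
    """Return findings for the links in an HTML e-mail body (empty list = nothing flagged)."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for link in parser.links:
        href, text = link["href"], link["text"].strip()
        if not href.lower().startswith("https://"):
            findings.append(f"link does not use https: {href}")
        # Visible text that is itself a URL must lead to the same host as the real href.
        if LOOKS_LIKE_URL.search(text.lower()) and host_of(text) != host_of(href):
            findings.append(f"visible text '{text}' but link really goes to {host_of(href)}")
    if len(parser.links) == 1 and parser.links[0]["wraps_image"] and parser.text_chars == 0:
        findings.append("entire message is one image wrapped in a single link")
    return findings


# Constructed sample bodies; every domain below is a placeholder, not a real site.
LEGITIMATE = ('<p>Hello Ann,</p><p>Sign in at '
              '<a href="https://www.example-bank.test/login">https://www.example-bank.test/login</a></p>')
MISMATCHED = ('<p>Dear customer,</p>'
              '<a href="http://paypal23.example/verify">www.paypal.com/verify</a>')
IMAGE_ONLY = '<a href="http://track-parcel.example/x"><img src="cid:notice"></a>'

if __name__ == "__main__":
    for label, body in (("legitimate", LEGITIMATE), ("mismatched", MISMATCHED), ("image-only", IMAGE_ONLY)):
        print(label, "->", analyze_links(body) or ["no finding"])
```

The parser only reads the markup; it never fetches an href, so running it is equivalent to hovering rather than clicking. A message that produces no finding still deserves the other checks in this lab, since link text that is a plain phrase ("Click here") cannot be compared against its target this way.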
Legitimate Messages Don’t Create an Artificial Sense of Urgency
Scammers know that most of us procrastinate and then have to get things done in a hurry
so many phishing attempts request that we act now before it’s too late. Scammers also
understand that crises in the workplace are common and must be handled quickly.
Unfortunately, hurrying creates a greater chance of making mistakes and bad choices.
When you take time to think about something, you are much more likely to notice things
that don’t seem quite right. For instance, when you receive an unexpected e-mail from a
major company, maybe you’ll think twice and realize that the organization has never
contacted you via e-mail. Maybe you’ll receive what appears to be a frantic e-mail from a
co-worker and realize that he simply would have called you in case of an actual emergency.
A common workplace scam is to pretend that a problem has arisen with a commonly used
service or account, such as that with a bank or credit card company an organization uses.
Any actual problems with such accounts would cause an immediate inconvenience.
Criminals know we’re likely to drop everything if our boss e-mails us with a vital request,
especially when other senior colleagues are supposedly waiting for us to act.
A typical example looks like Figure L01-8.
Figure L01-8 Mobile Phishing E-Mail
Legitimate Messages Display Reliable Names
A favorite phishing tactic among cybercriminals is to spoof the display name of an e-mail,
just like robocalling telemarketers can spoof your phone’s caller ID. For example, if a
fraudster wanted to impersonate your bank, the top of the e-mail message might look like
Figure L01-9. Check out the domain name (in the example, accounts@secure.com) to see if
it matches the display name (My Bank).
Figure L01-9 Secure.com Phishing E-Mail
Legitimate Messages Don’t Solicit Money
Many successful phishing attacks create a false sense of urgency or appeal to a person’s
greed. One type of scam that attempts to exploit greed is the advance fee fraud, which
uses confidence tricks and is much older than e-mail. This approach typically involves
promising the victim a significant share of a valuable prize, a desired business objective, or
a sum of money in return for a small, up-front payment. This payment is needed to obtain
the larger sum—hence the name “advance fee fraud.”
One of the best-known frauds is the Nigerian 4-1-9 scam, which has been around for a long
time. Originally conducted via phone, fax, and traditional mail, this scam invites victims to
send a small amount of money with the promise of receiving a much larger sum in return.
The development of e-mail has made it much easier for scammers to reach new victims.
The best-known source of these e-mail scams is Nigeria, although they can originate from
anywhere. In Nigeria, the e-mails have become a significant source of income for some,
although section 4-1-9 of the Nigerian legal code prohibits them (hence the name).
A typical Nigerian 4-1-9 scam begins with a potential victim opening a letter or e-mail that’s
purportedly from a famous person or an exiled politician. The person may claim to be from
a place that’s currently in the news, possibly because of a recent civil disturbance. The
message explains that, due to political instability or the death of a relative, a significant
amount of money is trapped in some form of escrow account. The message goes on to
explain that if the reader could send just a small amount of cash, it will pay the fee needed
to access the account. In return for their trust and generosity, the reader is promised a
large percentage of the money that’s locked away.
If the reader does decide to send money, more requests will follow. According to
subsequent e-mails sent by the scammer, unexpected costs are often discovered, such as
increased taxes or bribes to officials. The scammers will continue to ask for money as long
as the victim sends it. Needless to say, victims will never receive a payout, regardless of
how much money they send.
A variant of the 4-1-9 attack involves vendors that supposedly sell products or rent
accommodations online. A fraudster first identifies a company from a foreign country that
offers to buy a product, rent a property, or contract a service. The fraudster then sends the
victim a fake check or international money order for a much greater amount than the item
or activity is worth, along with an explanation for why they cannot pay a smaller amount.
The fraudster asks the victim to deposit the money in a personal bank account and then
transfer the overage back to the fraudster. Later, of course, the victim discovers the
swindle and that the original “payment” was fake.
These types of scams have some common traits:
• The message (usually an e-mail) is unexpected.
• You don’t know the sender.
• There is a long, sad story about why the sender needs your help to access money.
• You are asked to help by transferring funds.
• A large payment is offered in exchange for assistance.
The examples of advance fee fraud are many and varied; they include investment
proposals, lottery winnings, and online dating scams. The example shown in Figure L01-10
is fairly typical.
Figure L01-10 UAE World Expo Phishing E-Mail
How You Should Respond to Phishing E-Mails
The easiest response to suspected phishing e-mails is to delete them. Most larger
organizations have automated filters in place to catch phishing attempts. Most companies
also offer staff assistance to deal with such e-mail, and offer an account like
abuse@yourcompany.com where you can send suspicious messages. Many organizations
have a web resource that explains examples of current phishing messages that are making
the rounds; this resource helps users stay abreast of emerging threats in social
engineering. At Kennesaw State University in Georgia, the resource is called the
phishmarket. You can see it at https://uits.kennesaw.edu/ocs/phish-market/index.php.
When dealing with suspicious e-mail, the best advice is to be skeptical. Phishers are good at
what they do. Many malicious e-mails include convincing brand logos, persuasive language,
and a seemingly valid e-mail address. However, if an e-mail message looks even remotely
suspicious, do not open it. If the message seems too important to ignore and you cannot
easily toss it away, try to follow up using resources you can find that are NOT in the e-mail.
Go to the sender’s web site or call the colleague who allegedly sent you the attachment or
urgent request. If the original message was valid and urgent, the sender will appreciate
your follow-up.
You should report fraudulent e-mail and other types of social engineering attacks. If you
work for a company, contact the help desk or the information security team. For suspicious
e-mails sent to your personal account, your e-mail provider or ISP may be able to help you.
After evaluation, the company’s technical support team should follow up to ensure that the
e-mail was deleted, and no losses occurred. If you fall victim to a phishing attack, get help
as soon as possible because lost time can factor into the ability to recover losses. If the
attack involved a bank or a credit card company, or if you have an identity protection
service (like LifeLock), get them involved as soon as you can.
When dealing with phishing attacks, it does not matter if your organization has the most
secure system in the world. It takes only one untrained employee to be fooled and
give away data your organization has worked hard to protect. Make sure that you and your
co-workers understand the examples illustrated in this lab so you can detect the telltale
signs of a phishing attempt.
Test Your Knowledge
Now let’s test your knowledge. Imagine that you are a help-desk analyst reading your
organization’s abuse e-mail account as co-workers send in suspicious messages. Look at
each of the following messages and then determine whether you think they are legitimate
or suspicious. Print out the answer page at the end of the lab for recording your answers.
For each suspicious message, explain why you think it fails the “smell test.”
Here is a handy list you can use when evaluating each of the following example e-mails:
• The message asks for sensitive information.
• The message does not contain your correct name; other details are incorrect as well.
• The address does not look authentic.
• There are misspelled words and improper grammar.
• The message forces you to a web page.
• The message has an attachment that is not expected.
• Links in the message seem suspicious.
• The message requests that you send money.
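The checklist above can be run mechanically over what lands in the abuse mailbox. The script below is an added example (it is not part of the lab): each check mirrors one list item, and the helper names (`triage`, `verdict`), the word lists, the trusted domains and the sample message are constructed for illustration only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Word lists are constructed for this example; each pattern mirrors one item of the lab's checklist.
SENSITIVE = re.compile(r"\b(password|social security|ssn|account number|pin code|card number)\b", re.I)
URGENCY = re.compile(r"\b(immediately|within \d+ hours|urgent|suspended|act now|final notice)\b", re.I)
MONEY = re.compile(r"\b(wire transfer|gift cards?|processing fee|send (?:us )?\$\s?\d+)\b", re.I)
GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(customer|user|member|valued|sir|friend)\b", re.I | re.M)
MISSPELLED = re.compile(r"\b(recieve|acount|verfy|informations|adress|untill)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # (href, displayed text)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".html", ".htm", ".zip", ".iso", ".docm", ".xlsm")
TRUSTED = ("yourcompany.example", "yourbank.example")  # constructed list of authentic domains


def registrable_domain(host):
    """'www.mail.example.com' -> 'example.com' (naive; use a public-suffix list in production)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_trusted(host, trusted_domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def triage(raw_message, recipient_name=None, trusted_domains=TRUSTED):
    """Return the checklist items the message fails; an empty list means no red flags were found."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    body, attachments = "", []
    for part in msg.walk():  # walk() covers both single-part and multipart messages
        if part.get_filename():
            attachments.append(part.get_filename())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    content = re.sub(r"<[^>]+>", " ", body)  # crude tag strip, good enough for keyword checks

    reasons = []
    if SENSITIVE.search(content):
        reasons.append("asks for sensitive information")
    if GREETING.search(content) or (recipient_name and recipient_name.lower() not in content.lower()):
        reasons.append("does not address you by your correct name")
    if not is_trusted(sender_domain, trusted_domains):
        reasons.append(f"sender address domain {sender_domain!r} does not look authentic")
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("Reply-To goes to a different domain than From")
    if MISSPELLED.search(content):
        reasons.append("contains misspelled words")
    for href, shown in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        shown_domain = DOMAIN_IN_TEXT.search(shown)
        if IPV4.fullmatch(host):
            reasons.append(f"link points at a bare IP address ({host})")
        elif shown_domain and registrable_domain(shown_domain.group()) != registrable_domain(host):
            reasons.append(f"link text {shown!r} does not match its real target {host!r}")
        elif not is_trusted(host, trusted_domains):
            reasons.append(f"link forces you to an unknown web site ({host})")
    if any(name.lower().endswith(RISKY_EXT) for name in attachments):
        reasons.append("carries an unexpected executable-type attachment")
    if MONEY.search(content):
        reasons.append("requests that you send money")
    if URGENCY.search(content):
        reasons.append("creates an artificial sense of urgency")
    return reasons


def verdict(reasons):
    return "Suspicious (S)" if reasons else "Trustworthy (T)"


# Constructed sample: generic greeting, look-alike sender, IP-address link, double-extension attachment.
PHISH = """\
From: "Yourbank Security Team" <alerts@yourbank-verify.example>
Reply-To: recover@mailbox.example
To: alex.doe@yourcompany.example
Subject: Urgent: acount suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>Your acount has been suspended. Verify your password immediately at
<a href="http://198.51.100.7/login">https://www.yourbank.example/login</a>.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"

Zm9v
--b1--
"""
```

`triage(PHISH, recipient_name="Alex Doe")` returns eight reasons, one per failed list item, which map directly onto the Reason column of the answer sheet.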
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7
Example 8
Example 9
Example 10
Phishing Email Responses
Email        Trustworthy (T) or Suspicious (S)    Reason
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7
Example 8
Example 9
Example 10
Instructor’s Response:
Hands-On Lab: To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN 9780357506431;
Web Browser Security
Hands-On Lab: Web Browser Security
To accompany Whitman and Mattord, Principles of Information Security, 7th Ed., 2022, ISBN
9780357506431; Web Browser Security
Table of Contents
Introduction ………………………………………………………………………………………………………………….. 2
Objective ……………………………………………………………………………………………………………………. 2
Estimated Completion Time ………………………………………………………………………………………… 2
Materials Required……………………………………………………………………………………………………… 2
Minimum System Configuration ………………………………………………………………………………….. 2
Web Browser Security for Google Chrome ……………………………………………………………………… 2
Autofill ……………………………………………………………………………………………………………………….. 3
Safety Check ………………………………………………………………………………………………………………. 7
Privacy and Security ……………………………………………………………………………………………………. 9
Incognito Browsing …………………………………………………………………………………………………… 13
Web Browser Security for Mozilla Firefox ……………………………………………………………………… 14
Protections Dashboard……………………………………………………………………………………………… 15
Privacy and Security ………………………………………………………………………………………………….. 17
Private Window Browsing …………………………………………………………………………………………. 22
Web Browser Security for Microsoft Edge ……………………………………………………………………… 23
Profiles …………………………………………………………………………………………………………………….. 25
Privacy, Search and Services ……………………………………………………………………………………… 27
Family Safety ……………………………………………………………………………………………………………. 30
InPrivate Window Browsing ………………………………………………………………………………………. 31
Web Browser Security for Apple Safari ………………………………………………………………………….. 32
Self-Reflection and Response ……………………………………………………………………………………….. 34
Instructor’s Response ……………………………………………………………………………………………….. 34
Introduction
This module describes how to configure the security and privacy features of several
popular web browsers to minimize the probability of unwanted disclosures or exploits.
Modern web browsers are among the most used tools for accessing remote information.
Organizations develop complex web sites to share information with their customers and
suppliers, and internal sites to share information with employees. While examining all
the features of every available web browser is beyond the scope of this lab exercise, we
will look at some of the more common security features and settings of the more popular
browsers.
Note: if you are performing these labs on organizational equipment, like computers in a
university lab or at a business, some of these options may not be available. All may be
performed on your personal computer or laptop.
Objective
Upon completion of this activity, the student will be able to:
• Review and configure the security and privacy settings in the most popular web
browsers.
Estimated Completion Time
If you are prepared, you should be able to complete:
• The Web Browser Security and Privacy labs in 1 to 1.5 hours.
Materials Required
Access to the named web browsers.
Minimum System Configuration
Completion of this lab requires that the user have the appropriate rights and privileges to
modify software on the local system.
Web Browser Security for Google Chrome
The first web browser discussed is Google Chrome (https://www.google.com/chrome/),
shown in Figure L02-4.
Figure L02-1 Google Chrome Website
1. Download the Google Chrome browser by going to https://google.com/chrome
above and clicking the Download Chrome button. Follow the on-screen prompts,
until the software has installed.
2. Access the Google Chrome settings by clicking the Customize and Control Google
Chrome button (it looks like a vertical ellipsis) beneath the close window button in the
upper right corner, or type chrome://settings/ in the URL field. On this screen are
several settings important to security, including AutoFill, Passwords, Payment
Methods, Safety Checks and Privacy & Security.
Autofill
The first set of options to investigate is in the Autofill section, as shown in Figure L02-5.
Here the user can configure the browser’s ability to remember Passwords, Payment
Methods, and Addresses for the user.
Figure L02-2 Google Chrome Settings
3. Click the Passwords menu option shown in Figure L02-2. You should see the
options shown in Figure L02-3. If you are sharing a computer with anyone else, even
a family member, you should disable both the Offer to save passwords and Auto Sign-in
options by clicking the slider to the right of each option so that it moves to the left.
Similarly, if you are using a computer owned by an organization, and not by you, you
should disable these options.
On your personal systems, you can log into Google Chrome and it will sync your
settings across multiple computers. This is fine if you remember to log out of Google
Chrome before logging out of the computer system. Use caution with this feature as
someone else using the computer could have access to your credentials.
Figure L02-3 Google Chrome Passwords Settings
4. If you have been using Google Chrome for some time, and storing system
credentials in the browser, you may want to periodically check your credentials
(usernames and passwords). Hackers work to compromise systems and steal
credentials. They then sell or share this information on “the dark web”. Google scans
the dark web and allows you to see if any of your system credentials have been
found there. Click the Check passwords button to review your credentials.
5. As shown in Figure L02-4, Google Chrome will let you know when there is a problem
with your stored credentials, including those with passwords that Chrome views as
“weak”. You will have the option to change any password Chrome has flagged for
your review by clicking on the Change password button beside the account
credentials shown. If there were any compromised passwords, they would be listed
above the Weak passwords section.
Figure L02-4 Google Chrome Check Passwords Results
6. Return to the Settings menu by selecting the left arrow next to the Settings menu
title, or the back arrow next to the URL field.
7. Select Payment methods in the Autofill field. As shown in Figure L02-5, Google
Chrome can remember your commonly used payment methods. You should use
extreme caution when allowing Chrome to do this, as this would allow anyone else
using the system to use your payment methods. Chrome does require you to
validate the use of a payment card by entering the security code on the reverse,
however if someone saw you using a card, they may have remembered that
information, and thus could shop with your credit.
Figure L02-5 Google Chrome Payment Methods Settings
8. For systems you share with others, or which belong to an organization, it is
recommended that you disable the Save and fill payment methods and Allow sites to
check if you have payment methods saved options by sliding the button to the right of
the options to the left. Any payment methods saved will be listed at the bottom of
this menu and can be accessed there.
9. Return to the Settings menu by selecting the left arrow next to the Settings menu
title, or the back arrow next to the URL field.
10. Click on the Addresses and more option under Autofill. As shown in Figure LM01-9,
here you can allow Google Chrome to remember key addresses, much the same as
passwords and payment methods. Again, disable this option on shared systems, or
systems owned by an organization.
Figure L02-6 Google Chrome Addresses and more Settings
11. Return to the Settings menu by selecting the left arrow next to the Settings menu
title, or the back arrow next to the URL field.
Safety Check
The next area to examine is the Safety Check menu, shown in Figure L02-7. Just like the
Password check in the previous section, this function will determine if there are any issues
with your Google Chrome.
Figure L02-7 Google Chrome Safety Check
12. Click on the Check now button to run the Safety check. Figure L02-8 shows a
sample results screen.
Figure L02-8 Google Chrome Safety Check Results
13. Review and resolve any issues identified by clicking the corresponding button to the
right of the menu option. If you did not resolve all issues with Google Chrome
managed passwords, you will have the option to fix those here as well, by clicking
the Review button.
14. If your system is not currently using Safe browsing, select the Manage button and
select the options that best suit your preferences. At a minimum you should select
Standard protection under Safe Browsing. Enhanced protection is the best option,
however it does send browsing data to Google, as illustrated in Figure L02-9.
15. There are additional options under Advanced you may specify. If available, select Use
secure DNS. There are also options to manage your certificates and implement the
Google Advanced Protection Program here. The GAPP program allows you to
implement multi-factor authentication for your Google browser, requiring the use of
specific software on your phone or a hardware token to authenticate your Google
login. Visit https://landing.google.com/advancedprotection/ if you want to learn
more about the GAPP program.
16. Also available under Safety check is Extensions management. Extensions are add-ons for Google Chrome that provide additional functionality. Some, however, may
introduce new vulnerabilities. If you have any issues with extensions in your version
of Chrome, the option to resolve those will appear here (See Figure L02-8 above).
17. Return to the Settings page by using the back option again.
Figure L02-9 Google Chrome Safe Browsing Settings
Privacy and Security
Back at the Settings screen, the next section is Privacy and Security. As shown in Figure L02-10, here you can clear your browsing data and cookies and adjust other security features.
Figure L02-10 Google Chrome Privacy and Security Settings
18. Click on Clear browsing data. Here you can specify whether you want to clear your
browsing history, cookies and cached images and files from your browser.
Periodically you may experience issues using a piece of software that caches files on
your system. Clearing your browsing data by checking the options shown in Figure
L02-11 and clicking the Clear data button will give you a fresh start and force your
browser to download all new web content. If you are not logged in to Google, this
action will only clear the cached information on the local machine. If you are logged
in, it will clear this information for all systems you are logged into, as the data is
stored and synced by Chrome.
19. You can specify how much data to clear by using the pull-down box next to Time
range. Use this option to select All time, if not already selected and click Clear Data.
Figure L02-11 Google Chrome Clear Browsing Data Settings
20. Click the Cookies and other site data option. As shown in Figure L02-12, here you
can specify which cookies may be stored on your system. While you can block
all cookies, you would quickly run into issues trying to access some web sites. At a
minimum, it is recommended you select the option Block third-party cookies in
Incognito, as shown in the figure, although you may decide to select Block third-party cookies to provide more privacy. To change your options, simply click on the
radio button (circle) to the left of the desired option.
Figure L02-12 Google Chrome Cookies and Other Site Data Settings
21. Further down this screen you can view all cookies currently stored on your system
by selecting the See all cookies and site data option. This allows you to selectively
delete the cookies from one vendor by clicking on the trash can icon shown in
Figure L02-13.
Figure L02-13 Google Chrome View Cookies
22. You can also add specific sites to an allow list or a block list for cookies, if you chose
to allow all or block all in the previous step. You can also specify certain sites whose
cookies should always be cleared (and no others).
23. Return to the settings page using the back arrows.
24. The Security menu option takes you back to the Safe Browsing options.
25. Click the Site Settings menu option. As shown in Figure L02-14, here you can
specify the permission associated with the use of your system for specific sites. This
is commonly used to allow or deny the use of location information (for pizza
delivery!), your camera, and your microphone (for web conferencing). It also allows
you to specify permissions for notifications (popup reminders). Review the options
available and adjust to your preferences.
Figure L02-14 Google Chrome Permissions Settings
26. The Additional content settings menu allows you to specify things like the preferred
software to play sounds and open images and PDFs. It also allows you to blacklist
certain sites with misleading or offensive ads.
Incognito Browsing
27. While there are other settings and options in Google Chrome, these are the
dominant settings related to privacy and security. There is one other feature of
interest, especially if you’re using a shared computer. Incognito browsing uses a
separate instance of the browser that does not retain history or cookies (if selected).
The easiest way to start an incognito browser session is to right click on the Chrome
icon or menu option and select New incognito window. Do so now.
28. As shown in Figure L02-15, this gives you an increased level of privacy over the
standard browser. Keep in mind that this simply protects you from retained data on
the local system, it does not screen you from systems that monitor network use,
such as the organization or university’s IT department, or the internet service
provider.
Figure L02-15 Google Chrome Incognito Browsing
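The Chrome steps above toggle each setting by hand; on organization-owned or shared machines an administrator can enforce the same minimums through Chrome's managed policies. The script below is an added example, not part of the lab: the policy names are real Chrome enterprise policies, the weak sample policy and the helper names (`audit`, `harden`, `write_managed_policy`) are constructed for illustration, and the default file path is Chrome's Linux managed-policy directory.

```python
import json
from pathlib import Path

# Chrome enterprise policy names (real) that enforce the settings this lab has you toggle by hand.
# The values are the lab's minimums for shared or organization-owned machines.
LAB_MINIMUM = {
    "PasswordManagerEnabled": False,      # Autofill > Passwords: 'Offer to save passwords' off
    "AutofillCreditCardEnabled": False,   # Autofill > Payment methods: 'Save and fill' off
    "AutofillAddressEnabled": False,      # Autofill > Addresses and more: off
    "SafeBrowsingProtectionLevel": 1,     # 0 = no protection, 1 = Standard, 2 = Enhanced
    "DnsOverHttpsMode": "automatic",      # Advanced > 'Use secure DNS' ("secure" is stricter still)
    "BlockThirdPartyCookies": True,       # Cookies and other site data: block third-party cookies
}

# Constructed example of a weak policy: three settings below the lab's minimum, and
# third-party cookie handling left to whatever the user picks.
WEAK_POLICY = {
    "PasswordManagerEnabled": True,
    "AutofillCreditCardEnabled": False,
    "AutofillAddressEnabled": False,
    "SafeBrowsingProtectionLevel": 0,
    "DnsOverHttpsMode": "off",
}


def meets_minimum(name, value):
    """True if one policy value is at least as strict as the lab's recommendation."""
    if name == "SafeBrowsingProtectionLevel":
        return type(value) is int and value >= LAB_MINIMUM[name]
    if name == "DnsOverHttpsMode":
        return value in ("automatic", "secure")
    return value == LAB_MINIMUM[name]


def audit(policy):
    """Return {name: (current, required)} for each setting weaker than the lab's minimum.
    A key that is absent counts as weak, because Chrome then uses the user's own choice."""
    return {name: (policy.get(name), want) for name, want in LAB_MINIMUM.items()
            if not meets_minimum(name, policy.get(name))}


def harden(policy):
    """Return a copy with every weak setting raised to the lab's minimum; stricter values are kept."""
    fixed = dict(policy)
    for name in audit(policy):
        fixed[name] = LAB_MINIMUM[name]
    return fixed


def write_managed_policy(policy, directory="/etc/opt/chrome/policies/managed"):
    """Write the policy as a Chrome managed-policy JSON file (Linux path; Windows uses the
    registry and macOS a plist). Chrome applies managed policies over the user's own settings."""
    path = Path(directory) / "lab-browser-hardening.json"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2, sort_keys=True) + "\n")
    return path


if __name__ == "__main__":
    for name, (have, want) in audit(WEAK_POLICY).items():
        print(f"{name}: currently {have!r}, lab minimum {want!r}")
    print(json.dumps(harden(WEAK_POLICY), indent=2, sort_keys=True))
```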
Web Browser Security for Mozilla Firefox
Mozilla’s Firefox browser has many of the same features as other browsers. Firefox can be
downloaded from https://www.mozilla.org/en-US/, selecting the Firefox browsers option
in the top menu, as shown in Figure L02-16.
Figure L02-16 Mozilla Firefox
1. If you do not have Mozilla Firefox installed, go to the URL listed above and follow the
instructions to download and install. Then start Firefox.
2. To access the security and privacy options in Firefox, first click on the menu button
(three parallel lines in upper left corner under the Close button).
Protections Dashboard
3. The first security option we’ll look at is the Protections Dashboard. To access the
Protections Dashboard, click on the shield icon in the address bar when visiting a web
page, or enter the text “about:protections” into the address bar.
As shown in Figure L02-17, you can see the first security feature is the Enhanced
Tracking Protection. This is always on, so it’s just a report of how Firefox is working
to protect you from online tracking software. Also on this menu is the offer to sign
up for Breach alerts with Firefox Monitor. This is currently free but requires a Firefox
account (also free). Like Google Chrome, signing into your Firefox browser allows
you to sync your settings across multiple systems. Firefox Monitor (shown in Figure
L02-18) will alert you if it finds your credentials (based on your e-mail address) in a
compromised system.
Figure L02-17 Mozilla Firefox Protections Dashboard
Figure L02-18 Mozilla Firefox Monitor
4. At the bottom of this screen is the Password Management feature, shown in Figure
L02-19, which allows you to manage stored passwords in Firefox. Click the Manage
Passwords button.
Figure L02-19 Mozilla Firefox Password Management
5. This opens the Firefox Lockwise feature, used to manage your passwords on various
web sites, as shown in Figure L02-20. Here you can edit and remove any stored
passwords for your Firefox account, if logged in, or on the local system only, if not.
Lockwise can also be directly accessed through the menu by selecting Logins and
Passwords.
Figure L02-20 Mozilla Firefox Lockwise
Privacy and Security
6. Open the menu and select Options. Here you can specify general Firefox settings. In
the left menu, select Privacy & Security. As shown in Figure L02-21, here you can
specify the level of tracking allowed. At a minimum, you should ensure your system
is set to Standard. While there is no lower setting available, someone may have
created a custom configuration which allows fewer security features and
protections. If you desire, you can set your system(s) to Strict, providing increased
protection.
Figure L02-21 Mozilla Firefox Browser Privacy Settings
7. Further down this page, you have the options to clear and manage Cookies, Logins
and Passwords, Forms and Autofills, History, and the Address Bar as shown in
Figure L02-22.
Figure L02-22 Mozilla Firefox Cookies and Site Data Settings
8. Click Clear Data under Cookies and Site Data. When prompted, select both Cookies
and Site Data and Cached Web Content, and click the Clear button.
9. Next, click Clear History under History. Select Everything in the Time range to clear
pull down menu, and check all boxes under History and Data. Then click OK.
10. While most of these are self-explanatory, one feature deserves additional attention.
The Primary Password is a feature that allows additional protection for systems
used by multiple users, allowing the secure use of saved credentials. If this feature is
enabled by checking the box to the left of the option, each session (new web
browser) will prompt you for a “Primary Password” to use the saved password
functions. This will prevent someone from using a shared system and then taking
advantage of saved credentials. The Primary password is typically your Firefox
account password. You are also prompted for this password if you try to add,
remove, or edit stored passwords.
11. Review each of these options and enter the settings that you desire.
12. Further down on this screen are the Permissions settings for specific applications, as
shown in Figure L02-23. Here you can specify which applications can use which
features such as your location, the web camera, and microphone.
Figure L02-23 Mozilla Firefox Permissions Settings
13. Also located in the options menu is the specification for Firefox Data Collection and
Use, shown in Figure L02-24, which provides specific criteria which you can select to
craft what data, if any, you allow Mozilla to collect and use.
Figure L02-24 Mozilla Firefox Data Collection and Use Settings
14. The last set of options in this menu are the Security features not covered elsewhere.
Here you can Block dangerous and deceptive content, review your certificates, and
specify the use of HTTPS (HTTP Secure) protocol. Ensure the minimum levels of
security by reviewing your settings and making sure they are at least as secure as
the ones shown in Figure L02-25.
Figure L02-25 Mozilla Firefox Security Settings
Private Window Browsing
15. Users can create anonymous browsing windows by right clicking the Mozilla Firefox
icon and selecting New Private Window. This window, shown in Figure L02-26,
allows the user to avoid saving passwords, cookies, and browsing history while in a
private window. It allows the user to access any stored materials from normal
browsing but will not save any new materials. Again, private windows do not block
your information from an organization’s IT department or the Internet Service
Provider.
Figure L02-26 Mozilla Firefox Private Window Browsing
While there are many other options you can configure for Mozilla Firefox, these are the
primary security and privacy features.
Web Browser Security for Microsoft Edge
Microsoft Edge is the newest browser from Microsoft, provided with its Windows operating
systems. Edge replaces the venerable (and vulnerable) Microsoft Internet Explorer. Like
other browsers, Edge can sync settings between systems if the user creates an account
with Microsoft and logs in.
1. Microsoft Edge can be downloaded from https://www.microsoft.com/en-us/edge,
as shown in Figure L02-27, although it most likely is already installed if you are using
a Windows operating system like Windows 10.
Figure L02-27 Microsoft Edge
2. The first set of security and privacy features are accessed by selecting the menu (the
ellipsis in the upper left corner under the close button), then selecting Settings. As
Figure L02-28 shows, options are listed on the left, with configuration on the right.
Figure L02-28 Microsoft Edge Settings
Profiles
3. Select Profiles (if not already selected). The profiles section, shown in Figure L02-29,
allows quick access to sync functions, password management, and retained
payment preferences.
Figure L02-29 Microsoft Edge Your Profile Settings
4. Click Passwords. As shown in Figure L02-30, here you can specify whether Edge offers
to save passwords for you, signs you in automatically, and shows a “reveal
password” button so you can check that you typed a password correctly. If you
are using a shared computer, ensure these options are turned off.
Figure L02-30 Microsoft Edge Profiles/Passwords Settings
5. Click the back arrow next to Profiles / Passwords on the right side of the window to
return to the Your profile page. Next, click the Payment info option. As shown in
Figure L02-31, here you can allow the saving and use of payment information and
manage saved payment information such as credit and debit cards or online payment
accounts. If you have already added a payment card, you can edit its attributes. On
shared systems, ensure this option is disabled by clicking the blue oval with a white
dot in it, located to the right of the option. Once it is off, the oval will turn white, with
a black dot on the left side.
Figure L02-31 Microsoft Edge Profiles/Payment Info Settings
Privacy, Search and Services
6. Click the Privacy, search and services option on the left side of the Settings menu.
As shown in Figure L02-32, here you can choose one of three Tracking prevention
levels (Basic, Balanced, or Strict). At a minimum, you should select the Balanced option.
You can also review blocked trackers by clicking that option beneath the three boxes
and specify exceptions for sites on which trackers are allowed. Review these options now.
Figure L02-32 Microsoft Edge Tracking Prevention Settings
7. Scroll down the Privacy, search, and services page on the right. The next section
allows you to Clear browsing data and to specify what is cleared. Click the
Choose what to clear button. Figure L02-33 shows the Clear browsing data area of
the page, while Figure L02-34 shows the options available once you click Choose
what to clear (there are two versions of this window; the second shows the
additional options revealed when you scroll down).
Figure L02-33 Microsoft Edge Clear Browsing Data Selection
Figure L02-34 Microsoft Edge Clear Browsing Data Settings
8. Select All time in the Time range pull-down list, then check all of the option
boxes and click Clear now to completely clear Microsoft Edge’s browsing data. Be
aware that checking every box also removes any saved passwords and autofill form
data, which is what you want on a shared system but not necessarily on your own. You
can also select Choose what to clear every time you close the browser to configure Edge
to clear its cached data each time you close the browser.
9. The next areas of interest are Privacy, Required diagnostic data, and Optional
diagnostic data, located in the sections after Clear browsing data. The Privacy
options allow you to specify whether sites may check if you have payment methods
stored in Edge, as shown in Figure L02-35. Shared systems should enable Send
“Do Not Track” requests and disable the payment methods option. Keep in mind that
“Do Not Track” is only a request header; sites are free to ignore it, so it is no
substitute for Tracking prevention.
Figure L02-35 Microsoft Edge Privacy and Diagnostic Data Settings
10. To see what data Edge is collecting and reporting to Microsoft, you must click the
Windows diagnostic data setting hyperlink shown at the bottom of Figure L02-35.
If this is the first time you are doing this, you will have to allow the action in the
popup window that follows. You will find yourself at the Windows Diagnostics &
feedback setting. Review these options carefully to ensure you are comfortable with
their current settings, and make changes as needed. You can also select Delete under
Delete diagnostic data to purge data already collected and sent to Microsoft; this
also deletes the data from Microsoft’s systems.
11. Figure L02-36 shows the Security menu options, including the ability to manage
certificates.
Figure L02-36 Microsoft Edge Security Settings
12. It also includes Microsoft Defender SmartScreen, a reputation-based service that
can block malicious web sites and downloads, complementing the Microsoft Defender
antimalware application. This sometimes-annoying popup, shown in Figure L02-37, will
stop suspicious programs from running. It may give you the option to “run anyway,” in
which case you should be sure the application is safe before running it, for example by
confirming that it was downloaded from the vendor’s own site and that its hash matches
the one the vendor publishes. Clicking the More info option when encountering the
popup can help you decide whether to do so.
Figure L02-37 Microsoft Defender SmartScreen
Family Safety
13. A feature specific to Microsoft Edge is the Family safety option.
Select Family safety in the left side menu of the Settings window. As shown in
Figure L02-38, you can enable this to create accounts for underage children,
restrict their online access, report on their browsing habits, and filter inappropriate
web sites.
Figure L02-38 Microsoft Edge Family Safety
InPrivate Window Browsing
14. Users can open a private (not anonymous) browsing window by right-clicking the
Microsoft Edge icon and selecting New InPrivate Window, or by pressing Ctrl+Shift+N
in an open Edge window. This window, shown in Figure L02-39, does not save
passwords, cookies, or browsing history from the InPrivate session. It allows the user
to access material already stored from normal browsing but will not save anything new.
Again, private windows do not hide your activity from an organization’s IT department,
the Internet Service Provider, or the web sites you visit.
Figure L02-39 Microsoft Edge InPrivate Browsing
While there are many other options you can configure for Microsoft Edge, these are the
primary security and privacy features.
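Every setting in steps 4 through 14 above is a per-profile preference that the next user of a shared computer can simply switch back. On a managed Windows system the same settings can be pinned as machine-wide Edge policies, which the browser then shows as greyed-out and reports on its edge://policy page. The script below is an added example, not part of the lab or of Microsoft’s documentation; it assumes Windows 10 or 11 with Microsoft Edge (Chromium) and an elevated PowerShell prompt. The policy names are Edge’s documented policy names; the values chosen are this example’s hardening profile for a shared lab machine, not a recommendation taken from the lab text.

```powershell
# Added example: apply the Edge settings from this lab as mandatory machine policies
# so a user of a shared PC cannot revert them. Assumes an elevated prompt on
# Windows 10/11 with Microsoft Edge (Chromium). Values are this example's choices.
#Requires -RunAsAdministrator

$EdgePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'

# Policy name => desired DWORD value. 1/0 are boolean policies; TrackingPrevention
# and InPrivateModeAvailability are enumerations (values noted in the comments).
$DesiredPolicies = [ordered]@{
    # Profiles > Passwords and Payment info (steps 4 and 5)
    'PasswordManagerEnabled'                   = 0   # never offer to save passwords
    'AutofillCreditCardEnabled'                = 0   # never save or fill payment cards
    'AutofillAddressEnabled'                   = 0   # never save or fill addresses
    'PaymentMethodQueryEnabled'                = 0   # sites may not ask whether cards are stored (step 9)
    # Privacy, search and services (steps 6 to 9)
    'TrackingPrevention'                       = 2   # 0 off, 1 basic, 2 balanced, 3 strict
    'ClearBrowsingDataOnExit'                  = 1   # clear history, cookies, cache etc. on close (step 8)
    'ConfigureDoNotTrack'                      = 1   # send the DNT header; sites may still ignore it
    # Security (steps 11 and 12)
    'SmartScreenEnabled'                       = 1   # keep Microsoft Defender SmartScreen on
    'SmartScreenPuaEnabled'                    = 1   # also block potentially unwanted apps
    'PreventSmartScreenPromptOverride'         = 1   # users cannot click through site warnings
    'PreventSmartScreenPromptOverrideForFiles' = 1   # users cannot "run anyway" on flagged downloads
    # InPrivate (step 14): 0 available, 1 disabled, 2 forced for every window
    'InPrivateModeAvailability'                = 0
}

function Set-EdgePolicies {
    param(
        [System.Collections.IDictionary]$Policies = $DesiredPolicies,
        [string]$Key = $EdgePolicyKey
    )
    # Create the policy key if this machine has never had Edge policies before
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Policies.Keys) {
        # -Type DWord makes Edge read the value as an integer policy
        Set-ItemProperty -Path $Key -Name $name -Value $Policies[$name] -Type DWord
    }
}

function Test-EdgePolicies {
    param(
        [System.Collections.IDictionary]$Policies = $DesiredPolicies,
        [string]$Key = $EdgePolicyKey
    )
    # Return one row per policy whose stored value is missing or differs
    $drift = @()
    foreach ($name in $Policies.Keys) {
        $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual -or $actual -ne $Policies[$name]) {
            $drift += [pscustomobject]@{ Policy = $name; Expected = $Policies[$name]; Actual = $actual }
        }
    }
    return $drift   # an empty array means every policy is in place
}

Set-EdgePolicies
$drift = Test-EdgePolicies
if ($drift.Count -eq 0) {
    Write-Host "All $($DesiredPolicies.Count) Edge policies applied. Restart Edge and open edge://policy to confirm."
} else {
    $drift | Format-Table -AutoSize
    Write-Warning 'Some policies did not apply; check that the prompt is elevated.'
}
```

Run the script once, restart Edge, and repeat steps 4 through 9: the corresponding toggles now show the “managed by your organization” marker and cannot be changed from the Settings page. Test-EdgePolicies can be re-run on its own later to detect drift, for instance if someone with local administrator rights edited the registry. To remove the hardening, delete the values under the policy key (or the key itself) and restart Edge.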
Web Browser Security for Apple Safari
While we won’t go into detail about the security features of Apple’s Safari browser, it is
available from https://www.apple.com/safari/ and contains many of the same features
demonstrated in the other browsers noted. Safari runs only on Apple devices: macOS
computers and iOS and iPadOS devices such as the iPhone and iPad. On mobile devices, much
of the browser configuration is managed through the device’s Settings app rather than an
options menu within Safari. Safari also has a Private Browsing mode like the other browsers.
Figure L02-40 Apple Safari
Self-Reflection and Response
Which browser(s) did you improve the security and privacy for? (Check all that you
performed.)
Google Chrome
Mozilla Firefox
Microsoft Edge
Apple Safari
Were you able to access all the security and privacy features of the browsers you used?
Yes
No (explain what you could not revise)
Do you feel more equipped to make your browser experience more secure?
Yes
No
Please explain:
Instructor’s Response