CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [263]
■ Never share personal data with a website.
■ Be careful what you reveal about yourself in chat rooms, via messaging, on discussion boards, to surveys, and so forth.
■ Be suspicious of whom you interact with over the Internet until you have absolute proof of their identity and trustworthiness.
■ Only make e-commerce purchases from trusted sites (for example, sites with an established reputation for protecting their users and visitors).
■ Use temporary credit card numbers to make online purchases.
■ Keep an eye on the domain name in the URL you visit; if it turns into an IP address, a large decimal number (a dword-encoded IP address that browsers still accept), or an unfamiliar two-letter country-code domain, you may have been redirected.
■ Use encrypted communications whenever possible.
■ Make sure Transport Layer Security (TLS) is enabled in your browser (it is the more secure successor to SSL).
■ If the URL prefix is not https, then it is not a secure connection.
■ Encrypted does not mean you cannot be attacked—it just means the attack will come to you over the encrypted link.
■ Don’t allow unknown sites to download mobile code to your system.
■ Don’t allow unsigned code to download or execute.
■ Only allow signed code from well-trusted sites to execute.
■ Don’t allow third-party cookies.
■ Limit the use of first-party cookies to trusted sites, and then only to those sites that actually require them (for example, Amazon.com doesn’t require cookies to purchase but Buy.com does).
■ Keep your client utilities updated and patched.
■ Don’t download data from unknown sites.
■ Use data downloaded from trusted sites only after verifying the integrity of the download (for example, by checking it against the hash or signature the site publishes).
■ Remember that you are probably being watched by an unknown malicious entity while you surf the Internet.
■ Don’t leave Internet connections open and active when you are not actively using your computer.
■ Social engineering, spoofing, phishing, and hoaxes can all take place via computer communications such as e-mail and chat and on the Web—watch out!
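The URL checks in the list above (a host that has turned into an IP address or a bare decimal number, an unfamiliar two-letter country-code domain, a scheme other than https) can be automated. The following Go program is an added example written for this section, not code from the book or from any browser vendor. The allowlist of expected top-level domains is an assumption made for the example, and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// Finding is one reason a URL looks like a redirect away from the site the
// user meant to visit.
type Finding string

const (
	NotHTTPS        Finding = "scheme is not https"
	IPLiteralHost   Finding = "host is an IP address, not a domain name"
	DwordHost       Finding = "host is a bare decimal number (dword-encoded IPv4)"
	UnexpectedCCTLD Finding = "host ends in an unexpected two-letter country-code TLD"
)

// expectedTLDs is an assumed allowlist for this example: the top-level
// domains the user normally visits. Any other two-letter TLD is flagged.
var expectedTLDs = map[string]bool{"com": true, "org": true, "net": true, "us": true}

// InspectURL applies the checklist to one URL and returns its findings in
// order. An empty result means nothing looked wrong.
func InspectURL(raw string) ([]Finding, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	if !strings.EqualFold(u.Scheme, "https") {
		findings = append(findings, NotHTTPS)
	}
	// Hostname() drops the port and the [] around an IPv6 literal.
	host := strings.TrimSuffix(u.Hostname(), ".")
	switch {
	case net.ParseIP(host) != nil:
		findings = append(findings, IPLiteralHost)
	case isDword(host):
		findings = append(findings, DwordHost)
	default:
		labels := strings.Split(host, ".")
		tld := strings.ToLower(labels[len(labels)-1])
		if len(tld) == 2 && !expectedTLDs[tld] {
			findings = append(findings, UnexpectedCCTLD)
		}
	}
	return findings, nil
}

// isDword reports whether host is a 32-bit unsigned decimal integer, the
// form browsers still accept as an IPv4 address (http://3232235777/ is
// 192.168.1.1). Hex (0xC0A80101) and octal forms are not handled here.
func isDword(host string) bool {
	_, err := strconv.ParseUint(host, 10, 32)
	return err == nil
}

// DwordToIPv4 decodes a dword host back into dotted-quad form so the reader
// can see where the link really points.
func DwordToIPv4(host string) (string, bool) {
	n, err := strconv.ParseUint(host, 10, 32)
	if err != nil {
		return "", false
	}
	return fmt.Sprintf("%d.%d.%d.%d", byte(n>>24), byte(n>>16), byte(n>>8), byte(n)), true
}

func main() {
	// Constructed sample URLs for this example.
	for _, raw := range []string{
		"https://www.example.com/login",
		"http://192.0.2.10/login",
		"http://3232235777/",
		"https://www.example.zz/",
	} {
		f, err := InspectURL(raw)
		fmt.Println(raw, f, err)
	}
}
```

The dword case is the one most people miss: a plain number is still parsed as an IPv4 address, so a link such as http://3232235777/ quietly resolves to 192.168.1.1. The two-letter TLD check is deliberately crude (many legitimate sites use country-code domains), which is why it is driven by an allowlist rather than a fixed rule.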
The Internet should be thought of as a necessary evil that must be controlled in order to get beneficial tasks accomplished. It is like electricity, which provides uncountable benefits to our lives, but if we lose control of it, the results can include electrocution and property damage through fire. The Internet is a powerful tool that can cause serious harm to your organization and your personal life if not managed properly. So don’t use the Internet without proper protection and awareness.
Key Management Conventions
When working with any form of cryptography, using reasonable key management techniques helps maximize security and minimize potential breaches. Ultimately, key management depends on the deployed cryptosystem product. Thus, know what you are buying and exactly what it does and does not offer.
Based on that, here are some tips to make the most out of what you have (at least in terms of encryption):
■ If a PKI system is used, use one public/private key pair for session management and encryption and a second, separate pair for identity proof (signing).
■ Always use a new and unique public/private key pair set when requesting a new certificate.
■ Attempt to renew certificates before they expire in order to maintain existing trust relationships.
■ If you are concerned that existing trust relationships might be problematic, allow your current certificate to expire or ask the CA to revoke it.
■ Store symmetric and asymmetric keys separately.
■ Use password- or biometric-locked removable storage media (for example, a USB drive or smart card) to store and transport your keys.
■ When available, use key escrow database systems for keys involved in stored data encryption.
■ Never store keys for identity proof in a key escrow database.
■ Be aware of the lifetimes assigned to keys and certificates.
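Several of the rules above (separate encryption and identity key pairs, a fresh key pair for every new certificate, renewal before expiry, escrow for encryption keys but never for identity keys) can be enforced from the key usage and validity fields the certificate itself carries. The following Go program is an added example written for this section, not code from the book or from any PKI product. It self-signs the certificates with a hypothetical newCert helper so it runs offline; in a real deployment the CSR would go to the CA, and the 30-day renewal lead time is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Purpose distinguishes the two key pairs the checklist asks for.
type Purpose int

const (
	Encryption Purpose = iota // session/data encryption: escrow is allowed
	Identity                  // identity proof (signing): escrow is forbidden
)

// newCert generates a fresh P-256 key pair and self-signs a certificate whose
// key usage encodes the purpose. Hypothetical helper for this example only.
func newCert(cn string, p Purpose, now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	usage := x509.KeyUsageDigitalSignature // identity proof
	if p == Encryption {
		usage = x509.KeyUsageKeyAgreement // ECDH session-key establishment
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     usage,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// MayEscrow is the escrow rule: only a key marked for encryption or key
// agreement, and never for signatures, may go into the escrow database.
func MayEscrow(c *x509.Certificate) bool {
	if c.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) != 0 {
		return false
	}
	enc := x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment | x509.KeyUsageKeyAgreement
	return c.KeyUsage&enc != 0
}

// RenewalDue reports whether the certificate is within lead time of expiry
// (or already expired), so it should be renewed now to keep trust intact.
func RenewalDue(c *x509.Certificate, now time.Time, lead time.Duration) bool {
	return !now.Add(lead).Before(c.NotAfter)
}

// Renew issues a replacement with the same subject and purpose but a brand
// new key pair; the old private key is never reused.
func Renew(old *x509.Certificate, now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	p := Encryption
	if old.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
		p = Identity
	}
	return newCert(old.Subject.CommonName, p, now, lifetime)
}

// SameKey reports whether two certificates carry the same public key, which
// is the check that catches a renewal that reused the old pair.
func SameKey(a, b *x509.Certificate) bool {
	pa, ok1 := a.PublicKey.(*ecdsa.PublicKey)
	pb, ok2 := b.PublicKey.(*ecdsa.PublicKey)
	return ok1 && ok2 && pa.Equal(pb)
}

func main() {
	now, year, lead := time.Now(), 365*24*time.Hour, 30*24*time.Hour
	enc, _, err := newCert("alice-encryption", Encryption, now, year)
	if err != nil {
		panic(err)
	}
	id, _, err := newCert("alice-identity", Identity, now, year)
	if err != nil {
		panic(err)
	}
	fmt.Println("escrow encryption key:", MayEscrow(enc), " escrow identity key:", MayEscrow(id))
	fmt.Println("renewal due now:", RenewalDue(enc, now, lead), " due in 340 days:", RenewalDue(enc, now.Add(340*24*time.Hour), lead))
	renewed, _, err := Renew(enc, now.Add(340*24*time.Hour), year)
	if err != nil {
		panic(err)
	}
	fmt.Println("renewal reused old key:", SameKey(enc, renewed))
}
```

The point of keying the escrow decision off the certificate's key usage is that the decision is then made from data the CA has already attested to rather than from a label someone typed into a spreadsheet: a signing key can never be mis-filed as an encryption key and escrowed by accident, which would let whoever holds the escrow database impersonate the key's owner.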