5 Security Flubs Users Make When Browsing the Web

From haphazardly installing ActiveX controls to ignoring security warnings, a look at five common ways users get off the security track online and ways to set them straight

By Joan Goodchild, Senior Editor

How can users get educated about ActiveX? Watchinski advises telling them that installing an ActiveX control is just like installing any other application on a computer.

"Every time you install one, you have to think about exactly what you are doing. You are installing a new piece of software that could be vulnerable to something."

Watchinski also added that the latest version of IE has the ability to lock controls down to a specific website. For example, if a user gets an ActiveX request from Google, it will only work on Google.com. Administrators should implement this in their group policy controls so users are forced into that situation, he said.

Trusting bad SSL certificates
"When you get that pop up that says 'bad SSL cert,' most people just click 'add exception' and then continue on about their business," said Watchinski. "I don't think people really understand what a bad SSL cert means."

What does it mean? That you are going to a site that is claiming to be something it is not, according to Watchinski.

"Maybe you click on a link on Google and you think it will take you to another Google address. But the bad guy has changed that to: www.google.badguy.com. But you're not really paying attention and when that bad SSL cert pops up, you just say OK. And then you are not really where you are supposed to be." (For other scam techniques see: Social Engineering: 8 Common Tactics)

From now on, said Watchinski, advise users to look carefully the next time they see a bad SSL cert pop up.

"Users have that mentality of I want to get to my content now," said Watchinski. "But they should be looking at what pops up to make sure the link is taking them where they want to go."
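The www.google.badguy.com link in Watchinski's example can also be caught mechanically, for instance in a mail or proxy filter. The sketch below is an added example, not part of the original article; the `TRUSTED_DOMAINS` set, the function names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains the user actually means to reach.
TRUSTED_DOMAINS = {"google.com"}


def hostname_of(url):
    """Lowercased hostname only: userinfo, port and trailing dot are dropped."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_under_trusted_domain(host):
    """True only for a trusted domain itself or a real subdomain of it.

    The leading "." forces a label boundary, so "notgoogle.com" does not
    pass the way it would with a bare endswith("google.com").
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify(url):
    """Return 'trusted', 'lookalike', 'other' or 'invalid' for a link."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_under_trusted_domain(host):
        return "trusted"
    # A trusted brand name used as a label under someone else's domain,
    # as in www.google.badguy.com, is the pattern the article describes.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if brands & set(host.split(".")):
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample links, not taken from real traffic.
    for link in (
        "https://www.google.com/search?q=cso",
        "https://www.google.badguy.com/",
        "https://www.google.com.badguy.com/login",
        "https://notgoogle.com/",
    ):
        print(f"{classify(link):10} {link}")
```

The rightmost labels of the hostname decide who controls the site; anything to the left of them, including a familiar brand name, is chosen by whoever owns that domain.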

Allowing unsigned content
In the next scenario, Watchinski lays it out like this:

"You're browsing the Web, you get to a file, and it says you need application XYZ to view it. It prompts you to download that app from that site. You click 'install application.' Then something says 'Unsigned content. Microsoft cannot verify where this application came from or who made it.'"

Regardless of the warning, people will click and say OK, said Watchinski. Not a great idea.

"If you are a Microsoft partner and you make applications for Windows, you have a key for their install Window. If you get a box that says the content is not signed, you should think about where you are installing that application from."
