Exploring Security Strategies to Protect Personally Identifiable Information in Small Businesses
Organizations that do not adequately protect sensitive data are at high risk of data breaches. Organization leaders must protect confidential information as failing to do so could result in irreparable reputation damage, severe financial implications, and legal consequences. This study used a multiple case study design to explore small businesses’ strategies for protecting their customers’ PII against phishing attacks. This study’s population comprised information technology (IT) managers in small businesses in Northern Virginia. The conceptual framework used in this study was the technology acceptance model. Data collection was performed using telephone interviews with IT managers (n = 6) as well as secondary data analysis of documents related to information security (n = 13). Thematic analysis was used to analyze and code the data, which resulted in four themes. The first theme to emerge was that users are the first line of defense in protecting PII. The second theme to emerge was that preventing phishing attacks is challenging for small businesses. The third theme to emerge was that users are a challenge in protecting PII from phishing attacks. The final theme to emerge was that user awareness and training is the best defense against phishing attacks. A recommendation is that information security training should be performed consistently while senior leadership fosters an environment that promotes acceptable security behavior and attitudes. The findings of this study may promote positive social change by helping IT leaders develop effective strategies or frameworks for protecting their customers’ PII from phishing attacks
Experimental Case Studies for Investigating E-Banking Phishing Techniques and Attack Strategies
Phishing is a form of electronic identity theft in which a combination of social engineering and web site spoofing techniques is used to trick a user into revealing confidential information with economic value. The problem with social engineering attacks is that there is no single solution that eliminates them completely, since they deal largely with the human factor. This is why conducting empirical experiments is crucial for studying and analyzing the malicious and deceptive techniques and strategies behind phishing website attacks. In this paper, three different kinds of phishing experiment case studies have been conducted to shed some light on social engineering attacks, such as phone phishing and phishing website attacks, with the aim of designing effective countermeasures and analyzing the efficiency of security awareness efforts about phishing threats. Results and reactions to our experiments show the importance of conducting phishing awareness training for all users and of doubling our efforts in developing phishing prevention techniques. Results also suggest that traditional phishing indicators are not always effective for detecting phishing websites, and that alternative intelligent phishing detection approaches are needed
Emerging Phishing Trends and Effectiveness of the Anti-Phishing Landing Page
Each month, more attacks are launched with the aim of making web users believe that they are communicating with a trusted entity, which compels them to share their personal and financial information. Phishing costs Internet users billions of dollars every year. Researchers at Carnegie Mellon University (CMU) created an anti-phishing landing page, supported by the Anti-Phishing Working Group (APWG), with the aim of training users on how to protect themselves from phishing attacks. It is used by financial institutions, phish site take-down vendors, government organizations, and online merchants. When a potential victim clicks on a phishing link that has been taken down, he or she is redirected to the landing page. In this paper, we present a comparative analysis of two datasets that we obtained from APWG's landing page log files: one from September 7, 2008 to November 11, 2009, and the other from January 1, 2014 to April 30, 2014. We found that the landing page has been successful in training users against phishing. Forty-six percent of users clicked fewer phishing URLs from January 2014 to April 2014, which shows that training from the landing page helped users not to fall for phishing attacks. Our analysis shows that phishers have started to modify their techniques by creating more legitimate-looking URLs and buying large numbers of domains to increase their activity. We observed that phishers are exploiting ICANN-accredited registrars to launch their attacks even under strict surveillance. We saw that phishers are trying to exploit free subdomain registration services to carry out attacks. In this paper, we also compared the phishing e-mails used by phishers to lure victims in 2008 and 2014. We found that the phishing e-mails have changed considerably over time. Phishers have adopted new techniques such as sending promotional e-mails and emotionally targeting users into clicking phishing URLs
PALPAS - PAsswordLess PAssword Synchronization
Tools that synchronize passwords over several user devices typically store the encrypted passwords in a central online database. For encryption, a low-entropy, password-based key is used. Such a database may be subject to unauthorized access, which can lead to the disclosure of all passwords through an offline brute-force attack. In this paper, we present PALPAS, a secure and user-friendly tool that synchronizes passwords between user devices without storing information about them centrally. The idea of PALPAS is to generate a password from a high-entropy secret shared by all devices and a random salt value for each service. Only the salt values are stored on a server, not the secret. The salt enables the user devices to generate the same password but is statistically independent of the password. In order for PALPAS to generate passwords according to different password policies, we also present a mechanism that automatically retrieves and processes the password requirements of services. PALPAS users need to memorize only a single password, and setting up PALPAS on a further device requires only a one-time transfer of a small amount of static data.
Comment: An extended abstract of this work appears in the proceedings of ARES 201
CERT strategy to deal with phishing attacks
Every day, internet thieves employ new ways to steal people's personal identities and gain access to their personal information. Phishing is a somewhat complex method that has recently been adopted by internet thieves. The present study aims to explain phishing, why an organization should deal with it, and the challenges of doing so. In addition, the different kinds of this attack and a classification of security approaches for organizational and lay users are addressed in this article. Finally, the CERT strategy to deal with phishing is presented, along with a study of some anti-phishing