Resources
Resources to assist you.

Secure Web

Web Server SSL Test - test your web server for robust SSL/TLS support.  Determine if your server allows insecure sessions, which is an issue if your site deals with PII or financial data.

Recommended cipher suites for web servers - list of safest cipher suites for SSL/TLS. Updated periodically, so check back regularly.

Qualys BrowserCheck - a free tool to help users check their browsers for plugins which might be old or insecure, exposing the user to risk.

Mozilla PluginCheck - another free alternative, and though it is sponsored by Mozilla, who brings us Firefox, it works in most any browser.

Securing Your Browser (US-CERT) - helps users understand concepts like "trusted sites" and how they impact security.

NoScript - a Firefox plugin which allows users to visit web sites with scripting disabled by default. Not for the faint of heart, but can dramatically reduce the risk of a browser-based compromise.

Web Application Security - a PowerPoint presentation concerning web site security "best practices", and how to address various web security issues. Updated periodically, so check back!

Definitions

Absolute security - There is NO SUCH THING. The best you can do is to be as "secure as possible" by being careful and paying attention. Life always has risks - the internet is no different. So, "be careful out there"...

Bot - short for "robot". A bot is a machine that has been successfully infected with malware that allows another computer to control it. The controlling computer is usually in control of many bots, and is referred to as a C&C machine. The C&C machine can use its army of bots to perform profitable tasks - relaying email spam, scanning networks for vulnerable machines, performing denial of service attacks, etc.

Botnet - A (usually large) number of computers (see: bot) on the internet that have been taken over by an attacker. These computers operate on commands sent from the attacker's computer, called a C&C computer. These commands will cause the bots to spread viruses to other computers, or transmit spam emails, etc. (anything that can make money for the attacker).

Breach - A release (intentional or unintentional) of secure or private information to any entity not authorized to access that information. This can range from social security numbers to classified or other confidential information (trade secrets, business plans, etc.)

C&C - Command and Control - a computer that controls multiple bot computers, and coordinates their usage.

Encryption - A technique that mathematically encodes your data before it is sent between your browser and the web site that you are currently visiting. Strong encryption makes it nearly impossible for anyone except the intended party to decode your data. So if someone "taps" your connection, they will not be able to decode the data that they intercept via the "tap". Note that there are some encryption methods that are "weak", which means that they are easy to crack. So you want to use only "strong" encryption.

Https - A browser protocol that uses SSL encryption to protect data from being used by anyone other than the intended party. If an attacker accesses the data stream of an SSL session, the data will appear to be "gibberish", because it is encrypted.

Identity theft - A criminal can use information about you (perhaps gleaned from social web sites, banks, retail organizations, etc., that have been hacked) to apply for credit cards, driver's license, bank loans, etc., in your name. The criminal can then use these assets to impersonate you - withdraw money from your bank accounts, charge credit cards to their limit (then throw them away, leaving you to pay the bill if you can't prove that you didn't purchase the items), use the bank loan to vacation in the Maldives, or whatever.

Key logger - A program that intercepts every keyboard character that you type, and sends it to an attacker. Key loggers can be installed on your computer without you knowing it if you visit an "evil" web site. Key loggers may be installed on other computers as well - like any public computer (library, school, elsewhere). This is one (really good) reason to NEVER transact any important business or financial transaction from a public computer.

Malware - Malicious software. This includes any programs that disrupt your computer. Some are merely nuisance programs (consume large amounts of processing power), and others attempt to "cash in" somehow - perhaps search for PII on your computer and send any discovered data to a C&C computer, or use your computer as a "bot" to perform other profitable activities, etc.

Personally Identifiable Information - Any piece of information that can be used directly or indirectly to identify, locate, or contact a particular person. Examples include name, social security number, medical information, IP address, etc.

Pharming - An attack that alters the destination for chosen URLs. This can be accomplished by altering the IP address for the URL(s) in DNS servers (similar to changing the telephone number for someone in the phone book), or by altering the DNS cache in users' routers (which is another reason that you need to secure your router!). This causes a user attempting to connect to a specific URL - like "mybank.com" - to be sent instead to an attacker-chosen site.

Phishing - an email technique that tricks, scares, or confuses a victim into providing confidential information to an attacker.  For example, an attacker may send an email warning you that your bank account has had suspicious activity, and that you should "click on the link provided below" to access your account and change your password. If you click on the link, you will go to a page that looks just like your bank login screen - but in reality, the page is a fake under the control of the attacker.  When you "login" to this fake page, you have provided everything needed for the attacker to access your account on the real web site - in this case giving the attacker access to your real bank account. The attacker can now drain your account, using your supplied credentials.

PII - see: Personally Identifiable Information

Ransomware - malware that encrypts the data on your hard drive, then requires you to purchase the decryption key. In effect, your data is "held hostage" (because you can't read it while it's encrypted), and you pay a ransom in order to "get your data back" (you can decrypt and use your data once you purchase the decryption key). 

Smishing - A form of phishing that uses SMS "texting" instead of email to hook victims into clicking a link to an attacker site, or calling an attacker telephone number (may be a 900-type number that allows the attacker to collect a fee, or provide you with instructions that lead you to other attack vectors).

Spearphishing - like phishing, but targeted at specific types of individuals that should represent a higher payoff if "hooked". The spearphishing victims are usually members of a group that can provide the attacker something that the attacker is interested in obtaining. For example, the email may be aimed at web site administrators (goal: admin access to systems), or potential loan applicants (goal: identity theft), etc.

SSL - An acronym for Secure Sockets Layer. SSL allows your web browser to use encryption to transfer all data to/from an SSL enabled web site. Most web sites that handle sensitive information (bank, insurance, medical, etc.) use - or should use - SSL to protect sensitive information (if you visit a site that wants or has your personal information, but does NOT use SSL or other security measures to protect your data, consider removing your data from that site and changing to a site that DOES protect you). Encrypted data will appear to be gibberish to anyone who does not know the "decode key", making any intercepted data useless to criminals.

TLS - An acronym for Transport Layer Security. TLS is the successor to SSL. Like SSL, it encrypts data during transfer, but it adds improved (stronger) encryption algorithms to accomplish better encryption than SSL, and corrects known SSL vulnerabilities, so it is safer.

URL - Acronym for "Uniform Resource Locator". On the internet, this is usually the "name" of a web asset that can be a web site (like: www.google.com), a particular web page on a web site (like: http://www.webopedia.com/TERM/U/URL.html), a particular picture (like: https://farm8.staticflickr.com/7380/10007523486_abda3d86d7_z.jpg), etc.

Whaling - A form of spearphishing that targets corporate executives (goal: access to high-level corporate information for espionage or insider trading, etc.)
