INVITATION TO CYBERSECURITY 242 data in plaintext so anybody sniffing network traffic, and all the intermediary servers between endpoints, can read the data. Therefore, these protocols should not be used. Email is another old protocol without built-in encryption. Email messages traverse between email servers like snail mail letters traverse between post offices. One of the primary protocols used for transmitting emails over the Internet is called Simple Mail Transfer Protocol (SMTP). SMTP traffic was originally not encrypted, but it has been updated to use encryption to protect email messages as they travel over the Internet. However, email messages stored on servers are not encrypted. In other words, email providers can read their users’ email and could mine them for various purposes and share their contents with third parties. It is also easy for end-users to forward sensitive emails to others, either by accident or intentionally. Hackers may also be able to access emails, either through compromising a user account or an email provider’s servers. For these reasons, email is not considered a secure means of communication. Encrypted email software does exist and encrypted attachments can be sent over regular email, but these solutions require key distribution and management as well as additional steps, and are rarely used. Figure 9.10 A website protected with HTTPS. In Section 8.1.6 we briefly covered the HTTPS protocol that is used to make web browser connections end-to-end encrypted—it is the secure replacement for HTTP (see Figure 9.10). When browsing the Internet, users need to be cautious on sites that are not served over HTTPS. With HTTP, the web server has not been authenticated as genuine, and no encryption is used. Most traffic is HTTPS encrypted by default on today’s Internet. However, on local area networks and when writing or using custom networking software, users need to be aware of the threat of eavesdropping and take appropriate precautions. This may include encrypting data before it is sent over the network. It should be assumed that traffic sent over the network will be sniffed, and therefore, one should investigate to be sure that it is protected. For example, on an organization’s network, are Voice Over Internet Protocol (VOIP) phone calls encrypted? How about data sent to copiers and printers? These questions are worth asking. Below in Section 9.2.4.2 we examine wireless networks and how that data can be protected. 9.2.3 Harden Systems If there is one thing this textbook has made clear it is that cyberspace is rife with vulnerabilities. Computers of all kinds, including laptops, smartphones, routers, and smart devices, need to be hardened. Hardened means made secure. This section outlines some steps that users can take to make their devices more secure.
RkJQdWJsaXNoZXIy MTM4ODY=