Peter H. Gregory

Article / Updated 04-14-2023

On the CISSP exam, you need to be able to recognize the techniques used to identify and fix vulnerabilities in systems and the techniques for security assessments and testing for the various types of systems. Client-based systems The types of design vulnerabilities often found on endpoints involve defects in client-side code that is present in browsers and applications. The defects most often found include these: Sensitive data left behind in the file system. Generally, this consists of temporary files and cache files, which may be accessible by other users and processes on the system. Unprotected local data. Local data stores may have loose permissions and lack encryption. Vulnerable applets. Many browsers and other client applications often employ applets for viewing documents and video files. Often, the applets themselves may have exploitable weaknesses. Unprotected or weakly protected communications. Data transmitted between the client and other systems may use weak encryption or use no encryption at all. Weak or nonexistent authentication. Authentication methods on the client, or between the client and server systems, may be unnecessarily weak. This permits an adversary to access the application, local data, or server data without first authenticating. Other weaknesses may be present in client systems. For a more complete understanding of application weaknesses, consult OWASP. Identifying weaknesses like the preceding examples will require one or more of the following techniques: Operating system examination Network sniffing Code review Manual testing and observation Server-based systems Design vulnerabilities found on servers fall into the following categories: Sensitive data left behind in the file system. Generally, this consists of temporary files and cache files, which may be accessible by other users and processes on the system. Unprotected local data. Local data stores may have loose permissions and also lack encryption. Unprotected or weakly protected communications. Data transmitted between the server and other systems (including clients) may use weak encryption or use no encryption at all. Weak or nonexistent authentication. Authentication methods on the server may be unnecessarily weak. This permits an adversary to access the application, local data, or server data without first authenticating. These defects are similar to those in the client-based systems. This is because the terms client and server have only to do with perspective: in both cases, software is running on a system. Database systems Database management systems are nearly as complex as the operating systems on which they reside. Vulnerabilities in database management systems include these: Loose access permissions. Like applications and operating systems, database management systems have schemes of access controls that are often designed far too loosely, which permits more access to critical and sensitive information than is appropriate. Another aspect of loose access permissions is an excessive number of persons with privileged access. Finally, there can be failures to implement cryptography as an access control when appropriate. Excessive retention of sensitive data. Keeping sensitive data longer than necessary increases the impact of a security breach. Aggregation of personally identifiable information. The practice known as aggregation of data about citizens is a potentially risky undertaking that can result in an organization possessing sensitive personal information. Sometimes, this happens when an organization deposits historic data from various sources into a data warehouse, where this disparate sensitive data is brought together for the first time. The result is a gold mine or a time bomb, depending on how you look at it. Database security defects can be identified through manual examination or automated tools. Mitigation may be as easy as changing access permissions or as complex as redesigning the database schema and related application software programs. Large-scale parallel data systems Large-scale parallel data systems are systems with large numbers of processors. The processors may either reside in one physical location or be geographically distributed. Vulnerabilities in these systems include Loose access permissions. Management interfaces or the processing systems themselves may have either default, easily guessed, or shared logon credentials that would permit an intruder to easily attack the system. Unprotected or weakly protected communications. Data transmitted between systems may be using either weak encryption or no encryption at all. This could enable an attacker to obtain sensitive data in transit or enough knowledge to compromise the system. Security defects in parallel systems can be identified through manual examination and mitigated through either configuration changes or system design changes. Distributed systems Distributed systems are simply systems with components scattered throughout physical and logical space. Oftentimes, these components are owned and/or managed by different groups or organizations, sometimes in different countries. Some components may be privately used while others represent services available to the public (for example, Google Maps). Vulnerabilities in distributed systems include these: Loose access permissions. Individual components in a distributed system may have individual, separate access control systems, or there may be one overarching access control system for all of the distributed system’s components. Either way, there are too many opportunities for access permissions to be too loose, thereby enabling some subjects access to more data and functions than they need. Unprotected or weakly protected communications. Data transmitted between the server and other systems (including clients) may be using either weak encryption or no encryption at all. Weak security inheritance. What we mean here is that in a distributed system, one component having weak security may compromise the security of the entire system. For example, a publicly accessible component may have direct open access to other components, bypassing local controls in those other components. Lack of centralized security and control. A distributed system that is controlled by more than one organization often lacks overall oversight for security management and security operations. This is especially true of peer-to-peer systems that are often run by end users on lightly managed or unmanaged endpoints. Critical paths. A critical path weakness is one where a system’s continued operation depends on the availability of a single component. All of these weaknesses can also be present in simpler environments. These weaknesses and other defects can be detected through either the use of security scanning tools or manual techniques, and corrective actions taken to mitigate those defects. High quality standards for cloud computing — for cloud service providers as well as organizations using cloud services — can be found at the Cloud Security Alliance and the European Network and Information Security Agency. Cryptographic systems Cryptographic systems are especially apt to contain vulnerabilities, for the simple reason that people focus on the cryptographic algorithm but fail to implement it properly. Like any powerful tool, if the operator doesn’t know how to use it, it can be useless at best and dangerous at its worst. The ways in which a cryptographic system may be vulnerable include these: Use of outdated algorithm. Developers and engineers must be careful to select encryption algorithms that are robust. Furthermore, algorithms in use should be reviewed at least once per year to ensure they continue to be sufficient. Use of untested algorithm. Engineers sometimes make the mistake of either home-brewing their own cryptographic system or using one that is clearly insufficient. It’s best to use one of many publicly available cryptosystems that have stood the test of repeated scrutiny. Failure to encrypt encryption keys. A proper cryptosystem sometimes requires that encryption keys themselves be encrypted. Weak cryptographic keys. Choosing a great algorithm is all but undone if the initialization vector is too small, or too-short keys or too-simple keys are used. Insufficient protection of cryptographic keys. A cryptographic system is only as strong as the protection of its encryption keys. If too many people have access to keys, or if the keys are not sufficiently protected, an intruder may be able to compromise the system simply by stealing and using the keys. Separate encryption keys should be used for the data encryption key (DEK) used to encrypt/decrypt data and the key encryption key (KEK) used to encrypt/decrypt the DEK. These and other vulnerabilities in cryptographic systems can be detected and mitigated through peer reviews of cryptosystems, assessments by qualified external parties, and the application of corrective actions to fix defects. Industrial control systems Industrial control systems (ICS) represent a wide variety of means for monitoring and controlling machinery of various kinds, including power generation, distribution, and consumption; natural gas and petroleum pipelines; municipal water, irrigation, and waste systems; traffic signals; manufacturing; and package distribution. Weaknesses in industrial control systems include the following: Loose access permissions. Access to monitoring or controls of ICS’s are often set too loosely, thereby enabling some users or systems access to more data and control than they need. Failure to change default access credentials. All too often, organizations implement ICS components and fail to change the default administrative credentials on those components. This makes it far too easy for intruders to take over the ICS. Access from personally owned devices. In the name of convenience, some organizations permit personnel to control machinery from personally owned smartphones and tablets. This vastly increases the ICS’s attack surface and provides opportunities for intruders to access and control critical machinery. Lack of malware control. Many ICS’s lack security components that detect and block malware and other malicious activity, resulting in intruders having too easy a time getting into the ICS. Failure to air gap the ICS. Many organizations fail to air gap (isolate) the ICS from the rest of its corporate network, thereby enabling excessive opportunities for malware and intruders to access the ICS via a corporate network where users invite malware through phishing and other means. Failure to update ICS components. While the manufacturers of ICS components are notorious for failing to issue security patches, organizations are equally culpable in their failure to install these patches when they do arrive. These vulnerabilities can be mitigated through a systematic process of establishing good controls, testing control effectiveness, and applying corrective action when controls are found to be ineffective. Cloud-based systems The U.S. National Institute of Standards and Technology (NIST) defines three cloud computing service models as follows: Software as a Service (SaaS): Customers are provided access to an application running on a cloud infrastructure. The application is accessible from various client devices and interfaces, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer may have access to limited user-specific application settings. Platform as a Service (PaaS): Customers can deploy supported applications onto the provider’s cloud infrastructure, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over the deployed applications and limited configuration settings for the application-hosting environment. Infrastructure as a Service (IaaS): Customers can provision processing, storage, networks, and other computing resources and deploy and run operating systems and applications, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over operating systems, storage, and deployed applications, as well as some networking components (for example, host firewalls). NIST further defines four cloud computing deployment models as follows: Public: A cloud infrastructure that is open to use by the general public. It’s owned, managed, and operated by a third party (or parties) and exists on the cloud provider’s premises. Community: A cloud infrastructure that is used exclusively by a specific group of organizations. Private: A cloud infrastructure that is used exclusively by a single organization. It may be owned, managed, and operated by the organization or a third party (or a combination of both), and may exist on or off premises. Hybrid: A cloud infrastructure that is composed of two or more of the aforementioned deployment models, bound together by standardized or proprietary technology that enables data and application portability (for example, failover to a secondary data center for disaster recovery or content delivery networks across multiple clouds). Major public cloud service providers such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Platform provide customers not only with virtually unlimited compute and storage at scale, but also a depth and breadth of security capabilities that often exceeds the capabilities of the customers themselves. However, this does not mean that cloud-based systems are inherently secure. The shared responsibility model is used by public cloud service providers to clearly define which aspects of security the provider is responsible for, and which aspects the customer is responsible for. SaaS models place the most responsibility on the cloud service provider, typically including securing the following: Applications and data Runtime and middleware Servers, virtualization, and operating systems Storage and networking Physical data center However, the customer is always ultimately responsible for the security and privacy of its data. Additionally, identity and access management (IAM) is typically the customer’s responsibility. In a PaaS model, the customer is typically responsible for the security of its applications and data, as well as IAM, among others. In an IaaS model, the customer is typically responsible for the security of its applications and data, runtime and middleware, and operating systems. The cloud service provider is typically responsible for the security of networking and the data center (although cloud service providers generally do not provide firewalls). Virtualization, server, and storage security may be managed by either the cloud service provider or customer. The Cloud Security Alliance (CSA) publishes the Cloud Controls Matrix, which provides a framework for information security that is specifically designed for the cloud industry. Internet of Things The security of Internet of Things (IoT) devices and systems is a rapidly evolving area of information security. IoT sensors and devices collect large amounts of both potentially sensitive data and seemingly innocuous data. However, under certain circumstances practically any data that is collected can be used for nefarious purposes, security must be a critical design consideration for IoT devices and systems. This includes not only securing the data stored on the systems, but also how the data is collected, transmitted, processed, and used. There are many networking and communications protocols commonly used in IoT devices, including the following: IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) 5G Wi-Fi Bluetooth Mesh and Bluetooth Low-Energy (BLE) Thread Zigbee, and many others The security of these various protocols and their implementations must also be carefully considered in the design of secure IoT devices and systems.

Cheat Sheet / Updated 04-14-2023

The Chromebook is designed to rely heavily on the Internet for most of its functionality. Instead of a large hard drive, Chromebook relies primarily on cloud-based storage. In place of many resident applications, Chromebook uses web-based applications that you access through the Google Web Store and Google Play Store. Because so many functions are obscure, some Chromebook settings — such as cloud printing, email vacation responders, and function keys — can be a little challenging to set up or use. This Cheat Sheet shows you how to take advantage of these functions and shortcut keys.

Article / Updated 09-27-2022

The International Information System Security Certification Consortium (ISC)2 has several other certifications, including some that you may aspire to earn after (or instead of) receiving your Certified Information Systems Security Professional (CISSP) credential. These certifications are CCFP® (Certified Cyber Forensics Professional): This is a certification for forensics and security incident responders. CCSPsm (Certified Cloud Security Professional ): This certification on cloud controls and security practices was co-developed by (ISC)2 and the Cloud Security Alliance. CSSLP® (Certified Secure Software Lifecycle Professional ): Designed for software development professionals, the CSSLP recognizes software development in which security is a part of the software requirements, design, and testing — so that the finished product has security designed in and built in, rather than added on afterward. HCISPP® (HealthCare Information Security and Privacy Practitioner): Designed for information security in the healthcare industry, the HCISPP recognizes knowledge and experience related to healthcare data protection regulations and the protection of patient data. JGISP (Japanese Government Information Security Professional): A country-specific certification that validates a professional's knowledge, skills, and experience related to Japanese government regulations and standards. CAP® (Certification and Accreditation Professional): Jointly developed by the U.S. Department of State's Office of Information Assurance and (ISC)2, the CAP credential reflects the skills required to assess risk and establish security requirements for complex systems and environments.

Article / Updated 09-19-2022

Web-based systems contain many components, including application code, database management systems, operating systems, middleware, and the web server software itself. These components may, individually and collectively, have security design or implementation defects. Some of the defects present include these: Failure to block injection attacks. Attacks such as JavaScript injection and SQL injection can permit an attacker to cause a web application to malfunction and expose sensitive internally stored data. Defective authentication. There are many, many ways in which a web site can implement authentication — they are too numerous to list here. Authentication is essential to get right; many sites fail to do so. Defective session management. Web servers create logical “sessions” to keep track of individual users. Many web sites’ session management mechanisms are vulnerable to abuse, most notably that permit an attacker to take over another user’s session. Failure to block cross-site scripting attacks. Web sites that fail to examine and sanitize input data. As a result, attackers can sometimes create attacks that send malicious content to the user. Failure to block cross-site request forgery attacks. Web sites that fail to employ proper session and session context management can be vulnerable to attacks in which users are tricked into sending commands to web sites that may cause them harm. Failure to protect direct objects references. Web sites can sometimes be tricked into accessing and sending data to a user who is not authorized to view or modify it. These vulnerabilities can be mitigated in three main ways: Developer training on the techniques of safer software development. Including security in the development lifecycle. Use of dynamic and static application scanning tools. For a more in-depth review of vulnerabilities in web-based systems, read the “Top 10” list at OWASP.

Cheat Sheet / Updated 03-07-2022

The Certified Information Systems Security Professional (CISSP)certification is based upon a Common Body of Knowledge (CBK) determined by the International Information Systems Security Certification Consortium, Inc. (ISC)². It is defined through eight tested domains: Security and Risk Management; Asset Security; Security Engineering; Communication and Network Security; Identity and Access Management; Security Assessment and Testing; Security Operations; and Software Development Security. Put the following CISSP test prep tips to good use and prove that you have mastered these domains.

Article / Updated 08-06-2020

Email has emerged as one of the most important communication mediums in our global economy, with over 50 billion email messages sent worldwide every day. Unfortunately, spam accounts for as much as 85 percent of that email volume. Spam is more than a minor nuisance — it's a serious security threat to all organizations worldwide. The Simple Mail Transfer Protocol (SMTP) is used to send and receive email across the Internet. It operates on TCP/UDP port 25 and contains many well-known vulnerabilities. Most SMTP mail servers are configured by default to forward (or relay) all mail, regardless of whether the sender's or recipient's address is valid. Failing to secure your organization's mail servers may allow spammers to misuse your servers and bandwidth as an open relay to propagate their spam. The bad news is that you'll eventually (it usually doesn't take more than a few days) get blocklisted by a large number of organizations that maintain real-time blackhole lists (RBLs) against open relays, effectively preventing most (if not all) email communications from your organization reaching their intended recipients. It usually takes several months to get removed from those RBLs after you've been blocklisted, and it does significant damage to your organization's communications infrastructure and credibility. Using RBLs is only one method to combat spam, and it's generally not even the most effective or reliable method, at that. The organizations that maintain these massive lists aren't perfect and do make mistakes. If a mistake is made with your domain or IP addresses, you'll curse their existence — it's a case in which the cure is sometimes worse than the disease. Failure to make a reasonable effort towards spam prevention in your organization is a failure of due diligence. An organization that fails to implement appropriate countermeasures may find itself a defendant in a sexual harassment lawsuit from an employee inundated with pornographic emails sent by a spammer to his or her corporate email address. Other risks associated with spam email include Missing or deleting important emails: Your boss might inadvertently delete that email authorizing your promotion and pay raise because her inbox is flooded with spam and she gets trigger-happy with the Delete button — at least it's a convenient excuse! Viruses and other mail-icious code: Although you seem to hear less about viruses in recent years, they're still prevalent, and email remains the favored medium for propagating them. Phishing and pharming scams: Phishing and pharming attacks, in which victims are lured to an apparently legitimate website (typically online banking or auctions) ostensibly to validate their personal account information, are usually perpetrated through mass mailings. It's a complex scam increasingly perpetrated by organized criminals. Ultimately, phishing and pharming scams cost the victim his or her moolah — and possibly his or her identity. Countering these threats requires an arsenal of technical solutions and user-awareness efforts and is — at least, for now — a never-ending battle. Begin by securing your servers and client PCs. Mail servers should always be placed in a DMZ, and unnecessary or unused services should be disabled — and change that default relay setting! Most other servers, and almost all client PCs, should have port 25 disabled. Implement a spam filter or other secure mail gateway. Also, consider the following user-awareness tips: Never unsubscribe or reply to spam email. Unsubscribe links in spam emails are often used to confirm the legitimacy of your email address, which can then be added to mass-mailing lists that are sold to other spammers. And, as tempting as it is to tell a spammer what you really think of his or her irresistible offer to enhance your social life or improve your financial portfolio, most spammers don't actually read your replies and (unfortunately) aren't likely to follow your suggestion that they jump off a cliff. Although legitimate offers from well-known retailers or newsletters from professional organizations may be thought of as spam by many people, it's likely that, at some point, a recipient of such a mass mailing actually signed up for that stuff — so it's technically not spam. Everyone seems to want your email address whenever you fill out an application for something, and providing your email address often translates to an open invitation for them to tell you about every sale from here to eternity. In such cases, senders are required by U.S. law to provide an Unsubscribe hyperlink in their mass mailings, and clicking it does remove the recipient from future mailings. Don't send auto-reply messages to Internet email addresses (if possible). Mail servers can be configured not to send auto-reply messages (such as out-of-office messages) to Internet email addresses. However, this setting may not be (and probably isn't) practical in your organization. Be aware of the implications — auto-reply rules don't discriminate against spammers, so the spammers know when you're on vacation, too! Get a firewall for your home computer before you connect it to the Internet. This admonishment is particularly true if you're using a high-speed cable or DSL modem. Typically, a home computer that has high-speed access will be scanned within minutes of being connected to the Internet. And if it isn't protected by a firewall, this computer will almost certainly be compromised and become an unsuspecting zombie in some spammer's bot-net army (over 250,000 new zombies are added to the Internet every day!). Then, you'll become part of the problem because your home computer and Internet bandwidth are used to send spam and phishing emails to thousands of other victims around the world, and you'll be left wondering why your brand-new state-of-the-art home computer is suddenly so slow and your blazing new high-speed Internet connection isn't so high-speed just two weeks after you got it. Your end users don't have to be CISSP-certified to secure their home computers. A simple firewall software package that has a basic configuration is usually enough to deter the majority of today's hackers — most are using automated tools to scan the Internet and don't bother to slow down for a computer that presents even the slightest challenge. Size matters in these bot-net armies, and far too many unprotected computers are out there to waste time (even a few minutes) defeating your firewall. Spam is only the tip of the iceberg. Get ready for emerging threats such as SPIM (spam over instant messaging) and SPIT (spam over Internet telephony) that will up the ante in the battle for messaging security. Other email security considerations include malicious code contained in attachments, lack of privacy, and lack of authentication. These considerations can be countered by implementing antivirus scanning software, encryption, and digital signatures, respectively. Several applications employing various cryptographic techniques have been developed to provide confidentiality, integrity, authentication, non-repudiation, and access control for email communications. Secure Multipurpose Internet Mail Extensions (S/MIME): S/MIME is a secure method of sending email incorporated into several popular browsers and email applications. S/MIME provides confidentiality and authentication by using the RSA asymmetric key system, digital signatures, and X.509 digital certificates. S/MIME complies with the Public Key Cryptography Standard (PKCS) #7 format, and an Internet Engineering Task Force (IETF) specification. MIME Object Security Services (MOSS): MOSS provides confidentiality, integrity, identification and authentication, and non-repudiation by using MD2 or MD5, RSA asymmetric keys, and DES. MOSS has never been widely implemented or used, primarily because of the popularity of PGP. Privacy Enhanced Mail (PEM): PEM was proposed as a PKCS-compliant standard by the IETF, but has never been widely implemented or used. It provides confidentiality and authentication by using 3DES for encryption, MD2 or MD5 message digests, X.509 digital certificates, and the RSA asymmetric system for digital signatures and secure key distribution. Pretty Good Privacy (PGP): PGP is a popular email encryption application. It provides confidentiality and authentication by using the IDEA Cipher for encryption and the RSA asymmetric system for digital signatures and secure key distribution. Instead of a central Certificate Authority (CA), PGP uses a decentralized trust model (in which the communicating parties implicitly trust each other) which is ideally suited for smaller groups to validate user identity (instead of using PKI infrastructure, which can be costly and difficult to maintain). Today, two basic versions of PGP software are available: a commercial version from Symantec Corporation, and an open-source version, GPG.

Article / Updated 07-01-2020

From time to time, Google releases software updates for the Chrome OS that runs your Chromebook. Sometimes these software updates are security related, installing these updates when they’re available is always a good idea. To check for updates, follow these steps: Go to Settings. If a software update is available for your Chromebook, you see a message like the one shown below. Click Restart to Update. Your Chromebook downloads the update and restarts. When you click Settings, you might also see a message like the one below that tells you that apps you downloaded from the Google Play Store have updates available. When you see this message, click Update All. In checking for Chrome OS updates, you’re just looking at your notifications. It’s a good idea to get into the habit of glancing down at the lower-right corner of the screen at the notifications area to see whether Chrome OS wants to tell you things, such as about updates and other issues. Want more Chromebook Tips? Use our Chromebook cheat sheet to learn more.

Article / Updated 06-03-2020

Sometimes it’s nice to have a clean start. Your Chromebook makes it easy for you to wipe the slate clean and start over. On the Chromebook, this is known as powerwashing. You may find doing so useful when you have too much junk on your device. Or maybe you want to reset your Chromebook to its default settings because you’re giving your Chromebook to another person. You can wipe your device quickly, easily, and securely by using Chromebook’s built-in Powerwash feature. To powerwash your Chromebook, log in to your Chromebook and follow these steps: Open the Settings panel on the Shelf and click Settings. Scroll to the bottom of the screen and click Show Advanced Settings. Click the Powerwash button in the Powerwash section at the bottom of the screen.A dialog box appears, telling you that a restart is required. If you’re positive that you want to wipe your Chromebook clean, click the Restart button. You can’t undo power washing any more than you can unbreak an egg. After you click Restart, your Chromebook turns into a secure, power-cleaning machine. Nothing on the device will be left. The good news is that it won’t touch anything on your Google Drive or other web services. But anything stored locally on your Chromebook will be gone forever. Your Chromebook restarts, as clean as can be — just like new.

Article / Updated 04-16-2020

The world is not quite paperless; sometimes you need a hard copy. For example, you may need to print and sign a legal agreement, or you might want to print a recipe to jot notes on. Lucky for you, it’s easy to connect a printer to your Chromebook. Many kinds of printers are available, and you have several ways to set them up. up I cover the basics here. When you shop for a new printer to work with your Chromebook, if you stick with major brands (Brother, Canon, Epson, HP, and Lexmark, for example), chances are your printer and your Chromebook will get along just fine. Still, it’s probably wise to ensure that any new printer you are thinking of buying will work with your Chromebook with no fuss. It’s a good idea to ask a salesperson, read the specs, and read reviews. Direct connect printing on your Chromebook Direct connect, which is the easiest type of printing to set up, involves connecting a USB cable from your printer to your Chromebook. You need to follow the instructions that came with your printer, and if they vary from the steps here, definitely go with the printer’s instructions! Otherwise, follow these steps: Turn on the printer and connect the USB cable from your printer to a USB plug on your Chromebook. On your Chromebook screen, click the status area to open the Settings view and then click the Settings icon(which looks like a tiny gear near the top-right corner). The Settings window opens. Scroll all the way down in the Settings window and click Advanced. You see the Advanced settings section in the Settings window. Keep scrolling until you find Printing; then click Printers. Click Add Printer. The Add a Nearby Printer window appears and your printer should appear in a list. (Your printer might be the only one in the list.) Click the printer that is shown. It should match the make and model of printer that your Chromebook is connected to. Click Save. That’s all you should need to do. You can rename your printer if you want. To change your printer’s name, click the three little dots to the right of the printer and then, in the little window that appears, click Edit to open the Edit Printer window. In the Printer Name field, enter your printer’s new name and click Save. (You should not need to change anything else in the Edit Printer window). Here’s a bit of trivia: The symbol with the three little dots is sometimes called a Twinkie. If you’re not sure why this is, go buy a Twinkie and look at it from underneath. You will find three little holes there, which is where the manufacturer injects a whipped-cream-like substance into the bread-like substance. Enjoy! Wi-Fi printing from your Chromebook Several brands of printers support Wi-Fi printing so that you don’t have to connect a USB cable to your printer. One great advantage of having a Wi-Fi–supported printer is that you can print from anyplace in your home or office. Be sure to follow your printer’s setup instructions for this type of printing, in case they vary from the procedure outlined here. Here are the basics of setting up Wi-Fi printing on your Chromebook: Turn on your printer and follow its setup instructions to connect it to your Wi-Fi network. Have your Wi-Fi network identifier and password handy. Your Wi-Fi network identifier is the name of the network to which you connect your Chromebook. On your Chromebook screen, click the status area to open the Settings view and then click the Settings icon (which looks like a tiny gear near the top right corner of the status window). The Settings window appears. Scroll all the way down in the Settings window, and click Advanced. The Advanced settings section in the Settings window appears. Keep scrolling until you find Printing; then click Printers. Click Add Printer. The Add a Nearby Printer window appears. Your printer should appear in a list. If you don’t see it, check to see whether the printer is still turned on. Click the printer that matches the make and model of printer that your Chromebook is connected to. Click Save. That’s all you should need to do. Use this guide to learn about cloud printing with your Chromebook.

Article / Updated 04-16-2020

Cybercriminals are making good money, but let’s make sure that they don’t get any of yours! Having a Chromebook is a great start because the design of Chrome OS — the heart and soul of a Chromebook — has security strongly in mind. The nature of cybercrime makes it necessary for you to be vigilant, even when using the most secure laptop available. These tips can help keep you and your Chromebook data safe. Lock your Chromebook when you’re away Whenever you’re working on your Chromebook where other people are around, an excellent habit to get into is to lock it when you step away, even for a minute or two. You can easily lock it; Chromebooks give you not one, not two, but three ways, as follows: Briefly press the Power button and then click Lock. Open the Settings window and click the Lock symbol. Press the Lock key on your keyboard. Use strong, complex passwords to protect your Chromebook The top ten passwords in use in 2019 are 123456, 123456789, qwerty, 12345678, 111111, 1234567890, 1234567, password, 123123, and 987654321. The next ten are just as lame. Using such passwords is just laziness, and user accounts with weak passwords like these are broken into a lot. Using stronger, complex passwords isn’t difficult. Here are some examples of better ones (but don’t use these because they’re easily found now): wars (Star Wars) IN.the.sky-withDiamonds (Lucy in the Sky with Diamonds) Run-Forr35t-Run! (Run Forrest Run!) Sea-Sp00t-Run (See Spot run) The idea is to think of a phrase and then devise some consistent way of misspelling it that you can remember. You need to use a different password on each site you use. Here’s why: If cybercriminals can successfully break into a website’s user IDs and passwords database (which happens often), and if you use the same user ID and password everywhere you go, the cybercriminals who stole these credentials can easily log in to all the websites you use frequently. If this includes online banking or other sites on which you buy or sell, you’re in big trouble. Use complex passwords on your websites, and a different password on each site, is a lot to remember — so read the next tip. Use a web-based password vault to keep your Chromebook safe Maintaining security isn’t easy. Using different passwords on each site is definitely the way to be more secure, but remembering all those passwords can be challenging. The good news is you don’t have to. Some trusted, high-quality password vaults are available. These securely store your login credentials so that you don’t need to remember them all. Some of these vaults can even automatically enter your login credentials when you log in. How cool is that! The best password vaults are LastPass, Keeper, and Dashlane. Use multifactor authentication everywhere you can One of the biggest threats on the Internet involves the theft of login credentials for popular websites. Even if Chrome OS is resistant to attack, hackers use malicious browser extensions that are designed to steal user IDs and passwords when you type them in. Also, cybercriminals directly attack popular website databases and, if they can break in, often they go for encrypted password databases and attempt to decrypt them. If they do, they have the user IDs and passwords for many — or all — of the site’s users! Using multifactor authentication is generally pretty easy. When you log in to a website, the website sends a code to your smartphone, and you type in that code to log in. Even if hackers can obtain your user ID and password, they can’t log in because they don’t have your smartphone as well. Be on the lookout on your social media, financial services, medical, and other websites where sensitive information about you resides. When you see information about activating multifactor authentication (sometimes called two-factor authentication), please consider enabling it. You’ll thwart cybercriminals, and your data will be a little bit safer. Get a screen privacy filter for your Chromebook If you work with confidential information on your Chromebook, and do so frequently in public places, you might consider getting a screen privacy filter. It helps to keep prying eyes that glance at your screen from seeing what you’re up to. When using a privacy filter, you can clearly see the screen, but people to your left and right just black when they look at your screen. Keep your business information, or those cat videos, to yourself! Block malicious websites with an antimalware program Chrome OS is quite robust and resistant to the kinds of attacks that have plagued Windows computers for decades. Still, hazards are out there, and most of the attacks you face are attacks on your browser in the form of malicious extensions and websites that attempt to steal your data. Security programs like AVG Online Security or McAfee Endpoint Security are available from the Google web Store. They are purpose-made for Chromebooks and help protect you from known malicious websites and other threats. Update the security on your Wi-Fi access point You’re only as secure as the Wi-Fi network you usually use. If you have a new Chromebook and your Wi-Fi access point (which might be doing double-duty as your cable modem or DSL modem) is old, you might consider replacing it with a newer one. The two most important security settings to look at on your Wi-Fi access point are the type of encryption (which is usually none, WEP, WPA, or WPA2 — pick WPA2!) and the default password. Be sure to read the instructions for your Wi-Fi access point carefully. Visit the Wi-Fi access point manufacturer’s website for help. You might also pick up a copy of Networking For Dummies, 11th Edition, by Doug Lowe (Wiley) for more information on securing and customizing your home Wi-Fi network. Back up the local data on your Chromebook With ordinary use of your Chromebook, most of the data you create and deal with is stored by Google “in the cloud,” where it is available on all of your Google-enabled devices. Still, you might have local data that matters to you. The best way to find out is to open the Files app and see what data is stored locally. Anything in the Downloads, Images, Audio, or Video folders might exist only there and nowhere else. If this is the case, and you care about any of these files, it’s best to copy them to your Google Drive: Just drag and drop your files to it — into separate folders if you want. Alternatively, you can back up these files to an external hard drive or SD card if you prefer to maintain complete control over this data. Either way, backing up your local data is easy and takes only moments. Use a VPN if you use public Wi-Fi routinely If you frequent Wi-Fi networks at coffee shops, hotels, airports, and other public places, I recommend that you subscribe to a VPN service. Getting a free VPN service is likely to do more harm than good. Instead, go with one of the leading VPN services, such as Nord VPN, Encrypt.me, ExpressVPN, or Cyberghost VPN. VPN software encrypts all your Wi-Fi network communications so that snoopy people can’t eavesdrop on any of your communications on a public Wi-Fi network. This issue is less important at home where, hopefully, your Wi-Fi access point is configured to use WPA or, better yet, WPA2, which encrypts your network traffic at home. Keep your Chromebook up to date The best — and most important — security tip has been saved for last. Keeping your Chromebook’s Chrome OS up to date is vital for your security, as well as for the stability of your Chromebook. Be sure to watch your notifications and act promptly to update Chrome OS as well as all the apps you’ve downloaded from the Chrome Web Store and the Google Play Store. Although some of the updates fix software bugs, you can be sure that many of the fixes improve the security of your Chromebook and the apps you run. When these security bugs are fixed, criminals have a harder time breaking in and stealing your data.