Security Awareness: Applying Practical Security in Your World, Second Edition
Chapter 3: Internet Security

Objectives
  – Explain how the World Wide Web and e-mail work
  – List the types of Web and e-mail attacks
  – Describe how to set Web defenses using a browser
  – Identify the types of defenses that can be implemented in order to protect e-mail

How the Internet Works
World Wide Web (WWW)
  – Composed of Internet server computers that provide online information
HTML
  – Allows Web authors to combine text, graphic images, audio, video, and hyperlinks into a single document
How the Internet Works (continued)
Hypertext Transport Protocol (HTTP)
  – Subset of Transmission Control Protocol/Internet Protocol (TCP/IP)
Port numbers
  – Identify which program or service on the receiving computer is being requested

How E-mail Works
Simple Mail Transfer Protocol (SMTP)
  – Handles outgoing mail
  – Server "listens" for requests on port 25
Post Office Protocol (POP3)
  – Responsible for incoming mail
  – POP3 "listens" on port 110

How E-mail Works (continued)
IMAP (Internet Mail Access Protocol, or IMAP4)
  – More advanced mail protocol
  – E-mail remains on the server and is not sent to the user's local computer
  – Mail can be organized into folders on the mail server and read from any computer
E-mail attachments
  – Documents in a binary (nontext) format
Internet Attacks
Repurposed Programming
  – Using programming tools in ways more harmful than originally intended
JavaScript
  – Used to make dynamic content
  – Based on the Java programming language
  – Special program code embedded into an HTML document
  – Virtual Machine: Java interpreter used within the Web browser to execute code

Repurposed Programming (continued)
JavaScript programs
  – Can capture and send user information without the user's knowledge or authorization
Java applet
  – Stored on the Web server
  – Downloaded onto the user's computer along with the HTML code
  – Can perform interactive animations or immediate calculations
Java Applet
Sandbox
  – Defense against a hostile Java applet
Unsigned Java applet
  – Program that does not come from a trusted source
Signed Java applet
  – Has a digital signature that proves the program is from a trusted source and has not been altered

ActiveX
Set of technologies developed by Microsoft
Set of rules for how programs should share information
Security concerns
  – User's decision to allow installation of an ActiveX control is based on the source of the control
  – A control is registered only once per computer
  – Nearly all ActiveX control security mechanisms are set in Internet Explorer

Cookies
Small text files stored on the user's hard disk by a Web server
Contain user-specific information
Rules of HTTP
  – Make it impossible for a Web site to track whether a user has previously visited that site

Cookies (continued)
Cannot contain viruses or steal personal information
Contain only information that can be used by a Web server
Can pose a security risk
First-party cookie
  – Created by the Web site that the user is currently viewing
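The first-party/third-party distinction above decides how a browser's privacy settings treat a cookie. As an added example (not from the textbook), the code below parses a Set-Cookie header and labels it relative to the page being viewed; the page URL, hosts and headers are constructed samples, and "same site" is approximated by the last two DNS labels, a simplification of the public-suffix rules real browsers use.

```python
# Added example: classify a Set-Cookie header as first-party or third-party
# relative to the page the user is viewing.
# Assumption: "same site" = last two DNS labels (simplified public-suffix rule).
from urllib.parse import urlparse

def site_of(host: str) -> str:
    """Return the registrable part of a host name (simplified: last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into its name/value pair and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}

def classify_cookie(page_url: str, response_host: str, header: str) -> dict:
    """Label a cookie first-party or third-party for the page being viewed."""
    cookie = parse_set_cookie(header)
    # Effective domain: the Domain attribute if present, else the responding host.
    domain = cookie["attrs"].get("domain", response_host).lstrip(".")
    page_site = site_of(urlparse(page_url).hostname or "")
    cookie["domain"] = domain
    cookie["party"] = "first-party" if site_of(domain) == page_site else "third-party"
    return cookie

# Constructed sample: a page on shop.example.com that embeds an ad from ads.tracker.net.
PAGE = "https://shop.example.com/cart"
SAMPLES = [
    ("shop.example.com", "session=abc123; Path=/; Secure; HttpOnly"),
    ("static.example.com", "prefs=dark; Domain=.example.com; Path=/"),
    ("ads.tracker.net", "uid=98765; Domain=.tracker.net; Path=/"),
]

def audit(page_url: str = PAGE, samples=SAMPLES) -> list:
    """Return (name, party) for each cookie so a privacy level can act on it."""
    result = []
    for host, header in samples:
        cookie = classify_cookie(page_url, host, header)
        result.append((cookie["name"], cookie["party"]))
    return result

if __name__ == "__main__":
    for name, party in audit():
        print(f"{name}: {party}")
```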
Trojan Horse
Malicious program disguised as a legitimate program
Executable program that performs an action when the file is opened
May disguise itself by using a valid filename and extension

Redirecting Web Traffic
Typical mistakes users make when typing a Web address
  – Misspelling the address
  – Omitting the dot
  – Omitting a word
  – Using inappropriate punctuation
Hackers can
  – Exploit a misaddressed Web name
  – Steal information from unsuspecting users through social engineering
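A browser add-on or proxy can catch the typing mistakes listed above before the request leaves the computer. The following is an added example (not from the textbook) that compares a typed host name against a list of trusted domains using edit distance; the trusted list and the test names are constructed samples.

```python
# Added example: flag a typed host name that is a near miss of a trusted domain
# (misspelling, omitted dot, omitted word, odd punctuation).
# The trusted list below is constructed sample data.
TRUSTED = ["example.com", "www.example.com", "mybank.example.com"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(typed: str) -> str:
    """Lower-case and strip scheme, path and trailing dot so only the host is compared."""
    host = typed.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0]
    return host.rstrip(".")

def check_host(typed: str, trusted=TRUSTED, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted name but not it) or 'unknown'."""
    host = normalize(typed)
    if host in trusted:
        return "trusted"
    for good in trusted:
        # Also compare with dots removed so "wwwexample.com" matches "www.example.com".
        if (edit_distance(host, good) <= max_edits
                or host.replace(".", "") == good.replace(".", "")):
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for name in ["www.example.com", "www.exmaple.com", "wwwexample.com",
                 "mybank-example.com", "unrelated.net"]:
        print(f"{name}: {check_host(name)}")
```

A "lookalike" result is the point at which to warn the user rather than silently send the request.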
Search Engine Scanning
Search engines
  – Important tools for locating information on the Internet
Attackers
  – Use the same search tools to assess the security of Web servers before launching an attack
E-mail Attacks
E-mail attachments
  – Preferred method of distributing viruses and worms
E-mail-distributed viruses
  – Use social engineering to trick recipients into opening the document
If a file attached to a message contains a virus
  – It is often launched when the file attachment is opened

Spam
Unsolicited e-mail
Reduces work productivity
Spammers
  – Can overwhelm users with offers to buy merchandise or trick them into giving money away
U.S. Congress passed an anti-spam law in late 2003
  – Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
Web Defenses through Browser Settings
IE settings that should be turned on
  – Do not save encrypted pages to disk
  – Empty Temporary Internet Files folder when browser is closed
  – Warn if changing between secure and not secure mode
Security Zones
Internet
  – Contains Web sites that have not been placed in any other zone
Local Intranet
  – Web pages from an organization's internal Web site can be added to this zone

Security Zones (continued)
Trusted Sites
  – Web sites that are trusted not to pose any harm to a computer can be placed here
Restricted Sites
  – Web sites considered to be potentially harmful can be placed here
Restricting Cookies
Privacy levels
  – Block All Cookies
  – High
  – Medium High
  – Medium
  – Low
  – Accept All Cookies
E-mail Defenses
Technology-based defenses
  – Level of junk e-mail protection
  – Blocked senders
  – Blocked top-level domain list
Technology-Based Defenses
Whitelist
  – Names/addresses of those individuals from whom an e-mail message will be accepted
Bayesian filtering
  – Used by sophisticated filters
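The defenses on the last two slides (whitelist, blocked senders, blocked top-level domains, Bayesian filtering) can be chained so that the cheap list checks run before the statistical one. The code below is an added example (not from the textbook); the addresses, lists and training messages are constructed samples, and the classifier is a minimal naive Bayes with add-one smoothing and equal priors.

```python
# Added example: an incoming-mail filter that applies whitelist, blocked
# senders, blocked top-level domains, then a naive Bayesian word score.
# All addresses, lists and training data below are constructed samples.
import math
from collections import Counter

WHITELIST = {"alice@example.com"}
BLOCKED_SENDERS = {"deals@promo-blast.example"}
BLOCKED_TLDS = {"zz"}  # placeholder TLD for the example

SPAM_TRAINING = ["buy cheap pills now", "win money free offer", "cheap offer buy now"]
HAM_TRAINING = ["meeting notes attached", "lunch tomorrow?", "project status notes"]

def train(spam, ham):
    """Count word frequencies per class for the naive Bayes classifier."""
    spam_words = Counter(w for m in spam for w in m.lower().split())
    ham_words = Counter(w for m in ham for w in m.lower().split())
    return spam_words, ham_words

SPAM_WORDS, HAM_WORDS = train(SPAM_TRAINING, HAM_TRAINING)

def spam_probability(text: str) -> float:
    """Naive Bayes P(spam | words) with add-one smoothing and equal priors."""
    vocab = len(set(SPAM_WORDS) | set(HAM_WORDS))
    spam_total, ham_total = sum(SPAM_WORDS.values()), sum(HAM_WORDS.values())
    log_spam = log_ham = 0.0
    for w in text.lower().split():
        log_spam += math.log((SPAM_WORDS[w] + 1) / (spam_total + vocab))
        log_ham += math.log((HAM_WORDS[w] + 1) / (ham_total + vocab))
    # Convert the log-likelihood ratio back to a probability in [0, 1].
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))

def filter_message(sender: str, text: str, threshold: float = 0.8) -> str:
    """Return 'accept', 'block' or 'junk' for one message, cheapest checks first."""
    sender = sender.lower()
    if sender in WHITELIST:
        return "accept"
    if sender in BLOCKED_SENDERS:
        return "block"
    if sender.rsplit(".", 1)[-1] in BLOCKED_TLDS:
        return "block"
    return "junk" if spam_probability(text) >= threshold else "accept"

if __name__ == "__main__":
    print(filter_message("stranger@other.org", "cheap offer buy now free"))
```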
E-mail Procedures
Questions you should ask when you receive an e-mail with an attachment
  – Is the e-mail from someone that you know?
  – Have you received e-mail from this sender before?
  – Were you expecting an attachment from this sender?

Summary
World Wide Web (WWW)
  – Composed of Internet server computers that provide online information in a specific format
E-mail systems
  – Can use two TCP/IP protocols to send and receive messages
Repurposed programming
  – Using programming tools in ways more harmful than what they were intended for

Summary (continued)
Cookie
  – Computer file that contains user-specific information
Spam, or unsolicited e-mail
  – Has a negative effect on work productivity
  – May be potentially dangerous
Properly configuring security settings on the Web browser
  – First line of defense against an Internet attack