The Internet 8th Edition Tutorial 7 Security on the Internet and the Web.

New Perspectives on the Internet, 8th Edition

Objectives
Explore the basics of security: secrecy, integrity, and necessity
Find out what hackers and crackers can do and why they do it
Learn about the dangers of online crime, warfare, and terrorism
Investigate how to protect copyrighted materials that are published on the Internet

Objectives
Understand Web client threats and countermeasures
Learn about online communication channel threats and countermeasures
Learn about Web server threats and countermeasures
Find out how to get more information and current updates about online security

Understanding Security Basics: Secrecy, Integrity, and Necessity
Security is broadly defined as the protection of assets from unauthorized access, use, alteration, or destruction
Physical security includes tangible protection devices, such as locks, alarms, fireproof doors, security fences, safes or vaults, and bombproof buildings
Protection of assets using nonphysical means, such as password protection, is called logical security

Understanding Security Basics: Secrecy, Integrity, and Necessity
The use of logical security techniques to protect data stored on computers is sometimes called computer security
Any act or object that endangers an asset is known as a threat
A countermeasure is a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat

Understanding Security Basics: Secrecy, Integrity, and Necessity
Risk management model (figure)

Understanding Security Basics: Secrecy, Integrity, and Necessity
A secrecy threat permits unauthorized data disclosure or undermines the authenticity of the data's source
An integrity threat permits unauthorized data modification
A necessity threat permits data delays (slowing down the transmission of data) or denials (preventing data from getting to its destination)

Understanding Security Basics: Secrecy, Integrity, and Necessity
Encryption is the process of coding information using a mathematical algorithm to produce a string of characters that is unreadable. Some algorithms are a procedure; others use a procedure combined with a key
A key is a fact that the encryption algorithm uses as part of its encryption procedure
The process of using a key to reverse encrypted text is called decryption
Encrypted information is called cipher text, whereas unencrypted information is called plain text

Understanding Security Basics: Secrecy, Integrity, and Necessity
Private-key encryption (also called symmetric encryption) uses a single key that both the sender and receiver know

Understanding Security Basics: Secrecy, Integrity, and Necessity
With public-key encryption (also called asymmetric encryption), a person has a private key that is secret and a public key that is shared with other users
Public-key encryption uses a public key known to everyone and a private or secret key known only to one person involved in the exchange
An algorithm is a formula or set of steps to solve a particular problem

Understanding Security Basics: Secrecy, Integrity, and Necessity
In a man-in-the-middle exploit, the contents of an e-mail are often changed in a way that negates the message's original meaning
The term virus has come to mean any program that attempts to disguise its true function
A Trojan horse is a potentially harmful program hidden inside another program
A variation of a virus is a worm, a self-replicating program that is usually hidden within another file and then sent as an e-mail attachment
Many viruses can send you an e-mail that includes the name of someone you know in the message's From line, a tactic called spoofing
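Added illustration (not from the textbook or its slides) of why secrecy and integrity are separate properties: a message encrypted with a shared private key is unreadable to an intermediary, yet a man-in-the-middle who knows the message layout can still alter its meaning unless the receiver also checks an integrity tag. The XOR keystream cipher is a toy built for this demonstration; the keyed HMAC tag is what actually catches the change.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 over key || counter. For illustration only, not a real cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plain_text: bytes) -> bytes:
    # Symmetric (private-key) encryption: XOR plain text with the keystream.
    return bytes(p ^ k for p, k in zip(plain_text, keystream(key, len(plain_text))))


def decrypt(key: bytes, cipher_text: bytes) -> bytes:
    return encrypt(key, cipher_text)  # XOR is its own inverse


def integrity_tag(key: bytes, cipher_text: bytes) -> bytes:
    # Keyed hash over the cipher text: the integrity countermeasure.
    return hmac.new(key, cipher_text, hashlib.sha256).digest()


def verify_tag(key: bytes, cipher_text: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(integrity_tag(key, cipher_text), tag)


def man_in_the_middle_edit(cipher_text: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    # Simulates the intermediary: it cannot read the text, but if it guesses that bytes
    # `old` sit at `offset`, XORing in (old ^ new) silently turns them into `new`.
    edited = bytearray(cipher_text)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)


def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    message = b"PAY 0100 USD"          # constructed sample message
    cipher_text = integrity_tag and encrypt(enc_key, message)
    tag = integrity_tag(mac_key, cipher_text)
    altered = man_in_the_middle_edit(cipher_text, 4, b"0100", b"9100")
    return {
        "original_ok": verify_tag(mac_key, cipher_text, tag),   # True
        "altered_plain": decrypt(enc_key, altered),             # b"PAY 9100 USD": secrecy held, meaning changed
        "altered_ok": verify_tag(mac_key, altered, tag),        # False: the integrity check catches it
    }
```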

Understanding Security Basics: Secrecy, Integrity, and Necessity
The most common necessity attack, called a packet flooding attack or a denial of service (DoS) attack, occurs when an attacker bombards a server or other computer with so many messages that the network's bandwidth resources are consumed
In a distributed denial of service (DDoS) attack, the perpetrator uses a large number of computers that each launch a DoS attack on one Web server at the same time

Online Crime, Warfare, and Terrorism
A cracker is a technologically skilled person who uses his or her skills to obtain unauthorized entry into computers or networks of computers
Some computer professionals use the terms white hat hacker and black hat hacker to distinguish between those who use their skills for good and those who use their talents to commit illegal acts
Called computer forensics experts or ethical hackers, computer sleuths are hired to probe computers and locate information that can be used in legal proceedings

Online Crime, Warfare, and Terrorism
The nature and degree of personal information that Web sites can record when collecting information about visitors' page viewing habits, product selections, and demographic information can threaten the privacy of those visitors
In recent years, many companies have made headlines because they released or lost control of confidential information about customers, employees, and vendors without the permission of those individuals

Online Crime, Warfare, and Terrorism
If a perpetrator can gather enough information, he or she can steal a person's entire credit record. In this type of crime, called identity theft, the perpetrator can use the victim's personal information to open bank accounts, obtain new credit cards, and buy expensive goods on credit, often damaging the victim's credit rating in addition to racking up charges
A company becomes the victim of a criminal extortionist when a perpetrator threatens to launch DoS attacks against a target unless the target pays a "fee"

Online Crime, Warfare, and Terrorism
Other types of online crime:
– Organized crime or racketeering
– Industrial espionage

Copyright and Intellectual Property Threats and Countermeasures
A digital watermark is a digital pattern containing copyright information that is inserted into a digital image, animation, or audio or video file
Steganography is a process that hides encrypted messages within different types of files

Web Client Security
One of the most dangerous entry points for denial of service threats comes from programs that travel with applications to a browser and execute on the user's computer; such programs are often called active content
ActiveX components are Microsoft's technology for writing small applications that perform some action in Web pages; these components have access to a computer's file system
Internet Explorer maintains a list of known developers and examines the digital certificate on any ActiveX control before it is downloaded to determine if it is a signed ActiveX control

Web Client Security
In most cases, Web sites that use and store cookies do so to enhance your Web browsing experience, and most cookies are safe
A cookie is not a program, and it can only store information that you provide to the Web site that creates it

Web Client Security
A Web bug is a small, hidden graphic on a Web page or in an e-mail message that is designed to work in conjunction with a cookie to obtain information about the person viewing the page or message and to send that information to a third party
Adware is a general category of software that includes advertisements to help pay for the product in which they appear
Spyware works much like adware except that the user has no control over or knowledge of the ads and other monitoring features the ads contain

Web Client Security
A firewall is a software program or hardware device that controls access between two networks

Communication Channel Security
Authentication is a general term for the process of verifying the identity of a person or a Web site
A digital certificate is an encrypted and password-protected file that contains sufficient information to authenticate and prove a person's or organization's identity

Communication Channel Security
Usually, a digital certificate contains the following information:
– The certificate holder's name, address, and e-mail address
– A key that "unlocks" the digital certificate, thereby verifying the certificate's authenticity
– The certificate's expiration date or validity period
– Verification from a trusted third party, called a certificate authority (CA), that authenticates the certificate holder's identity and issues the digital certificate

Communication Channel Security
There are two types of digital certificates. Individuals can purchase one type called a digital ID (also called a personal certificate)
Phishing is difficult to prevent because it involves phony e-mail messages that include links to spoofed Web sites

Web Server Security
A server certificate (sometimes called an SSL Web server certificate) authenticates a Web site so site visitors can be confident that the Web site is genuine and not an impostor

Web Server Security
User identification is the process of identifying yourself to a computer
Most computer systems implement user identification with user names and passwords; the combination of a user name and password is sometimes called a login
To help keep track of their login information for different computers and Web sites, some people use a program called a password manager, which stores login information in an encrypted form on their computers
A brute force attack occurs when a cracker uses a program to enter character combinations until the system accepts a user name and password, thereby gaining access to the system

Web Server Security
User authentication is the process of associating a person and his identification with a very high level of assurance
The combination of user login plus password is called single-factor authentication because it uses one factor
Multifactor authentication relies on more than one factor
Multiple layers of control can be implemented by using more than one authentication method
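Added example (not from the textbook or its slides) of the two slides above: a server-side login that stores passwords as salted, slow PBKDF2 hashes (so each brute force guess costs real work) and then requires a second factor, a time-based one-time code computed as in RFC 6238, so that a correct password alone does not authenticate. The round count, the sample password and the shared secret are constructed for this demonstration.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000   # constructed; slow hashing raises the per-guess cost of a brute force attack
TOTP_STEP = 30            # seconds per one-time-code period


def make_password_record(password: str) -> dict:
    # Factor 1 (something you know): never store the password, only a salted slow hash.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time comparison


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    # Factor 2 (something you have): RFC 6238 code, HMAC-SHA1 over the current time step.
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def check_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    # Accept the adjacent time steps so small clock drift on the user's device is tolerated.
    candidates = (totp(secret, timestamp + d * TOTP_STEP) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def authenticate(record: dict, secret: bytes, password: str, code: str, timestamp: int) -> bool:
    # Multifactor: both checks must pass. A leaked or brute-forced password is not enough.
    return check_password(record, password) and check_totp(secret, code, timestamp)


if __name__ == "__main__":
    record = make_password_record("correct horse")          # constructed sample password
    secret = b"12345678901234567890"                        # RFC 6238 test-vector secret
    print(totp(secret, 59))                                 # 287082 (RFC 6238 vector, 6 digits)
    print(authenticate(record, secret, "correct horse", totp(secret, 59), 59))   # True
    print(authenticate(record, secret, "correct horse", "000000", 59))          # False
```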

Web Server Security
The Secure Sockets Layer (SSL) was the first widely used protocol for establishing secure, encrypted connections between Web browsers and Web servers on the Internet

Staying Current with Internet and Web Security
The CERT Coordination Center is a federally funded research center operated by the Software Engineering Institute at Carnegie Mellon University
The primary goal of the CERT Coordination Center is to publish alerts, advisories, and vulnerability reports about current and future Internet security problems it detects and to coordinate communication between software experts

Summary
The basics of security: secrecy, integrity, and necessity
What hackers and crackers can do and why they do it
The dangers of online crime, warfare, and terrorism
How to protect copyrighted materials that are published on the Internet
Web client threats and countermeasures
Online communication channel threats and countermeasures
Web server threats and countermeasures
How to get more information and updates about online security