Security Awareness: Applying Practical Security in Your World Chapter 4: Chapter 4: Internet Security

Security Awareness: Applying Practical Security in Your World 2 Objectives List the risks associated with using the World Wide Web, and describe the preventive measures that can be used to minimize Web attacks. List the vulnerabilities associated with using e- mail, and explain procedures and technologies that can be used to protect .

Security Awareness: Applying Practical Security in Your World 3 Internet Security The Internet has changed the way we live and work in a very short amount of time. There is a dark side to the Internet; it has opened the door to attacks on any computer connected to it. There are methods to minimize the risks of using the Internet and .

Security Awareness: Applying Practical Security in Your World 4 The World Wide Web Internet  Worldwide interconnection of computers World Wide Web (WWW)  Internet server computers that provide online information in a specified format Hypertext Markup Language (HTML)  Specifies how a browser should display elements on a user’s screen (See Figure 4-1) Hypertext Transport Protocol (HTTP)  Set of standards that Web servers use to distribute HTML documents (See Figure 4-2)

Security Awareness: Applying Practical Security in Your World 5 The World Wide Web (continued)

Security Awareness: Applying Practical Security in Your World 6 The World Wide Web (continued)

Security Awareness: Applying Practical Security in Your World 7 Repurposed Programming Repurposed programming  Using programming tools in harmful ways other than what they were originally intended to do Static content  Information that does not change Dynamic content  Content that can change Tools that can be used for repurposed programming: JavaScript Java Applets ActiveX Controls

Security Awareness: Applying Practical Security in Your World 8 Web Attacks Web attack  An attack launched against a computer through the Web Broadband connections  A type of Internet connection that allows users to connect at much faster speeds than older dial-up technologies Result: More attacks against home computers Three categories of attacks: Repurposed programming Snooping Redirected Web traffic

Security Awareness: Applying Practical Security in Your World 9 JavaScript JavaScript  Special program code embedded in an HTML document Web site using JavaScript accessed  HTML document downloaded  JavaScript code executed by the browser (See Figure 4-3) Some browsers have security weaknesses

Security Awareness: Applying Practical Security in Your World 10 JavaScript (continued)

Security Awareness: Applying Practical Security in Your World 11 Java Applet Java applet  A program downloaded from the Web server separately from the HTML document Stored on the Web server and downloaded along with the HTML code when the page is accessed (See Figure 4-4) Processes user’s requests on the local computer rather than transmitting back to the Web server

Security Awareness: Applying Practical Security in Your World 12 Java Applet (continued) “Security sandbox” Unsigned Java applets  Untrusted source (See Figure 4-5) Signed Java applets  Digital signature proving trusted source

Security Awareness: Applying Practical Security in Your World 13 Java Applet (continued)

Security Awareness: Applying Practical Security in Your World 14 Java Applet (continued)

Security Awareness: Applying Practical Security in Your World 15 ActiveX Controls ActiveX controls  An advanced technology that allows software components to interact with different applications Two risks: Macros ActiveX security relies on human judgment Digital signatures Users may routinely grant permission for any ActiveX program to run

Security Awareness: Applying Practical Security in Your World 16 Snooping One of dynamic contents strengths is its ability to receive input from the user and perform actions based on it (See Figure 4-6) Providing information to a Web site carries risk Internet transmissions are not normally encrypted Information entered can be viewed by unauthorized users Types of snooping: Spyware Misusing Cookies

Security Awareness: Applying Practical Security in Your World 17 Snooping (continued)

Security Awareness: Applying Practical Security in Your World 18 Snooping (Continued) Cookies  A computer file that contains user- specific information Stores information given to a Web site and reuses it Can pose a security risk Hackers target cookies to retrieve sensitive information Cookies can be used to determine what Web pages you are viewing Some personal information is left on Web sites by the browser Makes tracking Internet usage easier

Security Awareness: Applying Practical Security in Your World 19 Redirecting Web Traffic Mistakes can be made when typing an address into a browser Usually mistakes result in error messages (See Figure 4-7) Hackers can exploit misaddressed Web names to steal information using social engineering Two approaches: Phishing Registering similar-sounding domain names

Security Awareness: Applying Practical Security in Your World 20 Redirecting Web Traffic (continued)

Security Awareness: Applying Practical Security in Your World 21 Web Security Through Browser Settings Web browser security and privacy settings can be customized Internet Options General Security Privacy Content Advanced Tab

Security Awareness: Applying Practical Security in Your World 22 Web Security Through Browser Settings (continued) Figure 4-9 Security Settings on the Advanced Tab

Security Awareness: Applying Practical Security in Your World 23 Web Security Through Browser Settings (continued) Alert the User to the Type of Transaction Warn if changing between secure and not secure mode

Security Awareness: Applying Practical Security in Your World 24 Web Security Through Browser Settings (continued) Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS)  Encrypts and decrypts the data sent

Security Awareness: Applying Practical Security in Your World 25 Web Security Through Browser Settings (continued) Know What’s Happening with the Cache Do not save encrypted pages to disk Empty Temporary Internet Files when browser is closed Cache  Temporary storage area on the hard disk

Security Awareness: Applying Practical Security in Your World 26 Web Security Through Browser Settings (continued) Know the Options on the General Tab Temporary Internet files Delete Cookies Delete Files History

Security Awareness: Applying Practical Security in Your World 27 Web Security Through Browser Settings (continued) Security Zones and the Security Tab Predefined security zones: Internet Local Intranet Trusted sites Restricted sites

Security Awareness: Applying Practical Security in Your World 28 Web Security Through Browser Settings (continued) Security Zones and the Security Tab Security levels can be customized by clicking the Custom Level button to display the Security Settings page

Security Awareness: Applying Practical Security in Your World 29 Web Security Through Browser Settings (continued) Using the Privacy tab Divided into two parts: Privacy level settings Cookie handling: First-party Third-party

Security Awareness: Applying Practical Security in Your World 30 Web Security Through Browser Settings (continued) Placing Restrictions on the Content Page Control type of content the browser will display Content Advisor Certificates Publishers

Security Awareness: Applying Practical Security in Your World 31 Web Security Through Appropriate Procedures Do not accept any unsigned Java applets unless you are sure of the source Disable or restrict macros from opening or running automatically Disable ActiveX and JavaScript. Install anti-spyware and antivirus software and keep it updated

Security Awareness: Applying Practical Security in Your World 32 Web Security Procedures (continued) Regularly install any critical operating system updates. Block all cookies Never respond to an that asks you to click on a link to verify your personal information. Check spelling to be sure you are viewing the real site.

Security Awareness: Applying Practical Security in Your World 33 Web Security Procedures (continued) Turn on all security settings under the Advanced tab. Keep your cache clear of temporary files and cookies. Use the security zones feature.

Security Awareness: Applying Practical Security in Your World 34 is a double-edged sword Essential for business and personal communications Primary vehicle for malicious code

Security Awareness: Applying Practical Security in Your World 35 Vulnerabilities of Three major areas: Attachments Spam Spoofing

Security Awareness: Applying Practical Security in Your World 36 Vulnerabilities of (continued) Attachments  Documents, spreadsheets, photographs and anything else added to an message Can open the door for viruses and worms to infect a system Malicious code can execute when the attachment is opened Code can then forward itself and continue to spread

Security Awareness: Applying Practical Security in Your World 37 Vulnerabilities of (continued) Spam  Unsolicited messages Usually regarded as just a nuisance, but can contain malicious code To cut down on spam: Never reply to spam that says “Click here to unsubscribe” Set up an account to use when filling out Web forms Do not purchase items advertised through spam Ask your ISP or network manager to install spam- filtering hardware or software

Security Awareness: Applying Practical Security in Your World 38 Vulnerabilities of (continued) Spoofing  A message falsely identifying the sender as someone else Sender’s address appears to be legitimate, so the recipient trusts the source and does what is asked

Security Awareness: Applying Practical Security in Your World 39 Solutions Technology-based solutions Antivirus software installed and regularly updated filters File extension filters Junk option Figure 4-17  Separate filtering software working in conjunction with the software

Security Awareness: Applying Practical Security in Your World 40 Solutions (continued) Procedure-Based Solutions Remember that is the number one method for infecting computers and treat it cautiously Approach messages from unknown senders with caution Never automatically open an attachment Do not use preview mode in your software Never answer requests for personal information

Security Awareness: Applying Practical Security in Your World 41 Summary Computers connected to the Internet are vulnerable to a long list of attacks, in addition to viruses, worms and other malicious code. Categories of attack are: Repurposed programming JavaScript Java applets ActiveX controls Snooping Redirected Web traffic

Security Awareness: Applying Practical Security in Your World 42 Summary (continued) Defending against Web attacks is a two-fold process: Configuration of browser software Customized privacy and security settings Proper procedures to minimize risk Many attacks are based on social engineering

Security Awareness: Applying Practical Security in Your World 43 Summary (continued) is a crucial business and personal tool, but is also a primary means of infection by viruses, worms, and other malicious code. Attachments Spam Spoofing

Security Awareness: Applying Practical Security in Your World 44 Summary (continued) security solutions can be broken into two categories: Technology-based Antivirus software Filters for attachments and spam Procedure-based Remember the risks and consistently follow “safe” procedures