Security Awareness
Chapter 3: Internet Security
OBJECTIVES
After completing this chapter, you should be able to do the following:
Explain how the World Wide Web and e-mail work
List the different types of Internet attacks
Explain the defenses used to repel Internet attacks
SECURITY AWARENESS, 3RD EDITION
HOW THE INTERNET WORKS
Internet
Worldwide set of interconnected computers, servers, and networks
Not owned or regulated by any organization or government entity
Computers loosely cooperate to make the Internet a global information resource
THE WORLD WIDE WEB
World Wide Web (WWW)
Better known as the Web
Internet server computers that provide online information in a specific format
Hypertext Markup Language (HTML)
Allows Web authors to combine text, graphic images, audio, video, and hyperlinks
Web browser
Displays the words, pictures, and other elements on a user’s screen
THE WORLD WIDE WEB (CONT’D.)
Figure 3-1 How a browser displays HTML code
Course Technology/Cengage Learning
THE WORLD WIDE WEB (CONT’D.)
Hypertext Transport Protocol (HTTP)
Standards or protocols used by Web servers to distribute HTML documents
Transmission Control Protocol/Internet Protocol (TCP/IP)
Port number
Identifies the program or service that is being requested
Port 80: Standard port for HTTP transmissions
THE WORLD WIDE WEB (CONT’D.)
Transfer-and-store process
Entire document is transferred and then stored on the local computer before the browser displays it
Creates opportunities for sending different types of malicious code to the user’s computer
THE WORLD WIDE WEB (CONT’D.)
Figure 3-2 HTML document sent to browser
E-MAIL
Number of e-mail messages sent each day is estimated to be over 210 billion
More than 2 million every second
Simple Mail Transfer Protocol (SMTP)
Handles outgoing mail
Post Office Protocol (POP or POP3)
Responsible for incoming mail
Example of how e-mail works
E-MAIL (CONT’D.)
Figure 3-3 E-mail transport
E-MAIL (CONT’D.)
IMAP (Internet Mail Access Protocol, or IMAP4)
More advanced mail protocol
E-mail attachments
Documents that are connected to an e-mail message
Encoded in a special format
Sent as a single transmission along with the e-mail message itself
INTERNET ATTACKS
Variety of different attacks
Downloaded browser code
Privacy attacks
Attacks initiated while surfing to Web sites
Attacks through e-mail
DOWNLOADED BROWSER CODE
JavaScript
Scripting language: similar to a computer programming language that is typically “interpreted” into a language the computer can understand
Embedded in HTML document
Executed by browser
Defense mechanisms are intended to prevent JavaScript programs from causing serious harm
Can capture and send user information without the user’s knowledge or authorization
DOWNLOADED BROWSER CODE (CONT’D.)
Figure 3-4 JavaScript
DOWNLOADED BROWSER CODE (CONT’D.)
Java
Complete programming language
Java applet
Can perform interactive animations, immediate calculations, or other simple tasks very quickly
Sandbox
Unsigned or signed
DOWNLOADED BROWSER CODE (CONT’D.)
Figure 3-5 Java applet
DOWNLOADED BROWSER CODE (CONT’D.)
ActiveX
Set of rules for how applications under the Windows operating system should share information
Do not run in a sandbox
Microsoft developed a registration system
Poses a number of security concerns
Not all ActiveX programs run in browser
PRIVACY ATTACKS
Cookies
User-specific information file created by server
Stored on local computer
First-party cookie
Third-party cookie
Cannot contain a virus or steal personal information stored on a hard drive
Can pose a privacy risk
PRIVACY ATTACKS (CONT’D.)
Adware
Software that delivers advertising content
Unexpected and unwanted by the user
Can be a privacy risk: tracking function
Popup
Small Web browser window
Appears over the Web site that is being viewed
ATTACKS WHILE SURFING
Attacks on users can occur while pointing the browser to a site or just viewing a site
Redirecting Web traffic
Mistake when typing Web address
Attackers can exploit a misaddressed Web name by registering the names of similar-sounding Web sites
ATTACKS WHILE SURFING (CONT’D.)
Table 3-1 Typical errors in entering Web addresses
ATTACKS WHILE SURFING (CONT’D.)
Drive-by downloads
Can be initiated by simply visiting a Web site
Spreading at an alarming pace
Attackers identify a well-known Web site
Inject malicious content
Zero-pixel IFrame: virtually invisible to the naked eye
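Added example (not from the textbook): a defender-side check that scans a page's HTML for IFrames sized at zero or one pixel, the injected content described above. It goes slightly beyond the slide by also flagging frames hidden with CSS; the names HiddenFrameFinder and find_hidden_iframes and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

def to_px(value):
    """Parse '0', '0px' or '1.5px' into a float; None if absent or not a pixel length."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", value or "")
    return float(m.group(1)) if m else None

class HiddenFrameFinder(HTMLParser):
    """Collects <iframe> tags that render at zero (or near-zero) size."""
    def __init__(self, max_px):
        super().__init__()
        self.max_px = max_px
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: v or "" for k, v in attrs}
        css = {}  # inline style declarations, which override width=/height=
        for decl in attr.get("style", "").split(";"):
            if ":" in decl:
                name, val = decl.split(":", 1)
                css[name.strip().lower()] = val.strip().lower()
        reasons = []
        for dim in ("width", "height"):
            px = to_px(css.get(dim, attr.get(dim)))
            if px is not None and px <= self.max_px:
                reasons.append(f"{dim}={px:g}px")
        if css.get("display") == "none" or css.get("visibility") == "hidden":
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((attr.get("src", ""), reasons))

def find_hidden_iframes(html, max_px=1):
    finder = HiddenFrameFinder(max_px)
    finder.feed(html)
    return finder.findings

# Constructed sample page: one ordinary embed and two injected-style frames.
SAMPLE_PAGE = """<html><body><h1>Local news</h1>
<iframe src="https://video.example.com/embed/42" width="560" height="315"></iframe>
<iframe src="https://injected.example.net/a" width="0" height="0"></iframe>
<iframe src="https://injected.example.net/b" style="width:1px; height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_hidden_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```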
E-MAIL ATTACKS
Spam
Unsolicited e-mail
90 percent of all e-mails sent can be defined as spam
Lucrative business
Spam filters
Look for specific words and block the e-mail
Image spam
Uses graphical images of text in order to circumvent text-based filters
E-MAIL ATTACKS (CONT’D.)
Other techniques to circumvent spam filters
GIF layering
Word splitting
Geometric variance
Malicious attachments
E-mail-distributed viruses
Replicate by sending themselves in an e-mail message to all of the contacts in an e-mail address book
E-MAIL ATTACKS (CONT’D.)
Embedded hyperlinks
Clicking on the link will open the Web browser and take the user to a specific Web site
Tricks users into visiting the attacker’s “look-alike” Web site
Figure 3-12 Embedded hyperlink
INTERNET DEFENSES
Several types
Security application programs
Configuring browser settings
Using general good practices
DEFENSES THROUGH APPLICATIONS
Popup blocker
Separate program or a feature incorporated within a browser
Users can select the level of blocking
Spam filter
Can be implemented on the user’s local computer and at corporate or Internet Service Provider level
DEFENSES THROUGH APPLICATIONS (CONT’D.)
Spam filter (cont’d.)
E-mail client spam blocking features
Level of spam e-mail protection
Blocked senders (blacklist)
Allowed senders (whitelist)
Blocked top level domain list
Bayesian filtering
User divides e-mail messages into spam or not-spam
Assigns each word a probability of being spam
Corporate spam filter
Works with the receiving e-mail server
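Added example (not from the textbook): a small Bayesian filter that learns from messages a user has sorted into spam and not-spam, assigns each word a spam probability, and combines those into a score for a new message. The class, the add-one smoothing, the equal-prior assumption and the training messages are all constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text):
    """Distinct lower-case words in a message."""
    return set(re.findall(r"[a-z']+", text.lower()))

class BayesianFilter:
    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        """Record one message the user has filed as spam or not-spam."""
        if is_spam:
            self.spam_words.update(tokens(text))
            self.n_spam += 1
        else:
            self.ham_words.update(tokens(text))
            self.n_ham += 1

    def word_probability(self, word):
        """Probability that a message containing `word` is spam (add-one smoothing)."""
        in_spam = (self.spam_words[word] + 1) / (self.n_spam + 2)
        in_ham = (self.ham_words[word] + 1) / (self.n_ham + 2)
        return in_spam / (in_spam + in_ham)

    def spam_probability(self, text):
        """Combine per-word probabilities as summed log-odds (naive Bayes, equal priors)."""
        log_odds = 0.0
        for word in tokens(text):
            p = self.word_probability(word)
            log_odds += math.log(p / (1 - p))
        return 1 / (1 + math.exp(-log_odds))

# Constructed training mail, as a user might have sorted it.
SPAM = ["cheap pills buy now", "win money now claim prize",
        "buy cheap watches now", "claim your free prize money"]
HAM = ["meeting agenda for monday", "please review the project report",
       "lunch on monday at noon", "project budget report attached"]

def trained_filter():
    f = BayesianFilter()
    for message in SPAM:
        f.train(message, True)
    for message in HAM:
        f.train(message, False)
    return f

if __name__ == "__main__":
    f = trained_filter()
    for msg in ("claim your prize now", "project report for monday", "c l a i m p r i z e"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

The last message, split into single letters, scores a neutral 0.5 because none of its tokens were seen in training, which is why word splitting gets past word-based filters.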
DEFENSES THROUGH APPLICATIONS (CONT’D.)
Figure 3-16 Spam filter on SMTP server
DEFENSES THROUGH APPLICATIONS (CONT’D.)
E-mail security settings
Configured through the e-mail client application
Read messages using a reading pane
Block external content
Preview attachments
Use an e-mail postmark
DEFENSES THROUGH BROWSER SETTINGS
Browsers allow the user to customize security and privacy settings
IE Web browser defense categories:
Advanced security settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Warn if changing between secure and not secure mode
DEFENSES THROUGH BROWSER SETTINGS (CONT’D.)
IE Web browser defense categories (cont’d.):
Security zones
Set customized security for these zones
Assign specific Web sites to a zone
Restricting cookies
Use privacy levels in IE
DEFENSES THROUGH BROWSER SETTINGS (CONT’D.)
Table 3-3 IE Web security zones
E-MAIL DEFENSES THROUGH GOOD PRACTICES
Use common-sense procedures to protect against harmful e-mail
Never click an embedded hyperlink in an e-mail
Be aware that e-mail is a common method for infecting computers
Never automatically open an unexpected attachment
Use reading panes and preview attachments
Never answer an e-mail request for personal information
INTERNET DEFENSE SUMMARY
Table 3-4 Internet defense summary
SUMMARY
Internet composition
Web servers
Web browsers
Internet technologies
HTML
JavaScript
Java
ActiveX
SUMMARY (CONT’D.)
Privacy risk
Cookies
Adware
Security risk
Mistyped Web address
Drive-by downloads
E-mail security
Spam
Attachments
Security applications