
Upload: miranda-gregory

Post on 12-Jan-2016


Page 1: Security Awareness: Applying Practical Security in Your World

Chapter 4: Internet Security

Page 2: Objectives

- List the risks associated with using the World Wide Web, and describe the preventive measures that can be used to minimize Web attacks.
- List the vulnerabilities associated with using e-mail, and explain procedures and technologies that can be used to protect e-mail.

Page 3: Internet Security

- The Internet has changed the way we live and work in a very short amount of time.
- There is a dark side to the Internet: it has opened the door to attacks on any computer connected to it.
- There are methods to minimize the risks of using the Internet and e-mail.

Page 4: The World Wide Web

- Internet: worldwide interconnection of computers
- World Wide Web (WWW): Internet server computers that provide online information in a specified format
- Hypertext Markup Language (HTML): specifies how a browser should display elements on a user’s screen (see Figure 4-1)
- Hypertext Transport Protocol (HTTP): set of standards that Web servers use to distribute HTML documents (see Figure 4-2)

Page 5: The World Wide Web (continued)

Page 6: The World Wide Web (continued)

Page 7: Repurposed Programming

- Repurposed programming: using programming tools in harmful ways other than what they were originally intended to do
- Static content: information that does not change
- Dynamic content: content that can change
- Tools that can be used for repurposed programming:
  - JavaScript
  - Java applets
  - ActiveX controls

Page 8: Web Attacks

- Web attack: an attack launched against a computer through the Web
- Broadband connections: a type of Internet connection that allows users to connect at much faster speeds than older dial-up technologies
  - Result: more attacks against home computers
- Three categories of attacks:
  - Repurposed programming
  - Snooping
  - Redirected Web traffic

Page 9: JavaScript

- JavaScript: special program code embedded in an HTML document
- When a Web site using JavaScript is accessed, the HTML document is downloaded and the JavaScript code is executed by the browser (see Figure 4-3)
- Some browsers have security weaknesses

Page 10: JavaScript (continued)

Page 11: Java Applet

- Java applet: a program downloaded from the Web server separately from the HTML document
  - Stored on the Web server and downloaded along with the HTML code when the page is accessed (see Figure 4-4)
  - Processes the user’s requests on the local computer rather than transmitting them back to the Web server

Page 12: Java Applet (continued)

- “Security sandbox”
- Unsigned Java applets: untrusted source (see Figure 4-5)
- Signed Java applets: digital signature proving a trusted source

Page 13: Java Applet (continued)

Page 14: Java Applet (continued)

Page 15: ActiveX Controls

- ActiveX controls: an advanced technology that allows software components to interact with different applications
- Two risks:
  - Macros
    - ActiveX security relies on human judgment
  - Digital signatures
    - Users may routinely grant permission for any ActiveX program to run

Page 16: Snooping

- One of dynamic content’s strengths is its ability to receive input from the user and perform actions based on it (see Figure 4-6)
- Providing information to a Web site carries risk
  - Internet transmissions are not normally encrypted
  - Information entered can be viewed by unauthorized users
- Types of snooping:
  - Spyware
  - Misusing cookies

Page 17: Snooping (continued)

Page 18: Snooping (continued)

- Cookies: a computer file that contains user-specific information
  - Stores information given to a Web site and reuses it
  - Can pose a security risk
- Hackers target cookies to retrieve sensitive information
- Cookies can be used to determine what Web pages you are viewing
- Some personal information is left on Web sites by the browser
  - Makes tracking Internet usage easier

Page 19: Redirecting Web Traffic

- Mistakes can be made when typing an address into a browser
  - Usually mistakes result in error messages (see Figure 4-7)
- Hackers can exploit misaddressed Web names to steal information using social engineering
- Two approaches:
  - Phishing
  - Registering similar-sounding domain names
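The defensive side of the "similar-sounding domain names" point, as an added example that is not part of the original slides: a check a proxy, mail gateway or browser extension could run that flags a host name which is a near miss of a domain the user actually trusts. The trusted list, the edit-distance threshold and the look-alike folding rules ('rn' for 'm', '0' for 'o', '1' for 'l') are constructed here for the demonstration.

```python
from typing import List, Optional, Tuple

# Constructed list of domains the user actually trusts (stand-in for a real allow list).
TRUSTED_DOMAINS = ["example.com", "examplebank.com", "mail.example.org"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca with cb
        prev = cur
    return prev[-1]


def fold_lookalikes(host: str) -> str:
    """Collapse characters that read alike on screen ('rn' vs 'm', '0' vs 'o', '1' vs 'l')."""
    return host.lower().replace("rn", "m").translate(str.maketrans("01", "ol"))


def check_host(host: str, trusted: List[str] = TRUSTED_DOMAINS,
               max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Classify a host name the user is about to visit.

    Returns ("trusted", domain) for an exact match, ("lookalike", domain) when the
    name is within max_distance edits of a trusted domain after folding look-alike
    characters, and ("unknown", None) otherwise.
    """
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted", host
    best: Optional[Tuple[int, str]] = None
    for domain in trusted:
        dist = edit_distance(fold_lookalikes(host), fold_lookalikes(domain))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, domain)
    return ("lookalike", best[1]) if best else ("unknown", None)
```

A "lookalike" result is the case the slide warns about: the name is close enough to a trusted site that a reader skimming the address bar would not notice the difference, so it deserves a warning rather than a silent connection.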

Page 20: Redirecting Web Traffic (continued)

Page 21: Web Security Through Browser Settings

- Web browser security and privacy settings can be customized
- Internet Options:
  - General
  - Security
  - Privacy
  - Content
  - Advanced tab

Page 22: Web Security Through Browser Settings (continued)

Figure 4-9 Security Settings on the Advanced Tab

Page 23: Web Security Through Browser Settings (continued)

- Alert the user to the type of transaction
  - Warn if changing between secure and not secure mode

Page 24: Web Security Through Browser Settings (continued)

- Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS): encrypts and decrypts the data sent

Page 25: Web Security Through Browser Settings (continued)

- Know what’s happening with the cache
  - Do not save encrypted pages to disk
  - Empty Temporary Internet Files when the browser is closed
- Cache: temporary storage area on the hard disk

Page 26: Web Security Through Browser Settings (continued)

- Know the options on the General tab
  - Temporary Internet files
    - Delete Cookies
    - Delete Files
  - History

Page 27: Web Security Through Browser Settings (continued)

- Security zones and the Security tab
- Predefined security zones:
  - Internet
  - Local intranet
  - Trusted sites
  - Restricted sites

Page 28: Web Security Through Browser Settings (continued)

- Security zones and the Security tab
  - Security levels can be customized by clicking the Custom Level button to display the Security Settings page

Page 29: Web Security Through Browser Settings (continued)

- Using the Privacy tab
- Divided into two parts:
  - Privacy level settings
  - Cookie handling:
    - First-party
    - Third-party
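What the first-party/third-party distinction on the Privacy tab actually decides, as an added example that is not from the original slides: a cookie is first-party when it belongs to the site shown in the address bar and third-party when it is set for some other site embedded in the page. The code below reduces a host to its registrable domain with a constructed two-entry stand-in for the Public Suffix List (a real browser consults the full list), reads the Domain attribute of a Set-Cookie header, and applies a "block third-party" policy; the URLs, hosts and header values are constructed.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List: suffixes under which the
# registrable name is three labels long (example.co.uk) instead of two.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """'shop.example.co.uk' -> 'example.co.uk'; 'cdn.example.com' -> 'example.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def cookie_domain(set_cookie: str, response_host: str) -> str:
    """Domain a Set-Cookie header applies to: its Domain attribute, else the host that sent it."""
    for attr in set_cookie.split(";")[1:]:          # [0] is the name=value pair itself
        key, _, value = attr.strip().partition("=")
        if key.lower() == "domain" and value:
            return value.strip().lstrip(".").lower()
    return response_host.lower()


def classify(page_url: str, set_cookie: str, response_host: str) -> str:
    """'first-party' when the cookie belongs to the site shown in the address bar."""
    page_site = registrable_domain(urlsplit(page_url).hostname or "")
    cookie_site = registrable_domain(cookie_domain(set_cookie, response_host))
    return "first-party" if cookie_site == page_site else "third-party"


def decide(page_url: str, set_cookie: str, response_host: str,
           block_third_party: bool = True) -> Tuple[str, str]:
    """Apply a Privacy-tab style policy: accept first-party cookies, block third-party ones when asked."""
    party = classify(page_url, set_cookie, response_host)
    action = "block" if party == "third-party" and block_third_party else "accept"
    return party, action
```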

Page 30: Web Security Through Browser Settings (continued)

- Placing restrictions on the Content page
  - Control the type of content the browser will display
- Content Advisor
- Certificates
- Publishers

Page 31: Web Security Through Appropriate Procedures

- Do not accept any unsigned Java applets unless you are sure of the source
- Disable or restrict macros from opening or running automatically
- Disable ActiveX and JavaScript
- Install anti-spyware and antivirus software and keep it updated

Page 32: Web Security Procedures (continued)

- Regularly install any critical operating system updates
- Block all cookies
- Never respond to an e-mail that asks you to click on a link to verify your personal information
- Check spelling to be sure you are viewing the real site

Page 33: Web Security Procedures (continued)

- Turn on all security settings under the Advanced tab
- Keep your cache clear of temporary files and cookies
- Use the security zones feature

Page 34: E-Mail

- E-mail is a double-edged sword
  - Essential for business and personal communications
  - Primary vehicle for malicious code

Page 35: Vulnerabilities of E-Mail

- Three major areas:
  - Attachments
  - Spam
  - Spoofing

Page 36: Vulnerabilities of E-Mail (continued)

- Attachments: documents, spreadsheets, photographs and anything else added to an e-mail message
  - Can open the door for viruses and worms to infect a system
  - Malicious code can execute when the attachment is opened
  - Code can then forward itself and continue to spread

Page 37: Vulnerabilities of E-Mail (continued)

- Spam: unsolicited e-mail messages
  - Usually regarded as just a nuisance, but can contain malicious code
- To cut down on spam:
  - Never reply to spam that says “Click here to unsubscribe”
  - Set up an e-mail account to use when filling out Web forms
  - Do not purchase items advertised through spam
  - Ask your ISP or network manager to install spam-filtering hardware or software

Page 38: Vulnerabilities of E-Mail (continued)

- E-mail spoofing: a message falsely identifying the sender as someone else
  - The sender’s address appears to be legitimate, so the recipient trusts the source and does what is asked

Page 39: Solutions

- Technology-based solutions
  - Antivirus software installed and regularly updated
  - E-mail filters
    - File extension filters
    - Junk e-mail option (Figure 4-17)
    - Separate filtering software working in conjunction with the e-mail software
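The two filter ideas the slides name, a file extension filter for attachments (this slide) and a check against the spoofed-sender problem from the previous slide, as one added example that is not from the original slides. The sample message, the blocked-extension set and the "quarantine" rule are constructed for the demonstration; note that a From header by itself cannot be verified this way, so the sender check only flags the cheap signal of a Reply-To pointing at a different domain than the displayed sender.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample message: a "helpdesk" notice whose Reply-To points at a
# different domain than the displayed sender and which carries a double-extension attachment.
RAW_MESSAGE = b"""\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: <helpdesk@reset-example.net>
To: user@example.com
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Please open the attached form.
--sep
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="form.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--sep--
"""

# File types the filter refuses outright (directly executable or script content).
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "msi"}


def attachment_verdict(filename):
    """Return (verdict, reason); verdict is 'block', 'review' or 'allow'."""
    name = filename.strip().rstrip(". ").lower()   # 'form.exe.' or 'form.exe ' is still an .exe
    exts = name.split(".")[1:]
    if not exts:
        return "review", "no file extension"
    if exts[-1] in BLOCKED_EXTENSIONS:             # the last extension decides what runs
        return "block", "blocked type ." + exts[-1]
    if len(exts) > 1:
        return "review", "multiple extensions " + ".".join(exts)
    return "allow", "allowed"


def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the one shown in From."""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    return bool(reply_domain) and reply_domain != from_domain


def triage(raw_bytes):
    """Parse one message and collect the findings a filter would act on."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {"reply_to_mismatch": reply_to_mismatch(msg), "attachments": {}}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings["attachments"][name] = attachment_verdict(name)
    findings["quarantine"] = findings["reply_to_mismatch"] or any(
        verdict == "block" for verdict, _ in findings["attachments"].values())
    return findings
```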

Page 40: Solutions (continued)

- Procedure-based solutions
  - Remember that e-mail is the number one method for infecting computers and treat it cautiously
  - Approach e-mail messages from unknown senders with caution
  - Never automatically open an attachment
  - Do not use preview mode in your e-mail software
  - Never answer e-mail requests for personal information

Page 41: Summary

- Computers connected to the Internet are vulnerable to a long list of attacks, in addition to viruses, worms and other malicious code.
- Categories of attack are:
  - Repurposed programming (JavaScript, Java applets, ActiveX controls)
  - Snooping
  - Redirected Web traffic

Page 42: Summary (continued)

- Defending against Web attacks is a two-fold process:
  - Configuration of browser software (customized privacy and security settings)
  - Proper procedures to minimize risk
- Many attacks are based on social engineering

Page 43: Summary (continued)

- E-mail is a crucial business and personal tool, but is also a primary means of infection by viruses, worms, and other malicious code:
  - Attachments
  - Spam
  - Spoofing

Page 44: Summary (continued)

- E-mail security solutions can be broken into two categories:
  - Technology-based: antivirus software; filters for attachments and spam
  - Procedure-based: remember the risks and consistently follow “safe” procedures