Security Awareness: Applying Practical Security in Your World
Chapter 4: Internet Security
Security Awareness: Applying Practical Security in Your World 2
Objectives
List the risks associated with using the World Wide Web, and describe the preventive measures that can be used to minimize Web attacks.
List the vulnerabilities associated with using e-mail, and explain procedures and technologies that can be used to protect e-mail.
Internet Security
  The Internet has changed the way we live and work in a very short amount of time.
  There is a dark side to the Internet: it has opened the door to attacks on any computer connected to it. There are methods to minimize the risks of using the Internet and e-mail.
The World Wide Web
  Internet: Worldwide interconnection of computers
  World Wide Web (WWW): Internet server computers that provide online information in a specified format
  Hypertext Markup Language (HTML): Specifies how a browser should display elements on a user’s screen (See Figure 4-1)
  Hypertext Transport Protocol (HTTP): Set of standards that Web servers use to distribute HTML documents (See Figure 4-2)
The World Wide Web (continued)
Repurposed Programming
  Repurposed programming: Using programming tools in harmful ways other than what they were originally intended to do
  Static content: Information that does not change
  Dynamic content: Content that can change
  Tools that can be used for repurposed programming:
    JavaScript
    Java applets
    ActiveX controls
Web Attacks
  Web attack: An attack launched against a computer through the Web
  Broadband connections: A type of Internet connection that allows users to connect at much faster speeds than older dial-up technologies
    Result: More attacks against home computers
  Three categories of attacks:
    Repurposed programming
    Snooping
    Redirected Web traffic
JavaScript
  JavaScript: Special program code embedded in an HTML document
  When a Web site using JavaScript is accessed, the HTML document is downloaded and the JavaScript code is executed by the browser (See Figure 4-3)
  Some browsers have security weaknesses
Java Applet
  Java applet: A program downloaded from the Web server separately from the HTML document
    Stored on the Web server and downloaded along with the HTML code when the page is accessed (See Figure 4-4)
    Processes the user’s requests on the local computer rather than transmitting them back to the Web server
  “Security sandbox”
    Unsigned Java applets: Untrusted source (See Figure 4-5)
    Signed Java applets: Digital signature proving a trusted source
ActiveX Controls
  ActiveX controls: An advanced technology that allows software components to interact with different applications
  Two risks:
    Macros: ActiveX security relies on human judgment
    Digital signatures: Users may routinely grant permission for any ActiveX program to run
Snooping
  One of dynamic content’s strengths is its ability to receive input from the user and perform actions based on it (See Figure 4-6)
  Providing information to a Web site carries risk:
    Internet transmissions are not normally encrypted
    Information entered can be viewed by unauthorized users
  Types of snooping:
    Spyware
    Misusing cookies
Snooping (continued)
  Cookies: A computer file that contains user-specific information
    Stores information given to a Web site and reuses it
    Can pose a security risk:
      Hackers target cookies to retrieve sensitive information
      Cookies can be used to determine what Web pages you are viewing
  Some personal information is left on Web sites by the browser, which makes tracking Internet usage easier
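The slide above says cookies carry user-specific information and that Internet transmissions are not normally encrypted. The attributes a server puts on a Set-Cookie header decide how far that exposure goes: Secure keeps the cookie off plain HTTP connections, HttpOnly keeps it away from scripts running in the page, and SameSite keeps it off requests made from other sites. The following Python script is an added example, not part of the chapter: it parses Set-Cookie headers and reports which of those protections are missing. The two sample headers are constructed for the example.

```python
"""Audit Set-Cookie headers for exposure-limiting attributes.

Added example, not from the chapter. The sample headers below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str) -> CookieAudit:
    """Report which protections a cookie lacks."""
    name, _value, attrs = parse_set_cookie(header)
    audit = CookieAudit(
        name=name,
        secure="secure" in attrs,
        httponly="httponly" in attrs,
        samesite=attrs.get("samesite"),
    )
    if not audit.secure:
        audit.findings.append(
            "missing Secure: the cookie is also sent over plain HTTP, "
            "where anyone on the network path can read it")
    if not audit.httponly:
        audit.findings.append(
            "missing HttpOnly: scripts running in the page can read the cookie")
    if "samesite" not in attrs:
        audit.findings.append(
            "missing SameSite: the cookie is attached to requests made from other sites")
    return audit


# Constructed sample headers: one hardened session cookie, one bare preference cookie.
SAMPLE_HEADERS = [
    "SESSIONID=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Strict",
    "prefs=lang%3Den; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_set_cookie(header)
        status = "ok" if not result.findings else "; ".join(result.findings)
        print(f"{result.name}: {status}")
```

The parser keeps Domain, Path and expiry attributes but does not judge them; a fuller audit would also flag a session cookie with a far-off Expires, since a cookie that lives for years is exposed for years.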
Redirecting Web Traffic
  Mistakes can be made when typing an address into a browser; usually such mistakes just result in error messages (See Figure 4-7)
  Hackers can exploit misaddressed Web names to steal information using social engineering
  Two approaches:
    Phishing
    Registering similar-sounding domain names
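Similar-sounding domain names work because a name one letter off, or with a digit in place of a letter, is hard to spot by eye. The "check spelling to be sure you are viewing the real site" advice later in the chapter can be automated. The following Python script is an added example, not part of the chapter: given a constructed list of trusted domains, it classifies a URL's host as trusted, a trusted name embedded as a subdomain of something else, a look-alike (within two character edits or a digit-for-letter swap of a trusted name), or unrelated. The "last two labels" rule it uses for the registrable domain is a simplification; a production check would use the Public Suffix List so that names such as example.co.uk are handled.

```python
"""Flag Web addresses whose host looks like a trusted domain but is not.

Added example, not from the chapter. TRUSTED_DOMAINS is a constructed list, and the
'last two labels' rule for the registrable domain is a simplification (a production
check would use the Public Suffix List).
"""
from typing import Tuple
from urllib.parse import urlsplit

# Constructed list of the domains a user or organisation actually means to visit.
TRUSTED_DOMAINS = ("example.com", "example-bank.test")

# Characters commonly swapped for look-alikes in similar-sounding domain names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # deletion
                               current[j - 1] + 1,              # insertion
                               previous[j - 1] + (ca != cb)))   # substitution
        previous = current
    return previous[-1]


def registrable_domain(hostname: str) -> str:
    """Simplified: the last two labels of the host (see module docstring)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> Tuple[str, str]:
    """Return (verdict, domain) for the host part of url.

    verdict is one of:
      trusted    - the registrable domain is in the trusted list
      embedded   - a trusted name appears as a subdomain of some other domain
      lookalike  - within two edits, or a homoglyph rewrite, of a trusted name
      unrelated  - none of the above
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        # e.g. www.example.com.evil.test: the real name is only a prefix
        if host.startswith(t + ".") or ("." + t + ".") in host:
            return "embedded", t
    normalized = domain.translate(HOMOGLYPHS).replace("rn", "m")
    for t in trusted:
        if normalized == t or levenshtein(domain, t) <= 2:
            return "lookalike", t
    return "unrelated", domain


if __name__ == "__main__":
    # Constructed URLs exercising each verdict.
    for sample in ("https://login.example.com/", "http://examp1e.com/login",
                   "http://www.example.com.evil.test/", "https://exampel.com",
                   "https://python.org"):
        print(sample, "->", classify_url(sample))
```

A "lookalike" or "embedded" verdict is a reason to stop and compare the address against a bookmark or a known-good source, which is exactly the manual spelling check the chapter recommends; the script only makes the comparison systematic.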
Web Security Through Browser Settings
  Web browser security and privacy settings can be customized through Internet Options, which has these tabs:
    General
    Security
    Privacy
    Content
    Advanced
Web Security Through Browser Settings (continued)
  Figure 4-9: Security Settings on the Advanced Tab
Web Security Through Browser Settings (continued)
  Alert the User to the Type of Transaction: Warn if changing between secure and not secure mode
Web Security Through Browser Settings (continued)
  Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS): Encrypts and decrypts the data sent
Web Security Through Browser Settings (continued)
  Know What’s Happening with the Cache
    Cache: Temporary storage area on the hard disk
    Do not save encrypted pages to disk
    Empty Temporary Internet Files when the browser is closed
Web Security Through Browser Settings (continued)
  Know the Options on the General Tab
    Temporary Internet files: Delete Cookies, Delete Files
    History
Web Security Through Browser Settings (continued)
  Security Zones and the Security Tab: Predefined security zones:
    Internet
    Local Intranet
    Trusted sites
    Restricted sites
Web Security Through Browser Settings (continued)
  Security Zones and the Security Tab: Security levels can be customized by clicking the Custom Level button to display the Security Settings page
Web Security Through Browser Settings (continued)
  Using the Privacy tab: Divided into two parts:
    Privacy level settings
    Cookie handling: First-party, Third-party
Web Security Through Browser Settings (continued)
  Placing Restrictions on the Content Page: Control the type of content the browser will display
    Content Advisor
    Certificates
    Publishers
Web Security Through Appropriate Procedures
  Do not accept any unsigned Java applets unless you are sure of the source.
  Disable or restrict macros from opening or running automatically.
  Disable ActiveX and JavaScript.
  Install anti-spyware and antivirus software and keep it updated.
Web Security Procedures (continued)
  Regularly install any critical operating system updates.
  Block all cookies.
  Never respond to an e-mail that asks you to click on a link to verify your personal information.
  Check spelling to be sure you are viewing the real site.
Web Security Procedures (continued)
  Turn on all security settings under the Advanced tab.
  Keep your cache clear of temporary files and cookies.
  Use the security zones feature.
E-Mail
  E-mail is a double-edged sword:
    Essential for business and personal communications
    Primary vehicle for malicious code
Vulnerabilities of E-Mail
  Three major areas:
    Attachments
    Spam
    Spoofing
Vulnerabilities of E-Mail (continued)
  Attachments: Documents, spreadsheets, photographs and anything else added to an e-mail message
    Can open the door for viruses and worms to infect a system
    Malicious code can execute when the attachment is opened
    Code can then forward itself and continue to spread
Vulnerabilities of E-Mail (continued)
  Spam: Unsolicited e-mail messages
    Usually regarded as just a nuisance, but can contain malicious code
  To cut down on spam:
    Never reply to spam that says “Click here to unsubscribe”
    Set up an e-mail account to use when filling out Web forms
    Do not purchase items advertised through spam
    Ask your ISP or network manager to install spam-filtering hardware or software
Vulnerabilities of E-Mail (continued)
  E-mail spoofing: A message falsely identifying the sender as someone else
    The sender’s address appears to be legitimate, so the recipient trusts the source and does what is asked
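A spoofed message has to make the visible sender look right while the parts that actually route mail (the address the display name covers, the Reply-To, the envelope sender recorded in Return-Path) point somewhere else. Those inconsistencies are checkable. The following Python script is an added example, not part of the chapter: it reads a raw message with the standard library's email module and reports three sender-header mismatches. The two messages are constructed for the example, and the checks are heuristics: a mismatch is a reason to treat a message with suspicion, not proof of spoofing, since legitimate bulk-mail services also use a different Return-Path domain.

```python
"""Look for header inconsistencies that often accompany a spoofed sender.

Added example, not from the chapter. The two messages below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def spoofing_indicators(raw_message: str) -> Dict[str, str]:
    """Return {indicator: detail} for the sender-related headers of a message."""
    msg = message_from_string(raw_message)
    findings: Dict[str, str] = {}

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The display name pretends to be an address at another domain, e.g.
    #    "it-support@example.com" <alerts@notify.evil.test>; many mail clients
    #    show only the display name.
    for named_domain in re.findall(r"@([A-Za-z0-9.-]+)", display_name):
        if named_domain.lower() != from_domain:
            findings["display-name-domain"] = (
                f"display name claims {named_domain}, address is at {from_domain}")

    # 2. Replies would go to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings["reply-to-domain"] = f"Reply-To is at {domain_of(reply_to)}"

    # 3. The envelope sender (written into Return-Path on delivery) differs from From.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        findings["return-path-domain"] = f"Return-Path is at {domain_of(return_path)}"

    return findings


# Constructed samples: one message with every indicator, one without any.
SPOOFED = """\
Return-Path: <bounce@mailer.evil.test>
From: "it-support@example.com" <alerts@notify.evil.test>
Reply-To: helpdesk@evil.test
To: user@example.com
Subject: Your password expires today

Click the link to keep your account active.
"""

LEGITIMATE = """\
Return-Path: <it-support@example.com>
From: IT Support <it-support@example.com>
To: user@example.com
Subject: Scheduled maintenance this weekend

Systems will be unavailable on Saturday night.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, spoofing_indicators(raw) or "no indicators")
```

The script compares exact domains; an organisation that sends from several subdomains would extend domain_of to compare registrable domains instead. Mail servers that check SPF and DKIM record their results in Authentication-Results headers, which would be the next header to read.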
Solutions
  Technology-based solutions
    Antivirus software installed and regularly updated
    E-mail filters:
      File extension filters
      Junk e-mail option (Figure 4-17)
      Separate filtering software working in conjunction with the e-mail software
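The file extension filter listed above is the simplest of the technology-based solutions, and the Attachments slide explains why it matters: malicious code in an attachment runs when the attachment is opened. The following Python script is an added example, not part of the chapter: it walks the attachments of a MIME message and applies a filter that blocks executable extensions, catches a document extension hiding a blocked one (report.pdf.exe), notices a name padded with spaces to push the real extension out of view, and compares the claimed type against the file's leading bytes. The message, the extension lists and the signature table are constructed for the example and are far from a complete policy.

```python
"""Scan the attachments of an e-mail message the way a file-extension filter would.

Added example, not from the chapter. The MIME message is constructed in
build_sample_message(); the extension and file-signature lists are short
illustrations, not a complete policy.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Dict, List

# Extensions that run as code when opened and are rarely legitimate in mail.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                      "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi", "jar"}

# Extensions users expect to be harmless documents, so pairing one with a
# blocked extension (report.pdf.exe) is a classic disguise.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

# Leading bytes ("magic numbers") a file of the claimed type should start with.
FILE_SIGNATURES = {"pdf": b"%PDF-", "png": b"\x89PNG", "zip": b"PK\x03\x04",
                   "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04"}


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings for one attachment; an empty list means it passed."""
    findings: List[str] = []
    name = filename.strip().lower()
    exts = [e.strip() for e in name.split(".")[1:]]   # ["pdf", "exe"] for report.pdf.exe
    last = exts[-1] if exts else ""

    if last in BLOCKED_EXTENSIONS:
        findings.append(f"blocked-extension:{last}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last in BLOCKED_EXTENSIONS:
        findings.append("double-extension")
    if "  " in filename:        # runs of spaces hide the real extension in narrow columns
        findings.append("padded-name")
    signature = FILE_SIGNATURES.get(last)
    if signature and not data.startswith(signature):
        findings.append("content-mismatch")
    return findings


def scan_attachments(raw_message: bytes) -> Dict[str, List[str]]:
    """Map each attachment file name in a MIME message to its findings."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    report: Dict[str, List[str]] = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_content()
        data = payload if isinstance(payload, bytes) else str(payload).encode()
        report[filename] = check_attachment(filename, data)
    return report


def build_sample_message() -> bytes:
    """Constructed message with one clean and two disguised attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Documents"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 sample document", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 fake executable", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 another one", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in scan_attachments(build_sample_message()).items():
        print(name, "->", findings or "ok")
```

The content-mismatch check is what an extension filter alone cannot do: statement.pdf passes every name-based rule and is caught only because its bytes are not a PDF. Archives need the same treatment one level down, since a blocked file inside a .zip is invisible to a check on the outer name.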
Solutions (continued)
  Procedure-based solutions
    Remember that e-mail is the number one method for infecting computers and treat it cautiously
    Approach e-mail messages from unknown senders with caution
    Never automatically open an attachment
    Do not use preview mode in your e-mail software
    Never answer e-mail requests for personal information
Summary
  Computers connected to the Internet are vulnerable to a long list of attacks, in addition to viruses, worms and other malicious code.
  Categories of attack are:
    Repurposed programming (JavaScript, Java applets, ActiveX controls)
    Snooping
    Redirected Web traffic
Summary (continued)
  Defending against Web attacks is a two-fold process:
    Configuration of browser software (customized privacy and security settings)
    Proper procedures to minimize risk
  Many attacks are based on social engineering.
Summary (continued)
  E-mail is a crucial business and personal tool, but is also a primary means of infection by viruses, worms, and other malicious code. The three major areas of vulnerability are:
    Attachments
    Spam
    Spoofing
Summary (continued)
  E-mail security solutions can be broken into two categories:
    Technology-based: antivirus software; filters for attachments and spam
    Procedure-based: remember the risks and consistently follow “safe” procedures