abdomendebonair · Security
2 Nov 2013 (3 years and 5 months ago)

Security Awareness: Applying
Practical Security in Your
World

Chapter 4:
Internet Security

Security Awareness: Applying Practical Security in Your World

2

Objectives


List the risks associated with using the World Wide Web, and describe the preventive measures that can be used to minimize Web attacks.

List the vulnerabilities associated with using e-mail, and explain procedures and technologies that can be used to protect e-mail.


Internet Security


The Internet has changed the way we live and work in a very short amount of time.

There is a dark side to the Internet: it has opened the door to attacks on any computer connected to it.

There are methods to minimize the risks of using the Internet and e-mail.


The World Wide Web


Internet: worldwide interconnection of computers

World Wide Web (WWW): Internet server computers that provide online information in a specified format

Hypertext Markup Language (HTML): specifies how a browser should display elements on a user's screen (See Figure 4-1)

Hypertext Transport Protocol (HTTP): set of standards that Web servers use to distribute HTML documents (See Figure 4-2)


Repurposed Programming


Repurposed programming: using programming tools in harmful ways other than what they were originally intended to do

Static content: information that does not change

Dynamic content: content that can change

Tools that can be used for repurposed programming:
JavaScript
Java applets
ActiveX controls


Web Attacks


Web attack: an attack launched against a computer through the Web

Broadband connections: a type of Internet connection that allows users to connect at much faster speeds than older dial-up technologies
Result: home computers stay connected for long periods and are attacked far more often

Three categories of attacks:
Repurposed programming
Snooping
Redirected Web traffic


JavaScript


JavaScript: special program code embedded in an HTML document

Web site using JavaScript accessed
HTML document downloaded
JavaScript code executed by the browser (See Figure 4-3)

Some browsers have security weaknesses


Java Applet


Java applet: a program downloaded from the Web server separately from the HTML document

Stored on the Web server and downloaded along with the HTML code when the page is accessed (See Figure 4-4)

Processes the user's requests on the local computer rather than transmitting them back to the Web server


Java Applet (continued)


“Security sandbox”

Unsigned Java applets: untrusted source (See Figure 4-5)

Signed Java applets: digital signature proving a trusted source



ActiveX Controls


ActiveX controls: an advanced technology that allows software components to interact with different applications

Two risks:
Macros
ActiveX security relies on human judgment (digital signatures): users may routinely grant permission for any ActiveX program to run


Snooping


One of dynamic content's strengths is its ability to receive input from the user and perform actions based on it (See Figure 4-6)

Providing information to a Web site carries risk

Internet transmissions are not normally encrypted

Information entered can be viewed by unauthorized users

Types of snooping:
Spyware
Misusing cookies



Snooping (Continued)


Cookies: a computer file that contains user-specific information

Stores information given to a Web site and reuses it

Can pose a security risk

Hackers target cookies to retrieve sensitive information

Cookies can be used to determine what Web pages you are viewing

Some personal information is left on Web sites by the browser

Makes tracking Internet usage easier


Redirecting Web Traffic


Mistakes can be made when typing an address into a browser

Usually mistakes result in error messages (See Figure 4-7)

Hackers can exploit misaddressed Web names to steal information using social engineering

Two approaches:
Phishing
Registering similar-sounding domain names
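Added example, not part of the textbook slides: the two tricks on this slide checked mechanically. typoVariants() generates the one-keystroke misspellings of a trusted domain name (the "similar-sounding domain names" an attacker registers), and checkLink() applies the later advice to "check spelling" and not to trust a link's visible text to a link taken from a message. All domain names are constructed for the example, and the QWERTY neighbour table and the two-label "registrable domain" rule are simplifying assumptions.

```javascript
// Neighbouring keys on a QWERTY keyboard, for fat-finger substitutions.
const ADJACENT = {
  q: 'wa', w: 'qes', e: 'wrd', r: 'etf', t: 'ryg', y: 'tuh', u: 'yij', i: 'uok',
  o: 'ipl', p: 'o', a: 'qws', s: 'adwe', d: 'sfer', f: 'dgrt', g: 'fhty',
  h: 'gjyu', j: 'hkui', k: 'jlio', l: 'kop', z: 'xas', x: 'zcsd', c: 'xvdf',
  v: 'cbfg', b: 'vngh', n: 'bmhj', m: 'njk',
};

// All single-edit typos of the label before the top-level domain:
// bank.example -> bnak.example, bnk.example, baank.example, bamk.example, ...
function typoVariants(domain) {
  const dot = domain.lastIndexOf('.');
  const label = domain.slice(0, dot).toLowerCase();
  const tld = domain.slice(dot).toLowerCase();
  const out = new Set();
  for (let i = 0; i < label.length; i++) {
    out.add(label.slice(0, i) + label.slice(i + 1));                 // omission
    out.add(label.slice(0, i) + label[i] + label.slice(i));          // doubled letter
    if (i + 1 < label.length)                                        // transposition
      out.add(label.slice(0, i) + label[i + 1] + label[i] + label.slice(i + 2));
    for (const k of ADJACENT[label[i]] || '')                        // adjacent key
      out.add(label.slice(0, i) + k + label.slice(i + 1));
  }
  out.delete(label);
  return new Set([...out].map((l) => l + tld));
}

// Returns the trusted domain a hostname imitates, or null when the host is the
// real site (or one of its subdomains) or is simply unrelated.
function lookalikeOf(hostname, trusted) {
  const host = hostname.toLowerCase();
  // Registrable part approximated as the last two labels (assumption: no public-suffix list).
  const site = host.split('.').slice(-2).join('.');
  if (trusted.includes(site)) return null;
  for (const legit of trusted) if (typoVariants(legit).has(site)) return legit;
  return null;
}

// Evaluate one link from a message: the host the text shows versus the host
// the href really points to, plus the lookalike check on the real host.
function checkLink(visibleText, href, trusted) {
  const actualHost = new URL(href).hostname.toLowerCase();
  const findings = [];
  const shown = visibleText.match(/https?:\/\/[^\s"'<>]+/);
  if (shown) {
    const shownHost = new URL(shown[0]).hostname.toLowerCase();
    if (shownHost !== actualHost)
      findings.push(`text shows ${shownHost} but the link goes to ${actualHost}`);
  }
  const imitated = lookalikeOf(actualHost, trusted);
  if (imitated) findings.push(`${actualHost} is a misspelling of ${imitated}`);
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  const trusted = ['bank.example'];
  console.log(checkLink('https://www.bank.example/login', 'https://bnak.example/login', trusted));
  console.log(checkLink('Sign in', 'https://www.bank.example/login', trusted)); // []
}
```

A real deployment would also compare against homoglyph substitutions (digit 1 for letter l, rn for m) and use a public-suffix list instead of the two-label rule; the structure of the check is the same.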


Web Security Through Browser
Settings


Web browser security and privacy settings can be customized

Internet Options tabs:
General
Security
Privacy
Content
Advanced



Web Security Through Browser
Settings (continued)

Figure 4-9: Security Settings on the Advanced Tab


Web Security Through Browser
Settings (continued)


Alert the User to the Type of Transaction: warn if changing between secure and not secure mode


Web Security Through Browser
Settings (continued)


Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS): encrypts the data sent between the browser and the Web server, so that it cannot be read by anyone snooping on the connection


Web Security Through Browser
Settings (continued)


Know What's Happening with the Cache:
Do not save encrypted pages to disk
Empty Temporary Internet Files when the browser is closed

Cache: temporary storage area on the hard disk


Web Security Through Browser
Settings (continued)


Know the Options on the General Tab:
Temporary Internet files: Delete Cookies, Delete Files
History


Web Security Through Browser
Settings (continued)


Security Zones and the Security Tab: predefined security zones:
Internet
Local Intranet
Trusted sites
Restricted sites


Web Security Through Browser
Settings (continued)


Security Zones and the Security Tab: security levels can be customized by clicking the Custom Level button to display the Security Settings page



Web Security Through Browser
Settings (continued)


Using the Privacy tab: divided into two parts:
Privacy level settings
Cookie handling: first-party and third-party



Web Security Through Browser
Settings (continued)


Placing Restrictions on the Content Page: control the type of content the browser will display
Content Advisor
Certificates
Publishers



Web Security Through Appropriate
Procedures


Do not accept any unsigned Java applets unless you are sure of the source

Disable or restrict macros from opening or running automatically

Disable ActiveX and JavaScript

Install anti-spyware and antivirus software and keep it updated


Web Security Procedures
(continued)


Regularly install any critical operating system updates.

Block all cookies

Never respond to an e-mail that asks you to click on a link to verify your personal information.

Check spelling to be sure you are viewing the real site.


Web Security Procedures
(continued)


Turn on all security settings under the Advanced tab.

Keep your cache clear of temporary files and cookies.

Use the security zones feature.


E-Mail

E-mail is a double-edged sword:
Essential for business and personal communications
Primary vehicle for malicious code



Vulnerabilities of E-Mail

Three major areas:
Attachments
Spam
Spoofing


Vulnerabilities of E-Mail (continued)

Attachments: documents, spreadsheets, photographs and anything else added to an e-mail message

Can open the door for viruses and worms to infect a system

Malicious code can execute when the attachment is opened

Code can then forward itself and continue to spread


Vulnerabilities of E-Mail (continued)

Spam: unsolicited e-mail messages

Usually regarded as just a nuisance, but can contain malicious code

To cut down on spam:
Never reply to spam that says “Click here to unsubscribe”
Set up a separate e-mail account to use when filling out Web forms
Do not purchase items advertised through spam
Ask your ISP or network manager to install spam-filtering hardware or software


Vulnerabilities of E-Mail (continued)

E-mail spoofing: a message falsely identifying the sender as someone else

The sender's address appears to be legitimate, so the recipient trusts the source and does what is asked
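Added example, not part of the textbook slides: the header checks that show why a From: address that "appears to be legitimate" proves nothing. The From: line is free text chosen by whoever sent the message; the envelope sender (Return-Path), the Reply-To address and the Received: trail written by each relay are harder to fake consistently, so a filter or a careful reader compares them. The message, hostnames and addresses below are constructed for the example.

```javascript
// Split the header block into a map of lower-cased name -> list of values,
// joining folded continuation lines (those starting with a space or tab).
function parseHeaders(raw) {
  const headerBlock = raw.split(/\r?\n\r?\n/)[0];
  const unfolded = [];
  for (const line of headerBlock.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && unfolded.length) unfolded[unfolded.length - 1] += ' ' + line.trim();
    else unfolded.push(line);
  }
  const headers = new Map();
  for (const line of unfolded) {
    const colon = line.indexOf(':');
    if (colon < 0) continue;
    const name = line.slice(0, colon).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(colon + 1).trim());
  }
  return headers;
}

// Bare address from `"Display Name" <user@host>` or `user@host`.
function addressOf(value) {
  const angle = value.match(/<([^>]+)>/);
  if (angle) return angle[1].toLowerCase();
  const bare = value.match(/[^\s<>,"]+@[^\s<>,"]+/);
  return bare ? bare[0].toLowerCase() : null;
}

function domainOf(address) {
  return address ? address.slice(address.lastIndexOf('@') + 1) : null;
}

function sameOrSubdomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Heuristic spoofing indicators. None is proof on its own; together they are
// what a filter or a careful reader weighs before trusting the From: line.
function spoofIndicators(raw) {
  const h = parseHeaders(raw);
  const first = (name) => (h.get(name) || [])[0] || '';
  const from = addressOf(first('from'));
  const fromDomain = domainOf(from);
  const returnPath = addressOf(first('return-path'));
  const replyTo = addressOf(first('reply-to'));
  const findings = [];
  if (returnPath && domainOf(returnPath) !== fromDomain)
    findings.push(`envelope sender ${returnPath} is not in the From: domain ${fromDomain}`);
  if (replyTo && domainOf(replyTo) !== fromDomain)
    findings.push(`replies go to ${replyTo}, not to ${from}`);
  // Each relay prepends its own Received: header, so the last one is the
  // earliest: it names the host that handed the message to the first relay.
  const received = h.get('received') || [];
  const origin = received[received.length - 1] || '';
  const injectedBy = (origin.match(/^from\s+([^\s(]+)/i) || [])[1];
  if (injectedBy && fromDomain && !sameOrSubdomain(injectedBy.toLowerCase(), fromDomain))
    findings.push(`message entered the mail system from ${injectedBy}, not from ${fromDomain}`);
  return findings;
}

// Constructed sample: the From: line claims the bank, everything else disagrees.
const SPOOFED = [
  'Return-Path: <bounce@mail-blast.example.net>',
  'Received: from mx.corp.example (mx.corp.example [192.0.2.10])',
  '\tby inbox.corp.example with ESMTP; Sat, 02 Nov 2013 10:00:00 +0000',
  'Received: from vps77.cheap-host.example (vps77.cheap-host.example [198.51.100.7])',
  '\tby mx.corp.example with SMTP; Sat, 02 Nov 2013 09:59:58 +0000',
  'From: "First Bank Security" <security@firstbank.example>',
  'Reply-To: <verify-account@firstbank-support.example>',
  'To: <customer@corp.example>',
  'Subject: Verify your account',
  '',
  'Click here to verify your personal information.',
].join('\r\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const finding of spoofIndicators(SPOOFED)) console.log('-', finding);
}
```

Only the Received: line added by your own mail server can be trusted; earlier ones may themselves be forged, which is why the check here stops at the host that handed the message to the first relay rather than reading the whole chain.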


Solutions


Technology-based solutions:
Antivirus software installed and regularly updated
E-mail filters: file extension filters; junk e-mail option (Figure 4-17); separate filtering software working in conjunction with the e-mail software
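Added example, not part of the textbook slides: what a "file extension filter" for attachments has to decide, extended beyond the slide's one-line bullet with two checks a practitioner relies on: double extensions such as invoice.pdf.exe, and a mismatch between the claimed extension and the file's leading bytes (a renamed executable). The extension lists, the allow/quarantine/block policy and the sample attachments are assumptions made for the example.

```javascript
// Extensions Windows will run directly when double-clicked.
const EXECUTABLE = new Set(['exe', 'com', 'scr', 'pif', 'bat', 'cmd', 'vbs', 'vbe',
  'js', 'jse', 'wsf', 'wsh', 'hta', 'msi', 'cpl', 'jar', 'ps1']);
// Office formats that may carry macros.
const MACRO = new Set(['docm', 'xlsm', 'pptm', 'dotm', 'xlam']);
// Harmless-looking extensions that a double extension typically borrows.
const DECOY = new Set(['pdf', 'doc', 'docx', 'xls', 'jpg', 'jpeg', 'png', 'txt', 'gif']);

// Leading bytes that identify a format no matter what the file is called.
const MAGIC = [
  { type: 'windows-executable', bytes: [0x4d, 0x5a] },            // "MZ"
  { type: 'pdf', bytes: [0x25, 0x50, 0x44, 0x46] },               // "%PDF"
  { type: 'jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'zip', bytes: [0x50, 0x4b, 0x03, 0x04] },               // also docx/xlsx/jar
];

function sniff(content) {
  for (const m of MAGIC) if (m.bytes.every((b, i) => content[i] === b)) return m.type;
  return 'unknown';
}

const RANK = { allow: 0, quarantine: 1, block: 2 };

// Returns { action: 'allow' | 'quarantine' | 'block', reasons, detected }.
function classifyAttachment(filename, content) {
  const exts = filename.toLowerCase().split('.').slice(1); // everything after the base name
  const last = exts[exts.length - 1] || '';                // what the OS acts on
  const reasons = [];
  let action = 'allow';
  const raise = (to, why) => { if (RANK[to] > RANK[action]) action = to; reasons.push(why); };

  if (EXECUTABLE.has(last)) raise('block', `executable extension .${last}`);
  if (MACRO.has(last)) raise('quarantine', `macro-enabled document .${last}`);
  if (exts.length > 1 && DECOY.has(exts[exts.length - 2]))
    raise('quarantine', `double extension: looks like .${exts[exts.length - 2]} but ends in .${last}`);

  // Name says one thing, bytes say another: a renamed executable.
  const detected = sniff(content);
  if (detected === 'windows-executable' && !EXECUTABLE.has(last))
    raise('block', `content is a Windows executable although the name says .${last || '(none)'}`);

  return { action, reasons, detected };
}

// Constructed attachments: only the first bytes matter for the example.
const SAMPLES = [
  { name: 'report.pdf',      content: Buffer.from('%PDF-1.4\n') },
  { name: 'invoice.pdf.exe', content: Buffer.from([0x4d, 0x5a, 0x90, 0x00]) },
  { name: 'holiday.jpg',     content: Buffer.from([0x4d, 0x5a, 0x90, 0x00]) }, // renamed .exe
  { name: 'budget.xlsm',     content: Buffer.from([0x50, 0x4b, 0x03, 0x04]) },
];

function triage(samples) {
  return samples.map(({ name, content }) => ({ name, ...classifyAttachment(name, content) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triage(SAMPLES))
    console.log(r.name.padEnd(16), r.action.padEnd(11), r.reasons.join('; '));
}
```

The magic-byte check is what makes the filter worth having: an extension list alone is defeated by renaming the file, and a mail client that hides known extensions shows "invoice.pdf.exe" as "invoice.pdf".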


Solutions (continued)


Procedure-based solutions:
Remember that e-mail is the number one method for infecting computers and treat it cautiously
Approach e-mail messages from unknown senders with caution
Never automatically open an attachment
Do not use preview mode in your e-mail software
Never answer e-mail requests for personal information


Summary


Computers connected to the Internet are vulnerable to a long list of attacks, in addition to viruses, worms and other malicious code.

Categories of attack are:
Repurposed programming (JavaScript, Java applets, ActiveX controls)
Snooping
Redirected Web traffic


Summary (continued)


Defending against Web attacks is a two-fold process:
Configuration of browser software: customized privacy and security settings
Proper procedures to minimize risk: many attacks are based on social engineering


Summary (continued)


E-mail is a crucial business and personal tool, but is also a primary means of infection by viruses, worms, and other malicious code. Its three vulnerable areas are:
Attachments
Spam
Spoofing


Summary (continued)


E-mail security solutions can be broken into two categories:
Technology-based: antivirus software; filters for attachments and spam
Procedure-based: remember the risks and consistently follow “safe” procedures