Chapter 6: Web Security

abdomendebonairSecurity

Nov 2, 2013


Security+ Guide to Network Security Fundamentals, Second Edition

Objectives

- Protect e-mail systems
- List World Wide Web vulnerabilities
- Secure Web communications
- Secure instant messaging

Protecting E-Mail Systems

- E-mail has replaced the fax machine as the primary communication tool for businesses
- It has also become a prime target of attackers and must be protected

How E-Mail Works

- Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
  - Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  - Post Office Protocol (POP3 for the current version) handles incoming mail
- The SMTP server on most machines uses sendmail to do the actual sending; outgoing messages wait in a queue called the sendmail queue


How E-Mail Works (continued)

- Sendmail tries to resend queued messages periodically (about every 15 minutes)
- Downloaded messages are erased from the POP3 server
  - Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
- Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many of these problems
  - E-mail remains on the e-mail server

How E-Mail Works (continued)

- E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
- Non-text documents must be converted into text format before being transmitted

E-Mail Vulnerabilities

- Several e-mail vulnerabilities can be exploited by attackers:
  - Malware
  - Spam
  - Hoaxes

Malware

- Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
- E-mail is the malware transport mechanism of choice for two reasons:
  - Because almost all Internet users have e-mail, it has the broadest base for attacks
  - Malware can use e-mail to propagate itself

Malware (continued)

- A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages
- E-mail clients can be particularly susceptible to macro viruses
  - A macro is a script that records the steps a user performs
  - A macro virus uses macros to carry out malicious functions

Malware (continued)

- Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
- E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
- Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
- Procedures, including turning off ports and eliminating open mail relay servers, must be developed and enforced
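Added example (not from the textbook): the two e-mail points above in working code. Python's `email` library base64-encodes a binary attachment so it can cross text-only SMTP hops, and a gateway-side check flags attachments whose extension is on the slide's block list. The addresses, payload and file names are constructed sample data.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the chapter says users should never open (compared case-insensitively).
BLOCKED_EXTENSIONS = {".bat", ".ade", ".usf", ".exe", ".pif"}


def build_message(attachment_name: str, payload: bytes) -> bytes:
    """Build an RFC 2822 message carrying one binary attachment.

    add_attachment() with a bytes payload defaults to base64, which is the
    binary-to-text conversion the slides describe.
    """
    msg = EmailMessage()
    msg["From"] = "alice@example.com"   # constructed sample addresses
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def blocked_attachments(raw: bytes) -> list[str]:
    """Return the filenames of attachments whose extension is on the block list."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Use the *last* extension so a double extension like "report.pdf.exe" is caught.
        ext = re.search(r"\.[^.]*$", name)
        if ext and ext.group(0).lower() in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def is_base64_encoded(raw: bytes) -> bool:
    """True when every attachment was transmitted as base64 text."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return all(part.get("Content-Transfer-Encoding", "").lower() == "base64"
               for part in msg.iter_attachments())
```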

Spam

- The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
- The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)

- According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
- Spam is having a negative impact on e-mail users:
  - 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
  - 52% of users indicate spam has made them less trusting of e-mail in general
  - 70% of users say spam has made being online unpleasant or annoying

Spam (continued)

- Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
- Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
- Sophisticated e-mail filters can use Bayesian filtering
  - The user divides e-mail messages received into two piles, spam and not-spam

Hoaxes

- E-mail messages that contain false warnings or fraudulent offerings
- Unlike spam, hoaxes are almost impossible to filter
- The defense against hoaxes is to ignore them

Hoaxes (continued)

- Any e-mail message that appears as though it could not be true probably is not
- E-mail phishing is also a growing practice
  - A message that falsely identifies the sender as someone else is sent to unsuspecting recipients

E-Mail Encryption

- Two technologies are used to protect e-mail messages as they are being transported:
  - Secure/Multipurpose Internet Mail Extensions
  - Pretty Good Privacy

Secure/Multipurpose Internet Mail Extensions (S/MIME)

- Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
- Provides these features:
  - Digital signatures
  - Interoperability
  - Message privacy
  - Seamless integration
  - Tamper detection

Pretty Good Privacy (PGP)

- Functions much like S/MIME, encrypting messages and applying digital signatures
- A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
- First compresses the message
  - Reduces patterns and enhances resistance to cryptanalysis
- Creates a session key (a one-time-only secret key)
  - This key is a number generated from random movements of the mouse and keystrokes typed

Pretty Good Privacy (PGP) (continued)

- Uses a passphrase to encrypt the private key on the local computer
- Passphrase:
  - A longer and more secure version of a password
  - Typically composed of multiple words
  - More secure against dictionary attacks


Examining World Wide Web Vulnerabilities

- Buffer overflow attacks are common ways to gain unauthorized access to Web servers
- SMTP relay attacks allow spammers to send thousands of e-mail messages to users
- Web programming tools provide another foothold for Web attacks
- Dynamic content can also be used by attackers
  - Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)
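Added example (not from the textbook): the relay decision an SMTP server must make to avoid being the open relay that spammers abuse. Mail is accepted only when it is inbound to a domain the server hosts, or outbound from an authenticated or internal client; everything else is relaying and is refused. The domains and network ranges are constructed sample policy for a hypothetical organization.

```python
import ipaddress

# Constructed policy for a hypothetical organization's SMTP server.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]


def relay_decision(client_ip: str, authenticated: bool,
                   recipient: str) -> tuple[bool, str]:
    """Decide whether to accept RCPT TO for one recipient.

    Returns (accept, SMTP-style reply). Refusing the last case is what
    closes the open relay: an unknown client asking us to deliver to a
    domain we do not host.
    """
    try:
        local_part, domain = recipient.rsplit("@", 1)
    except ValueError:
        return False, "550 malformed recipient address"
    domain = domain.lower().rstrip(".")
    if not local_part or not domain:
        return False, "550 malformed recipient address"

    if domain in LOCAL_DOMAINS:
        return True, "250 OK (inbound to local domain)"

    if authenticated:
        return True, "250 OK (authenticated client)"

    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False, "550 relaying denied (unparseable client address)"
    if any(addr in net for net in INTERNAL_NETWORKS):
        return True, "250 OK (internal client)"

    return False, "550 relaying denied"
```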

JavaScript

- Popular technology used to make dynamic content
- When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer
- The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter

JavaScript (continued)

- Several defense mechanisms prevent JavaScript programs from causing serious harm:
  - JavaScript does not support certain capabilities
  - JavaScript has no networking capabilities
- Other security concerns remain:
  - JavaScript programs can capture and send user information without the user’s knowledge or authorization
  - JavaScript security is handled by restrictions within the Web browser


Java Applet

- A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code
- Can also be made into hostile programs
- A sandbox is a defense against a hostile Java applet
  - Surrounds the program and keeps it away from private data and other resources on a local computer
  - Java applet programs should run within a sandbox


Java Applet (continued)

- Two types of Java applets:
  - Unsigned Java applet: program that does not come from a trusted source
  - Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
- The primary defense against Java applets is using the appropriate settings of the Web browser


ActiveX

- Set of technologies developed by Microsoft
- Outgrowth of two other Microsoft technologies:
  - Object Linking and Embedding (OLE)
  - Component Object Model (COM)
- Not a programming language but a set of rules for how applications should share information

ActiveX (continued)

- ActiveX controls represent a specific way of implementing ActiveX
- Can perform many of the same functions as a Java applet, but do not run in a sandbox
  - Have full access to the Windows operating system
- ActiveX controls are managed through Internet Explorer
  - ActiveX controls should be set to the most restricted levels


Cookies

- Computer files that contain user-specific information
- The need for cookies is based on Hypertext Transfer Protocol (HTTP)
  - Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer
- Attackers often target cookies because they can contain sensitive information (usernames and other private information)

Cookies (continued)

- Can be used to determine which Web sites you view
- A first-party cookie is created from the Web site you are currently viewing
- Some Web sites attempt to access cookies they did not create
  - If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
  - Now known as a third-party cookie because it was not created by the Web site that attempts to access the cookie

Securing Web Communications

- The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
- One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

- SSL protocol developed by Netscape to securely transmit documents over the Internet
- Uses a private key to encrypt data transferred over the SSL connection
- Version 2.0 is the most widely supported version
- Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

- TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
  - An extension of SSL; they are often referred to as SSL/TLS
- SSL/TLS protocol is made up of two layers

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

- TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
- FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
  - Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)

- One common use of SSL is to secure Web HTTP communication between a browser and a Web server
- This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
- Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
- Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Securing Instant Messaging

- Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
- Instant messaging (IM) is a complement to e-mail that overcomes this delay
  - Allows the sender to enter short messages that the recipient sees and can respond to immediately

Securing Instant Messaging (continued)

- Some tasks that you can perform with IM:
  - Chat
  - Images
  - Sounds
  - Files
  - Talk
  - Streaming content

Securing Instant Messaging (continued)

- Steps to secure IM include:
  - Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers
  - Enable IM virus scanning
  - Block all IM file transfers
  - Encrypt messages

Summary

- Protecting basic communication systems is a key to resisting attacks
- E-mail attacks can be malware, spam, or hoaxes
- Web vulnerabilities can open systems up to a variety of attacks
- A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code

Summary (continued)

- ActiveX controls present serious security concerns because of the functions that a control can execute
- A cookie is a computer file that contains user-specific information
- CGI is a set of rules that describe how a Web server communicates with other software on the server
- The popularity of IM has made this a tool that many organizations are now using with e-mail