450 likes | 497 Views
Security Awareness: Applying Practical Security in Your World. Chapter 4: Internet Security. Objectives. List the risks associated with using the World Wide Web, and describe the preventive measures that can be used to minimize Web attacks.
E N D
Security Awareness: Applying Practical Security in Your World Chapter 4: Internet Security
Objectives • List the risks associated with using the World Wide Web, and describe the preventive measures that can be used to minimize Web attacks. • List the vulnerabilities associated with using e-mail, and explain procedures and technologies that can be used to protect e-mail. Security Awareness: Applying Practical Security in Your World
Internet Security • The Internet has changed the way we live and work in a very short amount of time. • There is a dark side to the Internet; it has opened the door to attacks on any computer connected to it. • There are methods to minimize the risks of using the Internet and e-mail. Security Awareness: Applying Practical Security in Your World
The World Wide Web • Internet Worldwide interconnection of computers • World Wide Web (WWW) Internet server computers that provide online information in a specified format • Hypertext Markup Language (HTML) Specifies how a browser should display elements on a user’s screen (See Figure 4-1) • Hypertext Transport Protocol (HTTP) Set of standards that Web servers use to distribute HTML documents (See Figure 4-2) Security Awareness: Applying Practical Security in Your World
The World Wide Web (continued) Security Awareness: Applying Practical Security in Your World
The World Wide Web (continued) Security Awareness: Applying Practical Security in Your World
Repurposed Programming • Repurposed programming Using programming tools in harmful ways other than what they were originally intended to do • Static content Information that does not change • Dynamic content Content that can change • Tools that can be used for repurposed programming:JavaScriptJava AppletsActiveX Controls Security Awareness: Applying Practical Security in Your World
Web Attacks • Web attack An attack launched against a computer through the Web • Broadband connections A type of Internet connection that allows users to connect at much faster speeds than older dial-up technologies • Result: More attacks against home computers • Three categories of attacks:Repurposed programmingSnoopingRedirected Web traffic Security Awareness: Applying Practical Security in Your World
JavaScript • JavaScript Special program code embedded in an HTML document Web site using JavaScript accessed HTML document downloaded JavaScript code executed by the browser (See Figure 4-3) • Some browsers have security weaknesses Security Awareness: Applying Practical Security in Your World
JavaScript (continued) Security Awareness: Applying Practical Security in Your World
Java Applet • Java applet A program downloaded from the Web server separately from the HTML document • Stored on the Web server and downloaded along with the HTML code when the page is accessed (See Figure 4-4) • Processes user’s requests on the local computer rather than transmitting back to the Web server Security Awareness: Applying Practical Security in Your World
Java Applet (continued) • “Security sandbox” Unsigned Java applets Untrusted source (See Figure 4-5) Signed Java applets Digital signature proving trusted source Security Awareness: Applying Practical Security in Your World
Java Applet (continued) Security Awareness: Applying Practical Security in Your World
Java Applet (continued) Security Awareness: Applying Practical Security in Your World
ActiveX Controls • ActiveX controls An advanced technology that allows software components to interact with different applications • Two risks: • Macros • ActiveX security relies on human judgment • Digital signatures • Users may routinely grant permission for any ActiveX program to run Security Awareness: Applying Practical Security in Your World
Snooping • One of dynamic contents strengths is its ability to receive input from the user and perform actions based on it (See Figure 4-6) • Providing information to a Web site carries risk • Internet transmissions are not normally encrypted • Information entered can be viewed by unauthorized users • Types of snooping:SpywareMisusing Cookies Security Awareness: Applying Practical Security in Your World
Snooping (continued) Security Awareness: Applying Practical Security in Your World
Snooping (Continued) • Cookies A computer file that contains user-specific information • Stores information given to a Web site and reuses it • Can pose a security risk • Hackers target cookies to retrieve sensitive information • Cookies can be used to determine what Web pages you are viewing • Some personal information is left on Web sites by the browser • Makes tracking Internet usage easier Security Awareness: Applying Practical Security in Your World
Redirecting Web Traffic • Mistakes can be made when typing an address into a browser • Usually mistakes result in error messages (See Figure 4-7) • Hackers can exploit misaddressed Web names to steal information using social engineering • Two approaches:Phishing Registering similar-sounding domain names Security Awareness: Applying Practical Security in Your World
Redirecting Web Traffic (continued) Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings • Web browser security and privacy settings can be customized • Internet Options General Security Privacy Content Advanced Tab Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) Figure 4-9 Security Settings on the Advanced Tab Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Alert the User to the Type of Transaction • Warn if changing between secure and not secure mode Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Hypertext Transfer Protocol over Secure Sockets Layer (HTTPS) Encrypts and decrypts the data sent Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Know What’s Happening with the Cache • Do not save encrypted pages to disk • Empty Temporary Internet Files when browser is closed • Cache Temporary storage area on the hard disk Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Know the Options on the General Tab • Temporary Internet files Delete Cookies Delete Files • History Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Security Zones and the Security Tab • Predefined security zones:Internet Local IntranetTrusted sites Restricted sites Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Security Zones and the Security Tab • Security levels canbe customized by clicking the Custom Level button to display the Security Settings page Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Using the Privacy tab • Divided into two parts: • Privacy level settings • Cookie handling:First-party Third-party Security Awareness: Applying Practical Security in Your World
Web Security Through Browser Settings (continued) • Placing Restrictions on the Content Page • Control type of content the browser will display • Content Advisor • Certificates • Publishers Security Awareness: Applying Practical Security in Your World
Web Security Through Appropriate Procedures • Do not accept any unsigned Java applets unless you are sure of the source • Disable or restrict macros from opening or running automatically • Disable ActiveX and JavaScript. • Install anti-spyware and antivirus software and keep it updated Security Awareness: Applying Practical Security in Your World
Web Security Procedures (continued) • Regularly install any critical operating system updates. • Block all cookies • Never respond to an e-mail that asks you to click on a link to verify your personal information. • Check spelling to be sure you are viewing the real site. Security Awareness: Applying Practical Security in Your World
Web Security Procedures (continued) • Turn on all security settings under the Advanced tab. • Keep your cache clear of temporary files and cookies. • Use the security zones feature. Security Awareness: Applying Practical Security in Your World
E-Mail • E-mail is a double-edged sword Essential for business and personal communications Primary vehicle for malicious code Security Awareness: Applying Practical Security in Your World
Vulnerabilities of E-Mail • Three major areas:AttachmentsSpamSpoofing Security Awareness: Applying Practical Security in Your World
Vulnerabilities of E-Mail (continued) • Attachments Documents, spreadsheets, photographs and anything else added to an e-mail message • Can open the door for viruses and worms to infect a system • Malicious code can execute when the attachment is opened • Code can then forward itself and continue to spread Security Awareness: Applying Practical Security in Your World
Vulnerabilities of E-Mail (continued) • Spam Unsolicited e-mail messages • Usually regarded as just a nuisance, but can contain malicious code • To cut down on spam: • Never reply to spam that says “Click here to unsubscribe” • Set up an e-mail account to use when filling out Web forms • Do not purchase items advertised through spam • Ask your ISP or network manager to install spam-filtering hardware or software Security Awareness: Applying Practical Security in Your World
Vulnerabilities of E-Mail (continued) • E-mail Spoofing A message falsely identifying the sender as someone else • Sender’s address appears to be legitimate, so the recipient trusts the source and does what is asked Security Awareness: Applying Practical Security in Your World
Solutions • Technology-based solutions • Antivirus software installed and regularly updated • E-mail filters • File extension filters • Junk e-mail option Figure 4-17 • Separate filtering software working in conjunction with the e-mail software Security Awareness: Applying Practical Security in Your World
Solutions (continued) • Procedure-Based Solutions • Remember that e-mail is the number one method for infecting computers and treat it cautiously • Approach e-mail messages from unknown senders with caution • Never automatically open an attachment • Do not use preview mode in your e-mail software • Never answer e-mail requests for personal information Security Awareness: Applying Practical Security in Your World
Summary • Computers connected to the Internet are vulnerable to a long list of attacks, in addition to viruses, worms and other malicious code. • Categories of attack are: • Repurposed programming • JavaScript • Java applets • ActiveX controls • Snooping • Redirected Web traffic Security Awareness: Applying Practical Security in Your World
Summary (continued) • Defending against Web attacks is a two-fold process: • Configuration of browser softwareCustomized privacy and security settings • Proper procedures to minimize riskMany attacks are based on social engineering Security Awareness: Applying Practical Security in Your World
Summary (continued) • E-mail is a crucial business and personal tool, but is also a primary means of infection by viruses, worms, and other malicious code. • Attachments • Spam • Spoofing Security Awareness: Applying Practical Security in Your World
Summary (continued) • E-mail security solutions can be broken into two categories: • Technology-based • Antivirus software • Filters for attachments and spam • Procedure-based • Remember the risks and consistently follow “safe” procedures Security Awareness: Applying Practical Security in Your World