490 likes | 610 Views
Chapter 6: Web Security. Security+ Guide to Network Security Fundamentals Second Edition. Objectives. Protect e-mail systems List World Wide Web vulnerabilities Secure Web communications Secure instant messaging. Protecting E-Mail Systems.
E N D
Chapter 6: Web Security Security+ Guide to Network Security Fundamentals Second Edition
Objectives • Protect e-mail systems • List World Wide Web vulnerabilities • Secure Web communications • Secure instant messaging Security+ Guide to Network Security Fundamentals, 2e
Protecting E-Mail Systems • E-mail has replaced the fax machine as the primary communication tool for businesses • Has also become a prime target of attackers and must be protected Security+ Guide to Network Security Fundamentals, 2e
How E-Mail Works • Use two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages • Simple Mail Transfer Protocol (SMTP) handles outgoing mail • Post Office Protocol (POP3 for the current version) handles incoming mail • The SMTP server on most machines uses sendmail to do the actual sending; this queue is called the sendmail queue No authentication authentication is required Security+ Guide to Network Security Fundamentals, 2e
How E-Mail Works (continued) Security+ Guide to Network Security Fundamentals, 2e
How E-Mail Works (continued) • Sendmail tries to resend queued messages periodically (about every 15 minutes) • Downloaded messages are erased from POP3 server • Deleting retrieved messages from the mail server and storing them on a local computer make it difficult to manage messages from multiple computers • Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems • E-mail remains on the e-mail server • Tex or binary? Security+ Guide to Network Security Fundamentals, 2e
How E-Mail Works (continued) • E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures) • Non-text documents must be converted into text format before being transmitted • Three bytes from the binary file are extracted and converted to four text characters Security+ Guide to Network Security Fundamentals, 2e
E-Mail Vulnerabilities • Several e-mail vulnerabilities can be exploited by attackers: • Malware • Spam • Hoaxes Security+ Guide to Network Security Fundamentals, 2e
Malware • Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware • E-mail is the malware transport mechanism of choice for two reasons: • Because almost all Internet users have e-mail, it has the broadest base for attacks • Malware can use e-mail to propagate itself Security+ Guide to Network Security Fundamentals, 2e
Malware (continued) • A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages • E-mail clients can be particularly susceptible to macro viruses • A macro is a script that records the steps a user performs • A macro virus uses macros to carry out malicious functions Security+ Guide to Network Security Fundamentals, 2e
Malware (continued) • Users must be educated about how malware can enter a system through e-mail and proper policies must be enacted to reduce risk of infection • E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif • Use the security hole to infect targets (VBS.BubbleBoy) • Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail • Procedures including turning off ports and eliminating open mail relay servers must be developed and enforced Security+ Guide to Network Security Fundamentals, 2e
Spam • The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge • The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003 • Taiwan also has a draft for anti-SPAM in 2009 Security+ Guide to Network Security Fundamentals, 2e
Spam (continued) • According to a Pew memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam • Spam is having a negative impact on e-mail users: • 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail • 52% of users indicate spam has made them less trusting of e-mail in general • 70% of users say spam has made being online unpleasant or annoying Security+ Guide to Network Security Fundamentals, 2e
Spam (continued) • Filter e-mails at the edge of the network to prevent spam from entering the SMTP server • Use a backlist of spammers to block any e-mail that originates from their e-mail addresses • Sophisticated e-mail filters can use Bayesian filtering • User divides e-mail messages received into two piles, spam and not-spam Security+ Guide to Network Security Fundamentals, 2e
Hoaxes • E-mail messages that contain false warnings or fraudulent offerings • Unlike spam, are almost impossible to filter • Defense against hoaxes is to ignore them Security+ Guide to Network Security Fundamentals, 2e
Hoaxes (continued) • Any e-mail message that appears as though it could not be true probably is not • E-mail phishing is also a growing practice • A message that falsely identifies the sender as someone else is sent to unsuspecting recipients Security+ Guide to Network Security Fundamentals, 2e
E-Mail Encryption • Two technologies used to protect e-mail messages as they are being transported: • Secure/Multipurpose Internet Mail Extensions • Pretty Good Privacy Security+ Guide to Network Security Fundamentals, 2e
Secure/Multipurpose Internet Mail Extensions (S/MIME) • Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages • Provides these features: • Digital signatures – Interoperability • Message privacy – Seamless integration • Tamper detection Security+ Guide to Network Security Fundamentals, 2e
Pretty Good Privacy (PGP) • Functions much like S/MIME by encrypting messages using digital signatures • A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents • First compresses the message • Reduces patterns and enhances resistance to cryptanalysis • Creates a session key (a one-time-only secret key) • This key is a number generated from random movements of the mouse and keystrokes typed (not use system time as seed) Security+ Guide to Network Security Fundamentals, 2e
Pretty Good Privacy (PGP) (continued) • Uses a passphrase to encrypt the private key on the local computer • Passphrase: • A longer and more secure version of a password • Typically composed of multiple words • More secure against dictionary attacks Security+ Guide to Network Security Fundamentals, 2e
Pretty Good Privacy (PGP) (continued) Security+ Guide to Network Security Fundamentals, 2e
Examining World Wide Web Vulnerabilities • Buffer overflow attacks are common ways to gain unauthorized access to Web servers • SMTP relay attacks allow spammers to send thousands of e-mail messages to users • Web programming tools provide another foothold for Web attacks • Dynamic content can also be used by attackers • Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended) Security+ Guide to Network Security Fundamentals, 2e
JavaScript • Popular technology used to make dynamic content • When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer • The Web browser then executes that code within the browser using the Virtual Machine (VM)―a Java interpreter Security+ Guide to Network Security Fundamentals, 2e
JavaScript (continued) • Several defense mechanisms prevent JavaScript programs from causing serious harm: • JavaScript does not support certain capabilities • JavaScript has no networking capabilities • Other security concerns remain: • JavaScript programs can capture and send user information without the user’s knowledge or authorization • JavaScript security is handled by restrictions within the Web browser Security+ Guide to Network Security Fundamentals, 2e
JavaScript (continued) Security+ Guide to Network Security Fundamentals, 2e
Java Applet • A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code • Can also be made into hostile programs • Sandbox is a defense against a hostile Java applet • Surrounds program and keeps it away from private data and other resources on a local computer • Java applet programs should run within a sandbox Security+ Guide to Network Security Fundamentals, 2e
Java Applet (continued) Security+ Guide to Network Security Fundamentals, 2e
Java Applet (continued) • Two types of Java applets: • Unsigned Java applet: program that does not come from a trusted source • Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered • The primary defense against Java applets is using the appropriate settings of the Web browser Security+ Guide to Network Security Fundamentals, 2e
Java Applet (continued) Security+ Guide to Network Security Fundamentals, 2e
ActiveX • Set of technologies developed by Microsoft • Outgrowth of two other Microsoft technologies: • Object Linking and Embedding (OLE) • Component Object Model (COM) • Not a programming language but a set of rules for how applications should share information Security+ Guide to Network Security Fundamentals, 2e
ActiveX (continued) • ActiveX controls represent a specific way of implementing ActiveX • Can perform many of the same functions of a Java applet, but do not run in a sandbox • Have full access to Windows operating system • ActiveX controls are managed through Internet Explorer • ActiveX controls should be set to most restricted levels Security+ Guide to Network Security Fundamentals, 2e
ActiveX (continued) Security+ Guide to Network Security Fundamentals, 2e
Cookies • Computer files that contains user-specific information • Need for cookies is based on Hypertext Transfer Protocol (HTTP) • Instead of the Web server asking the user for this information each time they visits that site, the Web server stores that information in a file on the local computer • Attackers often target cookies because they can contain sensitive information (usernames and other private information) Security+ Guide to Network Security Fundamentals, 2e
Cookies (continued) • Can be used to determine which Web sites you view • First-party cookie is created from the Web site you are currently viewing • Some Web sites attempt to access cookies they did not create • If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive • Now known as a third-party cookie because it was not created by Web site that attempts to access the cookie Security+ Guide to Network Security Fundamentals, 2e
Common Gateway Interface (CGI) • Set of rules that describes how a Web server communicates with other software on the server and vice versa • Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database Security+ Guide to Network Security Fundamentals, 2e
Common Gateway Interface (CGI) (continued) • CGI scripts create security risks • Do not filter user input properly • Can issue commands via Web URLs • CGI security can be enhanced by: • Properly configuring CGI • Disabling unnecessary CGI scripts or programs • Checking program code that uses CGI for any vulnerabilities Security+ Guide to Network Security Fundamentals, 2e
83 Naming Conventions • Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc) • Called the 8.3 naming convention • Recent versions of Windows allow filenames to contain up to 256 characters • To maintain backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename Security+ Guide to Network Security Fundamentals, 2e
83 Naming Conventions (continued) • The 8.3 naming convention introduces a security vulnerability with some Web servers • Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename • Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database • In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories Security+ Guide to Network Security Fundamentals, 2e
Securing Web Communications • Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol • One implementation is the Hypertext Transport Protocol over Secure Sockets Layer Security+ Guide to Network Security Fundamentals, 2e
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) • SSL protocol developed by Netscape to securely transmit documents over the Internet • Uses private key to encrypt data transferred over the SSL connection • Version 20 is most widely supported version • Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL Security+ Guide to Network Security Fundamentals, 2e
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued) • TLS protocol guarantees privacy and data integrity between applications communicating over the Internet • An extension of SSL; they are often referred to as SSL/TLS • SSL/TLS protocol is made up of two layers Security+ Guide to Network Security Fundamentals, 2e
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued) • TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted • FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture • Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems Security+ Guide to Network Security Fundamentals, 2e
Secure Hypertext Transport Protocol (HTTPS) • One common use of SSL is to secure Web HTTP communication between a browser and a Web server • This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL • Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it • Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent security, HTTPS is designed to transmit individual messages securely Security+ Guide to Network Security Fundamentals, 2e
Securing Instant Messaging • Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account • Instant messaging (IM) is a complement to e-mail that overcomes these • Allows sender to enter short messages that the recipient sees and can respond to immediately Security+ Guide to Network Security Fundamentals, 2e
Securing Instant Messaging (continued) • Some tasks that you can perform with IM: • Chat • Images • Sounds • Files • Talk • Streaming content Security+ Guide to Network Security Fundamentals, 2e
Securing Instant Messaging (continued) • Steps to secure IM include: • Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers • Enable IM virus scanning • Block all IM file transfers • Encrypt messages Security+ Guide to Network Security Fundamentals, 2e
Summary • Protecting basic communication systems is a key to resisting attacks • E-mail attacks can be malware, spam, or hoaxes • Web vulnerabilities can open systems up to a variety of attacks • A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code Security+ Guide to Network Security Fundamentals, 2e
Summary (continued) • ActiveX controls present serious security concerns because of the functions that a control can execute • A cookie is a computer file that contains user-specific information • CGI is a set of rules that describe how a Web server communicates with other software on the server • The popularity of IM has made this a tool that many organizations are now using with e-mail Security+ Guide to Network Security Fundamentals, 2e
Homework 6 • Find 5 web vulnerabilities and the exploits for that • Give your possible countermeasures for the threats you found • Mail me your report with the description of vulnerabilities, the exploits, and your possible countermeasures • Due 11/2 Security+ Guide to Network Security Fundamentals, 2e