Download The Role of People in Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
Document related concepts
no text concepts found
Transcript 
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Web Components
Chapter 17
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Objectives
• Describe the functioning of the SSL/TLS protocol
suite.
• Explain web applications, plug-ins, and associated
security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that
present security concerns.
• Use cookies to maintain parameters between web
pages.
• Examine web-based application security issues.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Key Terms
•
•
•
•
•
•
•
© 2012
Active Server Pages (ASP)
ActiveX
ASP.NET
Buffer overflow
Code signing
Common Gateway Interface (CGI)
JAVA vulnerabilities
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Key Terms (continued)
•
•
•
•
•
•
© 2012
Cookies
File Transfer Protocol (FTP)
Hypertext Markup Language (HTML)
Internet Engineering Task Force (IETF)
Java
JavaScript
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Key Terms for Security+ Exam
• 4.1 Application Security
– Fuzzing
– Cross-site scripting
– Input and field validation
• 3.5 Application attacks
–
–
–
–
© 2012
SQL injection
Buffer overflow
Zero day
Cookies a security risk? (ever cookie)
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Current Web Components and
Concerns
• Security concerns can be grouped into
three main tasks:
• Securing a server that delivers content to users over
the Web.
• Securing the transport of information between users
and servers over the Web.
• Securing the user’s computer from attack over a web
connection.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Encryption (SSL and TLS)
• Secure Sockets Layer (SSL) is a general-purpose
protocol developed by Netscape for managing the
encryption of information being transmitted over the
Internet.
• Transport Layer Security (TLS) SSL and TLS are
essentially the same, although not interchangeable.
• Cryptographic methods are an ever-evolving field, and
because both parties must agree on an implementation
method, SSL/TLS has embraced an open, extensible,
and adaptable method to allow flexibility and strength.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Encryption (SSL and TLS)
Firefox SSL Cipher
Options
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
SSL/TLS Handshake
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Firefox
Certificate
Options
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Firefox Certificate Store
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
The Web (HTTP and HTTPS)
• HTTP is used for the transfer of
hyperlinked data over the Internet, from
web servers to browsers.
• When a secure connection is needed,
SSL/TLS is used and appears in the
address as https://.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
The Web (HTTP and HTTPS) (continued)
• High-assurance notification in IE 7
• High-assurance notification in Firefox
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
File Transfer (FTP and SFTP)
• FTP is a standard network protocol used
to exchange and manipulate files over a
TCP/IP based network.
• Secure FTP (SFTP) is used when
confidential transfer is required and
combines both the Secure Shell (SSH)
protocol and FTP.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Buffer Overflows
• The buffer overflow vulnerability is a
result of poor coding practices on the part
of software programmers.
• This occurs when an application can
accept more input than it has assigned
storage space, and the input data
overwrites other program areas.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Java
• Java is a computer language invented by Sun
Microsystems as an alternative to Microsoft’s
development languages (owned by Oracle now).
• Designed to be platform-independent
• Java offered a low learning curve and a way of
implementing programs across an enterprise.
• Although platform independence never fully materialized,
Java has found itself to be a leader in object-oriented
programming languages.
• Java can still perform malicious activities, and the fact
that many users falsely believe it is safe increases its
usefulness for attackers.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
JavaScript
• JavaScript is a scripting language developed to be
operated within a browser instance.
• The primary purpose is to enable features such as
validation of forms.
• Enterprising programmers found many other uses for
JavaScript, such as manipulating the browser history
files, now prohibited by design.
• JavaScript actually runs within the browser, and the
code is executed by the browser itself.
• This has led to compatibility problems.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
CGI & Server-Side Scripts
• Common Gateway Interface (CGI) is a method for
having a web server execute a program outside the
web server process, yet on the same server.
• Server-side scripting allows programs to be run
outside the web server and to return data to the web
server to be served to end users via a web page.
This is replacing CGI.
© 2012
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Cookies
• Cookies are small chunks of ASCII text
passed within an HTTP stream to store data
temporarily in a web browser instance.
• It a series of name-value pairs that is stored
in memory during a browser instance.
–
–
–
–
© 2012
Expires
Domain
Path
Secure
Principles of Computer Security:
CompTIA Security+
Security+® and Beyond, Third Edition
Chapter Summary
• Describe the functioning of the SSL/TLS protocol suite.
• Explain web applications, plug-ins, and associated
security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that
present security concerns.
• Use cookies to maintain parameters between web
pages.
• Examine web-based application security issues.
© 2012
Related documents
Chap10_R
Chap10_R
Pass4sure ct0
Pass4sure ct0
Lesson 3: WF Visual Studio Projects
Lesson 3: WF Visual Studio Projects
A+ Chapter 1 Technician Essentials and PC Anatomy_final
A+ Chapter 1 Technician Essentials and PC Anatomy_final
Authentication and Remote Access
Authentication and Remote Access
CompTIA, TECNA, and TechVoice Join CSBI
CompTIA, TECNA, and TechVoice Join CSBI
Principles of Computer Security
Principles of Computer Security
Infrastructure Security
Infrastructure Security
The Role of People in Security
The Role of People in Security
Courseware Outline
Courseware Outline
Network Security Fundamentals
Network Security Fundamentals
Types of Attacks - Digital Locker and Personal Web Space
Types of Attacks - Digital Locker and Personal Web Space
Principles of Computer Security
Principles of Computer Security
Quiz 2 Study Guide 1. Which of the following is not a basic building
Quiz 2 Study Guide 1. Which of the following is not a basic building
Resume - Trelco Limited Company
Resume - Trelco Limited Company
Web Application Security
Web Application Security
Programming
Programming
Panel: Security and the World Wide Web
Panel: Security and the World Wide Web
Certification Exam Objectives: SY0-401
Certification Exam Objectives: SY0-401
CompTIA Security (SY0-401)
CompTIA Security (SY0-401)
Certification Exam Objectives: N10-005
Certification Exam Objectives: N10-005
The Java Class Library
The Java Class Library