The Internet
8th Edition
Tutorial 7
Security on the Internet and the Web
Objectives
• Explore the basics of security: secrecy, integrity, and necessity
• Find out what hackers and crackers can do and why they do it
• Learn about the dangers of online crime, warfare, and terrorism
• Investigate how to protect copyrighted materials that are published on the Internet
New Perspectives on the Internet, 8th Edition
• Understand Web client threats and countermeasures
• Learn about online communication channel threats and countermeasures
• Learn about Web server threats and countermeasures
• Find out how to get more information and current updates about online security
Understanding Security Basics: Secrecy, Integrity, and Necessity
• Security is broadly defined as the protection of assets from unauthorized access, use, alteration, or destruction
• Physical security includes tangible protection devices, such as locks, alarms, fireproof doors, security fences, safes or vaults, and bombproof buildings
• Protection of assets using nonphysical means, such as password protection, is called logical security
• The use of logical security techniques to protect data stored on computers is sometimes called computer security
• Any act or object that endangers an asset is known as a threat
• A countermeasure is a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat
• Risk management model
• A secrecy threat permits unauthorized data disclosure or undermines the authenticity of the data’s source
• An integrity threat permits unauthorized data modification
• A necessity threat permits data delays (slowing down the transmission of data) or denials (preventing data from getting to its destination)
• Encryption is the process of coding information using a mathematical algorithm to produce a string of characters that is unreadable. Some algorithms consist of a procedure alone; others combine a procedure with a key
• A key is a fact that the encryption algorithm uses as part of its encryption procedure
• The process of using a key to reverse encrypted text is called decryption
• Encrypted information is called cipher text, whereas unencrypted information is called plain text
• Private-key encryption (also called symmetric encryption) uses a single key that both the sender and receiver know
• With public-key encryption (also called asymmetric encryption), a person has a private key that is secret and a public key that is shared with other users
• Public-key encryption uses a public key known to everyone and a private or secret key known only to one person involved in the exchange
• An algorithm is a formula or set of steps to solve a particular problem
• In a man-in-the-middle exploit, the contents of an email are often changed in a way that negates the message’s original meaning
• The term virus has come to mean any program that attempts to disguise its true function
• A Trojan horse is a potentially harmful program hidden inside another program
• A variation of a virus is a worm, a self-replicating program that is usually hidden within another file and then sent as an email attachment
• Many viruses can send you an email that includes the name of someone you know in the message’s From line, a tactic called spoofing
• The most common necessity attack, called a packet flooding attack or a denial of service (DoS) attack, occurs when an attacker bombards a server or other computer with so many messages that the network’s bandwidth resources are consumed
• In a distributed denial of service (DDoS) attack, the perpetrator uses a large number of computers that each launch a DoS attack on one Web server at the same time
Online Crime, Warfare, and Terrorism
• A cracker is a technologically skilled person who uses his or her skills to obtain unauthorized entry into computers or networks of computers
• Some computer professionals use the terms white hat hacker and black hat hacker to distinguish between those who use their skills for good and those who use their talents to commit illegal acts
• Called computer forensics experts or ethical hackers, computer sleuths are hired to probe computers and locate information that can be used in legal proceedings
• The nature and degree of personal information that Web sites can record when collecting information about visitors’ page viewing habits, product selections, and demographic information can threaten the privacy of those visitors
• In recent years, many companies have made headlines because they released or lost control of confidential information about customers, employees, and vendors without the permission of those individuals
• If a perpetrator can gather enough information, he or she can steal a person’s entire credit record. In this type of crime, called identity theft, the perpetrator can use the victim’s personal information to open bank accounts, obtain new credit cards, and buy expensive goods on credit, often damaging the victim’s credit rating in addition to racking up charges
• A company becomes the victim of a criminal extortionist when a perpetrator threatens to launch DoS attacks against a target unless the target pays a “fee”
• Other types of online crime:
– Organized crime or racketeering
– Industrial espionage
Copyright and Intellectual Property Threats and Countermeasures
• A digital watermark is a digital pattern containing copyright information that is inserted into a digital image, animation, or audio or video file
• Steganography is a process that hides encrypted messages within different types of files
Web Client Security
• One of the most dangerous entry points for denial of service threats comes from programs that travel with applications to a browser and execute on the user’s computer; such programs are often called active content
• ActiveX components are Microsoft’s technology for writing small applications that perform some action in Web pages; these components have access to a computer’s file system
• Internet Explorer maintains a list of known developers and examines the digital certificate on any ActiveX control before it is downloaded to determine if it is a signed ActiveX control
• In most cases, Web sites that use and store cookies do so to enhance your Web browsing experience, and most cookies are safe
• A cookie is not a program, and it can only store information that you provide to the Web site that creates it
• A Web bug is a small, hidden graphic on a Web page or in an email message that is designed to work in conjunction with a cookie to obtain information about the person viewing the page or email message and to send that information to a third party
• Adware is a general category of software that includes advertisements to help pay for the product in which they appear
• Spyware works much like adware except that the user has no control over or knowledge of the ads and other monitoring features the ads contain
• A firewall is a software program or hardware device that controls access between two networks
Communication Channel Security
• Authentication is a general term for the process of verifying the identity of a person or a Web site
• A digital certificate is an encrypted and password-protected file that contains sufficient information to authenticate and prove a person’s or organization’s identity
• Usually, a digital certificate contains the following information:
– The certificate holder’s name, address, and email address
– A key that “unlocks” the digital certificate, thereby verifying the certificate’s authenticity
– The certificate’s expiration date or validity period
– Verification from a trusted third party, called a certificate authority (CA), that authenticates the certificate holder’s identity and issues the digital certificate
• There are two types of digital certificates. Individuals can purchase one type called a digital ID (also called a personal certificate)
• Phishing is difficult to prevent because it involves phony email messages that include links to spoofed Web sites
Web Server Security
• A server certificate (sometimes called an SSL Web server certificate) authenticates a Web site so site visitors can be confident that the Web site is genuine and not an impostor
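The public-key slides earlier (a private key kept secret, a public key shared with everyone) and the certificate slides above (holder, key, validity period, and a CA's signature) can be tied together in one added example that is not from the textbook: a textbook-sized RSA key pair for Alice, and a second pair for a CA that signs and verifies a certificate for Alice's public key. The primes (61, 53 and 67, 71) are far too small for real use, and the holder name, the expiry date and the digest construction are constructed assumptions.

```python
import hashlib
from datetime import date

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) from two primes and a public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # private exponent: e * d is 1 modulo phi
    return (e, n), (d, n)

def rsa_apply(key, m):
    """Raw RSA: modular exponentiation with either half of the key pair."""
    exponent, n = key
    return pow(m, exponent, n)

# Alice's key pair: the public half is shared with everyone, the private half stays secret.
ALICE_PUB, ALICE_PRIV = make_keypair(61, 53, 17)    # toy numbers: n = 3233, d = 2753

def encrypt_to_alice(m):
    """A sender needs only Alice's PUBLIC key (asymmetric encryption); m must be < n."""
    return rsa_apply(ALICE_PUB, m)

def alice_decrypt(c):
    """Only the holder of the PRIVATE key can turn the cipher text back into plain text."""
    return rsa_apply(ALICE_PRIV, c)

# A certificate authority (CA) key pair, used to sign certificates rather than to encrypt.
CA_PUB, CA_PRIV = make_keypair(67, 71, 13)          # toy numbers: n = 4757

def cert_digest(holder, public_key, expires, modulus):
    """Digest of the certificate fields, reduced so it fits the toy modulus (constructed scheme)."""
    data = f"{holder}|{public_key[0]}|{public_key[1]}|{expires.isoformat()}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def issue_certificate(holder, public_key, expires):
    """The CA signs the digest with its PRIVATE key: the trusted third party's verification."""
    digest = cert_digest(holder, public_key, expires, CA_PUB[1])
    return {"holder": holder, "public_key": public_key, "expires": expires,
            "signature": rsa_apply(CA_PRIV, digest)}

def verify_certificate(cert, today):
    """Anyone holding the CA's PUBLIC key can check the signature and the validity period."""
    expected = cert_digest(cert["holder"], cert["public_key"], cert["expires"], CA_PUB[1])
    signature_ok = rsa_apply(CA_PUB, cert["signature"]) == expected
    return signature_ok and today <= cert["expires"]

# Constructed sample certificate for Alice's public key, valid until the start of 2030.
EXAMPLE_CERT = issue_certificate("alice@example.com", ALICE_PUB, date(2030, 1, 1))
```

Changing any field of EXAMPLE_CERT, or checking it after its expiry date, makes verify_certificate return False, which is the check a browser performs on a server certificate before trusting the site.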
• User identification is the process of identifying yourself to a computer
• Most computer systems implement user identification with user names and passwords; the combination of a user name and password is sometimes called a login
• To help keep track of their login information for different computers and Web sites, some people use a program called a password manager, which stores login information in an encrypted form on their computers
• A brute force attack occurs when a cracker uses a program to enter character combinations until the system accepts a user name and password, thereby gaining access to the system
• User authentication is the process of associating a person and his or her identification with a very high level of assurance
• The combination of user login plus password is called single-factor authentication because it uses one factor
• Multifactor authentication relies on more than one factor
• Multiple layers of control can be implemented by using more than one authentication method
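As an added example (not from the textbook) of the countermeasure side of the brute force and single-factor slides above: a login check that stores salted password hashes instead of passwords and throttles an account after repeated failures, so a program cycling through character combinations is slowed down and leaves a visible trail of refusals. The attempt limit, lockout window and the sample account are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5        # failed attempts allowed before the account is throttled (assumed)
LOCKOUT_SECONDS = 300   # how long the throttle lasts after the last failure (assumed)

def hash_password(password, salt=None, rounds=100_000):
    """Salted PBKDF2 hash; the server stores this, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

class LoginService:
    """Single-factor (user name + password) login with a per-account lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so the lockout window can be tested
        self.users = {}             # username -> (salt, digest)
        self.failures = {}          # username -> (failure count, time of last failure)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'; a burst of 'denied'/'locked' is the signal to alert on."""
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILURES and self.clock() - last < LOCKOUT_SECONDS:
            return "locked"         # refuse even a correct password while throttled
        salt, stored = self.users.get(username, (os.urandom(16), b""))
        _, candidate = hash_password(password, salt)   # hash even for unknown users
        if stored and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)           # success resets the counter
            return "ok"
        self.failures[username] = (count + 1, self.clock())
        return "denied"

if __name__ == "__main__":
    service = LoginService()
    service.register("alice", "correct horse battery staple")   # constructed sample account
    for guess in ["a", "b", "c", "d", "e", "correct horse battery staple"]:
        print(guess, "->", service.login("alice", guess))
```

The sixth attempt is refused even though the password is right, because the lockout is keyed on the account rather than on the guess.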
• The Secure Sockets Layer (SSL) was the first widely used protocol for establishing secure, encrypted connections between Web browsers and Web servers on the Internet
Staying Current with Internet and Web Security
• The CERT Coordination Center is a federally funded research center operated by the Software Engineering Institute at Carnegie Mellon University
• The primary goal of the CERT Coordination Center is to publish alerts, advisories, and vulnerability reports about current and future Internet security problems it detects and to coordinate communication between software experts
Summary
• The basics of security: secrecy, integrity, and necessity
• What hackers and crackers can do and why they do it
• The dangers of online crime, warfare, and terrorism
• How to protect copyrighted materials that are published on the Internet
• Web client threats and countermeasures
• Online communication channel threats and countermeasures
• Web server threats and countermeasures
• How to get more information and updates about online security