Chap 6: Web Security - IUP Personal Websites
Chapter 6: Web Security
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging

Protecting E-Mail Systems
• E-mail has replaced the fax machine as the primary communication tool for businesses
• It has also become a prime target of attackers and must be protected

How E-Mail Works
• Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
– Simple Mail Transfer Protocol (SMTP) handles outgoing mail
– Post Office Protocol (POP3 for the current version) handles incoming mail
• The SMTP server on most machines uses sendmail to do the actual sending; its queue is called the sendmail queue

How E-Mail Works (continued) (figure slide)

How E-Mail Works (continued)
• Sendmail tries to resend queued messages periodically (about every 15 minutes)
• Downloaded messages are erased from the POP3 server
• Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
• Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many of these problems
– E-mail remains on the e-mail server

How E-Mail Works (continued)
• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
• Non-text documents must be converted into text format before being transmitted
• Three bytes from the binary file are extracted and converted to four text characters

E-Mail Vulnerabilities
• Several e-mail vulnerabilities can be exploited by attackers:
– Malware
– Spam
– Hoaxes

Malware
• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice for two reasons:
– Because almost all Internet users have e-mail, it has the broadest base for attacks
– Malware can use e-mail to propagate itself

Malware (continued)
• A worm can enter a user's computer through an e-mail attachment and send itself to all users listed in the address book, or attach itself as a reply to all unread e-mail messages
• E-mail clients can be particularly susceptible to macro viruses
– A macro is a script that records the steps a user performs
– A macro virus uses macros to carry out malicious functions

Malware (continued)
• Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
– E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
• Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
• Procedures, including turning off ports and eliminating open mail relay servers, must be developed and enforced

Spam
• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)
• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
– 52% of users indicate spam has made them less trusting of e-mail in general
– 70% of users say spam has made being online unpleasant or annoying

Spam (continued)
• Filter e-mail at the edge of the network to prevent spam from entering the SMTP server
• Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian filtering
– The user divides e-mail messages received into two piles, spam and not-spam

Hoaxes
• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, they are almost impossible to filter
• The defense against hoaxes is to ignore them

Hoaxes (continued)
• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as someone else is sent to unsuspecting recipients

E-Mail Encryption
• Two technologies are used to protect e-mail messages as they are being transported:
– Secure/Multipurpose Internet Mail Extensions
– Pretty Good Privacy

Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
• Provides these features:
– Digital signatures
– Interoperability
– Message privacy
– Seamless integration
– Tamper detection

Pretty Good Privacy (PGP)
• Functions much like S/MIME by encrypting messages and applying digital signatures
• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
• First compresses the message
– Reduces patterns and enhances resistance to cryptanalysis
• Creates a session key (a one-time-only secret key)
– This key is a number generated from random movements of the mouse and keystrokes typed

Pretty Good Privacy (PGP) (continued)
• Uses a passphrase to encrypt the private key on the local computer
• Passphrase:
– A longer and more secure version of a password
– Typically composed of multiple words
– More secure against dictionary attacks

Pretty Good Privacy (PGP) (continued) (figure slide)

Examining World Wide Web Vulnerabilities
• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• SMTP relay attacks allow spammers to send thousands of e-mail messages to users
• Web programming tools provide another foothold for Web attacks
• Dynamic content can also be used by attackers
– Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)

JavaScript
• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user's computer
• The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter

JavaScript (continued)
• Several defense mechanisms prevent JavaScript programs from causing serious harm:
– JavaScript does not support certain capabilities
– JavaScript has no networking capabilities
• Other security concerns remain:
– JavaScript programs can capture and send user information without the user's knowledge or authorization
– JavaScript security is handled by restrictions within the Web browser

JavaScript (continued) (figure slide)
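Two of the e-mail slides above describe mechanics that are easier to see in code: the "three bytes become four text characters" conversion that MIME applies to binary attachments, and the policy of never opening attachments with the listed extensions (.bat, .ade, .usf, .exe, .pif). The following Python script is an added example written for this page; it is not code from the textbook. It implements the 3-to-4 encoding by hand (and can be checked against the standard library's base64 module), builds a constructed sample message with two constructed attachments, and then, from the receiving side, parses the MIME structure and reports which attachments a mail gateway should quarantine under that policy. The sender and recipient addresses, filenames and payload bytes are all constructed for the example.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Blocklist taken from the slide's list of extensions users should never open.
BLOCKED_EXTENSIONS = {".bat", ".ade", ".usf", ".exe", ".pif"}

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_encode_by_hand(data: bytes) -> str:
    """Encode bytes the way MIME does: every 3 input bytes become 4 text characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                               # 0, 1 or 2 bytes missing in the last group
        n = int.from_bytes(chunk + b"\x00" * pad, "big")   # one 24-bit group
        chars = [B64_ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # Missing input bytes are signalled with '=' instead of encoded characters.
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def build_sample_message(attachments) -> bytes:
    """Constructed sample e-mail (not from the page) carrying binary attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"        # constructed address
    msg["To"] = "recipient@example.com"       # constructed address
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached files.")
    for filename, payload in attachments:
        # Bytes content is base64-encoded by the email library, i.e. the 3-to-4 conversion above.
        msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


def attachment_payloads(raw: bytes) -> dict:
    """Parse a received message and return {filename: decoded bytes} for each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {}
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name is not None:
            result[name] = part.get_payload(decode=True)  # reverses the base64 text encoding
    return result


def blocked_attachments(raw: bytes) -> list:
    """Filenames whose final extension is on the blocklist (case-insensitive)."""
    found = []
    for name in attachment_payloads(raw):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


# Constructed sample attachments: a harmless document and an executable-named file.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4 constructed sample content"),
    ("setup.EXE", b"MZ\x90\x00 constructed sample content"),
]

if __name__ == "__main__":
    raw = build_sample_message(SAMPLE_ATTACHMENTS)
    print("hand-encoded 'Man':", base64_encode_by_hand(b"Man"))
    print("library-encoded 'Man':", base64.b64encode(b"Man").decode())
    print("attachments:", list(attachment_payloads(raw)))
    print("quarantine:", blocked_attachments(raw))
```

The gateway check looks only at the final extension, which is what the slide's policy describes; a production filter would also inspect the file's actual type, since a filename is attacker-controlled.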
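The Spam slides above say that a Bayesian filter starts from two piles the user has sorted, spam and not-spam. The Python class below is an added example, not code from the textbook, showing how those two piles become a classifier: it counts the words in each pile, smooths the counts so a word never seen in one pile does not force a probability of zero, and scores a new message by comparing the two likelihoods. The training messages are constructed for the example and the threshold of 0.5 is an assumption; a real deployment would train on thousands of messages and tune the threshold.

```python
import math
import re
from collections import Counter

LABELS = ("spam", "not-spam")


def tokenize(text: str) -> list:
    """Lower-case word tokens; the filter works on words, not on raw bytes."""
    return re.findall(r"[a-z0-9$']+", text.lower())


class BayesianFilter:
    """Naive Bayes text classifier trained from user-sorted spam / not-spam piles."""

    def __init__(self):
        self.word_counts = {label: Counter() for label in LABELS}
        self.message_counts = {label: 0 for label in LABELS}

    def train(self, text: str, label: str) -> None:
        self.word_counts[label].update(tokenize(text))
        self.message_counts[label] += 1

    def _log_score(self, tokens: list, label: str) -> float:
        # log P(label) + sum of log P(word | label), with add-one (Laplace) smoothing
        vocabulary = len(set(self.word_counts["spam"]) | set(self.word_counts["not-spam"]))
        total_words = sum(self.word_counts[label].values())
        prior = self.message_counts[label] / sum(self.message_counts.values())
        score = math.log(prior)
        for token in tokens:
            score += math.log((self.word_counts[label][token] + 1) / (total_words + vocabulary))
        return score

    def spam_probability(self, text: str) -> float:
        tokens = tokenize(text)
        log_spam = self._log_score(tokens, "spam")
        log_ham = self._log_score(tokens, "not-spam")
        # P(spam | text) = 1 / (1 + P(ham)/P(spam)), computed in log space to avoid underflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "not-spam"


# Constructed training piles (not real mail); a user would sort real messages this way.
SPAM_PILE = [
    "win a free prize now click here",
    "free money claim your prize today",
    "cheap pills buy now limited offer",
    "you have won a lottery claim free cash",
    "click here for a free offer",
]
NOT_SPAM_PILE = [
    "meeting agenda attached for tomorrow",
    "please review the quarterly report before the meeting",
    "lunch tomorrow at noon works for me",
    "the project schedule is attached please review",
    "can we move the meeting to thursday",
]


def build_filter() -> BayesianFilter:
    f = BayesianFilter()
    for text in SPAM_PILE:
        f.train(text, "spam")
    for text in NOT_SPAM_PILE:
        f.train(text, "not-spam")
    return f


if __name__ == "__main__":
    f = build_filter()
    for message in ("win a free prize now", "meeting agenda attached for tomorrow"):
        print(f"{f.spam_probability(message):.3f}  {f.classify(message):9s}  {message}")
```

Because the scores are products of many small per-word probabilities, the implementation sums logarithms and converts back only once; without that, a message of a few hundred words would underflow to zero in both piles and every message would look identical.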
Java Applet
• A separate program stored on a Web server and downloaded onto a user's computer along with HTML code
• Can also be made into hostile programs
• A sandbox is a defense against a hostile Java applet
– Surrounds the program and keeps it away from private data and other resources on the local computer
• Java applet programs should run within a sandbox

Java Applet (continued) (figure slide)

Java Applet (continued)
• Two types of Java applets:
– Unsigned Java applet: program that does not come from a trusted source
– Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
• The primary defense against Java applets is using the appropriate settings of the Web browser

Java Applet (continued) (figure slide)

ActiveX
• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies:
– Object Linking and Embedding (OLE)
– Component Object Model (COM)
• Not a programming language but a set of rules for how applications should share information

ActiveX (continued)
• ActiveX controls represent a specific way of implementing ActiveX
– Can perform many of the same functions as a Java applet, but do not run in a sandbox
– Have full access to the Windows operating system
• ActiveX controls are managed through Internet Explorer
• ActiveX controls should be set to the most restricted levels

ActiveX (continued) (figure slide)

Cookies
• Computer files that contain user-specific information
• The need for cookies is based on the Hypertext Transfer Protocol (HTTP)
• Instead of the Web server asking the user for this information each time they visit the site, the Web server stores that information in a file on the local computer
• Attackers often target cookies because they can contain sensitive information (usernames and other private information)

Cookies (continued)
• Can be used to determine which Web sites you view
• A first-party cookie is created by the Web site you are currently viewing
• Some Web sites attempt to access cookies they did not create
– If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
– This is known as a third-party cookie because it was not created by the Web site that attempts to access it

Common Gateway Interface (CGI)
• Set of rules that describes how a Web server communicates with other software on the server and vice versa
• Commonly used to allow a Web server to display information from a database on a Web page, or to let a user enter information through a Web form that is deposited in a database

Common Gateway Interface (CGI) (continued)
• CGI scripts create security risks
– Do not filter user input properly
– Can issue commands via Web URLs
• CGI security can be enhanced by:
– Properly configuring CGI
– Disabling unnecessary CGI scripts or programs
– Checking program code that uses CGI for any vulnerabilities

8.3 Naming Conventions
• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames to contain up to 256 characters
• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 "alias" filename for every long filename

8.3 Naming Conventions (continued)
• The 8.3 naming convention introduces a security vulnerability with some Web servers
– Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
• The solution is to disable creation of the 8.3 alias by making a change in the Windows registry database
– In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories

Securing Web Communications
• The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
• One implementation is Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• SSL protocol developed by Netscape to securely transmit documents over the Internet
– Uses a private key to encrypt data transferred over the SSL connection
– Version 2.0 is the most widely supported version
– Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
• The TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
– An extension of SSL; they are often referred to as SSL/TLS
• The SSL/TLS protocol is made up of two layers

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
• The TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
• FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
– Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)
• One common use of SSL is to secure Web HTTP communication between a browser and a Web server
– This version is "plain" HTTP sent over SSL/TLS and is named Hypertext Transport Protocol over SSL
• Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
• Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Securing Instant Messaging
• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
• Instant messaging (IM) is a complement to e-mail that overcomes this delay
– Allows the sender to enter short messages that the recipient sees and can respond to immediately

Securing Instant Messaging (continued)
• Some tasks that you can perform with IM:
– Chat
– Images
– Sounds
– Files
– Talk
– Streaming content

Securing Instant Messaging (continued)
• Steps to secure IM include:
– Keep the IM server within the organization's firewall and only permit users to send and receive messages with trusted internal workers
– Enable IM virus scanning
– Block all IM file transfers
– Encrypt messages

Summary
• Protecting basic communication systems is a key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a variety of attacks
• A Java applet is a separate program stored on the Web server and downloaded onto the user's computer along with the HTML code
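The CGI slides above list two risks, scripts that do not filter user input properly and scripts through which commands can be issued via Web URLs, and recommend checking CGI code for vulnerabilities. The Python CGI script below is an added example for this page, not code from the textbook, that shows what a reviewer looks for: a lookup script that takes a hostname from the query string. The unsafe pattern is kept only as an uncalled function for contrast; the hardened handler validates the parameter against a strict hostname grammar and passes it to the external program as a separate argument rather than through a shell, so no part of the URL is ever interpreted as a command. The `host` parameter name, the use of `nslookup` and the constructed query strings are assumptions of the example.

```python
import os
import re
import subprocess
from urllib.parse import parse_qs

# Strict hostname grammar: dot-separated labels of letters, digits and hyphens,
# no leading hyphen (so the value cannot be mistaken for a command-line option).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})*\.?$")


def vulnerable_lookup(host: str) -> str:
    """UNSAFE, shown for contrast only and never called: the URL parameter is
    spliced into a shell command line, so shell metacharacters in the request
    become additional commands run by the Web server's account."""
    return os.popen("nslookup " + host).read()


def is_valid_hostname(host: str) -> bool:
    """Allowlist validation: accept only what a hostname can legitimately contain."""
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def run_lookup(host: str) -> str:
    """Run the external program with an argument list; no shell is involved, so the
    value is passed through verbatim and cannot start a second command."""
    completed = subprocess.run(["nslookup", host], capture_output=True, text=True,
                               timeout=10, check=False)
    return completed.stdout


def handle_request(query_string: str, run=run_lookup):
    """Hardened CGI handler. Returns (status, body); 'run' is injectable for testing."""
    params = parse_qs(query_string)
    host = params.get("host", [""])[0]
    if not is_valid_hostname(host):
        # Reject rather than try to 'clean' the value: quoting is easy to get wrong.
        return 400, "Bad Request: 'host' must be a valid hostname"
    return 200, run(host)


def main() -> None:
    # Classic CGI: the Web server hands the URL's query string over in QUERY_STRING.
    status, body = handle_request(os.environ.get("QUERY_STRING", ""))
    print(f"Status: {status}")
    print("Content-Type: text/plain")
    print()
    print(body)


if __name__ == "__main__":
    main()
```

The test uses a fake runner so the check of the handler does not depend on network access; the constructed query `host=example.com%3Bid` decodes to `example.com;id`, which the validator rejects before any program is started.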
Summary (continued)
• ActiveX controls present serious security concerns because of the functions that a control can execute
• A cookie is a computer file that contains user-specific information
• CGI is a set of rules that describes how a Web server communicates with other software on the server
• The popularity of IM has made it a tool that many organizations are now using alongside e-mail