
Security Awareness:  Applying Practical Security in Your World, Second Edition


  1. Security Awareness:  Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security

  2. Objectives • Explain how the World Wide Web and e-mail work • List the types of Web and e-mail attacks • Describe how to set Web defenses using a browser • Identify the type of defenses that can be implemented in order to protect e-mail Security Awareness: Applying Practical Security in Your World, 2e

  3. How the Internet Works • World Wide Web (WWW) • Composed of Internet server computers that provide online information as documents linked to one another by hyperlinks • HTML (Hypertext Markup Language) • Allows Web authors to combine the following into a single document • Text, graphic images, audio, video, and hyperlinks


  5. How the Internet Works (continued) • Hypertext Transfer Protocol (HTTP) • Application-layer protocol that runs on top of Transmission Control Protocol/Internet Protocol (TCP/IP), not a subset of it: the browser sends a request and the server returns a response • Port numbers • Identify what program or service on the receiving computer is being requested; HTTP uses port 80 by default and HTTPS (HTTP over TLS) uses port 443


  7. E-Mail • Simple Mail Transfer Protocol (SMTP) • Handles outgoing mail and relays it between mail servers • Server “listens” for requests on port 25 (mail clients submitting new messages usually use port 587) • SMTP does not verify that a sender is entitled to the address it gives, which is why forged sender addresses are possible • Post Office Protocol (POP3) • Responsible for incoming mail: downloads messages from the server to the user’s computer, normally deleting the server copy • POP3 “listens” on port 110


  9. E-Mail (continued) • IMAP (Internet Message Access Protocol, or IMAP4; “listens” on port 143) • More advanced mail protocol • E-mail remains on the e-mail server and is not sent to the user’s local computer • Mail can be organized into folders on the mail server and read from any computer • E-mail attachments • Documents in a binary (nontext) format, encoded (MIME, usually Base64) so they can travel inside the text-only message and decoded again by the recipient’s mail client
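The server side of an SMTP session as a small state machine, driven by a constructed client transcript. This is an added example, not code from the textbook or its publisher: it shows the command sequence behind “server listens on port 25” (reply codes and commands as defined in RFC 5321, reduced to a subset) and, at the MAIL FROM step, why the protocol on its own cannot tell a forged sender from a real one. The server hostname and all addresses are made up.

```python
"""Minimal SMTP server-side dialogue, run in-process (no network)."""


class SmtpSession:
    """Server side of one SMTP session (subset of RFC 5321)."""

    def __init__(self, hostname="mail.example.test"):
        self.hostname = hostname          # assumed server name for the demo
        self.state = "connect"            # connect -> greeted -> mail -> rcpt -> data
        self.envelope = {"from": None, "to": [], "body": []}
        self.delivered = []               # messages accepted for delivery

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the server's reply to one client line (None while reading a body)."""
        if self.state == "data":
            if line == ".":               # lone dot terminates the message body
                self.delivered.append(dict(self.envelope))
                self.envelope = {"from": None, "to": [], "body": []}
                self.state = "greeted"
                return "250 OK: queued"
            self.envelope["body"].append(line)
            return None

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "greeted"
            return f"250 {self.hostname}"
        if verb == "MAIL":
            if self.state != "greeted":
                return "503 Bad sequence of commands"
            # Any syntactically valid address is accepted here. Nothing in the
            # protocol proves the client may use it: this is what spoofers exploit.
            self.envelope["from"] = arg.partition(":")[2].strip()
            self.state = "mail"
            return "250 OK"
        if verb == "RCPT":
            if self.state not in ("mail", "rcpt"):
                return "503 Bad sequence of commands"
            self.envelope["to"].append(arg.partition(":")[2].strip())
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA":
            if self.state != "rcpt":
                return "503 Bad sequence of commands"
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.state = "closed"
            return "221 Bye"
        return "500 Syntax error, command unrecognized"


def run_transcript(client_lines):
    """Feed client lines through a fresh session; return (server replies, session)."""
    session = SmtpSession()
    replies = [session.greeting()]
    for line in client_lines:
        reply = session.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies, session


# Constructed client side of a session, not a captured real exchange.
CLIENT_LINES = [
    "EHLO laptop.example.test",
    "MAIL FROM:<ceo@bank.example>",      # forged sender: the server cannot tell
    "RCPT TO:<victim@example.test>",
    "DATA",
    "Subject: Urgent wire transfer",
    "",
    "Please send the funds today.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, session = run_transcript(CLIENT_LINES)
    for reply in replies:
        print("S:", reply)
    print("queued message claims to be from", session.delivered[0]["from"])
```

The same shape of exchange, with different verbs, underlies POP3 and IMAP; what matters for the chapter is that the sender address in the envelope is whatever the client typed, so filters that trust a From: address (whitelists included) can be fooled unless something outside SMTP, such as SPF or DKIM checks, backs it up.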


  11. Internet Attacks • Repurposed Programming • Using programming tools in ways more harmful than originally intended • JavaScript • Scripting language used to make dynamic content • Special program code embedded into the HTML document and run by the browser’s own script engine • Despite the name, not based on the Java programming language; the two are unrelated apart from a similar syntax • Java Virtual Machine • Java interpreter that is used within the Web browser to execute Java applets (not JavaScript)


  13. Repurposed Programming • JavaScript programs • Run with the same access to the page as the site’s own scripts, so a malicious script can capture and send user information (form contents, cookies readable by script) without the user’s knowledge or authorization • Java applet • Compiled Java program stored on the Web server • Downloaded onto the user’s computer along with the HTML code • Can perform interactive animations or immediate calculations


  15. Java Applet • Sandbox • Restricted execution environment that denies an applet access to the local file system and to network hosts other than the server it came from; the defense against a hostile Java applet • Unsigned Java applet • Program that does not come from a trusted source; kept inside the sandbox • Signed Java applet • Has a digital signature that proves the program is from a trusted source and has not been altered; the user may then grant it access outside the sandbox • A valid signature proves origin and integrity, not that the code is harmless, and applets depend on a browser plug-in that current browsers no longer load
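How the “has not been altered” half of a signed applet is checked, as an added example in Python rather than anything from the textbook: a JAR is a ZIP archive whose META-INF/MANIFEST.MF lists a digest for every entry, and the publisher’s signature (the .SF and .RSA files, not reproduced here) covers that manifest. The applet entries and their bytes are constructed stand-ins; the example assumes the signature over the manifest has already been verified, so what remains is matching each entry against its recorded digest.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def digest_b64(data):
    """Base64 SHA-256 digest, the encoding JAR manifests use for entry digests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(entries):
    """Produce MANIFEST.MF text with a SHA-256-Digest line for every entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    return "\n".join(lines)


def parse_manifest(text):
    """Map entry name -> expected digest, read from manifest text."""
    expected, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            expected[name] = line[len("SHA-256-Digest: "):]
    return expected


def make_jar(entries, manifest_text):
    """Build an in-memory JAR (ZIP) from constructed entries plus the manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(MANIFEST, manifest_text)
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def replace_entry(jar_bytes, name, new_data):
    """Rewrite the JAR with one entry swapped and the manifest untouched (tampering)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for entry in src.namelist():
            dst.writestr(entry, new_data if entry == name else src.read(entry))
    return buf.getvalue()


def verify_jar(jar_bytes):
    """Return names of entries whose content does not match the signed manifest.

    An entry absent from the manifest is reported too: code the publisher never
    signed must not ride along with code they did.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        expected = parse_manifest(zf.read(MANIFEST).decode())
        return [name for name in zf.namelist()
                if name != MANIFEST and expected.get(name) != digest_b64(zf.read(name))]


# Constructed applet contents (stand-ins, not real class files).
APPLET = {
    "Applet.class": b"\xca\xfe\xba\xbe fake class bytes for the demo",
    "res/help.txt": b"Click the button to start.",
}
GOOD_JAR = make_jar(APPLET, build_manifest(APPLET))
TAMPERED_JAR = replace_entry(GOOD_JAR, "Applet.class", b"\xca\xfe\xba\xbe trojaned bytes")

if __name__ == "__main__":
    print("original:", verify_jar(GOOD_JAR) or "all entries match the manifest")
    print("tampered:", verify_jar(TAMPERED_JAR))
```

A clean result here means the archive is the one the publisher signed; it says nothing about what the code does once the user grants it access outside the sandbox, which is the caveat the slide’s “trusted source” wording needs.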

  16. ActiveX • Set of technologies developed by Microsoft • Set of rules for how programs should share information (software components that other programs, including the browser, can call) • Security concerns • An ActiveX control runs as native code with the full privileges of the logged-in user and no sandbox, so the user’s decision to allow installation rests entirely on the source of the control (its Authenticode signature) • A control is registered only once per computer and can afterwards be invoked by any Web page, not only the one that installed it • Nearly all ActiveX control security mechanisms are set in Internet Explorer; other browsers do not run ActiveX controls

  17. Cookies • Small text files stored on the user’s hard disk by the browser at the request of a Web server • Contain user-specific information • Rules of HTTP • HTTP is stateless: on its own it gives a Web site no way to tell whether a user has previously visited that site, and cookies are the mechanism that fills this gap (recognizing returning users, keeping a login session alive)

  18. Cookies (continued) • Cannot contain viruses and cannot by themselves read files or steal personal information • Only contain information the Web server chose to store (a session identifier, preferences, a tracking ID) • Can still pose a security risk: a cookie holding a session identifier is as good as a password to anyone who steals it, and tracking cookies reveal browsing habits to the site that set them • First-party cookie • Created by the Web site that a user is currently viewing • Third-party cookie • Created by a different site whose content (an advertisement, an image) is embedded in the page being viewed
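A small audit of Set-Cookie headers, added here as an example that is not part of the textbook: it decides whether a cookie is first- or third-party by comparing the cookie’s domain with the page the user is viewing (the domain-match rule of RFC 6265), and flags the attributes a session cookie needs to be worth less to a thief (Secure, HttpOnly, SameSite). The hostnames and headers are constructed, and the rule that a name containing “sess”, “token” or “auth” marks a credential cookie is an assumed heuristic.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True   # flag attrs -> True
    return name.strip(), value, attrs


def domain_matches(host, cookie_domain):
    """RFC 6265 domain match: host is the cookie domain or a subdomain of it."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit_cookie(page_url, response_url, header):
    """Classify a cookie as first- or third-party and flag weak attributes.

    page_url is the address the user is viewing; response_url is the resource
    whose response carried the Set-Cookie header (the page itself, or an image
    or script embedded from another site).
    """
    page_host = urlsplit(page_url).hostname
    response_host = urlsplit(response_url).hostname
    name, _, attrs = parse_set_cookie(header)

    cookie_domain = attrs.get("domain")
    if not isinstance(cookie_domain, str):          # no Domain attribute: host-only cookie
        cookie_domain = response_host
    party = "first" if domain_matches(page_host, cookie_domain) else "third"

    warnings = []
    # Assumed heuristic: these name fragments usually mark a credential cookie.
    credential = any(hint in name.lower() for hint in ("sess", "token", "auth"))
    if credential and attrs.get("secure") is not True:
        warnings.append("credential cookie without Secure: sent over plain HTTP")
    if credential and attrs.get("httponly") is not True:
        warnings.append("credential cookie without HttpOnly: readable by page scripts")
    if "samesite" not in attrs:
        warnings.append("no SameSite attribute: sent on cross-site requests")
    persistent = "expires" in attrs or "max-age" in attrs   # else gone when browser closes

    return {"name": name, "party": party, "persistent": persistent, "warnings": warnings}


# Constructed headers, not captured from any real site.
SAMPLES = [
    ("https://www.shop.test/cart", "https://www.shop.test/cart",
     "SESSIONID=9f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.shop.test/cart", "https://ads.tracker.test/pixel.gif",
     "uid=42; Domain=.tracker.test; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
    ("https://www.shop.test/cart", "https://www.shop.test/login",
     "auth_token=deadbeef; Path=/"),
]

if __name__ == "__main__":
    for page, response, header in SAMPLES:
        print(audit_cookie(page, response, header))
```

The second sample is the tracking case the slide warns about: a persistent cookie set by a site the user never typed, carried back to it from every page that embeds its pixel. The third shows a session cookie that is first-party and harmless in content, yet exposed to theft over plain HTTP and to any script that runs in the page.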

  19. Trojan Horse • Malicious program disguised as a legitimate program • Executable program that performs its action when the file is opened • May disguise itself by using a valid-looking filename and extension, for example a second extension such as .pdf.exe when the file manager hides the last one

  20. Redirecting Web Traffic • Typical mistakes users make when typing a Web address • Misspelling the address • Omitting the dot • Omitting a word • Using inappropriate punctuation • Hackers can • Register look-alike domain names (typosquatting) and exploit a misaddressed Web name by serving a copy of the real site • Steal information from unsuspecting users through social engineering
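The defender’s side of this slide, as an added example not drawn from the textbook: a generator for the look-alike names a user might type by making exactly the four mistakes listed (omitted dot, omitted character or word, adjacent-key or transposed misspelling, wrong punctuation or top-level domain), checked against a list of registered names. The keyboard-neighbour table and the “registered” set are constructed for the demo; in practice the set would come from a zone file or a certificate-transparency feed.

```python
# Subset of QWERTY neighbours used for fat-finger substitutions (constructed table).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
ALT_TLDS = ("com", "net", "org", "co", "cm", "om")


def typo_variants(domain):
    """Generate look-alike names a user might type instead of `domain`."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    variants.add("www" + domain)                              # omitted dot after www
    for i in range(len(label)):                               # omitted character
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    words = label.split("-")                                  # omitted word
    if len(words) > 1:
        for skip in range(len(words)):
            kept = "-".join(w for j, w in enumerate(words) if j != skip)
            variants.add(f"{kept}.{tld}")
    for i in range(len(label) - 1):                           # transposed neighbours
        variants.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for i, ch in enumerate(label):                            # adjacent-key substitution
        for neighbour in ADJACENT.get(ch, ""):
            variants.add(f"{label[:i]}{neighbour}{label[i + 1:]}.{tld}")
    for i in range(1, len(label)):                            # stray hyphen
        if label[i - 1] != "-" and label[i] != "-":
            variants.add(f"{label[:i]}-{label[i:]}.{tld}")
    for alt in ALT_TLDS:                                      # wrong or truncated TLD
        variants.add(f"{label}.{alt}")
    variants.discard(domain)
    return variants


def find_lookalikes(domain, registered):
    """Return the variants of `domain` that appear in `registered`, sorted."""
    return sorted(v for v in typo_variants(domain) if v in registered)


# Constructed stand-in for a zone file or certificate-transparency feed.
REGISTERED = {
    "example.com", "exmaple.com", "examlpe.com", "example.cm", "wwwexample.com",
    "www-example.com", "examp1e.com", "unrelated.net",
}

if __name__ == "__main__":
    print(len(typo_variants("example.com")), "candidate names")
    print(find_lookalikes("example.com", REGISTERED))
```

Two registered names in the sample, www-example.com and the digit-for-letter examp1e.com, are not generated by these four rules, which is the point to take away: a generator like this finds the common typos worth registering or monitoring, not every look-alike an attacker can invent.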

  21. Search Engine Scanning • Search engines • Important tools for locating information on the Internet • Attackers • Use the same search tools, with queries targeted at error pages, directory listings, or configuration files the search engine has indexed, to assess the security of Web servers before launching an attack


  23. E-mail Attacks • E-mail attachments • Preferred method of distributing viruses and worms • E-mail-distributed viruses • Use social engineering to trick recipients into opening the attached document • If the file attached to an e-mail message contains a virus • It is launched when the attachment is opened, running with the privileges of the user who opened it
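An attachment inspector for the tricks this slide and the Trojan horse slide describe, added here as an example rather than anything from the textbook: it parses a message with Python’s standard email package, then checks each attachment’s extension, looks for a document extension hiding an executable one, and compares the declared type with the file’s leading bytes. The message, the sender and the attachment contents are constructed test data; the executable-extension and magic-byte tables are short and not exhaustive.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute when double-clicked (constructed, not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
                         "wsf", "hta", "msi", "jar", "lnk"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Leading bytes of common formats (well-known signatures, short table for the demo).
MAGIC = ((b"MZ", "exe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole"))


def sniff(data):
    """Guess the real format from the leading bytes, ignoring the filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_attachment(filename, data, declared_type):
    """Flag executables, double extensions, and content that contradicts its label."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    findings = []
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        findings.append(f"double extension: looks like .{parts[-2]} but ends in .{ext}")
    if kind == "exe" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("content is a Windows executable (MZ header) despite the name")
    if declared_type == "application/pdf" and kind != "pdf":
        findings.append("declared application/pdf but content is not a PDF")
    return {"filename": filename, "sniffed": kind, "findings": findings}


def inspect_message(raw_bytes):
    """Parse a raw RFC 5322 message and inspect every attachment."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [
        inspect_attachment(part.get_filename() or "",
                           part.get_payload(decode=True) or b"",
                           part.get_content_type())
        for part in msg.iter_attachments()
    ]


def build_sample():
    """Construct a message with one disguised executable and one genuine PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.test"
    msg["To"] = "buyer@example.test"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find your invoice attached.")
    # Named and typed like a PDF, but the bytes start with a PE executable header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for result in inspect_message(build_sample()):
        print(result)
```

The first attachment trips all three checks at once; the second, a real PDF, trips none. None of this tells you whether the PDF itself carries an exploit, so the check complements rather than replaces the recipient questions listed under Procedures later in the chapter.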

  24. Spam • Unsolicited e-mail • Reduces work productivity • Spammers • Can overwhelm users with offers to buy merchandise or trick them into giving money away • U.S. Congress passed an anti-spam law in late 2003 • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM)


  28. Web Defenses through Browser Settings • IE settings that should be turned on • Do not save encrypted pages to disk (keeps content retrieved over HTTPS out of the browser cache) • Empty Temporary Internet Files folder when browser is closed • Warn if changing between secure and not secure mode (alerts the user when a page or form moves from HTTPS to plain HTTP)


  32. Security Zones • Internet • Contains all Web sites that have not been placed in any other zone • Local Intranet • Web pages from an organization’s internal Web site can be added to this zone

  33. Security Zones (continued) • Trusted Sites • Web sites that are trusted not to pose any harm to a computer can be placed here and receive fewer restrictions • Restricted Sites • Web sites considered to be potentially harmful can be placed here and receive the most restrictive settings


  35. Restricting Cookies • Privacy levels, from most to least restrictive • Block All Cookies • High • Medium High • Medium • Low • Accept All Cookies • The levels in between differ mainly in how they treat third-party cookies and cookies from sites that do not state a privacy policy


  37. E-Mail Defenses • Technology-based defenses • Level of junk e-mail protection • Blocked senders (addresses or domains whose mail is always rejected) • Blocked top-level domain list (rejects all mail from chosen country-code domains)


  40. Technology-Based Defenses • Whitelist • Names/addresses of those individuals from whom an e-mail message will always be accepted, bypassing the filter; because SMTP does not verify sender addresses, a forged From: address can abuse a whitelist • Bayesian filtering • Used by sophisticated e-mail filters: trained on samples of spam and legitimate mail, the filter computes from the words in a message the probability that it is spam and blocks messages above a chosen threshold
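Both defenses on this slide in working form, as an added example that is not the textbook’s material: a naive Bayesian filter trained on a constructed corpus of spam and legitimate messages, computing the spam probability from the words present in a message (with Laplace smoothing, in log space so tiny probabilities do not underflow), and a classifier in which a whitelisted sender bypasses the filter entirely. The messages, addresses and threshold are all made up for the demonstration.

```python
import math
import re


def tokenize(text):
    """Set of lower-case words present in a message (presence, not frequency)."""
    return set(re.findall(r"[a-z]+", text.lower()))


class BayesianFilter:
    """Naive Bayes spam classifier over word presence, with Laplace smoothing."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}          # messages seen per class
        self.words = {"spam": {}, "ham": {}}       # word -> messages containing it

    def train(self, text, label):
        self.docs[label] += 1
        counts = self.words[label]
        for word in tokenize(text):
            counts[word] = counts.get(word, 0) + 1

    def spam_probability(self, text):
        """P(spam | words in message), computed in log space to avoid underflow."""
        if not self.docs["spam"] or not self.docs["ham"]:
            raise ValueError("train on at least one spam and one ham message first")
        total = self.docs["spam"] + self.docs["ham"]
        log_p = {label: math.log(self.docs[label] / total) for label in ("spam", "ham")}
        for word in tokenize(text):
            for label in ("spam", "ham"):
                # Laplace smoothing: an unseen word counts as 1 of (docs + 2),
                # so no single word can drive a class probability to zero.
                p_word = (self.words[label].get(word, 0) + 1) / (self.docs[label] + 2)
                log_p[label] += math.log(p_word)
        top = max(log_p.values())                  # rescale before leaving log space
        spam, ham = (math.exp(log_p[label] - top) for label in ("spam", "ham"))
        return spam / (spam + ham)


def classify(sender, text, filt, whitelist, threshold=0.9):
    """Whitelist wins outright; otherwise compare the Bayesian score to the threshold."""
    if sender.lower() in whitelist:
        return "ham (whitelisted)"
    return "spam" if filt.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (tiny; a real filter learns from thousands of messages).
SPAM = [
    "Buy cheap meds online now, limited offer",
    "You have won a free prize, click now to claim",
    "Cheap mortgage offer, act now",
    "Free money, claim your prize today",
]
HAM = [
    "Meeting moved to 3pm, see attached agenda",
    "Can you review the patch before the release?",
    "Lunch tomorrow? The usual place",
    "Attached is the agenda for the project review",
]
WHITELIST = {"alice@example.test"}          # assumed trusted correspondent


def trained_filter():
    filt = BayesianFilter()
    for text in SPAM:
        filt.train(text, "spam")
    for text in HAM:
        filt.train(text, "ham")
    return filt


if __name__ == "__main__":
    filt = trained_filter()
    for sender, text in [("promo@deals.test", "Claim your free prize now"),
                         ("bob@example.test", "Please review the attached agenda"),
                         ("alice@example.test", "Claim your free prize now")]:
        score = filt.spam_probability(text)
        print(f"{sender:20} score={score:.3f} -> {classify(sender, text, filt, WHITELIST)}")
```

The third message is the whitelist caveat in action: word for word it scores as spam, but because the From: address is on the whitelist it is delivered, and nothing in SMTP stopped a spammer from putting that address there.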


  42. Procedures • Questions you should ask when you receive an e-mail with an attachment • Is the e-mail from someone that you know? • Have you received e-mail from this sender before? • Were you expecting an attachment from this sender?

  43. Summary • World Wide Web (WWW) • Composed of Internet server computers that provide online information in a specific format • E-mail systems • Use separate TCP/IP protocols to send (SMTP) and receive (POP3 or IMAP) messages • Repurposed programming • Using programming tools in ways more harmful than what they were intended for

  44. Summary (continued) • Cookie • Computer file that contains user-specific information • Spam, or unsolicited e-mail • Has a negative effect on work productivity • May be potentially dangerous • Properly configuring security settings on the Web browser • First line of defense against an Internet attack
