Security Awareness: Applying Practical Security in Your World

1
Security Awareness Applying Practical Security
in Your World

• Chapter 4 Internet Security

2
Objectives

• List the risks associated with using the World
  Wide Web, and describe the preventive measures
  that can be used to minimize Web attacks.
• List the vulnerabilities associated with using
  e-mail, and explain procedures and technologies
  that can be used to protect e-mail.

3
Internet Security

• The Internet has changed the way we live and work
  in a very short amount of time.
• There is a dark side to the Internet it has
  opened the door to attacks on any computer
  connected to it.
• There are methods to minimize the risks of using
  the Internet and e-mail.

4
The World Wide Web

• Internet ? Worldwide interconnection of computers
• World Wide Web (WWW) ? Internet server computers
  that provide online information in a specified
  format
• Hypertext Markup Language (HTML) ? Specifies how
  a browser should display elements on a users
  screen (See Figure 4-1)
• Hypertext Transport Protocol (HTTP) ? Set of
  standards that Web servers use to distribute HTML
  documents (See Figure 4-2)

5
The World Wide Web (continued)
6
The World Wide Web (continued)
7
Repurposed Programming

• Repurposed programming ? Using programming tools
  in harmful ways other than what they were
  originally intended to do
• Static content ? Information that does not change
• Dynamic content ? Content that can change
• Tools that can be used for repurposed
  programming JavaScript Java Applets
  ActiveX Controls

8
Web Attacks

• Web attack ? An attack launched against a
  computer through the Web
• Broadband connections ? A type of Internet
  connection that allows users to connect at much
  faster speeds than older dial-up technologies
• Result More attacks against home computers
• Three categories of attacks Repurposed
  programming Snooping Redirected Web traffic

9
JavaScript

• JavaScript ? Special program code embedded in an
  HTML document
• Web site using JavaScript accessed ? HTML
  document downloaded ? JavaScript code executed
  by the browser (See Figure 4-3)
• Some browsers have security weaknesses

10
JavaScript (continued)
11
Java Applet

• Java applet ? A program downloaded from the Web
  server separately from the HTML document
• Stored on the Web server and downloaded along
  with the HTML code when the page is accessed
  (See Figure 4-4)
• Processes users requests on the local computer
  rather than transmitting back to the Web server

12
Java Applet (continued)

• Security sandbox
• Unsigned Java applets ? Untrusted source (See
  Figure 4-5)
• Signed Java applets ? Digital signature proving
  trusted source

13
Java Applet (continued)
14
Java Applet (continued)
15
ActiveX Controls

• ActiveX controls ? An advanced technology that
  allows software components to interact with
  different applications
• Two risks
• Macros
• ActiveX security relies on human judgment
• Digital signatures
• Users may routinely grant permission for any
  ActiveX program to run

16
Snooping

• One of dynamic contents strengths is its ability
  to receive input from the user and perform
  actions based on it (See Figure 4-6)
• Providing information to a Web site carries risk
• Internet transmissions are not normally encrypted
• Information entered can be viewed by unauthorized
  users
• Types of snooping Spyware Misusing Cookies

17
Snooping (continued)
18
Snooping (Continued)

• Cookies ? A computer file that contains
  user-specific information
• Stores information given to a Web site and reuses
  it
• Can pose a security risk
• Hackers target cookies to retrieve sensitive
  information
• Cookies can be used to determine what Web pages
  you are viewing
• Some personal information is left on Web sites by
  the browser
• Makes tracking Internet usage easier

19
Redirecting Web Traffic

• Mistakes can be made when typing an address into
  a browser
• Usually mistakes result in error messages (See
  Figure 4-7)
• Hackers can exploit misaddressed Web names to
  steal information using social engineering
• Two approachesPhishing Registering
  similar-sounding domain names

20
Redirecting Web Traffic (continued)
21
Web Security Through Browser Settings

• Web browser security and privacy settings can
  be customized
• Internet Options
• General Security
• Privacy Content
• Advanced Tab

22
Web Security Through Browser Settings (continued)
Figure 4-9 Security Settings on the Advanced Tab
23
Web Security Through Browser Settings (continued)

• Alert the User to the Type of Transaction
• Warn if changing between secure and not secure
  mode

24
Web Security Through Browser Settings (continued)

• Hypertext Transfer Protocol over Secure Sockets
  Layer (HTTPS) ? Encrypts and decrypts the data
  sent

25
Web Security Through Browser Settings (continued)

• Know Whats Happening with the Cache
• Do not save encrypted pages to disk
• Empty Temporary Internet Files when browser is
  closed
• Cache ? Temporary storage area on the hard disk

26
Web Security Through Browser Settings (continued)

• Know the Options on the General Tab
• Temporary Internet files
• Delete Cookies
• Delete Files
• History

27
Web Security Through Browser Settings (continued)

• Security Zones and the Security Tab
• Predefined security zonesInternet Local
  IntranetTrusted sites Restricted sites

28
Web Security Through Browser Settings (continued)

• Security Zones and the Security Tab
• Security levels canbe customized by clicking
  the Custom Level button to display the Security
  Settings page

29
Web Security Through Browser Settings (continued)

• Using the Privacy tab
• Divided into two parts
• Privacy level settings
• Cookie handlingFirst-party Third-party

30
Web Security Through Browser Settings (continued)

• Placing Restrictions on the Content Page
• Control type of content the browser will
  display
• Content Advisor
• Certificates
• Publishers

31
Web Security Through Appropriate Procedures

• Do not accept any unsigned Java applets unless
  you are sure of the source
• Disable or restrict macros from opening or
  running automatically
• Disable ActiveX and JavaScript.
• Install anti-spyware and antivirus software and
  keep it updated

32
Web Security Procedures (continued)

• Regularly install any critical operating system
  updates.
• Block all cookies
• Never respond to an e-mail that asks you to click
  on a link to verify your personal information.
• Check spelling to be sure you are viewing the
  real site.

33
Web Security Procedures (continued)

• Turn on all security settings under the Advanced
  tab.
• Keep your cache clear of temporary files and
  cookies.
• Use the security zones feature.

34
E-Mail

• E-mail is a double-edged sword
• Essential for business and personal
  communications
• Primary vehicle for malicious code

35
Vulnerabilities of E-Mail

• Three major areasAttachments Spam
  Spoofing

36
Vulnerabilities of E-Mail (continued)

• Attachments ? Documents, spreadsheets,
  photographs and anything else added to an e-mail
  message
• Can open the door for viruses and worms to infect
  a system
• Malicious code can execute when the attachment is
  opened
• Code can then forward itself and continue to
  spread

37
Vulnerabilities of E-Mail (continued)

• Spam ? Unsolicited e-mail messages
• Usually regarded as just a nuisance, but can
  contain malicious code
• To cut down on spam
• Never reply to spam that says Click here to
  unsubscribe
• Set up an e-mail account to use when filling out
  Web forms
• Do not purchase items advertised through spam
• Ask your ISP or network manager to install
  spam-filtering hardware or software

38
Vulnerabilities of E-Mail (continued)

• E-mail Spoofing ? A message falsely identifying
  the sender as someone else
• Senders address appears to be legitimate, so the
  recipient trusts the source and does what is asked

39
Solutions

• Technology-based solutions
• Antivirus software installed and regularly
  updated
• E-mail filters
• File extension filters
• Junk e-mail option Figure 4-17 ?
• Separate filtering software working in
  conjunction with the e-mail software

40
Solutions (continued)

• Procedure-Based Solutions
• Remember that e-mail is the number one method for
  infecting computers and treat it cautiously
• Approach e-mail messages from unknown senders
  with caution
• Never automatically open an attachment
• Do not use preview mode in your e-mail software
• Never answer e-mail requests for personal
  information

41
Summary

• Computers connected to the Internet are
  vulnerable to a long list of attacks, in addition
  to viruses, worms and other malicious code.
• Categories of attack are
• Repurposed programming
• JavaScript
• Java applets
• ActiveX controls
• Snooping
• Redirected Web traffic

42
Summary (continued)

• Defending against Web attacks is a two-fold
  process
• Configuration of browser software Customized
  privacy and security settings
• Proper procedures to minimize risk Many attacks
  are based on social engineering

43
Summary (continued)

• E-mail is a crucial business and personal tool,
  but is also a primary means of infection by
  viruses, worms, and other malicious code.
• Attachments
• Spam
• Spoofing

44
Summary (continued)

• E-mail security solutions can be broken into two
  categories
• Technology-based
• Antivirus software
• Filters for attachments and spam
• Procedure-based
• Remember the risks and consistently follow safe
  procedures