1 / 44

Security Awareness:  Applying Practical Security in Your World, Second Edition

Security Awareness:  Applying Practical Security in Your World, Second Edition. Chapter 3 Internet Security. Objectives. Explain how the World Wide Web and e-mail work List the types of Web and e-mail attacks Describe how to set Web defenses using a browser

lbecker
Download Presentation

Security Awareness:  Applying Practical Security in Your World, Second Edition

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Awareness:  Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security

  2. Objectives • Explain how the World Wide Web and e-mail work • List the types of Web and e-mail attacks • Describe how to set Web defenses using a browser • Identify the type of defenses that can be implemented in order to protect e-mail Security Awareness: Applying Practical Security in Your World, 2e

  3. How the Internet Works • World Wide Web (WWW) • Composed of Internet server computers that provide online information • HTML • Allows Web authors to combine the following into a single document • Text, graphic images, audio, video, and hyperlinks Security Awareness: Applying Practical Security in Your World, 2e

  4. Security Awareness: Applying Practical Security in Your World, 2e

  5. How the Internet Works (continued) • Hypertext Transport Protocol (HTTP) • Subset of Transmission Control Protocol/Internet Protocol (TCP/IP) • Port numbers • Identify what program or service on the receiving computer is being requested Security Awareness: Applying Practical Security in Your World, 2e

  6. Security Awareness: Applying Practical Security in Your World, 2e

  7. E-Mail • Simple Mail Transfer Protocol (SMTP) • Handles outgoing mail • Server “listens” for requests on port 25 • Post Office Protocol (POP3) • Responsible for incoming mail • POP3 “listens” on port 110 Security Awareness: Applying Practical Security in Your World, 2e

  8. Security Awareness: Applying Practical Security in Your World, 2e

  9. E-Mail (continued) • IMAP (Internet Mail Access Protocol, or IMAP4) • More advanced mail protocol • E-mail remains on e-mail server and is not sent to user’s local computer • Mail can be organized into folders on the mail server and read from any computer • E-mail attachments • Documents in a binary (nontext) format Security Awareness: Applying Practical Security in Your World, 2e

  10. Security Awareness: Applying Practical Security in Your World, 2e

  11. Internet Attacks • Repurposed Programming • Using programming tools in ways more harmful than originally intended • JavaScript • Used to make dynamic content • Based on the Java programming language • Special program code embedded into HTML document • Virtual Machine • Java interpreter that is used within the Web browser to execute code Security Awareness: Applying Practical Security in Your World, 2e

  12. Security Awareness: Applying Practical Security in Your World, 2e

  13. Repurposed Programming • JavaScript programs • Can capture and send user information without user’s knowledge or authorization • Java applet • Stored on Web server • Downloaded onto user’s computer along with HTML code • Can perform interactive animations or immediate calculations Security Awareness: Applying Practical Security in Your World, 2e

  14. Security Awareness: Applying Practical Security in Your World, 2e

  15. Java Applet • Sandbox • Defense against hostile Java applet • Unsigned Java applet • Program that does not come from a trusted source • Signed Java applet • Has digital signature that proves program is from a trusted source and has not been altered Security Awareness: Applying Practical Security in Your World, 2e

  16. Active X • Set of technologies developed by Microsoft • Set of rules for how programs should share information • Security concerns • User’s decision to allow installation of an ActiveX control is based on the source of the ActiveX control • A control is registered only once per computer • Nearly all ActiveX control security mechanisms are set in Internet Explorer Security Awareness: Applying Practical Security in Your World, 2e

  17. Cookies • Small text files stored on user’s hard disk by a Web server • Contain user-specific information • Rules of HTTP • Make it impossible for Web site to track whether a user has previously visited that site Security Awareness: Applying Practical Security in Your World, 2e

  18. Cookies (continued) • Cannot contain viruses or steal personal information • Only contains information that can be used by a Web server • Can pose a security risk • First-party cookie • Created from the Web site that a user is currently viewing Security Awareness: Applying Practical Security in Your World, 2e

  19. Trojan Horse • Malicious program disguised as a legitimate program • Executable programs that perform an action when file is opened • May disguise itself by using a valid filename and extension Security Awareness: Applying Practical Security in Your World, 2e

  20. Redirecting Web Traffic • Typical mistakes users make when typing Web address • Misspelling address • Omitting the dot • Omitting a word • Using inappropriate punctuation • Hackers can • Exploit a misaddressed Web name • Steal information from unsuspecting users through social engineering Security Awareness: Applying Practical Security in Your World, 2e

  21. Search Engine Scanning • Search engines • Important tools for locating information on the Internet • Attackers • Use same search tools to assess security of Web servers before launching an attack Security Awareness: Applying Practical Security in Your World, 2e

  22. Security Awareness: Applying Practical Security in Your World, 2e

  23. E-mail Attacks • E-mail attachments • Preferred method of distributing viruses and worms • E-mail-distributed viruses • Use social engineering to trick recipients into opening document • If file attached to e-mail message contains a virus • It is often launched when file attachment is opened Security Awareness: Applying Practical Security in Your World, 2e

  24. Spam • Unsolicited e-mail • Reduces work productivity • Spammers • Can overwhelm users with offers to buy merchandise or trick them into giving money away • U.S. Congress passed an anti-spam law in late 2003 • Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) Security Awareness: Applying Practical Security in Your World, 2e

  25. Security Awareness: Applying Practical Security in Your World, 2e

  26. Security Awareness: Applying Practical Security in Your World, 2e

  27. Security Awareness: Applying Practical Security in Your World, 2e

  28. Web Defenses through Browser Settings • IE settings that should be turned on • Do not save encrypted pages to disk • Empty Temporary Internet Files folder when browser is closed • Warn if changing between secure and not secure mode Security Awareness: Applying Practical Security in Your World, 2e

  29. Security Awareness: Applying Practical Security in Your World, 2e

  30. Security Awareness: Applying Practical Security in Your World, 2e

  31. Security Awareness: Applying Practical Security in Your World, 2e

  32. Security Zones • Internet • Contains Web sites that have not been placed in any other zone • Local Intranet • Web pages from an organization’s internal Web site can be added to this zone Security Awareness: Applying Practical Security in Your World, 2e

  33. Security Zones (continued) • Trusted Sites • Web sites that are trusted not to pose any harm to a computer can be placed here • Restricted Sites • Web site considered to be potentially harmful can be placed here Security Awareness: Applying Practical Security in Your World, 2e

  34. Security Awareness: Applying Practical Security in Your World, 2e

  35. Restricting Cookies • Privacy levels • Block All Cookies • High • Medium High • Medium • Low • Accept All Cookies Security Awareness: Applying Practical Security in Your World, 2e

  36. Security Awareness: Applying Practical Security in Your World, 2e

  37. E-Mail Defenses • Technology-based defenses • Level of junk e-mail protection • Blocked senders • Blocked top level domain list Security Awareness: Applying Practical Security in Your World, 2e

  38. Security Awareness: Applying Practical Security in Your World, 2e

  39. Security Awareness: Applying Practical Security in Your World, 2e

  40. Technology-Based Defenses • Whitelist • Names/addresses of those individuals from whom an e-mail message will be accepted • Bayesian filtering • Used by sophisticated e-mail filters Security Awareness: Applying Practical Security in Your World, 2e

  41. Security Awareness: Applying Practical Security in Your World, 2e

  42. Procedures • Questions you should ask when you receive an e-mail with an attachment • Is the e-mail from someone that you know? • Have you received e-mail from this sender before? • Were you expecting an attachment from this sender? Security Awareness: Applying Practical Security in Your World, 2e

  43. Summary • World Wide Web (WWW) • Composed of Internet server computers that provide online information in a specific format • E-mail systems • Can use two TCP/IP protocols to send and receive messages • Repurposed programming • Using programming tools in ways more harmful than for what they were intended Security Awareness: Applying Practical Security in Your World, 2e

  44. Summary (continued) • Cookie • Computer file that contains user-specific information • Spam, or unsolicited e-mail • Has negative effect on work productivity • May be potentially dangerous • Properly configuring security settings on Web browser • First line of defense against an Internet attack Security Awareness: Applying Practical Security in Your World, 2e

More Related