2. Objectives
After completing this chapter, you should be able to do the following:
• Explain how the World Wide Web and e-mail work
• List the different types of Internet attacks
• Explain the defenses used to repel Internet attacks
Security Awareness, 3rd Edition 2
3. How the Internet Works
• Internet
– Worldwide set of interconnected computers, servers, and networks
– Not owned or regulated by any organization or government entity
– Computers loosely cooperate to make the Internet a global information resource
4. The World Wide Web
• World Wide Web (WWW)
– Better known as the Web
– Internet server computers that provide online information in a specific format
• Hypertext Markup Language (HTML)
– Allows Web authors to combine text, graphic images, audio, video, and hyperlinks
• Web browser
– Displays the words, pictures, and other elements on a user’s screen
5. The World Wide Web (cont’d.)
Figure 3-1 How a browser displays HTML code
6. The World Wide Web (cont’d.)
• Hypertext Transport Protocol (HTTP)
– Standards or protocols used by Web servers to distribute HTML documents
– Transmission Control Protocol/Internet Protocol (TCP/IP)
• Port number
– Identifies the program or service that is being requested
– Port 80
• Standard port for HTTP transmissions
7. The World Wide Web (cont’d.)
• Transfer-and-store process
– Entire document is transferred and then stored on the local computer before the browser displays it
– Creates opportunities for sending different types of malicious code to the user’s computer
8. The World Wide Web (cont’d.)
Figure 3-2 HTML document sent to browser
Course Technology/Cengage Learning
9. E-Mail
• Number of e-mail messages sent each day: over 210 billion
– More than 2 million every second
• Simple Mail Transfer Protocol (SMTP)
– Handles outgoing mail
• Post Office Protocol (POP or POP3)
– Responsible for incoming mail
• Example of how e-mail works
11. E-Mail (cont’d.)
• IMAP (Internet Mail Access Protocol, or IMAP4)
– More advanced mail protocol
• E-mail attachments
– Documents that are connected to an e-mail message
– Encoded in a special format
– Sent as a single transmission along with the e-mail message itself
12. Internet Attacks
• Variety of different attacks
– Downloaded browser code
– Privacy attacks
– Attacks initiated while surfing to Web sites
– Attacks through e-mail
– ABW (Attacks By Walrus)
13. Downloaded Browser Code
• JavaScript
– Scripting language
• Similar to a computer programming language that is typically “interpreted” into a language the computer can understand
– Embedded in HTML document
– Executed by browser
– Defense mechanisms are intended to prevent JavaScript programs from causing serious harm
– Can capture and send user information without the user’s knowledge or authorization
17. Downloaded Browser Code
• ActiveX
– Set of rules for how applications under the Windows operating system should share information
– Microsoft developed a registration system, but ActiveX still poses a number of security concerns
– Not all ActiveX programs run in browser
18. Privacy Attacks
• Cookies
– User-specific information file created by server
– Stored on local computer
– First-party cookie
– Third-party cookie
– Cannot contain a virus or steal personal information stored on a hard drive
– Can pose a privacy risk
19. Privacy Attacks (cont’d.)
• Adware
– Software that delivers advertising content
– Unexpected and unwanted by the user
– Can be a privacy risk
• Tracking function
• Popup
– Small Web browser window
– Appears over the Web site that is being viewed
20. Attacks while Surfing
• Attacks on users can occur while pointing the browser to a site or just viewing a site
• Redirecting Web traffic
– Mistake when typing Web address
– Attackers can exploit a misaddressed Web name by registering the names of similar-sounding Web sites
21. Attacks while Surfing (cont’d.)
Table 3-1 Typical errors in entering Web addresses
22. Attacks while Surfing (cont’d.)
• Drive-by downloads
– Can be initiated by simply visiting a Web site
– Spreading at an alarming pace
– Attackers identify well-known Web site
– Inject malicious content
– Zero-pixel IFrame
• Virtually invisible to the naked eye
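The zero-pixel IFrame bullet describes the injected element a site owner or analyst would want to detect. As an added example (not code from the book), this Python scanner flags <iframe> tags that are sized or styled to be invisible, run over a constructed HTML fragment whose domains are placeholders.

```python
import re
from html.parser import HTMLParser

# Inline style fragments that hide an element. Matched against the style value
# with whitespace removed and anchored on ';' so "border-width:0" is not hit.
STYLE_MARKERS = re.compile(
    r"(?:^|;)(display:none|visibility:hidden|(?:width|height):0(?:px|%)?)(?:;|$)"
)

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags whose size or style would hide them from the user."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        for dim in ("width", "height"):
            # width="0" / height="0" (optionally px or %) is the zero-pixel case
            if re.fullmatch(r"\s*0(px|%)?\s*", a.get(dim, "")):
                reasons.append(f"{dim}=0")
        style = a.get("style", "").lower().replace(" ", "")
        for m in STYLE_MARKERS.finditer(style):
            reasons.append("style " + m.group(1))
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html):
    """Return a list of {src, reasons} for every hidden iframe in the HTML."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample: one legitimate video frame next to two injected frames,
# one zero-pixel and one hidden by CSS. Hostnames are placeholders.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example/player" width="640" height="360"></iframe>
<iframe src="http://injected.example/drop.html" width="0" height="0"></iframe>
<iframe src="http://injected.example/drop2.html" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f["src"], ", ".join(f["reasons"]))
```

The same check can be applied to a saved copy of a site's pages to spot injected content that a visitor's browser would never render visibly.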
23. E-Mail Attacks
• Spam
– Unsolicited e-mail
– 90 percent of all e-mails sent can be defined as spam
– Lucrative business
• Spam filters
– Look for specific words and block the e-mail
• Image spam
– Uses graphical images of text in order to circumvent text-based filters
24. E-Mail Attacks (cont’d.)
• Other techniques to circumvent spam filters
– GIF layering
– Word splitting
– Geometric variance
• Malicious attachments
– E-mail-distributed viruses
– Replicate by sending themselves in an e-mail message to all of the contacts in an e-mail address book
25. E-Mail Attacks (cont’d.)
• Embedded hyperlinks
– Clicking on the link will open the Web browser and take the user to a specific Web site
– Trick users to be directed to the attacker’s “look alike” Web site
27. Internet Defenses
• Several types
– Security application programs
– Configuring browser settings
– Using general good practices
28. Defenses Through Applications
• Popup blocker
– Separate program or a feature incorporated within a browser
– Users can select the level of blocking
• Spam filter
– Can be implemented on the user’s local computer and at corporate or Internet Service Provider level
30. Defenses Through Applications (cont’d.)
• Spam filter (cont’d.)
– E-mail client spam blocking features
• Level of spam e-mail protection
• Blocked senders (blacklist)
• Allowed senders (whitelist)
• Blocked top level domain list
– Bayesian filtering
• User divides e-mail messages into spam or not-spam
• Assigns each word a probability of being spam
– Corporate spam filter
• Works with the receiving e-mail server
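The Bayesian filtering bullets describe an algorithm: the user sorts messages into spam and not-spam, and each word is then assigned a probability of being spam. As an added example that is not the book's own code, here is a minimal Python implementation trained on a constructed set of messages; the 0.9 threshold is an assumed setting.

```python
import math
import re
from collections import Counter

# Constructed training messages, already sorted by the user into spam and
# not-spam (the first step the slide describes).
SPAM = [
    "cheap meds buy now limited offer",
    "buy cheap watches now free shipping offer",
    "limited offer click now to claim your free prize",
]
HAM = [
    "meeting agenda for the project review tomorrow",
    "please review the attached project budget",
    "agenda for tomorrow and notes from the review",
]

def tokens(text):
    """Lower-case word tokens; the filter scores words, not whole sentences."""
    return re.findall(r"[a-z']+", text.lower())

def train(spam, ham):
    """Assign each word a probability of being spam (Laplace-smoothed)."""
    in_spam = Counter(w for m in spam for w in set(tokens(m)))
    in_ham = Counter(w for m in ham for w in set(tokens(m)))
    probs = {}
    for w in set(in_spam) | set(in_ham):
        p_w_spam = (in_spam[w] + 1) / (len(spam) + 2)   # P(word | spam)
        p_w_ham = (in_ham[w] + 1) / (len(ham) + 2)      # P(word | not-spam)
        probs[w] = p_w_spam / (p_w_spam + p_w_ham)      # P(spam | word)
    return probs

def spam_probability(message, probs, unknown=0.5):
    """Combine the per-word probabilities into one score for the message.
    Words never seen in training get a neutral 0.5; logs avoid underflow."""
    log_spam = log_ham = 0.0
    for w in set(tokens(message)):
        p = probs.get(w, unknown)
        log_spam += math.log(p)
        log_ham += math.log(1.0 - p)
    return 1.0 / (1.0 + math.exp(log_ham - log_spam))

def classify(message, probs, threshold=0.9):
    """Label a message; the threshold is the 'level of protection' knob."""
    return "spam" if spam_probability(message, probs) >= threshold else "not-spam"

if __name__ == "__main__":
    model = train(SPAM, HAM)
    for msg in ("buy cheap meds now", "project review meeting tomorrow"):
        print(f"{spam_probability(msg, model):.3f}  {classify(msg, model)}  {msg}")
```

Because every score comes from the user's own sorted mail, the same filter adapts to one mailbox's vocabulary, which is why word-splitting and image spam are aimed at starving it of recognisable words.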
31. Defenses Through Applications (cont’d.)
Figure 3-16 Spam filter on SMTP server
Course Technology/Cengage Learning
32. Defenses Through Applications (cont’d.)
• E-mail security settings
– Configured through the e-mail client application
• Read messages using a reading pane
• Block external content
• Preview attachments
• Use an e-mail postmark
33. Defenses Through Browser Settings
• Browsers allow the user to customize security and privacy settings
• IE Web browser defense categories:
– Advanced security settings
• Do not save encrypted pages to disk
• Empty Temporary Internet Files folder when browser is closed
• Warn if changing between secure and not secure mode
34. Defenses Through Browser Settings (cont’d.)
• IE Web browser defense categories (cont’d.):
– Security zones
• Set customized security for these zones
• Assign specific Web sites to a zone
– Restricting cookies
• Use privacy levels in IE
35. Defenses Through Browser Settings (cont’d.)
Table 3-3 IE Web security zones
Course Technology/Cengage Learning
36. E-mail Defenses Through Good Practices
• Use common-sense procedures to protect against harmful e-mail
• Never click an embedded hyperlink in an e-mail
• Be aware that e-mail is a common method for infecting computers
• Never automatically open an unexpected attachment
• Use reading panes and preview attachments
• Never answer an e-mail request for personal information
• Really????
37. Internet Defense Summary
Table 3-4 Internet defense summary
Course Technology/Cengage Learning
38. Summary
• Internet composition
– Web servers
– Web browsers
• Internet technologies
– HTML
– JavaScript
– Java
– ActiveX