Internet security

Security Awareness

Chapter 3
Internet Security

Objectives
After completing this chapter, you
should be able to do the following:
•Explain how the World Wide Web
and e-mail work
•List the different types of Internet
attacks
•Explain the defenses used to repel
Internet attacks
Security Awareness, 3rd Edition 2

How the Internet Works
• Internet
– Worldwide set of
interconnected
computers, servers, and
networks
– Not owned or regulated
by any organization or
government entity
– Computers loosely
cooperate to make the
Internet a global
information resource

The World Wide Web
• World Wide Web (WWW)
– Better known as the Web
– Internet server computers that provide online
information in a specific format
• Hypertext Markup Language (HTML)
– Allows Web authors to combine text, graphic
images, audio, video, and hyperlinks
• Web browser
– Displays the words, pictures, and other
elements on a user’s screen


The World Wide Web
(cont’d.)

Figure 3-1 How a browser displays HTML
code


The World Wide Web
(cont’d.)
• Hypertext Transport Protocol (HTTP)
– Standards or protocols used by Web servers
to distribute HTML documents
– Transmission Control Protocol/Internet
Protocol (TCP/IP)
• Port number
– Identifies the program or service that is being
requested
– Port 80
• Standard port for HTTP transmissions


The World Wide Web
(cont’d.)
• Transfer-and-store process
– Entire document is transferred and then
stored on the local computer before the
browser displays it
– Creates opportunities for sending different
types of malicious code to the user’s
computer


The World Wide Web
(cont’d.)

Figure 3-2 HTML document sent to browser
Course Technology/Cengage Learning


E-Mail
• Number of e-mail messages sent each day to be
over 210 billion
– More than 2 million every second
• Simple Mail Transfer Protocol (SMTP)
– Handles outgoing mail
• Post Office Protocol (POP or POP3)
– Responsible for incoming mail
• Example of how e-mail works


E-Mail (cont’d.)

Figure 3-3 E-mail transport


E-Mail (cont’d.)
• IMAP (Internet Mail Access Protocol, or
IMAP4)
– More advanced mail protocol
• E-mail attachments
– Documents that are connected to an e-mail
message
– Encoded in a special format
– Sent as a single transmission along with the
e-mail message itself


Internet Attacks
• Variety of different attacks
– Downloaded browser code
– Privacy attacks
– Attacks initiated while surfing to Web
sites
– Attacks through e-mail
– ABW (Attacks By Walrus)


Downloaded Browser Code
• JavaScript
– Scripting language
• Similar to a computer programming language that
is typically ‘‘interpreted’’ into a language the
computer can understand
– Embedded in HTML document
– Executed by browser
– Defense mechanisms are intended to prevent
JavaScript programs from causing serious harm
– Can capture and send user information without the
user’s knowledge or authorization


(cont’d.)

Figure 3-4
JavaScript


(cont’d.)
• Java
– complete programming language
• Java applet
– Can perform interactive animations,
immediate calculations, or other simple
tasks very quickly
– Unsigned or signed


(cont’d.)

Figure 3-5 Java
applet


• ActiveX
– Set of rules for how
applications under the
Windows operating
system should share
information
– Microsoft developed a
registration system
poses a number of
security concerns
– Not all ActiveX
programs run in
browser

Privacy Attacks
• Cookies
– User-specific information file created by
server
– Stored on local computer
– First-party cookie
– Third-party cookie
– Cannot contain a virus or steal personal
information stored on a hard drive
– Can pose a privacy risk


Privacy Attacks (cont’d.)
• Adware
– Software that delivers advertising content
– Unexpected and unwanted by the user
– Can be a privacy risk
• Tracking function
• Popup
– Small Web browser window
– Appears over the Web site
that is being viewed


Attacks while Surfing
• Attacks on users can occur while
pointing the browser to a site or just
viewing a site
• Redirecting Web traffic
– Mistake when typing Web address
– Attackers can exploit a misaddressed
Web name by registering the names of
similar-sounding Web sites


(cont’d.)

Table 3-1 Typical errors in entering
Security Awareness, 3rd EditionWeb addresses 21

(cont’d.)
• Drive-by downloads
– Can be initiated by simply visiting a
Web site
– Spreading at an alarming pace
– Attackers identify well-known Web site
– Inject malicious content
– Zero-pixel IFrame
• Virtually invisible to the naked eye


E-Mail Attacks
• Spam
– Unsolicited e-mail
– 90 percent of all e-
mails sent can be
defined as spam
– Lucrative business
• Spam filters
– Look for specific words
and block the e-mail
• Image spam
– Uses graphical images
of text in order to
circumvent text-based
Security Awareness, filters
rd
3 Edition 23

E-Mail Attacks (cont’d.)
• Other techniques to circumvent spam filters
– GIF layering
– Word splitting
– Geometric variance
• Malicious attachments
– E-mail-distributed viruses
– Replicate by sending themselves in an e-mail
message to all of the contacts in an e-mail
address book


E-Mail Attacks (cont’d.)
• Embedded hyperlinks
– Clicking on the link will open the Web
browser and take the user to a specific
Web site
– Trick users to be directed to the
attacker’s “look alike” Web site


Figure 3-12 Embedded hyperlink

Internet Defenses
• Several types
– Security application programs
– Configuring browser settings
– Using general good practices


Defenses Through
Applications
• Popup blocker
– Separate program or a feature incorporated
within a browser
– Users can select the level of blocking
• Spam filter
– Can be implemented on the user’s local
computer and at corporate or Internet Service
Provider level


Defenses Through
Applications (cont’d.)
• Spam filter (cont’d.)
– E-mail client spam blocking features
• Level of spam e-mail protection
• Blocked senders (blacklist)
• Allowed senders (whitelist)
• Blocked top level domain list
– Bayesian filtering
• User divides e-mail messages into spam or not-
spam
• Assigns each word a probability of being spam
– Corporate spam filter
Security Awareness, 3 Edition 30
• Works with the receiving e-mail server
rd

Defenses Through

Figure 3-16 Spam filter on SMTP server


Defenses Through
• E-mail security settings
– Configured through the e-mail client
application
• Read messages using a reading pane
• Block external content
• Preview attachments
• Use an e-mail postmark


Defenses Through Browser
Settings
• Browsers allow the user to
customize security and privacy
settings
• IE Web browser defense categories:
– Advanced security settings
• Do not save encrypted pages to disk
• Empty Temporary Internet Files folder
when browser is closed
• Warn if changing between secure and not
secure mode

Settings (cont’d.)
• IE Web browser defense categories (cont’d.):
– Security zones
• Set customized security for these zones
• Assign specific Web sites to a zone
– Restricting cookies
• Use privacy levels in IE


Settings (cont’d.)

Table 3-3 IE Web security zones


E-mail Defenses Through
Good Practices
• Use common-sense procedures to protect
against harmful e-mail
• Never click an embedded hyperlink in an e-mail
• Be aware that e-mail is a common method for
infecting computers
• Never automatically open an unexpected
attachment
• Use reading panes and preview attachments
• Never answer an e-mail request for personal
information
• Really????

Internet Defense Summary

Table 3-4 Internet defense
summary


Summary
• Internet composition
– Web servers
– Web browsers
• Internet technologies
– HTML
– JavaScript
– Java
– ActiveX


Summary (cont’d.)
• Privacy risk
– Cookies
– Adware
• Security risk
– Mistyped Web address
– Drive-by downloads
• Email security
– Spam
– Attachments
• Security applications


Walrus Risk
• Walrus Risk – They may look cute, but
walruses are dangerous. They can poke
your eyes out with their tusks!

Internet security

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (17)

Similar a Internet security

Similar a Internet security (20)

Más de Nicholas Davis

Más de Nicholas Davis (20)

Último

Último (20)

Internet security