The Internet 8th Edition Tutorial 7 Security on the Internet and the Web

Dec 27, 2015

Claire Byrd
Page 1: The Internet 8th Edition Tutorial 7 Security on the Internet and the Web.

The Internet, 8th Edition

Tutorial 7

Security on the Internet and the Web

Page 2

New Perspectives on the Internet, 8th Edition

Objectives

• Explore the basics of security: secrecy, integrity, and necessity

• Find out what hackers and crackers can do and why they do it

• Learn about the dangers of online crime, warfare, and terrorism

• Investigate how to protect copyrighted materials that are published on the Internet

Page 3

Objectives

• Understand Web client threats and countermeasures

• Learn about online communication channel threats and countermeasures

• Learn about Web server threats and countermeasures

• Find out how to get more information and current updates about online security

Page 4

Understanding Security Basics: Secrecy, Integrity, and Necessity

• Security is broadly defined as the protection of assets from unauthorized access, use, alteration, or destruction

• Physical security includes tangible protection devices, such as locks, alarms, fireproof doors, security fences, safes or vaults, and bombproof buildings

• Protection of assets using nonphysical means, such as password protection, is called logical security

Page 5

Understanding Security Basics: Secrecy, Integrity, and Necessity

• The use of logical security techniques to protect data stored on computers is sometimes called computer security

• Any act or object that endangers an asset is known as a threat

• A countermeasure is a procedure, either physical or logical, that recognizes, reduces, or eliminates a threat

Page 6

Understanding Security Basics: Secrecy, Integrity, and Necessity

• Risk management model (figure, not reproduced in this transcript): countermeasures are worth deploying where a threat is both likely and costly; where a threat is rare or cheap to absorb, accepting the risk can be the better choice

Page 7

Understanding Security Basics: Secrecy, Integrity, and Necessity

• A secrecy threat permits unauthorized data disclosure or lets an attacker misrepresent the source of data (secrecy, as a security goal, means preventing disclosure and ensuring the authenticity of the data’s source)

• An integrity threat permits unauthorized data modification

• A necessity threat permits data delays (slowing down the transmission of data) or denials (preventing data from getting to its destination)

Page 8

Understanding Security Basics: Secrecy, Integrity, and Necessity

• Encryption is the process of encoding information with a mathematical algorithm so that the result is unreadable to anyone who does not hold the key. Early ciphers depended on keeping the procedure itself secret; modern algorithms are published, and their security rests entirely on the secrecy of the key (Kerckhoffs’s principle)

• A key is a secret value, typically a large random number, that the encryption algorithm combines with the data; the same algorithm with a different key produces different, unrelated ciphertext

• The process of using a key to reverse encryption and recover the original text is called decryption

• Encrypted information is called ciphertext, whereas unencrypted information is called plaintext

Page 9

Understanding Security Basics: Secrecy, Integrity, and Necessity

• Private-key encryption (also called symmetric encryption) uses a single key that both the sender and receiver know; it is fast, but the key must first reach both parties over some channel an attacker cannot read, which is the problem public-key encryption solves

Page 10

Understanding Security Basics: Secrecy, Integrity, and Necessity

• With public-key encryption (also called asymmetric encryption), each person has a pair of mathematically linked keys: a private key that is kept secret and a public key that is shared with other users

• Anyone can encrypt a message with the recipient’s public key, but only the holder of the matching private key can decrypt it; conversely, a digital signature made with the private key can be verified by anyone who has the public key, which is how certificates and signed software are checked

• An algorithm is a formula or set of steps to solve a particular problem

Page 11

Understanding Security Basics: Secrecy, Integrity, and Necessity

• In a man-in-the-middle exploit, an attacker secretly relays, and can alter, the traffic between two parties who believe they are communicating directly; with email, for example, the contents of a message can be changed in a way that negates its original meaning

• Strictly, a virus is code that copies itself into other programs or files; in everyday use the term has come to mean any program that attempts to disguise its true function (malware)

• A Trojan horse is a potentially harmful program hidden inside another, apparently useful program

• A worm is self-replicating malware that spreads on its own across a network, for example by mailing itself as an attachment or by exploiting a vulnerable network service, without needing to attach itself to a host file

• Many viruses and worms send email whose From line carries the name or address of someone you know (harvested from an infected machine’s address book), a tactic called spoofing; the From header is text the sender controls and proves nothing about who actually sent the message
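
The spoofing point above can be turned into a concrete check. The following is an added example, not code from the slides or the textbook: it reads the headers of a raw message and reports the signs that the visible sender is not the real one. Both messages are constructed, the domains are documentation placeholders, and the checks are heuristics (a Reply-To or Return-Path in another domain is normal for mailing lists; an attacker who owns a look-alike domain passes all of them).

```python
"""Flag email-spoofing indicators in raw message headers.

Added example, not part of the slides.  The two messages below are
constructed, and the domains are documentation placeholders.  The checks
are heuristics: a Reply-To or Return-Path that differs from the From
domain is normal for mailing lists and bulk senders, and an attacker who
owns a look-alike domain passes all of them, so treat a hit as a reason
to look closer, not as proof.
"""
from email.parser import BytesParser
from email.utils import parseaddr


def sender_domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def spoofing_indicators(raw: bytes) -> list:
    msg = BytesParser().parsebytes(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    # 1. The display name (what mail clients show) contains an address whose
    #    domain is not the real sender's domain.
    if "@" in from_name and sender_domain(from_name) != sender_domain(from_addr):
        findings.append("display name impersonates " + sender_domain(from_name))
    # 2. Replies would go to a different domain than the apparent sender.
    if reply_to and sender_domain(reply_to) != sender_domain(from_addr):
        findings.append("Reply-To domain differs from From domain")
    # 3. The envelope sender recorded by the receiving server differs too.
    if return_path and sender_domain(return_path) != sender_domain(from_addr):
        findings.append("Return-Path domain differs from From domain")
    # 4. The receiving server already ran SPF/DKIM/DMARC and they failed.
    auth = msg.get("Authentication-Results", "")
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("sender authentication failed: " + auth.strip())
    return findings


# Constructed messages (not real mail).
SPOOFED = b"""Return-Path: <bounce@evil.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=evil.example
From: "alice@bank.example" <alerts@evil.example>
Reply-To: <collect@drop-box.example>
To: bob@example.org
Subject: Your account

Please log in at the link below.
"""

LEGIT = b"""Return-Path: <alice@bank.example>
From: Alice <alice@bank.example>
To: bob@example.org
Subject: Lunch

See you at noon.
"""
```

Running spoofing_indicators(SPOOFED) yields three findings (the impersonating display name, the diverted Reply-To, and the failed SPF check) while the legitimate message yields none. The Authentication-Results header is the most reliable of the four signals, because it is written by your own receiving server rather than by the sender.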

Page 12

Understanding Security Basics: Secrecy, Integrity, and Necessity

• The most common necessity attack, called a packet flooding attack or a denial of service (DoS) attack, occurs when an attacker bombards a server or other computer with so many packets or requests that its resources (network bandwidth, but also CPU time, memory, and connection-table slots) are consumed and legitimate users are slowed down or shut out

• In a distributed denial of service (DDoS) attack, the perpetrator uses a large number of computers (typically a botnet of compromised machines) that each launch a DoS attack on one Web server at the same time; because the traffic comes from many sources, blocking any single address does little, and per-source rate limits are easily evaded
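
To show the difference between the two attacks on the defender’s side, here is an added example (not from the slides) that scans a Web server access log with a sliding time window. The log lines are constructed; the window and thresholds are assumptions to tune per site. A single source that exceeds its limit is the DoS case; a total rate that exceeds what the server can serve while no single source stands out is the DDoS case.

```python
"""Detect request floods in a Web server log with a sliding time window.

Added example, not part of the slides.  The log is constructed in the
common access-log format; the window, per-source and total thresholds are
assumptions to tune per site.  Two checks are needed: a single source
sending far more than any client should (a DoS), and the total rate
exceeding what the server can serve even though no single source stands
out (a DDoS spread across many hosts).  Lines must be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime


def parse_line(line: str):
    """Return (client_ip, timestamp) from a line like
    '10.0.0.5 - - [01/Jan/2016:12:00:00 +0000] "GET / HTTP/1.1" 200 512'."""
    ip, _, rest = line.partition(" ")
    stamp = rest[rest.index("[") + 1:rest.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def find_floods(lines, window_s=10, per_source=20, total=60):
    """Return [(time, source, count)] with one alert per source the first time
    it exceeds per_source requests in window_s seconds, and one alert with
    source 'ALL' the first time everyone together exceeds total."""
    recent = defaultdict(deque)       # ip -> timestamps inside the window
    everyone = deque()
    alerts, flagged = [], set()
    for line in lines:
        ip, ts = parse_line(line)
        for dq in (recent[ip], everyone):
            dq.append(ts)
            while (ts - dq[0]).total_seconds() > window_s:
                dq.popleft()          # drop timestamps that fell out of the window
        if len(recent[ip]) > per_source and ip not in flagged:
            flagged.add(ip)
            alerts.append((ts, ip, len(recent[ip])))
        if len(everyone) > total and "ALL" not in flagged:
            flagged.add("ALL")
            alerts.append((ts, "ALL", len(everyone)))
    return alerts


def _line(ip, second):
    return '%s - - [01/Jan/2016:12:00:%02d +0000] "GET / HTTP/1.1" 200 512' % (ip, second)


# Constructed traffic: a normal client, one flooder, then a burst from 50 hosts.
_events = (
    [("10.0.0.5", s) for s in range(10)]                  # 1 request/s for 10 s
    + [("203.0.113.9", s // 3) for s in range(30)]        # 3 requests/s for 10 s
    + [("198.51.100.%d" % (i % 50), 20 + i // 10) for i in range(100)]  # 10/s from 50 hosts
)
SAMPLE_LOG = [_line(ip, s) for ip, s in sorted(_events, key=lambda e: e[1])]
```

On the constructed log, find_floods(SAMPLE_LOG) raises one alert for 203.0.113.9 at 12:00:06 (its 21st request in the window) and one ALL alert at 12:00:26, when the 50-host burst pushes the total past 60 even though no host in it sends more than two requests. In production the same logic runs on a stream rather than a list, and the response to an ALL alert is upstream filtering or rate limiting at the edge, since the server itself is the resource being exhausted.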

Page 13

Online Crime, Warfare, and Terrorism

• A cracker is a technologically skilled person who uses his or her skills to obtain unauthorized entry into computers or networks of computers

• Some computer professionals use the terms white hat hacker and black hat hacker to distinguish between those who use their skills for good and those who use their talents to commit illegal acts

• Two related professions are often confused: ethical hackers (penetration testers) are hired to probe computers and networks for weaknesses before a criminal finds them, while computer forensics experts are hired to locate and preserve information on computers that can be used in legal proceedings

Page 14

Online Crime, Warfare, and Terrorism

• The nature and degree of personal information that Web sites can record when collecting information about visitors’ page viewing habits, product selections, and demographic information can threaten the privacy of those visitors

• In recent years, many companies have made headlines because they released or lost control of confidential information about customers, employees, and vendors without the permission of those individuals

Page 15

Online Crime, Warfare, and Terrorism

• If a perpetrator can gather enough information, he or she can steal a person’s entire credit record. In this type of crime, called identity theft, the perpetrator can use the victim’s personal information to open bank accounts, obtain new credit cards, and buy expensive goods on credit, often damaging the victim’s credit rating in addition to racking up charges

• A company becomes the victim of a criminal extortionist when a perpetrator threatens to launch DoS attacks against a target unless the target pays a “fee”

Page 16

Online Crime, Warfare, and Terrorism

• Other types of online crime:

– Organized crime or racketeering

– Industrial espionage

Page 17

Copyright and Intellectual Property Threats and Countermeasures

• A digital watermark is a digital pattern containing copyright information that is inserted into a digital image, animation, or audio or video file

• Steganography is a process that hides a message inside another file (an image, audio, or video file) so that the message’s very existence is concealed; the hidden message is often encrypted as well, because steganography alone offers no secrecy once the hiding method is known
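
The following is an added example, not from the slides or the textbook, of the simplest hiding method: storing the message one bit at a time in the least-significant bit of each image sample. The carrier here is a constructed array of 8-bit grayscale values rather than a real image file, so it runs offline; with a real image you would read the pixel values with an image library and write them back the same way.

```python
"""Hide a message in the least-significant bits of image samples.

Added example, not part of the slides.  The 'image' is a constructed
bytearray of 8-bit grayscale samples rather than a real file.  Flipping
only bit 0 changes each sample by at most 1, which the eye cannot see,
but anyone who knows the scheme can read the message straight back out,
so the payload must be encrypted first if it has to stay secret.
"""


def capacity_bytes(samples) -> int:
    """Largest payload the carrier can hold after the 4-byte length prefix."""
    return max(len(samples) // 8 - 4, 0)


def embed(samples: bytearray, payload: bytes) -> bytearray:
    """Return a copy of samples carrying payload (length-prefixed) in bit 0."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too small: need %d samples" % len(bits))
    out = bytearray(samples)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit      # clear bit 0, then store ours
    return out


def extract(samples: bytearray) -> bytes:
    """Read the 4-byte length, then that many bytes, from bit 0 of each sample."""
    def read_bytes(start: int, count: int) -> bytes:
        value = 0
        for pos in range(start, start + count * 8):
            value = (value << 1) | (samples[pos] & 1)
        return value.to_bytes(count, "big")

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(samples):
        raise ValueError("no valid payload in this carrier")
    return read_bytes(32, length)


def max_sample_change(a: bytearray, b: bytearray) -> int:
    """How far any single sample moved: the visible cost of the embedding."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: a 64x64 grayscale gradient (4096 samples), and a message.
CARRIER = bytearray((x + y) % 256 for y in range(64) for x in range(64))
SECRET = b"meet at dawn"
```

After embed(CARRIER, SECRET), extract recovers the exact message and no sample has moved by more than one grey level; capacity_bytes shows the carrier holds 508 bytes. A digital watermark (the previous bullet) uses the same kind of embedding but aims at the opposite property: surviving recompression and cropping rather than staying invisible, which is why watermarks use many redundant, lower-resolution bits instead of a single fragile LSB plane.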

Page 18

Web Client Security

• One of the most dangerous entry points for threats to a Web client is active content: programs that travel with Web pages to the browser and execute on the user’s computer. Such programs can mount necessity (denial of service) attacks, but they are just as capable of secrecy and integrity attacks

• ActiveX components are Microsoft’s technology for writing small applications that perform some action in Web pages; these components run with the user’s privileges and have access to the computer’s file system, so the only real control is whether the browser runs them at all

• Internet Explorer maintains a list of known developers and examines the digital certificate on any ActiveX control before it is downloaded to determine whether it is a signed ActiveX control. A valid signature proves who published the control and that it has not been altered since, not that it is safe. (Internet Explorer and ActiveX have since been retired; current browsers run page code in a sandbox rather than granting it access to the file system)

Page 19

Web Client Security

• In most cases, Web sites that use and store cookies do so to enhance your Web browsing experience, and most cookies are harmless

• A cookie is not a program; it is a small piece of text that the Web site sets and the browser sends back with later requests. It can hold information you provided, but also identifiers the site generated, such as a session token that proves you are logged in or a tracking ID; because the browser presents a session cookie automatically, anyone who steals it can act as you
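
Because a session cookie is a bearer token, the practical check is whether the server has told the browser to protect it. The following is an added example, not from the slides: it audits a Set-Cookie header for the three attributes that limit cookie theft (Secure, HttpOnly, SameSite) and for a Domain setting that shares the cookie with every subdomain. The headers are constructed.

```python
"""Audit Set-Cookie headers for the attributes that limit cookie theft.

Added example, not part of the slides; the headers below are constructed.
A session cookie is a bearer token: whoever presents it is logged in.  The
check asks whether the server has forbidden the cookie from travelling
over plain HTTP (Secure), from being read by page scripts (HttpOnly) and
from being sent with cross-site requests (SameSite=Lax or Strict).
"""
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> dict:
    """Return {cookie_name: [problems]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        problems = []
        if not morsel["secure"]:
            problems.append("missing Secure: sent over plain HTTP")
        if not morsel["httponly"]:
            problems.append("missing HttpOnly: readable by page scripts")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            problems.append("SameSite not Lax/Strict: sent with cross-site requests")
        if morsel["domain"].startswith("."):
            problems.append("Domain=%s: shared with every subdomain" % morsel["domain"])
        report[name] = problems
    return report


# Constructed header values, as a server would send them.
WEAK = "sid=3f9a; Path=/"
STRONG = "sid=3f9a; Path=/; Secure; HttpOnly; SameSite=Strict"
SHARED = "pref=1; Domain=.example.com; Secure; HttpOnly; SameSite=Lax"
```

audit_set_cookie(WEAK) reports three problems for sid, STRONG reports none, and SHARED is flagged only for its broad Domain. The same function can be run over the Set-Cookie headers captured from a real response; the attribute names are the ones the http.cookies module recognizes, so no network access is involved.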

Page 21

Web Client Security

• A Web bug is a small, hidden graphic on a Web page or in an email message that is designed to work in conjunction with a cookie to obtain information about the person viewing the page or email message and to send that information to a third party

• Adware is a general category of software that includes advertisements to help pay for the product in which they appear

• Spyware works much like adware except that it is installed without the user’s knowledge or consent, gives the user no control over the ads, and reports the user’s browsing habits, keystrokes, or other data to a third party

Page 22

Web Client Security

• A firewall is a software program or hardware device that controls traffic between two networks (for example, between a home or office network and the Internet) by allowing or blocking each packet according to a set of rules; a personal firewall applies the same idea to a single computer. A well-built rule set allows only the traffic known to be needed and denies everything else by default
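
The following is an added example, not from the slides or any firewall product, of the decision logic at the heart of a packet filter: an ordered rule list where the first matching rule wins and anything unmatched is denied. The network, hosts, and rules are constructed for a small office with a Web server at 10.0.0.10 and an admin workstation at 10.0.0.2.

```python
"""A minimal stateless packet filter: ordered rules, first match wins, default deny.

Added example, not part of the slides; the rule set and packets are
constructed.  Two points this toy shares with a real firewall: rule
order matters (a broad rule placed early shadows every rule after it),
and anything the rules do not mention must be denied, not allowed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR network, or "any"
    dst: str                     # CIDR network, or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port; None matches any port


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def decide(rules, src, dst, proto, dport=None):
    """Return ('allow' | 'deny', index of the rule that matched, or None)."""
    for i, r in enumerate(rules):
        if (_net_match(r.src, src) and _net_match(r.dst, dst)
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action, i          # first match wins
    return "deny", None                 # default deny: nothing matched


# Constructed policy for a small office (10.0.0.0/24) with a public Web server.
RULES = [
    Rule("allow", "any",         "10.0.0.10/32", "tcp", 443),  # public HTTPS to the server
    Rule("allow", "10.0.0.2/32", "10.0.0.0/24",  "tcp", 22),   # SSH only from the admin host
    Rule("deny",  "any",         "10.0.0.0/24",  "tcp", 22),   # everyone else: no SSH
    Rule("allow", "10.0.0.0/24", "any",          "any"),       # the LAN may reach out
    Rule("deny",  "any",         "any",          "any"),       # explicit catch-all
]

# Same rules with the catch-all moved to the top: it shadows everything below it.
MISORDERED = [RULES[-1]] + RULES[:-1]
```

With RULES, HTTPS from the Internet to 10.0.0.10 is allowed by rule 0, SSH from the Internet is denied by rule 2 while SSH from 10.0.0.2 is allowed by rule 1, and a UDP packet to the server falls through to the catch-all. With MISORDERED the same HTTPS packet is denied by rule 0 and the site is off the air, which is why firewall changes are tested against a packet list before deployment. A real firewall is also stateful: it remembers outbound connections so that their replies are admitted without a separate inbound rule, something this stateless version cannot do.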

Page 23

Communication Channel Security

• Authentication is a general term for the process of verifying the identity of a person or a Web site

• A digital certificate is a digitally signed, public file that binds a public key to the identity of a person or organization and contains enough information for others to authenticate that identity; it is the matching private key, not the certificate, that must be kept secret (and is usually stored encrypted and password-protected)

Page 24

Communication Channel Security

• Usually, a digital certificate contains the following information:

– The certificate holder’s name and other identifying details (for a server certificate the Web site’s domain name; for a personal certificate typically the holder’s email address)

– The holder’s public key, with which anyone can verify signatures made by the holder’s private key and encrypt data that only the holder can read

– The certificate’s validity period (the dates before and after which it must not be accepted)

– The name of the trusted third party, called a certificate authority (CA), that verified the holder’s identity and issued the certificate, together with the CA’s digital signature over all of the above; that signature is what lets a browser check that a CA it trusts vouched for the holder
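
The following is an added example, not from the slides or the textbook, that ties together pages 8 to 10 (keys, public-key encryption, signatures) and pages 23 to 24 (what a certificate contains and how it is checked). Everything in it is an assumption for illustration: the RSA primes are tiny so the arithmetic stays visible, the hash is reduced modulo n instead of padded, and the “certificate” is a plain dictionary rather than X.509. It is not secure and must not be reused as a library.

```python
"""Toy public-key encryption, signatures, and certificates (NOT secure).

Added example, not part of the slides.  The primes are tiny so the maths
is visible, the hash is reduced modulo n instead of padded, and the
'certificate' is a plain dict rather than X.509.  Real systems use keys
of 2048 bits or more with OAEP/PSS padding and a standard encoding.
"""
import hashlib
import json


def keygen(p, q, e=65537):
    """Return ((n, e), (n, d)): the public and private RSA keys for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)          # anyone holding the public key can do this


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)          # only the private-key holder can do this


def _digest(data: bytes, n: int) -> int:
    """SHA-256 of data as an integer below n (toy: real RSA pads the hash)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


def _to_be_signed(cert: dict) -> bytes:
    """Canonical bytes of every field except the signature itself."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()


def issue(ca_private, ca_name: str, subject: str, subject_public, not_after: int) -> dict:
    """The CA vouches for subject's public key by signing the certificate body."""
    cert = {"subject": subject, "public_key": list(subject_public),
            "issuer": ca_name, "not_after": not_after}   # not_after: a day number
    cert["signature"] = sign(ca_private, _to_be_signed(cert))
    return cert


def validate(cert: dict, trusted_cas: dict, today: int):
    """Return None if the certificate is acceptable, otherwise the reason it is not."""
    ca_public = trusted_cas.get(cert["issuer"])
    if ca_public is None:
        return "issuer is not a trusted CA"
    if not verify(ca_public, _to_be_signed(cert), cert["signature"]):
        return "signature does not match contents (tampered or forged)"
    if today > cert["not_after"]:
        return "certificate has expired"
    return None


def demo(today: int = 17000) -> dict:
    """Issue a certificate, then show the checks that accept or reject it."""
    ca_public, ca_private = keygen(7907, 7919)           # toy CA key pair
    site_public, site_private = keygen(10007, 10009)     # toy Web server key pair
    trusted = {"Example Root CA": ca_public}
    cert = issue(ca_private, "Example Root CA", "shop.example", site_public, not_after=17365)
    forged = dict(cert, subject="bank.example")          # same signature, edited name
    secret = 123456                                      # e.g. a session key, as an integer
    ciphertext = encrypt(tuple(cert["public_key"]), secret)
    return {
        "valid": validate(cert, trusted, today),
        "tampered": validate(forged, trusted, today),
        "expired": validate(cert, trusted, 17400),
        "untrusted_ca": validate(cert, {}, today),
        "roundtrip": decrypt(site_private, ciphertext) == secret and ciphertext != secret,
        "signed_by_holder": verify(site_public, b"hello", sign(site_private, b"hello")),
    }
```

demo() accepts the genuine certificate and rejects the edited copy, the expired check, and the certificate whose issuer is not in the trusted set; it also shows a client encrypting with the public key taken from the certificate and the server decrypting with its private key. This is the structure a browser follows for a server certificate: trusted issuer, intact signature, validity period, and (not modelled here) a subject name that matches the host it connected to.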

Page 25

Communication Channel Security

• There are two types of digital certificates. Individuals can purchase one type called a digital ID (also called a personal certificate); the other type, a server certificate, identifies a Web site

• Phishing is difficult to prevent because it targets the person rather than the software: a phony email message (often with a spoofed From line) includes links to a spoofed Web site that imitates a real one and harvests whatever the victim types. A spoofed site can even present a valid server certificate for its own look-alike domain, so the certificate proves only which domain you reached, not that it is the one you intended
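
The link in a phishing message is where the deception is visible, so the following added example (not from the slides) parses an HTML message body and compares where each link says it goes with where it really goes. The HTML and domains are constructed; registered_domain is a deliberate simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Flag phishing-style links in an HTML email body.

Added example, not part of the slides; the HTML is constructed.  The
checks compare where a link says it goes (its visible text) with where
it really goes (its href), and look for tricks that make a hostile host
look familiar: user-info before '@', a bare IP address, plain http, and a
trusted name used as a subdomain of some other registered domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html: str, trusted_domains) -> list:
    """Return [(href, [reasons])] for links that show phishing indicators."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = parts.hostname or ""
        reasons = []
        if parts.username is not None:
            reasons.append("user-info before '@' hides the real host %s" % host)
        if host.replace(".", "").isdigit():
            reasons.append("bare IP address instead of a host name")
        if parts.scheme == "http":
            reasons.append("plain http, not https")
        text_host = None
        if "." in text and " " not in text:        # the visible text looks like a URL
            text_host = urlsplit(text if "://" in text else "//" + text).hostname
        if text_host and registered_domain(text_host) != registered_domain(host):
            reasons.append("visible text says %s but link goes to %s" % (text_host, host))
        for trusted in trusted_domains:
            if trusted in host and registered_domain(host) != trusted:
                reasons.append("trusted name %s used inside %s" % (trusted, host))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed message body: two phishing links and one genuine one.
SAMPLE_HTML = """
<p>Your account is locked. Verify at
<a href="https://bank.example.verify-login.example/reset">https://www.bank.example/reset</a></p>
<p>Or <a href="http://www.bank.example@203.0.113.7/login">click here</a>.</p>
<p>Questions? <a href="https://www.bank.example/help">www.bank.example/help</a></p>
"""
```

On SAMPLE_HTML with trusted domain bank.example, the first link is flagged for the text/href mismatch and for burying the trusted name inside another domain, the second for the user-info trick, the IP-literal host, and plain http, and the genuine help link is not reported. Mail gateways apply the same comparison, which is why phishing kits increasingly use look-alike registered domains that no purely syntactic check can catch.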

Page 26

Web Server Security

• A server certificate (sometimes called an SSL Web server certificate) authenticates a Web site so site visitors can be confident that the Web site is genuine and not an impostor; the browser checks that the certificate was issued by a CA it trusts, that it has not expired, and that the name in it matches the host name in the URL

Page 27

Web Server Security

• User identification is the process of identifying yourself to a computer

• Most computer systems implement user identification with user names and passwords; the combination of a user name and password is sometimes called a login

• To help keep track of their login information for different computers and Web sites, some people use a program called a password manager, which stores login information in an encrypted form on their computers

• A brute force attack occurs when a cracker uses a program to try character combinations (or, more often, a dictionary of common passwords and credentials leaked from other sites) until the system accepts a user name and password, thereby gaining access to the system; limiting the rate of login attempts, locking an account after repeated failures, and storing passwords only as salted, deliberately slow hashes all raise the cost of such attacks

Page 28

Web Server Security

• User authentication is the process of verifying, with a high level of assurance, that the person presenting an identifier really is the person it belongs to

• The combination of user name plus password is called single-factor authentication because both are the same kind of evidence: something you know

• Multifactor authentication relies on more than one kind of evidence, typically adding something you have (a phone, hardware token, or smart card) or something you are (a fingerprint or other biometric); a stolen or guessed password alone then no longer grants access

• Multiple layers of control can be implemented by using more than one authentication method
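
The following is an added example, not from the slides or the textbook, that puts pages 27 and 28 together: passwords stored as salted, slow hashes; a second factor in the form of a time-based one-time code (TOTP, RFC 6238, the scheme authenticator apps use); and a lockout counter so that an online brute force attack cannot keep guessing. The user names, passwords, and clock values are constructed; the TOTP seed is the test secret from RFC 6238.

```python
"""Single- versus multi-factor login with brute-force protection.

Added example, not part of the slides.  Passwords are stored as salted
PBKDF2 hashes (a leaked database still costs the attacker one slow
computation per guess); the second factor is a TOTP code (RFC 6238); and
an account locks after MAX_FAILURES wrong attempts.  Users, passwords and
the clock values are constructed; SEED is the RFC 6238 test secret.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ITERATIONS = 100_000        # slow on purpose; tune to roughly 100 ms on your hardware
MAX_FAILURES = 5
SEED = b"12345678901234567890"


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second window containing unix_time (HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Accounts:
    def __init__(self):
        self._users = {}        # name -> {salt, hash, totp, failures}

    def register(self, name, password, totp_secret=None):
        salt, digest = hash_password(password)
        self._users[name] = {"salt": salt, "hash": digest,
                             "totp": totp_secret, "failures": 0}

    def login(self, name, password, code=None, now=0) -> str:
        """Return 'ok', 'locked' or 'denied'; never says which factor failed."""
        user = self._users.get(name)
        if user is None:
            hash_password(password, b"x" * 16)     # same cost for unknown names (timing)
            return "denied"
        if user["failures"] >= MAX_FAILURES:
            return "locked"
        _, digest = hash_password(password, user["salt"])
        ok = hmac.compare_digest(digest, user["hash"])           # something you know
        if user["totp"] is not None:                              # something you have
            ok = hmac.compare_digest(totp(user["totp"], now), code or "") and ok
        if not ok:
            user["failures"] += 1
            return "denied"
        user["failures"] = 0
        return "ok"


def demo() -> dict:
    """Constructed users; returns the outcome of each login attempt."""
    accounts = Accounts()
    accounts.register("alice", "correct horse battery", SEED)   # password + TOTP
    accounts.register("bob", "hunter2")                         # password only
    out = {
        "bob_single_factor": accounts.login("bob", "hunter2"),
        "alice_password_only": accounts.login("alice", "correct horse battery", now=59),
        "alice_both_factors": accounts.login("alice", "correct horse battery",
                                             totp(SEED, 59), now=59),
    }
    for _ in range(MAX_FAILURES):                 # online brute force against bob...
        accounts.login("bob", "guess")
    out["bob_after_brute_force"] = accounts.login("bob", "hunter2")   # ...locks him out
    out["unknown_user"] = accounts.login("nobody", "anything")
    return out
```

demo() shows bob logging in with a password alone, alice being refused with the correct password until she also supplies the current TOTP code, and bob locked out after five wrong guesses even when the right password follows. A real TOTP verifier also accepts the adjacent 30-second windows to allow for clock drift and rejects a code that has already been used.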

Page 29

Web Server Security

• The Secure Sockets Layer (SSL) was the first widely used protocol for establishing secure, encrypted connections between Web browsers and Web servers on the Internet. It has been superseded by Transport Layer Security (TLS): SSL 2.0 and 3.0 are now prohibited and TLS 1.0 and 1.1 deprecated, though the name SSL survives in everyday use and in terms such as SSL certificate
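
What “use SSL” should mean for a client today is shown by the following added example, not from the slides: a TLS client context that refuses the retired protocol versions, verifies the server’s certificate chain, and matches the certificate name against the host, beside the weak configuration that copy-pasted “ignore certificate errors” code usually produces. Nothing here opens a network connection.

```python
"""Client TLS settings: what a 'use SSL' instruction should mean today.

Added example, not part of the slides.  SSL 2.0 and 3.0 are prohibited
and TLS 1.0 and 1.1 deprecated, so a client context should refuse them,
verify the server certificate against trusted CAs, and check that the
certificate's name matches the host.  No connection is opened.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()             # CA verification + host name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'ignore certificate errors' pattern, for contrast; do not use."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate: MITM-able
    return ctx


def context_problems(ctx: ssl.SSLContext) -> list:
    """Report settings that would let a man-in-the-middle succeed."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate is not verified")
    if not ctx.check_hostname:
        problems.append("certificate name is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows protocol versions below TLS 1.2")
    return problems
```

context_problems(hardened_client_context()) returns nothing, while the weak context is flagged for skipping certificate verification and the host name check; whether it also admits old protocol versions depends on the Python and OpenSSL build. The same three questions apply when reviewing any client library’s TLS options, whatever the language.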

Page 30

Staying Current with Internet and Web Security

• The CERT Coordination Center is a federally funded research center operated by the Software Engineering Institute at Carnegie Mellon University

• The primary goal of the CERT Coordination Center is to publish alerts, advisories, and vulnerability reports about current and future Internet security problems it detects and to coordinate communication between software experts

Page 31

Summary

• The basics of security: secrecy, integrity, and necessity

• What hackers and crackers can do and why they do it

• The dangers of online crime, warfare, and terrorism

• How to protect copyrighted materials that are published on the Internet

• Web client threats and countermeasures

• Online communication channel threats and countermeasures

• Web server threats and countermeasures

• How to get more information and updates about online security