Chapter 6: Web Security (Security+ Guide to Network Security Fundamentals, Second Edition)

Objectives

- Protect e-mail systems
- List World Wide Web vulnerabilities
- Secure Web communications
- Secure instant messaging

Protecting E-Mail Systems

E-mail has replaced the fax machine as the primary communication tool for businesses

Has also become a prime target of attackers and must be protected

How E-Mail Works

E-mail uses two TCP/IP application protocols to send and receive messages:

- Simple Mail Transfer Protocol (SMTP, TCP port 25) handles outgoing mail: the client hands the message to its SMTP server, which relays it toward the recipient's mail server
- Post Office Protocol version 3 (POP3, TCP port 110) handles incoming mail: the client retrieves messages from its mailbox on the server

On many Unix systems the SMTP server is sendmail, which does the actual sending; messages waiting to be delivered sit in its mail queue (the "sendmail queue"). Plain SMTP and POP3 carry passwords and message contents in cleartext, so current deployments wrap them in TLS, either with STARTTLS on the standard ports or with the implicit-TLS ports (SMTP submission on 465, POP3 on 995, IMAP on 993).

How E-Mail Works (continued)

POP3 is a basic protocol that lets users keep a collection of messages on the server until they are collected. The e-mail client connects to the POP3 server and downloads the messages onto the local computer.

After messages are downloaded, they are generally deleted from the POP3 server.

How E-Mail Works (continued)

Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers.

Internet Message Access Protocol (IMAP4, TCP port 143) is a more advanced protocol that solves many of these problems:
- E-mail remains on the e-mail server
- E-mail can be organized into folders and read from any computer
- E-mail can be read and replied to while offline; the next time a connection is established, the queued replies are sent and the mailbox is synchronized

E-Mail Vulnerabilities

Several e-mail vulnerabilities can be exploited by attackers:
- Malware
- Spam
- Hoaxes

Malware

Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware

E-mail is the malware transport mechanism of choice for two reasons:

1. Because almost all Internet users have e-mail, it has the broadest base for attacks

2. Malware can use e-mail to propagate itself

Malware (continued)

Users must be educated about how malware can enter a system through e-mail, and policies must be enacted to reduce the risk of infection:
- E-mail users should never open attachments with executable or script file extensions such as .bat, .ade, .usf, .exe, and .pif; mail clients and gateways commonly block these types outright, and a file's real type should be checked rather than trusted from its name
- Antivirus software and e-mail gateway or firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
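
The attachment-name check behind the policy above, written as an added example (not code from the textbook). A real gateway also inspects the MIME type and the file's magic bytes; the point here is the three ways a naive name check fails: mixed case, double extensions such as invoice.pdf.exe, and trailing dots or spaces that Windows silently strips when it opens the file. The blocked-extension set is the textbook's list; the sample file names are constructed.

```python
"""Attachment-name policy check for an e-mail gateway (added example)."""

# The extensions the chapter tells users never to open.
BLOCKED_EXTENSIONS = {".bat", ".ade", ".usf", ".exe", ".pif"}


def effective_extension(filename):
    """Return the extension Windows would actually act on, lower-cased, or ''.

    - Trailing spaces and dots are removed: "run.exe ." opens as run.exe
    - Directory parts (either separator) are dropped
    - Only the LAST extension counts: "report.pdf.exe" is an executable
    """
    name = filename.rstrip(" .").lower()
    name = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1]


def is_blocked_attachment(filename, blocked=BLOCKED_EXTENSIONS):
    """True if the attachment name violates the policy."""
    return effective_extension(filename) in blocked


if __name__ == "__main__":
    # Constructed sample names, not from a real mailbox.
    for name in ("quarterly.pdf", "Invoice.PDF.EXE", "run.exe .", "C:\\tmp\\setup.bat", "README"):
        print(f"{name!r:28} blocked={is_blocked_attachment(name)}")
```

A gateway that took only the first extension, or compared case-sensitively, would pass the second and third names through.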

Spam

The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge

The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)

According to a Pew Internet & American Life Project survey, almost half of the approximately 30 billion e-mail messages sent each day are spam.

Spam is having a negative impact on e-mail users:
- 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
- 52% of users indicate spam has made them less trusting of e-mail in general
- 70% of users say spam has made being online unpleasant or annoying

Spam (continued)

- Filter e-mail at the edge of the network, before it reaches the internal SMTP server, with a dedicated spam or e-mail firewall appliance (for example, Barracuda)
- Use a blacklist of known spam sources to block mail that originates from them; because the From: address is trivially forged, effective blacklists key on the sending server's IP address (DNS-based blocklists) rather than on sender e-mail addresses
- Sophisticated e-mail filters can use Bayesian filtering: the user divides received e-mail messages into two piles, spam and not-spam; the filter counts which words appear more often in each pile and uses those frequencies to calculate a new message's probability of being spam or not spam
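
The two-pile method described above, carried through in code as an added example (not from the textbook). It is a naive Bayes classifier over word presence: each pile yields a per-word probability, the probabilities of the words in a new message are multiplied (in log space) under each hypothesis, and the result is normalized into a spam probability. The eight training messages are constructed for illustration; a real filter trains on thousands of user-sorted messages and tokenizes headers, HTML and URLs as well as words.

```python
"""Naive Bayes spam filter built from a spam pile and a ham pile (added example)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case word tokens, one occurrence per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # smoothing: a word unseen in a pile must not give P = 0
        self.word_docs = {"spam": Counter(), "ham": Counter()}   # messages in the pile containing the word
        self.n_docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Add one user-sorted message to the 'spam' or 'ham' pile."""
        self.n_docs[label] += 1
        self.word_docs[label].update(tokenize(text))

    def _log_score(self, words, label):
        n = self.n_docs[label]
        score = math.log(n / sum(self.n_docs.values()))     # prior: relative size of the pile
        for w in words:
            # Smoothed estimate of P(word appears in a message | pile)
            p = (self.word_docs[label][w] + self.alpha) / (n + 2 * self.alpha)
            score += math.log(p)
        return score

    def spam_probability(self, text):
        words = tokenize(text)
        log_spam = self._log_score(words, "spam")
        log_ham = self._log_score(words, "ham")
        # P(spam) = e^s / (e^s + e^h); use the difference so neither exponent overflows
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


# Constructed training piles (illustrative only, not real mail).
SPAM_PILE = [
    "WIN a FREE prize!!! Click here now to claim your cash",
    "Cheap meds online, no prescription needed, order now",
    "You have been selected for a free vacation, click to claim",
    "Lowest mortgage rates, refinance now, limited offer",
]
HAM_PILE = [
    "Meeting moved to 3pm tomorrow, bring the budget spreadsheet",
    "Can you review the patch for the SMTP relay before Friday",
    "Lunch on Thursday? The new place near the office",
    "Attached is the agenda for the security review meeting",
]


def build_filter():
    f = BayesFilter()
    for msg in SPAM_PILE:
        f.train(msg, "spam")
    for msg in HAM_PILE:
        f.train(msg, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for m in ("Claim your free prize now, click here",
              "Can we move the review meeting to Thursday"):
        print(f"{f.spam_probability(m):.4f}  {m}")
```

The smoothing term is what keeps a single never-seen word from zeroing out the whole product; the threshold is the user's choice of how many false positives to tolerate.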

Hoaxes

E-mail messages that contain false warnings or fraudulent offerings.

Unlike spam, hoaxes are almost impossible to filter automatically.

The defense against hoaxes is to ignore them and not forward them.

Hoaxes (continued)

Any e-mail message that seems too good (or too alarming) to be true probably is not true.

E-mail phishing is also a growing practice: a message that falsely identifies the sender as a trusted party (a bank, an administrator, a colleague) is sent to unsuspecting recipients to lure them into revealing credentials or other sensitive information, usually through a link to a look-alike site.

E-Mail Encryption

Two technologies protect the e-mail message itself, end to end, regardless of the servers it passes through (transport encryption such as TLS protects only each hop):
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Pretty Good Privacy (PGP)

Secure/MIME (S/MIME)

Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extensions (MIME) messages. MIME was originally intended to carry non-text content in e-mail. S/MIME binds keys to identities with X.509 certificates issued by a certificate authority (PGP, by contrast, relies on a web of trust). It provides:
- Digital signatures (sender authentication and non-repudiation)
- Message privacy (encryption)
- Tamper detection (integrity)
- Interoperability between compliant mail clients
- Seamless integration with MIME-capable clients

Pretty Good Privacy (PGP)

Functions much like S/MIME: it can digitally sign messages, encrypt them, or both. A user can sign an e-mail message without encrypting it, which lets recipients verify the sender and detect tampering but does not prevent anyone from reading the contents.

Encrypting a message with PGP is a hybrid process:
- PGP first compresses the message, which saves space and reduces patterns in the plaintext (the original rationale was enhanced resistance to cryptanalysis)
- It then creates a session key, a one-time-only secret key for a symmetric cipher; in the classic PGP implementations this random number was seeded from the timing of the user's mouse movements and keystrokes
- The message is encrypted with the session key, and the session key is encrypted with the recipient's public key, so only the holder of the matching private key can recover it and read the message

Pretty Good Privacy (PGP) (continued)

PGP uses a passphrase to encrypt the private key stored on the local computer, so a copied key file is useless without it.

Passphrase: a longer and more secure version of a password, typically composed of multiple words, and therefore more resistant to dictionary and brute-force attacks.

Examining WWW Vulnerabilities

Originally, Web pages were static: links on one page took you to another static page, and the content of a page did not change or move.

Dynamic content is content that can change, such as animated images or information customized to whoever is viewing the page. Dynamic content can also be used by attackers; this is sometimes called repurposed programming (using programming tools in ways more harmful than originally intended).

JavaScript

Popular technology used to make dynamic content.

When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user's computer.

The Web browser then executes that code with its built-in JavaScript interpreter (engine). Despite the name, JavaScript is not Java and does not run in the Java Virtual Machine.

JavaScript (continued)

Several defense mechanisms limit the harm a JavaScript program can do: the browser confines the script to its own page, so it cannot read or write arbitrary files on the local computer, and the same-origin policy stops it from reading data that belongs to other sites. (The claim that JavaScript "has no networking capabilities" is outdated: scripts can issue HTTP requests, but only within the limits the browser enforces.)

Other security concerns remain: a JavaScript program can capture information the user types or that the page holds and send it to an attacker's server without the user's knowledge or authorization; this is the payload of a typical cross-site scripting attack.

JavaScript security is therefore handled by restrictions enforced within the Web browser.

Java Applet

A separate program stored on a Web server and downloaded onto a user's computer along with the HTML code, to be run by the browser's Java Virtual Machine.

Applets can also be made into hostile programs. The sandbox is the defense against a hostile Java applet: it surrounds the program and keeps it away from private data and other resources on the local computer. Java applet programs should run within a sandbox.

Browsers no longer run applets and the applet API was removed in Java 11 (2018); the sandbox model, however, still describes how mobile code is contained today.

Java Applet (continued)

Two types of Java applets:
- Unsigned Java applet: program that does not come from a verifiable source and runs fully sandboxed
- Signed Java applet: carries a digital signature proving the program came from a particular publisher and has not been altered since signing; signed applets could request permissions beyond the sandbox, so the signature vouches for origin and integrity, not for safety

The primary defense against hostile Java applets is using the appropriate settings of the Web browser.

ActiveX

Set of technologies developed by Microsoft, an outgrowth of two other Microsoft technologies:
- Object Linking and Embedding (OLE)
- Component Object Model (COM)

Not a programming language but a set of rules for how applications should share information.

ActiveX (continued)

ActiveX controls are a specific way of implementing ActiveX. They can perform many of the same functions as a Java applet, but they do not run in a sandbox: a control runs as native code with the full privileges of the logged-on user on the Windows operating system. A control's Authenticode signature identifies its publisher but, as with signed applets, says nothing about whether the code is safe.

ActiveX controls are managed through Internet Explorer's security-zone settings and should be set to the most restrictive levels. ActiveX is supported only by Internet Explorer (and Edge's IE mode), not by modern browsers.

Cookies

Small files (or browser database entries) that contain user-specific information.

The need for cookies comes from Hypertext Transfer Protocol (HTTP) being stateless: each request is independent, so the server has no built-in way to recognize a returning user. Instead of asking the user for the same information each time they visit the site, the Web server stores it in a cookie on the local computer, and the browser sends it back with later requests; this is what lets a site deliver content customized to the visitor.

Attackers often target cookies because they can contain sensitive information (user names, session identifiers and other private data). A stolen session cookie lets an attacker act as the user without knowing the password, so session cookies should be marked Secure (sent only over HTTPS) and HttpOnly (not readable by page scripts).

Cookies (continued)

Cookies can be used to track which Web sites you view.

A first-party cookie is created by the Web site you are currently viewing (the site shown in the address bar).

A third-party cookie is created by a domain other than the one you are visiting. Browsers return a cookie only to the domain that set it, so www.b.org cannot simply read the A-ORG cookie from your hard drive; instead, when a page on www.a.org embeds content served from www.b.org (an advertisement, an image, a script), b.org sets and reads its own cookie on that embedded request. Because the same b.org content is embedded on many sites, that one cookie lets b.org correlate your visits across all of them.

Common Gateway Interface (CGI)

Set of rules that describes how a Web server communicates with other software on the server and vice versa

Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database

Common Gateway Interface (CGI) (continued)

CGI scripts create security risks when they:
- Do not filter user input properly
- Allow commands to be issued through values passed in Web URLs (command injection)

CGI security can be enhanced by:
- Properly configuring CGI (a dedicated cgi-bin directory, minimal privileges for the script's process)
- Disabling unnecessary CGI scripts or programs
- Checking program code that uses CGI for vulnerabilities
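
The two CGI failure modes above, shown side by side in an added example (not code from the textbook): a script that splices the URL's `user` parameter straight into a shell command string, and a hardened version that allow-lists the value and hands the program an argument list instead of a shell string. The `finger` lookup is a classic CGI idiom chosen for illustration; the functions build the command but do not execute it, so the example runs safely offline. The query strings are constructed.

```python
"""CGI input handling: unfiltered command string versus allow-listed argv (added example)."""
import re
import urllib.parse


def parse_query(query_string):
    """Decode the raw QUERY_STRING the Web server hands a CGI script."""
    return urllib.parse.parse_qs(query_string, keep_blank_values=True)


def vulnerable_command(query_string):
    """The unfiltered pattern: user input spliced into a shell command.

    Handing this string to os.system() or subprocess.run(..., shell=True)
    lets an attacker end the intended command with ';' and append their own.
    """
    user = parse_query(query_string).get("user", [""])[0]
    return "finger " + user


USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")    # POSIX-style login names


def is_valid_username(user):
    """Allow-list check: only characters a login name can contain."""
    return USERNAME_RE.fullmatch(user) is not None


def hardened_command(query_string):
    """Validate the input and return an argv list for subprocess.run (no shell)."""
    user = parse_query(query_string).get("user", [""])[0]
    if not is_valid_username(user):
        raise ValueError("rejected username: %r" % user)
    return ["finger", user]


SHELL_META = set(";|&`$()<>\n")


def has_shell_metacharacters(cmd):
    """Cheap detector a code reviewer or log scanner can run over built command strings."""
    return any(c in SHELL_META for c in cmd)


if __name__ == "__main__":
    attack = "user=alice%3Bcat+/etc/passwd"      # decodes to: alice;cat /etc/passwd
    print("vulnerable builds:", vulnerable_command(attack))
    print("hardened accepts :", hardened_command("user=alice"))
    try:
        hardened_command(attack)
    except ValueError as e:
        print("hardened rejects :", e)
```

Passing an argument list without a shell means the metacharacters never reach an interpreter; the allow-list is the second, independent layer.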

Securing Web Communications

The most common secure connection uses the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol.

One application of it is Hypertext Transfer Protocol over SSL/TLS (HTTPS).

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

The SSL protocol was developed by Netscape to securely transmit documents over the Internet. It uses public-key cryptography during the handshake to authenticate the server and agree on a secret session key, then encrypts the data transferred over the connection with a symmetric cipher under that key (the "private key" referred to here is this shared session key, not the server's private key).

SSL 2.0 was once the most widely supported version but has serious design flaws. Private Communication Technology (PCT), developed by Microsoft, was a similar and now obsolete protocol.

The last version of SSL is SSL 3.0. Both SSL 2.0 and SSL 3.0 are now prohibited (RFC 6176 and RFC 7568) and should be disabled on every server.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

The TLS protocol guarantees privacy and data integrity between applications communicating over the Internet. It is the successor to SSL, and the two are often referred to together as SSL/TLS. The SSL/TLS protocol is made up of two layers:
- TLS Handshake Protocol
- TLS Record Protocol

TLS 1.0 is the successor to SSL 3.0. It was followed by TLS 1.1, TLS 1.2 (RFC 5246) and the current version, TLS 1.3 (RFC 8446, 2018). TLS 1.0 and 1.1 were formally deprecated in 2021 (RFC 8996); new deployments should offer TLS 1.2 and 1.3 only.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)

The TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any application data is transmitted.

After the Handshake Protocol has set up the encryption algorithm, the message authentication code (MAC) and the keys via the key exchange, the Record Protocol fragments the application data, optionally compresses it, and applies the MAC and encryption. TLS compression was later shown to leak secrets (the CRIME attack) and was removed in TLS 1.3.

FORTEZZA is a US government security standard (a PC Card cryptographic token) that satisfies the Defense Message System security architecture. Its cryptographic mechanism provides message confidentiality, integrity, authentication and access control for messages, components and even systems. SSL 3.0 defined FORTEZZA cipher suites; they were dropped from TLS.
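
The two layers just described, as bytes on the wire: an added example (not from the textbook) that builds a ClientHello, parses the five-byte Record header and the four-byte Handshake header beneath it, and then flags what a TLS-inspecting sensor would flag. The message is constructed in `build_client_hello()`; the version numbers and cipher-suite code points are the registered values (the FORTEZZA suite is the SSL 3.0 one from the text), and the field walk follows the ClientHello layout of the RFCs.

```python
"""Parse a TLS Record carrying a ClientHello and assess what it offers (added example)."""
import os
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CONTENT_HANDSHAKE, HANDSHAKE_CLIENT_HELLO = 0x16, 0x01

CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                   # TLS 1.3
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    # TLS 1.2, forward secrecy
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",            # legacy, no forward secrecy
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",                 # RC4, prohibited by RFC 7465
    0x001D: "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA",   # SSL 3.0 only, dropped from TLS
}
WEAK_SUITES = {0x000A, 0x0005, 0x001D}


def build_client_hello(client_version, suites, record_version=0x0301):
    """Construct Record(Handshake(ClientHello)). Clients put TLS 1.0 in the record
    header for middlebox compatibility, whatever version they actually want."""
    body = struct.pack("!H", client_version) + os.urandom(32)      # version + 32-byte random
    body += b"\x00"                                                # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                            # one compression method: null
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Walk the Record layer, then the Handshake layer, then the ClientHello fields."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", data[:5])   # Record header
    if ctype != CONTENT_HANDSHAKE or len(data) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = data[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")         # Handshake header
    if hs_type != HANDSHAKE_CLIENT_HELLO or len(hs) != 4 + hs_len:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                                    # skip client random
    sid_len = body[pos]
    pos += 1 + sid_len
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    comp_len = body[pos]
    compression = list(body[pos + 1:pos + 1 + comp_len])
    return {"record_version": rec_version, "client_version": client_version,
            "cipher_suites": suites, "compression": compression}


def assess(hello):
    """Findings a TLS-inspecting sensor would raise on this ClientHello."""
    findings = []
    v = hello["client_version"]
    if v < 0x0303:      # TLS 1.3 clients still send 0x0303 here and negotiate 1.3 via an extension
        findings.append("legacy protocol version offered: " + VERSIONS.get(v, hex(v)))
    for s in hello["cipher_suites"]:
        if s in WEAK_SUITES:
            findings.append("weak cipher suite offered: " + CIPHER_SUITES.get(s, hex(s)))
    if any(c != 0 for c in hello["compression"]):
        findings.append("TLS compression offered (CRIME attack surface)")
    return findings


if __name__ == "__main__":
    modern = parse_client_hello(build_client_hello(0x0303, [0x1301, 0xC02F, 0x000A]))
    legacy = parse_client_hello(build_client_hello(0x0300, [0x001D], record_version=0x0300))
    for name, h in (("modern", modern), ("legacy", legacy)):
        print(name, VERSIONS[h["client_version"]], [CIPHER_SUITES[s] for s in h["cipher_suites"]])
        print("  ", assess(h) or ["no findings"])
```

The parser validates each layer's length against the bytes actually present before reading inside it; a record whose header claims more than it carries is rejected rather than indexed past the end.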

Hypertext Transfer Protocol over SSL/TLS (HTTPS)

One common use of SSL/TLS is to secure HTTP communication between a browser and a Web server. This is "plain" HTTP sent over an SSL/TLS connection, named Hypertext Transfer Protocol over SSL and designated HTTPS (the https:// URL scheme, TCP port 443 by default). Because SSL/TLS creates a secure connection between a client and a server, any amount of HTTP traffic, requests and responses alike, can be sent securely over it.

The contrast sometimes drawn between securing the connection and securing individual messages is the contrast between HTTPS and Secure HTTP (S-HTTP, RFC 2660), a separate message-level scheme that never saw wide adoption; it is not a difference between SSL/TLS and HTTPS.

Summary

Protecting basic communication systems is a key to resisting attacks

E-mail attacks can be malware, spam, or hoaxes

Web vulnerabilities can open systems up to a variety of attacks

A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code

Summary (continued)

ActiveX controls present serious security concerns because of the functions that a control can execute

A cookie is a computer file that contains user-specific information

CGI is a set of rules that describe how a Web server communicates with other software on the server

The popularity of instant messaging (IM) has made it a tool that many organizations now use alongside e-mail