Chapter 6: Web Security
Security+ Guide to Network Security Fundamentals
Second Edition
Security+ Guide to Network Security Fundamentals, 2e
2
Objectives
• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging
Protecting E-Mail Systems
• E-mail has replaced the fax machine as the primary communication tool for businesses
• Has also become a prime target of attackers and must be protected
How E-Mail Works
• E-mail uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
– Simple Mail Transfer Protocol (SMTP) handles outgoing mail
– Post Office Protocol (POP3 for the current version) handles incoming mail
• The SMTP server on most machines uses sendmail to do the actual sending; messages waiting to be sent are held in the sendmail queue
How E-Mail Works (continued)
• Sendmail tries to resend queued messages periodically (about every 15 minutes)
• Downloaded messages are erased from POP3 server
• Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
• Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems
– E-mail remains on the e-mail server
How E-Mail Works (continued)
• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
• Non-text documents must be converted into text format before being transmitted
• Three bytes from the binary file are extracted and converted to four text characters
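The three-bytes-to-four-characters conversion described above is Base64, the encoding MIME uses for binary attachments. The following is an added example, not code from the textbook: it implements the 3-to-4 byte grouping by hand, checks it against Python's base64 module, and builds a MIME message to show that the attachment part is marked Content-Transfer-Encoding: base64. The addresses and the payload are constructed sample data.

```python
import base64
from email.message import EmailMessage

# Base64 alphabet: 64 printable characters, each standing for one 6-bit group.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_base64(data: bytes) -> str:
    """Hand-rolled Base64: each 3 input bytes (24 bits) become 4 text characters (6 bits each)."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                      # 0, 1 or 2 missing bytes in the last group
        n = int.from_bytes(chunk + b"\x00" * pad, "big")
        groups = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        text = "".join(ALPHABET[g] for g in groups)
        # '=' replaces output characters that came only from padding bytes
        out.append(text[:4 - pad] + "=" * pad)
    return "".join(out)


def decode_base64(text: str) -> bytes:
    """Inverse: each 4 characters give back 3 bytes, minus any '=' padding."""
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        n = 0
        for ch in quad.replace("=", "A"):         # padding contributes zero bits
            n = (n << 6) | ALPHABET.index(ch)
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def build_message(attachment: bytes, filename: str) -> EmailMessage:
    """Wrap a binary attachment in a MIME message; the stdlib picks base64 for binary parts."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"             # constructed sample addresses
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Report attached"
    msg.set_content("See the attached file.")
    msg.add_attachment(attachment, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def attachment_encoding(msg: EmailMessage) -> str:
    """Return the Content-Transfer-Encoding header of the first attachment part."""
    part = next(msg.iter_attachments())
    return part["Content-Transfer-Encoding"]


if __name__ == "__main__":
    sample = bytes(range(256))                    # constructed binary payload
    assert encode_base64(sample) == base64.b64encode(sample).decode("ascii")
    assert decode_base64(encode_base64(sample)) == sample
    msg = build_message(sample, "report.bin")
    print(attachment_encoding(msg), len(sample), "bytes ->",
          len(encode_base64(sample)), "text characters")
```

The 4/3 size growth (256 bytes become 344 characters) is why large attachments inflate message size, and why mail gateways that scan attachments must decode the part before looking for malware.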
E-Mail Vulnerabilities
• Several e-mail vulnerabilities can be exploited by attackers:
– Malware
– Spam
– Hoaxes
Malware
• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice for two reasons:
– Because almost all Internet users have e-mail, it has the broadest base for attacks
– Malware can use e-mail to propagate itself
Malware (continued)
• A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages
• E-mail clients can be particularly susceptible to macro viruses
– A macro is a script that records the steps a user performs
– A macro virus uses macros to carry out malicious functions
Malware (continued)
• Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
– E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
• Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
• Procedures including turning off ports and eliminating open mail relay servers must be developed and enforced
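An open mail relay is an SMTP server that accepts mail from anyone for delivery to anyone, which is what spammers look for. The following added example (not from the textbook) models the RCPT TO decision a mail server makes: local recipients are always accepted, relaying to outside domains is allowed only for authenticated or internal clients, and everything else gets a relay-denied reply. The domains, networks and sample requests are constructed, and the open_relay flag reproduces the weak configuration for comparison.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for a hypothetical organisation: mail for these domains is
# delivered locally; relaying anywhere else requires an authenticated or internal client.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class RcptRequest:
    client_ip: str        # address the SMTP client connected from
    authenticated: bool   # did the client complete SMTP AUTH?
    mail_from: str
    rcpt_to: str


def domain_of(address: str) -> str:
    if "@" not in address:
        raise ValueError("address has no domain part")
    return address.rsplit("@", 1)[1].lower()


def relay_decision(req: RcptRequest, open_relay: bool = False) -> tuple:
    """Return the SMTP reply (code, text) for one RCPT TO command.

    open_relay=True reproduces the weak configuration: every recipient is accepted
    no matter who is asking, which is what lets spammers use the server.
    """
    if open_relay:
        return (250, "OK")
    if domain_of(req.rcpt_to) in LOCAL_DOMAINS:
        return (250, "OK, local delivery")
    client = ipaddress.ip_address(req.client_ip)
    if req.authenticated or any(client in net for net in INTERNAL_NETWORKS):
        return (250, "OK, relaying for authorized client")
    return (554, "5.7.1 Relay access denied")


def denied_relay_attempts(requests) -> list:
    """Log-review helper: client IPs whose relay attempts were refused."""
    return [r.client_ip for r in requests if relay_decision(r)[0] == 554]


if __name__ == "__main__":
    # constructed sample of RCPT commands seen by the server
    sample = [
        RcptRequest("203.0.113.7", False, "friend@partner.net", "bob@example.com"),
        RcptRequest("203.0.113.7", False, "spammer@partner.net", "victim@other.org"),
        RcptRequest("10.20.30.40", False, "alice@example.com", "carol@other.org"),
        RcptRequest("198.51.100.9", True, "alice@example.com", "carol@other.org"),
    ]
    for r in sample:
        print(r.client_ip, "->", r.rcpt_to, relay_decision(r))
    print("denied relay from:", denied_relay_attempts(sample))
```

A real MTA applies this check per recipient before accepting the message body, so a refused relay costs the server almost nothing; repeated 554 replies from one address are also a useful signal for the edge filter described in the Spam section.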
Spam
• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003
Spam (continued)
• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
– 52% of users indicate spam has made them less trusting of e-mail in general
– 70% of users say spam has made being online unpleasant or annoying
Spam (continued)
• Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
• Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian filtering
– User divides e-mail messages received into two piles, spam and not-spam
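The two piles the user sorts mail into are the training data for a Bayesian filter. The following added example (not code from the textbook) is a small naive Bayes classifier: it counts which words appear in the spam pile and which in the not-spam pile, then scores a new message by how much more likely its words are under one pile than the other. The training messages are constructed samples; the Laplace smoothing and the log-space arithmetic are standard choices that the slide does not spell out.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text: str) -> set:
    """Lower-case word tokens; a set, so each word counts once per message."""
    return set(TOKEN.findall(text.lower()))


class BayesianFilter:
    """Naive Bayes spam filter trained from the user's 'spam' and 'not-spam' piles."""

    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.message_counts = {"spam": 0, "ham": 0}

    def train(self, text: str, label: str) -> None:
        self.message_counts[label] += 1
        self.word_counts[label].update(tokenize(text))

    def spam_probability(self, text: str) -> float:
        total = self.message_counts["spam"] + self.message_counts["ham"]
        vocab = len(set(self.word_counts["spam"]) | set(self.word_counts["ham"]))
        log_scores = {}
        for label in ("spam", "ham"):
            # log prior + sum of log likelihoods; Laplace smoothing (+1) keeps a
            # word never seen in one pile from zeroing that pile out entirely
            score = math.log(self.message_counts[label] / total)
            denom = sum(self.word_counts[label].values()) + vocab
            for word in tokenize(text):
                score += math.log((self.word_counts[label][word] + 1) / denom)
            log_scores[label] = score
        # turn the two log scores back into a normalised probability of spam
        shift = max(log_scores.values())
        p_spam = math.exp(log_scores["spam"] - shift)
        p_ham = math.exp(log_scores["ham"] - shift)
        return p_spam / (p_spam + p_ham)

    def classify(self, text: str, threshold: float = 0.5) -> str:
        return "spam" if self.spam_probability(text) >= threshold else "not-spam"


def trained_filter() -> BayesianFilter:
    """Build a filter from a constructed training set: the two piles."""
    f = BayesianFilter()
    spam_pile = [
        "FREE offer!!! Click here to claim your prize money now",
        "Cheap meds online, free shipping, click now",
        "You won a prize, claim your money today",
        "Limited offer: cheap loans, apply now",
    ]
    ham_pile = [
        "Can we move the project meeting to tomorrow afternoon?",
        "Attached are the notes from today's budget review",
        "Reminder: quarterly report due Friday, see attached",
        "Lunch tomorrow? The new place near the office",
    ]
    for m in spam_pile:
        f.train(m, "spam")
    for m in ham_pile:
        f.train(m, "ham")
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("Claim your free prize money now",
                "Notes from the project meeting are attached"):
        print(f"{f.spam_probability(msg):.3f}  {f.classify(msg):9s}  {msg}")
```

Because the scores come from the user's own mail, the filter adapts to that user's vocabulary; the price is that it needs a reasonable number of messages in each pile before the probabilities become meaningful, and it must keep learning as spammers change their wording.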
Hoaxes
• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, hoaxes are almost impossible to filter
• Defense against hoaxes is to ignore them
Hoaxes (continued)
• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as someone else is sent to unsuspecting recipients
E-Mail Encryption
• Two technologies used to protect e-mail messages as they are being transported:
– Secure/Multipurpose Internet Mail Extensions
– Pretty Good Privacy
Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
• Provides these features:
– Digital signatures
– Message privacy
– Tamper detection
– Interoperability
– Seamless integration
Pretty Good Privacy (PGP)
• Functions much like S/MIME by encrypting messages and using digital signatures
• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
• First compresses the message
– Reduces patterns and enhances resistance to cryptanalysis
• Creates a session key (a one-time-only secret key)
– This key is a number generated from random movements of the mouse and keystrokes typed
Pretty Good Privacy (PGP) (continued)
• Uses a passphrase to encrypt the private key on the local computer
• Passphrase:
– A longer and more secure version of a password
– Typically composed of multiple words
– More secure against dictionary attacks
Examining World Wide Web Vulnerabilities
• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• SMTP relay attacks allow spammers to send thousands of e-mail messages to users
• Web programming tools provide another foothold for Web attacks
• Dynamic content can also be used by attackers
– Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)
JavaScript
• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer
• The Web browser then executes that code within the browser using the Virtual Machine (VM)―a Java interpreter
JavaScript (continued)
• Several defense mechanisms prevent JavaScript programs from causing serious harm:
– JavaScript does not support certain capabilities
– JavaScript has no networking capabilities
• Other security concerns remain:
– JavaScript programs can capture and send user information without the user’s knowledge or authorization
– JavaScript security is handled by restrictions within the Web browser
Java Applet
• A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code
• Can also be made into hostile programs
• Sandbox is a defense against a hostile Java applet
– Surrounds program and keeps it away from private data and other resources on a local computer
• Java applet programs should run within a sandbox
Java Applet (continued)
• Two types of Java applets:
– Unsigned Java applet: program that does not come from a trusted source
– Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
• The primary defense against Java applets is using the appropriate settings of the Web browser
ActiveX
• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies:
– Object Linking and Embedding (OLE)
– Component Object Model (COM)
• Not a programming language but a set of rules for how applications should share information
ActiveX (continued)
• ActiveX controls represent a specific way of implementing ActiveX
– Can perform many of the same functions of a Java applet, but do not run in a sandbox
– Have full access to Windows operating system
• ActiveX controls are managed through Internet Explorer
• ActiveX controls should be set to most restricted levels
Cookies
• Computer files that contain user-specific information
• Need for cookies is based on Hypertext Transfer Protocol (HTTP)
• Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer
• Attackers often target cookies because they can contain sensitive information (usernames and other private information)
Cookies (continued)
• Can be used to determine which Web sites you view
• First-party cookie is created from the Web site you are currently viewing
• Some Web sites attempt to access cookies they did not create
– If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
– Now known as a third-party cookie because it was not created by Web site that attempts to access the cookie
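Whether a cookie is first-party or third-party is decided by comparing the cookie's domain with the host of the page being viewed. The following added example (not from the textbook) does that comparison using the slide's www.b.org / A-ORG scenario, and also parses a Set-Cookie header with the standard library to flag cookies that lack the Secure and HttpOnly protections that limit how much an attacker can do with a stolen cookie. The header values are constructed samples.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def cookie_party(page_url: str, cookie_domain: str) -> str:
    """'first-party' if the cookie's domain is the site being viewed (or a parent
    domain of it), otherwise 'third-party'."""
    host = (urlsplit(page_url).hostname or "").lower()
    domain = cookie_domain.lower().lstrip(".")
    if host == domain or host.endswith("." + domain):
        return "first-party"
    return "third-party"


def audit_set_cookie(page_url: str, set_cookie_value: str) -> list:
    """Parse one Set-Cookie header; report who owns the cookie and what it lacks."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    host = urlsplit(page_url).hostname or ""
    findings = []
    for name, morsel in jar.items():
        domain = morsel["domain"] or host      # no Domain attribute => host-only cookie
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure (also sent over plain HTTP)")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly (readable by page scripts)")
        findings.append({"name": name, "domain": domain,
                         "party": cookie_party(page_url, domain), "issues": issues})
    return findings


if __name__ == "__main__":
    page = "https://www.b.org/index.html"
    # constructed headers: one set by an embedded a.org resource, one by b.org itself
    for header in ("A-ORG=track123; Domain=a.org",
                   "session=9f1c2e; Domain=.b.org; Secure; HttpOnly"):
        for f in audit_set_cookie(page, header):
            print(f["name"], f["party"], f["issues"])
```

The attribute check matters because the slide's concern, an attacker reading sensitive data out of cookies, is largely mitigated by HttpOnly (scripts on the page cannot read the cookie) together with Secure (the cookie never travels over an unencrypted connection).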
Common Gateway Interface (CGI)
• Set of rules that describes how a Web server communicates with other software on the server and vice versa
• Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database
Common Gateway Interface (CGI) (continued)
• CGI scripts create security risks
– Do not filter user input properly
– Can issue commands via Web URLs
• CGI security can be enhanced by:
– Properly configuring CGI
– Disabling unnecessary CGI scripts or programs
– Checking program code that uses CGI for any vulnerabilities
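The two CGI risks listed above, unfiltered input and commands issued through a URL, usually come together: a parameter from the query string is pasted into an operating-system command. The following added example (not from the textbook) shows a vulnerable request handler beside its hardened form. The hardened version validates the parameter against a hostname pattern and builds an argument list so that no shell ever interprets the input. The ping-style command and the query strings are constructed; the helpers run nothing during the checks.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Hostname whitelist: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def first_param(query_string: str, name: str) -> str:
    return parse_qs(query_string).get(name, [""])[0]


def unsafe_command(query_string: str) -> str:
    """Vulnerable pattern: the 'host' parameter is concatenated into a shell command line.
    Returned as a string here rather than executed, so the defect can be inspected."""
    return "ping -c 1 " + first_param(query_string, "host")   # ';' etc. reach the shell


def validate_hostname(value: str) -> str:
    """Reject anything that is not a plain hostname; raises ValueError on bad input."""
    if not value or len(value) > 253 or not HOSTNAME.match(value):
        raise ValueError("invalid hostname")
    return value


def safe_command(query_string: str) -> list:
    """Hardened form: whitelist-validate the parameter and return an argv list,
    which subprocess passes to the program directly (no shell parsing)."""
    host = validate_hostname(first_param(query_string, "host"))
    return ["ping", "-c", "1", host]


def handle_request(query_string: str) -> tuple:
    """CGI-style dispatcher: (HTTP status, argv or error text)."""
    try:
        return (200, safe_command(query_string))
    except ValueError as exc:
        return (400, f"Bad Request: {exc}")


if __name__ == "__main__":
    # constructed query strings; %3B is a URL-encoded ';'
    for qs in ("host=www.example.com", "host=www.example.com%3Bid"):
        print("unsafe would run :", unsafe_command(qs))
        print("hardened response:", handle_request(qs))
    status, argv = handle_request("host=localhost")
    if status == 200:
        try:
            subprocess.run(argv, capture_output=True, text=True, timeout=5)
        except (OSError, subprocess.TimeoutExpired) as exc:
            print("ping not available here:", exc)
```

Reviewing CGI code for this pattern is the third mitigation the slide lists: look for every place a request parameter reaches os.system, a shell, a file path or a database query, and confirm that the value was validated against an allow-list and passed without string concatenation.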
8.3 Naming Conventions
• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames to contain up to 256 characters
• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 “alias” filename for every long filename
8.3 Naming Conventions (continued)
• The 8.3 naming convention introduces a security vulnerability with some Web servers
– Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
• Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database
– In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories
Securing Web Communications
• Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
• One implementation is the Hypertext Transport Protocol over Secure Sockets Layer
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• SSL protocol developed by Netscape to securely transmit documents over the Internet
– Uses private key to encrypt data transferred over the SSL connection
– Version 2.0 is most widely supported version
– Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
• TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
– An extension of SSL; they are often referred to as SSL/TLS
• SSL/TLS protocol is made up of two layers
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
• TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
• FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
– Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems
Secure Hypertext Transport Protocol (HTTPS)
• One common use of SSL is to secure Web HTTP communication between a browser and a Web server
– This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
• Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
• Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely
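The handshake negotiates keys and algorithms, but the authentication it provides only helps if the client actually verifies the server's certificate and refuses obsolete protocol versions. The following added example (not from the textbook) uses Python's ssl module to build a permissive HTTPS client context beside a hardened one and to audit either for the weak settings. The hostname in the main block is a placeholder; nothing is contacted during the checks.

```python
import ssl
import socket


def permissive_client_context() -> ssl.SSLContext:
    """Weak setting: traffic is encrypted, but the server's certificate is never checked,
    so the client cannot tell whom it is really talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected setting: require a valid certificate chain from the system CA store,
    match the certificate to the hostname, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname + default CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression leaks plaintext length
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the misconfigurations found in a client context (empty list = none)."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not matched against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("pre-TLS 1.2 protocol versions allowed")
    return findings


def https_connect(ctx: ssl.SSLContext, host: str, port: int = 443) -> str:
    """Perform the handshake and return the negotiated protocol version.
    Raises ssl.SSLCertVerificationError with the hardened context if the
    server presents a certificate the client cannot validate."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name:10s} findings: {audit_context(ctx) or 'none'}")
    try:  # placeholder host; replace with a server you operate
        print(https_connect(hardened_client_context(), "www.example.com"))
    except (OSError, ssl.SSLError) as exc:
        print("no connection made:", exc)
```

The audit function is the kind of check worth running over any in-house HTTPS client code: a context with CERT_NONE still shows a padlock-style encrypted session, which is exactly why a permissive client is easy to overlook.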
Securing Instant Messaging
• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
• Instant messaging (IM) is a complement to e-mail that overcomes these delays
– Allows the sender to enter short messages that the recipient sees and can respond to immediately
Securing Instant Messaging (continued)
• Some tasks that you can perform with IM:
– Chat
– Images
– Sounds
– Files
– Talk
– Streaming content
Securing Instant Messaging (continued)
• Steps to secure IM include:
– Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers
– Enable IM virus scanning
– Block all IM file transfers
– Encrypt messages
Summary
• Protecting basic communication systems is a key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a variety of attacks
• A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code
Summary (continued)
• ActiveX controls present serious security concerns because of the functions that a control can execute
• A cookie is a computer file that contains user-specific information
• CGI is a set of rules that describe how a Web server communicates with other software on the server
• The popularity of IM has made this a tool that many organizations are now using with e-mail