Lecture Security+ Certification: Chapter 6 - Trung tâm Athena


Document information

Chapter 6 - Email and web security. The main contents of this chapter include all of the following: Protect e-mail systems, list World Wide Web vulnerabilities, secure web communications, secure instant messaging.

Chapter 6: Email and Web Security
ATHENA

Objectives in this chapter
▪ Protect e-mail systems
▪ List World Wide Web vulnerabilities
▪ Secure Web communications
▪ Secure instant messaging

Protecting E-Mail Systems
▪ E-mail has replaced the fax machine as the primary communication tool for businesses
▪ Has also become a prime target of attackers and must be protected

How E-Mail Works
▪ Use two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
  • Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  • Post Office Protocol (POP3 for the current version) handles incoming mail
▪ The SMTP server on most machines uses sendmail to do the actual sending; its queue of outgoing messages is called the sendmail queue
▪ Sendmail tries to resend queued messages periodically (about every 15 minutes)
▪ Downloaded messages are erased from the POP3 server
▪ Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
▪ Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems
  • E-mail remains on the e-mail server
▪ E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
▪ Non-text documents must be converted into text format before being transmitted
▪ Three bytes from the binary file are extracted and converted to four text characters

E-Mail Vulnerabilities
▪ Several e-mail vulnerabilities can be exploited by attackers:
  • Malware
  • Spam
  • Hoaxes

Malware
▪ Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
▪ E-mail is the malware transport mechanism of choice for two reasons:
  • Because almost all Internet users have e-mail, it has the broadest base for attacks
  • Malware can use e-mail to propagate itself

Malware (continued)
▪ A worm can enter a user's computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages
▪ E-mail clients can be particularly susceptible to macro viruses
  • A macro is a script that records the steps a user performs
  • A macro virus uses macros to carry out malicious functions

Cookies (continued)
▪ Can be used to determine which Web sites you view
▪ First-party cookie is created from the Web site you are currently viewing
▪ Some Web sites attempt to access cookies they did not create
  • If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
  • Now known as a third-party cookie because it was not created by the Web site that attempts to access the cookie

Common Gateway Interface (CGI)
▪ Set of rules that describes how a Web server communicates with other software on the server and vice versa
▪ Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database
▪ CGI scripts create security risks
  • Do not filter user input properly
  • Can issue commands via Web URLs
▪ CGI security can be enhanced by:
  • Properly configuring CGI
  • Disabling unnecessary CGI scripts or programs
  • Checking program code that uses CGI for any vulnerabilities

8.3 Naming Conventions
▪ Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
▪ Called the 8.3 naming convention
▪ Recent versions of Windows allow filenames to contain up to 256 characters
▪ To maintain backward compatibility with DOS, Windows automatically creates an 8.3 "alias" filename for every long filename
▪ The 8.3 naming convention introduces a security vulnerability with some Web servers
  • Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
▪ Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database
  • In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories

Securing Web Communications
▪ Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
▪ One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
▪ SSL protocol developed by Netscape to securely transmit documents over the Internet
  • Uses private key to encrypt data transferred over the SSL connection
  • Version 2.0 is most widely supported version
  • Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
▪ TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
  • An extension of SSL; they are often referred to as SSL/TLS
▪ SSL/TLS protocol is made up of two layers
▪ TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
▪ FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
  • Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)
▪ One common use of SSL is to secure Web HTTP communication between a browser and a Web server
  • This version is "plain" HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
▪ Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
▪ Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Securing Instant Messaging
▪ Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
▪ Instant messaging (IM) is a complement to e-mail that overcomes these
  • Allows sender to enter short messages that the recipient sees and can respond to immediately
▪ Some tasks that you can perform with IM:
  • Chat
  • Images
  • Sounds
  • Files
  • Talk
  • Streaming content
▪ Steps to secure IM include:
  • Keep the IM server within the organization's firewall and only permit users to send and receive messages with trusted internal workers
  • Enable IM virus scanning
  • Block all IM file transfers
  • Encrypt messages

Summary
▪ Protecting basic communication systems is a key to resisting attacks
▪ E-mail attacks can be malware, spam, or hoaxes
▪ Web vulnerabilities can open systems up to a variety of attacks
▪ A Java applet is a separate program stored on the Web server and downloaded onto the user's computer along with the HTML code
▪ ActiveX controls present serious security concerns because of the functions that a control can execute
▪ A cookie is a computer file that contains user-specific information
▪ CGI is a set of rules that describe how a Web server communicates with other software on the server
▪ The popularity of IM has made this a tool that many organizations are now using with e-mail
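
The CGI risks listed in the slides above (user input not filtered, commands issued via Web URLs) shown as a "before" and "after" pair. This is an added example, not part of the original lecture; the `file` parameter, the `wc -l` command and the `/var/log/app` directory are assumptions chosen for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumed setup: a CGI script that reports the line count of a log file
# named in the URL, e.g. /cgi-bin/count?file=app.log. In a real CGI
# script the query string arrives in os.environ["QUERY_STRING"].
LOG_DIR = "/var/log/app"
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}\.log")


def unsafe_command(query_string):
    """'Before': the URL parameter is pasted into a shell command line."""
    name = parse_qs(query_string).get("file", [""])[0]
    # A shell also interprets ; | & and $() in this string, so the
    # parameter can carry a second command.
    return f"wc -l {LOG_DIR}/{name}"


def safe_argv(query_string):
    """'After': allowlist the value and build an argv list (no shell)."""
    values = parse_qs(query_string).get("file", [])
    # Exactly one value, and it must look like a plain log file name.
    if len(values) != 1 or not SAFE_NAME.fullmatch(values[0]):
        raise ValueError("rejected 'file' parameter")
    # "--" stops option parsing; pass the list to subprocess.run()
    # with shell=False so no shell ever sees the value.
    return ["wc", "-l", "--", f"{LOG_DIR}/{values[0]}"]


def is_rejected(query_string):
    """True when the hardened handler refuses the request."""
    try:
        safe_argv(query_string)
    except ValueError:
        return True
    return False
```
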

... from their e-mail addresses
▪ Sophisticated e-mail filters can use Bayesian filtering
  • User divides e-mail messages received into two piles, spam and not-spam

Hoaxes
▪ E-mail messages...
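
The Bayesian filtering bullet above, carried through as an added example that is not part of the original lecture. It goes beyond the slide text: the word counting, add-one smoothing and scoring are the standard naive Bayes technique, and the two sample piles are constructed for illustration.

```python
import math
import re
from collections import Counter


def tokens(text):
    """Lower-cased word tokens from a message body."""
    return re.findall(r"[a-z0-9']+", text.lower())


class BayesFilter:
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.msgs = {"spam": 0, "ham": 0}

    def train(self, pile, text):
        """Add one user-sorted message to the 'spam' or 'ham' pile."""
        self.words[pile].update(tokens(text))
        self.msgs[pile] += 1

    def spam_probability(self, text):
        """P(spam | words), computed in log space with add-one smoothing."""
        if not all(self.msgs.values()):
            raise ValueError("train both piles first")
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        total = sum(self.msgs.values())
        score = {}
        for pile in ("spam", "ham"):
            n = sum(self.words[pile].values())
            s = math.log(self.msgs[pile] / total)   # prior from pile sizes
            for w in tokens(text):
                s += math.log((self.words[pile][w] + 1) / (n + vocab))
            score[pile] = s
        diff = min(score["ham"] - score["spam"], 700)  # avoid exp() overflow
        return 1 / (1 + math.exp(diff))


# Constructed sample piles (not real mail).
SPAM = ["Win a free prize now", "Cheap pills free shipping",
        "Claim your free prize today"]
HAM = ["Meeting moved to Monday", "Please review the attached report",
       "Lunch on Monday?"]


def build_demo_filter():
    """Train a filter on the two constructed piles."""
    f = BayesFilter()
    for m in SPAM:
        f.train("spam", m)
    for m in HAM:
        f.train("ham", m)
    return f
```
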

Date posted: 30/01/2020, 12:08