New Perspectives on the Internet, 6th edition


Tutorial 9
Security on the Internet and the Web
Objectives
• Explore the basics of security: secrecy, integrity,
and necessity
• Find out what hackers and crackers can do and
why they do it
• Learn about the dangers of online crime,
warfare, and terrorism
• Investigate how to protect copyrighted materials
that are published on the Internet
New Perspectives on The Internet, Seventh Edition—Comprehensive
Objectives
• Understand Web client threats and
countermeasures
• Learn about online communication channel
threats and countermeasures
• Learn about Web server threats and
countermeasures
• Find out how to get more information and
current updates about online security
Understanding Security Basics: Secrecy, Integrity, and Necessity
• Security is broadly defined as the protection of assets
from unauthorized access, use, alteration, or
destruction
• Physical security includes tangible protection devices,
such as locks, alarms, fireproof doors, security fences,
safes or vaults, and bombproof buildings
• Protection of assets using non-physical means is called
logical security
• Logical security may also be broadly called computer
security
Understanding Security Basics: Secrecy, Integrity, and Necessity
• Threat: any act or object that endangers an asset
• Countermeasure: general name for a procedure, either
physical or logical, that recognizes, reduces, or
eliminates a threat
• Countermeasures can recognize and manage threats or
they can eliminate them
• An individual or organization can ignore threats that are
deemed low risk and less likely to occur when the cost
to protect against the threat exceeds the value of the
protected asset
Risk Management Model (figure)
Understanding Security Basics: Secrecy, Integrity, and Necessity
• To implement a good security scheme, identify
the risk, determine how to protect the affected
asset, and calculate the cost of the resources you
can allocate to protect the asset
• Computer security can be classified into several
categories:
– Secrecy
– Integrity
– Necessity
Understanding Security Basics: Secrecy, Integrity, and Necessity
• Secrecy prevents unauthorized data disclosure and
ensures the authenticity of the data’s source
• Integrity prevents unauthorized data modification
• Necessity prevents data delays (slowing down the
transmission of data) or denials (preventing data from
getting to its destinations)
• Internet users and businesses with Web sites need to
take appropriate countermeasures in each of these
three categories to protect themselves and the
computers they use to connect to the Internet
Secrecy and Encryption
• Encryption: process of coding information using
a mathematical algorithm to produce a string of
characters that is unreadable
• Decryption: process of reversing encryption to recover the original text
• Cipher text: encrypted information
• Plain text: unencrypted information
• Cryptography: the study of ways to secure
information
Secrecy and Encryption
• Private-key encryption (symmetric encryption):
– Uses a single key that is known by the sender and
receiver
– Key might be a password or a number generated by a
special device
– Works well in a highly controlled environment
Private-key (Symmetric) Encryption (figure)
Secrecy and Encryption
• Public-key encryption (asymmetric encryption):
– Uses a public key and a private or secret key
– Public key is known to everyone
– Private or secret key is known only to the person
involved in the exchange
– Each person has a private key that is secret and a
public key that is shared with other users
– Messages encrypted with a private key must be
decrypted with the public key, and vice versa
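The two schemes side by side, as an added example that is not from the textbook. The symmetric half uses a shared key in both directions; the asymmetric half is textbook RSA on constructed toy primes (p=61, q=53, e=17), showing that whichever key of the pair is applied first, the other one undoes it, which is the property the last bullet states. The numbers are far too small and unpadded to be secure; they are there to make the arithmetic visible.

```python
"""Toy contrast between private-key (symmetric) and public-key (asymmetric)
encryption. Added example, not from the textbook. The RSA primes are tiny
constructed values and no padding is used, so this is for illustration only;
real deployments use 2048-bit keys with padding such as OAEP."""


# --- Private-key (symmetric): one shared secret, used in both directions ---
def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the message with the shared key (one-time-pad style).
    The key must be at least as long as the message and must never be reused."""
    if len(key) < len(plaintext):
        raise ValueError("key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation with the same key
symmetric_decrypt = symmetric_encrypt


# --- Public-key (asymmetric): textbook RSA on small numbers ---
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Return ((e, n), (d, n)): the public key and the private key.
    p and q are constructed toy primes; e must be coprime with (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """Raise m to the key's exponent modulo n. Applying one key of the pair
    undoes the other: public then private (encryption) or private then
    public (the direction used for digital signatures)."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, exp, n)


def demo() -> dict:
    """Run both schemes on constructed inputs and return the intermediate values."""
    shared_key = bytes(range(40, 60))           # constructed 20-byte shared key
    secret = b"meet at noon"
    ciphertext = symmetric_encrypt(shared_key, secret)

    public_key, private_key = rsa_keypair()
    m = 65                                      # a message encoded as a number
    c = rsa_apply(public_key, m)                # anyone can encrypt with the public key
    signature = rsa_apply(private_key, m)       # only the private-key holder can do this
    return {
        "symmetric_roundtrip": symmetric_decrypt(shared_key, ciphertext) == secret,
        "rsa_ciphertext": c,
        "rsa_decrypted": rsa_apply(private_key, c),
        "rsa_signature_checks": rsa_apply(public_key, signature) == m,
    }


if __name__ == "__main__":
    print(demo())
```

With these constants n is 3233 and d is 2753, so 65 encrypts to 2790 and decrypts back to 65. The symmetric half needs the key delivered to the receiver by some other secure route first, which is exactly the "highly controlled environment" the earlier slide refers to; the asymmetric half avoids that, at the cost of far more computation per message.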
Public-key (Asymmetric) Encryption (figure)
Secrecy and Encryption
• Encryption is considered to be weak or strong
based on its algorithm and the number of
characters in the encryption key
• Algorithm: formula or set of steps to solve a
particular problem
• Strong keys: keys that are 128 bits long
• Most browsers use 128-bit encryption when they
are in secure mode; also called strong
encryption
Integrity Threats
• Integrity threat: unauthorized party has the
chance to alter data while it is being transferred
over the Internet or while it is stored on a
computer
• Man-in-the-middle exploit: when the contents of an email are changed to negate the message’s original meaning
• The most visible integrity threats have been from
Trojan horses, viruses, and worms that attack
computers and the programs they run
Integrity Threats
• Trojan horse:
– Small, potentially harmful, program hidden inside another
program
– Claims to be a legitimate program that accomplishes some
task, but causes harm when the user accesses or downloads
the program in which it is hidden
– When you execute the program you downloaded (or received
via email as an attachment), it secretly launches a separate
Trojan horse program
• Antivirus software programs and firewalls cannot guarantee
that your computer is protected from this type of attack
• Be careful not to execute a file that you did not request and
download software only from trusted sources
Integrity Threats
• Worm:
– Self-replicating program usually hidden within another file and
then sent as an email attachment
– Can replicate itself on a computer or server, but it cannot infect
other files
• Viruses can spoof the From line of an email message using the
name of someone you know
• The default filename view setting in Windows hides the
filename extension
• Many computer security experts recommend that users change
this default setting in Windows when possible so you can tell if
a file is an executable program
Integrity Threats
• Antivirus software can prevent the spread of
viruses, worms, and Trojan horses by blocking
them from being downloaded from the server
• Two vendors that provide a full range of antivirus
products are Symantec and McAfee
Integrity Threats
• The best defenses against Trojan horses, viruses,
and worms are the following:
– Display Windows filename extensions so you can
determine the type of each file you download
– Avoid opening attachments you did not expect (even
if they are from known and trusted senders)
– Install antivirus programs
– Keep antivirus programs updated regularly
Necessity Threats
• A necessity threat occurs when a cracker uses a program to disrupt normal computer processing or, possibly, to deny processing entirely
• Packet flooding attack (denial of service (DoS)
attack):
– Occurs when a cracker bombards a server or other
computer with messages in an attempt to consume
the network’s bandwidth resources
– Works by sending such a large number of messages
to a Web server that it cannot answer properly
Necessity Threats
• Distributed denial of service (DDoS) attack:
– Perpetrator uses a large number of computers that each
launch a DoS attack on one Web server at the same time
– Most DDoS attacks are launched after the attacking
computers are infected with Trojan horse programs. Each
Trojan horse is coded to open and launch a DoS attack at
exactly the same date and time
– Zombies: computers “hijacked” by a Trojan horse used to help
a DDoS attack
• A company can defend its Web server from DoS and
DDoS attacks by adding a filter to its Internet
connection between the Web server and the router that
connects it to the Internet
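One thing such a filter can do, as an added example that is not from the textbook: count requests per source address over a sliding window and stop forwarding a source once it exceeds its budget, so a flood from one host is dropped before it reaches the Web server. The addresses, limits and traffic below are constructed for the demo. This per-source limit is exactly what a DDoS defeats, since each zombie stays under the budget on its own; that is why the slides treat DDoS as a separate problem.

```python
"""Sliding-window request filter of the kind a company could place between
its Web server and its router. Added example, not from the textbook; the
request stream, addresses and limits are constructed for the demo."""
from collections import defaultdict, deque


class SourceRateLimiter:
    """Allow at most max_requests per source address in any window_ms span."""

    def __init__(self, max_requests: int, window_ms: int):
        self.max_requests = max_requests
        self.window_ms = window_ms
        self._recent = defaultdict(deque)  # source ip -> timestamps still inside the window

    def allow(self, src_ip: str, now_ms: int) -> bool:
        recent = self._recent[src_ip]
        while recent and now_ms - recent[0] >= self.window_ms:
            recent.popleft()                 # forget requests that fell out of the window
        if len(recent) >= self.max_requests:
            return False                     # over budget: drop, do not forward to the server
        recent.append(now_ms)
        return True


def filter_stream(requests, max_requests=5, window_ms=1000):
    """Apply the limiter to (timestamp_ms, src_ip) pairs.
    Returns the forwarded requests and a per-source count of dropped ones."""
    limiter = SourceRateLimiter(max_requests, window_ms)
    forwarded, dropped = [], defaultdict(int)
    for ts, ip in sorted(requests):
        if limiter.allow(ip, ts):
            forwarded.append((ts, ip))
        else:
            dropped[ip] += 1
    return forwarded, dict(dropped)


def sample_requests():
    """Constructed traffic: a normal client at 2 requests/s and a single host
    flooding at 50 requests/s, both over the same 3 seconds."""
    normal = [(t * 500, "203.0.113.7") for t in range(6)]
    flood = [(t * 20, "198.51.100.9") for t in range(150)]
    return normal + flood


if __name__ == "__main__":
    forwarded, dropped = filter_stream(sample_requests())
    print(len(forwarded), "forwarded;", dropped, "dropped")
```

On the constructed stream the normal client's six requests all get through, while the flooding host is held to five per second (15 of its 150), and the server never sees the other 135.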
Online Crime, Warfare, and Terrorism
• Most people who use the Internet are honest,
hard-working people who use the technology for
legitimate purposes
• Unfortunately, some people use the Internet for
all manner of illegal and unethical purposes
• It is important to know about these uses because
that knowledge can help prevent such use or
limit the damage caused
Hackers, Crackers, and Script Kiddies
• Cracker: technologically skilled person who uses
his or her skills to obtain unauthorized entry into
computers or networks of computers to damage
the system’s software, or even the system’s
hardware
• Computer forensics experts (ethical hackers): computer sleuths who are hired to probe computers and locate information that can be used in legal proceedings
Hackers, Crackers, and Script Kiddies
• Hacker:
– Dedicated programmer who enjoys writing complex
code that tests the limits of technology
– Computer professionals consider being called a
hacker a compliment; the media and the general
public often use the term to describe those who use
their skills for ill purposes
– White hat hacker and black hat hacker make the
distinction between those who use their skills for
good and those who use their talents to commit
illegal acts
Hackers, Crackers, and Script Kiddies
• Virus tool kits:
– Script-writing programs that allow novices to create their own
viruses, worms, and Trojan horses
– Menu-driven tools that give almost anyone the ability to
generate troublesome programs without the need to write a
single line of code
• Script kiddies: derisive term coined by crackers with
programming skills to describe people who use virus
tool kits
Online Theft and Identity Theft
• An increasing amount of personal information is stored
on the Web by other parties, such as banks, credit card
issuers, credit reporting agencies, physician’s offices,
hospitals, and government agencies
• As more companies store valuable information on
computers that are connected to the Internet,
opportunities for theft of that information increase
• This is especially true when companies lose control of
the data they collect on their customers (and other
people)
Online Theft and Identity Theft
• The kinds of personal information that criminals most want to obtain include:
– Social Security number
– Driver’s license number
– Credit card numbers
– CVV2 numbers (the three- or four-digit security code printed on a credit card)
– Passwords (or PINs)
– Credit reports
– Date of birth
– ATM (or debit) card numbers
– Telephone calling card numbers
– Mortgage (or other loan) information
– Telephone numbers
– Home address
– Employer address
Online Theft and Identity Theft
• Identity theft: crime in which a thief steals a person’s
entire credit record and then uses the victim’s personal
information to open bank accounts, new credit cards,
and buy expensive goods on credit
• By the time the victim finds out that his or her identity
has been stolen, the thief is long gone with the cash and
the goods
• If you are the victim of identity theft, you must act
quickly to contact the credit reporting agencies, every
financial institution at which you have an account, and
the issuer of every credit card you hold
Online Extortion
• Some perpetrators threaten to launch DoS attacks
against a company unless a “fee” is paid
– Many smaller companies simply pay the extortionists and do
not even report the crime
• Other perpetrators break into a company’s systems,
steal confidential information, and then threaten to
release the information unless they are paid
• Smaller companies are easier targets because they
generally do not have strong security in place, but larger
organizations are not immune to these attacks
Other Online Crimes
• Enforcing laws against distribution of
pornographic material online in the United
States has been difficult
– Difficult question arises regarding which community
standards might apply to the sale
– International transactions raise even more difficult
questions about which laws should determine the
legality of the sale
– US Supreme Court has ruled that state and local
courts can draw the line based on local community
standards
Other Online Crimes
• A similar issue arises in the case of online gambling
– If people in California use their computers to connect to an
offshore gambling site, it is unclear where the gambling
activity occurs
– Several states have passed laws that specifically outlaw
Internet gambling, but the ability of those states to enforce
laws that limit Internet activities is not yet clear
– The US Federal government has outlawed all online gambling
activities by its citizens, but enforcement is difficult and the
constitutionality of such laws has not been tested
Organized Crime Online
• Organized crime (racketeering): unlawful activities conducted by
a highly organized, disciplined association for profit
• Internet has opened new opportunities for organized crime
• Large criminal organizations can be efficient perpetrators of
identity theft because they can exploit large amounts of personal
information (obtained, for example, from a cracker who broke
into a company’s Web server) quickly and efficiently
• These criminal organizations often sell or trade information that
they cannot use immediately to other organized crime entities
around the world
Online Espionage, Warfare, and Terrorism
• Industrial espionage:
– Type of spying in which countries attempt to gain information
from private businesses to capture intellectual property that
can be taken home and used in industries there
– When this information is stored in computers that are
connected to the Internet or when it is transmitted via the
Internet, it can become the target of online espionage efforts
• Many Internet security experts believe that we are at
the dawn of a new age of terrorism and warfare that
could be carried out or coordinated through the
Internet
Copyright & Intellectual Property Threats and Countermeasures
• Safeguarding copyright and intellectual property rights is also a security issue
• Intellectual property threats are a large problem
due to the Internet and the relative ease with
which one can use existing material without the
owner’s permission
– It is very simple to reproduce an exact copy of
anything you find on the Internet
– Many people are naïve or unaware of copyright
restrictions that protect intellectual property
Copyright & Intellectual Property Threats and Countermeasures
• Digital watermark: process that inserts a digital
pattern containing copyright information into a
digital image, animation, or audio or video file
• Steganography:
– Process that hides an encrypted message within
different types of files
– Can be used to add copyright information to different
types of files
Web Client Security
• A good place to start is with security on the PCs
that RVP has connected to its network and
security through that network to the Internet
• There are specific security threats and
countermeasures for Web clients, the
communication channel that connects Web
clients to Web servers, and the Web servers
themselves
Active Content: Java, JavaScript, and ActiveX
• Active content: programs that travel with
applications to a browser and execute on the
user’s computer
• Java applet: program written in the Java
programming language that could execute and
consume a computer’s resources
• JavaScript program: program that could execute
on the user’s computer and can run without
being compiled
Active Content: Java, JavaScript, and ActiveX
• ActiveX components:
– Microsoft’s technology for writing small applications
that perform some action in Web pages; these
components have full access to a computer’s file
system
– Only work in Internet Explorer and other browsers
that use the Internet Explorer code base in some way
– Firefox, which does not use any part of the Internet
Explorer code base, will not run a beneficial ActiveX
component, nor can it be attacked by a malicious
ActiveX component
Managing Cookies
• A cookie is a small text file that a Web server
creates and stores on your computer’s hard drive
• Clickstream: the links you click while visiting the
Web site
• A cookie might store information about your
clickstream, the products you purchase, or
personal information that you provide to the site
• Some cookies are removed automatically when
you leave a Web site (a session-only cookie)
Managing Cookies
• Many Web sites use cookies to make their sites easier
to navigate
• A cookie is not a program and it can only store
information that you provide to the Web site that
creates it
• Sometimes you provide the data openly, and at other
times, the cookie might silently record your behavior at
a Web site
• Only the Web site that stored the cookie on your hard
drive can read it, and it cannot read other cookies on
your hard drive or any other file on your computer
Managing Cookies
• Cookies can represent a security threat for some users,
especially those who access the site from a public computer
• Internet users can control the storage of cookies on their
computer’s hard drive by changing their browser’s settings
• The best way to prevent another user from gaining access to
information is to make sure that you do not leave an
electronic trail
• Internet Explorer stores cookies in the C:\Windows\Cookies
folder
• Firefox stores cookies in a file named cookies.txt on the
user’s hard drive
Managing Cookies in Internet Explorer (figure)
Managing Cookies in Firefox (figure)
Web Bugs
• Web bug (clear GIF or transparent GIF): small (one
pixel), hidden graphic on a Web page or in an email
message designed to work in conjunction with a cookie
to obtain information about the person viewing the
page or email message and to send the information to a
third party
• When the user loads the Web page that contains this code, the browser downloads the hidden graphic. This process can identify your IP address, the Web site you last visited, and other information about your use of the site in which the clear GIF file has been embedded, and record it in the cookie file
Web Bugs (figure)
Adware and Spyware: Ethical Issues
• Adware: general category of software that includes
advertisements to help pay for the product in which
they appear
• In many freeware and shareware programs, adware
provides opportunities for developers to offer software
at little or no cost to the user
• Adware usually does not cause any security threats
because the user is aware of the ads and the parties
responsible for including them are clearly identified in
the programs
Adware and Spyware: Ethical Issues
• Spyware: category of adware in which the user
has little control over or knowledge of the ads
and other monitoring features it contains
• Spyware occurs in situations where a developer
has sold ads to a third party or embedded other
features in the program
• A Web bug is an example of spyware
– Usually created by a GIF file, also called a clear GIF
– Its actions are hidden from the user
Adware and Spyware: Ethical Issues
• Setting Web browsers to block third-party cookie
files is one way to protect computers from the
potential privacy violations created by cookies,
Web bugs, and spyware
• There are many good shareware programs that
erase spyware from your computer
• These programs, sometimes called ad blockers,
search for files written by known spyware
Firewalls
• Firewall: software program or hardware device
that controls access between two networks, such
as a local area network and the Internet or the
Internet and a computer
• Port: like a door on a computer, it permits traffic
to leave and enter a computer
• Port scan: occurs when one computer tests all or
some of the ports of another computer to
determine whether its ports are open, closed, or
stealth
Basic Web Client Firewall Architecture (figure)
Firewalls
• Most firewalls prevent traffic from entering the
network, but firewalls can also prevent data
from leaving the network
– This is useful for controlling the activities of hidden
programs that are designed to compromise the
security of a computer
– When you install a new program on your computer, a
firewall that provides outgoing protection will notify
you if and when the new program tries to access the
Internet
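A small packet filter that models both points from the Firewalls slides, as an added example that is not from the textbook: separate inbound and outbound rule lists with a default of deny, so a hidden program's outbound connection is stopped by the egress rules, and a function giving the "open, closed, or stealth" view that the port-scan definition earlier describes (stealth when the filter drops the probe, otherwise open or closed depending on whether a service listens). The home network addresses, ports and rules are constructed; a real personal firewall also identifies the program making the connection, which this packet-level model does not.

```python
"""A minimal stateless packet filter with separate inbound and outbound rule
lists, plus the open/closed/stealth view a port scan would get of it.
Added example, not from the textbook; the addresses, ports and rules are
constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (arriving from the network) or "out" (leaving the host)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" or "out"
    remote: str          # CIDR block for the far end of the connection
    dport: Optional[int] = None   # None matches any destination port
    proto: str = "any"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
        if ip_address(remote_ip) not in ip_network(self.remote):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return self.proto == "any" or self.proto == pkt.proto


def decide(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; a packet no rule mentions gets the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def scan_view(rules, listening_ports, probe_src: str, port: int) -> str:
    """What a probe from probe_src would learn about a port behind these rules:
    'stealth' if the filter drops the probe, otherwise 'open' or 'closed'
    depending on whether a service listens there."""
    probe = Packet("in", probe_src, "192.168.1.20", port)
    if decide(rules, probe) == "deny":
        return "stealth"
    return "open" if port in listening_ports else "closed"


# Constructed policy for a home PC at 192.168.1.20: only the LAN may reach
# file sharing, and the PC itself may only make Web connections outbound.
RULES = [
    Rule("allow", "in", "192.168.1.0/24", dport=445),
    Rule("deny", "in", "0.0.0.0/0"),
    Rule("allow", "out", "0.0.0.0/0", dport=80),
    Rule("allow", "out", "0.0.0.0/0", dport=443),
    Rule("deny", "out", "0.0.0.0/0"),   # egress: a hidden program calling out is stopped here
]
LISTENING = {445, 3389}   # services the PC happens to run


if __name__ == "__main__":
    print(decide(RULES, Packet("out", "192.168.1.20", "198.51.100.3", 6667)))
    print(scan_view(RULES, LISTENING, "203.0.113.9", 3389))
```

Rule order matters: the catch-all deny lines must come after the specific allows, and the default of deny covers anything a rule set forgets to mention, which is the safer failure mode.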
Firewalls
• Until the recent increase in the number of users
with broadband connections to the Internet,
corporations used hardware firewalls almost
exclusively
• Some firewall software programs are available
for free or at a very low cost so they are
becoming popular with other types of users
• Some antivirus programs and Internet suites
include basic firewall protection
Communication Channel Security
• Encryption is an important part of maintaining
security over information that is sent via the
Internet
• Practical uses of encryption require
authentication and identification
Authentication and Digital Certificates
• Authentication: general term for the process of
correctly verifying the identity of a person or a
Web site
• Digital certificate: encrypted and password-protected file that contains sufficient information to authenticate and prove a person’s or organization’s identity
• Certificate authority: trusted third party that
verifies the digital certificate holder’s identity
and issues the digital certificate
Authentication and Digital Certificates
• A digital certificate is an electronic equivalent of
an identification card
• Digital ID (personal certificate): used to identify
a person to other people and to Web sites that
are set up to accept digital certificates
• Digital ID: an electronic file that you purchase
from a certificate authority and install into a
program that uses it, such as an email program
or a Web browser
Protecting Email Messages
• To help maintain the integrity of an email message, you can
send the message through a message digest function
program (hash code function program) to produce a
number called a message authentication code (MAC)
• After it receives the MAC, the email program sends the
message and matching MAC together to the recipient
• The recipient’s email program re-computes the message’s
MAC and compares the computed MAC to the received MAC
• If they match, the content of the message is unaltered. If
they do not match, then the message cannot be trusted
Producing a MAC for a Message (figure)
Protecting Email Messages
• To be useful, the message digest function must exhibit
the following characteristics:
– It must be impossible or costly to reverse the MAC and
produce the original message
– MAC should be random
– MAC must be unique to the message
• You can also protect outgoing email messages with the
Secure/Multipurpose Internet Mail Extensions
(S/MIME) specification, which when combined with a
person’s digital ID provides authentication and
encryption to email messages
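The digest procedure from the two Protecting Email Messages slides, as an added example that is not from the textbook: the sender attaches a digest, the recipient recomputes it and compares. The example also goes one step beyond the slides by placing a keyed MAC (HMAC-SHA256, from Python's standard library) next to the unkeyed digest: whoever alters a message in transit can recompute an unkeyed digest for the new text just as easily as the sender did, so the unkeyed form only detects accidental corruption, while the keyed form needs the shared key to forge. Binding the digest to a key, or signing it with a digital ID as S/MIME does, is what makes the check resist deliberate tampering. The key and messages are constructed.

```python
"""The integrity check the slides describe (digest sent with the message and
recomputed by the recipient), with a keyed MAC next to the unkeyed digest.
Added example, not from the textbook; the key and messages are constructed."""
import hashlib
import hmac


def message_digest(message: bytes) -> str:
    """Unkeyed digest (hash code): anyone, including an intermediary, can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_mac(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: only parties holding the shared key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def prepare(message: bytes, key: bytes = None):
    """Sender side: attach the tag the recipient will check. With no key this is
    the slides' procedure; with a key it is a real MAC."""
    tag = keyed_mac(key, message) if key else message_digest(message)
    return message, tag


def verify(received, key: bytes = None) -> bool:
    """Recipient side: recompute the tag and compare in constant time."""
    message, tag = received
    expected = keyed_mac(key, message) if key else message_digest(message)
    return hmac.compare_digest(expected, tag)


def altered_in_transit(received, new_message: bytes):
    """Model an intermediary who rewrites the message and, lacking any key, does
    the only thing available: recomputes the unkeyed digest for the new text."""
    return new_message, message_digest(new_message)


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    original = b"Transfer 100 to account 12345"
    changed = b"Transfer 900 to account 99999"
    print("unkeyed digest, message rewritten and digest recomputed:",
          verify(altered_in_transit(prepare(original), changed)))          # True: not detected
    print("keyed MAC, same rewrite:",
          verify(altered_in_transit(prepare(original, key), changed), key))  # False: detected
```

The constant-time comparison (hmac.compare_digest) is the other detail worth keeping: a plain string comparison leaks, through timing, how many leading bytes of a guessed tag were right.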
Phishing Attacks
• Phishing: an attack in which thieves “fish” for
information
– Thieves send email messages to people telling them that their
account data at a bank, credit card company, or other
company has been compromised
– The email message asks the recipients to click a link to go to a
Web site and verify the account information
– The link is to a spoofed Web site (a Web site that only looks
like it belongs to the correct business)
– If the recipient enters personal information in a form on the
Web site, the thieves can steal that information
Phishing Attacks
• The links in phishing emails are usually disguised
• One common way to disguise the real URL is to
use the “@” sign, which causes the Web server
to ignore all characters that precede the “@”
and use only the characters that follow
• Email links can include JavaScript code that is
invisible in most email clients; the link looks like
it is going one place, but in fact it directs the mail
somewhere else
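The checks a mail filter, or a careful reader, can apply to a link before trusting it, as an added example that is not from the textbook. It covers the disguises the two Phishing Attacks slides describe: the "@" trick (in URL syntax, anything before "@" in the authority part is user information and the host actually contacted is what follows, which Python's urllib.parse exposes directly), link text that names one site while the href points at another, javascript: links that run code instead of opening a page, and bare IP addresses in place of a business's domain. The sample links are constructed.

```python
"""Checks a mail filter or a careful reader can apply to a link before trusting
it, covering the disguises the slides describe. Added example, not from the
textbook; the sample links are constructed."""
from urllib.parse import urlsplit


def _host_of(text: str) -> str:
    """Host name in a URL, or in bare text such as 'www.bank.example'."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def link_warnings(display_text: str, href: str) -> list:
    """Return the reasons a link deserves suspicion; an empty list means none found."""
    warnings = []
    parts = urlsplit(href.strip())
    real_host = (parts.hostname or "").lower()

    # 1. The "@" disguise: text before "@" in the authority part is user
    #    information; the host that is actually contacted follows it.
    if "@" in parts.netloc:
        warnings.append(f"'{parts.username}' before @ is not the host; link goes to '{real_host}'")

    # 2. Link text that names one site while the href points at another
    #    (a subdomain of the shown site is accepted).
    shown_host = _host_of(display_text)
    if "." in shown_host and shown_host != real_host and not real_host.endswith("." + shown_host):
        warnings.append(f"text shows '{shown_host}' but link goes to '{real_host}'")

    # 3. A javascript: link runs code in the client instead of opening a page.
    if parts.scheme.lower() == "javascript":
        warnings.append("href is a javascript: URL, not a Web address")

    # 4. A numeric address instead of the business's domain name.
    if real_host and real_host.replace(".", "").isdigit():
        warnings.append(f"link goes to a bare IP address {real_host}")

    return warnings


# Constructed samples: (text the reader sees, where the link actually goes)
SAMPLES = {
    "genuine": ("https://www.bank.example/login", "https://www.bank.example/login"),
    "at_sign": ("www.bank.example", "http://www.bank.example@203.0.113.5/verify"),
    "mismatch": ("https://www.bank.example/verify", "https://bank-example-verify.invalid/"),
    "script": ("Verify your account", "javascript:void(0)"),
}


if __name__ == "__main__":
    for name, (text, href) in SAMPLES.items():
        print(name, "->", link_warnings(text, href) or "no warnings")
```

None of these checks proves a link is safe; they flag the cases where what is shown and where the link goes disagree, which is the whole mechanism of the disguise. The "at_sign" sample trips three of the four checks at once.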
Web Server Security
• Just as digital certificates help protect data sent
from one individual to another, server
certificates can help protect data sent from and
received by a Web server as it performs its task
of delivering Web pages to site visitors
• Web sites account for the largest percentage of
digital certificates in use
Digital Certificates for Web Servers
• Server certificate (SSL Web server certificate):
authenticates a Web site for its users so the user
can be confident that the Web site is genuine
and not an imposter
• Server certificate also ensures that the transfer
of data between a user’s computer and the
server with the certificate is encrypted so that it
is both tamperproof and free from being
intercepted
Processing a Web Server Digital Certificate (figure)
Digital Certificates for Web Servers
• User identification: process of identifying yourself to a
computer
• Most computer systems implement user identification
with user names and passwords; the combination of a
user name and password is sometimes called a login
• To help keep track of their login information for
different computers and Web sites, some people use a
program called a password manager, which stores login
information in an encrypted form on their computer
Digital Certificates for Web Servers
• Crackers can run programs that create and enter
passwords from a dictionary or a list of
commonly used passwords
• Brute force attack: cracker uses a program to
enter character combinations until the system
accepts a user name and password, thereby
gaining access to the system
• User authentication: process of associating a
person and his identification with a very high
level of assurance
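Two measures on the defending side of the dictionary and brute-force attacks this slide describes, as an added example that is not from the textbook: refuse at sign-up the passwords an attacker's list would try first, and store only a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from Python's standard library) so that a stolen login database still forces the attacker to guess one password at a time. The common-password list here is a constructed stand-in for a real breached-password corpus, and the minimum length and iteration count are policy choices assumed for the demo.

```python
"""Two defender-side measures against dictionary and brute-force password
attacks: refuse passwords an attacker would try first, and store only a
salted, slow hash. Added example, not from the textbook; the common-password
list is a constructed stand-in for a real breached-password corpus."""
import hashlib
import hmac
import secrets

# Constructed stand-in for a real list of commonly used passwords
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
MIN_LENGTH = 12          # assumed policy value
ITERATIONS = 600_000     # PBKDF2 work factor; raise over time as hardware gets faster


def password_problems(candidate: str) -> list:
    """Reasons a proposed password should be refused (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = candidate.lower().rstrip("0123456789!")   # 'Password1!' is still 'password'
    if core in COMMON_PASSWORDS or candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$hash' for storage; never store the password."""
    salt = secrets.token_bytes(16)                   # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(password_problems("Password1!"))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

The salt means two users with the same password get different stored values, so a precomputed table of hashes is useless, and the iteration count turns each guess from microseconds into a noticeable fraction of a second for the attacker while staying acceptable for one login.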
Secure Sockets Layer (SSL)
• Secure Sockets Layer (SSL): widely used protocol
that acts as a separate layer or “secure channel”
on top of the TCP/IP Internet protocol
• SSL provides a security handshake when a
browser and the Web page to which it is
connected want to participate in a secure
connection
• Web pages secured by SSL have URLs that begin
with https:// instead of http://
Secure State Indicators (figure)
Secure Sockets Layer (SSL)
• SSL creates a public-key pair so that it can safely
transmit data using a private key
• The private key is encrypted using public-key encryption
and is sent to the browser. Using the private key
protects the remainder of the information transfer
between the browser and the Web site
• Session keys:
– Public-key pair created by SSL during a browser session
– When the user leaves the secure Web site, the browser
discards the session keys
– Session keys exist only during a single, active session between
a browser and server
Staying Current with Internet and Web Security
• CERT Coordination Center:
– Federally funded research center operated by the Software
Engineering Institute at Carnegie Mellon University
– Originally known as the Computer Emergency Response Team
– Primary goal is to publish alerts, advisories, and vulnerability
reports about current and future Internet security problems it
detects and to coordinate communication between software
experts
– Also works to increase awareness of security problems and
issues and to help individuals and organizations improve the
security of their computer systems
Staying Current with Internet and Web Security
• SANS Institute:
– Many companies belong to the SANS Institute
– It sponsors computer security training and research
programs
– Its Web site includes the Internet Storm Center and
other resources that contain current information on
emerging online security issues
Summary
• There are different types of computer security
threats and some countermeasures that you can
take to prevent them
• There are copyright issues related to the
information you locate and use on the Internet
Summary
• Specific security threats arise on the Internet
when it is used as a communication channel
• Other threats on computers arise when they are
used as Web clients or as Web servers
• You should use the security information
presented in this tutorial to create a safe
environment in which to enjoy the Web’s many
resources