The Role of People in Security


Principles of Computer Security: CompTIA Security+ and Beyond, Third Edition
Chapter 17: Web Components
© 2012
Objectives
• Describe the functioning of the SSL/TLS protocol
suite.
• Explain web applications, plug-ins, and associated
security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that
present security concerns.
• Use cookies to maintain parameters between web
pages.
• Examine web-based application security issues.
Key Terms
• Active Server Pages (ASP)
• ActiveX
• ASP.NET
• Buffer overflow
• Code signing
• Common Gateway Interface (CGI)
• Java vulnerabilities
Key Terms (continued)
• Cookies
• File Transfer Protocol (FTP)
• Hypertext Markup Language (HTML)
• Internet Engineering Task Force (IETF)
• Java
• JavaScript
Key Terms for Security+ Exam
• 4.1 Application Security
– Fuzzing
– Cross-site scripting
– Input and field validation
• 3.5 Application attacks
– SQL injection
– Buffer overflow
– Zero day
– Cookies a security risk? (Evercookie)
Current Web Components and
Concerns
• Security concerns can be grouped into
three main tasks:
• Securing a server that delivers content to users over
the Web.
• Securing the transport of information between users
and servers over the Web.
• Securing the user’s computer from attack over a web
connection.
Encryption (SSL and TLS)
• Secure Sockets Layer (SSL) is a general-purpose
protocol developed by Netscape for managing the
encryption of information being transmitted over the
Internet.
• Transport Layer Security (TLS) is the IETF-standardized
successor to SSL. The two are essentially the same in
design, although the versions are not interchangeable: a
client and server must agree on one version and one
cipher suite before any application data is protected.
• Cryptographic methods are an ever-evolving field, and
because both parties must agree on an implementation
method, SSL/TLS has embraced an open, extensible,
and adaptable method to allow flexibility and strength.
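The "both parties must agree" step happens in the first handshake message: the client offers a list of cipher suites (and, via the Server Name Indication extension, the host it wants) and the server picks one. As an added example, not code from the textbook, the Python below builds a TLS 1.2 ClientHello record, parses it back, and reports any offered suite that belongs on a deny list. The record layout follows RFC 5246 and the cipher-suite IDs are the IANA-registered values; the server name, the suite lists and the "weak" set are constructed for the example.

```python
"""Build and parse a TLS 1.2 ClientHello record (RFC 5246 section 7.4.1.2).

Added example, not code from the textbook. The weak-suite list and the
sample server name are constructed for illustration."""
import os
import struct

# IANA cipher suite IDs (a hand-picked subset for the example).
SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",             # no encryption at all
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",          # RC4 is broken
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",      # no forward secrecy
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",            # TLS 1.3
}
WEAK = {0x0001, 0x0005}   # constructed deny list for the example


def build_client_hello(server_name, suites, client_random=None):
    """Return a complete TLS record carrying a ClientHello with an SNI extension."""
    client_random = client_random or os.urandom(32)
    assert len(client_random) == 32
    host = server_name.encode("ascii")
    # server_name extension (type 0): ServerNameList of one host_name entry
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03"                                          # client_version = TLS 1.2
        + client_random
        + b"\x00"                                            # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes  # offered suites, in preference order
        + b"\x01\x00"                                        # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def parse_client_hello(record):
    """Parse a ClientHello record into the fields a TLS inspector cares about."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = body[0:2]
    pos = 2
    client_random = body[pos:pos + 32]
    pos += 32
    pos += 1 + body[pos]                                     # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                     # skip compression_methods
    sni = None
    if pos < len(body):                                      # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0:                                   # server_name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {"version": version, "random": client_random, "suites": suites, "sni": sni}


def weak_suites_offered(record):
    """Names of deny-listed suites the client offered (what a TLS inspector would alert on)."""
    return [SUITES.get(s, hex(s)) for s in parse_client_hello(record)["suites"] if s in WEAK]


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0xC02F, 0x0005, 0x002F])
    print(parse_client_hello(rec)["sni"], weak_suites_offered(rec))
```

The suites list is ordered by client preference, but the server chooses, so hardening must happen on both ends: the client should not offer NULL or RC4 suites at all, and the server should refuse them even if offered.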
Encryption (SSL and TLS)
[Figure: Firefox SSL cipher options]
SSL/TLS Handshake
[Figure: SSL/TLS handshake]
[Figure: Firefox certificate options]
[Figure: Firefox certificate store]
The Web (HTTP and HTTPS)
• HTTP is used for the transfer of
hyperlinked data over the Internet, from
web servers to browsers.
• When a secure connection is needed,
SSL/TLS is used and appears in the
address as https://.
The Web (HTTP and HTTPS) (continued)
[Figures: high-assurance (Extended Validation) certificate indicators in IE 7 and Firefox]
File Transfer (FTP and SFTP)
• FTP is a standard network protocol used
to exchange and manipulate files over a
TCP/IP based network.
• SFTP (SSH File Transfer Protocol) is used when
confidential transfer is required. Despite the name it is
not FTP tunneled over SSH but a separate file-transfer
protocol carried inside an SSH session, so it inherits
SSH authentication and encryption; plain FTP sends
credentials and data in cleartext.
Buffer Overflows
• The buffer overflow vulnerability is a
result of poor coding practices on the part
of software programmers.
• This occurs when an application can
accept more input than it has assigned
storage space, and the input data
overwrites other program areas.
Java
• Java is a computer language invented by Sun
Microsystems (now owned by Oracle) as an alternative to
Microsoft’s development languages.
• Designed to be platform-independent
• Java offered a low learning curve and a way of
implementing programs across an enterprise.
• Although platform independence never fully materialized,
Java has found itself to be a leader in object-oriented
programming languages.
• Java can still perform malicious activities, and the fact
that many users falsely believe it is safe increases its
usefulness for attackers.
JavaScript
• JavaScript is a scripting language developed to be
operated within a browser instance.
• The primary purpose is to enable features such as
validation of forms in the browser. Because the user
controls the browser, such client-side validation is a
convenience, not a security control; the server must
validate the same input again.
• Enterprising programmers found many other uses for
JavaScript, such as manipulating the browser history
files, now prohibited by design.
• JavaScript actually runs within the browser, and the
code is executed by the browser itself.
• This has led to compatibility problems.
CGI & Server-Side Scripts
• Common Gateway Interface (CGI) is a method for
having a web server execute a program outside the
web server process, yet on the same server.
• Server-side scripting (ASP, ASP.NET, and similar) runs
code inside or alongside the web server process and
returns generated content to be served to end users via
a web page. This has largely replaced CGI. Either way,
request data reaches code on the server, so that code
must validate it before using it in commands or queries.
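Whether the program is launched by CGI or by a server-side scripting engine, the danger is the same: request parameters end up inside a command. The example below (added here, not from the textbook or any real server) is a small CGI-style lookup written twice in Python: a deliberately vulnerable version that hands the `user` parameter to a shell, and a hardened version that validates the field against an allow-list pattern and runs the program with an argument vector so no shell ever parses the input. The parameter name, the regex and the `echo`-based command are constructed for the example.

```python
"""CGI-style lookup: command injection beside its fix.

Added example, not the textbook's code. Reads QUERY_STRING the way a CGI
program does; the 'user' parameter and the echo command are constructed."""
import os
import re
import subprocess
from urllib.parse import parse_qs


def vulnerable_lookup(query_string):
    """Deliberately vulnerable: the parameter is spliced into a shell command line."""
    user = parse_qs(query_string).get("user", [""])[0]
    # user=bob%3Bid decodes to "bob;id", so the shell runs echo, then id.
    return subprocess.run("echo Looking up " + user, shell=True,
                          capture_output=True, text=True).stdout


# Allow-list: what a username may look like (constructed policy for the example).
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def hardened_lookup(query_string):
    """Validate the field, then pass it as one argv element with no shell involved."""
    user = parse_qs(query_string).get("user", [""])[0]
    if not USERNAME.fullmatch(user):
        raise ValueError("invalid username")
    return subprocess.run(["echo", "Looking up", user], shell=False,
                          capture_output=True, text=True).stdout


def cgi_main():
    """Entry point when run as a CGI program: QUERY_STRING comes from the environment."""
    print("Content-Type: text/plain\r\n")
    try:
        print(hardened_lookup(os.environ.get("QUERY_STRING", "")))
    except ValueError as err:
        print("400 " + str(err))


if __name__ == "__main__":
    cgi_main()
```

Note that the allow-list check alone is not the fix: even a well-formed username must never be re-parsed by a shell, which is why the hardened version keeps `shell=False` and a list of arguments.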
Cookies
• Cookies are small chunks of ASCII text passed within
an HTTP stream (Set-Cookie and Cookie headers) that let
a server keep state in the user’s browser.
• A cookie is a series of name-value pairs. A session
cookie lives in memory for the browser instance, while a
cookie given an Expires attribute is kept until that time.
Attributes control where and how the browser sends it:
– Expires
– Domain
– Path
– Secure
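The four attributes above decide whether a stored cookie goes out with a given request, and a missing Secure flag is what lets a session cookie leak over plain HTTP. As an added example, not code from the textbook, the Python below parses Set-Cookie lines, applies the Domain, Path, Secure and Expires rules of RFC 6265 to decide whether a cookie would be sent to a URL, and audits a response for cookies missing Secure or HttpOnly. The three Set-Cookie lines and the host names are constructed for the example.

```python
"""Cookie scope rules (RFC 6265 sections 5.1.3, 5.1.4 and 5.4) and a Set-Cookie audit.

Added example, not the textbook's code. SAMPLE is a constructed server response."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

SAMPLE = [  # constructed Set-Cookie header values
    "SESSIONID=abc123; Path=/; Domain=example.com; Secure; HttpOnly",
    "prefs=dark; Path=/account; Expires=Wed, 09 Jun 2021 10:18:14 GMT",
    "track=xyz; Domain=.example.com",
]


def parse_set_cookie(line):
    """Split one Set-Cookie value into name, value and the attributes we care about."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "domain": None,
              "path": "/", "secure": False, "httponly": False, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie["domain"] = val.lstrip(".").lower()      # leading dot is ignored
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "expires":
            exp = parsedate_to_datetime(val)
            cookie["expires"] = exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)
    return cookie


def domain_matches(host, domain):
    """Suffix match on a label boundary: shop.example.com matches, notexample.com does not."""
    return host == domain or host.endswith("." + domain)


def path_matches(req_path, cookie_path):
    if req_path == cookie_path:
        return True
    return (req_path.startswith(cookie_path)
            and (cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"))


def would_send(cookie, origin_host, url, now):
    """origin_host set the cookie; decide whether the browser attaches it to a request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["expires"] is not None and cookie["expires"] <= now:
        return False                                         # expired
    if cookie["domain"] is None:
        if host != origin_host.lower():
            return False                                     # host-only cookie
    elif not domain_matches(host, cookie["domain"]):
        return False
    if not path_matches(u.path or "/", cookie["path"]):
        return False
    if cookie["secure"] and u.scheme != "https":
        return False                                         # Secure: never over plain HTTP
    return True


def audit(set_cookie_lines):
    """Return (name, missing attributes) for cookies lacking Secure or HttpOnly."""
    findings = []
    for line in set_cookie_lines:
        c = parse_set_cookie(line)
        missing = [a for a in ("secure", "httponly") if not c[a]]
        if missing:
            findings.append((c["name"], missing))
    return findings


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for line in SAMPLE:
        c = parse_set_cookie(line)
        print(c["name"], would_send(c, "example.com", "http://www.example.com/account", now))
    print(audit(SAMPLE))
```

Run against the sample, the audit flags `prefs` and `track`: neither is restricted to HTTPS, and both are readable by page script, which is the combination that turns a cross-site scripting bug into session theft.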
Chapter Summary
• Describe the functioning of the SSL/TLS protocol suite.
• Explain web applications, plug-ins, and associated
security issues.
• Describe secure file transfer options.
• Explain directory usage for data retrieval.
• Explain scripting and other Internet functions that
present security concerns.
• Use cookies to maintain parameters between web
pages.
• Examine web-based application security issues.