Chapter 6: Web Security
Security+ Guide to Network Security Fundamentals, Second Edition
Objectives
• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging
Protecting E-Mail Systems
• E-mail has replaced the fax machine as the primary communication tool for businesses
• It has also become a prime target of attackers and must be protected
How E-Mail Works
• E-mail uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
– Simple Mail Transfer Protocol (SMTP) handles outgoing mail
– Post Office Protocol (POP3 for the current version) handles incoming mail
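The two protocols above are easiest to understand as two separate command/reply conversations: a sender talks SMTP to the mail host to hand a message in, and the recipient later talks POP3 to the same host to pick it up. The following is an added example, not code from the textbook: an in-memory mail host that answers a minimal subset of both protocols (HELO, MAIL FROM, RCPT TO, DATA, QUIT on the SMTP side; USER, PASS, STAT, RETR, QUIT on the POP3 side). The hostname `mail.example.test`, the account `bob`, and every message are constructed for the example; there are no sockets and no real domain.

```python
import re


class MailHost:
    """In-memory mail host speaking minimal SMTP (hand-in) and POP3 (pickup).
    Each method takes one client line and returns the server reply (or None
    while SMTP is silently reading message data). Constructed example."""

    DOMAIN = "mail.example.test"  # constructed hostname

    def __init__(self, users):
        self.users = dict(users)                 # username -> password
        self.mailboxes = {u: [] for u in users}  # username -> stored messages
        self._reset_envelope()
        self.pop_user = None
        self.pop_authed = False

    def _reset_envelope(self):
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.data_lines = []

    # ---- SMTP side: the sender's mail client talks to us ----
    def smtp(self, line):
        if self.in_data:
            if line == ".":                      # lone dot ends the message
                msg = "\n".join(self.data_lines)
                for rcpt in self.rcpts:
                    self.mailboxes[rcpt].append(msg)
                self._reset_envelope()
                return "250 OK: message accepted"
            # Dot-stuffing: a line starting ".." carries a literal leading "."
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.DOMAIN} Hello {arg}"
        if verb == "MAIL":
            m = re.fullmatch(r"FROM:<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.mail_from = m.group(1)  # envelope sender: asserted, not verified
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Need MAIL command first"
            m = re.fullmatch(r"TO:<([^@>]+)@" + re.escape(self.DOMAIN) + ">", arg, re.I)
            if not m or m.group(1).lower() not in self.mailboxes:
                return "550 No such user here"   # no relaying, no unknown users
            self.rcpts.append(m.group(1).lower())
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

    # ---- POP3 side: the recipient's mail client talks to us ----
    def pop3(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pop_user = arg
            return "+OK"
        if verb == "PASS":
            # Plain POP3 carries this password in cleartext on the wire, which
            # is why pickup should run over TLS (POP3S) in practice.
            if self.users.get(self.pop_user) == arg:
                self.pop_authed = True
                return "+OK logged in"
            return "-ERR authentication failed"
        if not self.pop_authed:
            return "-ERR not authenticated"
        box = self.mailboxes[self.pop_user]
        if verb == "STAT":
            return f"+OK {len(box)} {sum(len(m) for m in box)}"
        if verb == "RETR":
            idx = int(arg) - 1 if arg.isdigit() else -1
            if not 0 <= idx < len(box):
                return "-ERR no such message"
            return "+OK\n" + box[idx] + "\n."
        if verb == "QUIT":
            return "+OK bye"
        return "-ERR unknown command"


def run_session(handler, client_lines):
    """Feed client lines to one protocol handler; return a (who, line) transcript."""
    transcript = []
    for line in client_lines:
        transcript.append(("C", line))
        reply = handler(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


if __name__ == "__main__":
    host = MailHost({"bob": "hunter2"})  # constructed account
    smtp_lines = ["HELO laptop.sender.test", "MAIL FROM:<alice@sender.test>",
                  "RCPT TO:<bob@mail.example.test>", "DATA", "Subject: hi", "",
                  "hello bob", ".", "QUIT"]
    for who, text in run_session(host.smtp, smtp_lines):
        print(who, text)
    for who, text in run_session(host.pop3, ["USER bob", "PASS hunter2", "STAT", "RETR 1", "QUIT"]):
        print(who, text)
```

Two things the transcript makes visible: the SMTP envelope sender in MAIL FROM is simply asserted by the client (nothing in the exchange verifies it, which is what spam filters and later sender-authentication schemes have to compensate for), and the POP3 PASS line carries the user's password as plain text, so the pickup side needs TLS.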
Three bytes from the binary file are extracted and
converted to four text characters
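The "three bytes in, four text characters out" step above is the Base64 encoding MIME uses to carry binary attachments over a text-only protocol (the name Base64 does not appear on this slide). The following is an added example, not code from the textbook, that implements the mapping in both directions, including the `=` padding needed when the file length is not a multiple of three, and cross-checks the result against the standard library. The "attachment" it encodes is a constructed byte string.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_group(chunk):
    """Turn one group of 1 to 3 bytes into 4 text characters.

    Three bytes are 24 bits; read as four 6-bit values they index the
    64-character alphabet, which is why 3 binary bytes become 4 characters
    (a 33% size increase). A short final group is zero-padded to 24 bits and
    the output positions that carry no real data are written as '=' so the
    decoder can tell how many bytes the group really held.
    """
    n = len(chunk)
    if not 1 <= n <= 3:
        raise ValueError("a group holds 1 to 3 bytes")
    bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")   # 24-bit integer
    sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
    text = "".join(ALPHABET[s] for s in sextets)
    return text[: n + 1] + "=" * (3 - n)


def encode(data):
    return "".join(encode_group(data[i:i + 3]) for i in range(0, len(data), 3))


def decode(text):
    """Reverse the mapping, rejecting malformed input instead of guessing."""
    if len(text) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad > 2 or (pad and (not quad.endswith("=" * pad) or i + 4 != len(text))):
            raise ValueError("padding may only close the final group")
        bits = 0
        for ch in quad:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += bits.to_bytes(3, "big")[: 3 - pad]
    return bytes(out)


def is_valid(text):
    """True if the text decodes cleanly under the checks above."""
    try:
        decode(text)
        return True
    except ValueError:
        return False


def matches_stdlib(data):
    """Cross-check our encoder against the standard library."""
    return encode(data) == base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    attachment = bytes(range(256))   # constructed binary "attachment"
    encoded = encode(attachment)
    print(f"{len(attachment)} bytes -> {len(encoded)} chars, stdlib agrees: {matches_stdlib(attachment)}")
    print(encoded[:32] + "...")
```

Rejecting malformed padding matters in a mail filter: a lenient decoder that silently accepts odd padding or stray characters can produce a different attachment from the one a stricter mail client will show the user.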
E-Mail Vulnerabilities
• Several e-mail vulnerabilities can be exploited by attackers:
– Malware
– Spam
– Hoaxes
Malware
• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice for two reasons:
– Because almost all Internet users have e-mail, it has the broadest base for attacks
– Malware can use e-mail to propagate itself
Malware (continued)
• A worm can enter a user's computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages
The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003
Spam (continued)
• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
– 52% of users indicate spam has made them less trusting of e-mail in general
– 70% of users say spam has made being online unpleasant or annoying
Spam (continued)
• Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
• Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian filtering
– User divides e-mail messages received into two piles,
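The three bullets above describe one pipeline: a filter sitting in front of the SMTP server that first drops mail from blacklisted senders and then scores what remains with a Bayesian classifier trained from the user's two piles. The following is an added example, not code from the textbook, that implements both stages with the standard library only. The blacklist entries, the eight training messages and the test messages are all constructed; the 0.9 spam threshold is a choice made for this example.

```python
import email
import email.utils
import math
import re
from collections import Counter

# Constructed blacklist: full addresses, or whole domains written as "@domain".
BLACKLIST = {"spammer@cheap-pills.test", "@bulk-offers.test"}


def sender_blocked(address, blacklist=BLACKLIST):
    """Stage 1: blacklist check; a domain entry blocks every sender at that domain."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    return address in blacklist or "@" + domain in blacklist


WORD = re.compile(r"[a-z$]{2,}")


def tokens(text):
    # Presence of a word in a message is what gets counted, not how often it occurs.
    return set(WORD.findall(text.lower()))


class BayesFilter:
    """Stage 2: naive Bayes classifier trained from the user's spam and ham piles."""

    def __init__(self):
        self.spam_docs = Counter()   # word -> number of spam messages containing it
        self.ham_docs = Counter()    # word -> number of ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        words = tokens(text)
        if is_spam:
            self.spam_docs.update(words)
            self.n_spam += 1
        else:
            self.ham_docs.update(words)
            self.n_ham += 1

    def spam_probability(self, text):
        # Accumulate log-odds over the message's words. Laplace smoothing keeps a
        # word seen in only one pile from forcing the result to exactly 0 or 1.
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for w in tokens(text):
            p_spam = (self.spam_docs[w] + 1) / (self.n_spam + 2)
            p_ham = (self.ham_docs[w] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def edge_filter(raw_message, bayes, threshold=0.9):
    """Decision the edge filter makes before the SMTP server ever stores the mail."""
    msg = email.message_from_string(raw_message)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    if sender_blocked(sender):
        return "reject"            # never reaches the SMTP server
    text = msg.get("Subject", "") + " " + msg.get_payload()
    return "spam" if bayes.spam_probability(text) >= threshold else "deliver"


def trained_filter():
    """Filter trained on a constructed corpus: four spam and four ham messages."""
    f = BayesFilter()
    for text in ["FREE pills cheap discount order now",
                 "cheap meds discount free shipping",
                 "win free money click now",
                 "discount offer order today free"]:
        f.train(text, True)
    for text in ["meeting agenda for tomorrow",
                 "please review the attached report",
                 "lunch tomorrow after the meeting",
                 "quarterly report draft attached"]:
        f.train(text, False)
    return f


if __name__ == "__main__":
    bayes = trained_filter()
    sample = "From: promo@random-sender.test\nSubject: Cheap discount pills\n\norder now, free shipping\n"
    print(round(bayes.spam_probability("Cheap discount pills order now, free shipping"), 4))
    print(edge_filter(sample, bayes))
```

The blacklist stage is cheap but only catches senders already known; the Bayesian stage generalises to new senders but depends entirely on the quality of the two piles the user sorted, which is why the slide stresses that the user does the initial sorting.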
Multipurpose Internet Mail Extensions (MIME) messages
• Provides these features:
– Digital signatures
– Message privacy
– Tamper detection
– Interoperability
– Seamless integration
Pretty Good Privacy (PGP)
• Functions much like S/MIME by encrypting messages using digital signatures
• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
• First compresses the message
– Reduces patterns and enhances resistance to cryptanalysis
• Creates a session key (a one-time-only secret key)
– This key is a number generated from random movements of the mouse and keystrokes typed
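The last two bullets describe the order of operations PGP applies to a message: compress first, then encrypt the compressed data under a session key that is generated fresh for that one message. The following is an added example, not PGP's code and not code from the textbook, that shows why the order matters by measuring byte-level patterns (Shannon entropy) before and after compression, and that a new session key is produced per message. Two things are stand-ins and assumptions of this example: the session key comes from the operating system's random generator rather than from mouse movements and keystrokes, and the symmetric cipher is a SHA-256 keystream XOR rather than the cipher PGP actually uses. PGP's further step of encrypting the session key with the recipient's public key is not modelled here. The sample message is constructed.

```python
import hashlib
import math
import secrets
import zlib
from collections import Counter


def byte_entropy(data):
    """Shannon entropy in bits per byte; 8.0 means no byte-level pattern is left."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def new_session_key():
    """One-time 256-bit secret for a single message. The slide describes PGP
    deriving it from mouse movements and keystrokes; the OS CSPRNG is the
    stand-in used in this example."""
    return secrets.token_bytes(32)


def keystream_xor(key, nonce, data):
    """XOR data with SHA-256(key || nonce || counter) blocks. This stands in for
    the real symmetric cipher PGP uses (an assumption of this example); the
    point demonstrated is the order of operations, not the cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext):
    """PGP's order: compress first, then encrypt under a fresh session key.
    The session key is returned in the clear here; in PGP it would itself be
    encrypted with the recipient's public key before transmission."""
    compressed = zlib.compress(plaintext, 9)
    key = new_session_key()
    nonce = secrets.token_bytes(16)
    return {
        "session_key": key,
        "nonce": nonce,
        "body": keystream_xor(key, nonce, compressed),
        "plain_entropy": byte_entropy(plaintext),
        "compressed_entropy": byte_entropy(compressed),
    }


def unseal(package):
    """Reverse the steps: decrypt with the session key, then decompress."""
    raw = keystream_xor(package["session_key"], package["nonce"], package["body"])
    return zlib.decompress(raw)


# Constructed sample message: ordinary, highly repetitive English text.
SAMPLE = (b"Quarterly figures are attached. Please treat them as confidential. "
          b"Call me if anything in the spreadsheet looks wrong. ") * 30


if __name__ == "__main__":
    pkg = seal(SAMPLE)
    print(f"plaintext: {len(SAMPLE)} bytes, {pkg['plain_entropy']:.2f} bits/byte")
    print(f"compressed: {len(pkg['body'])} bytes, {pkg['compressed_entropy']:.2f} bits/byte")
    print("round trip ok:", unseal(pkg) == SAMPLE)
    print("fresh key each message:", seal(SAMPLE)["session_key"] != pkg["session_key"])
```

The entropy figures show what "reduces patterns" means in practice: English text uses only a few dozen byte values with very uneven frequencies, whereas the compressed form is close to uniform, so the cipher input carries far less structure for a cryptanalyst to lean on. Compressing after encryption would achieve nothing, since a good ciphertext is already incompressible.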