# Information Security: The Big Picture – Part V


The World Wide Web has become the de facto communications medium for the Internet. Millions of people use it every day to get information, communicate with coworkers, buy and sell goods, entertain themselves, and keep up to date with current events. However, most of these people have very little knowledge about how the web actually works. On this slide we will give you a brief introduction to the web and tell you everything you always wanted to know about the web but were afraid to ask. All in less than three minutes...

## 1. Information Security: The Big Picture – Part V

Stephen Fried
## 2. Agenda

- General Security Introduction
- Telecommunications Fundamentals
- Network Fundamentals
- Network Security
- World Wide Web Security
- Information Secrecy & Privacy
- Identification and Access Control
- Programmatic Security
- Conclusion

Information Security: The Big Picture - SANS GIAC © 2000, slide 2

If you are taking this course you undoubtedly know about the World Wide Web. As valuable, as useful, and as important to our everyday lives as the web has become, it is full of security issues and problems. This section will examine those issues.
## 4. HTML Security

- Reading HTML Source
- Hidden Fields
- Server Side Includes

Given the open nature of the HTTP protocol, it is easy to start seeing some of the negative security issues that surround its use. On this slide we will examine some of these problems.

The easiest way to learn HTML is to examine the HTML source code of any page you happen to visit. Most browsers have an option to let you view the HTML source of the page you are currently viewing. From there you can see all the code, fields, tags, and other HTML elements that make up the page. You may also see some unexpected things. Many developers put information into source code that is never meant for public viewing, thinking that regular people will never see it. When you view the code you may see things like variable names and data values that are used internally by the web site's programs. You may see references to the names of the site's developers or internal information about the organization that is running the server. You may see references to directory names where files are stored on the web server. There may be references to user IDs or passwords for different services on the machines. If the server is using JavaScript or some other scripting language you may see code paths that refer to options the user would not normally see. All this information can give an attacker a clue as to the underlying structure and organization of the server in order to plan an attack. And it's all there free for the looking.

Many web pages, particularly those that use input forms, make use of a feature of HTML called Hidden Fields. As their name implies, hidden fields reside on a web page form but are hidden from view when the page is displayed. Hidden fields are typically used as a method for carrying information from one form to another without requiring the user to re-enter the information on each form.

However, hidden fields can also contain values not entered by the user. For example, when a user enters a user ID on a web form, the server might look up the user's Social Security Number and place it in a hidden field for later use. If you look at the HTML source for the page with the hidden field you will see that information. Unfortunately, so will anyone else who may be sniffing the network when that page is transmitted.

Another neat tool is a technology called Server Side Includes. Server Side Includes are small pieces of code that are embedded in HTML documents. When a Web server begins to serve a web page it goes line by line through the code interpreting the HTML commands. When it comes upon a Server Side Include line it stops and does whatever the include says. For example, it might insert text from a different file, such as a copyright notice or policy statement. It might insert today's date and time to be displayed on the page. Or, and this is the scary part, it might run a separate program and insert its output into the HTML document. This is scary because if the included program has a bug, or the attacker can manipulate the program to run some malicious code, the potential exists for the attacker to compromise the server and gain unauthorized access or obtain confidential information.

Now, despite these shortcomings, and some others we will examine shortly, nobody is saying that we should do away with HTML. But security practitioners need to take extra care when developing, implementing, or reviewing HTML systems to reduce the likelihood that information in source code, hidden fields, or server side includes has a negative effect on the server or the organization.
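As an added illustration (not code from the course), the following Python script audits a page for the two exposures just described: hidden fields that carry sensitive server-supplied values such as a Social Security Number, and Server Side Include directives, flagging the `exec` form that runs a program. The sample HTML, the field names and the severity labels are constructed assumptions.

```python
# Added illustration (not course code): audit a page for hidden fields and
# Server Side Include directives. The sample HTML below is constructed.
import re
from html.parser import HTMLParser

SAMPLE_HTML = """<html><body>
<!--#include virtual="/footer.html" -->
<!--#echo var="DATE_LOCAL" -->
<form action="/step2" method="post">
  <input type="hidden" name="session" value="a8f3c2">
  <input type="hidden" name="ssn" value="123-45-6789">
  <input type="text" name="address">
</form>
<!--#exec cmd="date" -->
</body></html>"""

SSI_RE = re.compile(r"<!--#(\w+)\s+(.*?)-->", re.DOTALL)
SENSITIVE_NAME = re.compile(r"ssn|social|passw|salary|card|account", re.I)
SSN_VALUE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

class HiddenFieldParser(HTMLParser):
    """Collect (name, value) of every <input type="hidden"> on the page."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden.append((a.get("name") or "", a.get("value") or ""))

def audit_html(html):
    """Return a list of (severity, message) findings for a reviewer."""
    findings = []
    parser = HiddenFieldParser()
    parser.feed(html)
    for name, value in parser.hidden:
        # A sensitive-looking name or an SSN-shaped value is exposed to anyone
        # who views the source or sniffs the page in transit.
        if SENSITIVE_NAME.search(name) or SSN_VALUE.match(value):
            findings.append(("high", f"hidden field '{name}' carries sensitive data"))
        else:
            findings.append(("info", f"hidden field '{name}' is visible in page source"))
    for directive, args in SSI_RE.findall(html):
        if directive == "exec":
            findings.append(("high", f"SSI exec runs a program: {args.strip()}"))
        else:
            findings.append(("info", f"SSI {directive} directive: {args.strip()}"))
    return findings
```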
## 17. Basic Uses For Encryption

- Secrecy
- Authentication
- Non-repudiation
- Thwarting information attacks
  - Session Hijacking
  - Man in the Middle

When most people think of encryption they think of keeping secrets. Certainly that was one of the earliest uses of encryption and continues to be one of the most prevalent uses. But encryption has many more uses than merely secrecy. On this slide we will examine some of those uses.

As I said before, secrecy has always been a primary use for encryption. Armies and governments around the world have used encryption literally for centuries to keep secrets from their enemies (and sometimes even their friends). "But," you may say, "I am not a government nor an army. Why do I need encryption?" There may be several reasons. Let's start with the simple ones. Suppose you are the CEO of a large company, the Bajoran Widget Company. You have been thinking about merging with your largest competitor, the Ferengi Alliance. You want to send e-mail to the CEO of Ferengi discussing the merger, but you don't want the information leaking to the press. You can use encryption to scramble the information, so even if the e-mail is intercepted, nobody will be able to use it. Or, on a more practical level, suppose Alice and Bob wish to discuss their political views about their country's government. Unfortunately, their government has outlawed political speech and they can go to jail if they are caught having the discussion. Certainly they would want to keep their communications private so as to stay out of jail. By using encryption they can carry on the exchange of their political views without making those views available outside their own private conversation.

More recent methods of encryption can be used to verify the identity of a person, a process known as authentication. Using a type of encryption known as public key cryptography (which we will discuss in more detail later), Alice and Bob can have their conversation as previously described. But in addition, Alice can verify that any messages she receives from Bob really were sent by Bob, and Bob can verify that messages he receives really came from Alice and not an imposter or government agent. This can be a very valuable tool when applied to areas like financial transactions or legal contracts, where verifying the sender of information can be extremely important.

This type of sender verification can also be used if the alleged sender of a piece of information denies having sent it at all. Going back to the corporate merger example, suppose the Bajoran CEO and the Ferengi CEO are using encryption to exchange messages. The Bajoran CEO offers $3 billion to buy the Ferengi company and the Ferengi CEO accepts. If the time comes for the final payment and the Bajoran CEO claims to have only offered $3 million, not $3 billion, the Ferengi CEO can use encryption algorithms to prove the Bajoran CEO offered the higher amount.

Finally, encryption can be used effectively to thwart many types of computer and network attacks. For example, if Alice and Bob are using encryption in their communications, attacks like Session Hijacking and Man in the Middle will be much more difficult to carry out. This is because each of them relies on the ability to observe the information stream, if even for a short time, before beginning the attack. If the connection is using encryption, the data stream will be filled with seemingly random information and will be of little use to the attacker.

It is important to note that not all types of encryption have all these capabilities. Which features are available depends heavily on the type of encryption being used, how it is used, and the circumstances of its use. In the next few slides we will look at different types of encryption, how they operate, and how they can be used to protect communication and information.