Looking at E-mail and Internet Security for Security+ Certification
For the Security+ exam, you need to know the standards and applications available for secure e-mail and Internet use. You also need to be aware of several vulnerabilities and nuisances, including virus hoaxes and spam.
Several applications employing cryptographic techniques have been developed for e-mail communications in order to provide
- Access control
Secure Multipurpose Internet Mail Extensions (S/MIME)
Secure Multipurpose Internet Mail Extensions (S/MIME) provides a secure method of sending e-mail and is incorporated into several popular browsers and e-mail applications. S/MIME provides confidentiality and authentication by using the RSA asymmetric key system, digital signatures, and X.509 digital certificates. S/MIME complies with the Public Key Cryptography Standard (PKCS) #7 format and has been proposed as a standard to the Internet Engineering Task Force (IETF).
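The two S/MIME message layouts referred to above (a clear-signed multipart/signed message with a detached PKCS#7 signature, and an opaque application/pkcs7-mime object) can be told apart with nothing but the standard library. The following Python is an added example, not code from the article; the two messages are constructed and the base64 blob is a placeholder rather than a real PKCS#7 object.

```python
# Added example (standard library only). Both messages are constructed and
# the base64 blob is a placeholder, not a real PKCS#7 object.
from email import message_from_bytes, policy
# Constructed sample 1: clear-signed S/MIME (multipart/signed, RFC 1847 layout).
SIGNED_SAMPLE = b"""\
From: alice@example.com
To: bob@example.com
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Figures attached. Please confirm receipt.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--sig-boundary--
"""

# Constructed sample 2: opaque S/MIME, the PKCS#7 EnvelopedData is the whole body.
ENCRYPTED_SAMPLE = b"""\
From: alice@example.com
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""

def classify_smime(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = msg.get_payload()
        if msg.get_param("protocol") != "application/pkcs7-signature" or len(parts) != 2:
            return {"kind": "malformed-signed"}
        body, sig = parts
        # RFC 1847: the signature covers the first body part, headers included, in
        # canonical CRLF form; policy.SMTP re-serialises it with CRLF line endings.
        return {"kind": "clear-signed", "micalg": msg.get_param("micalg"),
                "signed_bytes": body.as_bytes(policy=policy.SMTP),
                "signature_b64": sig.get_payload().strip()}
    if ctype == "application/pkcs7-mime":
        kinds = {"enveloped-data": "encrypted", "signed-data": "opaque-signed"}
        return {"kind": kinds.get(msg.get_param("smime-type"), "unknown-pkcs7")}
    return {"kind": "unprotected"}
```

The `signed_bytes` value is what a PKCS#7 verifier hashes with the `micalg` digest; a production verifier should take those bytes verbatim from between the MIME boundaries rather than re-serialising, since any change to whitespace or header folding breaks the signature.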
MIME Object Security Services (MOSS)
MIME Object Security Services (MOSS) provides confidentiality, integrity, identification and authentication, and non-repudiation by using MD2 or MD5, RSA asymmetric keys, and DES. MOSS has not been widely implemented on the Internet.
Privacy Enhanced Mail (PEM)
Privacy Enhanced Mail (PEM) was proposed as a PKCS-compliant standard by the IETF but hasn't been widely implemented on the Internet. It provides confidentiality and authentication by using 3DES for encryption, MD2 or MD5 message digests, X.509 digital certificates, and the RSA asymmetric system for digital signatures and secure key distribution.
This section covers two very common and, no doubt, very familiar e-mail vulnerabilities for any user of e-mail today: spam and hoaxes.
Spam wastes valuable and limited bandwidth and computing resources. It costs companies and individuals millions of dollars annually in lost productivity. Currently available antispamming products have only limited effectiveness.
Your options for combating spam are limited, but include these:
- Delete: If you receive a relatively low volume of spam e-mail on a daily basis, perhaps the easiest thing to do is delete it. Doing this is not really a solution and is probably not what your users want to hear, but this is the most common method for dealing with spam.
- Filter: Most e-mail applications and Internet e-mail services provide some filtering capability. Several commercial third-party products provide better filtering capabilities. Just be sure you configure the filtering options carefully to avoid filtering legitimate e-mail!
- Educate: Educate your users about spam. Users should know never to reply to a spam message or use its unsubscribe link. Doing so confirms to the spammer that the address is live and makes the problem worse.
- Don't relay! Perhaps the most important thing for a company to do is ensure that it is not already (or does not become) a part of the problem. Mail servers that are set up as an open mail relay (many are by default) can be used to send spam to anyone on the Internet. An open mail relay does not attempt to verify the originator of an e-mail message and forwards anything it receives.
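The relay rule in the last item is easy to state in code. The following Python is an added illustration, not code from the article or from any real mail server: it contrasts an open relay with a server that relays only for clients it can vouch for, and includes a self-check you can run against your own policy. The domains and network ranges are constructed.

```python
# Added example: relay-decision logic in the style of an MTA's RCPT TO check,
# not code from any real mail server. Domains and networks are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.com", "mail.example.com"}  # domains we are MX for (constructed)
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8")]       # our own LAN (constructed)

@dataclass
class Envelope:
    client_ip: str       # IP of the connecting SMTP client
    authenticated: bool  # did the client pass SMTP AUTH?
    mail_from: str       # MAIL FROM address: trivially forged, never a basis for trust
    rcpt_to: str         # RCPT TO address being decided on

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def open_relay_decision(env: Envelope) -> str:
    # The misconfiguration the text warns about: nothing about the originator is
    # checked, so anyone on the Internet can route mail to anyone through us.
    return "250 OK"

def restricted_relay_decision(env: Envelope) -> str:
    # Inbound mail addressed to our own domains is always accepted; that is the MX's job.
    if _domain(env.rcpt_to) in LOCAL_DOMAINS:
        return "250 OK"
    # Outbound relay to foreign domains only for clients we can vouch for:
    # authenticated submissions or hosts on the internal network.
    client = ip_address(env.client_ip)
    if env.authenticated or any(client in net for net in TRUSTED_NETWORKS):
        return "250 OK"
    return "554 5.7.1 Relay access denied"

def is_open_relay(decide) -> bool:
    # Self-check for your own server: an unauthenticated Internet host sending
    # from and to foreign domains must be refused. Returns True if it was relayed.
    probe = Envelope("203.0.113.7", False, "anyone@example.net", "someone@example.org")
    return decide(probe).startswith("250")
```

Note that a forged local-domain MAIL FROM does not earn relay rights in the restricted policy; relaying on the basis of the sender address is the classic mistake that turns a "closed" server back into an open one.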
E-mail hoaxes typically take the form of chain letters. One specific type of e-mail hoax is the virus hoax. A virus hoax is an e-mail message that describes a fake virus using pseudotechnical language. The threat that is described may appear quite legitimate and may be sent from someone you know. (The hoaxes usually instruct you to forward the message to everyone in your address book.) Many hoaxes instruct unsuspecting users to delete important system files.
Your defense against hoaxes should include these:
- Educate: Educate your users about e-mail hoaxes (particularly virus hoaxes). Instruct them never to forward a hoax, even if it is received from someone they know. Ensure that they report hoaxes to a system or security administrator.
- Verify: If you are concerned about the legitimacy of a virus hoax, verify its existence (or nonexistence) at Symantec or McAfee. Although these antivirus software giants may not necessarily have an immediate fix for a new virus in the wild, they provide you with reliable information about any new threats (real or fraudulent).
As with e-mail applications, several protocols and standards have been developed to provide security for Internet communications and transactions. These include SSL/TLS and S-HTTP, discussed in this article. You also explore the vulnerabilities associated with two Internet applications: browsers and instant messaging.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
The Secure Sockets Layer (SSL) protocol provides session-based encryption and authentication for secure communication between clients and servers on the Internet.
SSL operates at the Transport Layer, is independent of the application protocol, and provides server authentication with optional client authentication.
SSL uses the RSA asymmetric key system; IDEA, DES, and 3DES symmetric key systems; and the MD5 hash function. The current version is SSL 3.0. SSL 3.0 was standardized as TLS 1.0 and released in 1999.
Secure HyperText Transfer Protocol (S-HTTP)
Secure HyperText Transfer Protocol (S-HTTP) is an Internet protocol that provides a method for secure communications with a Web server. S-HTTP is a connectionless protocol that encapsulates data after security properties for the session have been successfully negotiated.
The protocol uses
- Symmetric encryption (for confidentiality)
- Message digests (for integrity)
- Public key encryption (for client-server authentication and nonrepudiation)
Instant messaging programs have become very popular on the Internet because of their ease of use and instantaneous communications capability. Examples include AIM, MSN Messenger, and Yahoo! Messenger.
Many vulnerabilities and security risks, such as the following, are associated with instant messaging programs:
- Viruses and Trojan horses: IM programs are quickly becoming a preferred medium for spreading malicious code.
- Social engineering: Many users are oblivious to the open nature of IM and very casually exchange personal, private, or sensitive information with unknown parties.
- Shared files: Many IM programs (and related programs) allow users to share their hard drives or transfer files.
- Packet sniffing: As with almost all TCP/IP traffic, IM sessions can easily be sniffed for valuable information and passwords.
Internet browsers, such as Microsoft's Internet Explorer and Netscape Navigator, are basic Web surfing tools. To enhance your Web surfing experience, many cool tools have been designed to deliver dynamic and interactive content beyond basic HTML. Of course, these features often come at a price — additional security risks.
These tools and risks include
- ActiveX and Java applets: ActiveX and Java can make Web browsers do some pretty neat things — and some pretty nasty things. The security model for ActiveX is based on trust relationships. (You accept a digital certificate, and the applet is downloaded.) Java security is based on the concept of a sandbox, which restricts an applet to communicating only with the originating host and prevents the applet from directly accessing a PC's hard drive or other resources — theoretically.
- Buffer overflows: Buffer overflows are perhaps the most common and easily perpetrated denial-of-service attacks today. Vulnerabilities in Web browsers (particularly Internet Explorer) can be exploited, causing a system to crash or, worse, give an attacker unauthorized access to a system or directory.