Tools that make web pages more powerful and versatile can also make computers more vulnerable to attack. These are some examples of web tools:
- ActiveX – Technology created by Microsoft to control interactivity on web pages. If ActiveX is on a page, an applet or small program has to be downloaded to gain access to the full functionality.
- Java – Programming language that allows applets to run within a web browser.
- JavaScript – Programming language developed to interact with HTML source code to allow interactive websites.
Common DoS attacks include the following:
- Ping of death – A series of repeated, larger than normal pings that crash the receiving computer.
- E-mail bomb – A large quantity of bulk e-mail that overwhelms the e-mail server, preventing users from accessing it.
Here are some basic precautions to help protect against social engineering:
- Never give out your password
- Always ask for the ID of unknown persons
- Restrict access of unexpected visitors
- Escort all visitors
- Never post your password in your work area
- Lock your computer when you leave your desk
- Do not let anyone follow you through a door that requires an access card
Some of the most common attacks:
- SYN Flood – Randomly opens TCP ports, tying up the network equipment or computer with a large amount of false requests, causing sessions to be denied to others
- DoS – Sends abnormally large amounts of requests to a system preventing access to the services
- DDoS – Uses “zombies” to make the origin of the DoS attack difficult to trace
- Spoofing – Gains access to resources on devices by pretending to be a trusted computer
- Man-in-the-Middle – Intercepts or inserts false information in traffic between two hosts
- Replay – Uses network sniffers to extract usernames and passwords to be used at a later date to gain access
- DNS Poisoning – Changes the DNS records on a system to point to false servers where the data is recorded
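To make two of the attack patterns above concrete from the defender's side, here is an added example (not part of the original notes) that scans constructed connection-log lines for a SYN flood (many half-open TCP connections to one port, i.e. SYNs that are never followed by the client's ACK) and for a ping-of-death style oversized ICMP echo. The log format, the field names, the `len` field meaning the reassembled datagram length, and the alert threshold are all assumptions made for the example.

```python
"""Added example: flag SYN-flood and oversized-ping patterns in constructed log lines."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# "<timestamp> src=<ip> dst=<ip> proto=<tcp|icmp> [dport=<n>] [flags=<S|A|SA>] len=<bytes>"
SAMPLE_LOG = (
    # three legitimate handshakes: each SYN is followed by the client's ACK
    [f"2024-05-01T09:00:0{i}Z src=10.0.0.{i} dst=192.0.2.10 proto=tcp dport=443 flags=S len=60"
     for i in range(1, 4)]
    + [f"2024-05-01T09:00:0{i}Z src=10.0.0.{i} dst=192.0.2.10 proto=tcp dport=443 flags=A len=52"
       for i in range(1, 4)]
    # 25 SYNs to port 80 from distinct sources that never complete the handshake
    + [f"2024-05-01T09:01:00Z src=198.51.100.{i} dst=192.0.2.10 proto=tcp dport=80 flags=S len=60"
       for i in range(1, 26)]
    # one normal echo request and one oversized (reassembled) echo request
    + ["2024-05-01T09:02:00Z src=10.0.0.9 dst=192.0.2.10 proto=icmp len=84",
       "2024-05-01T09:02:01Z src=203.0.113.7 dst=192.0.2.10 proto=icmp len=65540"]
)

MAX_IPV4_DATAGRAM = 65535  # largest legal IPv4 datagram; a ping reassembling to more than this is the classic ping of death
SYN_FLOOD_THRESHOLD = 20   # half-open connections per (dst, port) before alerting; assumed tuning value

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict; 'len' is converted to int."""
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(" ", 1)[0]
    if "len" in fields:
        fields["len"] = int(fields["len"])
    return fields


def detect(lines, syn_threshold=SYN_FLOOD_THRESHOLD):
    """Scan log lines and return SYN-flood targets and oversized-ping sources.

    A TCP SYN creates a half-open entry for (src, dst, dport); a later ACK from the
    same client to the same service removes it. Targets with at least syn_threshold
    half-open entries left are reported. ICMP records longer than a legal IPv4
    datagram are reported as oversized pings.
    """
    half_open = set()   # (src, dst, dport) with a SYN seen but no ACK yet
    oversized = []      # (src, len) for ICMP records exceeding MAX_IPV4_DATAGRAM
    for line in lines:
        f = parse_line(line)
        if f.get("proto") == "tcp":
            key = (f["src"], f["dst"], f["dport"])
            if f.get("flags") == "S":
                half_open.add(key)
            elif "A" in f.get("flags", ""):
                half_open.discard(key)   # handshake completed (or data already flowing)
        elif f.get("proto") == "icmp" and f["len"] > MAX_IPV4_DATAGRAM:
            oversized.append((f["src"], f["len"]))

    per_target = defaultdict(int)
    for _src, dst, dport in half_open:
        per_target[(dst, dport)] += 1
    syn_floods = sorted((dst, dport, n) for (dst, dport), n in per_target.items()
                        if n >= syn_threshold)
    return {"syn_flood": syn_floods, "oversized_ping": oversized}


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, hits)
```

Run as-is it reports one SYN-flood target (192.0.2.10 port 80 with 25 half-open connections) and one oversized ping from 203.0.113.7; the legitimate port 443 handshakes are cleared by their ACKs and produce no alert. On real data the threshold would be tuned to the host's normal backlog, and a production detector would also expire half-open entries by time rather than keeping them forever.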
A security policy should describe how a company addresses security issues:
- A process for handling network security incidents
- A process to audit existing network security
- A general security framework for implementing network security
- Behaviors that are allowed
- Behaviors that are prohibited
- What to log and how to store the logs: Event Viewer, system log files, or security log files
- Network access to resources through account permissions
- Authentication technologies to access data: usernames, passwords, biometrics, smart cards
- BIOS – Prevents BIOS settings from being changed without the appropriate password
- Login – Prevents unauthorized access to the network
Wired Equivalent Privacy (WEP) – the first generation security standard for wireless. Attackers quickly discovered that WEP encryption was easy to break.