Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.
Many methods are used to combat these threats, including encryption and ground-up engineering.
Malicious software
Malicious software comes in many forms, such as viruses, Trojan horses, spyware, and worms.
- Malware, a portmanteau of malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware is defined by its malicious intent, acting against the requirements of the computer user, and does not include software that unintentionally causes harm due to some deficiency. The term badware applies to both malware and unintentionally harmful software.
- A botnet is a network of computers that have been taken over by a robot or bot that performs large-scale malicious acts for its creator.
- Computer viruses are programs that can replicate their structures or effects by infecting other files or structures on a computer. The typical purpose of a virus is to take over a computer to steal data.
- Computer worms are programs that can replicate themselves throughout a computer network.
- Ransomware is a type of malware that restricts access to the computer system that it infects, and demands a ransom in order for the restriction to be removed.
- Scareware is a program of usually limited or no benefit, containing malicious payloads, that is sold via unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user.
- Spyware refers to programs that surreptitiously monitor activity on a computer system and report that information to others without the user’s consent.
- One particular kind of spyware is key logging malware. Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard.
- A Trojan horse, commonly known as a Trojan, is a general term for malware that pretends to be harmless, so that a user will be convinced to download it onto the computer.
Denial-of-service attacks
A denial-of-service attack (DoS) or distributed denial-of-service attack (DDoS) is an attempt to make a computer resource unavailable to its intended users. It works by making so many service requests at once that the system is overwhelmed and becomes unable to process any of them. DoS may target cloud computing systems. According to business participants in an international security survey, 25% of respondents experienced a DoS attack in 2007 and another 16.8% in 2010. DoS attacks often use bots (or a botnet) to carry out the attack.
Phishing
Phishing targets online users in an attempt to extract sensitive information such as passwords and financial information. Phishing occurs when the attacker pretends to be a trustworthy entity, either via email or a web page. Victims are directed to web pages that appear to be legitimate, but instead route information to the attackers. Tactics include email spoofing, which attempts to make emails appear to be from legitimate senders, and long, complex URLs that hide the actual website. Insurance group RSA claimed that phishing accounted for worldwide losses of $10.8 billion in 2016.
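The following is an added example, not part of the original article: a defensive check that extracts the host a link really points to and reports why it differs from the site it claims to be. The function names, finding labels and sample URLs (reserved `.test`/`.example` names and a documentation IP address) are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def actual_host(url):
    """Host the browser really connects to: after any '@', before the path."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def url_findings(url, expected):
    """Reasons a link that claims to be `expected` does not actually go there."""
    parts, host, found = urlsplit(url), actual_host(url), []
    if host == expected or host.endswith("." + expected):
        return found                       # genuinely on the expected domain
    found.append("host-mismatch")
    if parts.username is not None:         # text before '@' is never the host
        found.append("userinfo-decoy")
    try:
        ipaddress.ip_address(host)         # raises ValueError for a DNS name
        found.append("ip-literal-host")
    except ValueError:
        pass
    if expected in host:                   # brand used only as a left-hand label
        found.append("brand-in-subdomain")
    if expected in parts.path + "?" + parts.query:
        found.append("brand-in-path")
    if any(label.startswith("xn--") for label in host.split(".")):
        found.append("punycode-label")     # may render as look-alike characters
    return found

# Constructed sample links, all claiming to be example-bank.test
SAMPLES = [
    "https://login.example-bank.test/account",
    "https://example-bank.test@203.0.113.7/login",
    "https://example-bank.test.secure-session.example/signin?next=/home",
    "http://files.example/redirect/example-bank.test/login.html",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(actual_host(link), url_findings(link, "example-bank.test"))
```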
Man in the middle
A man-in-the-middle (MITM) attack is a type of cyber attack. Cybercriminals can intercept data sent between people to steal, eavesdrop on or modify data for certain malicious purposes, such as extorting money and identity theft. Public WiFi is often insecure because it is unknown whether Web traffic is being monitored or intercepted.
Application vulnerabilities
Applications used to access Internet resources may contain security vulnerabilities such as memory safety bugs or flawed authentication checks. Such bugs can give network attackers full control over the computer.
Countermeasures
Network layer security
TCP/IP protocols may be secured with cryptographic methods and security protocols. These protocols include Secure Sockets Layer (SSL), succeeded by Transport Layer Security (TLS) for web traffic, Pretty Good Privacy (PGP) for email, and IPsec for network layer security.
Internet Protocol Security (IPsec)
IPsec is designed to protect TCP/IP communication in a secure manner. It is a set of security extensions developed by the Internet Engineering Task Force (IETF). It provides security and authentication at the IP layer by transforming data using encryption. Two main types of transformation form the basis of IPsec: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). They provide data integrity, data origin authentication, and anti-replay services. These protocols can be used alone or in combination.
Basic components include:
- Security protocols for AH and ESP
- Security association for policy management and traffic processing
- Manual and automatic key management for the Internet key exchange (IKE)
- Algorithms for authentication and encryption
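The following is an added example, not part of the original article and not an IPsec implementation: a simplified receiver showing how data integrity, data origin authentication and anti-replay fit together using a keyed integrity check value (ICV) and a sliding sequence-number window. The packet layout, the 64-packet window, the 16-byte truncated HMAC-SHA-256 tag and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 64                      # anti-replay window size (assumed value)
MASK = (1 << WINDOW) - 1
ICV_LEN = 16                     # truncated HMAC-SHA-256 tag length (assumed)

class ReceiverSA:
    """Hypothetical receive-side security association: key plus replay state."""
    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.highest = 0         # highest sequence number authenticated so far
        self.bitmap = 0          # bit i set => sequence (highest - i) was seen

def icv(key, spi, seq, payload):
    """Integrity check value over SPI, sequence number and payload."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]

def protect(key, spi, seq, payload):
    """Sender side: header || payload || ICV (simplified layout, not wire format)."""
    return struct.pack("!II", spi, seq) + payload + icv(key, spi, seq, payload)

def receive(sa, packet):
    """Receiver side: replay pre-check, then ICV check, then window update."""
    if len(packet) < 8 + ICV_LEN:
        return "malformed"
    spi, seq = struct.unpack("!II", packet[:8])
    payload, tag = packet[8:-ICV_LEN], packet[-ICV_LEN:]
    if spi != sa.spi:
        return "unknown-sa"
    if seq == 0 or seq + WINDOW <= sa.highest:
        return "replay-too-old"              # 0 is never sent, or left of window
    if seq <= sa.highest and (sa.bitmap >> (sa.highest - seq)) & 1:
        return "replay-duplicate"            # already accepted once
    if not hmac.compare_digest(tag, icv(sa.key, spi, seq, payload)):
        return "bad-icv"                     # forged or modified: window untouched
    if seq > sa.highest:                     # advance only after authentication
        shift = seq - sa.highest
        sa.bitmap = 1 if shift >= WINDOW else ((sa.bitmap << shift) | 1) & MASK
        sa.highest = seq
    else:
        sa.bitmap |= 1 << (sa.highest - seq)
    return "accepted"
```

The window is updated only after the ICV verifies, so a forged packet with a high sequence number cannot push genuine traffic out of the window.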
Compliance Requirements
Various regulations and laws mandate security awareness training (SAT) for organizations in specific industries, including the Gramm–Leach–Bliley Act (GLBA) for financial services, the Federal Information Security Modernization Act of 2014 for federal agencies, and the European Union’s General Data Protection Regulation (GDPR).
Federal Information Security Modernization Act
Employees and contractors in federal agencies are required to receive Security Awareness Training annually, and the program needs to address job-related information security risks and provide them with the knowledge to lessen those risks.
Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act has a Security Rule and a Privacy Rule, which require the creation of a security awareness training program and that employees are trained accordingly.
Payment Card Industry Data Security Standard
The Payment Card Industry Security Standards Council is the governing council for stakeholders in the payment industry, formed by American Express, Discover, JCB International, MasterCard, and Visa; it developed the DSS as a requirement for the payment industry. Requirement 12.6 requires member organizations to institute a formal security awareness program. There is a published guide for organizations to adhere to when setting up the program.
US States Training Regulations
Some states mandate Security Awareness Training, while others do not but simply recommend voluntary training. States that require the training for their employees include:
- Colorado (The Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.)
- Connecticut (13 FAM 301.1-1 Cyber Security Awareness Training (PS800))
- Florida (Florida Statutes Chapter 282)
- Georgia (Executive Order GA E.O.182 mandated training within 90 days of issue)
The algorithm allows these sets to work independently without affecting other parts of the implementation. The IPsec implementation is operated in a host or security gateway environment giving protection to IP traffic.