Email Security
Allan Boardman
ISACA London Chapter, 18 December 2003
Slide 2: Agenda
- Dependency on email systems
- Business and technical risks and threats
- Controlling and securing email
- Regulations and legislation
- Other messaging systems
- Q&A
Slide 3: Email today
Email has revolutionised how business is conducted and how the workforce operates.
Today we take email for granted: it is ubiquitous, flexible, configurable, asynchronous and fast.
But there is a big question over its security.
Slide 4: Email dependency
- Most widely used desktop application
- Extensively used within organisations, as well as with external parties including customers, vendors/suppliers and business partners
- Has grown into a complex, business-critical application
- Integral to business processes
Slide 5: Email usage forecast
Email usage is huge, and it is getting bigger, fast.
Slide 6: Email news stories
- Norwich Union paid out over £450K for libelling a rival company in emails sent by staff
- Chevron paid around $2.2M to settle a lawsuit over sexism and pornography contained in emails
- Microsoft's antitrust litigation, where the government turned up damaging email that Microsoft thought no longer existed
- A London law firm's email with "personal content" was circulated to millions worldwide
- A Wall Street banker's email instruction to staff to destroy documents during a criminal and regulatory investigation
- Sobig.F mass-mailing virus, August 2003
Slide 7: Business risks and threats
- Information overload / data avalanche
- Information leakage
- Offensive content
- Interception and tampering
- Retention vs destruction
- Incidents, lawsuits, brand damage
- Regulators target email communications
- Reliability and delivery failure
- A large proportion of email traffic is not business related
Slide 8: Email support
As business becomes increasingly reliant on advanced software and technology, it is often the simplest tools, notably email, that cause the most significant support issues.
Slide 9: Email security FAQ
- Attachments being blocked
- Use of generic mail accounts
- Group mail accounts and delegation
- Access to ex-staff mail after they have left
- Staff leaving who wish to take message files with them
- Message rules
- Virus hoaxes
- Spam
- Mail forwarding
Slide 10: Technical risks and threats
- Policy enforcement
- System performance and availability
- Junk mail / spam
- Damaging attachments: viruses
- Web-based email
- Attacks launched using email
- Systems increasingly using automatic email alerts
Slide 11: Expectation vs reality
- Part of the official communication process
- Personal, but it comes from the business
- Thought of as transient, so viewed as "without record"
- Impulsive and reactive, so often viewed as informal communication
- Ownership: whose email is it anyway?
- In plain view: who else can see your mail?
Slide 12: Email attacks
Email has become the prime means of installing backdoors (trojans) and other harmful programs that help intruders break into a corporate network, or bring down networks or systems.
Slide 13: Types of email attacks
- Email trojans
  - Either steal information (e.g. passwords) or cause damage by activating a distributed attack
  - Often disguised as a joke or picture
- Buffer overflows
  - Overlong or malformed input supplies program instructions that the victim's computer executes
  - Can also be used as a denial-of-service attack, causing the computer to crash
- HTML viruses (no user intervention required)
  - Active content or browser attacks
  - Use the scripting features of HTML or the email client to execute illicit code
Slide 14: Defending against email attacks
- Content checking of all inbound and outbound email at gateway and mail server level
- Layered anti-virus checking
- Block or quarantine emails and attachments containing macros, VBScript, JavaScript, executables and HTML scripts
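One way to implement the gateway content check this slide calls for, as an added example that is not part of the original presentation: a small Python filter that parses a message with the standard library's email package, flags attachments by extension, looks for active content in HTML bodies, and checks attachment bytes for a Windows executable header so that an executable renamed to look like a picture (the "disguised as a joke or picture" case from slide 13) is still caught. The extension lists, the regular expression, the sample message and all names in it are constructed assumptions for the example.

```python
"""Gateway-style attachment and active-content filter (added example)."""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Policy lists are assumptions for this example, not taken from the slides.
BLOCKED_EXTENSIONS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".hta",
    ".vbs", ".vbe", ".js", ".jse", ".wsf",
}
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pot"}
# Script/embed tags, javascript: URLs and on* event-handler attributes.
ACTIVE_HTML = re.compile(
    r"<\s*(script|object|embed|iframe|applet)\b|javascript:|\s+on[a-z]+\s*=",
    re.IGNORECASE,
)


def assess_part(part):
    """Return the list of reasons this MIME leaf part should be held."""
    findings = []
    filename = (part.get_filename() or "").lower()
    ext = os.path.splitext(filename)[1]
    ctype = part.get_content_type()

    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked extension {ext}: {filename}")
    elif ext in MACRO_CAPABLE_EXTENSIONS:
        findings.append(f"macro-capable document: {filename}")

    if ctype == "text/html" and ACTIVE_HTML.search(part.get_content()):
        findings.append("active content in HTML body")

    # Do not trust the declared type or the extension: a "picture" whose
    # decoded bytes start with the DOS/PE header 'MZ' is a Windows executable.
    if part.get_content_maintype() != "text":
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            findings.append(f"PE executable signature in {filename or ctype}")
    return findings


def assess_message(raw):
    """Parse a raw RFC 5322 message and decide deliver vs quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if not part.is_multipart():
            findings.extend(assess_part(part))
    verdict = "quarantine" if findings else "deliver"
    return verdict, findings


def build_sample(malicious=True):
    """Constructed test message; 'joke.jpg' is a fake PE stub, not a real file."""
    msg = EmailMessage()
    msg["From"] = "friend@example.org"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "funny picture"
    msg.set_content("Check this out")
    if malicious:
        msg.add_alternative(
            '<html><body onload="run()"><p>Check this out</p></body></html>',
            subtype="html",
        )
        msg.add_attachment(
            b"MZ\x90\x00" + b"\x00" * 61,
            maintype="image", subtype="jpeg", filename="joke.jpg",
        )
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("clean", build_sample(False)), ("suspicious", build_sample(True))):
        verdict, findings = assess_message(raw)
        print(f"{label}: {verdict} {findings}")
```

Run as a script it prints the verdict for a clean and a suspicious constructed message. A production filter would additionally unpack archives and apply the same checks to their contents, and would treat any part whose declared type disagrees with its magic bytes as suspicious, not only PE files.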
Slide 15: A new blend of virus: Sobig.F
What makes Sobig.F different from previous worm attacks is that it blurs the line between spam and viruses by using techniques common to both, to spread quickly and broadly.
Sobig.F is an example of a new generation of email threats that are more complex and more difficult to avert using traditional spam or virus filtering tools.
Slide 16: Spam
"This blending of worms and spam indicate that spam — usually seen as a nuisance or legal risk — poses security risks, too."
Gartner, August 2003
Slide 17: Securing email
Security requirements:
- Need to encrypt for privacy
- Need to check for viruses
- Need to check content against policy
Dilemma: internal monitoring vs encryption. Mail that is encrypted end to end on the desktop cannot be scanned for viruses or checked against policy at the gateway.
- Widespread use of desktop-based encryption is not a viable solution
- Client vs server-based encryption: certificate management is the main problem
Slide 18: Controlling and securing email
- Corporate email policy: acceptable use policies, guidelines and procedures
- Security software:
  - Anti-virus
  - Anti-spam (and configure the mail server so that outsiders cannot use it as an open relay)
  - Prevent information leakage
  - Stop interception and tampering (PGP or S/MIME)
  - Content control, e.g. checking for offensive content
  - Reporting, for tracking email usage and monitoring communications
  - Archiving
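The relay control mentioned above is enforced by the SMTP server on the envelope recipient at RCPT TO time, not by inspecting message headers after the fact. As an added example that is not part of the original presentation, and assuming a Postfix server (the slides name no product), this main.cf fragment shows the misconfiguration that creates an open relay next to the setting that prevents it; the address ranges are placeholders.

```ini
# /etc/postfix/main.cf fragment (added example; assumes Postfix)

# WEAK: treating the whole Internet as "my network" turns this host into an
# open relay, because permit_mynetworks then matches every connecting client.
#mynetworks = 0.0.0.0/0

# HARDENED: only the listed corporate ranges (placeholders) may relay without
# authenticating; anyone else must authenticate over SASL or be delivering to
# a domain this host accepts mail for.
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

Check the live values with `postconf mynetworks smtpd_relay_restrictions`. On Postfix releases before 2.10 the same three restrictions go in smtpd_recipient_restrictions instead. From an outside address, an unauthenticated RCPT TO for a domain the host does not accept mail for should then be refused with a "Relay access denied" response.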
Slide 19: Email policies
Users: spell out the risks and specify what is permitted and what is prohibited, covering:
- Personal use
- Confidential information
- Libellous, defamatory, offensive, racist or obscene material
- Attachments and viruses
- Disclaimers
- Monitoring
- Best practices and email etiquette
Mail servers:
- Restrict to only running the services that are required
- Keep regularly patched
- Content filtering
- Virus software (also on workstations)
- Archiving and retention policies (and destruction policies)
Slide 20: Email and the law
- Defamation
- Sexual and racial harassment
- Breach of confidence
- Copyright infringement
- Publication of obscene material
- Inadvertent formation of contracts
- Negligent mis-statement
- Data protection obligations
- Privacy
- Computer misuse
- Negligent virus transmission
- Disclosure of computer records in legal proceedings
- Admissibility of evidence
Slide 21: Steps to avoid liability
- Written and up-to-date email policies
- Specify the company's right to monitor use
- Have employees sign off on policies, acknowledging that they have read, understood and will comply with them
- Take advantage of software to filter content
- Use software to monitor and report activity
- Ongoing user awareness and education about email policies
- Disclaimers
Slide 22: Regulations and legislation
EU:
- European Union Data Protection Directive
- European Directive on Privacy and Electronic Communications
UK:
- Data Protection Act: staff can demand access to records held about them, including emails
- Regulation of Investigatory Powers Act 2000: employers can monitor staff email
- UK implementation of the EU Privacy and Electronic Communications Directive, 11 December 2003
US:
- Federal Electronic Communications Privacy Act: grants employers the right to monitor email and internet activity on company systems, but does not prevent employees from filing invasion-of-privacy claims
- The Unsolicited Commercial Electronic Mail Act (anti-spam bill): prohibits sending spam and offers an opt-out for consumers
Slide 23: Spam, too slippery for the law?
Estimates:
- AOL blocks 1.5 billion spam messages every 24 hours
- 60-70% of all email traffic is spam
- The work of about 200 spammers, sending up to 50M messages each per day
- Making one sale per million messages
- US, 16/12/03: Bush signs anti-spam legislation
- In one month this summer, more than 100K complaints were made against one spam organisation
- Two men now face felony charges in Virginia, with possible jail terms and confiscation
Slide 24: Email, looking ahead
- Email collaboration
- Greater strain on email infrastructure
- Increasing volumes, both in number of messages and size of attachments
- Delays in timely delivery because of increased filtering requirements
- Increased use of encryption to defeat virus scanners
- Increased use of multiple payloads, e.g. an email worm that contains a trojan for network penetration and a virus for data destruction
Slide 25: Instant messaging
- Confidentiality and privacy
- Authentication and password security
- Viruses, trojans, DoS attacks
- File transfers bypass perimeter controls
- Vendor access to data
- Service and support
- Interoperability
- Auditing of conversations
Slide 26: IM and regulators
- NASD Notice to Members earlier in 2003 outlining its IM expectations of member firms
- SEC specifies that it is the content (not the medium) and the audience of each type of electronic communication that determines the appropriate supervisory and record-keeping treatment
- Bottom line: "If you can't save it, store it and retrieve it, don't even think of using it"
Note: IM retention is much more complex than email.
Slide 27: Text messaging / SMS
Uses:
- Alerting, e.g. CERT or virus attacks
- Authentication code sent to mobile users
- Informing users that their accounts are being accessed
- Mobile positioning and marketing
- Football scores etc.
SMS security risk highlighted in the Friends Reunited hacking case: text messages were intercepted.
SMS is not a secure environment suitable for sending confidential messages.
Slide 28: Email-related resources
- E-mail @ work, Jonathan Whelan, ISBN 0 273 64465 3
- Email coaching: Mesmo Consulting, www.mesmo.co.uk
- Anti-spam:
  - European Coalition Against Unsolicited Commercial E-mail (CAUCE), http://www.euro.cauce.org/en/index.html
  - FAQ on abuse of e-mail, http://members.aol.com/e-mailfaq
  - Fighting spam, www.spamcop.com
- Regulations and legislation:
  - UK Electronic Communications Act, http://www.legislation.hmso.gov.uk/acts/acts2000/20000007.htm
  - UK Data Protection Act, www.dataprotection.gov.uk
  - UK Regulation of Investigatory Powers Act, http://www.hmso.gov.uk/acts/acts2000/20000023.htm
  - Gramm-Leach-Bliley, www.ftc.gov/privacy/glbact
  - HIPAA, http://www.hrsa.gov/website.htm
  - www.privacylaw.net
Slide 29: Questions