How to Achieve Rock-Solid E-mail Security Fred Avolio BAE Advanced Technologies, Inc....
![Page 2: How to Achieve Rock- Solid E-mail Security Fred Avolio BAE Advanced Technologies, Inc. fred.avolio@baesystems.com.](https://reader035.fdocuments.in/reader035/viewer/2022070410/56649ea75503460f94ba9a46/html5/thumbnails/2.jpg)
Agenda
The nature of the threat and reasons for successful attacks
Simple and effective acceptable use policies
E-mail firewalls
The 5 easiest and most effective ways to protect your enterprise e-mail
E-mail, the “Killer App”
The #1 reason people, companies and agencies connect to the Internet
The #1 attack vector
• E-mail is ubiquitous
• E-mail is fast, convenient and easy (triple threat!)
• Users believe what they read on a computer
The threats
Viruses/worms
Spam
DHA (directory harvest attacks)
Phishing
Data leakage
Idea, mine; Image, Bill Cheswick’s
And, of course, users
E-mail AUP
Why do we require e-mail? (What business need?)
What will we allow? (i.e., that which meets the business requirements)
What are the threats?
Where are we vulnerable?
What is permitted?
What is denied?
Obvious things
Act responsibly relative to
• The law
• Other enterprise policies
No “offensive” e-mail
No copyrighted, proprietary or sensitive
No running a side business
No chain letters
No expectation of privacy
Adhere to the antivirus policy
Permitted
Business communications
Limited personal communications (meeting the “No’s” on previous slide)
Use only enterprise-approved e-mail clients
Use only enterprise-approved configurations (only with permitted modifications)
Acceptable use policies
Are there for basic education
Remind people of good and evil
Are insufficient unless backed up by
• Administrative procedures
• Security enforcement devices
Firewalls
Acceptable use policies (2)
Examples
• Must not distribute any disruptive or offensive messages, including offensive comments about …
• May use a reasonable amount of resources for personal e-mails, but …
• Must not distribute chain letters, jokes, virus warnings, mass mailings, any “forward to everyone you know who uses the Internet” kinds of messages
Suggested resource: http://www.sans.org/resources/policies/
E-mail firewalls
Can be standard firewall with e-mail-specific rules
Can be specialized devices (“application-specific” firewall)
Does what all firewalls do
• Limit exposure
• Enforce policy (permit and deny rules)
Disclaimer: I do not work for any product company.
Standard firewall example*
WatchGuard Firebox
• A hybrid firewall
*Other firewalls may or may not have these capabilities. Ask.
E-mail firewall example
Ciphertrust IronMail
• E-mail-specific
• E-mail gateway/server
• Encrypted and signed e-mail
• Anti-spam gateway
• Anti-virus gateway
• Content filter
• Other features
“Five easy pieces”
The 5 easiest and most effective ways to protect your enterprise e-mail
With a sanity check from my friends, Dave Piscitello (www.corecom.com) and Marcus Ranum (www.ranum.com).
#5: Antivirus software
At the desktop
At an e-mail gateway or firewall
#1 attack vector for computer viruses is still e-mail
Desktop A/V — up-to-date and turned on to actively scan — is a very good deterrent
• And “very good” is “good enough”
Is it the main deterrent?
• No, that’s why it is not #1
#4: Use simple e-mail clients
Security and complexity are inversely proportional*
Fancier, flashier features add complexity
Complexity leads to vulnerabilities
*http://www.avolio.com/papers/axioms.html
As simple as possible
Don’t use Java, JavaScript or ActiveX when plain HTML will do
Don’t use plain HTML (or RTF) when plain, unformatted, 7-bit ASCII text will do
Don’t use e-mail clients that automatically launch dangerous applications
All “helper” programs may be dangerous
• Browsers
• Picture viewers
• Word
• PDF viewer
• Anything
Stuck with Outlook?
Turn off some features
• Any that users do not really, really, really need
• Disable and wait for complaints. Then selectively add.
Do not allow Outlook to auto-display HTML
Disable Java, JavaScript, ActiveX and VBS controls (Internet options)
See #1
#3: Use strong authentication
To retrieve e-mail
To send e-mail
Use the strongest possible
• “In the absence of other factors, always use the most secure options available.”*
Even reusable passwords are better than nothing
• if the user does not cache the password and it is not trivially guessed
Automated e-mail sender/transfer robots will not work if the e-mail requires user intervention in order to get through the firewall
*Snyder’s Razor, Dr. Joel Snyder
#2: Trusted peering
E-mail clients configured to only talk to trusted e-mail servers
Enforce this with a firewall, any firewall
• E-mail clients send (and receive) e-mail to (and from) the designated e-mail server or else they cannot “do e-mail”
• Remember from earlier, security is without teeth if it is easily circumvented
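An added example, not from the original slides: a check over firewall logs for client mail traffic that goes anywhere other than the designated e-mail server. The log format, addresses, port list and names are constructed assumptions; an allowed flow means the rule set has a gap, a denied one means enforcement is working and a client needs attention.

```python
import ipaddress

# Assumptions: common SMTP/POP3/IMAP ports, client range, designated server.
MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
CLIENT_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVER = ipaddress.ip_address("192.0.2.10")

# Constructed firewall log lines (key=value format is hypothetical).
SAMPLE_LOG = """\
action=allow src=192.0.2.21 dst=192.0.2.10 dport=587
action=allow src=192.0.2.22 dst=198.51.100.7 dport=25
action=allow src=192.0.2.23 dst=198.51.100.9 dport=443
action=deny src=192.0.2.24 dst=203.0.113.5 dport=110
action=allow src=192.0.2.10 dst=203.0.113.25 dport=25
malformed line
"""

def parse(line):
    """Return (action, src, dst, dport) or None for unparseable lines."""
    fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
    try:
        return (fields["action"], ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))
    except (KeyError, ValueError):
        return None

def peering_violations(log_text):
    """Return (bypasses, attempts) for client mail flows to other servers."""
    bypasses, attempts = [], []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        # Only client-originated mail traffic matters; the server relays freely.
        if dport not in MAIL_PORTS or src not in CLIENT_NET or src == MAIL_SERVER:
            continue
        if dst == MAIL_SERVER:
            continue  # trusted peering as intended
        target = bypasses if action == "allow" else attempts
        target.append((str(src), str(dst), dport))
    return bypasses, attempts

if __name__ == "__main__":
    allowed, denied = peering_violations(SAMPLE_LOG)
    print("rule gaps (allowed):", allowed)
    print("blocked attempts:", denied)
```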
#1: Strip off attachments
Does your enterprise require .scr, .bat, .com, .exe, .dll …?
Start with what it does need
Can you live with .rtf instead of .doc?
• Don’t have to worry about macros
Disallow all except the ones you absolutely need
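An added example, not part of the original slides: a default-deny attachment filter of the kind a mail gateway applies, written with Python's standard `email` package. The allow-list, the function names and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the short list of types this hypothetical enterprise needs.
ALLOWED_EXTENSIONS = {".txt", ".rtf", ".pdf"}

def _filter(container, allowed, removed):
    """Rebuild a multipart container, swapping disallowed parts for a notice."""
    if not container.is_multipart():
        return
    kept = []
    for part in container.get_payload():
        name = part.get_filename()
        is_attachment = (name is not None
                         or part.get_content_disposition() == "attachment")
        # Only the final extension counts, so "invoice.pdf.exe" is ".exe".
        ext = os.path.splitext(name or "")[1].lower()
        if is_attachment and ext not in allowed:
            removed.append(name or "(unnamed)")
            notice = EmailMessage()
            notice.set_content(
                f"[Attachment removed by mail policy: {removed[-1]}]")
            kept.append(notice)
            continue
        _filter(part, allowed, removed)  # nested multiparts, forwarded mail
        kept.append(part)
    container.set_payload(kept)

def strip_disallowed_attachments(raw, allowed=ALLOWED_EXTENSIONS):
    """Default-deny filter: return (message, removed_names)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    _filter(msg, allowed, removed)
    return msg, removed

def build_sample():
    """Constructed message: one allowed and one disguised attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@example.com", "bob@example.com"
    msg["Subject"] = "Quarterly notes"
    msg.set_content("See attached.")
    msg.add_attachment(b"{\\rtf1 notes}", maintype="application",
                       subtype="rtf", filename="notes.rtf")
    msg.add_attachment(b"MZ constructed bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    print("removed:", strip_disallowed_attachments(build_sample())[1])
```

Because the filter starts from what is needed rather than from a list of known-bad types, unnamed attachments and names with no extension are removed as well.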
Summary
Remember, the “5 Easy Pieces” are in backwards order. If you do nothing else, do #1, then add #2, etc.
E-mail is the #1 application and the #1 attack vector
Don’t forget policies
E-mail is (probably) required
E-mail threats can be contained
Multifunction security gateways/firewalls
FortiGate, www.fortinet.com
Proventia, www.iss.net
DP Inspector, www.barbedwiretech.com
Firebox, www.watchguard.com
SidewinderG2, www.securecomputing.com
ServGate, www.servgate.com
Symantec Gateway Security, www.symantec.com
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art914,00.html
E-mail firewalls
MXtreme, www.borderware.com
MailGate, www.tumbleweed.com
MIMEsweeper, www.clearswift.com
IronMail, www.ciphertrust.com
MessageInspector, www.zixcorp.com
http://infosecuritymag.techtarget.com/2003/feb/gatewayguardians.shtml