Page 1: Email Security

18 December 2003, ISACA London Chapter

Allan Boardman

Page 2: Agenda

- Dependency on email systems
- Business & technical risks & threats
- Controlling and securing email
- Regulations and legislation
- Other messaging systems
- Q&A

Page 3: Email today

- Revolutionised:
  - How business is conducted
  - How the workforce operates
- Today we take email for granted:
  - Ubiquitous
  - Flexible
  - Configurable
  - Asynchronous and fast
- Big question over security?

Page 4: Email Dependency

- Most widely used desktop application
- Extensively used within organisations, as well as with external parties including customers, vendors/suppliers & business partners
- Grown into a complex, business-critical application
- Integral to business processes

Page 5: Email Usage Forecast

It's huge and it's getting bigger!!! Fast!!!

Page 6: Email News Stories

- Norwich Union paid out over £450K for libelling a rival company in emails sent by staff
- Chevron paid around $2.2M to settle a lawsuit over sexism & pornography contained in emails
- Microsoft's antitrust litigation, where the government turned up damaging email that Microsoft thought no longer existed
- London law firm: email with "personal content" circulated to millions worldwide
- Wall Street banker's email instruction to staff to destroy documents during criminal and regulatory investigation
- Sobig.F mass-mailing virus, Aug 2003

Page 7: Business Risks & Threats

- Information overload / data avalanche
- Information leakage
- Offensive content
- Interception & tampering
- Retention vs destruction
- Incidents, lawsuits, brand damage
- Regulators target email comms
- Reliability & delivery failure
- Large proportion of email traffic is non-business related

Page 8: Email Support

As business becomes increasingly reliant on advanced software and technology, it's often the simplest tools, notably email, that cause the most significant support issues.

Page 9: Email Security FAQ

- Attachments being blocked
- Use of generic mail accounts
- Group mail accounts & delegation
- Access to ex-staff mail after they have left
- Staff leaving wishing to take message files with them
- Message rules
- Virus hoaxes
- Spam
- Mail forwarding

Page 10: Technical Risks & Threats

- Policy enforcement
- System performance & availability
- Junk mail / spam
- Damaging attachments - viruses
- Web-based email
- Attacks launched using email
- Systems increasingly using auto email alerts

Page 11: Expectation vs Reality

- Part of the official communication process
- Personal, but it comes from the business
- Thought of as transient, so viewed as "without record"
- Impulsive and reactive, so often viewed as informal communication
- Ownership: whose email is it anyway?
- In plain view: who else can see your mail?

Page 12: Email Attacks

Email has become the prime means for installing backdoors (trojans) and other harmful programs to help intruders break into corporate networks or to bring down networks or systems.

Page 13: Types of Email Attacks

- Email trojans
  - Either for stealing information (eg. passwords) or to cause damage by activating a distributed attack
  - Often disguised as a joke or picture
- Buffer overflows
  - Supplies program instructions for the victim's computer to execute
  - Can also be used as a denial-of-service attack, causing the computer to crash
- HTML viruses (user-intervention free)
  - Active content or browser attacks
  - Uses scripting features of HTML or the email client to execute illicit code

Page 14: Defending Against Email Attacks

- Content checking of all inbound and outbound email at gateway and mail server level
- Layered anti-virus checking
- Block or quarantine emails and attachments containing macros, VB scripts, JavaScripts, executables and HTML scripts
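The gateway check this slide calls for, together with the HTML active-content attack from the previous slide, as an added Python example that is not part of the presentation: it walks a MIME message, flags attachments of blocked types and scripting in HTML bodies, and returns a deliver/quarantine decision. The blocked-extension list, the content types and the sample message are assumptions constructed for the example.

```python
"""Gateway content check (added example, not the presenter's tooling): quarantine
messages carrying executables, VB scripts, JavaScript, macro-enabled Office files,
or HTML bodies with active scripting, as the slide recommends."""
import re
from email import message_from_string
from email.message import EmailMessage

# Attachment extensions to block or quarantine (assumed list for the example).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs", ".js",
                      ".docm", ".xlsm", ".pptm"}
# Declared content types that should never reach a user's mailbox (assumed list).
BLOCKED_TYPES = {"application/x-msdownload", "application/javascript",
                 "text/javascript"}
# Active content in HTML bodies: <script> tags, on* event handlers, javascript: URLs.
ACTIVE_HTML = re.compile(r"<script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def inspect_message(raw: str) -> list[str]:
    """Return the policy violations found in one raw message (empty list = clean)."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS or ctype in BLOCKED_TYPES:
            findings.append(f"blocked attachment: {name or ctype}")
        if ctype == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if ACTIVE_HTML.search(body):
                findings.append("active content in HTML body")
    return findings


def gateway_decision(raw: str) -> str:
    """Deliver clean mail; quarantine anything with at least one finding."""
    return "quarantine" if inspect_message(raw) else "deliver"


def build_sample(hostile: bool) -> str:
    """Constructed test message: plain text, plus (when hostile) an HTML part with an
    event handler and a .vbs attachment disguised as a picture, the 'joke or picture' lure."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "staff@example.invalid"
    msg["Subject"] = "Funny picture"
    msg.set_content("See attached.")
    if hostile:
        msg.add_alternative('<html><body onload="run()">hi</body></html>', subtype="html")
        msg.add_attachment(b"MsgBox 1", maintype="application",
                           subtype="octet-stream", filename="joke.jpg.vbs")
    return msg.as_string()
```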

Page 15: New blend of virus - Sobig.F

What makes Sobig.F different from previous worm attacks is that it blurs the line between spam and viruses by using techniques common to both, to spread quickly and broadly.

Sobig.F is an example of a new generation of email threats that are more complex and more difficult to avert using traditional spam or virus filtering tools.

Page 16: SPAM

“This blending of worms and spam indicate that spam — usually seen as a nuisance or legal risk — poses security risks, too.”

Gartner, August 2003

Page 17: Securing Email

- Security requirements
  - Need to encrypt for privacy
  - Need to check for viruses
  - Need to check content against policy
- Dilemma: internal monitoring vs encryption
- Widespread use of desktop-based encryption is not a viable solution
- Client vs server-based encryption: certificate management is the main problem

Page 18: Controlling and Securing Email

- Corporate email policy
  - Acceptable use policies, guidelines & procedures
- Security software
  - Anti-virus
  - Anti-spam (also check headers to prevent the corporate mail system from being used for mail relaying)
  - Prevent information leakage
  - Stop interception and tampering (PGP or S/MIME)
  - Content control, eg checking of offensive content
  - Reporting, for tracking email usage and monitoring communications
  - Archiving
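The relay control mentioned under anti-spam above, as an added Python example that is not the presenter's configuration: a gateway accepts a recipient only when the destination domain is local, or when the connecting client is on the internal network or has authenticated; anything else is third-party relaying. It decides on the SMTP envelope recipient and client address; the local domain and internal network range are assumed values.

```python
"""Relay policy for a corporate mail gateway (added example, assumed values)."""
import ipaddress

LOCAL_DOMAINS = {"example.invalid"}                    # assumed corporate domains
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal ranges


def relay_allowed(client_ip: str, authenticated: bool, rcpt_to: str) -> bool:
    """Decide whether to accept RCPT TO for this session.

    Inbound mail for a local domain is always accepted; outbound mail is accepted
    only from internal or authenticated clients. External client to external
    recipient is the open-relay case spammers look for, so it is refused."""
    rcpt_domain = rcpt_to.rpartition("@")[2].lower()
    if rcpt_domain in LOCAL_DOMAINS:
        return True
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in INTERNAL_NETS):
        return True
    return False


def smtp_response(client_ip: str, authenticated: bool, rcpt_to: str) -> str:
    """Map the policy decision to the reply the gateway would send."""
    if relay_allowed(client_ip, authenticated, rcpt_to):
        return "250 OK"
    return "554 Relay access denied"
```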

Page 19: Email Policies

- Users
  - Spell out risks and specify what is permitted and what is prohibited; cover:
    - Personal use
    - Confidential information
    - Libellous, defamatory, offensive, racist or obscene content
    - Attachments and viruses
    - Disclaimers
    - Monitoring
    - Best practices & email etiquette
- Mail servers
  - Restrict to only running services that are required
  - Keep regularly patched
  - Content filtering
  - Virus software (also workstations)
  - Archiving and retention policies (and destruction policies)

Page 20: Email and the Law

- Defamation
- Sexual and racial harassment
- Breach of confidence
- Copyright infringement
- Publication of obscene material
- Inadvertent formulation of contracts
- Negligent mis-statement
- Data protection obligations
- Privacy
- Computer misuse
- Negligent virus transmission
- Disclosure of computer records in legal proceedings
- Admissibility of evidence

Page 21: Steps to Avoid Liability

- Written and up-to-date email policies
- Specify the company's right to monitor use
- Companies should have employees sign off on policies, acknowledging that they have read, understood and will comply
- Take advantage of software to filter content
- Use software to monitor and report activity
- Ongoing user awareness and education about email policies
- Disclaimers

Page 22: Regulations and Legislation

- EU
  - European Union Data Protection Directive
  - European Directive on Privacy and Electronic Communications
- UK
  - Data Protection Act: staff can demand access to confidential records, including emails
  - Regulatory Investigatory Powers Bill: employers can monitor staff's email
  - UK implementation of EU Directive, 11 December 2003
- US
  - Federal Electronic Communication Privacy Act: grants employers the right to monitor email and internet activity on company systems, but does not prevent employees from filing invasion of privacy claims
  - The Unsolicited Commercial Electronic Mail Act (Anti-Spam Bill): prohibits sending spam and offers opt-out for consumers

Page 23: SPAM – too slippery for the law?

- Estimates: AOL blocks 1.5 billion every 24 hours
- 60-70% of all email traffic is spam
- Work of about 200 spammers sending up to 50M each per day
- Making one sale per million messages
- US 16/12/03: Bush signs anti-spam legislation
- One month this summer, >100K complaints against one spam org
- Two men now face felony charges in Virginia
- Possible jail terms and confiscation

Page 24: E-Mail Looking Ahead

- Email collaboration
- Greater strain on email infrastructure
- Increasing volumes, both in number of messages and size of attachments
- Delays in timely delivery because of increased filtering requirements
- Increased use of encryption to defeat virus scanners
- Increased use of multiple payloads, eg an email worm that contains a trojan for network penetration and a virus for data destruction

Page 25: Instant Messaging

- Confidentiality and privacy
- Authentication and password security
- Viruses, trojans, DoS attacks
- File transfers bypass perimeter controls
- Vendor access to data
- Service & support
- Interoperability
- Auditing of conversations

Page 26: IM & Regulators

- NASD Notice to Members earlier in 2003 outlining its IM expectations of its member firms
- SEC specifies it's the content (not the medium) and the audience of each type of electronic communication that determines the appropriate supervisory and recordkeeping treatment
- Bottom line: "If you can't save it, store it and retrieve it, don't even think of using it"
- Note: IM retention is much more complex than email

Page 27: Text Messaging / SMS

- Alerting, eg. CERT or virus attacks
- Authentication code sent to mobile users
- Informing users that accounts are being accessed
- Mobile positioning and marketing
- Football scores etc
- SMS security risk highlighted in Friends Reunited hacking case: text messages intercepted
- SMS is not a secure environment suitable for sending confidential messages

Page 28: E-mail Related Resources

- E-mail @ work, Jonathan Whelan, ISBN 0 273 64465 3
- Email coaching: Mesmo Consulting, www.mesmo.co.uk
- Anti-spam
  - European Coalition Against Unsolicited Commercial E-mail (CAUCE): http://www.euro.cauce.org/en/index.html
  - FAQ on abuse of e-mail: http://members.aol.com/e-mailfaq
  - Fighting Spam: www.spamcop.com
- Regulations & legislation
  - UK Electronic Communication Act: http://www.legislation.hmso.gov.uk/acts/acts2000/20000007.htm
  - UK Data Protection Act: www.dataprotection.gov.uk
  - UK Regulation of Investigatory Powers: http://www.hmso.gov.uk/acts/acts2000/20000023.htm
  - Gramm-Leach-Bliley: www.ftc.gov/privacy/glbact
  - HIPAA: http://www.hrsa.gov/website.htm
  - www.privacylaw.net

Page 29: Questions

Page 30: Thank You

[email protected]