SHASHANK MASHETTY
Email security
Introduction
Electronic mail is most commonly referred to as email or e-mail.
Electronic mail is one of the most commonly used services on the Internet allowing people to send messages to one or more recipients.
Modern email operates across the internet and computer networks.
The messages can be notes entered from the keyboard or electronic files stored on the disk.
Why do we need secure email?
- Protect sensitive data
- Prove authenticity to recipients
- Send attachments that are normally filtered
- Avoid the junk folder
Email security enhancements
- Authentication
- Confidentiality
- Confidentiality and authentication
- Message integrity
Threats enabled by e-mail
- Spam
- Spoofing
- Phishing
- Disclosure of sensitive information
- Exposure of systems to malicious code
- Denial of service (DoS)
- Unauthorized access
Email threats
Spam
- Spam is the scourge of email around the world; it makes up 95% of all email on the Internet.
- Spammers get e-mail addresses from newsgroups and unscrupulous web site operators.
- A large proportion of spam contains malware or links to web sites that contain malware.
Spoofing
- Email spoofing occurs when an attacker sends you an email pretending to be someone you know.
- Email spoofing is easy to do, and it is very difficult to trace the real sender.
Phishing
- Phishing e-mails appear very authentic and often include graphics or logos that are actually from your bank.
Email-based attacks
- Active content attack - clean up at the server
- Buffer overflow attack - fix the code
- Shell script attack - scan before sending to the shell
- Trojan horse attack - do not automatically use the macro option
Choices available for secure email
- PGP (Pretty Good Privacy)
- S/MIME
- Special providers
- SSL/TLS web browser based email
- SSL/TLS POP/SMTP email
PGP
- Functionality:
  - encryption for confidentiality
  - signature for non-repudiation/authenticity
- Requires key exchange and key management
- Not scalable
- Small industry support
- Can only exchange secure email with other PGP users
S/MIME
- Similar to PGP; requires administrator installation and configuration, support intensive
- User must download and install software
- Many installations have failed due to complexity
- Can only exchange emails with other S/MIME users
Special providers
- Managed services using S/MIME with PKI key exchange
- Appliance-based services with special hardware; requires integration, expensive
Secure web mail
- Nothing to download or install, no support issues beyond typical email
- Works with any web browser
- Uses SSL/TLS security, the same system used by banks, Visa, etc.
- Easy to add and manage users
- No training is needed; it is simple
POP/SMTP Secure Mail
- Works with all email programs
- Uses SSL/TLS security, the same system used by banks, Visa, etc.
- Easy to set up, no download or installation, same issues as traditional email
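An added example, not part of the original slides: a Python standard-library client for the SSL/TLS-protected SMTP and POP access described above, which verifies the server certificate and refuses to send when the server does not offer STARTTLS. The host name, account and password are placeholders, and ports 587 and 995 are assumptions about the server setup.

```python
import ssl
import smtplib
import poplib
from email.message import EmailMessage


def strict_tls_context():
    """Client context: verify certificate and hostname, require TLS 1.2+."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def submit(smtp, msg, user, password, ctx):
    """Send msg over an smtplib.SMTP-like connection; never use plaintext."""
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        # Without this stop, login and message would cross the wire in clear.
        raise RuntimeError("server does not offer STARTTLS; refusing to send")
    smtp.starttls(context=ctx)
    smtp.ehlo()  # re-read server capabilities inside the TLS session
    smtp.login(user, password)
    return smtp.send_message(msg)  # dict of refused recipients, {} if none


def fetch_count(host, user, password, ctx, port=995):
    """Return the number of messages in a POP3 mailbox over implicit TLS."""
    box = poplib.POP3_SSL(host, port, context=ctx, timeout=30)
    try:
        box.user(user)
        box.pass_(password)
        return box.stat()[0]
    finally:
        box.quit()


if __name__ == "__main__":
    # Placeholder server and credentials (assumptions); replace before running.
    ctx = strict_tls_context()
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "Hi"
    msg.set_content("Sent over a verified TLS session.")
    with smtplib.SMTP("mail.example.com", 587, timeout=30) as s:
        submit(s, msg, "alice@example.com", "app-password", ctx)
    print(fetch_count("mail.example.com", "alice@example.com", "app-password", ctx))
```

TLS here protects only the hop between the mail program and its server; the message is still stored and relayed unencrypted, which is the "same issues as traditional email" point on the slide.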
Steps to secure mail
- Generate an identity
- Configure secure email software
- Get public keys for recipients
- Start sending secured messages
Tips to be secure
- Never click on a suspect e-mail.
- Never reply to a suspect email with personal information.
- Look for grammatical errors in the email.
- Contact your bank via telephone (get the telephone number from the website rather than the email you received) if you suspect fraud.
- Watch for small changes on your financial statements; fraudulent charges are kept small to avoid detection.
Questions?