
Analysis of Email security at NSU


Presentation Transcript


  1. Analysis of Email security at NSU Mike Powers CSIS 4900

  2. Analysis of email security at NSU (agenda)
     Traditional Email Protocols
     NSU Email Systems
     • Email Protocols used by Exchange
     • Protocol Security with TLS
     Analyze Cipher Suites
     • Available Cipher Suites
     • Insecure Cipher Suites
     • Controlling Usage
     Recommendations

  3. Traditional Email Protocols: SMTP
     • Original Protocol of Email
     • Simple & Efficient Design
     Weaknesses
     • No Authentication
     • Transmitted in Clear-text
     http://www.codeproject.com/Articles/399207/Understanding-the-Insides-of-the-SMTP-Mail-Protoco

  4. Traditional Email Protocols: POP
     • Original Protocol for Workstations to Access Email
     • Simple & Efficient Design
     Weaknesses
     • No Authentication
     • Transmitted in Clear-text
     http://www.codeproject.com/Articles/399207/Understanding-the-Insides-of-the-SMTP-Mail-Protoco

  5. Addition of Encryption: STARTTLS
     • Requires Server X.509 Certificate
     • Upgrades an existing connection to an encrypted connection
     • Enables existing protocols to be used; no changes needed
     • Protocol Independent (POP, IMAP, SMTP)
     http://www.codeproject.com/Articles/399207/Understanding-the-Insides-of-the-SMTP-Mail-Protoco

  6. Email Security with TLS: What do we need TLS to protect?
     • Authentication (Account Security, Impersonation)
     • Message Transfer (Sensitive Data, Compliance)

  7. Email Systems at NSU
     NSU began consolidating to one Email system, Microsoft Exchange, in 2012.

  8. Exchange client protocols: What protocols are open to clients in NSU’s Microsoft Exchange environment and are potentially at risk?
     • MAPI/RPC
     • Outlook Anywhere
     • Outlook Web App
     • ActiveSync
     • Exchange Web Services
     • IMAPS
     • SMTP

  9. Exchange client protocols
     • MAPI/RPC: Microsoft’s proprietary protocol for traditional communication between Outlook and Exchange.
     • Outlook Anywhere: The traditional MAPI/RPC protocol tunneled over HTTPS (originally called RPC-over-HTTP).
     • Outlook Web App: The browser-based email client for Microsoft Exchange.
     • ActiveSync: Exchange ActiveSync is a protocol utilized by mobile devices for Exchange synchronization.
     • Exchange Web Services: Exchange Web Services (EWS) is a web-based interface for clients to access Exchange. EWS is primarily used by Outlook for Mac and the Mac OS X Mail application.
     • IMAPS: The traditional IMAP protocol available through Exchange.
     • SMTP: The SMTP protocol is primarily available for third-party email clients and for relaying purposes.

  10. Exchange client protocols: Is it Encrypted?
     • MAPI/RPC – Available in Outlook 2003, Enabled by default in Outlook 2007+
     • Outlook Anywhere – Enabled by default when the internal and external service URLs are HTTPS addresses.
     • Outlook Web App – Enabled by default when the internal and external service URLs are HTTPS addresses.
     • ActiveSync – Enabled by default when the internal and external service URLs are HTTPS addresses.
     • Exchange Web Services – Enabled by default when the internal and external service URLs are HTTPS addresses.
     • IMAPS – IMAP authentication properties set to Require TLS.
     • SMTP – SMTP authentication properties set to Require TLS.

  11. Exchange client Security: Everything should be encrypted, great! How can we analyze our security further?
     • What Cipher Suites are used? What Cipher Suites are available?
     • Are insecure Cipher Suites available for clients to use?
     • How can we enable or disable certain Cipher Suites?

  12. Exchange client Security: Everything should be encrypted, great! How can we analyze our security?
     • What Cipher Suites are used? What Cipher Suites are available? Determined by the Operating System of the device.
     • Are insecure Cipher Suites available for clients to use? See Next Slide.
     • How can we enable or disable certain Cipher Suites? Can be set via Windows Registry & Security policies, both on the Server and Client side (on Windows PCs).

  13. Exchange client Security: What Cipher Suites are available?
     These are the cipher suites available in Windows OSes.

  14. Exchange client Security: What Cipher Suites are available on mobile devices?
     These are the cipher suites available in Android and iOS (columns: iOS 7, Android 4.3).

  15. Exchange client Security: Are there any ciphers that we know are considered insecure and should be disabled?
     • RC4
       • Latest vulnerability discovered by researchers in the University of London in March 2013. (http://www.isg.rhul.ac.uk/tls/)
       • Recommended to be disabled by Microsoft in November 2013 in Security Advisory 2868725. (http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx)
     • MD5
       • Many vulnerabilities found in the hash function. Advised in CERT Vulnerability Note VU#836068 to avoid using MD5 in any capacity. (http://www.kb.cert.org/vuls/id/836068)
     • NULL Ciphers
       • Offer no encryption, used only as a form of steganography or in testing.

  16. Exchange client Security: What Cipher suites can we disable?
     Highlighted are suites using RC4, MD5, or NULL ciphers.

  17. Exchange client Security: What Cipher suites can we disable?
     Listed are Cipher suites using RC4, MD5, or NULL ciphers on mobile devices.
     • Six Cipher Suites in both Android 4.3 and iOS 7
       • TLS_ECDHE_RSA_WITH_RC4_128_SHA
       • TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
       • TLS_ECDH_RSA_WITH_RC4_128_SHA
       • TLS_ECDH_ECDSA_WITH_RC4_128_SHA
       • TLS_RSA_WITH_RC4_128_SHA
       • TLS_RSA_WITH_RC4_128_MD5
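The slides flag suites by eye; the following is an added PowerShell example (not from the presentation) that parses IANA-style suite names into key exchange, bulk cipher and MAC, and reports which of the slide's criteria (RC4 or NULL cipher, MD5 MAC) each one trips. The list is constructed from slide 17 plus two extra names added for contrast; the function name Get-CipherSuiteWeakness is this example's own.

```powershell
# Added example, not part of the original presentation.
# Classifies cipher suite names by the weaknesses the slides call out.
# On Windows 10 / Server 2016 and later, the machine's live list can be fed
# in instead via (Get-TlsCipherSuite).Name.
$suitesFromSlide = @(
    'TLS_ECDHE_RSA_WITH_RC4_128_SHA',
    'TLS_ECDHE_ECDSA_WITH_RC4_128_SHA',
    'TLS_ECDH_RSA_WITH_RC4_128_SHA',
    'TLS_ECDH_ECDSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_NULL_SHA',                 # constructed extra: NULL cipher
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'  # constructed extra: not flagged
)

function Get-CipherSuiteWeakness {
    param([Parameter(Mandatory)][string]$Suite)
    # Name layout: TLS_<key exchange>_WITH_<bulk cipher>_<MAC or PRF hash>
    $m = [regex]::Match($Suite, '^TLS_(?<kex>.+)_WITH_(?<body>.+)_(?<mac>SHA\d*|MD5)$')
    if (-not $m.Success) { return 'unrecognised name format (review manually)' }
    $reasons = @()
    $body = $m.Groups['body'].Value
    if ($body -match '^RC4_')  { $reasons += 'RC4 stream cipher' }
    if ($body -eq 'NULL')      { $reasons += 'NULL cipher (no encryption)' }
    if ($m.Groups['mac'].Value -eq 'MD5') { $reasons += 'MD5 MAC' }
    if ($reasons.Count -eq 0) { return $null }   # nothing flagged by the slide's criteria
    return ($reasons -join '; ')
}

$suitesFromSlide | ForEach-Object {
    $why = Get-CipherSuiteWeakness -Suite $_
    [pscustomobject]@{ Suite = $_; Disable = [bool]$why; Reason = $why }
} | Format-Table -AutoSize
```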

  18. Enabling & Disabling specific cipher suites: How can we disable certain cipher suites at the server level?
     Can be accomplished via the Windows Registry
     • HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
     Can also be set by Group Policies

  19. Disabling specific cipher suites: Example of disabling RC4 completely in the Windows Registry
     • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
       "Enabled"=dword:00000000
     • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
       "Enabled"=dword:00000000
     • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
       "Enabled"=dword:00000000
     • http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
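The .reg fragment above applies the three RC4 keys by hand; this added PowerShell example (not from the presentation) does the same through the .NET registry API and then reads each key back to confirm it is disabled. It uses the .NET API rather than New-Item/Set-ItemProperty because the key names contain a forward slash, which the PowerShell registry provider treats as a path separator. It assumes an elevated session on the Exchange server, a registry backup beforehand, and a reboot for SCHANNEL to pick up the change; the function names Disable-SchannelCipher and Test-SchannelCipherDisabled are this example's own.

```powershell
# Added example, not part of the original presentation.
# Disables the RC4 ciphers named on slide 19 under SCHANNEL and verifies the result.
# Run elevated; SCHANNEL reads these keys at boot, so reboot afterwards.
$cipherRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Keys = @('RC4 128/128', 'RC4 40/128', 'RC4 56/128')

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string]$CipherName)
    # CreateSubKey opens the key writable, creating it if absent. The .NET API is used
    # because 'RC4 128/128' contains '/', which HKLM:\ paths would split into two keys.
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$cipherRoot\$CipherName")
    try {
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Test-SchannelCipherDisabled {
    param([Parameter(Mandatory)][string]$CipherName)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$cipherRoot\$CipherName")
    # No key at all means the cipher is still allowed by the OS default.
    if ($null -eq $key) { return $false }
    try {
        return ($key.GetValue('Enabled') -eq 0)
    } finally {
        $key.Close()
    }
}

foreach ($name in $rc4Keys) {
    Disable-SchannelCipher -CipherName $name
    $state = if (Test-SchannelCipherDisabled -CipherName $name) { 'disabled' } else { 'STILL ENABLED' }
    Write-Output ('{0,-12} : {1}' -f $name, $state)
}
```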

  20. Enabling & Disabling specific cipher suites: Is there any easier way to disable insecure Cipher suites?
     Microsoft has included a setting that will disable suites that are not FIPS-140 compliant in this security policy:
     • System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
     Some organizations may want more granular control by the specific suite, but this setting, which is disabled by default, would have disabled RC4 and MD5 already.

  21. Enabling only FIPS cipher suites
     Can be accomplished through Local Security Policy & Group Policies (see secpol.msc).

  22. Enabling & Disabling specific cipher suites: Windows Security Setting (see secpol.msc)
     System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
     “This security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider uses only the FIPS 140 approved cryptographic algorithms: 3DES and AES for encryption, RSA or ECC public key cryptography for the TLS key exchange and authentication, and only the Secure Hashing Algorithm (SHA1, SHA256, SHA384, and SHA512) for the TLS hashing requirements.”

  23. Analyzing Exchange Security: What did we learn?
     • All methods of communication can be encrypted with Exchange.
     • Security at both client and server level is handled by Operating System settings that are often never configured or analyzed.
     • Maintaining a secure environment may require that specific changes are implemented and re-implemented as vulnerabilities arise.

  24. Analyzing Exchange Security: Recommendations
     • Ensure all methods of communication require encryption at the Exchange connection properties.
     • Ensure that insecure ciphers are disabled at the server level, ensuring that clients cannot use them, whenever possible.
     • Explore enabling the FIPS-only setting on Exchange servers.
     • Cipher suites with RC4, MD5, and NULL ciphers should be able to be disabled immediately.

  25. Analysis of Email security at NSU Mike Powers CSIS 4900
