how to achieve rock solid e mail security l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
How to Achieve Rock-Solid E-mail Security PowerPoint Presentation
Download Presentation
How to Achieve Rock-Solid E-mail Security

Loading in 2 Seconds...

play fullscreen
1 / 35

How to Achieve Rock-Solid E-mail Security - PowerPoint PPT Presentation


  • 322 Views
  • Uploaded on

How to Achieve Rock-Solid E-mail Security Fred Avolio BAE Advanced Technologies, Inc. fred.avolio@baesystems.com Agenda The nature of the threat and reasons for successful attacks Simple and effective acceptable use policies E-mail firewalls

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'How to Achieve Rock-Solid E-mail Security' - paul


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
how to achieve rock solid e mail security

How to Achieve Rock-Solid E-mail Security

Fred Avolio

BAE Advanced Technologies, Inc.

fred.avolio@baesystems.com

agenda
Agenda
  • The nature of the threat and reasons for successful attacks
  • Simple and effective acceptable use policies
  • E-mail firewalls
  • The 5 easiest and most effective ways to protect your enterprise e-mail
e mail the killer app
E-mail, the “Killer App”
  • The #1 reason people, companies and agencies connect to the Internet
  • The #1 attack vector
    • E-mail is ubiquitous
    • E-mail is fast, convenient and easy (triple threat!)
    • Users believe what they read on a computer
the threats
The threats
  • Viruses/worms
  • Spam
  • DHA
  • Phishing
  • Data leakage
and of course users
And, of course, users

Idea, mine; Image, Bill Cheswick’s

e mail aup
E-mail AUP
  • Why do we require e-mail? (What business need?)
  • What will we allow? (i.e., that which meets the business requirements)
  • What are the threats?
  • Where are we vulnerable?
  • What is permitted?
  • What is denied?
obvious things
Obvious things
  • Act responsibly relative to
    • The law
    • Other enterprise policies
  • No “offensive” e-mail
  • No copyrighted, proprietary or sensitive
  • No running a side business
  • No chain letters
  • No expectation of privacy
  • Adhere to the antivirus policy
permitted
Permitted
  • Business communications
  • Limited personal communications (meeting the “No’s” on previous slide)
  • Use only enterprise-approved e-mail clients
  • Use only enterprise-approved configurations (only with permitted modifications)
acceptable use policies
Acceptable use policies
  • Are there for basic education
  • Remind people of good and evil
  • Are insufficient unless backed up by
    • Administrative procedures
    • Security enforcement devices
      • Firewalls
acceptable use policies 2
Acceptable use policies (2)
  • Examples
    • Must not distribute any disruptive or offensive messages, including offensive comments about …
    • May use a reasonable amount of resources for personal e-mails, but …
    • Must not distribute chain letters, jokes, virus warnings, mass mailings, any “forward to everyone you know who uses the Internet” kinds of messages

Suggested resource: http://www.sans.org/resources/policies/

e mail firewalls
E-mail firewalls
  • Can be standard firewall with e-mail-specific rules
  • Can be specialized devices (“application-specific” firewall)
  • Does what all firewalls do
    • Limit exposure
    • Enforce policy (permit and deny rules)

Disclaimer: I do not work for any product company.

standard firewall example
Standard firewall example*
  • WatchGuard Firebox
    • A hybrid firewall

*Other firewalls may or may not have these capabilities. Ask.

e mail firewall example
E-mail firewall example
  • Ciphertrust IronMail
    • E-mail-specific
    • E-mail gateway/server
    • Encrypted and signed e-mail
    • Anti-spam gateway
    • Anti-virus gateway
    • Content filter
    • Other features
five easy pieces
“Five easy pieces”
  • The 5 easiest and most effective ways to protect your enterprise e-mail

With a sanity check from my friends, Dave Piscitello (www.corecom.com) and Marcus Ranum (www.ranum.com) .

5 antivirus software
#5: Antivirus software
  • At the desktop
  • At an e-mail gateway or firewall
  • #1 attack vector for computer viruses is still e-mail
  • Desktop A/V — up-to-date and turned on to actively scan — is a very good deterrent
    • And “very good” is “good enough”
  • Is it the main deterrent?
    • No, that’s why it is not #1
4 use simple e mail clients
#4: Use simple e-mail clients
  • Security and complexity are inversely proportional*
  • Fancier, flashier features add complexity
  • Complexity leads to vulnerabilities

*http://www.avolio.com/papers/axioms.html

as simple as possible
As simple as possible
  • Don’t use Java, JavaScript or ActiveX when Plain HTML will do
  • Don’t use Plain HTML (or RTF) when, plain, unformatted, 7-bit ASCII text will do
  • Don’t use e-mail clients that automatically launch dangerous applications
  • All “helper” programs may be dangerous
    • Browsers
    • Picture viewers
    • Word
    • PDF viewer
    • Anything
stuck with outlook
Stuck with Outlook?
  • Turn off some features
    • Any that users do not really, really, really need
    • Disable and wait for complaints. Then selectively add.
  • Do not allow Outlook to auto-display HTML
  • Disable Java, JavaScript, ActiveX and VBS controls (Internet options)
  • See #1
3 use strong authentication
#3: Use strong authentication
  • To retrieve e-mail
  • To send e-mail
  • Use the strongest possible
    • “In the absence of other factors, always use the most secure options available.”*
  • Even reusable passwords are better than nothing
    • if the user does not cache the password and it is not trivially guessed
  • Automated e-mail sender/transfer robots will not work if the e-mail requires user intervention in order to get through the firewall

*Snyder’s Razor, Dr. Joel Snyder

2 trusted peering
#2: Trusted peering
  • E-mail clients configured to only talk to trusted e-mail servers
  • Enforce this with a firewall, any firewall
    • E-mail clients send (and receive) e-mail to (and from) the designated e-mail server or else they cannot “do e-mail”
    • Remember from earlier, security is without teeth if it is easily circumvented
1 strip off attachments
#1: Strip off attachments
  • Does your enterprise require .scr, .bat, .com, .exe, .dll …
  • Start with what it does need
  • Can you live with .rtf instead of .doc?
    • Don’t have to worry about macros
  • Disallow all except the ones you absolutely need
summary
Summary
  • Remember, the “5 Easy Pieces” are in backwards order. If you do nothing else, do #1, then add #2, etc.
  • E-mail is the #1 application and the #1 attack vector
  • Don’t forget policies
  • E-mail is (probably) required
  • E-mail threats can be contained
multifunction security gateways firewalls
Multifunction security gateways/firewalls
  • FortiGate, www.fortinet.com
  • Proventia, www.iss.net
  • DP Inspector, www.barbedwiretech.com
  • Firebox, www.watchguard.com
  • SidewinderG2, www.securecomputing.com
  • ServGate, www.servgate.com
  • Symantec Gateway Security, www.symantec.com

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss446_art914,00.html

e mail firewalls35
E-mail firewalls
  • MXtreme, www.borderware.com
  • MailGate, www.tumbleweed.com
  • MIMEsweeper, www.clearswift.com
  • IronMail, www.ciphertrust.com
  • MessageInspector, www.zixcorp.com

http://infosecuritymag.techtarget.com/2003/feb/gatewayguardians.shtml