CSCU Module 09: Securing Email Communications


  • Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

    Slide 1: Securing Email Communications

    Simplifying Security.

    Module 9

  • Slide 2: Email Security: Malicious Messages 'A Problem For Govt. Too'

    Individuals who are concerned about data loss may be surprised to hear of the number of hacking attacks attempted on the Treasury. Chancellor George Osborne revealed at the Google Zeitgeist conference on Monday (May 16th) that each month around 20,000 malicious emails are sent to UK government networks. Furthermore, he noted: "During 2010, hostile intelligence agencies made hundreds of serious and preplanned attempts to break into the Treasury's computer system. In fact, it averaged out as more than one attempt per day." As a result of these figures, Mr Osborne pointed out that the Treasury is one of the most targeted by data attacks across the whole of Whitehall. Government is not the only area concerned about breaches though, with Square Enix recently confirming that a couple of websites it is associated with have been attacked.

    May 16, 2011

    http://www.cryptzone.com

  • Slide 3: Module Objectives

    Email System
    Email Security
    Email Security Threats
    Spamming
    Hoax/Chain and Scam Emails
    Email Security Control Layers
    Email Security Procedures
    How to Obtain Digital Certificates?
    Online Email Encryption Service
    Email Security Tools
    Email Security Checklist
    Security Checklist for Checking Emails on Mobile

  • Slide 4: Module Flow

    Introduction to Email Security
    Email Security Threats
    Email Security Procedures
    How to Obtain Digital Certificates?
    Email Security Tools

  • Slide 5: Email Threat Scenario 2011

    Email Spam Intercepted, Top 5 Geographies (Global Spam Rate: 89.1%)
      Italy         93.5%
      Denmark       93.2%
      Austria       92.0%
      France        92.0%
      Switzerland   91.5%

    Email Virus Intercepted, Top 5 Geographies (Global Virus Rate: 1 in 284.2)
      South Africa  1 in 147.2
      UK            1 in 164.6
      Spain         1 in 174.1
      Oman          1 in 229.0
      Switzerland   1 in 237.8

    Email Phish Intercepted, Top 5 Geographies (Global Phish Rate: 1 in 444.5)
      South Africa          1 in 99.0
      UK                    1 in 214.8
      Oman                  1 in 341.9
      United Arab Emirates  1 in 424.0
      New Zealand           1 in 568.1

  • Slide 6: How Various Email Systems Work?

    Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients. Companies such as Microsoft, Yahoo!, Google, and AOL offer free email accounts. Email accounts can be accessed from any web browser or a standalone email client such as Microsoft Outlook, Mozilla Thunderbird, etc.

    [Diagram: Sender -> Email Client -> Email Server -> Internet -> Email Server -> Email Client -> Receiver]

  • Slide 7: Email Security

    No email communication is 100% secure
    Insecure emails allow attackers to intercept personal and sensitive information of the user
    If not secured, emails sent/received can be forged or read by others
    Emails are one of the sources of viruses and various malicious programs
    It is necessary to secure emails to have safer communications and to protect privacy

  • Slide 8: Module Flow

    Introduction to Email Security
    Email Security Threats
    Email Security Procedures
    How to Obtain Digital Certificates?
    Email Security Tools

  • Slide 9: Email Security Threats

    Phishing: phishing mails lure victims into providing personal data
    Malicious Email Attachments: attachments may contain a virus, Trojan, worm, keylogger, etc., and opening such attachments infects the computer
    Spamming: the user may receive spam mails that may contain malware allowing attackers to take control of the user's computer
    Hoax/Chain Mail: the user may receive hoax emails that contain false information telling him/her to forward the mail
    Malicious User Redirection: mails may contain links to websites hosting malware and pornographic material

  • Slide 10: Malicious Email Attachments

    Email attachments are major email security threats as they offer attackers the easiest and most powerful ways to attack a PC
    Most malicious attachments install a virus, Trojan, spyware or any other kind of malware code as soon as you open them

  • Slide 11: Email Attachments: Caution

    Check if the email was ever received from the source
    Save and scan all email attachments before opening them
    Check if the subject line and name of the attachment are correlated with each other
    Check if the email is from one of your contacts
    Never open an email attachment from unreliable sources
    Do not open attachments with suspicious or unknown file extensions. Example: *.exe, *.vbs, *.bat, *.ini, *.bin, *.com, *.pif, *.zzx
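As an added example (not part of the EC-Council module), the Go program below applies this slide's extension rule to a real MIME message: it parses the message with the standard library, walks the attachments and flags any whose final extension is on the slide's list, which also catches double extensions such as invoice.pdf.exe. The sample message, its addresses and the attachment bytes are constructed for the demo.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"path"
	"strings"
)

// Extensions the slide lists as suspicious or unknown (".zzx" kept as printed).
var riskyExt = map[string]bool{
	".exe": true, ".vbs": true, ".bat": true, ".ini": true,
	".bin": true, ".com": true, ".pif": true, ".zzx": true,
}

// RiskyAttachments parses a raw message and returns the attachment names whose
// final extension is on the list ("invoice.pdf.exe" runs as an .exe regardless).
func RiskyAttachments(raw string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, nil // single-part message: nothing is attached
	}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	var flagged []string
	for {
		part, err := mr.NextPart()
		if err == io.EOF {
			return flagged, nil
		} else if err != nil {
			return nil, err
		}
		name := part.FileName() // from Content-Disposition; "" for inline parts
		if name != "" && riskyExt[strings.ToLower(path.Ext(name))] {
			flagged = append(flagged, name)
		}
	}
}

// SampleMessage is a constructed message with one risky and one benign attachment.
func SampleMessage() string {
	return strings.Join([]string{
		`From: "Accounts" <billing@example.invalid>`,
		`Subject: Invoice 4471`,
		`Content-Type: multipart/mixed; boundary="b1"`,
		``, `--b1`, `Content-Type: text/plain`, ``, `See attached.`,
		`--b1`, `Content-Disposition: attachment; filename="invoice.pdf.exe"`,
		``, `ZmFrZSBjb250ZW50`, // placeholder bytes, not a real executable
		`--b1`, `Content-Disposition: attachment; filename="report.pdf"`,
		``, `ZmFrZSBjb250ZW50`, `--b1--`, ``,
	}, "\r\n")
}

func main() { fmt.Println(RiskyAttachments(SampleMessage())) }
```

The check is a first filter only; the slide's other steps (save, scan with an antivirus, confirm the sender) still apply to attachments it does not flag.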

  • Slide 12: Spamming

    Spamming is the use of email systems to send unsolicited bulk messages indiscriminately, overloading the user's inbox
    Spam emails may contain malicious computer programs such as viruses and Trojans
    According to Symantec, spam makes up 89.1% of all email traffic

    [Chart: Spam Sources by Continent (source: http://www.m86security.com); the continents shown are Oceania, North America, Africa, South America, Asia and Europe, with bars of 3%, 7%, 8%, 18%, 27% and 44%]

    [Diagram: Attacker sends unsolicited bulk messages to User]

  • Slide 13: Spamming Countermeasures

    Avoid opening spam messages (classified by spam filters)
    Use the email client's spam filter and anti-spamming tools
    Never follow the links in spam messages
    Report suspicious email as spam
    Do not use your official email address while registering with any website
    Use a different email address when posting messages to any public forum

  • Slide 14: Anti-Spamming Tool: SPAMfighter

    SPAMfighter protects all the email accounts on a PC against "phishing", identity theft, and other email frauds

    http://www.spamfighter.com

  • Slide 15: Hoax/Chain and Scam Emails

    Hoaxes are email messages warning the recipients of nonexistent threats
    Users are also warned of adverse effects if they do not forward the email to others
    A scam email asks for personal information such as bank account details, credit card numbers, password, etc.
    The sender of scam mails may also ask the recipient to forward the email to everyone in his/her contact list

    http://www.scamletters.com
    http://diamondback.com

  • Slide 16: Nigerian Scam

    A Nigerian scam is a form of advance payment of money or money transfer
    This scam is called a Nigerian scam because initially it started from Nigeria, but they can come in from anywhere in the world
    Using this scam, scammers contact you by sending an email and offer you a share in a large sum of money
    They say they want to transfer money, which was trapped in banks during civil wars, to your account
    They may also cite various reasons such as massive inheritance problems, government restrictions, or taxes in the scammer's country
    Scammers ask you to pay money or give them your bank account details to help them transfer the money

    Sample scam email:
    From: Mr. Wong Du, Seoul, South Korea. I will introduce myself. I am Mr. Wong Du, a Banker working in a bank in South Korea. Until now I am the account officer to most of the South Korea government accounts and I have since discovered that most of the account are dormant account with a lot of money in the account. On further investigation I found out that one particular account belong to the former president of South Korean MR PARK CHUNG HEE, who ruled South Korean from 1963-1979 and this particular account has a deposit of $48m with no next of kin. My proposal is that since I am the account officer and the money or the account is dormant and there is no next of kin, obviously the account owner the former president of South Korea has died long time ago, that you should provide an account for the money to be transferred. The money that is floating in the bank right now is $48m and this is what I want to transfer to your account for our mutual benefit. Please if this is okay by you I will advice that you contact me through my direct email address. Please this transaction should be kept confidential. For your assistance as the account owner we shall share the money on equal basis. Your reply will be appreciated, Thank you. Wong Du

    http://in.mail.yahoo.com/

  • Slide 17: Module Flow

    Introduction to Email Security
    Email Security Threats
    Email Security Procedures
    How to Obtain Digital Certificates?
    Email Security Tools

  • Slide 18: Email Security Control Layers

    [Diagram: security control layers between Sender and Receiver]

  • Slide 19: Email Security Procedures

    Create and use strong passwords
    Use HTTPS for browser connection
    Disable/unselect Keep Me Signed In/Remember Me functions
    Scan email attachments for malware
    Create a junk email filter in email clients
    Avoid unwanted emails using filters
    Digitally sign your mail messages
    Turn off the preview feature and change download settings in email clients
    Provide an alternate email address for mail recovery
    Check for last login activity

  • Slide 20: Creating Strong Passwords

    Strong passwords are difficult to crack or guess
    A strong password can be created by using combinations of numbers (0-9), letters in upper and lower case (a-z and A-Z), and special characters (such as @#$%)
    Create a strong but easy-to-remember password and do not write it down anywhere

  • Slide 21: Alternate Email Address

    An alternate email address is the additional email address required at signup for most of the free email services such as Gmail and Yahoo
    It is used by service providers to verify the account creator's identity
    Alternate email addresses are used for password recovery in case you forget the password

  • Slide 22: Keep Me Signed In/Remember Me

    Most of the popular email clients have the Keep Me Signed In or Remember Me options
    Checking these options allows the email client to fetch the email inbox of the user without him/her having to fill in the login details again
    This allows other users to access the user's email
    Users should check that this option is not selected when accessing email from a public computer

  • Slide 23: Using HTTPS

    Webmails such as Gmail, Yahoo Mail, Hotmail, AOL Mail, etc. have an option for choosing the communication protocol for browser connection
    Change the browser connection setting to receive email using HTTPS (HTTP Secure)

  • Slide 24: Check for Last Account Activity

    Always check the latest email account activity if the feature is available with the email service
    Latest account activity includes information such as access type (browser, mobile, POP3, etc.), location (IP address), and date/time of account activities
    To check account activity in Gmail, scroll to the bottom of the page and click Details
    Immediately change your password and password hints if you observe any suspicious activity

  • Slide 25: Scanning Email Attachments

    Be cautious when opening any email attachment
    Save all the attachments and scan them properly for malware using an antivirus before opening
    Enable the antivirus to automatically scan all the emails and downloads

  • Slide 26: Turn Off Preview Feature

    Email clients have an option to show a preview of the email
    Turn off this feature in email clients
    Turning on this feature may execute script code without you explicitly opening the message

    To turn off the preview feature in Microsoft Outlook: go to the View menu, select Reading Pane, and click the Off option
    To turn off the preview feature in Mozilla Thunderbird: go to the View menu, select Layout, and uncheck the option Message Pane

  • Slide 27: Email Filtering: Avoiding Unwanted Emails

    Email filtering is the process of organizing emails according to specified criteria
    Email filters are generally used to identify and categorize spam mails
    To avoid unwanted emails in Outlook 2010, go to the Delete group on the Home tab, click Junk and then Junk Email Options. On the Blocked Senders tab, click Add, enter an email address or domain name, and click OK

  • Slide 28: Module Flow

    Introduction to Email Security
    Email Security Threats
    Email Security Procedures
    How to Obtain Digital Certificates?
    Email Security Tools

  • Slide 29: Digitally Sign Your Emails

    Digital signatures are used to authenticate the sender of a message or the signer of a document
    They can also be used to ensure that the original content of the message is not changed
    Users require an email certificate to digitally sign emails
    You can obtain digital signatures from certification authorities

    Examples of Certification Authorities:
    VeriSign (http://www.verisign.com)
    Comodo (http://www.comodo.com)
    Thawte (http://www.thawte.com)
    Entrust (http://www.entrust.com)
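As an added illustration (not from the EC-Council slides) of the two guarantees named above, the Go program below signs a message body with an ed25519 key pair and then verifies the genuine mail, a tampered copy and a forgery signed by a different key. An S/MIME client uses the RSA or ECDSA key from the certificate obtained on the following slides and wraps the result in a CMS structure, and the certification authority's job is to bind the public key to the sender's address; that binding is assumed here by handing Verify the right key directly. Function and type names are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail is a message body together with the sender's signature over it.
type SignedMail struct {
	Body      []byte
	Signature []byte
}

// Sign is the sender-side step: the mail client signs the exact bytes of the
// body with the private key (the one the later slides export and protect).
func Sign(priv ed25519.PrivateKey, body []byte) SignedMail {
	return SignedMail{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify is the recipient-side step. It succeeds only if the private key
// matching pub signed exactly this body, which gives both checks the slide
// names: the sender is authenticated and the content is unchanged.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, m.Body, m.Signature)
}

// Demo runs the three cases a recipient can meet: the genuine mail, the same
// mail with its body altered in transit, and a mail signed by someone else
// who claims to be the sender. Only the first must verify.
func Demo() (genuine, tampered, impostor bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	msg := Sign(priv, []byte("Please pay invoice 4471 to account 1234")) // constructed body
	genuine = Verify(pub, msg)

	altered := SignedMail{Body: []byte("Please pay invoice 4471 to account 9999"), Signature: msg.Signature}
	tampered = Verify(pub, altered) // fails: the signed bytes changed

	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forged := Sign(otherPriv, msg.Body)
	impostor = Verify(pub, forged) // fails: pub is not the forger's key
	return
}

func main() {
	genuine, tampered, impostor, err := Demo()
	fmt.Printf("genuine=%v tampered=%v impostor=%v err=%v\n", genuine, tampered, impostor, err)
}
```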

  • Slide 30: How to Obtain Digital Certificates?

    Go to the Certificate Authority's website
    Purchase and download a digital certificate
    Some certificate authorities, such as Comodo, offer a free personal email security certificate
    Provide personal details to download the certificate
    Log in to the email account that you have provided while downloading the certificate
    Check your inbox for an installation link

  • Slide 31: Installing a Digital Certificate

    Click on the installation link to install the digital certificate
    In Internet Explorer, go to Tools > Internet Options > Content tab. In the Content tab, click the Certificates button
    Select the certificate and click the Export button
    Click on Next
    Check the "Yes, export the private key" option
    Click on Next
    Protect the private key by giving a password and confirming it
    Specify the file you want to export and save it to a particular location

  • Slide 32: Signing Your Emails

    In Microsoft Outlook, go to File > Options, click on Trust Center > Trust Center Settings > Email Security, and encrypt the mail by selecting the appropriate checkboxes under the Encrypted email section
    Click the Import/Export button
    Browse to find the file to open and give the password and digital ID name
    Click the OK button
    Click New Mail to write a message
    After clicking on the Send button, it will prompt to encrypt the message
    Click the Send Unencrypted button (if the recipients do not have a private key)
    Click on the Continue button if the recipient has a private key

  • Slide 33: Signing Your Emails

    [Figure only]

  • Slide 34: Microsoft Outlook Download Settings

    Choose the Automatic Download option from the Trust Center and select the options as shown in the figure

  • Slide 35: Module Flow

    Introduction to Email Security
    Email Security Threats
    Email Security Procedures
    How to Obtain Digital Certificates?
    Email Security Tools

  • Slide 36: Online Email Encryption Service: Lockbin

    Lockbin is a free service for sending private email messages
    It is used for sending confidential information such as credit card details and business information

    https://www.lockbin.com

  • Slide 37: Email Security Tools

    Comodo AntiSpam: http://www.comodoantispam.com
    Netcraft Toolbar: http://toolbar.netcraft.com
    PhishTank SiteChecker: https://addons.mozilla.org
    Mirramail Secure Email: http://www.mirrasoft.com
    Spamihilator: http://www.spamihilator.com
    Encryptomatic MessageLock: http://www.encryptomatic.com
    McAfee SpamKiller: http://us.mcafee.com
    Comodo Email Certificate: http://www.comodo.com

  • Slide 38: Module Summary

    Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients
    Attachments can contain malicious programs; opening such attachments can infect the computer
    Spamming is the process of populating the user's inbox with unsolicited or junk emails
    Hoaxes are false alarms claiming reports about a nonexistent virus
    Do not forget to delete browser cache, passwords, and history
    Consider setting mobile phones to download only headers of emails, not the full email
    Digital signatures are used to authenticate the sender of a message or the signer of a document
    Email security tools protect passwords and automatically log off email accounts

  • Slide 39: Email Communication Checklist

    DON'T CLOSE the browser without properly logging out
    DON'T FORGET to delete browser cache, passwords, and history
    DON'T SEND personal and financial information via email
    DON'T USE just one email account for all purposes
    DON'T TRUST the emails from your friends to be secure
    DON'T DELETE spam instead of blacklisting it
    DON'T FAIL to scan all email attachments and to enable the email spam filter
    DON'T USE simple and easy-to-guess passwords

  • Slide 40: Email Security Checklist

    Enable HTTPS for secure communications/transactions
    Be diligent while opening email attachments
    Do not click on links provided in email messages
    Create strong passwords for logging into mail accounts
    Follow email etiquette when forwarding messages
    Do not forward or reply to spam and suspicious emails; delete them
    Avoid accessing email via unsecured public wireless connections
    Avoid accessing email accounts on shared computers and sending large attachments in emails

  • Slide 41: Email Security Checklist (continued)

    Never save your password in the web browser
    Sort messages by priority, subject, date, sender, and other options (helps in searching email)
    Avoid sending confidential, sensitive, personal, and classified information in emails
    Use the Bcc: option when sending mail to bulk recipients
    Clean your Inbox regularly
    Create folders and move email accordingly (Family, Friends, Work, etc.)
    Digitally sign your outgoing mails
    Send attachments in PDF form rather than Word or Excel formats

  • Slide 42: Security Checklist for Checking Emails on Mobile

    Configure to check only attachment notifications, but not attachments
    Do not open/send large attachments from mobile
    Do not follow links sent in email or text messages
    Consider setting mobile phones to download only headers of emails, not the full email
    Install mobile antivirus and keep it up to date
    Turn off Show Pictures in your mobile browser
    To reduce the size of email, send them in plain text
    Zip and send any important files