Cscu module 09 securing email communications

Copyright © by EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

1

Securing Email Communications

Simplifying Security.

Module 9


2

Individuals who are concerned about data loss may be surprised to hear of the number of hacking attacks attempted on the Treasury.

Chancellor George Osborne revealed at the Google Zeitgeist conference on Monday (May 16th) that each month around 20,000 malicious emails are sent to UK government networks.

Furthermore, he noted: "During 2010, hostile intelligence agencies made hundreds of serious and pre‐planned attempts to break into the Treasury's computer system. In fact, it averaged out as more than one attempt per day."

As a result of these figures, Mr Osborne pointed out that the Treasury is one of the most targeted by data attacks across the whole of Whitehall.

Government is not the only area concerned about breaches though, with Square Enix recently confirming that a couple of websites it is associated with have been attacked.

Email Security: Malicious Messages 'A Problem For Govt. Too'

May 16, 2011

http://www.cryptzone.com


3

Module Objectives

Email System

Email Security

Email Security Threats

Spamming

Hoax/Chain and Scam Emails

Email Security Control Layers

Email Security Procedures

How to Obtain Digital Certificates?

Online Email Encryption Service

Email Security Tools

Email Security Checklist

Security Checklist for Checking Emails on Mobile


4

Module Flow

Introduction toEmail Security

EmailSecurity Threats

EmailSecurity Procedures

How to ObtainDigital Certificates?

EmailSecurity Tools


5

Email Threat Scenario 2011

Email Spam Intercepted Top 5 Geographies

Global Spam Rate (89.1%)

Italy

Denmark

Austria

France

Switzerland

93.5%

93.2%

92.0%

92.0%

91.5%

Email Virus Intercepted Top 5 Geographies

Global Virus Rate (1 in 284.2)

South Africa

UK

Spain

Oman

Switzerland

1 in 147.2

1 in 164.6

1 in 174.1

1 in 229.0

1 in 237.8

Email Phish Intercepted Top 5 Geographies

Global Phish Rate (1 in 444.5)

South Africa

UK

Oman

United Arab

Emirates

New Zealand

1 in 99.0

1 in 214.8

1 in 341.9

1 in 424.0

1 in 568.1


6

How Various Email Systems Work?

Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients

Companies such as Microsoft, Yahoo!, Google, and AOL offer free email accounts

Email accounts can be accessed from any web browser or a standalone email client such as Microsoft Outlook, Mozilla Thunderbird, etc.

Internet

Email Clients Email ClientsEmail Server Email ServerSender Receiver


7

Email Security

No email communication is 100% secure

Insecure emails allow attackers to intercept personal and sensitive information of the user

If not secured, emails sent/received can be forged or read by others

Emails are one of the sources of viruses and various malicious programs

It is necessary to secure emails to have safer communications and to protect privacy


8

Module Flow





EmailSecurity Tools


9

Email Security Threats

Phishing mails lure victims to provide personal data

Attachments may contain a virus, Trojan, worms, keylogger, etc., and opening such attachments

infects the computer

The user may receive spam mailsmay contain malware allowing attackers to take control of the user computer

The user may receive hoax emailsthat contain false information telling him/her to forward the mail

Mails may contain links that websites hosting malwares and pornographic material

Malicious Email Attachments

Malicious User Redirection

Hoax/Chain Mail

Phishing

Spamming


10

Malicious Email Attachments Email attachments are major email security threats as they offers attackers

easiest and most powerful ways to attack a PC

Most malicious attachments install a virus, Trojan, spyware or any other kind of malware code as soon as you open them


11

Email Attachments: Caution

Check if the email was ever received from the source

Save and scan all email attachments before opening them

Check if the subject line and name of the attachment are correlated

with each other

Check if the email is from one of your contacts

Never open an email attachmentfrom unreliable sources

Do not open attachments with suspicious or unknown file

extensionsExample: *.exe, *.vbs,*.bat,*.ini,

*.bin, *.com, *.pif, *.zzx


12

Spamming

Spamming is the use of email systems to send unsolicited bulk messages indiscriminately overloading the users’ inbox

Spam emails may contain malicious computer programs such as viruses and Trojans

According to Symantec, spam makes up 89.1 % of all email traffic

0 20 40 60%

3%

7%

8%

18%

27%

44%

Oceania

North America

Africa

South America

Asia

Europe

http://www.m86security.com

Spam Sources by Continent

Unsolicited bulk messages

Attacker User


13

Avoid opening spam messages (classified by spam filters)

Use the email client's spam filter and anti‐

spamming tools

Never follow the links in spam messages

Report suspicious email as spam

Do not use official email address while registering with any website

Use a different email address when posting messages to any public forum

Spamming Countermeasures


14

Anti-Spamming Tool: SPAMfighter

http://www.spamfighter.com

SPAMfighter protects all the email accounts on a PC against "phishing", identity theft, and other email frauds


15

Hoax/Chain and Scam Emails Hoaxes are email messages warning the

recipients of non‐existent threats

Users are also warned of adverse effects if they do not forward the email to others

A scam email asks for personal information such as bank account details, credit card numbers, password, etc.

The sender of scam mails may also ask the recipient to forward the email to everyone in his/her contact list

http://www.scamletters.com

http://diamond‐back.com


1616

Nigerian Scam

A Nigerian scam is a form of advance payment of money or money transfer

This scam is called a Nigerian scam because initially it started from Nigeria, but they can come in anywhere in the world

Using this scam, scammers contact you by sending an email and offer you a share in a large sum of money

They say they want to transfer money, which was trapped in banks during civil wars, to your account

They may also cite various reasons such as massive inheritance problems, government restrictions, or taxes in the scammer’s country

Scammers ask you to pay money or give them your bank account details to help them transfer the money

From: Mr. Wong DuSeoul, South Korea.

I will introduce myself I am Mr.Wong du a Banker working in a bank in south Korea Until now I am the account officer to most of the south Korea government accounts and I have since discovered that most of the account are dormant account with a lot of money in the account on further investigation I found out that one particular account belong to the former president of south Korean MR PARK CHUNG HEE, who ruled south Korean from 1963‐1979 and this particular account has a deposit of $48m with no next of kin.

My proposal is that since I am the account officer and the money or the account is dormant and there is no next of kin obviously the account owner the former president of South Korea has died long time ago, that you should provide an account for the money to be transferred.

The money that is floating in the bank right now is $48m and this is what I want to transfer to your account for our mutual benefit.Please if this is okay by you I will advice that you contact me through my direct email address.

Please this transaction should be kept confidential. For your assistance as the account owner we shall share the money on equal basis.

Your reply will be appreciated,

Thank you.

Wong Du

http://in.mail.yahoo.com/


17

Module Flow





EmailSecurity Tools


18

Email Security Control Layers

Sender

Receiver


19

Email Security Procedures

Create and use strong passwords

Use HTTPS for browser connection

Disable/unselect Keep Me Signed In/Remember Me functions

Scan email attachments for malware

Create junk email filter in email clients

Avoid unwanted emails using filters

Digitally sign your mail messages

Turn off the preview feature and change

download settings in email clients

Provide alternate email address for mail recovery

Check for last logging activity


20

Creating Strong PasswordsStrong passwords are difficult to crack or guess

A strong password can be created by using combinations of numbers (0‐9), letters in upper and lower case (a‐z and A‐Z), and special characters (!@#$% …)

Create a strong but easy to remember password and do not write it anywhere


21

Alternate Email AddressAn alternate email address is the additional email address required at signup for most of the free email services such as Gmail and Yahoo

It is used by service providers to verify the account creator’s identify

Alternate email addresses are used for password recovery in case you forgot the password


22

Keep Me Signed In/Remember Me

Most of the popular email clients have the Keep me signed in or Remember Me options

Checking these options allow the email client to fetch the email inbox of the user without him/her having to fill in the login details again

This allows other users to access the user’s email

Users should check that this option is not selected when accessing email from a public computer


23

Using HTTPS Web mails such as Gmail, Yahoomail, Hotmail, AOL Mail, etc. have an option for choosing the

communication protocol for browser connection

Change the Browser connection setting to receive email using HTTPS (HTTPSecure)


24

Check for Last Account ActivityAlways check the latest email account activity if the feature is available with the email service

Latest account activity includes information such as access type (browser, mobile, POP3, etc.), location (IP address), and date/time of account activities

To check account activity in Gmail, scroll to the bottom of the page and click Details

Immediately change your password and password hints if you observe any suspicious activity


25

Be cautious when opening any email attachment

Save all the attachments and scan them properly for malware using an antivirus before opening

Enable the antivirus to automatically scan all the emails and downloads

Scanning Email Attachments


26

Turn Off Preview Feature

Email clients have an option to show a preview of the email

Turn off this feature in email clients

Turning on this feature may execute script codewithout you explicitly opening the message

To turn off the preview feature in Microsoft Outlook:

Go to View menu and select Reading Pane

Click the Off option

To turn off the preview feature in Mozilla Thunderbird:

Go to View menu and select Layout

Uncheck the option Message Pane


27

Email Filtering: Avoiding Unwanted Emails Email filtering is the process of organizing emails according to a specified criteria

Email filters are generally used to identify and categorize spam mails

To avoid unwanted emails in Outlook 2010, go to the Delete group on the Home tab, click Junk and Junk E‐mail Options, On the Blocked Sender tab, click Add

Enter an email address or domain name, click OK


28

Module Flow





EmailSecurity Tools


29

Digitally Sign Your Emails

Thwate (http://www.thawte.com)

Example of Certification Authorities:

VeriSign (http://www.verisign.com) Comodo (http://www.comodo.com)

Entrust (http://www.entrust.com)

Digital signatures are used to authenticate the sender of a message or the signer of a document

They can also be used to ensure that the original content of the message is not changed

Users require an email certificate to digitally sign emails

You can obtain digital signatures from certification authorities


30

How to Obtain Digital Certificates?

Go to the Certificate Authorities website

Purchase and download a digital certificate

Some certificate authorities offer a free personal email security certificate such as Comodo

Provide personal details to download the certificate

Login to the email account that you have provided while downloading the certificate

Check your inbox for an installation link


31

Installing a Digital Certificate

Click on the installation link to install the digital certificate

In Internet Explorer go to Tools Internet Options Content tab

In the content tab, click Certificates button

Select the certificate and click the Export button

Click on Next

Check the Yes, export the private key option

Click on Next

Protect the private key by giving a passwordand confirming it

Specify the file you want to export and save it to a particular location


32

SigningYour Emails

Go to the Microsoft Outlook File Options

Click on Trust Center Trust Center Settings Email Security

Encrypt the mail by selecting the appropriate check boxes under the Encrypted e‐mail section

Click the Import/Export button

Browse to find the file to open and give the password and digital ID name

Click the OK button

Click New Mail to write a message

After clicking on the Send button, it will prompt to encrypt the message

Click the Send Unencrypted button (if the recipients do not have private key)

Click on the Continue button if the recipient have private key


33

SigningYour Emails


34

Choose the Automatic Download option from the Trust Center and select the options as shown in the figure

Microsoft Outlook Download Settings


35

Module Flow





EmailSecurity Tools


36

Online Email Encryption Service: Lockbin

Lockbin is a free service for sending private email messages

It is used for sending confidential information such as credit card details and business information

https://www.lockbin.com


37

Email Security Tools

Comodo AntiSpamhttp://www.comodoantispam.com

Netcraft Toolbar http://toolbar.netcraft.com

PhishTank SiteCheckerhttps://addons.mozilla.org

Mirramail Secure Email http://www.mirrasoft.com

Spamihilatorhttp://www.spamihilator.com

Encryptomatic MessageLockhttp://www.encryptomatic.com

McAfee SpamKillerhttp://us.mcafee.com

Comodo Email Certificatehttp://www.comodo.com


38

Module Summary

Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients

Attachments can contain malicious programs; opening such attachments can infect the computer

Spamming is the process of populating the user’s inbox with unsolicited or junk emails

Hoaxes are false alarms claiming reports about a nonexistent virus

Do not forget to delete browser cache, passwords, and history

Consider setting mobile phones to download only headers of emails, not the full email

Digital signatures are used to authenticate the sender of a message or the signer of a document

Email security tools protect passwords and automatically log off email accounts


39

Email Communication Checklist

DON’T CLOSE the browser without properly logging out

DON’T FORGET to delete browser cache, passwords, and history

DON’T SEND personal and financial information via email

DON’T USE just one email account for all purposes

DON’T TRUST the emails from your friends to be secure

DON’T DELETE spam instead of blacklisting it

DON’T FAIL to scan all email attachments and to enable the email spam filter

DON’T USE simple and easy‐to‐guess passwords


40


Enable https for secure communications/transactions

Be diligent while opening email attachments

Do not click on links provided in email messages

Create strong passwords for logging into mail accounts

Follow email etiquette when forwarding messages

Do not forward or reply to spam and suspicious emails; delete them

Avoid accessing email via unsecured public wireless connection

Avoid accessing the email accounts on shared computers and sending large attachments in emails


41

Never save your password on the web browser

Sort messages by priority, subject, date, sender, and other options (Helps in searching email)

Avoid sending confidential, sensitive, personal, and classified information in emails

Use Bcc: option when sending mail to bulk recipients

Clean your Inbox regularly

Create folders and move email accordingly (Family, Friends, Work, etc.)

Digitally sign your outgoing mails

Send attachments in PDF form rather than Word or Excel formats



42

Configure to check only attachment notifications, but not attachments

Do not open/send large attachments from mobile

Do not follow links sent in email or text messages

Consider setting mobile phones to download only headers of emails, not the full email

Install mobile antivirus and keep it up to date

Turn off Show Pictures in your Mobile Browser

To reduce the size of email, send them in plain text

Zip and send any important files

Security Checklist for Checking Emails on Mobile

Documents

Cscu module 09 securing email communications