CSCU Module 09 Securing Email Communications.pdf

8/19/2019 CSCU Module 09 Securing Email Communications.pdf

1/42

Copyright ©

by

EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.1

Securing Email Communications

Simplifying Security.

Module 9


2/42

Copyright ©

by

EC-Council


Individuals who are concerned about data loss may be surprised to hear of the number of

hacking attacks attempted on the Treasury.

Chancellor George Osborne revealed at the Google Zeitgeist conference on Monday (May

16th) that each month around 20,000 malicious emails are sent to UK government networks.

Furthermore, he noted: "During 2010, hostile intelligence agencies made hundreds of serious

and pre‐planned attempts to break into the Treasury's computer system. In fact, it averaged

out as more than one attempt per day."

As a result of these figures, Mr Osborne pointed out that the Treasury is one of the most

targeted by data attacks across the whole of Whitehall.

Government is not the only area concerned about breaches though, with Square Enix recently

confirming that a couple of websites it is associated with have been attacked.

Email Security: Malicious

Messages 'A Problem For Govt. Too'

May 16,

2011

http://www.cryptzone.com


3/42

Copyright ©

by

EC-Council


Module Objectives

Email System

Email Security

Email Security Threats

Spamming

Hoax/Chain and Scam Emails

Email Security Control Layers

Email Security Procedures

How to Obtain Digital Certificates?

Online Email

Encryption

Service

Email Security Tools

Email Security Checklist

Security Checklist

for

Checking

Emails

on Mobile


4/42

Copyright ©

by

EC-Council


Module Flow

Introduction to

Email Security

Email

Security Threats

Email

Security Procedures

How to Obtain

Digital Certificates?

Email

Security Tools


5/42

Copyright ©

by

EC-Council


Email Threat Scenario 2011Email Spam Intercepted

Top 5 Geographies

Global Spam Rate (89.1%)

Italy

Denmark

Austria

France

Switzerland

93.5%

93.2%

92.0%

92.0%

91.5%

Email Virus Intercepted

Top 5 Geographies

Global Virus Rate (1 in 284.2)

South Africa

UK

Spain

Oman

Switzerland

1 in 147.2

1 in 164.6

1 in 174.1

1 in 229.0

1 in 237.8

Email Phish Intercepted

Top 5 Geographies

Global Phish Rate (1 in 444.5)

South Africa

UK

Oman

United

Arab

Emirates

New Zealand

1 in 99.0

1 in 214.8

1 in 341.9

1 in 424.0

1 in 568.1


6/42

Copyright ©

by

EC-Council


How Various Email Systems Work?

Email (electronic mail) is a method of exchanging digital messages from a sender to one or

more recipients

Companies such as Microsoft, Yahoo!, Google, and AOL offer free email accounts

Email accounts

can

be

accessed

from

any

web

browser or

a standalone

email

client

such

as

Microsoft Outlook, Mozilla Thunderbird, etc.

Internet

Email Clients Email ClientsEmail Server Email ServerSender Receiver


7/42

Copyright ©

by

EC-Council


Email Security

No email communication is 100% secure

Insecure emails

allow

attackers

to

intercept

personal

and

sensitive information of the user

If not secured, emails sent/received can be forged or

read by others

Emails are one of the sources of viruses and various

malicious programs

It is

necessary

to

secure emails

to

have safer communications

and to protect privacy


8/42

Copyright ©

by

EC-Council


Module Flow

Introduction to

Email Security

Email

Security Threats

Email

Security Procedures

How to Obtain


Email

Security Tools


9/42

Copyright ©

by

EC-Council


Email Security Threats

Phishing mails lure victims to provide

personal data

Attachments may contain a virus, Trojan, worms,

keylogger, etc., and opening such attachments

infects

the

computer

The user may receive spam mails

may

contain

malware

allowing

attackers to take control of the

user computer

The user may receive hoax emails

that

contain

false

information

telling him/her to forward the

mail

Mails may contain links that

websites hosting malwares

and pornographic material

Malicious Email Attachments

Malicious User Redirection

Hoax/Chain Mail

Phishing

Spamming


10/42

Copyright ©

by

EC-Council


Malicious Email Attachments

Email attachments are major email security threats as they offers attackers

easiest and most powerful ways to attack a PC

Most malicious attachments install a virus, Trojan, spyware or any other kind of

malware code as soon as you open them


11/42

Copyright ©

by

EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited.

11

Email Attachments: Caution

Check if the email was ever

received from

the

source

Save and scan all email

attachments before opening them

Check

if

the

subject

line and

name

of the attachment are correlated

with each other

Check if the email is from one of

your contacts

Never

open

an

email

attachmentfrom unreliable sources

Do not open attachments with

suspicious or unknown file

extensions

Example: *.exe,

*.vbs,*.bat,*.ini,

*.bin, *.com, *.pif, *.zzx


12/42

Copyright ©

by

EC-Council


12

Spamming

Spamming is the use of email

systems to send unsolicited bulk

messages indiscriminately

overloading the

users’

inbox

Spam emails may contain malicious

computer programs such as viruses

and Trojans

According to Symantec, spam

makes up 89.1 % of all email traffic

0 20 40 60%

3%

7%

8%

18%

27%

44%

Oceania

North America

Africa

South America

Asia

Europe

http://www.m86security.com

Spam Sources by Continent

Unsolicited bulk messages

Attacker User


13/42

Copyright ©

by

EC-CouncilAll Rights Reserved. Reproduction is Strictly Prohibited.

13

Avoid opening spam messages

(classified by spam filters)

Use the email client's

spam filter and anti‐

spamming tools

Never follow the links in spam

messages

Report suspicious email as

spam

Do not use official

email address while

registering with

any

website

Use a different email address when

posting messages

to

any

public

forum

Spamming Countermeasures


14/42

Copyright ©

by


14

Anti-Spamming Tool: SPAMfighter

http://www.spamfighter.com

SPAMfighter protects all the email accounts on a PC against "phishing", identity theft,

and other email frauds


15/42

Copyright ©

by


15

Hoax/Chain and Scam Emails

Hoaxes are email messages warning the

recipients of non‐existent threats

Users are also warned of adverse effects

if they do not forward the email to others

A scam email asks for personal information

such as bank account details, credit card

numbers, password, etc.

The

sender

of

scam

mails

may

also

ask

the

recipient to forward the email to everyone in

his/her contact list

http://www.scamletters.com

http://diamond ‐back.com


16/42

Copyright

©

by


1616

Nigerian Scam

A Nigerian scam is a form of advance

payment of money or money transfer

This scam is called a Nigerian scam

because initially it started from Nigeria,

but they

can

come

in

anywhere

in

the

world

Using this scam, scammers contact you

by sending an email and offer you a

share in a large sum of money

They say they want to transfer money,

which was

trapped

in

banks

during

civil

wars, to your account

They may also cite various reasons such

as massive inheritance problems,

government restrictions, or taxes in the

scammer’s country

Scammers

ask

you

to

pay

money

or

give

them your bank account details to help

them transfer the money

From: Mr. Wong Du

Seoul, South

Korea.

I will introduce myself I am Mr.Wong du a Banker working in a bank in south Korea Until now I am

the account officer to most of the south Korea government accounts and I have since discovered

that most of the account are dormant account with a lot of money in the account on further

investigation I found out that one particular account belong to the former president of south Korean

MR PARK CHUNG HEE, who ruled south Korean from 1963‐1979 and this particular account has a

deposit of $48m with no next of kin.

My proposal is that since I am the account officer and the money or the account is dormant and

there is

no

next

of

kin

obviously

the

account

owner

the

former

president

of

South

Korea

has

died

long time ago, that you should provide an account for the money to be transferred.

The money that is floating in the bank right now is $48m and this is what I want to transfer to your

account for our mutual benefit.

Please if this is okay by you I will advice that you contact me through my direct email address.

Please this transaction should be kept confidential. For your assistance as the account owner we

shall share the money on equal basis.

Your reply will be appreciated,

Thank you.

Wong Du

http://in.mail.yahoo.com/


17/42

Copyright

©

by EC-Council


17

Module Flow

Introduction to

Email Security

Email

Security Threats

Email

Security Procedures

How to Obtain


Email

Security Tools


18/42

Copyright

©

by EC-Council


18

Email Security

Control Layers

Sender

Receiver


19/42

Copyright

©

by EC-Council


19

Email Security Procedures

Create and use strong

passwords

Use HTTPS for browser

connection

Disable/unselect Keep Me

Signed In/Remember

Me

functions

Scan email attachments

for malware

Create junk email filter

in email clients

Avoid unwanted emails

using filters

Digitally sign your mail

messages

Turn off the preview

feature and

change

download settings in

email clients

Provide alternate

email

address for mail

recovery

Check for last logging

activity


20/42

Copyright

©

by EC-Council


20

Creating Strong Passwords

Strong passwords are difficult to crack or guess

A strong password can be created by using combinations of numbers (0‐9), letters

in upper and lower case (a‐z and A‐Z), and special characters (!@#$% …)

Create a strong

but

easy

to

remember

password

and

do

not

write

it

anywhere


21/42

Copyright

©

by EC-Council


21

Alternate Email Address

An alternate email address is the additional email address required at signup for most of

the free email services such as Gmail and Yahoo

It is used by service providers to verify the account creator’s identify

Alternate email

addresses

are

used

for

password

recovery

in

case

you

forgot

the

password


22/42

Copyright

©

by EC-Council


22

Keep Me Signed In/Remember Me

Most of the popular email clients

have the Keep me signed in or

Remember Me options

Checking these options allow the

email client

to

fetch

the

email

inbox

of the user without him/her having

to fill in the login details again

This allows other users to access the

user’s email

Users should

check

that

this

option

is not selected when accessing

email from a public computer


23/42

Copyright © by EC-Council


23

Using HTTPS

Web mails such as Gmail, Yahoomail, Hotmail, AOL Mail, etc. have an option for choosing the

communication protocol for browser connection

Change the Browser connection setting to receive email using HTTPS (HTTPSecure)


24/42



24

Check for Last Account ActivityAlways check the latest email account activity

if the feature is available with the email

service

Latest account activity includes information

such as access type (browser, mobile, POP3,

etc.), location (IP

address),

and

date/time

of

account activities

To check account activity in Gmail, scroll to the

bottom of the page and click Details

Immediately change your password and

password hints if you observe any suspicious

activity


25/42



25

Be cautious when opening any email attachment

Save all the attachments and scan them properly for malware using an antivirus

before opening

Enable the antivirus to automatically scan all the emails and downloads

Scanning Email Attachments


26/42



26

Turn Off Preview Feature

Email clients have an option to show a preview of

the email

Turn off this feature in email clients

Turning on

this

feature

may

execute

script

code

without you explicitly opening the message

To turn off the preview feature in Microsoft

Outlook:

Go to View menu and select Reading Pane

Click the Off option

To turn off the preview feature in Mozilla

Thunderbird:

Go to View menu and select Layout

Uncheck the option Message Pane


27/42



27

Email Filtering: Avoiding Unwanted Emails

Email filtering

is

the

process

of

organizing

emails

according

to

a specified

criteria

Email filters are generally used to identify and categorize spam mails

To avoid unwanted emails in Outlook 2010, go to the Delete group on the Home tab,

click Junk and Junk E‐mail Options, On the Blocked Sender tab, click Add

Enter an email address or domain name, click OK


28/42



28

Module Flow

Introduction to

Email Security

Email

Security Threats

Email

Security Procedures

How to

Obtain


Email

Security Tools


29/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

29

Digitally Sign Your Emails

Thwate (http://www.thawte.com)

Example of Certification Authorities:

VeriSign (http://www.verisign.com) Comodo (http://www.comodo.com)

Entrust (http://www.entrust.com)

Digital signatures are used to authenticate the sender of a message or the signer

of a document

They can also be used to ensure that the original content of the message is not

changed

Users

require

an

email

certificate

to

digitally

sign

emails You can obtain digital signatures from certification authorities


30/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

30

How to Obtain Digital Certificates?

Go to the Certificate Authorities

website

Purchase and download a digital

certificate

Some certificate authorities offer a free

personal email security certificate such

as Comodo

Provide personal details to download

the certificate

Login to the email account that you

have provided while downloading the

certificate

Check your inbox for an installation

link


31/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

31

Installing a Digital Certificate

Click on the installation link to install the

digital certificate

In Internet Explorer go to Tools Internet

Options Content tab

In the content tab, click Certificates button

Select the certificate and click the Export

button

Click on Next

Check

the

Yes,

export

the

private

key optionClick on Next

Protect the private key by giving a password

and confirming it

Specify the file you want to export and save it

to a particular location


32/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

32

Signing Your Emails

Go to the Microsoft Outlook File Options

Click on Trust Center Trust Center Settings

Email Security

Encrypt the

mail

by

selecting

the

appropriate

check boxes under the Encrypted e‐mail section

Click the Import/Export button

Browse to find the file to open and give the

password and digital ID name

Click the OK button

Click New

Mail to

write

a message

After clicking on the Send button, it will prompt

to encrypt the message

Click the Send Unencrypted button (if the

recipients do not have private key)

Click on the Continue button if the recipient

have private

key


34/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

34

Choose the Automatic Download option from the Trust Center and select the options

as shown in the figure

Microsoft Outlook Download Settings


35/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

35

Module Flow

Introduction to

Email Security

Email

Security Threats

Email

Security Procedures

How to

Obtain

Digital Certificates?Email

Security Tools


36/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

36

Online Email Encryption Service: Lockbin

Lockbin is a free service for sending private email messages

It is used for sending confidential information such as credit card details and business information

https://www.lockbin.com


37/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

37

Email Security Tools

Comodo AntiSpamhttp://www.comodoantispam.com

Netcraft Toolbar http://toolbar.netcraft.com

PhishTank SiteCheckerhttps://addons.mozilla.org

Mirramail Secure Email

http://www.mirrasoft.com

Spamihilatorhttp://www.spamihilator.com

Encryptomatic MessageLockhttp://www.encryptomatic.com

McAfee SpamKillerhttp://us.mcafee.com

Comodo Email Certificatehttp://www.comodo.com


38/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

38

Module Summary

Email (electronic mail) is a method of exchanging digital messages from a sender to

one or more recipients

Attachments can

contain

malicious

programs;

opening

such

attachments

can

infect

the computer

Spamming is the process of populating the user’s inbox with unsolicited or junk emails

Hoaxes are false alarms claiming reports about a nonexistent virus

Do

not

forget

to

delete

browser

cache,

passwords,

and

history Consider setting mobile phones to download only headers of emails, not the full email

Digital signatures are used to authenticate the sender of a message or the signer of a

document

Email security tools protect passwords and automatically log off email accounts


39/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

39

Email Communication Checklist

DON’T CLOSE the browser without properly logging out

DON’T FORGET to delete browser cache, passwords, and history

DON’T SEND personal and financial information via email

DON’T USE just one email account for all purposes

DON’T TRUST the emails from your friends to be secure

DON’T DELETE spam instead of blacklisting it

DON’T FAIL to scan all email attachments and to enable the email

spam filter

DON’T USE simple and easy‐to‐guess passwords


40/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

40


Enable https for secure communications/transactions

Be diligent while opening email attachments

Do not click on links provided in email messages

Create strong passwords for logging into mail accounts

Follow email etiquette when forwarding messages

Do not forward or reply to spam and suspicious emails; delete them

Avoid accessing email via unsecured public wireless connection

Avoid accessing

the

email

accounts

on

shared computers

and

sending

large attachments in emails


41/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

41

Never save your password on the web browser

Sort messages

by

priority,

subject,

date,

sender,

and

other

options

(Helps in searching email)

Avoid sending confidential, sensitive, personal, and classified

information in emails

Use Bcc: option when sending mail to bulk recipients

Clean your Inbox regularly

Create folders and move email accordingly (Family, Friends, Work, etc.)

Digitally sign your outgoing mails

Send attachments in PDF form rather than Word or Excel formats



42/42


All Rights

Reserved.

Reproduction

is

Strictly

Prohibited.

42

Configure to check only attachment notifications, but not

attachments

Do not open/send large attachments from mobile

Do not follow links sent in email or text messages

Consider setting mobile phones to download only headers of emails,

not the full email

Install mobile antivirus and keep it up to date

Turn off Show Pictures in your Mobile Browser

To reduce the size of email, send them in plain text

Zip and send any important files

Security Checklist for Checking Emails on Mobile

Documents

CSCU Module 09 Securing Email Communications.pdf