8/19/2019 CSCU Module 09 Securing Email Communications.pdf
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Module 9: Securing Email Communications
Simplifying Security.
Individuals who are concerned about data loss may be surprised to hear of the number of
hacking attacks attempted on the Treasury.
Chancellor George Osborne revealed at the Google Zeitgeist conference on Monday (May
16th) that each month around 20,000 malicious emails are sent to UK government networks.
Furthermore, he noted: "During 2010, hostile intelligence agencies made hundreds of serious
and pre‐planned attempts to break into the Treasury's computer system. In fact, it averaged
out as more than one attempt per day."
As a result of these figures, Mr Osborne pointed out that the Treasury is one of the most
targeted by data attacks across the whole of Whitehall.
Government is not the only area concerned about breaches though, with Square Enix recently
confirming that a couple of websites it is associated with have been attacked.
Source: "Email Security: Malicious Messages 'A Problem For Govt. Too'", May 16, 2011, http://www.cryptzone.com
Module Objectives
Email System
Email Security
Email Security Threats
Spamming
Hoax/Chain and Scam Emails
Email Security Control Layers
Email Security Procedures
How to Obtain Digital Certificates?
Online Email Encryption Service
Email Security Tools
Email Security Checklist
Security Checklist for Checking Emails on Mobile
Module Flow
Introduction to Email Security
Security Threats
Security Procedures
How to Obtain Digital Certificates?
Security Tools
Email Threat Scenario 2011

Email Spam Intercepted, Top 5 Geographies (Global Spam Rate: 89.1%)
Italy          93.5%
Denmark        93.2%
Austria        92.0%
France         92.0%
Switzerland    91.5%

Email Virus Intercepted, Top 5 Geographies (Global Virus Rate: 1 in 284.2)
South Africa   1 in 147.2
UK             1 in 164.6
Spain          1 in 174.1
Oman           1 in 229.0
Switzerland    1 in 237.8

Email Phish Intercepted, Top 5 Geographies (Global Phish Rate: 1 in 444.5)
South Africa           1 in 99.0
UK                     1 in 214.8
Oman                   1 in 341.9
United Arab Emirates   1 in 424.0
New Zealand            1 in 568.1
How Do Various Email Systems Work?
Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients
Companies such as Microsoft, Yahoo!, Google, and AOL offer free email accounts
Email accounts can be accessed from any web browser or from a standalone client such as Microsoft Outlook, Mozilla Thunderbird, etc.
Figure: message path from the Sender's Email Client to its Email Server, across the Internet to the Receiver's Email Server and Email Client
Email Security
No email communication is 100% secure
Insecure emails allow attackers to intercept personal and sensitive information of the user
If not secured, emails sent/received can be forged or read by others
Emails are one of the sources of viruses and various malicious programs
It is necessary to secure emails to have safer communications and to protect privacy
Email Security Threats
Phishing: Phishing mails lure victims into providing personal data
Malicious Email Attachments: Attachments may contain a virus, Trojan, worm, keylogger, etc., and opening such attachments infects the computer
Spamming: The user may receive spam mails that may contain malware, allowing attackers to take control of the user's computer
Hoax/Chain Mail: The user may receive hoax emails that contain false information telling him/her to forward the
Malicious User Redirection: Mails may contain links that redirect users to websites hosting malware and pornographic material
Malicious Email Attachments
Email attachments are a major email security threat, as they offer attackers one of the easiest and most powerful ways to attack a PC
Most malicious attachments install a virus, Trojan, spyware, or other kind of malware as soon as you open them
Email Attachments: Caution
Check whether you have previously received email from this source
Check if the email is from one of your contacts
Check if the subject line and the name of the attachment are correlated with each other
Save and scan all email attachments before opening them
Never open an attachment from unreliable sources
Do not open attachments with suspicious or unknown file extensions
Example: *.exe, *.vbs, *.bat, *.ini, *.bin, *.com, *.pif, *.zzx
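An added example (not from the EC-Council module) that applies the checks above to a raw message with Python's standard-library email parser: it flags the listed extensions, the double-extension disguise such as name.pdf.exe, an attachment whose name has nothing in common with the subject line, and a sender who is not a known contact. The sample message, the two extension sets and the helper names are constructed for this illustration.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Extensions the slide lists as suspicious, and the extensions a benign document
# attachment normally carries (both are assumptions: extend them to your own policy).
RISKY_EXTENSIONS = {".exe", ".vbs", ".bat", ".ini", ".bin", ".com", ".pif", ".zzx"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def classify_attachment(filename):
    """Return the reasons an attachment name looks suspicious (empty list if none)."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if not ext:
        reasons.append("no file extension")
    elif ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    # Double extension such as invoice.pdf.exe: the part before the real
    # extension itself ends in a document extension, a classic disguise.
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append(f"disguised as {inner_ext} but really {ext}")
    return reasons

def subject_correlates(subject, filename):
    """True if a word of four or more letters from the subject also appears in the file name."""
    words = re.findall(r"[a-z]{4,}", subject.lower())
    return any(w in filename.lower() for w in words)

def check_message(raw, contacts):
    """Apply the slide's checks to a raw RFC 5322 message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    known = sender.lower() in {c.lower() for c in contacts}
    attachments = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"   # no name -> "no file extension" below
        reasons = classify_attachment(name)
        if not subject_correlates(msg.get("Subject", ""), name):
            reasons.append("name unrelated to subject line")
        attachments[name] = reasons
    return {
        "sender": sender,
        "known_contact": known,
        "attachments": attachments,
        "safe_to_open": known and not any(attachments.values()),
    }

# Constructed sample (not a real capture): a disguised executable plus an ordinary
# PDF; the part bodies are placeholder text, not real file contents.
SAMPLE_MESSAGE = """\
From: Accounts <billing@example.net>
To: user@example.org
Subject: Your invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice.pdf.exe"

placeholder
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="terms.pdf"

placeholder
--b1--
"""
```

Calling check_message(SAMPLE_MESSAGE, ["friend@example.org"]) reports the sender as unknown and both attachments with findings, so safe_to_open is False.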
Spamming
Spamming is the use of email systems to send unsolicited bulk messages indiscriminately, overloading the users' inboxes
Spam emails may contain malicious computer programs such as viruses and Trojans
According to Symantec, spam makes up 89.1% of all email traffic
Spam Sources by Continent (http://www.m86security.com):
Europe 44%, Asia 27%, South America 18%, Africa 8%, North America 7%, Oceania 3%
Figure: an attacker sending unsolicited bulk messages to a user
Spamming Countermeasures
Avoid opening spam messages (classified by spam filters)
Use the email client's spam filter and anti-spamming tools
Never follow the links in spam messages
Report suspicious email as spam
Do not use your official email address while registering with any website
Use a different email address when posting messages to any public forum
Anti-Spamming Tool: SPAMfighter
http://www.spamfighter.com
SPAMfighter protects all the email accounts on a PC against "phishing", identity theft, and other email frauds
Hoax/Chain and Scam Emails
Hoaxes are email messages warning the recipients of non-existent threats
Users are also warned of adverse effects if they do not forward the email to others
A scam email asks for personal information such as bank account details, credit card numbers, password, etc.
The sender of scam mails may also ask the recipient to forward the email to everyone in his/her contact list
http://www.scamletters.com
http://diamond-back.com
Nigerian Scam
A Nigerian scam is a form of fraud based on an advance payment of money or a money transfer
This scam is called a Nigerian scam because it initially started from Nigeria, but such scams can come from anywhere in the world
Using this scam, scammers contact you by sending an email and offer you a share in a large sum of money
They say they want to transfer money, which was trapped in banks during civil wars, to your account
They may also cite various reasons such as massive inheritance problems, government restrictions, or taxes in the scammer's country
Scammers ask you to pay money or give them your bank account details to help them transfer the money
Sample scam email:
From: Mr. Wong Du, Seoul, South Korea.
I will introduce myself I am Mr.Wong du a Banker working in a bank in south Korea Until now I am the account officer to most of the south Korea government accounts and I have since discovered that most of the account are dormant account with a lot of money in the account on further investigation I found out that one particular account belong to the former president of south Korean MR PARK CHUNG HEE, who ruled south Korean from 1963-1979 and this particular account has a deposit of $48m with no next of kin.
My proposal is that since I am the account officer and the money or the account is dormant and there is no next of kin obviously the account owner the former president of South Korea has died long time ago, that you should provide an account for the money to be transferred.
The money that is floating in the bank right now is $48m and this is what I want to transfer to your account for our mutual benefit.
Please if this is okay by you I will advice that you contact me through my direct email address.
Please this transaction should be kept confidential. For your assistance as the account owner we shall share the money on equal basis.
Your reply will be appreciated,
Thank you.
Wong Du
Source: http://in.mail.yahoo.com/
Email Security Control Layers
Figure: email security control layers between the Sender and the Receiver
Email Security Procedures
Create and use strong passwords
Use HTTPS for browser connection
Disable/unselect Keep Me Signed In/Remember Me functions
Scan email attachments for malware
Create junk email filter in email clients
Avoid unwanted emails using filters
Digitally sign your mail messages
Turn off the preview feature and change download settings in email clients
Provide alternate address for mail recovery
Check for last login activity
Creating Strong Passwords
Strong passwords are difficult to crack or guess
A strong password can be created by using combinations of numbers (0‐9), letters
in upper and lower case (a‐z and A‐Z), and special characters (!@#$% …)
Create a strong but easy-to-remember password and do not write it down anywhere
Alternate Email Address
An alternate email address is the additional email address required at signup by most free email services such as Gmail and Yahoo
It is used by service providers to verify the account creator's identity
Alternate email addresses are used for password recovery in case you forget the password
Keep Me Signed In/Remember Me
Most popular email clients have a Keep Me Signed In or Remember Me option
Checking this option allows the email client to fetch the user's inbox without him/her having to fill in the login details again
This allows other users to access the user's email
Users should check that this option is not selected when accessing email from a public computer
Using HTTPS
Web mail services such as Gmail, Yahoo Mail, Hotmail, AOL Mail, etc. have an option for choosing the communication protocol for the browser connection
Change the browser connection setting to receive email using HTTPS (HTTP Secure)
Check for Last Account Activity
Always check the latest email account activity if the feature is available with the email service
Latest account activity includes information such as access type (browser, mobile, POP3, etc.), location (IP address), and date/time of account activities
To check account activity in Gmail, scroll to the bottom of the page and click Details
Immediately change your password and password hints if you observe any suspicious activity
Scanning Email Attachments
Be cautious when opening any email attachment
Save all the attachments and scan them properly for malware using an antivirus before opening
Enable the antivirus to automatically scan all the emails and downloads
Turn Off Preview Feature
Email clients have an option to show a preview of the email
Turn off this feature in email clients
Turning on this feature may execute script code without you explicitly opening the message
To turn off the preview feature in Microsoft Outlook: go to the View menu, select Reading Pane, and click the Off option
To turn off the preview feature in Mozilla Thunderbird: go to the View menu, select Layout, and uncheck the option Message Pane
Email Filtering: Avoiding Unwanted Emails
Email filtering is the process of organizing emails according to specified criteria
Email filters are generally used to identify and categorize spam mails
To avoid unwanted emails in Outlook 2010, go to the Delete group on the Home tab, click Junk and then Junk E-mail Options; on the Blocked Senders tab, click Add
Enter an email address or domain name and click OK
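An added example (not from the module) showing the Blocked Senders semantics in code: an entry is either a full address or a domain, a domain entry also covers its subdomains but not a look-alike domain, and the decision is taken on the address part of From rather than the display name. The class, function names and sample messages are constructed for this illustration; a blocked-sender list only helps against senders who do not forge From, so it complements the client's spam filter rather than replacing it.

```python
import email
from email import policy
from email.utils import parseaddr

class BlockedSenderFilter:
    """Blocked Senders list in the style of the Outlook dialog described above.

    An entry containing '@' blocks that one mailbox; a bare domain (a leading
    '@' is tolerated) blocks the domain and every subdomain beneath it."""

    def __init__(self, entries):
        self.addresses = set()
        self.domains = set()
        for entry in entries:
            entry = entry.strip().lower().lstrip("@")
            (self.addresses if "@" in entry else self.domains).add(entry)

    def is_blocked(self, address):
        address = address.lower()
        if address in self.addresses:
            return True
        domain = address.rpartition("@")[2]
        # Match whole labels only: blocking promo.example must catch
        # mail.promo.example but must not catch promo.example.com.
        return any(domain == d or domain.endswith("." + d) for d in self.domains)

    def route(self, raw_message):
        """Return the folder a raw RFC 5322 message should be delivered to."""
        msg = email.message_from_string(raw_message, policy=policy.default)
        # Decide on the address part only; the display name is sender-chosen and
        # is often set to a trusted-looking address to fool the eye. The From
        # header itself can be forged too, which is why this is only one layer.
        _, sender = parseaddr(msg.get("From", ""))
        return "Junk E-mail" if self.is_blocked(sender) else "Inbox"

def route_all(filt, messages):
    """Route a dict of name -> raw message and return name -> folder."""
    return {name: filt.route(raw) for name, raw in messages.items()}

# Constructed sample messages (not real captures).
SAMPLES = {
    "newsletter": "From: News <news@promo.example>\nTo: me@example.org\n"
                  "Subject: Deals\n\nBuy now\n",
    "subdomain": "From: Deals <x@mail.promo.example>\nTo: me@example.org\n"
                 "Subject: More deals\n\nBuy now\n",
    "lookalike": "From: Promo <x@promo.example.com>\nTo: me@example.org\n"
                 "Subject: Not the same domain\n\nHello\n",
    "spoofed": "From: \"ana@example.org\" <throwaway@freemail.example>\n"
               "To: me@example.org\nSubject: Urgent\n\nCall me\n",
    "colleague": "From: Ana <ana@example.org>\nTo: me@example.org\n"
                 "Subject: Lunch\n\nNoon?\n",
}

if __name__ == "__main__":
    blocked = BlockedSenderFilter(["@promo.example", "throwaway@freemail.example"])
    for name, folder in route_all(blocked, SAMPLES).items():
        print(f"{name:10} -> {folder}")
```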
Digitally Sign Your Emails
Digital signatures are used to authenticate the sender of a message or the signer of a document
They can also be used to ensure that the original content of the message is not changed
Users require a digital certificate to digitally sign emails; you can obtain one from certification authorities
Examples of Certification Authorities: VeriSign (http://www.verisign.com), Comodo (http://www.comodo.com), Thawte (http://www.thawte.com), Entrust (http://www.entrust.com)
How to Obtain Digital Certificates?
Go to the Certificate Authority's website
Purchase and download a digital certificate
Some certificate authorities, such as Comodo, offer a free personal email security certificate
Provide personal details to download the certificate
Log in to the email account that you provided while downloading the certificate
Check your inbox for an installation link
Installing a Digital Certificate
Click on the installation link to install the digital certificate
In Internet Explorer, go to Tools > Internet Options > Content tab
In the Content tab, click the Certificates button
Select the certificate and click the Export button
Click on Next
Check the "Yes, export the private key" option and click on Next
Protect the private key by giving a password and confirming it
Specify the file you want to export and save it to a particular location
Signing Your Emails
Go to Microsoft Outlook > File > Options
Click on Trust Center > Trust Center Settings > Email Security
Enable encryption by selecting the appropriate check boxes under the Encrypted e-mail section
Click the Import/Export button
Browse to find the file to open and give the password and digital ID name
Click the OK button
Click New Mail to write a message
After clicking on the Send button, it will prompt to encrypt the message
Click the Send Unencrypted button (if the recipients do not have a private key)
Click on the Continue button if the recipients have a private key
Microsoft Outlook Download Settings
Choose the Automatic Download option from the Trust Center and select the options as shown in the figure
Online Email Encryption Service: Lockbin
Lockbin is a free service for sending private email messages
It is used for sending confidential information such as credit card details and business information
https://www.lockbin.com
Email Security Tools
Comodo AntiSpam: http://www.comodoantispam.com
Netcraft Toolbar: http://toolbar.netcraft.com
PhishTank SiteChecker: https://addons.mozilla.org
Mirramail Secure Email: http://www.mirrasoft.com
Spamihilator: http://www.spamihilator.com
Encryptomatic MessageLock: http://www.encryptomatic.com
McAfee SpamKiller: http://us.mcafee.com
Comodo Email Certificate: http://www.comodo.com
Module Summary
Email (electronic mail) is a method of exchanging digital messages from a sender to
one or more recipients
Attachments can contain malicious programs; opening such attachments can infect the computer
Spamming is the process of populating the user's inbox with unsolicited or junk emails
Hoaxes are false alarms warning about a nonexistent virus
Do not forget to delete browser cache, passwords, and history
Consider setting mobile phones to download only headers of emails, not the full email
Digital signatures are used to authenticate the sender of a message or the signer of a document
Email security tools protect passwords and automatically log off email accounts
Email Communication Checklist
DON’T CLOSE the browser without properly logging out
DON’T FORGET to delete browser cache, passwords, and history
DON’T SEND personal and financial information via email
DON’T USE just one email account for all purposes
DON’T TRUST the emails from your friends to be secure
DON’T DELETE spam instead of blacklisting it
DON’T FAIL to scan all email attachments and to enable the email spam filter
DON’T USE simple and easy‐to‐guess passwords
Email Security Checklist
Enable https for secure communications/transactions
Be diligent while opening email attachments
Do not click on links provided in email messages
Create strong passwords for logging into mail accounts
Follow email etiquette when forwarding messages
Do not forward or reply to spam and suspicious emails; delete them
Avoid accessing email via unsecured public wireless connection
Avoid accessing the accounts on shared computers and sending large attachments in emails
Never save your password on the web browser
Sort messages by priority, subject, date, sender, and other options (helps in searching email)
Avoid sending confidential, sensitive, personal, and classified information in emails
Use the Bcc: option when sending mail to bulk recipients
Clean your Inbox regularly
Create folders and move email accordingly (Family, Friends, Work, etc.)
Digitally sign your outgoing mails
Send attachments in PDF form rather than Word or Excel formats
Security Checklist for Checking Emails on Mobile
Configure to check only attachment notifications, but not attachments
Do not open/send large attachments from mobile
Do not follow links sent in email or text messages
Consider setting mobile phones to download only headers of emails, not the full email
Install mobile antivirus and keep it up to date
Turn off Show Pictures in your mobile browser
To reduce the size of emails, send them in plain text
Zip and send any important files