Email Security Overview
David Maislin – Director, North American Sales Engineering
April 12, 2023
Understanding Email

Message lifecycle: Compose → Send → Transport → Route → Deliver → Receive → Read

Sending side
• Clients: Outlook, Notes, GroupWise, Web Email, Other
• Client-to-server protocols: SMTP (port 25), proprietary
• Servers: Exchange, Domino, GroupWise, AppleMail, Gateways, Other
• Server-side protocols: DNS (53), LDAP (389), LDAPS (636), AD global catalog (3268), AD global catalog over SSL (3269), SMTP (25), SMTP with TLS (25)
• Routes: MX records or static IPs

Receiving side
• Servers: Exchange, Domino, GroupWise, AppleMail, Gateways, Other
• Clients: Outlook, Notes, GroupWise, Web Email, Other
• Server-to-client protocols: POP (110), IMAP (143), proprietary
Size Matters: as organizations grow, expertise is segregated

S (1-2 IT staff)
• Email servers, LDAP/AD: shared knowledge
• Network, DNS, firewall: shared knowledge
• Database: shared knowledge
• Internal or outsourced: antispam, consultant(s), web servers

M (3-6 IT staff)
• Email servers, LDAP/AD: limited sharing
• Network, DNS, firewall: limited sharing
• Database(s): knowledge expert
• Internal or outsourced: antispam, programmer(s), consultant(s), web servers, IT management

L (7-20 IT staff)
• Email servers, LDAP/AD: knowledge expert
• Network, DNS, firewall, compliance: knowledge expert
• Database(s): knowledge expert
• Internal or outsourced: antispam, programmer(s), consultant(s), web servers, IT management, help desk

XL (20-100+ IT staff)
• Email servers, LDAP/AD: knowledge expert
• Network, DNS, firewall, compliance: knowledge expert
• Database(s): knowledge expert
• Internal or outsourced: antispam, programmer(s), consultant(s), web servers, IT management, help desk, change control

Outsourced IT (one generalist in house, shared knowledge)
• Outsourced: email servers, LDAP/AD, antispam, network, DNS, firewall, database, web servers

Understanding Compliance
Understanding Major Security & Privacy Regulations

HIPAA: Health Insurance Portability & Accountability Act
• Mandates specific technology standards and policies that healthcare organizations must implement for compliance.

GLBA: Gramm-Leach-Bliley Act
• Forces financial institutions to design, implement and maintain the necessary safeguards to protect consumers' nonpublic personal information.

SOX: Sarbanes-Oxley Act
• Requires public companies to automate their processes of building audit trails and control procedures into their IT systems.

CA SB 1386: California Senate Bill 1386
• A state regulation that requires companies to implement systems to detect and prevent security breaches, as well as provide counter-measures and publicly report breaches.
Other Regulations

SEC 17a-4 and NASD 3010
• Require broker-dealers to keep records for auditing securities transactions, including supervisory review of brokers' communications with the public.

FDA 21 CFR Part 11
• Controls the authenticity, integrity, non-repudiation and confidentiality of electronic records.

Payment Card Industry (PCI) Data Security Standard
• Mandates the protection of credit cardholder and account information across public networks.

USA Patriot Act – Homeland Security
• Requires companies to build and maintain an infrastructure that can report details of information handled and stored online.
Email Filtering Compliance Strategy – Content-Based Filtering

Every message, inbound or outbound, exposes the same five fields to the gateway: sender, receiver, subject, message body, attachment(s).

Decision flow for a message from sender to receiver:
• Manual trigger set by the sender? Yes → Encrypt
• Otherwise, does the subject, the message body or an attachment contain regulated content? Yes → Encrypt
• Otherwise → Send in the clear
Email Filtering Compliance Strategy – Identity-Based Filtering

The same five fields are available, but identity is checked first and content only as a fallback:
• Who is the sender? Is the sender designated (a user or group whose mail is always protected)? Yes → Encrypt; No → run the content filter
• Who is the receiver? Is the receiver authorized (a recipient or domain whose mail is always protected)? Yes → Encrypt; No → run the content filter
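Both strategies expressed as one policy function, as an added example that is not code from the deck or from any product it describes. The policy tables (designated senders, authorized recipient domains), the "[secure]" subject tag used as the manual trigger, and the SSN and Luhn-checked card detectors are assumptions made for the example:

```python
import re
from dataclasses import dataclass, field

# Policy tables. Constructed for this example; a real gateway would load them
# from LDAP groups or an admin console.
DESIGNATED_SENDERS = {"hr@example.com", "legal@example.com"}     # identity rule: always encrypt
AUTHORIZED_RECIPIENT_DOMAINS = {"partnerbank.example"}            # identity rule: always encrypt
MANUAL_TRIGGER = re.compile(r"^\s*\[(?:secure|encrypt)\]", re.I)  # sender-set subject tag (assumed convention)

# Regulated-content detectors. A card match is confirmed with Luhn so that
# order numbers and phone numbers do not trigger encryption.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit counting from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def regulated_content(text: str) -> list:
    """Kinds of regulated data found in one piece of text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.append("card")
    return hits


@dataclass
class Message:
    sender: str
    receiver: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # file name -> text already extracted from it


def content_policy(msg: Message):
    """Content-based strategy: manual trigger, then regulated content, else send in the clear."""
    if MANUAL_TRIGGER.search(msg.subject):
        return "encrypt", "manual-trigger"
    parts = [("subject", msg.subject), ("body", msg.body)] + list(msg.attachments.items())
    for label, text in parts:
        hits = regulated_content(text)
        if hits:
            return "encrypt", f"{label}:{','.join(hits)}"
    return "clear", "no-regulated-content"


def identity_policy(msg: Message):
    """Identity-based strategy: designated sender or authorized receiver, otherwise fall back to content."""
    if msg.sender.lower() in DESIGNATED_SENDERS:
        return "encrypt", "designated-sender"
    if msg.receiver.lower().rsplit("@", 1)[-1] in AUTHORIZED_RECIPIENT_DOMAINS:
        return "encrypt", "authorized-receiver"
    return content_policy(msg)
```

identity_policy() short-circuits on identity and only then runs content_policy(); the reason string is what you would log so an encrypted delivery can be explained to the sender. Attachment text is assumed to have been extracted already, since a regex cannot be run over a binary.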
Understanding Email Encryption

• TLS encrypts the connection: server-to-server (hop-by-hop) encryption while the message is in transit. The message itself is stored in the clear on each server, and a hop whose peer does not offer TLS falls back to cleartext unless TLS is made mandatory for that destination.
• S/MIME and PGP encrypt or sign the message itself: server to server, server to client, client to server, and client to client. Signatures also serve authentication.
• Secure WebMail: stores the encrypted message on a server; the recipient retrieves it through a web session.
Email Encryption Methods – TLS

TLS: Transport Layer Security
• Creates a secure connection between email gateways over which any amount of data can be sent. Note: the encryption is only in effect while the email is in transit between the two gateways.
• Gateway-to-gateway (company-to-company) encryption

Benefits:
• Seamless partner-to-partner encryption
• Completely transparent to the sender and receiver

Diagram: Email Servers → Email Gateway → Internet → Email Gateway → Email Servers
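The practitioner caveat behind "transparent" is that gateway-to-gateway TLS is opportunistic by default: if the peer does not advertise STARTTLS, or something on the path strips the advertisement, the mail goes out in cleartext with no error. The fragment below is an added example, not configuration from the deck or from any product it describes. It shows the opportunistic default beside a per-partner policy that makes TLS mandatory and verifies the partner's certificate; it assumes a Postfix gateway, and partnerbank.example, otherpartner.example and the certificate file names are placeholders:

```text
# /etc/postfix/main.cf
# Default for every destination: opportunistic TLS. Falls back to cleartext
# when the remote MX does not offer STARTTLS, so on its own it proves nothing.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
# Per-destination overrides, looked up by recipient domain.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy   (run "postmap /etc/postfix/tls_policy" after editing)
# "encrypt" refuses to send in cleartext but does not check who answered.
# "secure" also verifies the chain and that the certificate name matches the
# partner's MX host, so a spoofed MX cannot collect the mail.
partnerbank.example     secure match=mx.partnerbank.example:.partnerbank.example
otherpartner.example    encrypt
```

With the policy in place a partner whose TLS is broken gets deferred mail and a log line rather than cleartext delivery, which is the behaviour a compliance auditor expects for a regulated destination.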
Email Encryption Methods – S/MIME and PGP

S/MIME and PGP
• Encrypt and decrypt the email body and attachments

S/MIME certificates
• Gateway to gateway (company to company)
• Gateway to client (from your company to an external recipient)
• Client to gateway (from an external sender to your company)

Benefits:
• Seamless partner-to-partner encryption
• Completely transparent to the sender and receiver
• Automatic harvesting of inbound signing/public certificates
• Generates proxy certificates for any internal employee via email
• Proxy encryption and signing
• Proxy decryption

Diagram: Email Servers → Email Gateway → Internet → Email Gateway → Email Servers
Email Encryption Methods – Secure WebMail

• Encrypts email and provides access through a secure web portal
• Gateway to client (from your company to any external recipient)
• Universal (zero client-side software requirements)
• Online and offline secure email
• Self-registration, zero registration, and automated user management
• Very large email attachment support
• Tracking by recipient, by message, and by attachment
• Delivery profiles for message, inbox, and portal branding
• Roles for message expiration, password requirements, domain limits, message size, and message quotas

Benefits:
• No learning curve
• No client-side software

Diagram: Email Servers → Internet; the recipient receives an email notification and retrieves the message over SSL
Email Encryption Methods – Desktop Messenger

Employee-to-Employee Encryption
• Protects sensitive internal messages to the desktop
• Provides senders with a "Send Secure" button
• Solves the problems of enrollment, key distribution and authentication
• Uses S/MIME encryption standards
• New users receive messages via the Web system with links for enrollment

Benefits:
• Adds a layer of protection for key internal users
• External users receive Secure WebMail
• No change to the user paradigm
• Removes the hassles of managing PKI-based

Diagram: Email Servers → Email Gateway (enrollment, key management, authentication) → Internet; sensitive internal communication stays on the desktop-to-desktop path, while external recipients receive an email notification and read over SSL
Messaging Delivery Methods – File Messenger

File Messenger
• Large files route around email servers

Benefits:
• End users send files with their email applications
• Large files don't waste space on email servers
• Track by recipient and attachment
• Completely secure
• Uses existing standards-based technologies
• Supports digital signing and encryption using existing email standards

Diagram: Email Servers → Internet; large files are automatically routed around the mail servers, the recipient receives an email notification and downloads over SSL
Hosted Solutions
• Hosted solutions present several issues
• Sensitivity of data
• Archive and recovery of sensitive email
• Who is liable if data is lost?
• Viability and volatility of hosting company
• Sender and recipient email addresses can be considered identifiers
• Recipient must sign up with external service to read their confidential data
• Service may use email address lists for other purposes
Steganography
• The art and science of writing hidden messages in such a way that no one apart from the intended recipient knows that the message exists
• In contrast to cryptography, where the existence of the message is not disguised but its content is obscured. Quite often the hidden message is carried inside a picture.
• Aren't we trying to block image-based spam already?

Figure: a GIF carrier file containing the hidden airport map, shown next to the original message or attachment
Email Encryption – Best Delivery Approaches

Who? Business-to-Business, Business-to-Consumer, Employee-to-Employee
How? Desktop to Desktop, Gateway to Desktop, Secure Web Delivery, Gateway to Gateway
(The slide is a Who-by-How matrix; the recommended combinations are marked "Best Practice".)

Tips:
• Seek encryption transparency
• Select vendor solutions that support industry standards and interoperability
• Look for vendor solutions that can provide transparency for both outbound and inbound secure email
• Look to automate the acceptance of customer/member/patient email messages through a Web portal
DomainKeys Identified Mail (DKIM)
• Authentication framework for email using public-key cryptography and key server technology (the signing domain publishes its public key as a DNS TXT record under selector._domainkey.<domain>) to permit verification of the source and contents of messages by either Mail Transfer Agents (MTAs) or Mail User Agents (MUAs).
• The ultimate goal of this framework is to permit a signing domain to assert responsibility for a message, thus protecting message signer identity and the integrity of the messages they convey while retaining the functionality of Internet email as it is known today. Protection of email identity may assist in the global control of "spam" and "phishing".
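The two things a DKIM verifier checks are that the body hash (bh=) matches the body it actually received and that the signature (b=) validates over the canonicalized headers. The added example below (not from the deck and not from any DKIM library) implements the RFC 6376 "relaxed" canonicalization for both, verifies bh=, and produces the exact bytes that b= covers; the RSA operation on those bytes with the key fetched from selector._domainkey in DNS is left to a library such as dkimpy. The message, domain and selector in the usage are constructed:

```python
import base64
import hashlib
import re


def relaxed_body(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization. Lines are CRLF-separated."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":          # drop empty lines at the end of the body
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfold, squeeze WSP, trim."""
    value = re.sub(r"\r\n[ \t]+", " ", value)    # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body).encode()).digest()).decode()


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def parse_message(raw: str):
    """Split a CRLF message into [[name, value], ...] (folds preserved) and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t"):
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value.lstrip(" \t")])
    return headers, body


def dkim_signature(headers) -> str:
    return next(v for n, v in headers if n.strip().lower() == "dkim-signature")


def check_body_hash(raw: str) -> bool:
    """True when the bh= in the signature matches the body actually received."""
    headers, body = parse_message(raw)
    return parse_tags(dkim_signature(headers)).get("bh") == body_hash(body)


def signing_input(raw: str) -> bytes:
    """Bytes covered by b=: the h= headers (last instance of each name first, as the RFC
    requires) followed by the DKIM-Signature header itself with the b= value emptied."""
    headers, _ = parse_message(raw)
    sig_value = dkim_signature(headers)
    remaining = [list(h) for h in headers]
    out = []
    for name in parse_tags(sig_value)["h"].lower().split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == name:
                out.append(relaxed_header(*remaining.pop(i)))
                break
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    out.append(relaxed_header("DKIM-Signature", stripped).rstrip("\r\n"))
    return "".join(out).encode()
```

A bh= mismatch is the most common DKIM failure in practice and usually means something between signer and verifier rewrote the body (a disclaimer footer, a list trailer, an encoding change); signing_input() is what to diff when a signature fails while bh= still matches.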
Why Do Spammers Send Spam?

Malicious Threats – Worldwide
Understanding Malicious Threats – Denial of Service Attacks

They start attacking from the network, from all over the Internet…

• Denial of Service attack (DoS): too many connections from one IP address
• Distributed Denial of Service attack (DDoS): too many connections from many IP addresses (zombies)
• Bounce flood attack (labelled "Smurf" on the slide; in mail terms, backscatter): mail sent with spoofed sender domains, so that the bounces land on the intended victim domains
Bounce Address Tag Validation (BATV)
• BATV defines a framework for mechanisms that validate the value in the SMTP "MAIL FROM" command (the envelope sender, which is also where bounces are addressed).
• Outbound policy tags the envelope sender:
  MAIL FROM: [email protected]
  is transformed to
  MAIL FROM: [email protected]
  where =KEY123 is the bounce tag
• Inbound, only accept bounces (messages with a null envelope sender) whose recipient carries a valid, unexpired tag; a bounce addressed to an untagged or mistagged address answers mail you never sent and is backscatter from spoofed mail.
• Reports can be generated on all BATV violations
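A tag is only useful if nobody else can mint one, so it has to be keyed. The added example below (not from the deck; modelled on the PRVS tag layout of the BATV draft: a key-version digit, a three-digit expiry day and six hex digits of HMAC) signs an outbound envelope sender and validates the recipient of an inbound bounce. The secret, key version, validity period and day counter are constructed for the example:

```python
import hashlib
import hmac

# Site secret and key version. Constructed for this example; rotate the secret and bump
# KEY_VERSION in production, keeping the old key until the tags it made have expired.
BATV_SECRET = b"constructed-batv-secret-change-me"
KEY_VERSION = 0
MAX_AGE_DAYS = 30      # a genuine tag's expiry can never be further ahead than this


def _mac(key_version: int, expiry_day: int, address: str) -> str:
    msg = f"{key_version}{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(BATV_SECRET, msg, hashlib.sha1).hexdigest()[:6]


def batv_sign(address: str, today: int, valid_days: int = 7) -> str:
    """Tag an outbound envelope sender. `today` is a day counter (e.g. days since the epoch)."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + valid_days) % 1000               # PRVS keeps only three digits of the day
    return f"prvs={KEY_VERSION}{expiry:03d}{_mac(KEY_VERSION, expiry, address)}={local}@{domain}"


def batv_check(rcpt: str, today: int):
    """Validate the recipient of an inbound bounce. Returns (accept, reason, original address)."""
    if not rcpt.lower().startswith("prvs="):
        return False, "untagged-bounce", rcpt
    parts = rcpt.split("=", 2)
    if len(parts) != 3 or len(parts[1]) != 10 or not parts[1][:4].isdigit():
        return False, "malformed-tag", rcpt
    tag, address = parts[1], parts[2]
    key_version, expiry, mac = int(tag[0]), int(tag[1:4]), tag[4:]
    if key_version != KEY_VERSION:
        return False, "unknown-key-version", address
    if (expiry - today) % 1000 > MAX_AGE_DAYS:         # expired, or a day value nobody could have issued
        return False, "expired-tag", address
    if not hmac.compare_digest(mac, _mac(key_version, expiry, address)):
        return False, "bad-signature", address
    return True, "valid-tag", address
```

Only messages with a null envelope sender (bounces) go through batv_check(); ordinary mail addressed to the bare local part is unaffected. The rejection reason is what the "BATV violations" report is built from.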
Understanding Malicious Threats – Directory Harvest Attacks

Diagram: the attacker sends to guessed addresses at COMPANY.COM; each invalid one draws a 550 bounce, each accepted one confirms a live mailbox.

During a directory harvest attack, spammers use brute force against an email server to compile comprehensive lists of valid email addresses to use or sell.
Meanwhile, the plethora of probes overwhelms the email server, creating a denial of service from the vast number of non-delivery reports the attack generates.
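Both of the attacks above are visible in the MTA log before they are visible in the queue: a harvester produces a run of "user unknown" rejections from one source, a connection flood a run of connects from one source. The added example below (not from the deck) keeps a sliding five-minute window per client IP and flags either pattern. The log line format and the sample lines are constructed for the example, and the thresholds are assumptions to tune against your own traffic:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<iso-timestamp> <event> client=<host>[<ip>] <details>".
# Adapt LOG_RE to the MTA's real lines; only timestamp, event and client IP are needed.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>connect|reject) client=\S*\[(?P<ip>[\d.]+)\](?P<rest>.*)$")

WINDOW = timedelta(minutes=5)
MAX_CONNECTS = 30        # DoS: connections from one IP inside the window
MAX_UNKNOWN_USERS = 10   # DHA: "user unknown" rejects from one IP inside the window


def _bump(queue, ts, limit):
    """Slide the window forward and report whether the count now exceeds the limit."""
    queue.append(ts)
    while queue and ts - queue[0] > WINDOW:
        queue.popleft()
    return len(queue) > limit


def detect(lines):
    """Map each offending source IP to the set of verdicts it earned ('dos', 'dha')."""
    connects, unknown, verdicts = defaultdict(deque), defaultdict(deque), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["event"] == "connect" and _bump(connects[ip], ts, MAX_CONNECTS):
            verdicts[ip].add("dos")
        elif m["event"] == "reject" and "5.1.1" in m["rest"] and _bump(unknown[ip], ts, MAX_UNKNOWN_USERS):
            verdicts[ip].add("dha")
    return dict(verdicts)


def sample_log():
    """Constructed sample: a harvester, a connection flood and one ordinary client."""
    t0 = datetime(2006, 11, 26, 19, 49)
    lines = [f"{t0.isoformat()} connect client=unknown[198.51.100.7]"]
    for i in range(12):   # one session, twelve guessed recipients, all unknown
        t = t0 + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} reject client=unknown[198.51.100.7] RCPT from <a{i}@company.com>: 550 5.1.1 User unknown")
    for i in range(40):   # forty connections in two minutes from one source
        t = t0 + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} connect client=unknown[203.0.113.9]")
    for i in range(2):    # normal client: two connections, one typo in a recipient
        t = t0 + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} connect client=mail.example.org[192.0.2.5]")
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} reject client=mail.example.org[192.0.2.5] RCPT from <jon@company.com>: 550 5.1.1 User unknown")
    return lines
```

The response to a "dha" verdict is to stop answering the question: tarpit or temporarily refuse the source at connection time, and make sure invalid recipients are rejected during the SMTP session rather than accepted and bounced, so the attack generates no NDRs at all.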
Understanding Spamming Techniques

Basic Email Network
• Enterprise threats are typically inbound
• Diagram callouts: no recipient validation, out-of-control disk growth, performance degradation, spam/viruses inside the network

Basic ISP Email Network
• ISPs are completely different
• Threats are inbound
• Threats are outbound
• Threats are domain to domain (Domain 1, Domain 2, … Domain X all behind the same Internet-facing gateway)
Recipient Validation Issues
• Not all invalid-recipient email is rejected by all mail servers
• Mail servers can be part of the problem
• Spam can still get through

Sample message from the slide (addresses redacted in the source):
From: "Kim Browne" [[email protected]]
Sent: 11/26/2006 07:49 PM
To: [email protected]
Subject: Mississippi catfish Out-milton
are different things, though the words are often used synonymously. a person may be proud without "perhaps," said darcy, "i should have judged better, had i sought an introduction; but i am

Callout: fuzzy logic sent this email to: (address redacted on the slide)

Some Spam is Hard to Detect
• Not all email is easily recognized as spam
• Spammer techniques evolve to bypass filters
• The same sample: random phrases containing nonsense and gibberish

Phishing Attacks
(The slide compares a fake message and the real one it imitates, side by side.)
The Image Spam Problem
• Image spam presents a new challenge to spam filters
• Messages are sent as images instead of text
• Gibberish text is inserted to fool content filters
• Image files are randomized to avoid signature detection
• Spammers alter every possible file attribute to trick filters: changing image size, margins and color shades; adding random noise, "dust" and "speckles"; splitting or breaking images; assembling multiple images into animated GIFs
• The impact has been significant: spam rates have increased sharply as image spam bypasses many legacy spam filters, and most vendors have lacked the ability to view or filter image content

Chart: Growth in Image Spam Quantity (y-axis 0% to 40%) across 2003, 2004, 2005, Q1 06, Q2 06, Q3 06. Source: Tumbleweed Message Protection Lab, Nov. 2006
Image Spam Techniques
• Gibberish text to fool Bayesian filters
• Obscure fonts to bypass OCR scanning
• Randomized pixel "noise" stripes
• Random dots and "dust specks"
• Changing background colors and patterns
• Shifting text height and position to fool OCR scanning
• Altering text and background colors and textures

Adaptive Image Filtering
Figure: one known spam image is used to identify two randomized variants of it.
Clever Spamming Techniques
Can you spot the difference between these two penguins?

Original Image vs. HTML Table: the same picture rebuilt as an HTML table in which each cell is a colored pixel, so there is no image file for a filter to fingerprint. JPG image: 2.97K; HTML table: 273K.

Adaptive Image Filtering Techniques
Pipeline: a sample of varying image spam → wavelet transforms → a compact signature → query against an image database of signatures → new spam is recognized when its signature is close (≈) to a stored one.
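A signature that survives the randomizations listed above has to describe the picture's structure rather than its bytes. The added example below (not from the deck, and a simpler cousin of the wavelet method the slides describe) uses a difference hash, a perceptual signature built on the same idea: downscale, compare neighbouring cells, and compare hashes by Hamming distance rather than for equality. The synthetic image, the noise model and the match threshold are constructed for the example:

```python
import random


def make_image(width=64, height=64, with_text=True):
    """Constructed stand-in for a spam image: a left-to-right gradient with a band of
    inverted gradient (the 'text block') across the middle. Values are 8-bit grey levels."""
    img = []
    for y in range(height):
        row = []
        for x in range(width):
            v = 30 + 3 * (x * 64 // width)
            if with_text and 16 <= y * 64 // height < 48:
                v = 240 - 3 * (x * 64 // width)
            row.append(v)
        img.append(row)
    return img


def with_noise(img, seed, amount=40):
    """Spammer randomization: per-pixel speckle and dust of +/- `amount` grey levels."""
    rnd = random.Random(seed)
    return [[max(0, min(255, p + rnd.randint(-amount, amount))) for p in row] for row in img]


def dhash(img, size=8):
    """Difference hash: average the image down to (size+1) x size cells, then emit one bit
    per horizontally adjacent pair (1 when the left cell is brighter). 64 bits for size=8."""
    h, w = len(img), len(img[0])
    cw, ch = w / (size + 1), h / size
    bits = 0
    for gy in range(size):
        ys = range(int(gy * ch), int((gy + 1) * ch))
        cells = []
        for gx in range(size + 1):
            xs = range(int(gx * cw), int((gx + 1) * cw))
            cells.append(sum(img[y][x] for y in ys for x in xs) / (len(xs) * len(ys)))
        for gx in range(size):
            bits = (bits << 1) | (1 if cells[gx] > cells[gx + 1] else 0)
    return bits


def hamming(a, b):
    return bin(a ^ b).count("1")


def is_known_spam(candidate, signatures, threshold=10):
    """Adaptive match: a new image is spam when its hash is within `threshold` bits of a stored one."""
    h = dhash(candidate)
    return any(hamming(h, s) <= threshold for s in signatures)
```

Noise, a brightness shift and a resize all leave the hash within a few bits of the stored signature, while an image with different structure lands tens of bits away; the threshold is the knob between catching variants and false positives, and the database query in the pipeline above is exactly this nearest-neighbour search over stored signatures.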
New Breed of Viruses / Malware

Chart 1, early days, typical viral propagation: intensity (0% to 100%) climbs from 0 hr to a peak at 6-10 hrs and tails off by 20 hrs.
Chart 2, short-span attack: intensity peaks at 3-7 hrs.
Chart 3, now, serial variants attack: intensity rises again with each variant (V.1, V.2, V.3, V.4) along the variants release timeline.

• Rapid spread by zombies and botnets
• Signature-based approach not keeping up
• 10 hours to develop signatures vs. 3-7 hours for attacks to peak
Zero-Hour vs. Traditional Anti-Virus

Virus Outbreak Protection complements signature-based antivirus products

                         Virus Outbreak Protection     McAfee, Kaspersky signature-based AV
Response time            within 1-2 minutes            within 5-10 hours
Services protected       email only                    email, Web, IM
Defend                   yes                           yes
Clean and repair         no                            yes
Spyware defense          block infection               scan after updates
Update mechanism         real-time pull                periodic update of signature pack
CPU impact               lightweight                   heavy load
Multi-wave attacks       catch them all                let some through
The Continuing Fight Against Spammers

1998-2002: Content Filtering
• Lexical analysis
• Weighted word lists
• Regular expressions
• Signature/hash

2002-2004: Behavioral Analysis, layered on content filtering
• Heuristics
• Bayesian
• Statistical analysis
• Message intent (AI)

2005: Pattern Detection, layered on the above
• Edge defense
• Outbreak detection
• IP reputation
• Recurrent pattern

2007: Image Filtering, layered on the above
• Image pattern analysis
• Adaptive image filtering
• Dynamic engine update

• Effective anti-spam requires expertise, constant adaptation, layering of new techniques

Common Architectural Deployment Mistakes
The Single Box Solution?

Diagram: MX record mycompany.com → 215.23.3.130; the firewall passes inbound SMTP to a single spam appliance (192.168.1.130), which relays to the email server (192.168.1.125).

If it can fail, it will! One box, no matter how amazing its architecture, is still a single point of failure. Networks can fail too. Remember that email is the most important and ubiquitous application in your company.

Revised layout: Spam Appliance 1 (192.168.1.130) and Spam Appliance 2 (192.168.2.130) on separate subnets behind the firewall, both relaying to the email server. Plan for redundancy and failure around hardware and networks! Start with the best hardware and work down, not the cheapest.
LDAP Mistakes

Diagram: Spam Appliance 1 (192.168.1.130) and Spam Appliance 2 (192.168.2.130) each bind with a service account to LDAP 1 (192.168.1.110) and LDAP 2 (192.168.1.111) for recipient validation, in front of the email server (192.168.1.125), all behind the firewall.

Everything looks great, redundancy is everywhere. What could go wrong?
• The LDAP service account gets locked out
• Someone moved the LDAP user, and the appliances bind with a unique DN that includes its old location, so every bind now fails
• Resetting the password is pointless, as the account locks again automatically: both appliances keep retrying with the stale bind DN
• The customer perceives this as a product issue

Practitioner check: bind with an identifier that survives moves (Active Directory accepts the user@domain UPN form for a simple bind), alert on the service account's failed binds before the lockout threshold is reached, and use LDAPS (636) so the bind credential does not cross the network in the clear.
Network Mistakes

Diagram: the same redundant layout, two spam appliances binding to LDAP 1 and LDAP 2, email server behind the firewall.

Recipient validation stopped working. The customer blames the product and states that nothing has changed. What did change:
• The firewall rules changed
• The ISP changed
• The DNS changed
• The appliances reach LDAP and the mail server by DNS name instead of IP address, so any of the changes above can silently re-point them
Incompetence – Spam Still Gets Through!

Diagram: three spam appliances (192.168.1.130, 192.168.1.131, 192.168.1.132) behind the firewall, MX record mycompany.com → 215.23.3.130, email server 192.168.1.125.

Solutions Work… The Email Architecture Does Not

What the first diagram hides:
• MX record 1: mycompany.com → 215.23.3.130 (the spam appliances)
• MX record 2: mycompany.com → 215.23.3.125 (a second public address that reaches the email server directly, bypassing the appliances)
• MX record 3: isp.mycompany.com → 220.1.23.5 (an ISP mail server that relays inbound mail)
• WebMail: webmail.mycompany.com → 215.23.3.131

Examine all MX records! Examine all WebMail ports!
The Case of the Nasty NAT

Before: MX record mycompany.com → 215.23.3.120 and DNS record webmail.mycompany.com → 215.23.3.120 point at the same public address; the firewall NATs 215.23.3.120 to 192.168.1.125, the box that runs both the email server and WebMail.

What happens to WebMail? The spam appliance (192.168.1.130) is inserted and the firewall now NATs 215.23.3.120 to 192.168.1.130. SMTP now flows through the appliance, but webmail.mycompany.com still resolves to 215.23.3.120, so WebMail traffic lands on the appliance too and breaks.

Fix: add a public IP and a NAT for WebMail. The MX stays 215.23.3.120 → 192.168.1.130 (the appliance); webmail.mycompany.com moves to 215.23.3.125, NATed to the email server (192.168.1.125).

It is not always a drop-in appliance solution. It is a consultative approach to solving real-world problems.
Email Architecture Issues

Diagram: two datacenters, each with four spam gateways (SMTP1 to SMTP8) in front of banks of mail servers. Observed share of inbound mail by MX preference: MX 10: 30%, MX 20: 20%, MX 30: 10%, MX 40: 5%, MX 50: 5%, MX 60: 5%, MX 70: 10%, MX 80: 15%.

• Tiered MX records can cause performance issues
• Uneven distribution of inbound and outbound email
• Email queues can back up during email peak periods
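Both problems, backdoor MX records that bypass the gateways (the "examine all MX records" slide) and tiered preferences that leave hosts idle or uneven (this slide), can be checked from the zone's MX records. The added example below (not from the deck) audits a constructed record set; the gateway addresses and the records are assumptions, and in practice you would feed it the output of dig +short MX mycompany.com plus an A lookup per host:

```python
import ipaddress

# Addresses of the spam gateways. Constructed for this example (the deck's diagrams use 215.23.3.x).
GATEWAY_IPS = {ipaddress.ip_address(a) for a in ("215.23.3.130", "215.23.3.131")}

# Constructed records in the shape of `dig +short MX` output plus the address each host resolves to.
MX_RECORDS = [
    (10, "mx1.mycompany.com", "215.23.3.130"),
    (10, "mx2.mycompany.com", "215.23.3.131"),
    (20, "mail.mycompany.com", "215.23.3.125"),   # the mail server itself
    (30, "isp.mycompany.com", "220.1.23.5"),      # ISP relay
]


def traffic_share(records):
    """Share of inbound connections each MX host gets while all hosts are up: RFC 5321 senders
    use the lowest preference value and pick at random among hosts that share it."""
    lowest = min(pref for pref, _, _ in records)
    primaries = [host for pref, host, _ in records if pref == lowest]
    return {host: (1 / len(primaries) if host in primaries else 0.0) for _, host, _ in records}


def audit(records, gateway_ips):
    """Flag MX hosts that bypass the gateways, and tiers that sit idle until a lower tier fails."""
    findings = []
    share = traffic_share(records)
    for pref, host, ip in records:
        if ipaddress.ip_address(ip) not in gateway_ips:
            findings.append(f"bypass: {host} ({ip}, preference {pref}) is reachable without a spam gateway")
        elif share[host] == 0.0:
            findings.append(f"idle: {host} (preference {pref}) gets traffic only when lower-preference hosts fail")
    return findings
```

A bypass finding means spammers, who deliberately target the highest-preference MX because it is usually the least filtered, have a route straight to the mail server; an idle finding is the tiering problem from the slide, which a single preference value in front of a load balancer removes.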
Load Balancers Deployed, but No Recipient Validation

Diagram: each datacenter now fronts its spam gateways with a load balancer under a single MX preference (MX 10, 50% of inbound mail each).
• No recipient validation passes mail to the email server
• Some email servers use closest match and some spam makes it through
• Emails bounce and are processed many times, causing extra network traffic, slow performance, quarantining of invalid email, and backup of invalid email

Load Balancers and Recipient Validation Deployed

Diagram: as above, with the gateways validating recipients against LDAP1 to LDAP4.
• Recipient validation allows email in for valid recipients only
• 100% of invalid-recipient email dropped at the gateway
• No more email bounces
• Improved mail server performance, no more quarantining of invalid email
Trends by Content and IP

Trends by DNS Black List and IP

Trends by Denial of Service and IP

Trending Produces Results

IP Layer Blocking
• Trends occur by IP address
• Permanently block ranges of IP addresses at the network layer
• No need to ever scan content when a connection can't be made
• A sender whose connection is refused gets nothing past the filter; the blocks still need maintenance, because botnet senders rotate to fresh addresses
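Turning a trend into a network-layer block, as an added example that is not from the deck or from any product it describes: offenders are aggregated into /24s where several hosts from one netblock offend, collapsed into the smallest set of prefixes, and emitted as nftables commands. The trend data, the thresholds and the inet filter table name are constructed, and the example handles IPv4 only:

```python
import ipaddress
from collections import defaultdict

# Constructed trend data: spam verdicts per source IP over the last 24 h.
TREND = {
    "203.0.113.5": 120, "203.0.113.9": 88, "203.0.113.200": 45, "203.0.113.201": 60,
    "198.51.100.7": 300,
    "192.0.2.10": 2,          # one-off, not a trend
}


def offenders(trend, min_hits=20):
    """Sources whose verdict count shows a trend rather than a stray hit."""
    return [ipaddress.ip_address(ip) for ip, n in trend.items() if n >= min_hits]


def block_ranges(ips, min_hosts_per_24=3):
    """Turn offenders into the smallest rule set: a whole /24 once several of its hosts offend
    (one netblock, many zombies), a /32 for isolated hosts; overlapping entries are merged."""
    per_net = defaultdict(list)
    for ip in ips:
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append(ip)
    nets = []
    for net, hosts in per_net.items():
        if len(hosts) >= min_hosts_per_24:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(str(h)) for h in hosts)
    return sorted(ipaddress.collapse_addresses(nets))


def nft_commands(nets, table="inet filter", setname="smtp_block"):
    """nftables commands that drop the TCP handshake on port 25 from the blocked prefixes, so no
    SMTP session and no content scan ever happens. Assumes `table` exists with an `input` chain."""
    elements = ", ".join(str(n) for n in nets)
    return [
        f"nft add set {table} {setname} {{ type ipv4_addr; flags interval; }}",
        f"nft add element {table} {setname} {{ {elements} }}",
        f"nft add rule {table} input tcp dport 25 ip saddr @{setname} drop",
    ]
```

Run the trend job on a schedule and regenerate the set from it, deleting entries that have gone quiet, rather than accumulating a permanent list: a botnet member's address is reassigned eventually, and the block then costs you a legitimate sender.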
Inbound Email Best Practices – Before
• Spam, phishing, viruses, DoS, and DHA attacks are sent from all over the Internet
• No recipient verification causes email bounces. These emails clog up queues on some relays while leaving others completely idle
• With no redundancy and no load balancing, hardware failures result in considerable downtime
• Spam bounces cause queues to build up with useless NDR bounced emails
• End-user and email-administrator time is wasted on unwanted emails and countless help desk calls

Inbound Email Best Practices – After
• Spammers are identified at the source and blocked by real-time messaging technologies and reputation filters
• Server-based clustering and load balancing guarantee that both inbound and outbound email routes are protected
• Offensive emails disappear, encryption options are numerous, and compliance is transparent
• Recipient verification, reverse DNS lookups, anti-spam technologies and trend analysis put an end to spam
• Gateway-based clustering and load balancing ensure uptime
Questions?