CSCU Module 09: Securing Email Communications
TRANSCRIPT
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Securing Email Communications
Simplifying Security.
Module 9
Individuals who are concerned about data loss may be surprised to hear of the number of hacking attacks attempted on the Treasury.
Chancellor George Osborne revealed at the Google Zeitgeist conference on Monday (May 16th) that each month around 20,000 malicious emails are sent to UK government networks.
Furthermore, he noted: "During 2010, hostile intelligence agencies made hundreds of serious and pre‐planned attempts to break into the Treasury's computer system. In fact, it averaged out as more than one attempt per day."
As a result of these figures, Mr Osborne pointed out that the Treasury is one of the most targeted by data attacks across the whole of Whitehall.
Government is not the only area concerned about breaches though, with Square Enix recently confirming that a couple of websites it is associated with have been attacked.
Source: "Email Security: Malicious Messages 'A Problem For Govt. Too'", May 16, 2011, http://www.cryptzone.com
Module Objectives
Email System
Email Security
Email Security Threats
Spamming
Hoax/Chain and Scam Emails
Email Security Control Layers
Email Security Procedures
How to Obtain Digital Certificates?
Online Email Encryption Service
Email Security Tools
Email Security Checklist
Security Checklist for Checking Emails on Mobile
Module Flow
Introduction to Email Security
Email Security Threats
Email Security Procedures
How to Obtain Digital Certificates?
Email Security Tools
Email Threat Scenario 2011
(Rates are the share of email intercepted; "1 in N" means one message in every N)

Email Spam Intercepted, Top 5 Geographies (global spam rate: 89.1%)
  Italy         93.5%
  Denmark       93.2%
  Austria       92.0%
  France        92.0%
  Switzerland   91.5%

Email Virus Intercepted, Top 5 Geographies (global virus rate: 1 in 284.2)
  South Africa  1 in 147.2
  UK            1 in 164.6
  Spain         1 in 174.1
  Oman          1 in 229.0
  Switzerland   1 in 237.8

Email Phish Intercepted, Top 5 Geographies (global phish rate: 1 in 444.5)
  South Africa          1 in 99.0
  UK                    1 in 214.8
  Oman                  1 in 341.9
  United Arab Emirates  1 in 424.0
  New Zealand           1 in 568.1
How Do Email Systems Work?
Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients
Companies such as Microsoft, Yahoo!, Google, and AOL offer free email accounts
Email accounts can be accessed from a web browser or from a standalone email client such as Microsoft Outlook or Mozilla Thunderbird
[Figure: Sender -> Email Client -> Email Server -> Internet -> Email Server -> Email Client -> Receiver]
Email Security
No email communication is 100% secure
A message is relayed through several servers on its way to the recipient, in plaintext unless each hop uses TLS, and the From header contains whatever the sender chose to put there
Insecure email therefore allows attackers to intercept a user's personal and sensitive information
If not secured, emails sent or received can be forged or read by others
Email is also one of the main delivery channels for viruses and other malicious programs
Securing email is necessary for safer communication and to protect privacy
Email Security Threats
Phishing: phishing mails lure victims into providing personal data
Malicious email attachments: attachments may contain a virus, Trojan, worm, keylogger, etc.; opening such an attachment infects the computer
Spamming: the user may receive spam mails that contain malware allowing attackers to take control of the user's computer
Hoax/chain mail: the user may receive hoax emails that contain false information and tell him/her to forward the mail
Malicious user redirection: mails may contain links to websites hosting malware or pornographic material
Malicious Email Attachments
Email attachments are a major email security threat because they offer attackers one of the easiest and most powerful ways to attack a PC
Most malicious attachments install a virus, Trojan, spyware, or other malware as soon as you open them
Email Attachments: Caution
Check whether you have ever received email from this source before
Save and scan all email attachments before opening them
Check whether the subject line and the name of the attachment are related to each other
Check whether the email is from one of your contacts, remembering that the From address can be forged
Never open an email attachment from an unreliable source
Do not open attachments with suspicious or unknown file extensions
Example: *.exe, *.vbs, *.bat, *.ini, *.bin, *.com, *.pif, *.zzx
Windows hides known extensions by default, so "invoice.pdf.exe" is displayed as "invoice.pdf"; look at the full file name before trusting the extension
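To make the checks above mechanical, here is an added example (mine, not EC-Council's material) that parses a message with Python's standard email library and flags the tricks the slide's extension list alone misses: a decoy double extension, a right-to-left override character that reverses the displayed name, and an executable whose first bytes do not match its extension. It also records a SHA-256 per attachment for the "save and scan" step. The sample message, its addresses and the extra entries in the executable-extension set are constructed for the example.

```python
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly: the slide's executable types plus
# a few script/shortcut types (assumption: extend for your environment).
EXECUTABLE_EXT = {"exe", "vbs", "bat", "com", "pif", "scr", "js", "jse",
                  "wsf", "hta", "lnk", "cmd", "ps1"}
# Document-style extensions attackers put in front of the real one.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE: reverses the displayed tail


def inspect_attachment(filename, payload):
    """Return a list of reasons this attachment should not be opened."""
    reasons = []
    name = filename or ""
    if RLO in name:
        reasons.append("right-to-left override character hides the extension")
    # Work on the name the OS sees, not the one the user sees.
    parts = name.replace(RLO, "").lower().split(".")
    exts = parts[1:] if len(parts) > 1 else []
    if exts and exts[-1] in EXECUTABLE_EXT:
        reasons.append(f"executable extension .{exts[-1]}")
        if len(exts) > 1 and exts[-2] in DECOY_EXT:
            reasons.append(f"double extension .{exts[-2]}.{exts[-1]} (Windows hides the last one)")
    # Content check: a Windows executable starts with the 'MZ' header,
    # whatever the file is called.
    if payload[:2] == b"MZ" and (not exts or exts[-1] not in EXECUTABLE_EXT):
        reasons.append("PE executable disguised with a non-executable extension")
    return reasons


def triage(raw_message):
    """Parse a raw RFC 5322 message and report every attachment with a
    verdict and a SHA-256 to submit to a scanner before opening it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    report = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(part.get_filename(), payload)
        report.append({
            "filename": part.get_filename(),
            "declared_type": part.get_content_type(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "block": bool(reasons),
            "reasons": reasons,
        })
    return report


def build_sample_message():
    """Constructed sample: one clean PDF and two disguised executables."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # fake DOS/PE header
    msg.add_attachment(pe_stub, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # An RLO-unaware client shows this as "holiday_rcs.png"; the real name
    # ends in .scr, a Windows screensaver executable.
    msg.add_attachment(pe_stub, maintype="image", subtype="png",
                       filename="holiday_" + RLO + "gnp.scr")
    return msg.as_bytes()


if __name__ == "__main__":
    for entry in triage(build_sample_message()):
        verdict = "BLOCK" if entry["block"] else "scan, then open"
        detail = "; ".join(entry["reasons"]) or "no red flags"
        print(f"{entry['filename']!r}: {verdict} ({detail}) sha256={entry['sha256'][:16]}...")
```

Running it reports the first and third attachments as BLOCK and the PDF as "scan, then open"; the hash is what you would submit to a scanner or compare against a vendor's published hash before opening anything.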
Spamming
Spamming is the use of email systems to send unsolicited bulk messages indiscriminately, flooding users' inboxes
Spam emails may carry malicious programs such as viruses and Trojans
According to Symantec, spam makes up 89.1% of all email traffic

Spam Sources by Continent (source: http://www.m86security.com)
  Europe          44%
  Asia            27%
  South America   18%
  Africa           8%
  North America    7%
  Oceania          3%
[Figure: attacker sends unsolicited bulk messages to users]
Spamming Countermeasures
Avoid opening messages that the spam filter has classified as spam
Use the email client's spam filter and anti-spamming tools
Never follow the links in spam messages; even an "unsubscribe" link confirms to the sender that the address is live
Report suspicious email as spam
Do not use your official email address when registering with websites
Use a different email address when posting messages to any public forum
Anti-Spamming Tool: SPAMfighter
http://www.spamfighter.com
SPAMfighter protects all the email accounts on a PC against phishing, identity theft, and other email fraud
Hoax/Chain and Scam Emails
Hoaxes are email messages warning recipients of non-existent threats
Recipients are also warned of adverse effects if they do not forward the email to others
A scam email asks for personal information such as bank account details, credit card numbers, passwords, etc.
The sender of a scam mail may also ask the recipient to forward the email to everyone in his/her contact list
Screenshot sources: http://www.scamletters.com, http://diamond-back.com
Nigerian Scam
A Nigerian scam (also called advance-fee fraud or a "419" scam) asks the victim to pay money up front, or to hand over bank details, in return for a promised share of a much larger sum
It is called a Nigerian scam because it originally came from Nigeria, but these emails can come from anywhere in the world
Scammers contact you by email and offer you a share in a large sum of money
They say they want to transfer money, supposedly trapped in a bank during a civil war, into your account
They may also cite reasons such as a large inheritance, government restrictions, or taxes in the scammer's country
Scammers then ask you to pay fees or give them your bank account details to help them transfer the money
From: Mr. Wong Du, Seoul, South Korea.
I will introduce myself I am Mr.Wong du a Banker working in a bank in south Korea Until now I am the account officer to most of the south Korea government accounts and I have since discovered that most of the account are dormant account with a lot of money in the account on further investigation I found out that one particular account belong to the former president of south Korean MR PARK CHUNG HEE, who ruled south Korean from 1963‐1979 and this particular account has a deposit of $48m with no next of kin.
My proposal is that since I am the account officer and the money or the account is dormant and there is no next of kin obviously the account owner the former president of South Korea has died long time ago, that you should provide an account for the money to be transferred.
The money that is floating in the bank right now is $48m and this is what I want to transfer to your account for our mutual benefit.Please if this is okay by you I will advice that you contact me through my direct email address.
Please this transaction should be kept confidential. For your assistance as the account owner we shall share the money on equal basis.
Your reply will be appreciated,
Thank you.
Wong Du
Screenshot source: http://in.mail.yahoo.com/
Email Security Control Layers
[Figure: security controls applied in layers along the path from sender to receiver]
Email Security Procedures
Create and use strong passwords
Use HTTPS for the browser connection
Disable/unselect Keep Me Signed In/Remember Me functions
Scan email attachments for malware
Create a junk email filter in email clients
Avoid unwanted emails using filters
Digitally sign your mail messages
Turn off the preview feature and change download settings in email clients
Provide an alternate email address for account recovery
Check the last account activity
Creating Strong Passwords
Strong passwords are difficult to crack or guess
A strong password combines numbers (0-9), upper- and lower-case letters (a-z and A-Z), and special characters (!@#$% ...); length matters more than any single character class, so a long passphrase beats a short complex string
Create a strong but memorable password, use a different one for each account, and do not write it down where others can find it
Alternate Email Address
An alternate email address is an additional address that most free email services, such as Gmail and Yahoo, ask for at signup
Service providers use it to verify the account creator's identity
It is also used for password recovery if you forget your password
Whoever controls the recovery address can reset your password, so protect that account at least as well as the primary one
Keep Me Signed In/Remember Me
Most popular email services and clients offer a Keep me signed in or Remember Me option
Checking this option lets the browser or client open the user's inbox without asking for the login details again
On a shared computer this lets the next person who uses the browser read the user's email
Make sure this option is not selected when accessing email from a public computer, and log out when you finish
Using HTTPS
Webmail services such as Gmail, Yahoo! Mail, Hotmail, AOL Mail, etc. have an option for choosing the protocol used for the browser connection
Change the browser connection setting to always use HTTPS (HTTP over TLS), so that the login and the mailbox contents are encrypted between the browser and the mail provider
HTTPS protects only that hop; it does not encrypt the message itself on the provider's servers or on its way to the recipient's provider
Check for Last Account Activity
Always check the latest account activity if your email service offers this feature
Latest account activity includes information such as the access type (browser, mobile, POP3, etc.), the location (IP address), and the date/time of each access
To check account activity in Gmail, scroll to the bottom of the page and click Details
If you see access you do not recognise, immediately change your password and password hints and sign out all other sessions
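Reading the activity table by eye does not scale, so as an added example (not part of the original module) the script below parses a constructed activity table in the shape the slide describes and raises an alert for three things a user would want to catch: an access from a network they never use, an access type they never use (here POP3), and two sessions from unrelated networks only minutes apart. The trusted networks, the usual access types and the 15-minute window are assumptions for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample of a "last account activity" table, in the shape of the
# Details view the slide describes: access type | IP address | date/time.
SAMPLE_ACTIVITY = """\
Browser|203.0.113.45|2011-05-16 08:02
Mobile|198.51.100.9|2011-05-16 08:40
Browser|203.0.113.45|2011-05-16 12:15
POP3|192.0.2.77|2011-05-16 12:21
Browser|192.0.2.78|2011-05-17 03:05
"""

# Assumptions for the example: the networks the owner normally connects from
# and the access types they actually use.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
USUAL_ACCESS_TYPES = {"Browser", "Mobile"}
# Two sessions from unrelated networks inside this window cannot both be the
# owner sitting at one device.
CONCURRENCY_WINDOW = timedelta(minutes=15)


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_activity(text):
    """Return (access_type, ip, datetime) tuples in chronological order."""
    rows = []
    for line in text.splitlines():
        access, ip, when = line.split("|")
        rows.append((access, ipaddress.ip_address(ip),
                     datetime.strptime(when, "%Y-%m-%d %H:%M")))
    return sorted(rows, key=lambda row: row[2])


def review_activity(text):
    """One alert per suspicious entry; an empty list means every access
    looks like the owner. Any alert is the cue to change the password."""
    alerts = []
    rows = parse_activity(text)
    for i, (access, ip, when) in enumerate(rows):
        stamp = when.strftime("%Y-%m-%d %H:%M")
        if not is_trusted(ip):
            alerts.append(f"{stamp}: {access} access from unknown network {ip}")
        if access not in USUAL_ACCESS_TYPES:
            alerts.append(f"{stamp}: unusual access type {access} from {ip}")
        if i == 0:
            continue
        _, prev_ip, prev_when = rows[i - 1]
        overlapping = when - prev_when <= CONCURRENCY_WINDOW
        if overlapping and ip != prev_ip and not (is_trusted(ip) and is_trusted(prev_ip)):
            alerts.append(f"{stamp}: {ip} active within {CONCURRENCY_WINDOW} of {prev_ip}")
    return alerts


if __name__ == "__main__":
    for alert in review_activity(SAMPLE_ACTIVITY) or ["no suspicious activity"]:
        print(alert)
```

On the sample it produces four alerts, all for the 192.0.2.x addresses: the POP3 access is flagged both as an unknown network and as an unusual access type, it is also flagged for overlapping with the owner's own browser session six minutes earlier, and the 03:05 login is an unknown network. A mobile and a browser session from the owner's own networks within the window are deliberately not flagged.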
Scanning Email Attachments
Be cautious when opening any email attachment
Save all attachments and scan them for malware with an antivirus before opening them
Enable the antivirus to automatically scan all emails and downloads
Turn Off Preview Feature
Email clients have an option to show a preview of a message before it is opened
Turn this feature off
With the preview pane on, a message is rendered as soon as it is selected; HTML content can then load remote images (which tell the sender the address is live) and, in clients with rendering flaws, trigger exploit code without you explicitly opening the message
To turn off the preview feature in Microsoft Outlook:
Go to the View menu and select Reading Pane
Click the Off option
To turn off the preview feature in Mozilla Thunderbird:
Go to the View menu and select Layout
Uncheck the Message Pane option
Email Filtering: Avoiding Unwanted Emails
Email filtering is the process of sorting emails according to specified criteria
Email filters are generally used to identify and categorize spam
To block a sender in Outlook 2010, go to the Delete group on the Home tab, click Junk, then Junk E-mail Options; on the Blocked Senders tab, click Add
Enter an email address or domain name and click OK
A blocked-senders list matches only the From address, which the sender chooses freely, so treat it as a convenience and keep the junk filter enabled as well
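The Outlook dialog is a blocked-senders list; as an added example, not from the module, the Python below shows what such a rule actually matches: it parses the From: header the way a client does, compares full addresses case-insensitively, treats a domain entry as covering the domain and its subdomains but not look-alike domains, and lets a safe-senders list win. The lists and the sample headers are constructed.

```python
from email.utils import parseaddr

# Constructed Blocked Senders list, in the two forms the Outlook dialog
# accepts: a full address or a bare domain name.
BLOCKED_SENDERS = ["promo@deals.example", "spammer.example"]
# Constructed Safe Senders list; Outlook consults it before the blocked list.
SAFE_SENDERS = ["newsletter@spammer.example"]


def normalise(entry):
    """Reduce 'Display Name <user@host>', 'user@host' or 'host' to a
    lowercase (local_part, domain) pair; local_part is None for a domain."""
    _, addr = parseaddr(entry)
    addr = (addr or entry).strip().lower()
    if "@" in addr:
        local, _, domain = addr.rpartition("@")
        return local, domain
    return None, addr


def matches(sender, entry):
    s_local, s_domain = sender
    e_local, e_domain = entry
    if e_local is not None:                    # full-address entry
        return (s_local, s_domain) == (e_local, e_domain)
    # Domain entry: the domain itself and its subdomains, but not a
    # look-alike such as notspammer.example.
    return s_domain == e_domain or s_domain.endswith("." + e_domain)


def classify(from_header, blocked=BLOCKED_SENDERS, safe=SAFE_SENDERS):
    """Folder for a message given its From: header: 'safe', 'junk' or 'inbox'."""
    sender = normalise(from_header)
    if sender[0] is None:                      # no parseable address at all
        return "junk"
    if any(matches(sender, normalise(e)) for e in safe):
        return "safe"
    if any(matches(sender, normalise(e)) for e in blocked):
        return "junk"
    return "inbox"


SAMPLE_FROM_HEADERS = [                        # constructed
    '"Great Deals" <Promo@deals.example>',
    "Alice <alice@example.org>",
    "noreply@mail.spammer.example",
    "news <newsletter@spammer.example>",
    "legit@notspammer.example",
    "friendly name only",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify(header):6} <- {header}")
```

The look-alike case is the one worth remembering: a domain entry must match on a label boundary, otherwise blocking spammer.example also blocks notspammer.example, and the reverse mistake (matching only the exact domain) lets mail.spammer.example straight through.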
Digitally Sign Your Emails
Digital signatures are used to authenticate the sender of a message or the signer of a document
They also let the recipient detect any change to the signed content; a signature does not hide the content, which needs encryption
Users need an email (S/MIME) certificate to digitally sign emails
You can obtain such a certificate from a certification authority
Examples of certification authorities:
VeriSign (http://www.verisign.com)
Thawte (http://www.thawte.com)
Comodo (http://www.comodo.com)
Entrust (http://www.entrust.com)
How to Obtain Digital Certificates?
Go to the certification authority's website
Purchase and download a digital certificate
Some certification authorities, such as Comodo, offer a free personal email security certificate
Provide your personal details to request the certificate
Log in to the email account that you provided while requesting the certificate
Check your inbox for an installation link; this step also proves to the CA that you control the address that will appear in the certificate
Installing a Digital Certificate
Click on the installation link to install the digital certificate in the browser's certificate store
To back up the certificate together with its private key (the file you will later import into Outlook or onto another machine):
In Internet Explorer go to Tools -> Internet Options -> Content tab
In the Content tab, click the Certificates button
Select the certificate and click the Export button
Click Next
Check the Yes, export the private key option
Click Next
Protect the private key by entering and confirming a password; the export is a PKCS#12 (.pfx) file, and anyone who obtains it together with this password can sign mail as you
Specify the file name and save it to a particular location
Signing Your Emails
In Microsoft Outlook go to File -> Options
Click Trust Center -> Trust Center Settings -> E-mail Security
Under Encrypted e-mail, tick the check box for adding a digital signature to outgoing messages (and, if you want, the one for encrypting them)
Click the Import/Export button
Browse to the exported certificate file, enter its password and a name for the digital ID
Click OK
Click New E-mail to write a message
Signing uses your own private key, so every message can be signed; encrypting a message needs the recipient's certificate (public key), which Outlook takes from the recipient's contact entry or from a signed message they sent you
If encryption is enabled and Outlook has no certificate for a recipient, it prompts when you click Send: click Send Unencrypted to send the message signed but not encrypted, or Continue once you have the recipient's certificate
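The procedure in the last three slides (obtain a certificate, export it with its private key under a password, sign outgoing mail) can be reproduced end to end with the OpenSSL command-line tool. The script below is an added example and not EC-Council's or Outlook's code; it drives openssl from Python, uses a self-signed certificate as a stand-in for the CA-issued one (an assumption, so the example runs offline), exports the key to PKCS#12 with a password, signs a constructed message, verifies it, and then shows that changing one figure in the signed text makes verification fail. File names, addresses, the password and the message text are all constructed; the only requirement is an openssl binary on PATH.

```python
import subprocess
import tempfile
from pathlib import Path

OPENSSL = "openssl"  # assumption: the OpenSSL command-line tool is on PATH


def openssl(workdir, *args):
    """Run one openssl command in workdir; return (exit_code, stderr)."""
    proc = subprocess.run([OPENSSL, *args], cwd=workdir,
                          capture_output=True, text=True)
    return proc.returncode, proc.stderr


def check(step, result):
    code, err = result
    if code != 0:
        raise RuntimeError(f"{step} failed: {err.strip()}")


def make_self_signed_id(workdir, email):
    """Stand-in for the CA step: a self-signed certificate and private key
    (a real S/MIME certificate is issued by a CA, as the slides describe)."""
    check("req", openssl(workdir, "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                         "-days", "365", "-subj", f"/CN={email}/emailAddress={email}",
                         "-keyout", "key.pem", "-out", "cert.pem"))


def export_pkcs12(workdir, password):
    """The browser's 'export the private key' step: certificate and key in
    one PKCS#12 (.p12/.pfx) file, protected by a password."""
    check("pkcs12 export", openssl(workdir, "pkcs12", "-export", "-in", "cert.pem",
                                   "-inkey", "key.pem", "-out", "id.p12",
                                   "-passout", f"pass:{password}"))


def pkcs12_opens_with(workdir, password):
    """True if the password unlocks the exported file (wrong password: MAC error)."""
    code, _ = openssl(workdir, "pkcs12", "-in", "id.p12", "-noout",
                      "-passin", f"pass:{password}")
    return code == 0


def sign_message(workdir, body, sender, recipient, subject):
    """Produce a multipart/signed S/MIME message with a detached signature."""
    Path(workdir, "body.txt").write_text(body)
    check("smime sign", openssl(workdir, "smime", "-sign", "-text", "-in", "body.txt",
                                "-signer", "cert.pem", "-inkey", "key.pem",
                                "-from", sender, "-to", recipient, "-subject", subject,
                                "-out", "signed.eml"))
    return Path(workdir, "signed.eml").read_bytes()


def verify_message(workdir, raw):
    """What the recipient's client does: check the signature against a
    trusted certificate. Here the self-signed cert is the trust anchor."""
    Path(workdir, "check.eml").write_bytes(raw)
    code, _ = openssl(workdir, "smime", "-verify", "-in", "check.eml",
                      "-CAfile", "cert.pem", "-out", "verified.txt")
    return code == 0


def demo():
    with tempfile.TemporaryDirectory() as d:
        make_self_signed_id(d, "alice@example.com")
        export_pkcs12(d, "correct horse battery staple")
        signed = sign_message(d, "Quarterly revenue: 4,210,000 EUR\n",
                              "alice@example.com", "bob@example.com", "Q3 figures")
        # A detached signature leaves the text readable, so anyone on the
        # path can edit it; the edit is exactly what verification catches.
        tampered = signed.replace(b"4,210,000", b"9,210,000")
        return {
            "is_multipart_signed": b"multipart/signed" in signed,
            "genuine_verifies": verify_message(d, signed),
            "tampered_verifies": verify_message(d, tampered),
            "pkcs12_right_password": pkcs12_opens_with(d, "correct horse battery staple"),
            "pkcs12_wrong_password": pkcs12_opens_with(d, "guess"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The genuine message verifies, the tampered copy does not, and the .p12 file opens only with the right password. The body of a signed-but-unencrypted message stays readable in signed.eml; that is the Send Unencrypted case in the slide, and why signing alone is not enough for confidential content.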
Microsoft Outlook Download Settings
In the Trust Center choose the Automatic Download option and select the options as shown in the figure; blocking automatic picture downloads in HTML email stops remote images from reporting to the sender that you opened the message
Online Email Encryption Service: Lockbin
Lockbin is a free service for sending private email messages
It is intended for sending confidential information such as credit card details and business information
https://www.lockbin.com
A hosted service of this kind replaces end-to-end S/MIME with trust in the provider; check how the message and any key or password reach the recipient before relying on it for the data mentioned above
Email Security Tools
Comodo AntiSpam: http://www.comodoantispam.com
Netcraft Toolbar: http://toolbar.netcraft.com
PhishTank SiteChecker: https://addons.mozilla.org
Mirramail Secure Email: http://www.mirrasoft.com
Spamihilator: http://www.spamihilator.com
Encryptomatic MessageLock: http://www.encryptomatic.com
McAfee SpamKiller: http://us.mcafee.com
Comodo Email Certificate: http://www.comodo.com
Module Summary
Email (electronic mail) is a method of exchanging digital messages from a sender to one or more recipients
Attachments can contain malicious programs; opening such an attachment can infect the computer
Spamming is the process of filling a user's inbox with unsolicited or junk emails
Hoaxes are false alarms, for example warnings about a non-existent virus
Do not forget to delete the browser cache, saved passwords, and history after using webmail on a shared computer
Consider setting mobile phones to download only email headers, not the full message
Digital signatures are used to authenticate the sender of a message or the signer of a document and to detect changes to it
Email security tools such as anti-spam filters, phishing-site checkers, and email certificates help put these measures into practice
Email Communication Checklist
DON’T CLOSE the browser without properly logging out
DON’T FORGET to delete browser cache, passwords, and history
DON’T SEND personal and financial information via email
DON’T USE just one email account for all purposes
DON’T TRUST the emails from your friends to be secure
DON’T DELETE spam instead of blacklisting it
DON’T FAIL to scan all email attachments and to enable the email spam filter
DON’T USE simple and easy‐to‐guess passwords
Email Security Checklist
Enable HTTPS for secure communications/transactions
Be diligent when opening email attachments
Do not click on links provided in email messages; type the address into the browser yourself
Create strong passwords for logging in to mail accounts
Follow email etiquette when forwarding messages
Do not forward or reply to spam and suspicious emails; delete them
Avoid accessing email over unsecured public wireless connections
Avoid accessing email accounts on shared computers
Avoid sending large attachments in emails
Email Security Checklist (continued)
Never save your password in the web browser
Sort messages by priority, subject, date, sender, and other options (helps when searching email)
Avoid sending confidential, sensitive, personal, and classified information in emails
Use the Bcc: option when sending mail to many recipients, so that they do not see each other's addresses
Clean your Inbox regularly
Create folders and move email accordingly (Family, Friends, Work, etc.)
Digitally sign your outgoing mails
Send attachments as PDF rather than Word or Excel formats, which can carry macros
Security Checklist for Checking Emails on Mobile
Configure the mobile client to show attachment notifications only, not to download the attachments
Do not open/send large attachments from a mobile device
Do not follow links sent in email or text messages
Consider setting mobile phones to download only email headers, not the full message
Install mobile antivirus and keep it up to date
Turn off Show Pictures in your mobile browser
To reduce the size of email, send messages in plain text
Zip important files before sending them