shashank mashetty email security. introduction electronic mail most commonly referred to as email or...

SHASHANK MASHETTY

Email security

Introduction

Electronic mail most commonly referred to as email or e-mail.

Electronic mail is one of the most commonly used services on the Internet allowing people to send messages to one or more recipients.

Modern email operates across the internet and computer networks.

The messages can be notes entered from the keyboard or electronic files stored on the disk.

Why do we need secure email?

Protect sensitive dataProve authenticity to recipientsSend attachments that are normally

filteredAvoid the junk folder

Email security enhancements

AuthenticationConfidentialityConfidentiality and authenticationMessage intigrity

Threats enabled by e-mail

SpamSpoofingPhishingDisclosure of sensitive informationExposure of systems to malicious codeDenial-of-service(dos)Un authorized access

Email threats

Spam spam is the scourge of email around the

world it makes as 95% of all email on the internet spammers get e-mail address from new

groups, un scrupulous web site operators A large proportion of spam contains malware

or links to web sites that contain malware

Email threats

Spoofing Email spoofing occurs when an attacker

sends you an email pretending to be some one to you

Email spoofing is easy to do and very difficult to trace the real sender.

Phishing Phishing e-mails appear very authentic and

often include graphics or logos that are actually from your bank.

Email based attacksActive content attack - clean up at the serverBuffer over-flow attack - fix the codeShell script attack - scan before send to the shellTrojan horse attack - use do not automatically use the macro

option

Choices available in the secure email

PGP ( pretty good policy )S/MIMESpecial providersSSL/TLS web browser based emailSSL/TLS POP/SMPS email

PGP

Functionality: -encryption for confidentiality -signature for non repudiation/authenticityRequires key exchange and key

managementNot scalableSmall industry supportCan only exchange secure email with other

PGP users

S/MIME

Similar to PGP, requires administrator installation and configuration support intensive

User must download and install softwareMany installations have failed due to

complexityCan only exchange emails with other

S/MIME users

Special providers

Managed services using S/MIME with PKI key exchange

Appliance based services with special hardware requires integration

expensive

Secure web mail

Nothing to download or install, no support issues beyond typical email.

Works with any web browserUses SSL/TLS security , same system used

by banks, visa, etcEasy to add, manage usersNo training is needed it is simple

POP/SMTP Secure Mail

Works with all email programsUses SSL/TLS security same system used by

banks, visa, etcEasy to set up, no download or installation,

same issues as traditional email

Steps to secure mail

Generate an identityConfigure secure email softwareGet public keys for recipientsStart sending secured messages

Tips to be secure

Never click on a suspect e-mail.Never reply to a suspect email with

personal informationLook at the grammatical errors in the emailContact your bank via telephone ( get the

telephone number from the website rather than the email you received ) if you suspect a fraud

Watch for the small changes on your financial statements to avoid detection

Questions?