CSCU Module 09 Securing Email Communications PDF

Securing Email Communications
Module 9
Simplifying Security.
CopyrightbyEC-Council
AllRightsReserved.ReproductionisStrictlyProhibited.
Email Security: Malicious

Messages 'A Problem For Govt. Too'
May16,2011
Individualswhoareconcernedaboutdatalossmaybesurprisedtohearofthenumberof
hackingattacksattemptedontheTreasury.
ChancellorGeorgeOsbornerevealedattheGoogleZeitgeistconferenceonMonday(May
16th)thateachmontharound20,000maliciousemailsaresenttoUKgovernmentnetworks.
Furthermore,henoted:"During2010,hostileintelligenceagenciesmadehundredsofserious
andpreplannedattemptstobreakintotheTreasury'scomputersystem.Infact,itaveraged
outasmorethanoneattemptperday."
Asaresultofthesefigures,Mr OsbornepointedoutthattheTreasuryisoneofthemost
targetedbydataattacksacrossthewholeofWhitehall.
Governmentisnottheonlyareaconcernedaboutbreachesthough,withSquareEnix recently
confirmingthatacoupleofwebsitesitisassociatedwithhavebeenattacked.
http://www.cryptzone.com
Module Objectives
EmailSecurityProcedures
EmailSystem
HowtoObtainDigitalCertificates?
EmailSecurity
OnlineEmailEncryptionService
EmailSecurityThreats
EmailSecurityTools
Spamming
EmailSecurityChecklist
Hoax/ChainandScamEmails
SecurityChecklistforCheckingEmails
onMobile
EmailSecurityControlLayers
Module Flow
Introductionto
EmailSecurity
Email
SecurityThreats
HowtoObtain
DigitalCertificates?
Email
SecurityTools
Email
SecurityProcedures
Email Threat Scenario 2011

Email Spam Intercepted
Top 5 Geographies
93.5%
Italy
Denmark
93.2%
Email Virus Intercepted

Top 5 Geographies
UK
92.0%
Spain
France
92.0%
Oman
Switzerland
91.5%
Global Spam Rate (89.1%)
1in147.2 SouthAfrica
SouthAfrica
Austria
Email Phish Intercepted

Top 5 Geographies
1in164.6
1in174.1
1in229.0
1in237.8
Switzerland
Global Virus Rate (1 in 284.2)
UK
Oman
United
Arab
Emirates
NewZealand
1in99.0
1in214.8
1in341.9
1in424.0
1in568.1
Global Phish Rate (1 in 444.5)
How Various Email Systems Work?

Email (electronicmail)isamethodofexchangingdigitalmessagesfromasendertooneor
morerecipients
CompaniessuchasMicrosoft,Yahoo!,Google,andAOLofferfreeemailaccounts
Emailaccountscanbeaccessedfromanywebbrowser orastandaloneemailclientsuchas
MicrosoftOutlook,MozillaThunderbird,etc.
Internet
Sender
EmailClients
EmailServer
EmailServer
EmailClients
Receiver
Email Security
Noemailcommunicationis100%secure
Insecureemailsallowattackerstointerceptpersonaland
sensitiveinformationoftheuser
Ifnotsecured,emailssent/received canbeforgedor
readbyothers
Emailsareoneofthesourcesofviruses andvarious
malicious programs
Itisnecessarytosecure emailstohave safer communications

andtoprotectprivacy
Module Flow
Introductionto
EmailSecurity
Email
SecurityThreats
HowtoObtain
Email
SecurityTools
Email
SecurityProcedures
Email Security Threats

MaliciousEmailAttachments
Attachmentsmaycontainavirus,Trojan,worms,
keylogger,etc.,andopeningsuchattachments
infectsthecomputer
MaliciousUserRedirection
Mailsmaycontainlinksthat
websiteshostingmalwares
andpornographicmaterial
Phishing
Phishing mailslurevictimstoprovide
personaldata
Hoax/ChainMail
Spamming
Theusermayreceivehoaxemails
thatcontainfalseinformation
tellinghim/hertoforwardthe
mail
Theusermayreceivespammails
maycontainmalwareallowing
attackerstotakecontrolofthe
usercomputer
Malicious Email Attachments

Emailattachmentsaremajoremailsecuritythreatsastheyoffersattackers
easiestandmostpowerfulwaystoattackaPC
Mostmaliciousattachmentsinstallavirus, Trojan, spywareoranyotherkindof
malware codeassoonasyouopenthem
10
Email Attachments: Caution

Save andscan allemail
attachmentsbeforeopeningthem
Checkiftheemailisfromoneof
yourcontacts
Donotopenattachmentswith
suspicious orunknownfile
extensions
Example:*.exe,*.vbs,*.bat,*.ini,
*.bin,*.com,*.pif,*.zzx
Checkiftheemailwasever
receivedfromthesource
Neveropenanemailattachment
fromunreliablesources
Checkifthesubjectline andname
ofthe attachmentarecorrelated
witheachother
11
Spamming
Unsolicitedbulkmessages
Spammingistheuseofemail
systemstosendunsolicitedbulk
messagesindiscriminately
overloadingtheusersinbox
Spamemailsmaycontainmalicious
computerprograms suchasviruses
and Trojans
AccordingtoSymantec,spam
makesup89.1%ofallemailtraffic
Attacker
User
SpamSourcesbyContinent
44%
Europe
Asia
27%
18%
SouthAmerica
Africa
8%
7%
NorthAmerica
Oceania
3%
0
20
40
60%
http://www.m86security.com
12
Spamming Countermeasures
Avoidopeningspammessages
(classifiedbyspamfilters)
Reportsuspiciousemailas
spam
Usetheemailclient's
spamfilterandanti
spammingtools
Donotuseofficial
emailaddresswhile
registeringwithany
website
Neverfollowthelinksinspam
messages
Useadifferentemailaddresswhen
postingmessagestoanypublic
forum
13
Anti-Spamming Tool: SPAMfighter

SPAMfighter protectsalltheemailaccountsonaPCagainst"phishing",identitytheft,
andotheremailfrauds
http://www.spamfighter.com
14
Hoax/Chain and Scam Emails
Hoaxesareemailmessageswarningthe
recipientsofnonexistentthreats
Usersarealsowarnedofadverseeffects
iftheydonotforwardtheemailtoothers
http://www.scamletters.com
http://diamondback.com
15
Ascamemailasksforpersonalinformation
suchasbankaccountdetails,creditcard
numbers,password,etc.
Thesenderofscammailsmayalsoaskthe
recipienttoforwardtheemailtoeveryonein
his/hercontactlist
Nigerian Scam
ANigerian scamisaformofadvance
paymentofmoneyormoneytransfer
http://in.mail.yahoo.com/
ThisscamiscalledaNigerianscam
becauseinitiallyitstartedfromNigeria,
buttheycancomeinanywhereinthe
world
Usingthisscam,scammerscontactyou
bysendinganemailandofferyoua
shareinalargesumofmoney
Theysaytheywanttotransfermoney,
whichwastrappedinbanksduringcivil
wars,toyouraccount
Theymayalsocitevariousreasonssuch
asmassiveinheritanceproblems,
governmentrestrictions,ortaxesinthe
scammerscountry
Scammersaskyoutopaymoneyorgive
themyourbankaccountdetailstohelp
themtransferthemoney
From:Mr.WongDu
Seoul,SouthKorea.
IwillintroducemyselfIamMr.Wong duaBankerworkinginabankinsouthKoreaUntilnowIam
theaccountofficertomostofthesouthKoreagovernmentaccountsandIhavesincediscovered
thatmostoftheaccountaredormantaccountwithalotofmoneyintheaccountonfurther
investigationIfoundoutthatoneparticularaccountbelongtotheformerpresidentofsouthKorean
MRPARKCHUNGHEE,whoruledsouthKoreanfrom19631979andthisparticularaccounthasa
depositof$48mwithnonextofkin.
MyproposalisthatsinceIamtheaccountofficerandthemoneyortheaccountisdormantand
thereisnonextofkinobviouslytheaccountownertheformerpresidentofSouthKoreahasdied
longtimeago,thatyoushouldprovideanaccountforthemoneytobetransferred.
Themoneythatisfloatinginthebankrightnowis$48mandthisiswhatIwanttotransfertoyour
accountforourmutualbenefit.
PleaseifthisisokaybyyouIwilladvicethatyoucontactmethroughmydirectemailaddress.
Pleasethistransactionshouldbekeptconfidential.Foryourassistanceastheaccountownerwe
shallsharethemoneyonequalbasis.
Yourreplywillbeappreciated,
Thankyou.
WongDu
16
Module Flow
Introductionto
EmailSecurity
Email
SecurityThreats
HowtoObtain
Email
SecurityTools
17
Email
SecurityProcedures
Email Security
Control Layers
Receiver
Sender
18
Email Security Procedures

Scanemailattachments
formalware
Createandusestrong
passwords
Turnoffthepreview
featureandchange
downloadsettingsin
emailclients
Providealternateemail
address formail
recovery
Checkforlastlogging
activity
Createjunkemailfilter
inemailclients
Digitallysignyourmail
messages
UseHTTPS forbrowser
connection
Disable/unselect KeepMe
SignedIn/RememberMe
functions
Avoidunwantedemails
usingfilters
19
Creating Strong Passwords

Strongpasswordsaredifficulttocrackorguess
Astrongpasswordcanbecreatedbyusingcombinationsofnumbers(09),letters
inupperandlowercase(azandAZ),andspecialcharacters(!@#$%)
Createastrongbuteasytorememberpasswordanddonotwriteitanywhere
20
Alternate Email Address

Analternateemailaddressistheadditionalemailaddress requiredatsignupformostof
thefreeemailservicessuchasGmailandYahoo
Itisusedbyserviceproviderstoverifytheaccountcreatorsidentify
Alternateemailaddressesareusedforpasswordrecoveryincaseyouforgotthepassword
21
Keep Me Signed In/Remember Me

Mostofthepopularemailclients
havetheKeepmesignedin or
RememberMe options
Checkingtheseoptionsallowthe
emailclienttofetchtheemailinbox
oftheuserwithouthim/herhaving
tofillinthelogindetailsagain
Thisallowsotheruserstoaccessthe
usersemail
Usersshouldcheckthatthisoption
isnotselectedwhenaccessing
emailfromapubliccomputer
22
Using HTTPS
WebmailssuchasGmail,Yahoomail,Hotmail,AOLMail,etc.haveanoptionforchoosingthe
communicationprotocolforbrowserconnection
ChangetheBrowserconnectionsetting toreceiveemailusingHTTPS (HTTPSecure)
23
Check for Last Account Activity

Alwayscheckthelatestemailaccountactivity
ifthefeatureisavailablewiththeemail
service
TocheckaccountactivityinGmail,scrolltothe
bottomofthepageandclickDetails
Immediatelychangeyourpasswordand
passwordhintsifyouobserveanysuspicious
activity
Latestaccountactivityincludesinformation
suchasaccesstype(browser,mobile,POP3,
etc.),location (IPaddress),anddate/timeof
accountactivities
24
Scanning Email Attachments

Becautiouswhenopeninganyemailattachment
Save alltheattachmentsandscan themproperlyformalwareusinganantivirus
beforeopening
Enabletheantivirustoautomaticallyscan alltheemailsanddownloads
25
Turn Off Preview Feature

Emailclients haveanoptiontoshowapreviewof
theemail
Turnoffthisfeature inemailclients
Turningonthisfeaturemayexecutescriptcode
withoutyouexplicitlyopeningthemessage
ToturnoffthepreviewfeatureinMicrosoft
Outlook:
GotoView menuandselectReadingPane
ClicktheOffoption
ToturnoffthepreviewfeatureinMozilla
Thunderbird:
GotoView menuandselectLayout
UnchecktheoptionMessagePane
26
Email Filtering: Avoiding Unwanted Emails

Emailfilteringistheprocessoforganizingemailsaccordingtoaspecifiedcriteria
Emailfiltersaregenerallyusedtoidentifyandcategorizespammails
ToavoidunwantedemailsinOutlook2010,gototheDeletegrouponthe Home tab,
clickJunk andJunkEmailOptions,OntheBlockedSender tab,clickAdd
Enteranemailaddressordomainname,clickOK
27
Module Flow
Introductionto
EmailSecurity
Email
SecurityThreats
HowtoObtain
Email
SecurityTools
28
Email
SecurityProcedures
Digitally Sign Your Emails
Digitalsignaturesareusedtoauthenticatethesenderofamessageorthesigner
ofadocument
Theycanalsobeusedtoensurethattheoriginalcontentofthemessageisnot
changed
Usersrequireanemailcertificatetodigitallysignemails
Youcanobtaindigitalsignaturesfromcertificationauthorities
ExampleofCertificationAuthorities:
VeriSign (http://www.verisign.com)
Comodo (http://www.comodo.com)
Thwate (http://www.thawte.com)
Entrust (http://www.entrust.com)
29
How to Obtain Digital Certificates?

GototheCertificateAuthorities
website
Purchaseanddownload adigital
certificate
Somecertificateauthoritiesofferafree
personalemailsecuritycertificatesuch
asComodo
Providepersonaldetailstodownload
thecertificate
Login totheemailaccountthatyou
haveprovidedwhiledownloadingthe
certificate
Checkyourinboxforaninstallation
link
30
Installing a Digital Certificate

Clickontheinstallationlinktoinstallthe
digitalcertificate
InInternetExplorergoto Tools Internet
Options Content tab
Inthecontenttab,clickCertificates button
SelectthecertificateandclicktheExport
button
ClickonNext
ChecktheYes,exporttheprivatekey option
ClickonNext
Protecttheprivatekeybygivingapassword
andconfirmingit
Specifythefileyouwanttoexportandsaveit
toaparticularlocation
31
Signing Your Emails

GototheMicrosoftOutlook File Options
ClickonTrustCenter TrustCenterSettings
EmailSecurity
Encryptthemailbyselectingtheappropriate
checkboxesundertheEncryptedemail section
ClicktheImport/Export button
Browsetofindthefiletoopenandgivethe
password anddigitalIDname
ClicktheOK button
ClickNewMail towriteamessage
AfterclickingontheSend button,itwillprompt
toencryptthemessage
ClicktheSendUnencryptedbutton(ifthe
recipientsdonothaveprivatekey)
ClickontheContinue buttoniftherecipient
haveprivatekey
32
Signing Your Emails
33
Microsoft Outlook Download Settings

ChoosetheAutomaticDownloadoptionfromtheTrustCenterandselecttheoptions
asshowninthefigure
34
Module Flow
Introductionto
EmailSecurity
Email
SecurityThreats
HowtoObtain
Email
SecurityTools
35
Email
SecurityProcedures
Online Email Encryption Service: Lockbin

Lockbinisafreeserviceforsendingprivateemailmessages
Itisusedforsendingconfidentialinformationsuchascreditcarddetailsandbusinessinformation
https://www.lockbin.com
36
Email Security Tools

Comodo AntiSpam
McAfeeSpamKiller
http://www.comodoantispam.com
http://us.mcafee.com
Netcraft Toolbar
ComodoEmailCertificate
http://toolbar.netcraft.com
http://www.comodo.com
PhishTank SiteChecker
Mirramail SecureEmail
https://addons.mozilla.org
http://www.mirrasoft.com
Spamihilator
Encryptomatic MessageLock
http://www.spamihilator.com
http://www.encryptomatic.com
37
Module Summary
Email(electronicmail)isamethodofexchangingdigitalmessagesfromasenderto
oneormorerecipients
Attachmentscancontainmaliciousprograms;openingsuchattachmentscaninfect
thecomputer
Spammingistheprocessofpopulatingtheusersinboxwithunsolicitedorjunkemails
Hoaxesarefalsealarmsclaimingreportsaboutanonexistentvirus
Donotforgettodeletebrowsercache,passwords,andhistory
Considersettingmobilephonestodownloadonlyheadersofemails,notthefullemail
Digitalsignaturesareusedtoauthenticatethesenderofamessageorthesignerofa
document
Emailsecuritytoolsprotectpasswordsandautomaticallylogoffemailaccounts
38
Email Communication Checklist

DONTUSEjustoneemailaccountforallpurposes
DONTCLOSEthebrowserwithoutproperlyloggingout
DONTFORGETtodeletebrowsercache,passwords,andhistory
DONTSENDpersonalandfinancialinformationviaemail
DONTTRUSTtheemailsfromyourfriendstobesecure
DONTDELETEspaminsteadofblacklistingit
DONTFAILtoscanallemailattachmentsandtoenabletheemail
spamfilter
DONT USE simpleandeasytoguesspasswords
39
Email Security Checklist

Createstrongpasswordsforloggingintomailaccounts
Enablehttps forsecurecommunications/transactions
Bediligentwhileopeningemailattachments
Donotclickonlinks providedinemailmessages
Followemailetiquettewhenforwarding messages
Donotforwardorreplytospam andsuspiciousemails;deletethem
Avoidaccessingemailviaunsecured publicwirelessconnection
Avoidaccessingtheemailaccountsonshared computersandsending
largeattachmentsinemails
40
Email Security Checklist

UseBcc:optionwhensendingmailtobulkrecipients
Neversaveyourpassword onthewebbrowser
Sortmessagesbypriority,subject,date,sender,andotheroptions
(Helpsinsearchingemail)
Avoidsendingconfidential,sensitive,personal,andclassified
informationinemails
CleanyourInbox regularly
Createfoldersandmoveemail accordingly(Family,Friends,Work,etc.)
Digitallysignyouroutgoingmails
SendattachmentsinPDFformratherthanWordorExcelformats
41
Security Checklist for Checking Emails on Mobile

Considersettingmobilephonestodownloadonlyheadersofemails,
notthefullemail
Configuretocheckonlyattachmentnotifications,butnot
attachments
Donotopen/send largeattachmentsfrommobile
Donotfollowlinkssentinemailortextmessages
Installmobileantivirusandkeepituptodate
TurnoffShowPicturesinyourMobileBrowser
Toreducethesizeofemail,sendtheminplaintext
Zip andsendanyimportantfiles
42

CSCU Module 09 Securing Email Communications PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

CSCU Module 09 Securing Email Communications PDF

Încărcat de

Drepturi de autor:

Formate disponibile

Securing Email Communications

Email Security: Malicious

Email Threat Scenario 2011

Email Virus Intercepted

Global Spam Rate (89.1%)

Email Phish Intercepted

Global Virus Rate (1 in 284.2)

Global Phish Rate (1 in 444.5)

How Various Email Systems Work?

Itisnecessarytosecure emailstohave safer communications

Email Security Threats

Malicious Email Attachments

Email Attachments: Caution

Anti-Spamming Tool: SPAMfighter

Hoax/Chain and Scam Emails

Email Security Procedures

Creating Strong Passwords

Alternate Email Address

Keep Me Signed In/Remember Me

ChangetheBrowserconnectionsetting toreceiveemailusingHTTPS (HTTPSecure)

Check for Last Account Activity

Scanning Email Attachments

Turn Off Preview Feature

Email Filtering: Avoiding Unwanted Emails

Digitally Sign Your Emails

How to Obtain Digital Certificates?

Installing a Digital Certificate

Signing Your Emails

Signing Your Emails

Microsoft Outlook Download Settings

Online Email Encryption Service: Lockbin

Email Security Tools

Email Communication Checklist

Email Security Checklist

Email Security Checklist

Security Checklist for Checking Emails on Mobile

S-ar putea să vă placă și