Email Security Presented by Sanjiv Arora, CISA, CISM, CGEIT, CHPSE [email protected] +91 9810293733

Email Security and Awareness

Oct 21, 2014



How email is used in personal and corporate work, its impact on data risk, availability and business objectives, and good and bad practices.
Transcript
Page 1: Email Security and Awareness

Email Security

Presented by Sanjiv Arora, CISA, CISM, CGEIT, [email protected]

+91 9810293733

Page 2: Email Security and Awareness

What / Why E-mail?

Daily Necessity

Essential for our Survival

Personal and Corporate emails

Plethora / type of emails

ID and Passwords!!

Security and Privacy

Security / Use awareness

Page 3: Email Security and Awareness

What is Security?

Confidentiality

Availability

Integrity

Privacy

Meet Business Objectives

Effectiveness of Resources

Efficiency of Manpower

Optimization of Resources

Page 4: Email Security and Awareness

On an un-auspicious day...

Page 5: Email Security and Awareness

Threats of Email Systems

Sending of unauthorized messages

Leakage of Confidential or sensitive data to unknown external sources

Malware infiltration through email

Message sniffed across network

Unsure if message reached destination

Only 1 in 5 emails sent was legitimate (76% is spam) (Source: http://www.websense.com/assets/reports/websense-2013-threat-report.pdf)

Allowed free use of gmail, yahoo, hotmail etc in corporates

Allowed access of email on mobile devices: iPad, Smart Phones, Notebooks, Web Access (Outside of Corporate LAN Defence Systems)

Page 6: Email Security and Awareness

Email Challenges

Sync with multiple devices and systems

Email data Traffic Management

Remembering multiple passwords

Management of backup of PST files, email data folders

Growing email storage needs of each user

Duplicated emails with attachment across users

Email audit trails

Irrelevant 1-2 word email traffic such as Ok, Seen, Thx, GA, CU, Good Night, Recd etc, etc, etc

Email Infrastructure complexity and management challenges

Archival, Retrieval and Redundancy (DR) challenges

Page 7: Email Security and Awareness

Email – Weakest link... Users

Have on average > 2-3 email accounts

Retain all email history since BC

Delete KEY is infrequently used for unwanted emails

Confidential data remains in email content and attachments in multiple forwarded accounts

Pressure IT if email systems are down for more than 5 minutes

Allow push email on all devices, 24x7

Saved passwords in Browsers, Smartphones, Tabs etc (Also use WhatsApp, TrueCaller, Viber simultaneously)

Use email to communicate with colleagues across desks (Verbal communication is reducing)

Page 8: Email Security and Awareness

More Email Culprits

Automated alerts from Email, Backup, Firewall Systems, Applications, BMS

Help Desk Systems and Support Teams (Playing football with calls)

Send Read / Receipt for each email

Page 9: Email Security and Awareness

Food for thought

In 1964, 38 people in Queens, New York, witnessed the murder of one of their neighbors, a young woman named Kitty Genovese. A serial killer attacked and stabbed Genovese late one night outside her apartment house, and these 38 neighbors later admitted to hearing her screams; at least three said they saw part of the attack take place. Yet no one intervened. Social Psychologists call this phenomenon the Bystander Problem, Bystander Dilemma or Bystander Effect. I believe the same effect happens in “Reply All” email communication.

Page 10: Email Security and Awareness

Denial of Email Systems...

Aside from annoying a lot of people – all at once – ‘Reply to All’ abuse can bring enterprises to a screeching halt as messaging servers attempt to process the onslaught of email – as the U.S. State Department found out in January. When a U.S. State Department employee accidentally sent a blank email to a global distribution list of thousands, an email storm ensued. Some recipients used ‘Reply-to-All’ to demand to be removed from the list. Others used ‘Reply to All' to tell their co-workers, in often less than diplomatic language, to stop responding to the entire group using ‘Reply-to-All.’ Some users then compounded the problem by trying to recall their initial replies. The recall generated another round of messages to the entire group. Senior officials became involved as the huge volume of email resulted in a major denial-of-service and, we suspect, a huge drop in worker productivity.

* Denial of Service is when mail servers stop working due to an overload attack.

Page 11: Email Security and Awareness

Email Stats

Detail                  2012        2016
Total Email A/cs        3.3 bn      4.3 bn
Business Email a/c      989 mn      1078 mn
Consumer Email a/c      2970 mn     3548 mn
Business Email / day    100.5 bn    123.9 bn
Consumer Email / day    82.5 bn     77.5 bn (-)

Source: http://www.radicati.com/?p=9659

Page 12: Email Security and Awareness

Email: Where are we today? Traffic Across Internet

Page 13: Email Security and Awareness

Email: Where are we today? - Infrastructure

Page 14: Email Security and Awareness

Email: Where are we today? Our work Style

Page 15: Email Security and Awareness

Email: Where are we today? Daily Work Plan ...out of Window

Page 16: Email Security and Awareness

Email: Where are we today? Looking For Futuristic Solution

Page 17: Email Security and Awareness

Email Servers and YOU.

Page 18: Email Security and Awareness

Key Controls - Email Security

Appropriate management of email Infrastructure

– Confidentiality, Integrity and Availability

Effective and Efficient use of resources to meet Business Objectives

Awareness and Implementation of Email etiquette

Page 19: Email Security and Awareness

Email – Information Security

Hardening of Email Servers, Infrastructure

Enable only the allowed ports and services

Enable Spam, Virus protection

Mail relay controls

Size and email traffic quotas

Password Policies

Monitoring of Logs, Exceptions and abnormal behavior

Performance

Build ISP link, Infrastructure Redundancy to maintain Email Systems in HA mode

Page 20: Email Security and Awareness

Email – Information Security

Encrypt emails when relaying sensitive data

Apply Need to Know and Use rules on data drives in LAN as per data classification

Implement Email Acceptable Use policies

Implement email retention policies

Implement Data Leak Protection tools / methods

Monitor user activities
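The relay-control, size-quota and log-monitoring controls listed above, together with the reply-all storm from Page 10, rendered as a small detector. This is an added example, not code from the deck or its author; the log lines are constructed in a hypothetical key=value format, and the LAN range, local domain, storm thresholds and the 5 MB ceiling are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample log in a hypothetical key=value format (not any real MTA's format).
SAMPLE_LOG = """\
2014-10-21T09:00:01 client=10.0.1.5 from=<alice@corp.example> to=<bob@corp.example> size=2048
2014-10-21T09:00:03 client=10.0.1.5 from=<alice@corp.example> to=<all-staff@corp.example> size=1024
2014-10-21T09:00:04 client=10.0.1.9 from=<carol@corp.example> to=<all-staff@corp.example> size=900
2014-10-21T09:00:05 client=10.0.1.12 from=<dave@corp.example> to=<all-staff@corp.example> size=880
2014-10-21T09:00:06 client=10.0.1.20 from=<erin@corp.example> to=<all-staff@corp.example> size=910
2014-10-21T09:00:08 client=10.0.1.3 from=<frank@corp.example> to=<all-staff@corp.example> size=6291456
2014-10-21T09:00:09 client=203.0.113.7 from=<spam@example.net> to=<victim@example.org> size=512
2014-10-21T09:00:10 client=198.51.100.4 from=<partner@example.net> to=<bob@corp.example> size=700
"""
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed corporate LAN range
LOCAL_DOMAINS = {"corp.example"}             # assumed domains this server accepts mail for
MAX_SIZE = 5 * 1024 * 1024                   # the deck's 5 MB attachment ceiling
STORM_THRESHOLD, STORM_WINDOW = 5, timedelta(minutes=1)  # assumed storm heuristic
LINE_RE = re.compile(r"^(\S+) client=(\S+) from=<([^>]*)> to=<([^>]*)> size=(\d+)$")

def parse(line):  # one log line -> dict, or None when it does not match the format
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, sender, rcpt, size = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": ip_address(client),
            "from": sender, "to": rcpt, "size": int(size)}

def analyse(log_text):
    """Return (kind, detail) findings: open-relay use, oversize mail, reply-all storms."""
    findings, per_rcpt = [], defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        internal = any(rec["client"] in net for net in INTERNAL_NETS)
        local_rcpt = rec["to"].rsplit("@", 1)[-1] in LOCAL_DOMAINS
        if not internal and not local_rcpt:  # outside client sending outward: relay abuse
            findings.append(("open_relay", str(rec["client"])))
        if rec["size"] > MAX_SIZE:            # size quota control
            findings.append(("oversize", rec["from"]))
        per_rcpt[rec["to"]].append(rec["ts"])
    for rcpt, times in per_rcpt.items():      # sliding window: many mails to one address fast
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > STORM_WINDOW:
                start += 1
            if end - start + 1 >= STORM_THRESHOLD:
                findings.append(("reply_all_storm", rcpt))
                break
    return findings
```

On the constructed log this reports one relay attempt from 203.0.113.7, one oversize message from frank, and a storm on all-staff@corp.example; the inbound partner mail to a local address is correctly not flagged as relaying.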

Page 21: Email Security and Awareness

Effective and Efficient use to meet Business Objectives

Reduce loads on Online and backup storage needs

Delete past data as per retention policy

Set user quota

Disallow attachments of large size > 5 MB even in LAN (Use temporary file shares)

Reduce or manage Fixed / Mobile devices accessing emails

Reduce Internet traffic Stress

Utilize and manage time for better productivity

Page 22: Email Security and Awareness

Email: Awareness and Etiquette

Understand Cyber Crime and Criminals are out there to fool, cheat, excite or even SCARE you

Verify sender email address

Do not open attachments from unknown Sender or Not Relevant Subject

Reply All – Use in special situations only

Do not Reply All with attachments

Delete forwarded message trail contents, where not relevant (Remove attachments in case of reminders etc)

Use strong and complex passwords

Page 23: Email Security and Awareness

Email: Awareness and Etiquette

Restrict attachment size (1 or 2 MB)

Do not initiate or forward unwanted chain mails

Delete emails older than 2 years

Check and re-check subject, contents, attachments, recipients before sending

Limit personal use of Business email accounts

Act on emails, do not forward (pass the buck)

Yes, your email reaches its destination; avoid sending "Did you Get it?", "Ok Please Confirm?", "Are you Sure?"

Use Read Receipts as Optional and not mandatory

Page 24: Email Security and Awareness

What's happening in other Corporates?

Email etiquette(s) are being taught

Companies Disabling 'Reply-All' Button, Rather Than Dealing With Inane Email Threads - The latest to do so is Nielsen, which did so with a cheery memo to staff explaining why this would "reduce non-essential messages in mailboxes, freeing up our time as well as server space." That's one way to think about it.

Page 25: Email Security and Awareness

Email – Our Achievement

Page 26: Email Security and Awareness

Email – Can get messy!

Page 27: Email Security and Awareness

Email – Working style of some...

Page 28: Email Security and Awareness

Email – working style of some of us....

Page 29: Email Security and Awareness

Email – Please take care !

Page 30: Email Security and Awareness

Just a plain Thanks. (No Thank You emails)

We offer our rich experience to meet your Business Requirements and Objectives in the IT Audits, IT Governance, Risk, Security Awareness, CISA, CISM Training and IT Strategy consulting areas.

Our specializations include reviews of ERP, CBS, Information Architecture, IT Efficiency and Effectiveness to deliver value, amongst other things.

We have worked with Al Rajhi Takaful in KSA, Qatar Steel, WFP, WHO, UNOPS, Govt of India and many other reputed companies across the world.

We shall be happy to discuss your requirements; we look forward to it.

Sanjiv Arora, CISA, CISM, CGEIT, CHPSE. Contact: Cell +91 98102 93733, e-mail [email protected], www.tech-controls.com