Secure E-Mail Access

Published: 2012-02-07
Last Updated: 2012-02-07 02:18:33 UTC
by Johannes Ullrich (Version: 1)

10 comment(s)

Recently, attacks by the "not so sophisticated persistent threat" have focused on e-mail security. In many cases, e-mail credentials were either brute-forced or retrieved from compromised databases (in some of these cases, password reuse was a contributing factor).

During Wednesday's threat update webcast, I would like to do a segment focusing on e-mail security, and was wondering what our readers do to secure e-mail. Some of the challenges I see:

- the use of "cloud-based" e-mail services like Gmail
- mobile access to e-mail
- access to e-mail from multiple devices
- e-mail encryption and authentication (PGP, S/MIME)
- e-mail forwarding security (if someone has e-mail forwarded to a personal e-mail address)

Please let me know if you have any novel ideas to address these problems that I should cover, or if you would like me to cover any additional questions.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: email php smime

Comments

Hi Johannes,

There are several providers of business-class secure email.
Voltage, PGP/Symantec, CISCO are the most popular in the US. But these solutions are normally based on some proprietary technology like IBE or the envelopes from Cisco. PGP does not really manage to solve the most important challenge: simplicity for the users.

In Europe the requirements are a little bit more complex, so the market is completely different. There are some German products like Zertificon which are very strong with their appliances. But the leader seems to be Totemo from Switzerland. They have a so-called internal encryption which works really nicely with cloud-based services like Office 365 and offers the most simplicity and security with the possibility of central dataflow control.

best regards
posted by miiister, Tue Feb 07 2012, 07:17
First off, as I see it, the very nature of email is insecure and should always be handled as thus. Email security in itself is an oxymoron.

If you are concerned about documents being leaked there should be a policy in place that they never be transmitted via email. Of course, if certain documents absolutely need to be transmitted, there are always things you can do like password protected and encrypted archives but that's more on a file level than an email level.

In short, have a policy users will be able to abide by and enforce it.
posted by John, Tue Feb 07 2012, 13:50
Zix is very good and provides simplicity for the users.
posted by Johnny, Tue Feb 07 2012, 15:03
I do not have any experience with Zix. Are they better than PGP or the Europeans?
posted by miiister, Tue Feb 07 2012, 15:10
I cannot speak to the European solutions. I can say that after in-depth comparison of Voltage, PGP/Symantec, CISCO, McAfee, ProofPoint, and Zix; Zix came out on top as the best fit.

posted by Johnny, Tue Feb 07 2012, 15:37
A secondary issue to cloud email, but a significant one for government organizations in particular, is historical accessibility to meet legal requirements, for public disclosure and other purposes.
posted by RLE, Tue Feb 07 2012, 17:05
Although I'm guessing that you would like to focus on the technology side of e-mail security, my organization's biggest challenges are political. As such, we are largely relegated to dealing with e-mail security issues reactively.

IDP/IDS (Juniper) and SPAM filtering (Proofpoint) of OUTBOUND traffic, as well as monitoring e-mail web interface logs (IIS) have been critical for my organization in detecting compromises, and we have also used our web proxy to help mitigate those compromises.

On the [slightly] proactive side, we have a reasonable password change/complexity policy in effect, and audit our system directory monthly for inactive user accounts.
posted by ChrisG, Tue Feb 07 2012, 19:35
Please comment on the novel encrypted email solution from CryptoHeaven: http://cryptoheaven.com
posted by Henry, Wed Feb 08 2012, 00:03
I'm using LastPass and YubiKey to get new passwords generated and to save them securely on the hashed server at LastPass.
YubiKey is my last step in authentication for all accounts online or to log on to a machine.
Some of my machines have both a hardware password and a software password.
The hardware password is on the motherboards of the laptops and cannot be deleted by any means you may think of.
Lose it and you're in deep doo-doo:
you will have to contact the manufacturer for a master password for the hardware, and you have to convince them that you really own the machine.

Keep your passwords from others.
They are like the combination to your bank's vault.
posted by mrclarke, Wed Feb 08 2012, 00:52
What about Totema? An EU solution which addresses all of end-to-end encryption's issues.
posted by sasha, Tue Feb 21 2012, 16:44
