Email security

Security 101 for email marketers, including:

Why email is valuable
How to protect your data
What to do if you get hacked
How an attack works
We take security seriously at MailChimp—and as an email marketer, you should too. While we have lots of security measures in place to keep your data safe, you've got some responsibilities of your own. This guide explains why evil hackers might want your data, how you can best protect yourself from their attacks, and what to do if you get compromised.

Published in: Technology

Transcript of "Email security"

1. Guide To Email Security
2. Table Of Contents
Introduction ... 3
How To Protect Yourself ... 4
What To Do If You Get Hacked ... 5
The Hacker’s Life ... 6
Email Is Gold ... 7
How An Attack Works ... 8
3. Introduction To Email Security
by Brandon, deliverability engineer

We’re a paranoid bunch at Mailchimp. We proudly wear tinfoil hats, we have secret hideout rooms with steel walls, and we have fireman poles and slides throughout the building for quick evacuation. We also have at least 24 rottweilers with freakin’ lasers on their heads. We’d go into more detail, but let’s just say that security is a serious matter at Mailchimp. We take it so seriously because our customers shouldn’t have to worry about their data. We spend a lot of time talking about bad guys and acting like bad guys, to figure out how they think. Our team invests a lot of time and money into writing code to protect ourselves and our customers, and we have lots of software and hardware to protect our infrastructure. Our security methods are there to help keep you safe—but when it comes to protecting yourself and your subscribers, you have some responsibilities of your own. In this guide we’ll cover how you can protect yourself, what to do if your data has been compromised, some basics on why an attacker might target you, and why email data is important in the first place. We hope this guide scares you into taking some precautionary measures to ensure your data is safe.

According to the Ponemon Institute, the value of a customer record is $204 in the US. For some people the value is much higher, and for others it’s much lower. Some people use the simple “dollars earned divided by list size equals dollar-per-email value” calculation. (So if you made $120,000 off your campaigns and had 5,000 subscribers, then each subscriber is worth $24.) Though some are worth more than others, that calculation shows you how valuable email addresses are. And even if you’re not earning money off your subscribers, there’s great responsibility in protecting the email addresses they provide. Hackers want those addresses because they know how to extract and extort money from unsuspecting people, tarnish your brand and cause some serious financial hassles for you. If you and your service providers aren’t taking the proper precautions to protect your customers’ data, then you’re doing a grave disservice to your business and subscribers.

*ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER
This guide is intended to serve as a resource on the topic of email security. It is not intended to be professional advice, nor is it a complete compendium of the information available in this area. The Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the information contained within. In sum, while we think this is an awesome guide on the topic, use of the information contained within the guide is entirely, completely, definitively, absolutely, positively, 100% at your own risk. If you have questions or need specific advice for your situation, please contact a knowledgeable professional.
4. How To Protect Yourself
You can never be too cautious when it comes to protecting yourself, your business and your valuable data. Here are some tinfoil-hat tips.

1. Keep ALL of your systems completely up to date. Not just your operating systems, but your browser, Adobe Reader, Java, flash, etc. These ancillary applications are generally the most problematic and easiest to hack. Keep your anti-virus programs up to date, and if possible, use anti-virus software that has firewall protection, or at the very least malware protection. Try something like Comodo.

2. Run anti-virus and malware scans daily. As in, every single day.

3. Secure your networks and wifi. Do NOT allow employees to use their home computers, guest computers, smartphones or iPads on your network. Secure your wifi using WPA2 or stronger. If you have mobile workstations inside or outside your networks, never use insecure wifi, like your local coffee shop’s connection. If you must use this type of connection, keep your usage to an absolute minimum. Read up on Firesheep to learn how much information gets transmitted on an open wifi connection.

4. Secure your smartphone with a password or security lock. If it’s stolen, call your provider immediately and disconnect your phone. Passwords are extremely important when it comes to security. Use different passwords for every site you do business with. Do NOT use the same password twice (see: Twitter Spam Attack Tied to Gawker Security Breach). Each site should have a unique password. Consider using 1Password, KeePass or a similar utility to help keep track of all your passwords. Keep in mind that if someone steals your computer or gains access, they can steal your password database. So make sure your master password is unique and difficult to guess. Use passwords of at least 10 characters with numbers, letters, symbols as well as different cases. If you use the same password everywhere, it’s extremely easy for an attacker to try your username and password at each and every site they’re after.

5. Use a single machine for financial transactions. It shouldn’t be used for anything other than banking, and should only be connected via a wired connection. Don’t keep this computer powered up unless it’s being used.

6. Be careful what information you share publicly. If you’re interviewed for something that will be published online, make sure you don’t mention software vendors or business vendors you use, unless you can be 100% sure that your software and business vendors will not be hacked.

7. Never open email, IMs and social-media notifications from people you don’t know, haven’t heard from in a long time, or look suspicious. This type of communication is often malicious, so skip it to be safe. If you’re unsure, don’t reply to the communication, and call the person for confirmation. Assume everyone is compromised.
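One way to apply tip 4’s password rules in practice, as an added example (not code from the guide or from MailChimp): a small Python checker that enforces the 10-character, mixed-class rule and, the way a password manager could, flags a password that is already in use at another site. Per-site salted PBKDF2 digests stand in for whatever storage format a real manager uses; that scheme, the class names and the sample passwords are this example’s assumptions.

```python
import hashlib
import hmac
import secrets
import string

# The guide's rule: at least 10 characters, with numbers, letters in both
# cases, and symbols. The length is the guide's; reading "letters ... as
# well as different cases" as "both upper and lower" is this example's.
MIN_LENGTH = 10


def policy_violations(password: str) -> list:
    """Return the guide's rules that `password` breaks (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


class ReuseChecker:
    """Flags a password already used at another site without keeping any
    plaintext: each site's password is stored only as a salted
    PBKDF2-HMAC-SHA256 digest (an assumption of this example, not any
    particular product's vault format)."""

    def __init__(self):
        self._entries = {}  # site -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def reused_at(self, password: str) -> list:
        """Sites whose stored password equals `password` (constant-time compare)."""
        return [site for site, (salt, digest) in self._entries.items()
                if hmac.compare_digest(self._digest(password, salt), digest)]

    def register(self, site: str, password: str) -> list:
        """Store `password` for `site` if it passes the policy and is not reused.
        Returns the reasons it was rejected (empty list on success)."""
        problems = policy_violations(password)
        dupes = self.reused_at(password)
        if dupes:
            problems.append("already used at " + ", ".join(dupes))
        if problems:
            return problems
        salt = secrets.token_bytes(16)  # fresh random salt per site
        self._entries[site] = (salt, self._digest(password, salt))
        return []


if __name__ == "__main__":
    # Constructed sample: the same password offered for the bank and for
    # Twitter, which is the reuse problem behind the guide's Gawker reference.
    checker = ReuseChecker()
    print(checker.register("bank", "Tr0ub4dor&3"))     # [] (accepted)
    print(checker.register("twitter", "Tr0ub4dor&3"))  # ['already used at bank']
    print(checker.register("blog", "password"))        # four policy violations
```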
5. What To Do If You Get Hacked
Hopefully you’re protecting your data like a champ and nobody’s after you. But if you do get hacked, here’s how to handle it.

1. If it’s a virus or malware on a machine, disconnect ALL machines from your network immediately. At this point it’s best to involve a local IT company or consultant who’s trained in removing malware. Don’t turn on any systems until the threat has been completely removed. If you must get to a system, make sure it’s not on the internet, and assume that anything and everything on that system is infected.

2. Change all passwords, and security questions and answers that may have been affected. Make sure you do it from a secure machine—if you change passwords on an infected machine, you’re giving the attacker all the info they were after on a silver platter. Use a secured network that you trust. If your systems were hacked, don’t trust your network until all machines have been given the all clear.

3. Contact your service providers and software providers, and ask them to do a scan for potential data breaches on your account. Also ask them to lock your account from further access if you feel the account is what the attacker was after, or if the account is important enough to lock down.

4. Check your email. Ensure that there’s nothing in your deleted items that relates to communication with your service and software providers.

5. Notify your friends, clients and business vendors that you were compromised. Let them know that they shouldn’t trust further communication from you until otherwise noted.
6. The Hacker’s Life
Discussions about hackers usually end with, ”Why don’t they just get a job?” The truth is, hacking is their job, and they often make good money (or enjoy what they do). The laws in many countries are lax enough that cybercrime isn’t considered serious, or there’s just so much other bad stuff going on, it doesn’t bubble up. Many countries even overlook this behavior because the criminals pay off and support government officials. The book Fatal System Error by Joseph Menn goes into more detail about that. Whether someone is paying government officials, or the laws just don’t apply, it really doesn’t matter. These criminals exist, and they’re out to get any and all information they can. So why do they want your data?

1. To target your personal and/or business finances. Stealing financial account information is easy these days. It’s even easier, and far more useful, to steal credit card information.

2. To target your computers and technology infrastructure. Botnets allow an attacker to use many machines to attack other machines, steal information and commit various other acts of evil. Once the hacker controls your computer they can:
• Log every keystroke you type. The software that records the keystrokes is even built to show fake login pages for financial institutions to log your credentials.
• Steal information from your hard drive. The attacker owns your machine and can get at any piece of data they want. Stealing your accounting database and cracking the username and password shouldn’t take more than a few Google searches.
• Use your system to send SPAM. The majority of SPAM is sent through systems controlled by botnets. If your system is under the control of a hacker, they can send hundreds of thousands of pieces of SPAM from your system without you ever knowing it.

3. To target your customers. Maybe you have some high-profile clients that the attacker is after. Maybe a client is listed on your site or sent an issue via Twitter. It’s easy to figure out who your clients are, and it’s an easily accessible entry point for an attack.

4. To target employees. A hacker can easily target your employees using social media and direct attacks. It’s easy to find ways to get at your employees, like using family members, college or high-school friends found through Facebook. If an attacker targets one of your employees, he can gain insight into your business practices and target your entire company.

All attacks are planned. There’s an end goal, and because this is the attacker’s job, he spends lots of time planning and plotting every step. Just like that new promotion you planned in November, the attacker planned the malicious attack on your Social Media Manager. Many people think hackers don’t put much thought into attacks, and while the 419 scams and bad spelling in most SPAM might make you think hackers are stupid, that’s far from the truth. In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy provides information on how much effort a hacker will put into planning and executing an attack. It’s like a chess game—but unfortunately, most of the targets have no idea they’re part of the game. If you have any type of online presence, then you are, have been, or very shortly will be under attack. So you must behave like you’re under attack and secure your assets at all times.
7. Email Is Gold
Email addresses are extremely valuable in today’s economy. Referencing back to our quick calculation in the introduction, you can see that an email address can be worth a lot of money to your business. Our identities, important accounts and vital information are attached to email addresses. Chances are your financial institutions use your email address as your username. Your social media accounts, like Facebook and Twitter, tie to your email address. Your email address is a unique identifier—but more importantly, it’s a communication mechanism. We use email to transmit all kinds of important information, and we use email more and more each day. Evil hackers want the email accounts for various reasons. This is just a small list of some stuff they might be after:
• Hackers have found that companies who use ESPs generally have clean lists. A clean list means fewer bounces and potentially an engaged list. And that means the list will deliver to the inbox and have a higher likelihood of clicks and opens.
• The hacker wants your email addresses to send your subscribers malicious stuff. Maybe your email list has important users like congress members. If they can trick your subscribers into clicking links and visiting bad sites, they can then gain access to machines they were targeting.
• The hacker is planning a much larger attack and is just harvesting email addresses.
• The hacker is planning to resell your subscribers.

Know that lists used by marketers often have highly engaged readers and good email addresses. If the hacker wanted to target your customers, they could easily imitate your campaign content and trick your users into following a link to a malicious site. Chances are, the engaged readers will click like they normally would. The list is valuable to you, but it’s just as valuable—if not more so—to the hacker. There’s also a large market for buying and selling email addresses. So not only can the hacker use the email addresses for direct attacks, but they can then sell the addresses to a list broker for further gain. Think that through the next time someone approaches you about selling a list—chances are most of the addresses were gathered unethically.
8. How An Attack Works
Remember, the hacker has an end goal. In this section we’ll build a scenario and walk through how an attack is planned and carried out.

Let’s say your site is a popular foodie blog. You have a cool newsletter signup on your site, and you allow people to comment on your blog. Somewhere along the way, you were interviewed on a food website about how you handle your business, and most importantly, your marketing. You told everyone that you use this really cool newsletter service called MiamiMail, that you have 280,000 subscribers, and the list grows by 2,000-3,000 subscribers a week. It’s so much to maintain that you hired Debra, a social-media expert, Quinn, an email-marketing guru, and Vince, a programmer who works with the MiamiMail API. You also talk about your guest bloggers and some of the famous chefs that actively participate on the blog and answer questions in the comments. You just built this great new recipe section, where the same famous chefs comment on the posts.

Arthur is a hacker, and he’s just come off a series of attacks against major car dealers. He wants to change things up and reads the article about your site. It piques his interest because you gave some specific details. Here’s what Arthur knows about your business:
1. You use MiamiMail.
2. You have a substantial list, and it’s growing quickly.
3. Arthur knows about at least four people in the company: Debra, Quinn, Vince and you.
4. Arthur also knows some famous people who use your blogging tool.
5. Those famous people participate in the recipe section.

Arthur takes this data and begins to research the following:
1. MiamiMail. Find out anything and everything about them. He trolls the support forums, signs up for a free account, learns about the API and even experiments with the system to send a few test campaigns.
2. Your company’s About page. That really cool Team page came in handy! Arthur finds a few other employees and then begins researching your employees and building profiles for Debra, Quinn, Vince and you. He finds your Twitter, Facebook and LinkedIn profiles. He also finds out your home addresses, personal email accounts and a few other pieces of information he purchases using some stolen credit cards he got from that car dealer scam he ran last week.
3. The famous chefs. If Arthur can’t trick your employees, he might be able to trick one of the chefs and maybe gain some access to the blog.

Over the years we’ve seen SPAM grow in maturity. SPAM has moved from poorly spelled 419 scams, to simple phishing scams, and now we see smarter and more targeted SPAM and phishing attacks. Hackers have exposure to tools, data and blackhat ESP systems that allow them to run sophisticated campaigns against targeted victims. We see hackers use levels of sophistication beyond what most marketers use, like advanced segmentation, dynamic content using conditional merge tags, and combining other data sources to target recipients more effectively. With combined data sources, they can effectively attack your employees and users. If the attacker can’t obtain enough information, there are sites where a few dollars can provide them with just about anything they want to know. Just as you read your campaign results, the hacker is using reporting data from their malicious software. When they launch an attack, they use the stats to tweak and refine future attacks.

Arthur builds his campaign to drive his victims toward a site or series of malicious sites. These campaigns allow him to learn more about the computer systems involved, gain access to the owner’s system, or even worse, damage your infrastructure as a whole. He won’t just target employees—he’ll target business associates, family members and friends. Arthur may even use a series of campaigns to learn more information or gain access to specific computer systems.

So what is a malicious site?
Years ago someone would receive a virus in an email, click it, and get infected. Those tactics are still used, but these days most attacks use drive-by malware. The basic idea is that you visit a site that the hacker controls. They’ve embedded some javascript or code that runs and infects your system. You didn’t have to click anything—you simply visited the site and got infected. If Arthur plays his cards right, he’ll infect the right machines. Even if he doesn’t get to the systems he wanted, he’ll use the other systems to learn more information or attack elsewhere. And what does an infected machine provide Arthur with? Malware infections can include keyloggers, remote access and access to all the data on your machine or network. Once infected, Arthur has unfettered access to your information. Keyloggers allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is designed to run without you ever knowing it has been installed. Arthur can sit and watch and collect and learn. With time he’ll gain access to all of your systems or in this case gain access to your MiamiMail account. Once he has this access, he’ll steal your subscribers and start the process all over again. At this point, he can target your subscribers to gain access to their systems, attempt to steal credit cards and more. He can continue mining data from your system, or rent or sell your system to other hackers for other needs.

Read more about malware. Scary, huh? We suggest rottweilers with lasers.
