Cscu module 09 securing email communications

Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
1
Securing Email Communications
Simplifying Security.
Module 9

2
Individuals who are concerned about data loss may be surprised to hear of the number of
hacking attacks attempted on the Treasury.
Chancellor George Osborne revealed at the Google Zeitgeist conference on Monday (May
16th) that each month around 20,000 malicious emails are sent to UK government networks.
Furthermore, he noted: "During 2010, hostile intelligence agencies made hundreds of serious
and pre‐planned attempts to break into the Treasury's computer system. In fact, it averaged
out as more than one attempt per day."
As a result of these figures, Mr Osborne pointed out that the Treasury is one of the most
targeted by data attacks across the whole of Whitehall.
Government is not the only area concerned about breaches though, with Square Enix recently
confirming that a couple of websites it is associated with have been attacked.
Email Security: Malicious
Messages 'A Problem For Govt.Too'
May 16, 2011
http://www.cryptzone.com

3
Module Objectives
Email System
Email Security
Email Security Threats
Spamming
Hoax/Chain and Scam Emails
Email Security Control Layers
Email Security Procedures
How to Obtain Digital Certificates?
Online Email Encryption Service
Email Security Tools
Email Security Checklist
Security Checklist for Checking Emails
on Mobile

4
Module Flow
Introduction to
Email Security
Email
Security Threats
Email
Security Procedures
How to Obtain
Digital Certificates?
Email
Security Tools

5
Email Threat Scenario 2011
Email Spam Intercepted
Top 5 Geographies
Global Spam Rate (89.1%)
Italy
Denmark
Austria
France
Switzerland
93.5%
93.2%
92.0%
92.0%
91.5%
Email Virus Intercepted
Top 5 Geographies
Global Virus Rate (1 in 284.2)
South Africa
UK
Spain
Oman
Switzerland
1 in 147.2
1 in 164.6
1 in 174.1
1 in 229.0
1 in 237.8
Email Phish Intercepted
Top 5 Geographies
Global Phish Rate (1 in 444.5)
South Africa
UK
Oman
United
Arab
Emirates
New Zealand
1 in 99.0
1 in 214.8
1 in 341.9
1 in 424.0
1 in 568.1

6
HowVarious Email SystemsWork?
Email (electronic mail) is a method of exchanging digital messages from a sender to one or
more recipients
Companies such as Microsoft, Yahoo!, Google, and AOL offer free email accounts
Email accounts can be accessed from any web browser or a standalone email client such as
Microsoft Outlook, Mozilla Thunderbird, etc.
Internet
Email Clients Email ClientsEmail Server Email ServerSender Receiver

7
Email Security
No email communication is 100% secure
Insecure emails allow attackers to intercept personal and
sensitive information of the user
If not secured, emails sent/received can be forged or
read by others
Emails are one of the sources of viruses and various
malicious programs
It is necessary to secure emails to have safer communications
and to protect privacy

8
Module Flow
Introduction to
Email Security
Email
Security Threats
Email
Security Procedures
How to Obtain
Email
Security Tools

9
Email Security Threats
Phishing mails lure victims to provide
personal data
Attachments may contain a virus, Trojan, worms,
keylogger, etc., and opening such attachments
infects the computer
The user may receive spam mails
may contain malware allowing
attackers to take control of the
user computer
The user may receive hoax emails
that contain false information
telling him/her to forward the
mail
Mails may contain links that
websites hosting malwares
and pornographic material
Malicious Email Attachments
Malicious User Redirection
Hoax/Chain Mail
Phishing
Spamming

10
Malicious Email Attachments
 Email attachments are major email security threats as they offers attackers
easiest and most powerful ways to attack a PC
 Most malicious attachments install a virus, Trojan, spyware or any other kind of
malware code as soon as you open them

11
Email Attachments: Caution
Check if the email was ever
received from the source
Save and scan all email
attachments before opening them
Check if the subject line and name
of the attachment are correlated
with each other
Check if the email is from one of
your contacts
Never open an email attachment
from unreliable sources
Do not open attachments with
suspicious or unknown file
extensions
Example: *.exe, *.vbs,*.bat,*.ini,
*.bin, *.com, *.pif, *.zzx

12
Spamming
 Spamming is the use of email
systems to send unsolicited bulk
messages indiscriminately
overloading the users’ inbox
 Spam emails may contain malicious
computer programs such as viruses
and Trojans
 According to Symantec, spam
makes up 89.1 % of all email traffic
0 20 40 60%
3%
7%
8%
18%
27%
44%
Oceania
North America
Africa
South America
Asia
Europe
http://www.m86security.com
Spam Sources by Continent
Unsolicited bulk messages
Attacker User

13
Avoid opening spam messages
(classified by spam filters)
Use the email client's
spam filter and anti‐
spamming tools
Never follow the links in spam
messages
Report suspicious email as
spam
Do not use official
email address while
registering with any
website
Use a different email address when
posting messages to any public
forum
Spamming Countermeasures

14
Anti-Spamming Tool: SPAMfighter
http://www.spamfighter.com
SPAMfighter protects all the email accounts on a PC against "phishing", identity theft,
and other email frauds

15
Hoax/Chain and Scam Emails
 Hoaxes are email messages warning the
recipients of non‐existent threats
 Users are also warned of adverse effects
if they do not forward the email to others
 A scam email asks for personal information
such as bank account details, credit card
numbers, password, etc.
 The sender of scam mails may also ask the
recipient to forward the email to everyone in
his/her contact list
http://www.scamletters.com
http://diamond‐back.com

1616
Nigerian Scam
A Nigerian scam is a form of advance
payment of money or money transfer
This scam is called a Nigerian scam
because initially it started from Nigeria,
but they can come in anywhere in the
world
Using this scam, scammers contact you
by sending an email and offer you a
share in a large sum of money
They say they want to transfer money,
which was trapped in banks during civil
wars, to your account
They may also cite various reasons such
as massive inheritance problems,
government restrictions, or taxes in the
scammer’s country
Scammers ask you to pay money or give
them your bank account details to help
them transfer the money
From: Mr. Wong Du
Seoul, South Korea.
I will introduce myself I am Mr.Wong du a Banker working in a bank in south Korea Until now I am
the account officer to most of the south Korea government accounts and I have since discovered
that most of the account are dormant account with a lot of money in the account on further
investigation I found out that one particular account belong to the former president of south Korean
MR PARK CHUNG HEE, who ruled south Korean from 1963‐1979 and this particular account has a
deposit of $48m with no next of kin.
My proposal is that since I am the account officer and the money or the account is dormant and
there is no next of kin obviously the account owner the former president of South Korea has died
long time ago, that you should provide an account for the money to be transferred.
The money that is floating in the bank right now is $48m and this is what I want to transfer to your
account for our mutual benefit.
Please if this is okay by you I will advice that you contact me through my direct email address.
Please this transaction should be kept confidential. For your assistance as the account owner we
shall share the money on equal basis.
Your reply will be appreciated,
Thank you.
Wong Du
http://in.mail.yahoo.com/

17
Module Flow
Introduction to
Email Security
Email
Security Threats
Email
Security Procedures
How to Obtain
Email
Security Tools

18
Email Security
Control Layers
Sender
Receiver

19
Email Security Procedures
Create and use strong
passwords
Use HTTPS for browser
connection
Disable/unselect Keep Me
Signed In/Remember Me
functions
Scan email attachments
for malware
Create junk email filter
in email clients
Avoid unwanted emails
using filters
Digitally sign your mail
messages
Turn off the preview
feature and change
download settings in
email clients
Provide alternate email
address for mail
recovery
Check for last logging
activity

20
Creating Strong Passwords
Strong passwords are difficult to crack or guess
A strong password can be created by using combinations of numbers (0‐9), letters
in upper and lower case (a‐z and A‐Z), and special characters (!@#$% …)
Create a strong but easy to remember password and do not write it anywhere

21
Alternate Email Address
An alternate email address is the additional email address required at signup for most of
the free email services such as Gmail and Yahoo
It is used by service providers to verify the account creator’s identify
Alternate email addresses are used for password recovery in case you forgot the password

22
Keep Me Signed In/Remember Me
Most of the popular email clients
have the Keep me signed in or
Remember Me options
Checking these options allow the
email client to fetch the email inbox
of the user without him/her having
to fill in the login details again
This allows other users to access the
user’s email
Users should check that this option
is not selected when accessing
email from a public computer

23
Using HTTPS
 Web mails such as Gmail, Yahoomail, Hotmail, AOL Mail, etc. have an option for choosing the
communication protocol for browser connection
 Change the Browser connection setting to receive email using HTTPS (HTTPSecure)

24
Check for Last Account Activity
Always check the latest email account activity
if the feature is available with the email
service
Latest account activity includes information
such as access type (browser, mobile, POP3,
etc.), location (IP address), and date/time of
account activities
To check account activity in Gmail, scroll to the
bottom of the page and click Details
Immediately change your password and
password hints if you observe any suspicious
activity

25
Be cautious when opening any email attachment
Save all the attachments and scan them properly for malware using an antivirus
before opening
Enable the antivirus to automatically scan all the emails and downloads
Scanning Email Attachments

26
Turn Off Preview Feature
Email clients have an option to show a preview of
the email
Turn off this feature in email clients
Turning on this feature may execute script code
without you explicitly opening the message
To turn off the preview feature in Microsoft
Outlook:
 Go to View menu and select Reading Pane
 Click the Off option
To turn off the preview feature in Mozilla
Thunderbird:
 Go to View menu and select Layout
 Uncheck the option Message Pane

27
Email Filtering: Avoiding Unwanted Emails
Email filtering is the process of organizing emails according to a specified criteria
Email filters are generally used to identify and categorize spam mails
To avoid unwanted emails in Outlook 2010, go to the Delete group on the Home tab,
click Junk and Junk E‐mail Options, On the Blocked Sender tab, click Add
Enter an email address or domain name, click OK

28
Module Flow
Introduction to
Email Security
Email
Security Threats
Email
Security Procedures
How to Obtain
Email
Security Tools

29
Digitally SignYour Emails
Thwate (http://www.thawte.com)
Example of Certification Authorities:
VeriSign (http://www.verisign.com) Comodo (http://www.comodo.com)
Entrust (http://www.entrust.com)
 Digital signatures are used to authenticate the sender of a message or the signer
of a document
 They can also be used to ensure that the original content of the message is not
changed
 Users require an email certificate to digitally sign emails
 You can obtain digital signatures from certification authorities

30
How to Obtain Digital Certificates?
Go to the Certificate Authorities
website
Purchase and download a digital
certificate
Some certificate authorities offer a free
personal email security certificate such
as Comodo
Provide personal details to download
the certificate
Login to the email account that you
have provided while downloading the
certificate
Check your inbox for an installation
link

31
Installing a Digital Certificate
Click on the installation link to install the
digital certificate
In Internet Explorer go to Tools  Internet
Options  Content tab
In the content tab, click Certificates button
Select the certificate and click the Export
button
Click on Next
Check the Yes, export the private key option
Click on Next
Protect the private key by giving a password
and confirming it
Specify the file you want to export and save it
to a particular location

32
SigningYour Emails
Go to the Microsoft Outlook   File  Options
Click on Trust Center  Trust Center Settings
 Email Security
Encrypt the mail by selecting the appropriate
check boxes under  the Encrypted e‐mail section
Click the Import/Export button
Browse to find the file to open and give the
password and digital ID name
Click the OK button
Click New Mail to write a message
After clicking on the Send button, it will prompt
to encrypt the message
Click the Send Unencrypted button (if the
recipients do not have private key)
Click on the Continue button if the recipient
have private key

33
SigningYour Emails

34
Choose the Automatic Download option from the Trust Center and select the options
as shown in the figure
Microsoft Outlook Download Settings

35
Module Flow
Introduction to
Email Security
Email
Security Threats
Email
Security Procedures
How to Obtain
Email
Security Tools

36
Online Email Encryption Service: Lockbin
Lockbin is a free service for sending private email messages
It is used for sending confidential information such as credit card details and business information
https://www.lockbin.com

37
Email Security Tools
Comodo AntiSpam
http://www.comodoantispam.com
Netcraft Toolbar
http://toolbar.netcraft.com
PhishTank SiteChecker
https://addons.mozilla.org
Mirramail Secure Email
http://www.mirrasoft.com
Spamihilator
http://www.spamihilator.com
Encryptomatic MessageLock
http://www.encryptomatic.com
McAfee SpamKiller
http://us.mcafee.com
Comodo Email Certificate
http://www.comodo.com

38
Module Summary
 Email (electronic mail) is a method of exchanging digital messages from a sender to
one or more recipients
 Attachments can contain malicious programs; opening such attachments can infect
the computer
 Spamming is the process of populating the user’s inbox with unsolicited or junk emails
 Hoaxes are false alarms claiming reports about a nonexistent virus
 Do not forget to delete browser cache, passwords, and history
 Consider setting mobile phones to download only headers of emails, not the full email
 Digital signatures are used to authenticate the sender of a message or the signer of a
document
 Email security tools protect passwords and automatically log off email accounts

39
Email Communication Checklist
DON’T CLOSE the browser without properly logging out
DON’T FORGET to delete browser cache, passwords, and history
DON’T SEND personal and financial information via email
DON’T USE just one email account for all purposes
DON’T TRUST the emails from your friends to be secure
DON’T DELETE spam instead of blacklisting it
DON’T FAIL to scan all email attachments and to enable the email
spam filter
DON’T USE simple and easy‐to‐guess passwords

40
Enable https for secure communications/transactions
Be diligent while opening email attachments
Do not click on links provided in email messages
Create strong passwords for logging into mail accounts
Follow email etiquette when forwarding messages
Do not forward or reply to spam and suspicious emails; delete them
Avoid accessing email via unsecured public wireless connection
Avoid accessing the email accounts on shared computers and sending
large attachments in emails

41
Never save your password on the web browser
Sort messages by priority, subject, date, sender, and other options
(Helps in searching email)
Avoid sending confidential, sensitive, personal, and classified
information in emails
Use Bcc: option when sending mail to bulk recipients
Clean your Inbox regularly
Create folders and move email accordingly (Family, Friends, Work, etc.)
Digitally sign your outgoing mails
Send attachments in PDF form rather than Word or Excel formats

42
Configure to check only attachment notifications, but not
attachments
Do not open/send large attachments from mobile
Do not follow links sent in email or text messages
Consider setting mobile phones to download only headers of emails,
not the full email
Install mobile antivirus and keep it up to date
Turn off Show Pictures in your Mobile Browser
To reduce the size of email, send them in plain text
Zip and send any important files
Security Checklist for Checking Emails on Mobile

Cscu module 09 securing email communications

Recommended

Recommended

More Related Content

Similar to Cscu module 09 securing email communications

Similar to Cscu module 09 securing email communications (20)

Recently uploaded

Recently uploaded (20)

Cscu module 09 securing email communications