Secure E-Mail Access
Recently attacks by the "not so sophisticated persistent threat" focused on e-mail security. In many cases, e-mail credentials were either brute forced, or retrieved from compromised databases (in some of these cases, password re-use was a contributing factor).
During Wednesday's threat update webcast, I would like to do a segment focusing on e-mail security, and was wondering what our readers do to secure e-mail. Some of the challenges I see:
- the use of "cloud based" e-mail services like gmail.
- mobile access to e-mail
- access to e-mail from multiple devices
- e-mail encryption and authentication (PGP/S-Mime)
- e-mail forwarding security (if someone has e-mail forwarded to a personal e-mail address)
Please let me know if you have any novel ideas to address these problems that I should cover, or if you would like me to cover any additional questions.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
there are several provider of business class secure email.
Voltage, PGP/Symantec, CISCO are the most popular in the US. But these solutions are normally based on some proprietary technology like ibe or the envelopes from cisco. PGP does not really manage to solve the most important challenges: simplicity for the users.
In europe the requirements are a little bit more complex, so the market is completely different. There are some german products like Zertificon which are where strong with their appliances. But the leader seems to be Totemo from switzerland. They have a so called internal encryption which works really nice with cloud based services like Office 365 and offers the most simplicity and security with the possibility of central dataflow control.
best regards
miiister
Feb 7th 2012
1 decade ago
If you are concerned about documents being leaked there should be a policy in place that they never be transmitted via email. Of course, if certain documents absolutely need to be transmitted, there are always things you can do like password protected and encrypted archives but that's more on a file level than an email level.
In short, have a policy users will be able to abide by and enforce it.
John
Feb 7th 2012
1 decade ago
Johnny
Feb 7th 2012
1 decade ago
miiister
Feb 7th 2012
1 decade ago
Johnny
Feb 7th 2012
1 decade ago
RLE
Feb 7th 2012
1 decade ago
IDP/IDS (Juniper) and SPAM filtering (Proofpoint) of OUTBOUND traffic, as well as monitoring e-mail web interface logs (IIS) have been critical for my organization in detecting compromises, and we have also used our web proxy to help mitigate those compromises.
On the [slightly] proactive side, we have a reasonable password change/complexity policy in effect, and audit our system directory monthly for inactive user accounts.
ChrisG
Feb 7th 2012
1 decade ago
Henry
Feb 8th 2012
1 decade ago
yubikey is my last step in authentication for all accounts online or to logon to a machine.
Some of my machines have both a hardware password and a software password.
Hardware password is on the mother boards of the laptops and cannot be deleted by any means you may think of,
Lose it and you're in deep doo-doo,
you will have to contact the manufacturer for a master password for hardware and you have to convince them that you really own the machine.
Keep your passwords from others,
They are like the combination to your banks' vault.
mrclarke
Feb 8th 2012
1 decade ago
sasha
Feb 21st 2012
1 decade ago