Henry Dalziel | Hacker Hotshots, Latest InfoSec News | August 26, 2013
We have a very topical Hacker Hotshot event this Wednesday with Andrew Jaquith (CTO and SVP Cloud Strategy of SilverSky) titled: “4 Email Security Policy Tips That Can Stop Sensitive Information Leakage”.
Sorry! This event was cancelled!
Andrew is going to outline four pragmatic tips and methods that can help your organization keep your email safe and secure.
Brief Background: Andrew Jaquith
Andrew is the CTO and SVP Cloud Strategy of SilverSky, a cloud security provider. He has over two decades of IT security experience, most recently as a senior analyst with Forrester Research, and we are delighted to have him on the show. Whilst at Forrester, Andrew managed the team's coverage of data, endpoint and mobile security topics and worked with 300 customers to assist with vendor selection, compliance, strategy and effective security practices.
Email is inherently insecure!
When e-mail was created 40 years ago, neither security nor anonymity was factored into what was then a new method of communication, and the amazing thing is that it is used more than ever and doesn’t seem to be going away anytime soon. From a security perspective, email is a nightmare. There are many ‘holes’ in the system and many opportunities for a hacker to intercept a message and its metadata. There are three major places where an attacker could intercept an email:
1. The end users
Simply accessing the end user’s machine (be that a PC or mobile phone) will enable the hacker to read email. It seems obvious, but this is clearly the ‘easiest’ way to access email. The only real security measure here is to password protect access to your device or computer. The same applies to the recipient of the email.
2. Sniffing the network that the email was sent from gives an attacker an opportunity to intercept and read the email. PGP (Pretty Good Privacy) software, for example, will not protect your messages against a determined hacker (or the government), but it will stop the majority of cyber criminals who are seeking to harvest, for example, credit card numbers and information that can be used for identity theft. PGP is a good email encryption method, but it should not be considered a magic bullet. It is worth saying here that although you can encrypt the contents of an email, you cannot hide the email headers, i.e. the sent and received data, where it came from, the server it came from and so on.
3. The email server
Where the email is stored gives a hacker a place to direct an attack. Public email providers, for example Gmail, encrypt hosted email (although they do scan messages to facilitate advertising), but they are powerless to ensure the security of messages once they have left their servers (see point 2).
A badly self-administered email server will allow a hacker, with relative ease, to access the stored email. Also, if the same hacker cracks (or guesses, steals, social engineers or brute forces) your email password, then they have easy access. Email providers (especially the free ones) could do a better job of protecting stored email, but owing to the increased overhead costs they tend to shy away from it.
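The header exposure described in point 2, as an added example that is not part of the original article: Python's standard `email` parser reads a constructed PGP/MIME message the way any relay or network observer could, without the decryption key. The addresses, host names and placeholder body are made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a PGP/MIME (RFC 3156) message. Addresses, hosts and the
# body placeholder are invented for this example.
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTP; Mon, 26 Aug 2013 09:15:02 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Q3 payroll figures
Date: Mon, 26 Aug 2013 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
\tboundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def exposed_metadata(raw):
    """Return what can be read from the message without the private key."""
    msg = message_from_string(raw)
    # RFC 3156 marks an encrypted body with this content type and protocol.
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    return {
        "from": parseaddr(msg["From"])[1],
        "to": parseaddr(msg["To"])[1],
        "subject": msg["Subject"],   # the Subject line is a header, so it is not encrypted
        "date": msg["Date"],
        # Each relay prepends a Received header; unfold the continuation lines.
        "hops": [" ".join(h.split()) for h in msg.get_all("Received", [])],
        "body_encrypted": encrypted,
    }

if __name__ == "__main__":
    for field, value in exposed_metadata(RAW).items():
        print(f"{field}: {value}")
```

Even with the body encrypted, the sender, recipient, subject, timestamp and relay path remain readable, so a policy on encrypted mail also has to cover what goes into the Subject line.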
What encryption can we use?
The concept behind encrypting our email messages is simple: instead of sending plain text that any semi-decent hacker can read, you transmit encrypted data. Popular solutions include, as we mentioned above, PGP, and also numerous other mainstream apps and tools that support the open source OpenPGP and S/MIME. Encrypting messages is a simple enough idea, but in reality the approach has advantages and, of course, disadvantages. The advantage is that encrypted emails will be protected across both networks and servers, even in the event of being hacked. The negative is that it is not practical: encrypting individual messages is a time-consuming activity, and judging by the volume of email we all receive, doing it for every message is unrealistic. Worth mentioning here is our favorite (but still in Alpha testing) form of secure messaging: Bitmessage, which works on a peer-to-peer principle.
Email is the most ubiquitous mode of communication on the Internet, period. Email is built into virtually every application that we use on the Internet; think of it as the glue that binds everything we do. The sheer necessity of email means that to conduct any form of commercial business, we need email. Andrew will discuss ways to keep our email safe, and we particularly look forward to this Hacker Hotshot web show to hear what impact PRISM, the NSA and the closure of Lavabit have had on email and security.
Andrew is a great guy to explain this, not only because of his experience but also because of his knowledge, having written “Security Metrics: Replacing Fear, Uncertainty and Doubt” [ISBN-10: 0321349989], which has sold more than 10,000 copies and has been praised by reviewers as “one of the best written security books ever.”
Let us know your thoughts: are you concerned about your organization’s email? Have you taken any security measures? We’d love to hear from you. If you are reading this after Wednesday August 28th, then fear not, since the event will have been recorded and will be available at the same URL.