Email and data encryption (PowerPoint PPT presentation, 32 slides, provided by david86)
1
Email and data encryption
  • SecurityPoint 2008
  • David Strom
  • david_at_strom.com
  • 1 (310) 857-6867

2
Summary
  • How private is your data
  • The role of encryption in data protection
  • Different kinds of email and disk encryption
  • Encryption deployment options
  • The role of regulatory requirements and compliance

3
How private is your personal data?
  • What information do you routinely provide online?
  • Birth date (Facebook)
  • Postal codes and address (eCommerce)
  • Age and gender
  • Email address
  • What information is on your laptop?

4
How private is your corporate data?
  • Who has admin rights to everything?
  • Where do you keep your backups?
  • What customer info is sent via the Internet?
  • How many laptop users and where do they routinely take them?

5
Are these actions privacy invasions?
  • Sending out a single piece of email with everyone's email address clearly visible in the header
  • A Web site that tries to make it easier for its customers to login and track their accounts
  • Is a piece of software that records the IP address of the machine it is running on and phones home with the results spyware?
  • A US Web site that allows anyone to look up a postal address attached to a telephone no.

6
(No Transcript)
7
What kinds of information do the proposed new laws consider private?
  • Your IP address
  • Your Ethernet MAC address/Windows GUID
  • Your purchase history with a Web storefront
  • Your postal address and phone
  • Your email address
  • Your credit card, banking account numbers

8
Be afraid. Be very afraid.
  • Lost laptops with customer data
  • Misplaced USB thumb drives and CDs
  • Webmail logins from public kiosks
  • Spyware-infected laptops inside your firewall
  • And

9
Is your email private? No!
  • Sending email is like writing an (unsigned) postcard
  • Then leaving it on your kitchen counter
  • Then handing it to some random passer-by to give to someone else
  • Who eventually gives it to the recipient
  • And, wait, there is more

10
And of course, breaches!
  • http://www.pogowasright.org/index.php?topic=Breaches
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • Some scary cost numbers: http://www.crn.com/security/205207370
  • http://www2.csoonline.com/exclusives/column.html?CID=33366

11
The many faces of insecure email
  • Webmail: unless you use https, EVERYTHING is in the clear
  • Server backups: email stored in many different places that anyone can read
  • Logins: POP, SMTP and IMAP do not encrypt your credentials
  • Identifying info: SMTP includes IP address, email software version, and other information that could be a privacy concern
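
Detection logic for the login point above, as an added example that is not from the deck: it walks a captured client/server session and reports every credential command sent before a TLS upgrade took effect. The embedded SMTP transcript, the "C:"/"S:" line prefixes and the function name are my constructions; the function also handles the POP3 STLS and IMAP tagged-command forms, going beyond the single SMTP sample.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample SMTP session ("C:" client, "S:" server): AUTH before and after STARTTLS.
const SampleSession = `S: 220 mail.example.test ESMTP
C: AUTH LOGIN
S: 503 Encryption required
C: STARTTLS
S: 220 Go ahead
C: AUTH PLAIN AGFsaWNlAGh1bnRlcjI=`
var verbs = map[string]bool{"USER": true, "PASS": true, "AUTH": true, "LOGIN": true, "STARTTLS": true, "STLS": true}

// ClearCredentials maps line number to command for every USER/PASS, AUTH or LOGIN
// sent before a successful STARTTLS (SMTP, IMAP) or STLS (POP3) upgrade.
func ClearCredentials(transcript string) map[int]string {
	out, tls, pending := map[int]string{}, false, false
	sc := bufio.NewScanner(strings.NewReader(transcript))
	for n := 1; sc.Scan(); n++ {
		role, rest, ok := strings.Cut(strings.TrimSpace(sc.Text()), ": ")
		f := strings.Fields(strings.ToUpper(rest))
		if !ok || len(f) == 0 {
			continue
		}
		if role == "S" { // the upgrade is live once the server accepts it: 220 (SMTP), +OK (POP3), "<tag> OK" (IMAP)
			tls = tls || (pending && (f[0] == "220" || f[0] == "+OK" || (len(f) > 1 && f[1] == "OK")))
			pending = false
			continue
		}
		cmd := f[0]
		if !verbs[cmd] && len(f) > 1 {
			cmd = f[1] // IMAP prefixes every command with a tag, e.g. "a001 LOGIN"
		}
		switch {
		case cmd == "STARTTLS" || cmd == "STLS":
			pending = true
		case verbs[cmd] && !tls:
			out[n] = cmd
		}
	}
	return out
}

func main() {
	fmt.Println(ClearCredentials(SampleSession)) // map[2:AUTH]
}
```

A server that refuses the upgrade (a 4xx/5xx or IMAP BAD reply) leaves the session unprotected, so everything after it is still reported.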

12
And email is easily compromised!
  • Modified messages: anyone with system admin access can read, delete, and change any message
  • Fabricated senders: anyone can set up a server with any domain name
  • Non-repudiation: no delivery confirmation on most systems
  • Unprotected backups!

13
The current state of privacy best practices
  • No clear privacy policy or protection
  • Sometimes, a small obscure link at the bottom of a Web page that links to a privacy policy in extreme legalese
  • Press releases when a breach occurs
  • Sometimes you remember to type https
  • A few people using encryption products

14
Microsoft is no privacy paragon
  • Hotmail break-ins galore
  • Global ID transmitted inside Word docs
  • Network collapse from poor DNS config (2001)
  • Software updates that scan your disk

15
The problem
  • The laws are changing, and getting tougher on breaches
  • Your customer data is no longer a corporate asset -- now it is a liability
  • Your employees are entitled to some modicum of data privacy
  • There is no such thing as a secure perimeter in the age of the Internet

16
The end of the secure perimeter
  • Remote email, laptops now the norm
  • IM becoming more popular for corporate use
  • Most corporations have servers accessible from the Internet
  • Most corporations don't do very much in the way of endpoint security
  • Even Hollywood knows about it: the USB thumb drive in the movie The Recruit

17
So how can encryption help?
  • Protect your files on your laptops
  • Protect your communications between employees --
  • Email
  • IM

18
Types of disk encryption
  • Simple passwords on MS Office docs
  • File-based encryption like PC-encrypt
  • Password-protected U3 USB thumb drives
  • Laptops with fingerprint scanners
  • Whole disk encryption software

19
Issues with disk encryption
  • User apathy
  • Lost password recovery
  • Fear that the files won't be available

20
Types of email encryption
  • S/MIME
  • PGP
  • TLS/SSL on top of SMTP relays

21
(No Transcript)
22
What email encryption buys you
  • Eyes only for the recipient
  • Proves you were the actual sender
  • Recipient knows whether a message was modified in transit
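
The three guarantees listed here, together with the modified-message and fabricated-sender failures from slide 12, shown in working Go as an added example (not the presenter's code, and not PGP or S/MIME themselves): sign-then-encrypt with Ed25519 and AES-256-GCM. The Channel type and function names are mine, and a pre-shared 32-byte recipient key is assumed in place of the per-recipient public-key wrapping that PGP and S/MIME perform.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Channel is the recipient-only secret under which messages are sealed.
type Channel struct{ aead cipher.AEAD }

// NewChannel derives AES-256-GCM from a 32-byte key. Assumption: this pre-shared
// key stands in for the per-recipient public-key wrapping PGP and S/MIME do.
func NewChannel(recipientKey []byte) (*Channel, error) {
	block, err := aes.NewCipher(recipientKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for an AES block
	return &Channel{aead}, err
}

// SignAndSeal signs msg with the sender's Ed25519 key, then seals signature||msg.
func (c *Channel) SignAndSeal(senderPriv ed25519.PrivateKey, msg []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	sig := ed25519.Sign(senderPriv, msg)
	return c.aead.Seal(nonce, nonce, append(sig, msg...), nil), nil // nonce travels in the clear
}

// OpenAndVerify reverses SignAndSeal. A flipped bit or a wrong recipient key fails
// the GCM tag; a body sealed by anyone but the sender's key holder fails the signature.
func (c *Channel) OpenAndVerify(senderPub ed25519.PublicKey, sealed []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(sealed) < ns+c.aead.Overhead()+ed25519.SignatureSize {
		return nil, errors.New("sealed message too short to carry a signature")
	}
	plain, err := c.aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, errors.New("not for these eyes, or modified in transit")
	}
	if !ed25519.Verify(senderPub, plain[ed25519.SignatureSize:], plain[:ed25519.SignatureSize]) {
		return nil, errors.New("signature does not match the claimed sender")
	}
	return plain[ed25519.SignatureSize:], nil
}
```

Because the signature sits inside the encrypted body, a recipient learns who signed only after proving they hold the channel key, which is the same "eyes only, then verify" order PGP and S/MIME clients use.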

23
Email encryption issues
  • No one cares about my communications
  • Which standard do I get behind?
  • How do I set up my PKI?
  • How do I track my certs?
  • How do I recover a forgotten password?
  • What happens when my recipients don't cooperate?
  • My early experiences: http://strom.com/awards/227.html

24
Email encryption deployment options
  • Always use https and SSL
  • Use some form of VPN (1) (2)
  • Use a secure service provider
  • ZixCorp.com
  • HushMail.com
  • Secure-tunnel.com
  • Even Network Solutions!

25
(No Transcript)
26
And PGP!
  • Universal product for Webmail and external communications
  • Desktop product for email and disk encryption
  • Netshare product for file sharing protection

27
Keyserver issues
  • Not everyone lists their PGP key on them for all of their email accounts
  • Only work with PGP versions
  • You may have a private server
  • Users need some training to use them

28
Regulatory requirements and compliance
  • What encryption can bring to the party
  • Privacy protection in advance of pending legislation
  • Avoid being tomorrow's headline about your next breach or data leak

29
Encryption compliance benefits
  • End-to-end traffic protection
  • Policy-based key management
  • Digital signing for authentication and non-repudiation
  • Content scanning for data leaks
  • Phishing, virus, and spyware prevention

30
Fred Avolio wrote:
  • If our business is worthless, if we never have a good idea, if there is nothing about what we do that anyone else would want, then we may be correct. However, that is not a description of our business, at least not for most of us.
  • Start signing your e-mail messages with your digital certificate. Use it when confidentiality is important (which is a good deal of the time, is it not?). Just start using it.
  • http://www.avolio.com/columns/email-security.html (5/2000!)

31
PGP Resources
  • Tom's Page on PGP: http://www.mccune.cc/PGP.htm
  • Martin's client list: http://www.bretschneidernet.de/tips/secmua.html