10 Steps to Secure Messaging - PowerPoint PPT Presentation

About This Presentation

Title: 10 Steps to Secure Messaging
Slides: 29
Provided by: searchsecu

Transcript and Presenter's Notes

1
10 Steps to Secure Messaging
  • Jim Reavis, President
  • Reavis Consulting Group

2
Agenda
  • Risks of insecure messaging
  • Policy
  • Architecture
  • Innovative technologies & trends
  • 10 Steps
  • Companion site csoinformer.com/10steps

3
Top Ten Reasons to Secure Messaging
  • 10. Protect intellectual property sensitive to
    your corporate mission
  • 9. Avoid 'angry' emoticons from your boss
  • 8. Reduce risk of worms running rampant on your
    network
  • 7. Poor dating prospects at the unemployment
    line
  • 6. Increase user productivity

4
Top Ten Reasons to Secure Messaging
  • 5. Sobig fatigue not covered by workmen's
    comp.
  • 4. Securing communications with partners and
    customers creates new business opportunities.
  • 3. Saying ILOVEYOU to the CEO is usually
    inappropriate outside of the annual Christmas
    party.
  • 2. Reduce risk of legal liability.
  • 1. Executive washrooms rock!

5
About Reavis Consulting Group
  • Provide research and advisory services regarding
    best practices and emerging security trends
  • Clients include Fortune 500 members, government and
    information security companies
  • Publish monthly CSOinformer newsletter

6
Threats
  • Viruses
  • Worms
  • Spam
  • Insiders/Covert Channels
  • Idiot users who got their job just because they
    have the same last name as the CEO

[Diagram: threat paths for E-mail and IM: Internet, Firewall, AV Gateway, E-mail Server, Internal Hosts]

7
Risks
  • Data loss, theft & leakage
  • Compromised systems
  • Downtime/loss of productivity
  • Out of compliance with regulations
  • Civil litigation

8
Risk Management
  • Topic of the year at CISO/CSO gatherings
  • Definition: the systematic process of managing an
    organization's risk exposures to achieve its
    objectives in a manner consistent with public
    interest, human safety, environmental factors and
    the law.
  • Reduce risk & create opportunities.

9
Risk Management
Risk = Value of the Asset × Severity of the
Vulnerability × Likelihood of an Attack
  • Risk Mgt Strategies
    • Avoid
    • Accept
    • Transfer
    • Mitigate
  • Risk Mgt Process
    • Establish Risk Profile
    • Establish Protection Profile
    • Modify PP as RP changes
      • Threat level Orange
      • New business venture
    • ROSI

10
Policies
  • Legal due diligence (e.g. retention laws).
  • Communicate clearly.
    • Acceptable & appropriate usages
    • Clear definitions (e.g. what is proprietary)
    • Provide examples (e.g. .EXE files prohibited,
      anything sent to payroll processor must be
      encrypted)
  • Documented acceptance.
  • How do you attain ROSI with your policy?

11
Architectural Principles
  • Proxy all connections
    • Hidden messaging methods may be P2P.
  • Measurement capabilities
  • Layered Defense Systems
    • Best of Breed vs Integrated Suite?
  • Integrated team approach
    • How is IT working against your goals?

12
Architectural Principles
  • Granular rules & control
    • Ad hoc blocking of new threats
    • Prevent auto-forwarding risks
  • Compartmentalize
    • Improve incident response
    • Provide limited service during crises
  • Redundancy
  • Education & Awareness

13
Incident Response
  • Formalized CERT
  • Specialized messaging response team
  • Incident reporting
  • Response
  • Containment (unplug, router ACL filters, etc)
  • Disinfect, Remediate, Rebuild
  • Notify external partners
  • Forensics, analysis, lessons learned

14
Baseline Measurement
  • Network traffic analysis
  • E-mail & IM logging
  • Identify dependencies
  • Trend analysis
  • Support policy revisions
  • Creating TCO metrics for budgeting
  • Don't hoard this information

15
Who wrote the antivirus software used by
Microsoft in DOS 6.22?
  1. Dr. Solomon
  2. Central Point
  3. X-tree
  4. Microsoft

16
Antivirus Strategy
  • Multiple AV tools
    • Desktop, Server, Email Gateway.
    • Antivirus network appliances, Managed AV service.
    • How many levels of AV provides ROSI?
  • Content Filtering (Day Zero defense)
    • Subject line.
    • File attachment types.
  • Tactics outside of messaging control
    • Lockdown e-mail client.
    • Keep patching virus targets.
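
A gateway content filter that applies the policy examples from slide 10 (.EXE prohibited, anything to the payroll processor must be encrypted) together with this slide's day-zero subject-line and attachment-type checks. This is an added illustration, not code from the deck; the blocked-extension list, the keyword list and the payroll domain are assumed placeholders.

```python
import email
import os
from email import policy

# Rules from the deck's policy examples; extension list and payroll domain are assumptions
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".vbs"}
SUBJECT_KEYWORDS = ("iloveyou",)            # day-zero subject-line signature
PAYROLL_DOMAIN = "payroll.example"          # hypothetical payroll processor
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}  # PGP/MIME, S/MIME


def check_message(raw):
    """Classify one raw RFC 2822 message: returns ('block'|'tag'|'deliver', reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    # Rule 1: prohibited attachment types; splitext also catches 'report.pdf.exe'
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"prohibited attachment type {ext}")
    # Rule 2: anything sent to the payroll processor must be encrypted end to end
    recipients = []
    for hdr in ("to", "cc"):
        if msg[hdr]:
            recipients.extend(a.addr_spec.lower() for a in msg[hdr].addresses)
    if any(r.endswith("@" + PAYROLL_DOMAIN) for r in recipients):
        if msg.get_content_type() not in ENCRYPTED_TYPES:
            reasons.append("unencrypted message to payroll processor")
    if reasons:
        return "block", reasons
    # Rule 3: subject-line keywords are tagged for the user rather than blocked
    subject = (msg["subject"] or "").lower()
    hits = [k for k in SUBJECT_KEYWORDS if k in subject]
    if hits:
        return "tag", [f"subject matches {k!r}" for k in hits]
    return "deliver", []


# Constructed sample messages, not real traffic
SAMPLE_EXE = (
    "From: alice@corp.example\r\nTo: bob@corp.example\r\nSubject: quarterly report\r\n"
    'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n--b1\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="report.pdf.exe"\r\n\r\nMZ...\r\n--b1--\r\n'
)
SAMPLE_PAYROLL = ("From: hr@corp.example\r\nTo: intake@payroll.example\r\n"
                  "Subject: March salaries\r\nContent-Type: text/plain\r\n\r\nclear-text salary file\r\n")
SAMPLE_SUBJECT = ("From: mallory@corp.example\r\nTo: ceo@corp.example\r\nSubject: ILOVEYOU\r\n"
                  "Content-Type: text/plain\r\n\r\nkindly check the attached\r\n")
```

Blocking wins over tagging: a message that trips rule 1 or 2 is never merely tagged.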

17
Antivirus scanning points
[Diagram: scanning points along the mail path: Internet, MSSP, Network Layer AV Appliance, AV Gateway, E-mail Server, E-mail Client]

18
What is the Internet Engineering Task Force RFC
for OpenPGP?
  1. 1542
  2. 802.1x
  3. 2440
  4. I was told there would be no tests

19
E-mail encryption services
  • Virtually unbreakable, often unusable
  • Key to protecting information and reducing
    malicious threats
  • Issue: total cost of ownership (TCO),
    traditionally a burden
  • Hot trend: encryption proxy servers/e-mail
    firewalls

20
E-mail encryption by proxy
  • Proxy manages keys
  • Encrypts messages
  • Gives recipient option of secured SMTP message or
    Webmail

[Diagram: E-mail Server, Encryption Proxy, Webmail Server, Internet]

21
Instant Messaging
  • Embrace and extend
  • Proxy connections
  • Encrypt communications
  • Logging & usage profiling
  • Block dangerous behaviors (file transfers, etc)
  • Gateway ROSI benefit: IM compatibility

22
Instant Messaging
[Diagram: IM Proxy with central configuration & administration]

23
Spam
  • Why is this a security issue?
  • Anti-spam approaches
    • Keyword filtering
    • Bayesian algorithm
    • Blacklists/Whitelists
    • Community voting
    • Tagging vs. blocking
  • Multiple approaches often necessary.
  • ROSI Models.
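
The layered anti-spam decision this slide lists (whitelists and blacklists first, then a Bayesian score, then tagging versus blocking), as an added example that is not from the presentation. The training corpus, sender-domain lists and thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed training corpus and sender lists (not real mail)
TRAINING = [
    ("spam", "buy cheap viagra now"), ("spam", "cheap pills online now"),
    ("spam", "win free prize now click"), ("ham", "meeting agenda attached"),
    ("ham", "lunch tomorrow at noon"), ("ham", "quarterly report attached please review"),
]
WHITELIST = {"partner.example"}            # trusted sender domains: always deliver
BLACKLIST = {"listed-bad.example"}         # known-bad sender domains: always block
TAG_AT, BLOCK_AT = 0.7, 0.99               # tag when likely spam, block only when near-certain


def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())


def train(corpus):
    """Multinomial naive Bayes with Laplace smoothing (the slide's 'Bayesian algorithm')."""
    words = {"spam": Counter(), "ham": Counter()}
    docs = Counter()
    for label, text in corpus:
        words[label].update(tokens(text))
        docs[label] += 1
    return words, docs


def spam_probability(model, text):
    words, docs = model
    vocab = len(set(words["spam"]) | set(words["ham"]))
    logp = {}
    for label in ("spam", "ham"):
        total = sum(words[label].values())
        lp = math.log(docs[label] / sum(docs.values()))              # class prior
        for w in tokens(text):
            lp += math.log((words[label][w] + 1) / (total + vocab))  # smoothed likelihood
        logp[label] = lp
    return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))  # log-odds back to a probability


def classify(model, sender, text):
    """Layered decision: address lists first, then the Bayesian score, then tag vs. block."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in WHITELIST:
        return "deliver"
    if domain in BLACKLIST:
        return "block"
    p = spam_probability(model, text)
    return "block" if p >= BLOCK_AT else "tag" if p >= TAG_AT else "deliver"
```

A score between the two thresholds is tagged so the user still sees the message, which is the cheaper failure when the classifier is wrong.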

24
Awareness
  • Courseware
  • Reinforce policy
  • Educate about threats
  • Recognizing viruses
  • Safe practices
  • What to do, where to go for help
  • Regular internal AV newsletter

25
To protect and to serve
[Diagram: complete architecture: Internet, Firewall, MSSP, Network Layer AV Appliance, Content/Spam Filtering, AV Gateway, Encryption Proxy, IM Proxy, Departmental E-mail Servers, Internal Hosts, Your boss]

26
Summary: the 10 Steps
  • Enforceable policies
  • Architecture
  • CERT Incident Response Plan
  • Awareness program
  • Baseline & continuous measurement system
  • Encryption
  • Proxy everything
  • Multiple layers of virus/spam protection
  • Best of Breed
  • Take an integrated approach

27
According to IBM Research, in what year did the
first PC virus appear?
  1. 1984
  2. 1986
  3. 1988
  4. The year Bill Gates was born

28
Thank You!