Email Security Overview - PowerPoint PPT Presentation

About This Presentation
Title:

Email Security Overview

Description:

... of credit cardholder and account information across public networks. USA Patriot Act Homeland Security ... New users receive messages via Web system with links for enrollment ... – PowerPoint PPT presentation

Number of Views:225
Avg rating:3.0/5.0
Slides: 64
Provided by: davidbm5

Transcript and Presenter's Notes

Title: Email Security Overview


1
Email Security Overview
  • David Maislin, Director, North American Sales
    Engineering, January 14, 2014

2
Understanding Email
3
Understanding Email
  • Compose / Send: clients (Outlook, Notes, GroupWise,
    Web Email, Other); protocols SMTP 25, proprietary
  • Transport / Route: servers (Exchange, Domino,
    GroupWise, AppleMail, Gateways, Other); protocols
    DNS 53, LDAP 389, SLDAP 636, AD 3268, (S)AD 3269,
    SMTP 25, TLS 25; routes via MX records or static IPs
  • Deliver: servers (Exchange, Domino, GroupWise,
    AppleMail, Gateways, Other)
  • Receive / Read: clients (Outlook, Notes, GroupWise,
    Web Email, Other); protocols POP 110, IMAP 143,
    proprietary
4
Size Matters
  • As organizations grow, expertise is segregated

5
Understanding Compliance
6
Understanding Major Security and Privacy Regulations
  • HIPAA (Health Insurance Portability and
    Accountability Act)
    • Mandates specific technology standards and
      policies that healthcare organizations must
      implement for compliance.
  • GLBA (Gramm-Leach-Bliley Act)
    • Forces financial institutions to design,
      implement and maintain necessary safeguards to
      protect consumers' nonpublic personal
      information.
  • SOX (Sarbanes-Oxley Act)
    • Requires public companies to automate their
      processes of building audit trails and control
      procedures into their IT systems.
  • CA SB 1386 (California Senate Bill 1386)
    • A state regulation that requires companies to
      implement systems to detect and prevent security
      breaches, as well as provide counter-measures and
      publicly report breaches.

7
Other Regulations
  • SEC 17a-4 and NASD 3010
    • Require public companies to keep records for
      auditing securities transactions, including review
      of brokers' communications with the public
  • FDA 21 CFR Part 11
    • Controls the authenticity, integrity,
      non-repudiation and confidentiality of electronic
      records
  • Payment Card Industry (PCI) Data Security
    Standard
    • Mandates the protection of credit cardholder and
      account information across public networks
  • USA Patriot Act / Homeland Security
    • Requires companies to build and maintain an
      infrastructure that can report details of
      information handled and stored online

8
Email Filtering Compliance Strategy: Content-Based
Filtering
Content-Based Filtering Strategy (flow): the sender's
email (subject, message, attachments) is first checked
for a manual trigger. If yes, encrypt. If no, check for
regulated content: if yes, encrypt; if no, send in the
clear to the receiver.
9
Email Filtering Compliance Strategy: Identity-Based
Filtering
Identity-Based Filtering Strategy (flow): Who is the
receiver? If the receiver is authorized, encrypt; if
not, pass the email to the content filter. Who is the
sender? If the sender is designated, encrypt; if not,
pass the email (subject, message, attachments) to the
content filter.
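The two strategies above as one small policy engine, added here as an example (it is not the vendor's code or the presentation's own). The regulated-content patterns, the authorized recipient domains and the designated senders are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed regulated-content rules: a US SSN shape and a 16-digit card
# number shape. A real DLP rule set is larger; these stand in for it.
REGULATED_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

# Identity lists, constructed for the example.
AUTHORIZED_RECIPIENT_DOMAINS = {"partner-bank.example"}
DESIGNATED_SENDERS = {"hr@mycompany.example", "claims@mycompany.example"}


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # name -> extracted text
    manual_trigger: bool = False  # e.g. a subject keyword or "Send Secure" button


def regulated_content(msg: Message) -> list:
    """Names of the regulated patterns found in subject, body or attachments."""
    text = "\n".join([msg.subject, msg.body, *msg.attachments.values()])
    return [name for name, pat in REGULATED_PATTERNS.items() if pat.search(text)]


def content_based_decision(msg: Message) -> str:
    """Content-based flow: manual trigger -> encrypt; regulated content ->
    encrypt; otherwise send in the clear."""
    if msg.manual_trigger:
        return "encrypt"
    if regulated_content(msg):
        return "encrypt"
    return "clear"


def identity_based_decision(msg: Message) -> str:
    """Identity-based flow: an authorized receiver or a designated sender is
    encrypted unconditionally; everyone else falls through to the content
    filter above."""
    recipient_domain = msg.recipient.rsplit("@", 1)[-1].lower()
    if recipient_domain in AUTHORIZED_RECIPIENT_DOMAINS:
        return "encrypt"
    if msg.sender.lower() in DESIGNATED_SENDERS:
        return "encrypt"
    return content_based_decision(msg)
```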
10
Understanding Email Encryption
11
Understanding Email Encryption
  • TLS encrypts the network connection, server to
    server
  • S/MIME and PGP can encrypt or sign email server
    to server, server to client, client to server,
    and client to client; also used for authentication
  • Secure WebMail stores encrypted email on the
    server, retrieved by the client
12
Email Encryption Methods - TLS
  • TLS (Transport Layer Security)
    • Creates a secure connection between email
      gateways over which any amount of data can be
      sent securely using SSL. Note: SSL encryption is
      only in effect when the email is in transit.
    • Gateway to Gateway (company to company)
      encryption
  • Benefits
    • Seamless partner to partner encryption
    • Completely transparent to the sender and receiver

Diagram: Email Servers → Email Gateway → Internet → Email Gateway → Email Servers
13
Email Encryption Methods S/MIME and PGP
  • S/MIME and PGP
    • Encrypt and decrypt the email body and
      attachments using S/MIME certificates
    • Gateway to Gateway (company to company)
    • Gateway to Client (from your company to an
      external recipient)
    • Client to Gateway (from external sender to your
      company)
  • Benefits
    • Seamless partner to partner encryption
    • Completely transparent to the sender and receiver
    • Automatic harvesting of inbound signing/public
      certificates
    • Generates proxy certificates for any internal
      employees via email
    • Proxy encryption and signing
    • Proxy decryption

Diagram: Email Servers → Email Gateway → Internet → Email Gateway → Email Servers
14
Email Encryption Methods Secure WebMail
  • Encrypts email and provides access through a
    secure web portal
  • Gateway to client (from your company to any
    external recipient)
  • Universal (zero client side software
    requirements)
  • Online and offline secure email
  • Self registration, zero registration, and
    automated user management
  • Very large email attachment support
  • Tracking by recipient, by message, and by
    attachment
  • Delivery profiles for message, inbox, and portal
    branding
  • Roles for message expiration, password
    requirements, domain limits, message size, and
    message quotas.
  • Benefits
    • No learning curve
    • No client side software

Diagram: Internet → Email Servers
15
Email Encryption Methods Desktop Messenger
  • Employee to Employee Encryption
    • Protects sensitive internal messages to the
      desktop
    • Provides senders with a Send Secure button
    • Solves the problems of enrollment, key
      distribution, and authentication
    • Uses S/MIME encryption standards
    • New users receive messages via the Web system
      with links for enrollment
  • Benefits
    • Adds a layer of protection for key internal users
    • External users receive Secure WebMail
    • No change to user paradigm
    • Removes the hassles of managing PKI-based

Diagram: Internet → Email Gateway → Email Servers (sensitive internal communication)
16
Messaging Delivery Methods File Messenger
  • File Messenger
    • Large files route around email servers
  • Benefits
    • End users send files with email applications
    • Large files don't waste space on email servers
    • Track by recipient and attachment
    • Completely secure
    • Uses existing standards-based technologies
    • Supports digital signing and encryption using
      existing email standards

Diagram: Internet → Email Servers
17
Hosted Solutions
  • Hosted solutions present several issues
    • Sensitivity of data
    • Archive and recovery of sensitive email
    • Who is liable if data is lost?
    • Viability and volatility of the hosting company
    • Sender and recipient email addresses can be
      considered identifiers
    • Recipient must sign up with an external service
      to read their confidential data
    • Service may use email address lists for other
      purposes

18
Steganography
  • The art and science of writing hidden messages in
    such a way that no one apart from the intended
    recipient knows of the existence of the message
  • In contrast to cryptography, where the existence
    of the message itself is not disguised, but the
    content is obscured. Quite often, steganography
    is hidden in pictures.
  • Aren't we trying to block image-based spam
    already?

Figure: a GIF carrier file containing the airport map; original message or attachment
19
Email Encryption Best Delivery Approaches
Table (How? vs. Who?): delivery methods Desktop to
Desktop, Gateway to Desktop, Secure Web Delivery and
Gateway to Gateway, against Business-to-Business,
Business-to-Consumer and Employee-to-Employee, with the
best-practice pairings marked.
  • Tips
    • Seek encryption transparency
    • Select vendor solutions that support industry
      standards and interoperability
    • Look for vendor solutions that can provide
      transparency for both outbound and inbound secure
      email
    • Look to automate the acceptance of
      customer/member/patient email messages through a
      Web portal

20
DomainKeys Identified Mail (DKIM)
  • Authentication framework for email using
    public-key cryptography and key server technology
    to permit verification of the source and contents
    of messages by either Mail Transfer Agents (MTAs)
    or Mail User Agents (MUAs).
  • The ultimate goal of this framework is to permit
    a signing domain to assert responsibility for a
    message, thus protecting message signer identity
    and the integrity of the messages they convey
    while retaining the functionality of Internet
    email as it is known today. Protection of email
    identity may assist in the global control of
    "spam" and "phishing".

21
Why Do Spammers Send Spam?
22
Malicious Threats - Worldwide
23
Understanding Malicious Threats: Denial of Service
Attacks
Attacks originate from networks all over the Internet.
24
Bounce Address Tag Validation (BATV)
  • Bounce Address Tag Validation (BATV) defines a
    framework for mechanisms that validate the value
    in the MAIL FROM command.
  • Header policies can tag the MAIL FROM address
    for outbound email:
    • MAIL FROM david.maislin@tumbleweed.com
    • is transformed to
    • MAIL FROM tagdavid.maislinKEY123@tumbleweed.com
    • where KEY123 is the bounce tag
  • Only accept inbound email bounces that carry the
    unique tag in the MAIL FROM address
  • Reports can be generated on all BATV violations
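The tagging and bounce check described above, written out as an added example (not the vendor's implementation). The slide's separators were lost in the transcript, so the `tag=DDDHHHHHH=local@domain` layout, the HMAC construction, the seven-day lifetime and the key are all assumptions of this example.

```python
import hashlib
import hmac
import re

# Shared secret between the gateway's outbound tagging and inbound bounce
# checking (constructed for this example; a real deployment rotates it).
BATV_KEY = b"constructed-demo-key"

# Tag layout assumed for this example: tag=DDDHHHHHH=local@domain, where DDD
# is the day-of-year on which the tag expires and HHHHHH is a truncated HMAC
# over the original address and that expiry day.
TAG_RE = re.compile(r"^tag=(\d{3})([0-9a-f]{6})=(.+@.+)$")


def _mac(address: str, expiry_day: int) -> str:
    """Keyed hash binding a tag to one address and one expiry day."""
    msg = f"{address.lower()}|{expiry_day:03d}".encode()
    return hmac.new(BATV_KEY, msg, hashlib.sha256).hexdigest()[:6]


def tag_mail_from(address: str, today: int, lifetime_days: int = 7) -> str:
    """Outbound path: rewrite the envelope MAIL FROM so that a later bounce
    can only be legitimate if it is addressed to this tagged form.
    `today` is the day of year (1-366)."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + lifetime_days) % 366
    return f"tag={expiry:03d}{_mac(address, expiry)}={local}@{domain}"


def validate_bounce(rcpt_to: str, today: int) -> tuple:
    """Inbound path, for a message with an empty MAIL FROM (a bounce): accept
    only if RCPT TO carries a valid, unexpired tag. Returns (accepted, detail),
    where detail is the untagged address on success or the reason otherwise."""
    m = TAG_RE.match(rcpt_to)
    if not m:
        return False, "untagged bounce address"
    expiry, mac, original = int(m.group(1)), m.group(2), m.group(3)
    # Day-of-year arithmetic wraps at the year end; treat the tag as live
    # while the expiry day lies up to half a year ahead of today.
    if (expiry - today) % 366 > 183:
        return False, "tag expired"
    if not hmac.compare_digest(mac, _mac(original, expiry)):
        return False, "bad tag"
    return True, original
```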

25
Understanding Malicious Threats Directory
Harvest Attacks
During a directory harvest attack, spammers use
brute force against an email server to compile
comprehensive lists of valid email addresses to
use or sell. Meanwhile, the plethora of probes
overwhelms the email server, creating a denial of
service from the vast amount of non-delivery
reports the attack generates.
Diagram: Directory Harvest Attack (DHA) probes answered by 550 email bounces
26
Understanding Spamming Techniques
27
Basic Email Network
  • Enterprise threats are typically inbound

Diagram: Email Server(s) suffering out-of-control disk growth, performance degradation, spam/viruses inside the network, and no recipient validation
28
Basic ISP Email Network
  • ISPs are completely different
    • Threats are inbound
    • Threats are outbound
    • Threats are domain to domain

Diagram: Domain 1, Domain 2 ... Domain X, all connected through the Internet
29
Recipient Validation Issues
  • Not all invalid recipient email is rejected by
    all mail servers
  • Mail servers can be part of the problem
  • Spam can still get through

Sample message shown on the slide:
From: "Kim Browne" akstcbarnhardmnsdgs@barnhard.com
Sent: 11/26/2006 07:49 PM
To: bfrederick@company.com
Subject: Mississippi catfish
Out-miltonare different things, though the words are
often used synonymously. a person may be proud
without"perhaps," said darcy, "i should have judged
better, had i sought an introduction but i am
Fuzzy logic sent this email to bfratangelo@company.com
30
Some Spam is Hard to Detect
  • Not all email is easily recognized as spam
  • Spammer techniques evolve to bypass filters

Same sample message as on the previous slide: random phrases containing nonsense and gibberish
31
Phishing Attacks
32
The Image Spam Problem
  • Image spam presents a new challenge to spam
    filters
    • Messages are sent as images instead of text
    • Gibberish text is inserted to fool content
      filters
    • Image files are randomized to avoid signature
      detection
  • Spammers alter every possible file attribute to
    trick filters
    • Changing image size, margins, color shades
    • Adding random noise, dust and speckles
    • Splitting or breaking images
    • Assembling multiple images into animated GIFs
  • The impact has been significant
    • Spam rates have increased sharply as image spam
      bypasses many legacy spam filters
    • Most vendors have lacked the ability to view or
      filter image content

Chart: Growth in Image Spam Quantity (Tumbleweed Message Protection Lab, Nov. 2006)
33
Image Spam Techniques
34
Adaptive Image Filtering
Use this image to identify this image ... or this image.
35
Clever spamming techniques
  • Can you spot the difference between these two
    penguins?

36
Original Image
  • Original image: JPG, 2.97K
  • HTML table rendering of the same image: 273K
  • Each table cell represents a colored pixel

37
Adaptive Image Filtering Techniques
Varying Image Spam
38
New Breed of Viruses / Malware
  • Rapid spread by zombies and botnets
  • Signature-based approach not keeping up
  • 10 hours to develop signatures vs. 3-7 hours for
    attacks to peak

39
Zero-Hour vs. Traditional Anti-Virus
  • Virus Outbreak Protection complements
    signature-based antivirus products

                      Signature-based AV                  Virus Outbreak Protection
                      (McAfee, Kaspersky)
Response time         Within 5-10 hours                   Within 1-2 minutes
Services protected    Email, Web, IM                      Email only
Defend                Yes                                 Yes
Clean and Repair      Yes                                 No
Spyware Defense       Scan after updates                  Block infection
Update mechanism      Periodic update of signature pack   Real-time pull
CPU Impact            Heavy load                          Lightweight
Multi-wave attacks    Let some through                    Catch them all
40
The Continuing Fight Against Spammers
  • Effective anti-spam requires expertise, constant
    adaptation, layering of new techniques

Layers stacked over time (1998-2002, 2002-2004, 2005, 2007):
  • Content Filtering (1998-2002): Lexical Analysis,
    Weighted Word lists, Regular Expressions,
    Signature/Hash
  • Behavioral Analysis (2002-2004): Heuristics,
    Bayesian, Statistical Analysis, Message intent (AI)
  • Pattern Detection (2005): Edge Defense, Outbreak
    detection, IP Reputation, Recurrent Pattern
  • Image Filtering (2007): Image Pattern Analysis,
    Adaptive Image Filtering, Dynamic Engine Update
41
Common Architectural Deployment Mistakes
42
The Single Box Solution?
Diagram: MX Record mycompany.com 215.23.3.130; Firewall; 192.168.1.125; 192.168.1.130; Email Server
43
The Single Box Solution?
Diagram: MX Record mycompany.com 215.23.3.130; Firewall; 192.168.1.125; 192.168.1.130; 192.168.2.130; Email Server
Plan for redundancy and failure around hardware
and networks! Start with the best hardware and
work down, not the cheapest.
44
LDAP Mistakes
Diagram: Firewall; 192.168.1.110; 192.168.1.111; 192.168.1.125; 192.168.1.130; 192.168.2.130; Email Server; two Service Account Binds
Everything looks great. Redundancy is everywhere.
What could go wrong?
45
LDAP Mistakes
Diagram: Firewall; 192.168.1.110; 192.168.1.111; 192.168.1.125; 192.168.1.130; 192.168.2.130; Email Server; two Service Account Binds
  • LDAP account gets locked out
  • LDAP user was moved when the bind DN was unique
  • Resetting the password is pointless as it will
    automatically lock again
  • Customer perceives this as a product issue
46
Network Mistakes
Diagram: Firewall; 192.168.1.110; 192.168.1.111; 192.168.1.125; 192.168.1.130; 192.168.2.130; Email Server; two LDAP Binds
  • Recipient validation stopped working
  • Customer blames the product
  • States nothing has changed
47
Network Mistakes
Diagram: Firewall; 192.168.1.110; 192.168.1.111; 192.168.1.125; 192.168.1.130; 192.168.2.130; Email Server; two LDAP Binds
  • The firewall rules changed
  • The ISP changed
  • The DNS changed
  • They are using DNS names instead of IP addresses
48
Incompetence - Spam Still Gets Through!
Diagram: MX Record mycompany.com 215.23.3.130; Firewall; 192.168.1.125; 192.168.1.130; 192.168.1.131; 192.168.1.132; Email Server
49
Solutions Work. The Email Architecture Does Not
Diagram: MX Record 1 mycompany.com 215.23.3.130; MX Record 2 mycompany.com 215.23.3.125; MX Record 3 isp.mycompany.com 220.1.23.5; WebMail webmail.mycompany.com 215.23.3.131; Firewall; 192.168.1.125; 192.168.1.130; 192.168.1.131; 192.168.1.132; Email Server
Examine all MX records! Examine all WebMail ports!
50
The Case of the Nasty NAT
Diagram: MX Record mycompany.com 215.23.3.120; DNS Record webmail.mycompany.com 215.23.3.120; the Firewall NATs 215.23.3.120 to 192.168.1.125 (Email Server with WebMail)
51
The Case of the Nasty NAT: What Happens to
WebMail?
Diagram: MX Record mycompany.com 215.23.3.120; DNS Record webmail.mycompany.com 215.23.3.120; the Firewall now NATs 215.23.3.120 to 192.168.1.130, while 192.168.1.125 remains the Email Server with WebMail
52
The Case of the Nasty NAT: Add a Public IP NAT
to WebMail
Diagram: MX Record mycompany.com 215.23.3.120; the Firewall now NATs 215.23.3.120 to 192.168.1.130; DNS Record webmail.mycompany.com 215.23.3.125; 192.168.1.125 is the Email Server with WebMail
It is not always a drop-in appliance solution. It
is a consultative approach to solving real world
problems.
53
Email Architecture Issues
  • Tiered MX records can cause performance issues
  • Uneven distribution of inbound and outbound email
  • Email queues can back up during email peak periods

Diagram: Internet → eight tiered MX records (MX 10: 30, MX 20: 20, MX 30: 10, MX 40: 5, MX 50: 5, MX 60: 5, MX 70: 10, MX 80: 15) → Spam Gateways SMTP1 to SMTP8 → Mail Servers in Datacenter 1 and Datacenter 2
54
Load Balancers Deployed, but No Recipient
Validation
  • No recipient validation passes mail to email
    server
  • Some email servers use closest match and some
    spam makes it through
  • Emails bounce and are processed many times
    causing extra network traffic, slow performance,
    quarantining of invalid email, and backup of
    invalid email

Diagram: Internet → two equal-priority MX records (MX10: 50, MX10: 50) → Load Balancer in each of Datacenter 1 and Datacenter 2 → Spam Gateways SMTP1 to SMTP4 → Mail Servers
55
Load Balancers and Recipient Validation Deployed
  • Recipient validation allows email in for valid
    recipients only
  • 100% of invalid recipient email dropped at the
    gateway
  • No more email bounces
  • Improved mail server performance, no more
    quarantining invalid email

Diagram: Internet → two equal-priority MX records (MX10: 50, MX10: 50) → Load Balancer in each of Datacenter 1 and Datacenter 2 → Spam Gateways SMTP1 to SMTP8 validating recipients against LDAP1 to LDAP4 → Mail Servers
56
Trends by Content and IP
57
Trends by DNS Black List and IP
58
Trends by Denial of Service and IP
59
Trending Produces Results
60
IP Layer Blocking
  • Trends occur by IP address
  • Permanently block ranges of IP addresses at the
    network layer
  • No need to ever scan content when a connection
    can't be made
  • Spammers can't circumvent IP blocks
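An added detection example (not the vendor's engine) that ties the directory harvest slide to the IP-trend and IP-layer-blocking slides: a sliding-window count of distinct unknown-recipient rejections per client IP, run over constructed gateway log lines, yielding the per-IP evidence a network-layer block list would be built from. The log layout is an assumption modeled on a generic reject record.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed gateway log lines (not real traffic). One source walks the
# address space alphabetically; a legitimate sender mistypes one address.
SAMPLE_LOG = """\
2006-11-26T19:49:01 reject: RCPT from [203.0.113.7]: 550 5.1.1 <aaron@company.com>: User unknown
2006-11-26T19:49:02 reject: RCPT from [203.0.113.7]: 550 5.1.1 <abby@company.com>: User unknown
2006-11-26T19:49:02 accept: RCPT from [198.51.100.20]: 250 2.1.5 <bfrederick@company.com>
2006-11-26T19:49:03 reject: RCPT from [203.0.113.7]: 550 5.1.1 <adam@company.com>: User unknown
2006-11-26T19:49:04 reject: RCPT from [203.0.113.7]: 550 5.1.1 <adam@company.com>: User unknown
2006-11-26T19:49:04 reject: RCPT from [198.51.100.20]: 550 5.1.1 <bfratangelo@company.com>: User unknown
2006-11-26T19:49:05 reject: RCPT from [203.0.113.7]: 550 5.1.1 <alan@company.com>: User unknown
2006-11-26T19:49:06 reject: RCPT from [203.0.113.7]: 550 5.1.1 <alex@company.com>: User unknown
2006-11-26T19:49:07 reject: RCPT from [203.0.113.7]: 550 5.1.1 <amy@company.com>: User unknown
"""

# Assumed record layout: "<iso-timestamp> reject: RCPT from [<ip>]: 550 <code> <<rcpt>>".
REJECT_RE = re.compile(
    r"^(?P<ts>\S+) reject: RCPT from \[(?P<ip>[\d.]+)\]: 550 \S+ <(?P<rcpt>[^>]+)>"
)


def detect_dha(log_text: str, window_s: int = 60, threshold: int = 5) -> dict:
    """Flag client IPs that probed at least `threshold` distinct unknown
    recipients inside any `window_s`-second window. A single mistyped address
    never reaches the threshold; a harvester walking the address space does.
    Returns {ip: {"first_flagged": iso timestamp, "peak_unique_unknown": n}}."""
    recent = defaultdict(deque)   # ip -> (timestamp, recipient) pairs still in window
    flagged = {}
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue              # accepted recipients and other records are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["rcpt"].lower()))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()           # drop probes that fell out of the window
        unique = len({r for _, r in q})
        if unique >= threshold:
            hit = flagged.setdefault(m["ip"], {"first_flagged": m["ts"], "peak_unique_unknown": 0})
            hit["peak_unique_unknown"] = max(hit["peak_unique_unknown"], unique)
    return flagged


def block_candidates(flagged: dict) -> list:
    """IPs to hand to the network-layer block list, most aggressive first."""
    return sorted(flagged, key=lambda ip: -flagged[ip]["peak_unique_unknown"])
```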

61
Inbound Email Best Practices Before
62
Inbound Email Best Practices After
63
Questions?