TRANSCRIPT
Hosted by
10 Steps to Secure Messaging
Jim Reavis, President, Reavis Consulting Group
Agenda
Risks of insecure messaging
Policy
Architecture
Innovative technologies & trends
10 Steps
Companion site: csoinformer.com/10steps
Top Ten Reasons to Secure Messaging
10. Protect intellectual property sensitive to your corporate mission
9. Avoid “angry” emoticons from your boss
8. Reduce risk of worms running rampant on your network
7. Poor dating prospects at the unemployment line
6. Increase user productivity
Top Ten Reasons to Secure Messaging
5. “Sobig fatigue” not covered by workmen’s comp.
4. Securing communications with partners and customers creates new business opportunities.
3. Saying “ILOVEYOU” to the CEO is usually inappropriate outside of the annual Christmas party.
2. Reduce risk of legal liability.
1. Executive washrooms rock!
About Reavis Consulting Group
Provide research and advisory services regarding best practices and emerging security trends
Clients include Fortune 500 members, gov’t and information security companies
Publish monthly CSOinformer newsletter
Threats
Viruses
Worms
Spam
Insiders/Covert Channels
Idiot users who got their job just because they have the same last name as the CEO
[Diagram labels: IM, E-mail, AV Gateway, E-mail Server, Firewall, Internal Hosts, Internet]
Risks
Data loss, theft & leakage
Compromised systems
Downtime/loss of productivity
Out of compliance with regulations
Civil litigation
Risk Management
Topic of the year at CISO/CSO gatherings
Definition: the systematic process of managing an organization's risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors and the law.
Reduce risk & create opportunities.
Risk Management
Risk Mgt Strategies
• Avoid
• Accept
• Transfer
• Mitigate
Risk Mgt Process
• Establish Risk Profile
• Establish Protection Profile
• Modify PP as RP changes (e.g. threat level “Orange”, new business venture)
• ROSI (return on security investment)
Risk = Value of the Asset X Severity of the Vulnerability X Likelihood of an Attack
Policies
Legal due diligence (e.g. retention laws).
Communicate clearly.
• Acceptable & appropriate usages
• Clear definitions (e.g. what is proprietary)
• Provide examples (e.g. .EXE files prohibited, anything sent to payroll processor must be encrypted)
Documented acceptance.
How do you attain ROSI with your policy?
Architectural Principles
Proxy all connections
• Hidden messaging methods may be P2P.
Measurement capabilities
Layered Defense Systems
Best of Breed vs Integrated Suite?
Integrated team approach
• How is IT working against your goals?
Architectural Principles
Granular rules control
• Ad hoc blocking of new threats
• Prevent auto-forwarding risks
Compartmentalize
• Improve incident response
• Provide limited service during crises
Redundancy
Education & Awareness
Incident Response
Formalized CERT
• Specialized messaging response team
Incident reporting
Response
• Containment (unplug, router ACL filters, etc)
• Disinfect, Remediate, Rebuild
Notify external partners
Forensics, analysis, lessons learned
Baseline & Measurement
Network traffic analysis
E-mail & IM logging
Identify dependencies
Trend analysis
Support policy revisions
Creating TCO metrics for budgeting
Don’t hoard this information
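Added example (not from the talk): one way to turn e-mail gateway logging into the baseline and trend analysis the slide asks for. It learns each sender's normal hourly volume from historical log lines and flags senders whose current-hour volume jumps well above it, the pattern a mass-mailing worm leaves. The log format and all sample lines are constructed for this example; real gateways differ.

```python
import re
from collections import Counter, defaultdict
from statistics import mean

# Assumed log format (constructed for this example, not a real gateway's):
#   <ISO timestamp> <host> from=<sender> rcpts=<recipient count>
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ from=<(?P<sender>[^>]+)> rcpts=(?P<rcpts>\d+)$")

def hourly_counts(lines):
    """Messages per sender per hour bucket (YYYY-MM-DDTHH)."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # silently skip lines that do not match the assumed format
            counts[m["sender"]][m["ts"][:13]] += 1
    return counts

def baseline(history_lines):
    """Mean messages per active hour for every sender seen in the history."""
    return {s: mean(hours.values()) for s, hours in hourly_counts(history_lines).items()}

def anomalies(history_lines, current_lines, factor=5.0, floor=10):
    """Senders whose hourly volume exceeds factor x baseline, never below floor.
    A sender absent from the history has baseline 0, so only the floor applies."""
    base = baseline(history_lines)
    flagged = []
    for sender, hours in hourly_counts(current_lines).items():
        for hour, n in hours.items():
            if n > max(floor, factor * base.get(sender, 0.0)):
                flagged.append((sender, hour, n, base.get(sender, 0.0)))
    return sorted(flagged, key=lambda f: -f[2])

def make_lines(day, hour, sender, n, rcpts=1):
    """Constructed log lines (sample input, not captured traffic)."""
    return [f"2003-08-{day:02d}T{hour:02d}:{i % 60:02d}:{i // 60:02d} gw01 "
            f"from=<{sender}> rcpts={rcpts}" for i in range(n)]

# Two days of quiet history, then one hour in which one host starts mass-mailing
HISTORY = [l for day in (18, 19) for hour in range(9, 18)
           for l in make_lines(day, hour, "alice@corp.example", 3)
           + make_lines(day, hour, "bob@corp.example", 1)]
CURRENT = (make_lines(20, 9, "alice@corp.example", 4)
           + make_lines(20, 9, "bob@corp.example", 80, rcpts=5)   # worm-like burst
           + make_lines(20, 9, "temp@corp.example", 12))          # never seen before

if __name__ == "__main__":
    for sender, hour, n, base in anomalies(HISTORY, CURRENT):
        print(f"{hour} {sender}: {n} msgs (baseline {base:.1f}/hour)")
```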
Who wrote the antivirus software used by Microsoft in DOS 6.22?
1. Dr. Solomon
2. Central Point
3. X-tree
4. Microsoft
[Poll results chart: answer 1 = 60%, answer 2 = 27%, answer 3 = 7%, answer 4 = 7%]
Antivirus Strategy
Multiple AV tools
• Desktop, Server, Email Gateway.
• Antivirus network appliances, Managed AV service.
• How many levels of AV provide ROSI?
Content Filtering (Day Zero defense)
• Subject line.
• File attachment types.
Tactics outside of messaging control
• Lockdown e-mail client.
• Keep patching virus targets.
Antivirus scanning points
[Diagram labels: E-mail Client, E-mail Server, Network Layer AV Appliance, AV Gateway, MSSP, Internet]
What is the Internet Engineering Task Force RFC for OpenPGP?
1. 1542
2. 802.1x
3. 2440
4. I was told there would be no tests
[Poll results chart: answer 1 = 40%, answer 2 = 20%, answer 3 = 29%, answer 4 = 12%]
E-mail encryption services
Virtually unbreakable, often unusable
Key to protecting information and reducing malicious threats
Issue: total cost of ownership (TCO) traditionally a burden
Hot trend: encryption proxy servers/e-mail firewalls
E-mail encryption by proxy
[Diagram labels: E-mail Server, Encryption Proxy, Webmail Server, Internet]
Proxy manages keys
Encrypts messages
Gives recipient option of secured SMTP message or Webmail
Instant Messaging
Embrace and extend
Proxy connections
Encrypt communications
Logging & Usage profiling
Block dangerous behaviors (file transfers, etc)
Gateway ROSI benefit: IM compatibility
Instant Messaging
IM Proxy
Central configuration & administration
Spam
Why is this a security issue?
Anti-spam approaches:
• Keyword filtering
• Bayesian algorithm
• Blacklists/Whitelists
• Community voting
• Tagging vs. blocking
Multiple approaches often necessary.
ROSI Models.
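Added example (not the speaker's code) covering the content-filtering slide and this spam slide together: a gateway-style filter that applies the policy example of prohibiting .EXE attachments, sender blacklists/whitelists, weighted keyword filtering over subject and body, and the tagging-versus-blocking decision. The extension list, keyword weights, domains and thresholds are constructed for illustration; the Bayesian and community-voting approaches are not implemented here.

```python
import os
from email.message import EmailMessage

# Constructed policy values (assumptions): .EXE follows the policy slide's
# example; everything else is illustrative and would come from your own policy.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif"}
SPAM_KEYWORDS = {"free money": 2, "act now": 2, "unsubscribe": 1}   # weight per hit
BLACKLIST = {"spammer.example"}
WHITELIST = {"partner.example"}
TAG_THRESHOLD, BLOCK_THRESHOLD = 2, 4   # tag (mark subject) below block (refuse)

def sender_domain(msg):
    return (msg["From"] or "").rsplit("@", 1)[-1].strip("> ").lower()

def message_text(msg):
    """Subject plus every text/plain body part, lower-cased for keyword matching."""
    bodies = [p.get_content() for p in msg.walk()
              if p.get_content_type() == "text/plain" and not p.get_filename()]
    return ((msg["Subject"] or "") + " " + " ".join(bodies)).lower()

def classify(msg):
    """Return (verdict, reason); verdict is 'deliver', 'tag' or 'block'."""
    domain = sender_domain(msg)
    if domain in WHITELIST:
        return "deliver", "whitelisted sender domain"
    if domain in BLACKLIST:
        return "block", "blacklisted sender domain"
    for part in msg.iter_attachments():   # day-zero defence: file type, not signature
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            return "block", f"prohibited attachment type {ext}"
    text = message_text(msg)
    score = sum(w for kw, w in SPAM_KEYWORDS.items() if kw in text)
    if score >= BLOCK_THRESHOLD:
        return "block", f"spam score {score}"
    if score >= TAG_THRESHOLD:
        return "tag", f"spam score {score}"
    return "deliver", "no policy hit"

def tag_subject(msg, marker="[SPAM?]"):
    """Tagging rather than blocking: mark the subject and let the user decide."""
    msg.replace_header("Subject", f"{marker} {msg['Subject']}")
    return msg["Subject"]

def make_sample(sender, subject, body, attachment=None):
    """Constructed test message, not captured traffic."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@corp.example", subject
    msg.set_content(body)
    if attachment:   # a two-byte stand-in for an executable payload
        msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                           filename=attachment)
    return msg
```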
Awareness
Courseware
• Reinforce policy
• Educate about threats
• Recognizing viruses
• Safe practices
• What to do, where to go for help
Regular internal AV newsletter
To protect and to serve
[Diagram labels: Internet, Firewall, AV Gateway, Network Layer AV Appliance, Content/Spam Filtering, Encryption Proxy, IM Proxy, MSSP, Departmental E-mail Servers, IM, E-mail, Internal Hosts, Your boss]
Summary – the 10 Steps
1. Enforceable policies
2. Architecture
3. CERT & Incident Response Plan
4. Awareness program
5. Baseline & continuous measurement system
6. Encryption
7. Proxy everything
8. Multiple layers of virus/spam protection
9. “Best of Breed”
10. Take an integrated approach
According to IBM Research, in what year did the first PC virus appear?
1. 1984
2. 1986
3. 1988
4. The year Bill Gates was born
[Poll results chart: answer 1 = 46%, answer 2 = 28%, answer 3 = 20%, answer 4 = 6%]
Thank You!