dissolutions
What is a Tool Talk?
SANS Tool Talks are an opportunity for you to hear from Information Security Vendors. At SANS we believe that you cannot accomplish Information Security tasks without tools. A surprising number of security professionals have no idea what technology is available in the marketplace. Tool Talks are designed to give you a solid understanding of a problem, and how a vendor's commercial tool can be used to solve or mitigate that problem.


Webcast Overview:
Who's Reading Your Email?
Featuring: Jon Callas and Jim Reavis
Join Jon Callas and Jim Reavis for the PGP Education Series Webcast: "Who's Reading Your Email?" It is a common perception that email messages are analogous to letters contained within sealed envelopes, when in fact they are more akin to postcards, which can be viewed by anyone. From malicious outsiders to rogue systems administrators to search engine "bots," this webcast will detail the many ways in which inappropriate and unintended sources are able to read your email and the risks that situation creates for you and your organization. We will then explain how PGP® Universal is able to counter each of these threats and seamlessly create secure and auditable envelopes for your email messages.



Speaker Bios:


Jon Callas: Mr. Callas served as Chief Scientist at PGP Inc. and as CTO of the Network Security Division for Network Associates Technologies Inc. Mr. Callas also served as Director of Software Engineering at Counterpane Internet Security Inc. and was a co-architect of Counterpane's Managed Security Monitoring system. Most recently, he was Senior Systems Architect at Wave Systems Corporation. His career includes work at Digital Equipment Corporation, World Benders, and Apple Computer. He is the principal author of the Internet Engineering Task Force's (IETF's) OpenPGP standard and a writer and frequent lecturer on system security and intellectual property issues. Mr. Callas has a B.S. in Mathematics from the University of Maryland.

Jim Reavis: Jim is the President of Reavis Consulting Group and editor of the CSOinformer newsletter. Mr. Reavis is also a member of the board of directors of the Information Systems Security Association (ISSA), where his role is that of Vice President of Vendor Relations. For more than 12 years, he has worked in the information security industry as an entrepreneur, writer, speaker, technologist, and business strategist. Mr. Reavis founded SecurityPortal in 1998 and has been an advisor on the launch of many industry ventures.

http://www.sans.org/webcasts/show.php?webcastid=90508

It's 59 mins long and, as far as I've listened to it, a decent webcast.

Edit:
Also copied in the minutes from their PDF file. (If this is a problem from SANS please PM me.)

QUOTE

SANS Tool Talk © 2004
SANS Institute presents:
Who's reading your email?
• Speakers
– Jon Callas, PGP Inc.
– Jim Reavis, Reavis Consulting Group
• Q/A session with today’s speakers
• Send questions to ‘q@sans.org’

1
PGP Education Series:
Who’s Reading Your Email?
Jon Callas, PGP Corporation
Jim Reavis, Reavis Consulting Group
May 20, 2004

2
• Jon Callas
– CTO, CSO, and co-founder, PGP Corporation
– Primary author: RFC 2440, OpenPGP standard
• Jim Reavis
– President, Reavis Consulting Group
– Editor, CSOinformer newsletter
Presenters

3
Agenda
•Risks of email content disclosure
•How unauthorized sources read email
•Best practices for protecting against
unauthorized email disclosure
•Introduction to PGP® Universal
•How PGP Universal protects against
unauthorized email disclosure
•Q&A

4
Email: #1 way to communicate
• 1.2 billion letters and packages delivered
globally per day by postal services
• 4 billion phone calls worldwide per day
• 31 billion electronic mail messages sent
each day around the world

5
Email: Unlimited content
• From one-word replies to dissertations
• Rich content
– File attachments, links, multimedia
– Customer lists, financial data, etc.
• Unlimited recipients
– From 1 to 1 million recipients
– Send to anyone: your colleagues,
competitors, the media

6
Who’s reading your email?
• Competitors
• Hackers
• Litigants
• Insiders
• Search Engines, “Bots”

7
How do they read it?
• Email inadvertently forwarded to
inappropriate recipients
• Disgruntled employees leak data
• Administrators of recipient’s email read data
• Compromised email servers
• Backup email servers run by third parties
• Stolen, sold, decommissioned/archived
equipment
• Legal mandates

8
Points of Risk:
Where is your email at risk?
[Diagram: Email Client talks SMTP / POP3 / IMAP4 (optionally over SSL/TLS) to the Email Server in the DMZ, which relays over SMTP to the Internet. Four risk call-outs on the path:]
• Read from a user's personal folders or laptop
• Downloaded from the email server
• "Sniffed" off the network
• Purposely or accidentally sent to a malicious or inappropriate user
Plaintext storage is a key enabler of misuse

9
Risks of unauthorized
disclosure
• PR nightmares – embarrassing for a
company
• Intellectual property & other secrets
revealed
• Loss of competitive advantage
• Lost faith in public institutions

10
How do you mitigate risk?
• Awareness
• Policies
• Encryption

11
Awareness
• Educate users about potential risks
– Email is a “postcard,” not a certified letter
– Longevity of messages
– Possibility of content becoming public or being
used in legal proceedings
• Alert users to specific situations: “phishing,”
malicious code, social engineering, etc.
• Train users to manage distribution lists
carefully

12
Policies
• Proper usage of email
• Rules for handling sensitive data
• Retention policies, archives
• Need to audit for compliance
• Even better: tools to enforce
compliance

13
Encryption
• Lock out unauthorized users
• Establish authenticity
• Compensate for weaknesses in
awareness and policy compliance
• Virtually unbreakable
• Historically, difficult to implement

14
PGP Encryption:
The Gold Standard
• PGP encryption
– Invented by Phil Zimmermann in 1991
– A wide majority of all encrypted email uses OpenPGP
– A recognized standard: RFC 2440
• PGP Corporation
– Recognized worldwide leader in secure messaging and
information storage
– Widespread adoption of PGP solutions by enterprises and
Fortune 500 businesses
– Strong presence in U.S. government

15
PGP Universal:
Simplifying Encryption
• To be more widely accepted by the user, encryption
needs to be invisible to the user
• Need network-based solution to encrypt for the user
• PGP Universal provides a next-generation “automatic
encryption proxy” to simplify and accelerate
encryption
• Flexibility to work with a multitude of email clients,
servers, and certificate authorities (CAs)
• Capable of solving all the “points of risk” for improper
email disclosure

16
PGP Universal Solution
• Network-Based Secure Messaging
and Email Encryption
– Transport layer
– Proxy protocols
– Standards-based
– Trusted PGP technology
• Automatic & Transparent
– No impact on users
– Automated key management
– Flexible and configurable
– Cost-effective
[Diagram: OSI stack, L7 Application down to L1 Physical]

17
PGP Universal Policy Engine
• Security Policy Set Per Recipient Domain
– Different policies for different recipient
domains
– Different clusters can have different policies
– Exclusive or inclusive
• Applied Based on LDAP Characteristic
– Gateway licenses
– End-to-End licenses
• Enforces Presence of ADK
– Corporate information recovery
– For PGP Desktop users as well
Domain Policy (decision tree):
• Encrypt
– If Recipient Key: Encrypt Only, or Encrypt and Sign
– If No Recipient Key: Return to Sender, Send Web Messenger, Send WM with Satellite Option, Digitally Sign & Send Clear, or Send in the Clear
• Digitally Sign & Send Clear
• Send in the Clear

18
Solving Risk Points: Gateway
Mail encrypted before leaving the organization
Prevents reading email off the network wire
[Diagram: Email Clients -> Email Server -> PGP Universal Server in the DMZ -> SMTP -> Internet. The PGP Universal Server forces encryption to targeted recipients.]

19
Solving Risk Points: PGP
Universal Satellite & PGP Desktop
Mail encrypted internally also
Prevents compromised mail server
from disclosing messages
[Diagram: Email Clients running PGP Universal Satellite or PGP Desktop talk SMTP / POP3 / IMAP4 / MAPI / Notes to the Email Server; the PGP Universal Server sits in the DMZ in front of the Internet.]
Encrypts email at endpoint as well

20
Summary
• Email is the most widely used form of communication
in the world
• Inappropriate disclosure of sensitive email can be the
Achilles’ heel for business and government alike
• PGP Universal enforces key best practices to protect
email internally and externally
• PGP Universal provides the flexibility to work in
complex, heterogeneous environments

21
Thank You
Questions & Answers
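The policy tree on slide 17 (per-recipient-domain policy, encrypt if a recipient key exists, otherwise bounce or fall back, and ADK enforcement) is the part of the deck a practitioner would actually have to implement. Below is a small model of that engine. It is an added example and not PGP Corporation code or anything from the webcast: the policy table, key directory, key ids, domain names and addresses are all constructed for the demonstration, and the "most specific domain suffix wins" lookup is my assumption about how per-domain policy would be matched.

```python
"""Toy model of the per-recipient-domain policy engine sketched on
slide 17.  Constructed example, not PGP Corporation code: the policy
table, key directory, key ids and addresses are all made up."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Action(Enum):
    ENCRYPT = "encrypt"
    ENCRYPT_AND_SIGN = "encrypt and sign"
    SIGN_AND_SEND_CLEAR = "digitally sign and send clear"
    SEND_CLEAR = "send in the clear"
    RETURN_TO_SENDER = "return to sender"
    WEB_MESSENGER = "send web messenger"


@dataclass(frozen=True)
class DomainPolicy:
    mode: str                                   # "encrypt", "sign" or "clear"
    sign_when_encrypting: bool = False          # "encrypt and sign" vs "encrypt only"
    no_key: Action = Action.RETURN_TO_SENDER    # what to do if no recipient key


@dataclass(frozen=True)
class Decision:
    action: Action
    encrypt_to: Tuple[str, ...]    # key ids the message is encrypted to (() if not encrypted)


class PolicyEngine:
    def __init__(self, policies: Dict[str, DomainPolicy],
                 key_directory: Dict[str, str], adk: Optional[str] = None):
        if "*" not in policies:
            raise ValueError("a '*' default policy is required")
        self.policies = {d.lower(): p for d, p in policies.items()}
        self.keys = {a.lower(): k for a, k in key_directory.items()}
        self.adk = adk   # additional decryption key: corporate recovery key

    def policy_for(self, domain: str) -> DomainPolicy:
        """Most specific configured suffix wins (assumption); '*' is the default."""
        labels = domain.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is not None:
                return policy
        return self.policies["*"]

    def decide(self, address: str) -> Decision:
        local, _, domain = address.rpartition("@")
        if not local or not domain:
            raise ValueError(f"not an address: {address!r}")
        policy = self.policy_for(domain)
        if policy.mode == "clear":
            return Decision(Action.SEND_CLEAR, ())
        if policy.mode == "sign":
            return Decision(Action.SIGN_AND_SEND_CLEAR, ())
        if policy.mode != "encrypt":
            raise ValueError(f"unknown policy mode {policy.mode!r}")
        key = self.keys.get(address.lower())
        if key is None:
            return Decision(policy.no_key, ())   # the "If No Recipient Key" branch
        # ADK enforcement: every encrypted message is also encrypted to the
        # corporate recovery key, so the organisation can still read its own mail.
        encrypt_to = (key,) + ((self.adk,) if self.adk else ())
        action = Action.ENCRYPT_AND_SIGN if policy.sign_when_encrypting else Action.ENCRYPT
        return Decision(action, encrypt_to)

    def route(self, addresses) -> Dict[str, Decision]:
        """One decision per recipient; a gateway would split the message accordingly."""
        return {a: self.decide(a) for a in addresses}


# Constructed configuration for the demo (made-up domains and key ids).
ENGINE = PolicyEngine(
    policies={
        "*": DomainPolicy("sign"),                    # default: sign, send clear
        "partner.example": DomainPolicy("encrypt", sign_when_encrypting=True,
                                        no_key=Action.WEB_MESSENGER),
        "bank.example": DomainPolicy("encrypt"),      # bounce if no key
        "newsletter.bank.example": DomainPolicy("clear"),
    },
    key_directory={
        "alice@partner.example": "0xA1CE0001",
        "cfo@bank.example": "0xBA4C0002",
    },
    adk="0xADC0FFEE",
)

if __name__ == "__main__":
    for addr, d in ENGINE.route([
        "alice@partner.example", "bob@partner.example", "cfo@bank.example",
        "clerk@bank.example", "list@newsletter.bank.example", "eve@elsewhere.example",
    ]).items():
        print(f"{addr:32} {d.action.value:32} {d.encrypt_to}")
```

Two things the model makes visible that the slide does not: the fallback for a missing recipient key is a per-domain choice (a bounce for one domain, a web-messenger style pick-up for another), and ADK enforcement means the corporate recovery key appears as an extra recipient on every encrypted message, which is exactly the "rogue administrator" reading path the webcast warns about, now moved to whoever holds the ADK.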

F34R
nice share man... webcasts are always good