The document discusses email security and best practices. It notes that email is essential for daily work but poses security risks like unauthorized access, data leakage, and malware infiltration. It recommends configuring email servers securely, establishing policies for email use and retention, monitoring for anomalies, and educating users on secure email practices. Overall, the document emphasizes the importance of securing email infrastructure while enabling effective and appropriate use of email to meet business objectives.
2. What / Why E-mail?
Daily Necessity
Essential for our Survival
Personal and Corporate emails
Plethora / type of emails
ID and Passwords!!
Security and Privacy
Security / Use awareness
3. What is Security?
Confidentiality
Availability
Integrity
Privacy
Meet Business Objectives
Effectiveness of Resources
Efficiency of Manpower
Optimization of Resources
5. Threats to Email Systems
Sending of unauthorized messages
Leakage of confidential or sensitive data to unknown external sources
Malware infiltration through email
Messages sniffed across the network (SMTP without TLS is plain text)
Unsure if the message reached its destination
Only 1 in 5 emails sent was legitimate (76% is spam)
http://www.websense.com/assets/reports/websense-2013-threat-report.pdf
Allowed free use of Gmail, Yahoo, Hotmail etc. in corporates
Allowed access to email on mobile devices: iPad, smartphones, notebooks, web access (outside of corporate LAN defence systems)
6. Email Challenges
Sync with multiple devices and systems
Email data traffic management
Remembering multiple passwords
Management of backups of PST files and email data folders
Growing email storage needs of each user
Duplicated emails with attachments across users
Email audit trails
Irrelevant 1-2 word email traffic such as Ok, Seen, Thx, GA, CU, Good Night, Recd etc.
Email infrastructure complexity and management challenges
Archival, retrieval and redundancy (DR) challenges
7. Email – Weakest link... Users
Have on average 2-3 email accounts
Retain all email history since BC
The Delete key is infrequently used for unwanted emails
Confidential data remains in email content and attachments in multiple forwarded accounts
Pressure IT if email systems are down for more than 5 minutes
Allow push email on all devices, 24x7
Save passwords in browsers, smartphones, tablets etc. (and also use WhatsApp, TrueCaller, Viber simultaneously)
Use email to communicate with colleagues across desks (verbal communication is reducing)
8. More Email Culprits
Automated alerts from email, backup, firewall systems, applications, BMS
Help desk systems and support teams (playing football with calls)
Sending a read / delivery receipt for each email
9. Food for thought
In 1964, 38 people in Queens, New York, witnessed the murder of one of their neighbors, a young woman named Kitty Genovese. A serial killer attacked and stabbed Genovese late one night outside her apartment house, and these 38 neighbors later admitted to hearing her screams; at least three said they saw part of the attack take place. Yet no one intervened.
Social psychologists call this phenomenon the Bystander Problem, Bystander Dilemma or Bystander Effect. I believe the same effect happens in "Reply All" email communication: everyone assumes someone else will deal with it.
10. Denial of Email Systems..
Aside from annoying a lot of people – all at once – 'Reply to All' abuse can bring enterprises to a screeching halt as messaging servers attempt to process the onslaught of email, as the U.S. State Department found out in January.
When a U.S. State Department employee accidentally sent a blank email to a global distribution list of thousands, an email storm ensued. Some recipients used 'Reply to All' to demand to be removed from the list. Others used 'Reply to All' to tell their co-workers, in often less than diplomatic language, to stop responding to the entire group using 'Reply to All.' Some users then compounded the problem by trying to recall their initial replies; the recall generated another round of messages to the entire group.
Senior officials became involved as the huge volume of email resulted in a major denial of service and, we suspect, a huge drop in worker productivity.
* Denial of service: the mail servers stop working, or stop accepting mail, because they are overloaded. The overload can be a deliberate attack or, as here, an accident; the effect on availability is the same.
11. Email Stats
Detail                     2012        2016
Total email accounts       3.3 bn      4.3 bn
Business email accounts    989 mn      1078 mn
Consumer email accounts    2970 mn     3548 mn
Business emails / day      100.5 bn    123.9 bn
Source: http://www.radicati.com/?p=9659
12. Email: Where are we today? Traffic Across Internet
13. Email: Where are we today? - Infrastructure
14. Email: Where are we today? Our Work Style
15. Email: Where are we today? Daily Work Plan ...out of Window
16. Email: Where are we today? Looking For Futuristic Solution
18. Key Controls - Email Security
Appropriate management of email infrastructure – Confidentiality, Integrity and Availability
Effective and efficient use of resources to meet business objectives
Awareness and implementation of email etiquette
19. Email – Information Security
Hardening of email servers and infrastructure
Enable only the allowed ports and services; disable everything else
Enable spam and virus protection
Mail relay controls: relay only for trusted networks and authenticated users, never an open relay
Size and email traffic quotas
Password policies
Monitoring of
Logs,
Exceptions and abnormal behaviour (relay probes, authentication failure bursts, rejected oversize messages),
Performance
Build ISP link and infrastructure redundancy to maintain email systems in HA mode
20. Email – Information Security
Encrypt emails when relaying sensitive data (TLS between servers and clients in transit; S/MIME or PGP where the content itself must be protected end to end)
Apply need-to-know and need-to-use rules on data drives in the LAN as per data classification
Implement email acceptable use policies
Implement email retention policies
Implement Data Leak Protection (DLP) tools / methods
Monitor user activities
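As an added example for the "mail relay controls" and "monitoring of logs, exceptions and abnormal behaviour" items on slides 19 and 20 (this is not code from the deck or from its author), the script below runs over a constructed sample of Postfix-style log lines and flags three things an operator wants to see early: a client collecting "Relay access denied" rejections (someone probing for an open relay), a client racking up SASL authentication failures (password guessing against your own users), and senders hitting the message size limit. The log format, host names, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (assumption: Postfix; the hosts,
# addresses and timestamps are made up for this example).
RELAY_PROBE = ("Mar  3 09:01:{s:02d} mx1 postfix/smtpd[2101]: NOQUEUE: reject: RCPT from "
               "unknown[203.0.113.7]: 454 4.7.1 <{u}@example.net>: Relay access denied; "
               "from=<spam@example.org> to=<{u}@example.net> proto=ESMTP helo=<x>")
AUTH_FAIL = ("Mar  3 09:02:{s:02d} mx1 postfix/smtpd[2102]: warning: unknown[198.51.100.9]: "
             "SASL LOGIN authentication failed: UGFzc3dvcmQ6")
SAMPLE_LOG = "\n".join(
    [RELAY_PROBE.format(s=i, u=f"user{i}") for i in range(3)]
    + [AUTH_FAIL.format(s=i) for i in range(8)]
    + ["Mar  3 09:05:01 mx1 postfix/smtpd[2103]: 4F2A1B: client=mail.example.com[192.0.2.10], "
       "sasl_method=PLAIN, sasl_username=alice",
       "Mar  3 09:05:02 mx1 postfix/smtpd[2103]: warning: unknown[192.0.2.77]: "
       "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
       "Mar  3 09:06:15 mx1 postfix/smtpd[2105]: NOQUEUE: reject: MAIL from "
       "mail.example.com[192.0.2.10]: 552 5.3.4 Message size exceeds fixed limit; "
       "proto=ESMTP helo=<mail.example.com>"]
)

# The connecting client is logged as host[ip] after "from ", "warning: " or "client=".
CLIENT_RE = re.compile(r"(?:from |warning: |client=)(?P<host>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\]")


def classify(line):
    """Return (event, client_ip) for the log lines we care about, else None."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    ip = m.group("ip")
    if "Relay access denied" in line:
        return ("relay_denied", ip)      # relay control did its job; count who is probing
    if "authentication failed" in line:
        return ("auth_failed", ip)       # one failure is noise, a burst is an attack
    if "Message size exceeds" in line:
        return ("oversize", ip)          # size quota enforced
    if "sasl_username=" in line:
        return ("auth_ok", ip)           # successful login, useful for "new location" checks
    return None


def analyse(log_text, auth_fail_threshold=5, relay_threshold=2):
    """Count events per client IP and return (findings, raw counts)."""
    counts = {k: Counter() for k in ("relay_denied", "auth_failed", "oversize", "auth_ok")}
    for line in log_text.splitlines():
        event = classify(line)
        if event:
            counts[event[0]][event[1]] += 1
    findings = {
        "relay_probes": sorted(ip for ip, n in counts["relay_denied"].items() if n >= relay_threshold),
        "password_guessing": sorted(ip for ip, n in counts["auth_failed"].items() if n >= auth_fail_threshold),
        "oversize_senders": sorted(counts["oversize"]),
    }
    return findings, counts


if __name__ == "__main__":
    findings, counts = analyse(SAMPLE_LOG)
    for kind, ips in findings.items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```

Two caveats worth keeping in mind when adapting this: the "Relay access denied" lines are evidence that the relay restriction is working, so the absence of such rejections while untrusted clients are queuing mail to external domains is the real alarm (an open relay); and the thresholds here are per log file, whereas in production you would count per time window and feed the IPs to a blocklist or a fail2ban-style tool rather than just printing them.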
21. Effective and Efficient use to meet Business Objectives
Reduce loads on online and backup storage
Delete past data as per retention policy
Set user quotas
Disallow large attachments (> 5 MB) even in the LAN (use temporary file shares)
Reduce or manage the fixed / mobile devices accessing email
Reduce internet traffic stress
Utilize and manage time for better productivity
22. Email: Awareness and Etiquette
Understand that cyber criminals are out there to fool, cheat, excite or even SCARE you
Verify the sender's email address: the display name is not the address, so check the actual address and its domain, and be suspicious when Reply-To points somewhere else
Do not open attachments from unknown senders or with an irrelevant subject
Reply All – use in special situations only
Do not Reply All with attachments
Delete forwarded message trail contents where not relevant (remove attachments in case of reminders etc.)
Use strong and complex passwords
23. Email: Awareness and Etiquette (contd.)
Restrict attachment size (1 or 2 MB)
Do not initiate or forward unwanted chain mails
Delete emails older than 2 years
Check and re-check subject, contents, attachments and recipients before sending
Limit personal use of business email accounts
Act on emails, do not forward (pass the buck)
Yes, your email reaches its destination; avoid sending "Did you get it?", "Ok?", "Please confirm?", "Are you sure?"
Use read receipts as optional and not mandatory
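The "verify the sender's email address" and "do not open attachments from unknown senders" advice on slides 22 and 23 can be turned into a first-pass triage check. The script below is an added example, not code from the deck or its author: it parses two constructed messages with Python's standard email module, separates the display name from the real address, compares the From, Reply-To and Return-Path domains, reads the SPF and DKIM results from the Authentication-Results header, and flags script or double-extension attachments. The domains, addresses, the trusted domain example.com, the extension list and the assumption that your own MX stamps the Authentication-Results header are all inventions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Extensions that should never arrive as plain attachments (assumption: a
# conservative starter list; extend it from your own gateway policy).
RISKY_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "bat", "cmd", "hta", "jar", "ps1", "lnk"}

# Constructed phishing message: a lookalike domain (examp1e-corp.com), a Reply-To
# on a third domain, failed SPF, and a script hidden behind a double extension.
# Every header and address here is invented for this example.
PHISH_MESSAGE = b"""\
Return-Path: <billing@examp1e-corp.com>
Authentication-Results: mx1.example.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none
From: "Accounts, Example Corp" <billing@examp1e-corp.com>
Reply-To: collections@mail-examp1e.net
To: alice@example.com
Subject: Invoice overdue - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice today.
--b1
Content-Type: application/octet-stream; name="Invoice_2013.pdf.js"
Content-Disposition: attachment; filename="Invoice_2013.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1--
"""

# Constructed legitimate internal message for contrast.
CLEAN_MESSAGE = b"""\
Return-Path: <helpdesk@example.com>
Authentication-Results: mx1.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Planned mail outage Saturday 02:00-03:00

Mail will be unavailable for one hour during the upgrade.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower()


def triage(raw_bytes, trusted_domain="example.com"):
    """Return sender details plus a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name drops our organisation's name but the address domain is not ours.
    org = trusted_domain.split(".")[0]
    if org in display.lower() and from_domain != trusted_domain:
        findings.append(f"display name mentions '{org}' but address domain is {from_domain}")

    # 2. Replies or bounces would go to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        addr = parseaddr(str(msg.get(hdr, "")))[1]
        if addr and domain_of(addr) != from_domain:
            findings.append(f"{hdr} domain {domain_of(addr)} differs from From domain {from_domain}")

    # 3. SPF/DKIM results as written by our own MX (assumption: the gateway strips
    #    any Authentication-Results header that arrives from outside).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=pass" not in auth:
        findings.append("SPF did not pass")
    if "dkim=pass" not in auth:
        findings.append("DKIM did not pass")

    # 4. Attachments: executable/script types and "report.pdf.js" style double extensions.
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        attachments.append(name)
        labels = name.lower().split(".")
        if labels[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has executable/script extension .{labels[-1]}")
        if len(labels) > 2:
            findings.append(f"attachment {name} uses a double extension")

    return {"from": from_addr, "display_name": display, "attachments": attachments,
            "findings": findings, "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_MESSAGE), ("clean", CLEAN_MESSAGE)):
        result = triage(raw)
        print(f"{label}: {result['verdict']} <{result['from']}>")
        for f in result["findings"]:
            print("  -", f)
```

This is a triage aid for the help desk or the user, not a substitute for gateway filtering: a mail that passes every check can still be a phish sent from a compromised legitimate account, and the Authentication-Results check is only meaningful if your own gateway adds that header and removes any copy that came in with the message.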
24. What's happening in other Corporates?
Email etiquette is being taught
"Companies Disabling 'Reply-All' Button, Rather Than Dealing With Inane Email Threads" - The latest to do so is Nielsen, which did so with a cheery memo to staff explaining why this would "reduce non-essential messages in mailboxes, freeing up our time as well as server space." That's one way to think about it.
30. Just a plain Thanks.
(No Thank you emails)
We offer our rich experience to meet your business requirements and objectives in the IT Audits, IT Governance, Risk, Security Awareness, CISA, CISM Training and IT Strategy consulting areas.
Our specializations include reviews of ERP, CBS, Information Architecture, IT Efficiency and Effectiveness to deliver value, amongst other things.
We have worked with Al Rajhi Takaful in KSA, Qatar Steel, WFP, WHO, UNOPS, Govt of India and many other reputed companies across the world.
We shall be happy to discuss your requirements.
Look forward.
Sanjiv Arora, CISA, CISM, CGEIT, CHPSE
Contact Cell +91 98102 93733, e-mail – sa@tech-controls.com, www.tech-controls.com