Guide To Email Security

Table Of Contents

Introduction (p. 3)
How To Protect Yourself (p. 4)
What To Do If You Get Hacked (p. 5)
The Hacker’s Life (p. 6)
Email Is Gold (p. 7)
How An Attack Works (p. 8)

Introduction To Email Security

We’re a paranoid bunch at Mailchimp. We proudly wear tinfoil hats, we have secret hideout rooms with steel walls, and we have fireman poles and slides throughout the building for quick evacuation. We also have at least 24 rottweilers with freakin’ lasers on their heads. We’d go into more detail, but let’s just say that security is a serious matter at Mailchimp. We take it so seriously because our customers shouldn’t have to worry about their data. We spend a lot of time talking about bad guys and acting like bad guys, to figure out how they think. Our team invests a lot of time and money into writing code to protect ourselves and our customers, and we have lots of software and hardware to protect our infrastructure. Our security methods are there to help keep you safe—but when it comes to protecting yourself and your subscribers, you have some responsibilities of your own. In this guide we’ll cover how you can protect yourself, what to do if your data has been compromised, some basics on why an attacker might target you, and why email data is important in the first place. We hope this guide scares you into taking some precautionary measures to ensure your data is safe.

According to the Ponemon Institute, the value of a customer record is $204 in the US. For some people the value is much higher, and for others it’s much lower. Some people use the simple “dollars earned divided by list size equals dollar-per-email value” calculation. (So if you made $120,000 off your campaigns and had 5,000 subscribers, then each subscriber is worth $24.) Though some are worth more than others, that calculation shows you how valuable email addresses are. And even if you’re not earning money off your subscribers, there’s great responsibility in protecting the email addresses they provide. Hackers want those addresses because they know how to extract and extort money from unsuspecting people, tarnish your brand and cause some serious financial hassles for you. If you and your service providers aren’t taking the proper precautions to protect your customers’ data, then you’re doing a grave disservice to your business and subscribers.

*ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER

This guide is intended to serve as a resource on the topic of email security. It is not intended to be professional advice, nor is it a complete compendium of the information available in this area. The Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the information contained within. In sum, while we think this is an awesome guide on the topic, use of the information contained within the guide is entirely, completely, definitively, absolutely, positively, 100% at your own risk. If you have questions or need specific advice for your situation, please contact a knowledgeable professional.

by Brandon, deliverability engineer

How To Protect Yourself

You can never be too cautious when it comes to protecting yourself, your business and your valuable data. Here are some tinfoil-hat tips.

1. Keep ALL of your systems completely up to date. Not just your operating systems, but your browser, Adobe Reader, Java, Flash, etc. These ancillary applications are generally the most problematic and easiest to hack. Keep your anti-virus programs up to date, and if possible, use anti-virus software that has a firewall—or at the very least malware—protection. Try something like Comodo.

2. Run anti-virus and malware scans daily. As in, every single day.

3. Secure your networks and wifi. Do NOT allow employees to use their home computers, guest computers, smartphones or iPads on your network. Secure your wifi using WPA2 or stronger. If you have mobile workstations inside or outside your networks, never use insecure wifi, like your local coffee shop’s connection. If you must use this type of connection, keep your usage to an absolute minimum. Read up on Firesheep to learn how much information gets transmitted on an open wifi connection.

4. Secure your smartphone with a password or security lock. If it’s stolen, call your provider immediately and disconnect your phone. Passwords are extremely important when it comes to security. Use different passwords for every site you do business with. Do NOT use the same password twice (see: Twitter Spam Attack Tied to Gawker Security Breach). Each site should have a unique password. Consider using 1Password, KeePass or a similar utility to help keep track of all your passwords. Keep in mind that if someone steals your computer or gains access, they can steal your password database. So make sure your master password is unique and difficult to guess. Use passwords of at least 10 characters with numbers, letters, symbols as well as different cases. If you use the same password everywhere, it’s extremely easy for an attacker to try your username and password at each and every site they’re after.

5. Use a single machine for financial transactions. It shouldn’t be used for anything other than banking, and should only be connected via a wired connection. Don’t keep this computer powered up unless it’s being used.

6. Be careful what information you share publicly. If you’re interviewed for something that will be published online, make sure you don’t mention software vendors or business vendors you use, unless you can be 100% sure that your software and business vendors will not be hacked.

7. Never open email, IMs and social-media notifications from people you don’t know, haven’t heard from in a long time, or look suspicious. This type of communication is often malicious, so skip it to be safe. If you’re unsure, don’t reply to the communication, and call the person for confirmation. Assume everyone is compromised.

What To Do If You Get Hacked

Hopefully you’re protecting your data like a champ and nobody’s after you. But if you do get hacked, here’s how to handle it.

1. If it’s a virus or malware on a machine, disconnect ALL machines from your network immediately. At this point it’s best to involve a local IT company or consultant who’s trained in removing malware. Don’t turn on any systems until the threat has been completely removed. If you must get to a system, make sure it’s not on the internet, and assume that anything and everything on that system is infected.

2. Change all passwords, and security questions and answers that may have been affected. Make sure you do it from a secure machine—if you change passwords on an infected machine, you’re giving the attacker all the info they were after on a silver platter. Use a secured network that you trust. If your systems were hacked, don’t trust your network until all machines have been given the all clear.

3. Contact your service providers and software providers, and ask them to do a scan for potential data breaches on your account. Also ask them to lock your account from further access if you feel the account is what the attacker was after, or if the account is important enough to lock down.

4. Check your email. Ensure that there’s nothing in your deleted items that relates to communication with your service and software providers.

5. Notify your friends, clients and business vendors that you were compromised. Let them know that they shouldn’t trust further communication from you until otherwise noted.

The Hacker’s Life

Discussions about hackers usually end with, “Why don’t they just get a job?” The truth is, hacking is their job, and they often make good money (or enjoy what they do). The laws in many countries are lax enough that cybercrime isn’t considered serious, or there’s just so much other bad stuff going on, it doesn’t bubble up. Many countries even overlook this behavior because the criminals pay off and support government officials. The book Fatal System Error by Joseph Menn goes into more detail about that. Whether someone is paying government officials, or the laws just don’t apply, it really doesn’t matter. These criminals exist, and they’re out to get any and all information they can. So why do they want your data?

1. To target your personal and/or business finances. Stealing financial account information is easy these days. It’s even easier, and far more useful, to steal credit card information.

2. To target your computers and technology infrastructure. Botnets allow an attacker to use many machines to attack other machines, steal information and commit various other acts of evil. Once the hacker controls your computer they can:

• Log every keystroke you type. The software that records the keystrokes is even built to show fake login pages for financial institutions to log your credentials.

• Steal information from your hard drive. The attacker owns your machine and can get at any piece of data they want. Stealing your accounting database and cracking the username and password shouldn’t take more than a few Google searches.

• Use your system to send SPAM. The majority of SPAM is sent through systems controlled by botnets. If your system is under the control of a hacker, they can send hundreds of thousands of pieces of SPAM from your system without you ever knowing it.

3. To target your customers. Maybe you have some high-profile clients that the attacker is after. Maybe a client is listed on your site or sent an issue via Twitter. It’s easy to figure out who your clients are, and it’s an easily accessible entry point for an attack.

4. To target employees. A hacker can easily target your employees using social media and direct attacks. It’s easy to find ways to get at your employees, like using family members, college or high-school friends found through Facebook. If an attacker targets one of your employees, he can gain insight into your business practices and target your entire company.

All attacks are planned. There’s an end goal, and because this is the attacker’s job, he spends lots of time planning and plotting every step. Just like that new promotion you planned in November, the attacker planned the malicious attack on your Social Media Manager. Many people think hackers don’t put much thought into attacks, and while the 419 scams and bad spelling in most SPAM might make you think hackers are stupid, that’s far from the truth. In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy provides information on how much effort a hacker will put into planning and executing an attack. It’s like a chess game—but unfortunately, most of the targets have no idea they’re part of the game. If you have any type of online presence, then you are, have been, or very shortly will be under attack. So you must behave like you’re under attack and secure your assets at all times.

Email Is Gold

Email addresses are extremely valuable in today’s economy. Referencing back to our quick calculation in the introduction, you can see that an email address can be worth a lot of money to your business. Our identities, important accounts and vital information are attached to email addresses. Chances are your financial institutions use your email address as your username. Your social media accounts, like Facebook and Twitter, tie to your email address. Your email address is a unique identifier—but more importantly, it’s a communication mechanism. We use email to transmit all kinds of important information, and we use email more and more each day. Evil hackers want the email accounts for various reasons. This is just a small list of some stuff they might be after:

• Hackers have found that companies who use ESPs (email service providers) generally have clean lists. A clean list means fewer bounces and potentially an engaged list. And that means the list will deliver to the inbox and have a higher likelihood of clicks and opens.

• The hacker wants your email addresses to send your subscribers malicious stuff. Maybe your email list has important users like congress members. If they can trick your subscribers into clicking links and visiting bad sites, they can then gain access to machines they were targeting.

• The hacker is planning a much larger attack and is just harvesting email addresses.

• The hacker is planning to resell your subscribers.

Know that lists used by marketers often have highly engaged readers and good email addresses. If the hacker wanted to target your customers, they could easily imitate your campaign content and trick your users into following a link to a malicious site. Chances are, the engaged readers will click like they normally would. The list is valuable to you, but it’s just as valuable—if not more so—to the hacker.

There’s also a large market for buying and selling email addresses. So not only can the hacker use the email addresses for direct attacks, but they can then sell the addresses to a list broker for further gain. Think that through the next time someone approaches you about selling a list—chances are most of the addresses were gathered unethically.

How An Attack Works

Remember, the hacker has an end goal. In this section we’ll build a scenario and walk through how an attack is planned and carried out.

Let’s say your site is a popular foodie blog. You have a cool newsletter signup on your site, and you allow people to comment on your blog. Somewhere along the way, you were interviewed on a food website about how you handle your business, and most importantly, your marketing. You told everyone that you use this really cool newsletter service called MiamiMail, that you have 280,000 subscribers, and the list grows by 2,000-3,000 subscribers a week. It’s so much to maintain that you hired Debra, a social-media expert, Quinn, an email-marketing guru, and Vince, a programmer who works with the MiamiMail API. You also talk about your guest bloggers and some of the famous chefs that actively participate on the blog and answer questions in the comments. You just built this great new recipe section, where the same famous chefs comment on the posts. Arthur is a hacker, and he’s just come off a series of attacks against major car dealers. He wants to change things up and reads the article about your site. It piques his interest because you gave some specific details. Here’s what Arthur knows about your business:

1. You use MiamiMail.

2. You have a substantial list, and it’s growing quickly.

3. Arthur knows about at least four people in the company: Debra, Quinn, Vince and you.

4. Arthur also knows some famous people who use your blogging tool.

5. Those famous people participate in the recipe section.

Arthur takes this data and begins to research the following:

1. MiamiMail. Find out anything and everything about them. He trolls the support forums, signs up for a free account, learns about the API and even experiments with the system to send a few test campaigns.

2. Your company’s About page. That really cool Team page came in handy! Arthur finds a few other employees and then begins researching your employees and building profiles for Debra, Quinn, Vince and you. He finds your Twitter, Facebook and LinkedIn profiles. He also finds out your home addresses, personal email accounts and a few other pieces of information he purchases using some stolen credit cards he got from that car dealer scam he ran last week.

3. The famous chefs. If Arthur can’t trick your employees, he might be able to trick one of the chefs and maybe gain some access to the blog.

Over the years we’ve seen SPAM grow in maturity. SPAM has moved from poorly spelled 419 scams, to simple phishing scams, and now we see smarter and more targeted SPAM and phishing attacks. Hackers have exposure to tools, data and blackhat ESP systems that allow them to run sophisticated campaigns against targeted victims. We see hackers use levels of sophistication beyond what most marketers use, like advanced segmentation, dynamic content using conditional merge tags, and combining other data sources to target recipients more effectively. With combined data sources, they can effectively attack your employees and users. If the attacker can’t obtain enough information, there are sites where a few dollars can provide them with just about anything they want to know. Just as you read your campaign results, the hacker is using reporting data from their malicious software. When they launch an attack, they use the stats to tweak and refine future attacks.

Arthur builds his campaign to drive his victims toward a site or series of malicious sites. These campaigns allow him to learn more about the computer systems involved, gain access to the owner’s system, or even worse, damage your infrastructure as a whole. He won’t just target employees—he’ll target business associates, family members and friends. Arthur may even use a series of campaigns to learn more information or gain access to specific computer systems.

So what is a malicious site?

Years ago someone would receive a virus in an email, click it, and get infected. Those tactics are still used, but these days most attacks use drive-by malware. The basic idea is that you visit a site that the hacker controls. They’ve embedded some JavaScript or code that runs and infects your system. You didn’t have to click anything—you simply visited the site and got infected. If Arthur plays his cards right, he’ll infect the right machines. Even if he doesn’t get to the systems he wanted, he’ll use the other systems to learn more information or attack elsewhere. And what does an infected machine provide Arthur with? Malware infections can include keyloggers, remote access and access to all the data on your machine or network. Once infected, Arthur has unfettered access to your information. Keyloggers allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is designed to run without you ever knowing it has been installed. Arthur can sit and watch and collect and learn. With time he’ll gain access to all of your systems or, in this case, gain access to your MiamiMail account. Once he has this access, he’ll steal your subscribers and start the process all over again. At this point, he can target your subscribers to gain access to their systems, attempt to steal credit cards and more. He can continue mining data from your system, or rent or sell your system to other hackers for other needs.

Read more about malware. Scary, huh? We suggest rottweilers with lasers.