Date posted: 04-Jan-2016

Transcript (28 slides)

Page 1

Hosted by

10 Steps to Secure Messaging

Jim Reavis, President Reavis Consulting Group

Page 2

Agenda

Risks of insecure messaging

Policy

Architecture

Innovative technologies & trends

10 Steps

Companion site: csoinformer.com/10steps

Page 3

Top Ten Reasons to Secure Messaging

10. Protect intellectual property sensitive to your corporate mission

9. Avoid “angry” emoticons from your boss

8. Reduce risk of worms running rampant on your network

7. Poor dating prospects at the unemployment line

6. Increase user productivity

Page 4

Top Ten Reasons to Secure Messaging

5. “Sobig fatigue” not covered by workmen’s comp.

4. Securing communications with partners and customers creates new business opportunities.

3. Saying “ILOVEYOU” to the CEO is usually inappropriate outside of the annual Christmas party.

2. Reduce risk of legal liability.

1. Executive washrooms rock!

Page 5

About Reavis Consulting Group

Provide research and advisory services regarding best practices and emerging security trends

Clients include Fortune 500 members, gov’t and information security companies

Publish monthly CSOinformer newsletter

Page 6

Threats

Viruses

Worms

Spam

Insiders/Covert Channels

Idiot users who got their job just because they have the same last name as the CEO

[Diagram: Internet, Firewall, AV Gateway, E-mail Server and Internal Hosts, with IM and E-mail traffic crossing the perimeter]

Page 7

Risks

Data loss, theft & leakage

Compromised systems

Downtime/loss of productivity

Out of compliance with regulations

Civil litigation

Page 8

Risk Management

Topic of the year at CISO/CSO gatherings

Definition: the systematic process of managing an organization's risk exposures to achieve its objectives in a manner consistent with public interest, human safety, environmental factors and the law.

Reduce risk & create opportunities.

Page 9

Risk Management

Risk Mgt Strategies

• Avoid

• Accept

• Transfer

• Mitigate

Risk Mgt Process

• Establish Risk Profile

• Establish Protection Profile

• Modify PP as RP changes (e.g. threat level “Orange”, new business venture)

• ROSI

Risk = Value of the Asset × Severity of the Vulnerability × Likelihood of an Attack

Page 10

Policies

Legal due diligence (e.g. retention laws).

Communicate clearly.

• Acceptable & appropriate usages

• Clear definitions (e.g. what is proprietary)

• Provide examples (e.g. .EXE files prohibited, anything sent to payroll processor must be encrypted)

Documented acceptance.

How do you attain ROSI with your policy?

Page 11

Architectural Principles

Proxy all connections

• Hidden messaging methods may be P2P.

Measurement capabilities

Layered Defense Systems

Best of Breed vs Integrated Suite?

Integrated team approach

• How is IT working against your goals?

Page 12

Architectural Principles

Granular rules control

• Ad hoc blocking of new threats

• Prevent auto-forwarding risks

Compartmentalize

• Improve incident response

• Provide limited service during crises

Redundancy

Education & Awareness

Page 13

Incident Response

Formalized CERT

• Specialized messaging response team

Incident reporting

Response

• Containment (unplug, router ACL filters, etc)

• Disinfect, Remediate, Rebuild

Notify external partners

Forensics, analysis, lessons learned

Page 14

Baseline & Measurement

Network traffic analysis

E-mail & IM logging

Identify dependencies

Trend analysis

Support policy revisions

Creating TCO metrics for budgeting

Don’t hoard this information

Page 15

[Audience poll results (options 1–4): 60%, 27%, 7%, 7%]

Who wrote the antivirus software used by Microsoft in DOS 6.22?

1. Dr. Solomon

2. Central Point

3. X-tree

4. Microsoft

Page 16

Antivirus Strategy

Multiple AV tools

• Desktop, Server, Email Gateway.

• Antivirus network appliances, Managed AV service.

• How many levels of AV provide ROSI?

Content Filtering (Day Zero defense)

• Subject line.

• File attachment types.

Tactics outside of messaging control

• Lockdown e-mail client.

• Keep patching virus targets.
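An added example (not from the presentation) of enforcing the policy examples from page 10 and the content-filtering rules above at a mail gateway, in Python: it flags .EXE attachments by name and by the MZ header, requires mail to the payroll processor to be PGP/MIME or S/MIME encrypted, and filters on a subject keyword. The payroll domain, the subject keyword and all four sample messages are constructed for the demo.

```python
# Added example, not from the presentation. Gateway policy check for three rules
# the slides give as examples; domain, keyword and sample messages are constructed.
import email
from email import policy
PAYROLL_DOMAIN = "payroll.example"   # assumed partner domain
BLOCKED_SUBJECTS = ("iloveyou",)     # constructed day-zero subject rule
BLOCKED_EXT = (".exe",)              # the .EXE rule from the slides

def is_encrypted(msg):
    """True for a PGP/MIME (RFC 3156) or S/MIME envelope."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    return ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime")

def policy_violations(raw_bytes):
    """Return the names of the rules a raw RFC 822 message violates."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    found = []
    if any(w in (msg["Subject"] or "").lower() for w in BLOCKED_SUBJECTS):
        found.append("subject")
    rcpts = ((msg["To"] or "") + "," + (msg["Cc"] or "")).lower()
    if PAYROLL_DOMAIN in rcpts and not is_encrypted(msg):
        found.append("payroll-unencrypted")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Match on the name (catches report.pdf.exe) and on the MZ header,
        # so a renamed Windows executable is caught as well.
        if name.endswith(BLOCKED_EXT) or data.startswith(b"MZ"):
            found.append("attachment")
            break
    return found

def build(to, subject, ctype, body):
    # Assemble a constructed sample message as raw bytes.
    head = f"From: a@corp.example\r\nTo: {to}\r\nSubject: {subject}\r\nMIME-Version: 1.0\r\n"
    return f"{head}Content-Type: {ctype}\r\n\r\n{body}".encode()

EXE_PART = ('--b\r\nContent-Type: application/octet-stream\r\n'
            'Content-Disposition: attachment; filename="report.pdf.exe"\r\n'
            'Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--b--\r\n')
PGP_PARTS = ('--b\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n--b\r\n'
             'Content-Type: application/octet-stream\r\n\r\n-----BEGIN PGP MESSAGE-----\r\n'
             '(placeholder ciphertext)\r\n-----END PGP MESSAGE-----\r\n--b--\r\n')
SAMPLES = {
    "exe": build("bob@corp.example", "Q3 report", 'multipart/mixed; boundary="b"', EXE_PART),
    "payroll_plain": build("batch@payroll.example", "January run", "text/plain", "salaries\r\n"),
    "payroll_pgp": build("batch@payroll.example", "January run",
                         'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"', PGP_PARTS),
    "worm": build("ceo@corp.example", "ILOVEYOU", "text/plain", "kindly check\r\n"),
}
for label, raw in SAMPLES.items():
    print(label, policy_violations(raw) or "ok")
```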

Page 17

Antivirus scanning points

[Diagram: Internet, MSSP, Network Layer AV Appliance, AV Gateway, E-mail Server and E-mail Client, showing where scanning can take place]

Page 18

[Audience poll results (options 1–4): 40%, 20%, 29%, 12%]

What is the Internet Engineering Task Force RFC for OpenPGP?

1. 1542

2. 802.1x

3. 2440

4. I was told there would be no tests

Page 19

E-mail encryption services

Virtually unbreakable, often unusable

Key to protecting information and reducing malicious threats

Issue: total cost of ownership (TCO) traditionally a burden

Hot trend: encryption proxy servers/e-mail firewalls

Page 20

E-mail encryption by proxy

[Diagram: E-mail Server, Encryption Proxy, Webmail Server and Internet, with e-mail flowing through the proxy]

Proxy manages keys

Encrypts messages

Gives recipient option of secured SMTP message or Webmail

Page 21

Instant Messaging

Embrace and extend

Proxy connections

Encrypt communications

Logging & Usage profiling

Block dangerous behaviors (file transfers, etc)

Gateway ROSI benefit: IM compatibility

Page 22

Instant Messaging

IM Proxy

Central configuration & administration

Page 23

Spam

Why is this a security issue?

Anti-spam approaches:

• Keyword filtering

• Bayesian algorithm

• Blacklists/Whitelists

• Community voting

• Tagging vs. blocking

Multiple approaches often necessary.

ROSI Models.
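An added example (not from the presentation) of the Bayesian approach listed above, with the tagging-vs-blocking decision made by two probability thresholds, in Python. The training corpus, the thresholds and the test messages are constructed for the demo.

```python
# Added example, not from the presentation: a Bayesian spam filter whose
# "tagging vs. blocking" decision is made by two thresholds. Corpus is constructed.
import math
import re
from collections import Counter
TOKEN = re.compile(r"[a-z0-9$!']+")

def tokenize(text):
    return set(TOKEN.findall(text.lower()))   # word presence per message

class BayesFilter:
    def __init__(self, tag_at=0.8, block_at=0.99):
        self.counts = {"spam": Counter(), "ham": Counter()}  # docs containing word
        self.docs = {"spam": 0, "ham": 0}
        self.tag_at, self.block_at = tag_at, block_at

    def train(self, label, texts):
        for text in texts:
            self.counts[label].update(tokenize(text))
            self.docs[label] += 1

    def spam_probability(self, text):
        """P(spam | words) from class priors and smoothed per-word likelihoods."""
        score = {c: math.log(n / sum(self.docs.values())) for c, n in self.docs.items()}
        vocab = set(self.counts["spam"]) | set(self.counts["ham"])
        for word in tokenize(text) & vocab:       # unseen words carry no evidence
            for c in self.docs:
                # Laplace smoothing: one word absent from a class must not zero it out
                score[c] += math.log((self.counts[c][word] + 1) / (self.docs[c] + 2))
        return 1 / (1 + math.exp(score["ham"] - score["spam"]))

    def action(self, text):
        p = self.spam_probability(text)           # tag the suspicious, block the certain
        if p >= self.block_at:
            return "block"
        return "tag" if p >= self.tag_at else "deliver"
# Constructed training corpus, five messages per class.
SPAM = ["cheap meds online buy now", "buy cheap pills now", "free money win now",
        "win a free prize today", "online pharmacy cheap prices"]
HAM = ["meeting moved to 3pm tomorrow", "please review the attached budget",
       "lunch tomorrow?", "budget review meeting notes attached",
       "can you send the report today"]
def trained_filter():
    f = BayesFilter()
    f.train("spam", SPAM)
    f.train("ham", HAM)
    return f
for msg in ("buy cheap meds online now free", "cheap pills now", "meeting notes attached"):
    print(f"{trained_filter().action(msg):8} {msg}")
```

With this corpus the three demo messages land in the block, tag and deliver bands respectively; in practice the thresholds are tuned from the measured false-positive rate on the organisation's own mail.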

Page 24

Awareness

Courseware

• Reinforce policy

• Educate about threats

• Recognizing viruses

• Safe practices

• What to do, where to go for help

Regular internal AV newsletter

Page 25

To protect and to serve

[Diagram: Internet, Firewall, MSSP, Network Layer AV Appliance, AV Gateway, Content/Spam Filtering, Encryption Proxy, IM Proxy, Departmental E-mail Servers and Internal Hosts, with IM and E-mail traffic passing through the layers, and “Your boss”]

Page 26

Summary – the 10 Steps

1. Enforceable policies

2. Architecture

3. CERT & Incident Response Plan

4. Awareness program

5. Baseline & continuous measurement system

6. Encryption

7. Proxy everything

8. Multiple layers of virus/spam protection

9. “Best of Breed”

10. Take an integrated approach

Page 27

[Audience poll results (options 1–4): 46%, 28%, 20%, 6%]

According to IBM Research, in what year did the first PC virus appear?

1. 1984

2. 1986

3. 1988

4. The year Bill Gates was born

Page 28

Thank You!