Who’s Snooping on Your Email?
What to look for in a secure email gateway

By Chris McCormack, Senior Product Marketing Manager

Since revelations that the U.S. government is collecting massive amounts of data from electronic communications, the notion of online privacy has taken a big hit. Yet the loss of sensitive corporate data is not merely a question of government snooping or corporate espionage. Email poses the highest risk for accidental data exposure, breaches of privacy, or non-compliance with data protection regulations. In this whitepaper we’ll help you navigate today’s threats to email security. We’ll explain the obstacles to compliance and show you why you need a secure email gateway that offers more than just encryption.

A Sophos Whitepaper, September 2013

Your email is an open book

Almost all email traffic traverses the public Internet unencrypted in plain text format. It’s like sending a postcard in the mail. Anyone that stumbles across it, either maliciously or coincidentally, can read the full content without you ever knowing.

You might be wondering who could be interested in reading your email. What about your ISP or online mail service provider? Google is definitely interested. In a recent court filing, Google acknowledged that Gmail users have no “reasonable expectation” of privacy or confidentiality.[1] In its motion to dismiss a May 2013 class action lawsuit against it, Google stated:

“All users of email must necessarily expect that their emails will be subject to automated processing. Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their emails are processed by the recipient’s [email provider] in the course of delivery.
Indeed, a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”[2]

That’s a “stunning admission,” according to the Consumer Watchdog advocacy group, which recommends that people concerned with email privacy shouldn’t use Gmail.[3] Unfortunately, that’s no solution. It’s about as practical as recommending people not use email at all. Even if you don’t use Gmail, undoubtedly you have to correspond with customers, partners, or other stakeholders that do.

You might also have heard of PRISM, a clandestine mass electronic surveillance data-mining program run by the U.S. National Security Agency (NSA) for the last several years. The NSA collected and stored untold amounts of messaging traffic from Google, ISPs, and other online mail services like Hotmail and Yahoo.

But the risks with email are not limited to intentional snooping by the likes of Google or the NSA. How many times have you accidentally “replied-all” to an email intended for one recipient? Or accidentally sent an email to the wrong individual thanks to auto-complete in your email client? This happens all the time.
And the consequences of sending sensitive information to the wrong person could be devastating, ranging from publicly acknowledging a leak, to fines, loss of trust, reputation damage, and worse.

[1] http://www.theguardian.com/technology/2013/aug/14/google-gmail-users-privacy-email-lawsuit
[2] http://www.dailytech.com/Google+Yes+we+Read+Your+Gmail/article33184.htm
[3] http://www.consumerwatchdog.org/newsrelease/google-tells-court-you-cannot-expect-privacy-when-sending-messages-gmail-people-who-care

Spoofing, spearphishing and snowshoe spam

Then there are the latest email attacks to consider, such as phishing, which continue to evolve. Phishing is the act of attempting to acquire information such as usernames, passwords or credit card details by masquerading as a trustworthy email.

Phishing is often successful because of a technique known as email address spoofing, where the attackers use addresses in the “from” field that mimic legitimate accounts such as a bank, or even one using your company’s domain name to make the email appear to come from an internal sender like your IT department.

The latest trend is to target specific individuals or groups within organizations in a more personal and devious manner—now called spearphishing. Spearphishing is a common tactic of Advanced Persistent Threat campaigns, which aim to gain entry to the target organization’s network and obtain confidential information.

Last but not least, there’s good old-fashioned email spam. Thanks to your existing anti-spam filter, you’re probably not seeing most of it and you can easily identify the odd email from Nigerian princes that gets through.

But people are still susceptible to certain kinds of trickery and can be fooled into opening malicious attachments.
Researchers have found that spam appearing to come from a social media site like Facebook is more effective.[4]

Spammers are getting more innovative, using techniques like snowshoe spamming to evade anti-spam filters. Snowshoe spamming, as the name implies, spreads the load out across an enormous number of IP addresses. That makes it difficult for anti-spam filters to catch it all, improving the chances that one might get through to a user’s inbox.

[4] “Evolving spammers using bogus social media email to fool users,” BizReport, August 28, 2013, http://www.bizreport.com/2013/08/evolving-spammers-using-bogus-social-media-email-to-fool-use.html

Compliance with government regulations

Securing sensitive information for customers, partners, and employees isn’t just a best practice—it’s often the law. Compliance with regulations is a priority for organizations in healthcare, financial services and government. And even if you’re not, you need to consider data protection laws that might affect your customers.

There are a number of regulatory acts in nearly every region that dictate compliance and disclosure requirements in the event of a data leak. In the U.S., there’s the GLBA governing financial institutions, PCI DSS for payment card security, HIPAA and HITECH for the healthcare sector, and numerous state regulations to consider. And if you’re in another jurisdiction, there are similar regulations there too.

What they all have in common are requirements for the encryption of personal information that is either stored or transmitted electronically (via email or otherwise). These laws typically define penalties or fines for non-compliance and disclosure requirements in the event of a leak or breach.

Three simple steps to compliance:

1. Start with defining a policy and educating users

Provide your employees and stakeholders with a documented policy that explains the key elements of your data loss prevention strategy.
Focus on the types of data you need to protect, your motivations for protecting it, the consequences if you don’t, and the procedures to follow to ensure it’s protected.

2. Deploy email data protection technology

Your users and policy must be supported by effective, transparent technology. You need a solution to protect from accidental loss and to secure sensitive data that must leave the organization. A secure email gateway with policy-based encryption is an essential element of any effective data protection compliance solution.

3. Start with the essentials, expand over time

Data protection can easily become overwhelming, which is why it’s important to prioritize your data protection needs. Start with the most likely source of leaks: email. Make sure you’ve got the necessary policies in place to protect your most sensitive client, employee, or partner data first—such as credit card numbers, social security numbers and other PII or HIPAA data. Once those policies are running smoothly you should consider broadening your implementation.

What’s holding you back?

With all this motivation to secure your email and have an encryption solution in place, what’s holding you back?

Complexity: Most email encryption solutions are difficult to source, deploy and manage. You need a significant investment to evaluate and deploy infrastructure that has such wide-reaching impact on the entire company. It would make your life a lot simpler if there was a solution you could drop in place from your existing security vendor—one that doesn’t require a big deployment project and specialized staff to manage.

Cost: Most email encryption solutions are expensive in up-front dollars, plus ongoing costs of managing and maintaining the solution. Wouldn’t it be ideal if there was an email security solution that offered encryption and DLP within your existing anti-spam budget?

User experience: Most email encryption solutions are disruptive to end-user workflow.
They require explicit activity on the part of users to encrypt sensitive email, inviting mistakes. Or users need to deal with encrypted email outside of their normal email workflow, reducing productivity and increasing resistance to adoption. A better solution runs transparently in the background, automatically encrypting email based on DLP policies, without impacting users or requiring new client software.

What to look for in a secure email gateway

Here is a checklist of features to look for in an effective secure email gateway solution for data protection.

Simplicity and ease of management

• Look for a secure email gateway solution that combines anti-spam, DLP, and simple policy-based email encryption in a single product from a single vendor, managed from a single console
• Your selected solution should include pre-defined sensitive data types so it’s easy to build DLP policies out of the box
• Ensure the email encryption policies are simple enough that anyone on your staff can easily create new policies or fine-tune existing policies without training or documentation
• Select a solution that doesn’t require tedious and complex key management

Great user experience

• An effective email encryption solution should automatically scan both email and attachments for sensitive data types, and encrypt it before it leaves the organization—automatically and transparently, without forcing users to flag emails for encryption (in case they forget)
• Choose an email encryption solution that doesn’t disrupt senders or recipients.
  It should allow users to send email as they always have, using their preferred email client on their desktop, laptop, mobile device, or online
• Your email encryption solution should not require special software or launching a web portal for recipients to view encrypted email

Affordability

• Ideally, select a solution that provides DLP and email encryption within your existing anti-spam budget
• Select a solution that’s easy to evaluate and implement—without special hardware, software, or training on top of your existing anti-spam solution
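
The automatic scan-then-encrypt policy described in the checklist above, as an added Python example (not from the whitepaper or any Sophos product): it decodes every text part of an outbound message, attachments included, and flags Luhn-valid card numbers and SSN-formatted values. The function names, the two patterns and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Illustrative patterns (assumptions): 13-19 digit card candidates, US SSN layout.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum: discards digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return the set of sensitive data types present in one decoded text part."""
    hits = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        hits.add("card_number")
    if SSN_RE.search(text):
        hits.add("ssn")
    return hits

def gateway_decision(raw_message):
    """Policy for one outbound message: encrypt if any text part holds sensitive data."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    for part in msg.walk():
        # get_content() undoes base64/quoted-printable, so encoded attachments are
        # scanned as text. Binary formats (PDF, Office) would need extraction first.
        if part.get_content_maintype() == "text":
            hits |= find_sensitive(part.get_content())
    return ("encrypt" if hits else "deliver", sorted(hits))

def sample_message(attachment_text):
    """Constructed outbound message with a base64-encoded CSV attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.net", "Invoice"
    m.set_content("Hi Bob, the details are attached.")
    m.add_attachment(attachment_text, subtype="csv", cte="base64", filename="cards.csv")
    return m.as_string()

if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
    print(gateway_decision(sample_message("name,card\nTest User,4111 1111 1111 1111\n")))
```

Because the attachment is base64-encoded on the wire, a pattern match over the raw message would miss the card number; the decision is made on decoded parts.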
