Email and data encryption SecurityPoint 2008 David Strom [email protected] +1 (310) 857-6867

Page 1: Email and data encryption

Email and data encryption

SecurityPoint 2008
David Strom

[email protected]
+1 (310) 857-6867

Page 2: Email and data encryption

(c) David Strom Inc. SecurityPoint 2008 2

Summary

• How private is your data
• The role of encryption in data protection
• Different kinds of email and disk encryption
• Encryption deployment options
• The role of regulatory requirements and compliance

Page 3: Email and data encryption


How private is your personal data?

• What information do you routinely provide online:
  – Birth date (Facebook)
  – Postal codes and address (eCommerce)
  – Age and gender
  – Email address

• What information is on your laptop?

Page 4: Email and data encryption


How private is your corporate data?

• Who has admin rights to everything?
• Where do you keep your backups?
• What customer info is sent via the Internet?
• How many laptop users and where do they routinely take them?

Page 5: Email and data encryption


Are these actions privacy invasions?

• Sending out a single piece of email with everyone's email address clearly visible in the header

• A Web site that tries to make it easier for its customers to login and track their accounts

• Is a piece of software that records the IP address of the machine it is running on and phones home with the results spyware?

• A US Web site that allows anyone to look up a postal address attached to a telephone no.


Page 7: Email and data encryption


What kinds of information do the proposed new laws consider private?

• Your IP address
• Your Ethernet MAC address/Windows GUID
• Your purchase history with a Web storefront
• Your postal address and phone
• Your email address
• Your credit card, banking account numbers

Page 8: Email and data encryption


Be afraid. Be very afraid.

• Lost laptops with customer data
• Misplaced USB thumb drives and CDs
• Webmail logins from public kiosks
• Spyware-infected laptops inside your firewall
• And …

Page 9: Email and data encryption


Is your email private? No!

• Sending email is like writing an (unsigned) postcard
• Then leaving it on your kitchen counter
• Then handing it to some random passer-by to give to someone else
• Who eventually gives it to the recipient
• And, wait, there is more…

Page 10: Email and data encryption


And of course, breaches!

• http://www.pogowasright.org/index.php?topic=Breaches

• http://www.privacyrights.org/ar/ChronDataBreaches.htm

• Some scary cost numbers: http://www.crn.com/security/205207370

• http://www2.csoonline.com/exclusives/column.html?CID=33366

Page 11: Email and data encryption


The many faces of insecure email

• Webmail: unless you use https, EVERYTHING is in the clear

• Server backups: email stored in many different places that anyone can read

• Logins: POP, SMTP and IMAP do not encrypt your credentials

• Identifying info: SMTP includes IP address, email software version, and other information that could be a privacy concern
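The identifying information the last bullet refers to is visible to anyone who reads the headers of a delivered message. The Go program below is an added example, not part of the deck: it parses a constructed message (hypothetical hosts, documentation-range addresses, an invented X-Mailer string) and lists the relay and origin IP addresses and the client software version that the Received and X-Mailer headers disclose. Running the same check over your own outbound mail shows exactly what your relays and clients leak about internal hosts.

```go
package main

import (
	"fmt"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample message (not a real capture). Hosts and addresses are
// hypothetical: a laptop submits to its company relay, which forwards the
// message to the recipient's mail exchanger.
const sampleRaw = "Received: from mx2.example.net (mx2.example.net [203.0.113.7])\r\n" +
	"\tby mail.example.org with ESMTP id abc123;\r\n" +
	"\tMon, 10 Mar 2008 09:15:02 -0700\r\n" +
	"Received: from laptop.corp.example ([198.51.100.42])\r\n" +
	"\tby mx2.example.net with ESMTPA id def456;\r\n" +
	"\tMon, 10 Mar 2008 09:14:58 -0700\r\n" +
	"X-Mailer: Example Mail Client 3.1.4\r\n" +
	"From: alice@corp.example\r\n" +
	"To: bob@example.org\r\n" +
	"Subject: Quarterly numbers\r\n" +
	"\r\n" +
	"Body text.\r\n"

// Report lists what the headers alone disclose about the sender.
type Report struct {
	RelayIPs []string // every IPv4 literal in Received headers, newest hop first
	OriginIP string   // address in the bottom-most Received header: the submitting machine
	Mailer   string   // client software and version, if advertised
}

var ipv4 = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)

// IdentifyingInfo parses a raw RFC 5322 message and reports the IP addresses
// and client identifier that its headers carry in the clear.
func IdentifyingInfo(raw string) (Report, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Report{}, err
	}
	var r Report
	// Each relay prepends its own Received header, so the slice is in
	// delivery order: the last element is the first hop.
	received := msg.Header["Received"]
	for _, line := range received {
		r.RelayIPs = append(r.RelayIPs, ipv4.FindAllString(line, -1)...)
	}
	if n := len(received); n > 0 {
		if ips := ipv4.FindAllString(received[n-1], -1); len(ips) > 0 {
			r.OriginIP = ips[0]
		}
	}
	// X-Mailer (or User-Agent) advertises the client software and version.
	r.Mailer = msg.Header.Get("X-Mailer")
	if r.Mailer == "" {
		r.Mailer = msg.Header.Get("User-Agent")
	}
	return r, nil
}

func main() {
	r, err := IdentifyingInfo(sampleRaw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay IPs: %v\norigin IP: %s\nmailer: %s\n", r.RelayIPs, r.OriginIP, r.Mailer)
}
```

Feeding a real message to IdentifyingInfo instead of sampleRaw gives the same report; the origin IP is the one a recipient would learn about the internal machine that submitted the mail.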

Page 12: Email and data encryption


And email is easily compromised!

• Modified messages: anyone with system admin access can read, delete, and change any message

• Fabricated senders: anyone can set up a server with any domain name

• Non-repudiation: no delivery confirmation on most systems

• Unprotected backups!

Page 13: Email and data encryption


The current state of privacy best practices

• No clear privacy policy or protection
• Sometimes, a small obscure link at the bottom of a Web page that links to a privacy policy in extreme legalese
• Press releases when a breach occurs
• Sometimes you remember to type https:
• A few people using encryption products

Page 14: Email and data encryption


Microsoft is no privacy paragon

• Hotmail break-ins galore
• Global ID transmitted inside Word docs
• Network collapse from poor DNS config (2001)
• Software updates that scan your disk

Page 15: Email and data encryption


The problem

• The laws are changing, and getting tougher on breaches

• Your customer data is no longer a corporate asset -- now it is a liability

• Your employees are entitled to some modicum of data privacy

• There is no such thing as a secure perimeter in the age of the Internet

Page 16: Email and data encryption


The end of the secure perimeter

• Remote email, laptops now the norm
• IM becoming more popular for corporate use
• Most corporations have servers accessible from the Internet
• Most corporations don’t do very much in the way of endpoint security
• Even Hollywood knows about it: the USB thumb drive in the movie “The Recruit”

Page 17: Email and data encryption


So how can encryption help?

• Protect your files on your laptops
• Protect your communications between employees:
  – Email
  – IM

Page 18: Email and data encryption


Types of disk encryption

• Simple passwords on MS Office docs
• File-based encryption like PC-encrypt
• Password-protected U3 USB thumb drives
• Laptops with fingerprint scanners
• “Whole disk” encryption software

Page 19: Email and data encryption


Issues with disk encryption

• User apathy
• Lost password recovery
• Fear that the files won’t be available

Page 20: Email and data encryption


Types of email encryption

• S/MIME
• PGP
• TLS/SSL on top of SMTP relays


Page 22: Email and data encryption


What email encryption buys you

• Eyes only for the recipient
• Proves you were the actual sender
• Recipient knows whether a message was modified in transit
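The three guarantees on this slide (confidentiality, sender authentication, integrity) come from combining encryption with a digital signature, which is what both S/MIME and PGP do under the hood. The Go program below is an added example, not code from the deck or from either standard: it uses an Ed25519 signature, a one-time AES-256-GCM key and RSA-OAEP key wrapping as a simplified stand-in for the hybrid construction those formats use, and the Sealed type, the Seal and Open functions and the two sentinel errors are this example's own names. Open reports a modified message and a message signed by someone other than the claimed sender as distinct failures.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrTampered     = errors.New("message was modified in transit or is not for this recipient")
	ErrBadSignature = errors.New("signature does not match the claimed sender")
)

// Sealed is the constructed envelope: the pieces a PGP or S/MIME message
// carries, in simplified form.
type Sealed struct {
	WrappedKey []byte // one-time AES key, encrypted to the recipient's RSA public key
	Nonce      []byte
	Ciphertext []byte // AES-GCM output over body||signature, including the auth tag
}

// Seal signs the body with the sender's Ed25519 key, then encrypts body and
// signature under a fresh AES-256-GCM session key wrapped for the recipient.
func Seal(body []byte, senderPriv ed25519.PrivateKey, recipPub *rsa.PublicKey) (*Sealed, error) {
	sig := ed25519.Sign(senderPriv, body)
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	payload := append(append([]byte{}, body...), sig...)
	ct := gcm.Seal(nil, nonce, payload, nil)
	// Only the holder of the recipient's private key can recover sessionKey.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal. The GCM tag rejects any change to the ciphertext and
// the wrong recipient key cannot unwrap the session key (ErrTampered); the
// Ed25519 check rejects a body not signed by senderPub (ErrBadSignature).
func Open(s *Sealed, recipPriv *rsa.PrivateKey, senderPub ed25519.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipPriv, s.WrappedKey, nil)
	if err != nil {
		return nil, ErrTampered
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil || len(payload) < ed25519.SignatureSize {
		return nil, ErrTampered
	}
	cut := len(payload) - ed25519.SignatureSize
	body, sig := payload[:cut], payload[cut:]
	if !ed25519.Verify(senderPub, body, sig) {
		return nil, ErrBadSignature
	}
	return body, nil
}

func main() {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	recipPriv, _ := rsa.GenerateKey(rand.Reader, 2048)
	s, _ := Seal([]byte("Q3 numbers attached"), senderPriv, &recipPriv.PublicKey)
	body, err := Open(s, recipPriv, senderPub)
	fmt.Printf("%q %v\n", body, err)
	s.Ciphertext[0] ^= 0x01 // one bit flipped in transit
	_, err = Open(s, recipPriv, senderPub)
	fmt.Println(err)
}
```

Signing before encrypting, as here, is the order both standards use by default: the signature is itself protected from tampering and from being read by relays. The recovery and key-tracking issues listed on the next slides are about managing the RSA and Ed25519 keys this code simply generates in memory.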

Page 23: Email and data encryption


Email encryption issues

• No one cares about my communications
• Which standard do I get behind?
• How do I set up my PKI?
• How do I track my certs?
• How do I recover a forgotten password?
• What happens when my recipients don’t cooperate?
• My early experiences: http://strom.com/awards/227.html

Page 24: Email and data encryption


Email encryption deployment options

• Always use https: and SSL
• Use some form of VPN (1) (2)
• Use a secure service provider:
  – ZixCorp.com
  – HushMail.com
  – Secure-tunnel.com
  – Even Network Solutions!


Page 26: Email and data encryption


And PGP!

• Universal product for Webmail and external communications

• Desktop product for email and disk encryption

• Netshare product for file sharing protection

Page 27: Email and data encryption


Keyserver issues

• Not everyone lists their PGP key on them for all of their email accounts

• Only work with PGP versions
• You may have a private server
• Users need some training to use them

Page 28: Email and data encryption


Regulatory requirements and compliance

• What encryption can bring to the party
• Privacy protection in advance of pending legislation
• Avoid being tomorrow’s headline about your next breach or data leak

Page 29: Email and data encryption


Encryption compliance benefits

• End-to-end traffic protection
• Policy-based key management
• Digital signing for authentication and non-repudiation
• Content scanning for data leaks
• Phishing, virus, and spyware prevention

Page 30: Email and data encryption


Fred Avolio wrote

• If our business is worthless, if we never have a good idea, if there is nothing about what we do that anyone else would want, then we may be correct. However, that is not a description of our business, at least not for most of us.

• Start signing your e-mail messages with your digital certificate. Use it when confidentiality is important (which is a good deal of the time, is it not?). Just start using it.

http://www.avolio.com/columns/email-security.html (5/2000!)

Page 31: Email and data encryption


PGP Resources

• Tom’s Page on PGP http://www.mccune.cc/PGP.htm

• Martin’s client list http://www.bretschneidernet.de/tips/secmua.html