
CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [261]

option is to use a client-side encryption scheme, such as PGP and S/MIME. But they offer security only for messages between other users of the same tool. Thus, most messages are still sent in the clear without any form of protection.

E-mail security comes from two things: reducing e-mail's functionality and modifying user behavior. As for functionality, secure e-mail is e-mail that does not execute mobile code, nor does it interpret and display HTML. Consider not allowing attachments to reach your clients; strip them off at the firewall. However, this will greatly reduce the ease of data exchange many rely on daily. Spam filtering services should be added to your e-mail delivery system, if they are not already part of your antivirus solution and your ISP’s e-mail services. All inbound e-mail should be quarantined until scanned. E-mail servers should be deployed as separate systems from all other services on the LAN. As for user behavior modification, teach your users the following rules:

■ Don’t open any attachments from unknown entities.

■ If you receive an attachment from a known entity, contact them to verify that they intended to send it.

■ Don’t send any attachments to anyone; use a true file exchange system instead, such as Secure FTP (SFTP), yousendit.com, or hushmail.com.

■ If attachments are needed, set up a separate account for sending and receiving them (Gmail is a great tool for that).

■ Never click on links sent via e-mail.

■ Never believe what you read in an e-mail message without confirming it with a third-party source.

■ Set up one e-mail address for business communications, a second for personal communications, and a third for all other forms of communication.

■ Use only your third e-mail address when registering with a website or handing out your contact information to others. Only after they prove trustworthy should you hand out one of your two primary e-mail addresses.

■ Don’t blindly follow any instructions included in an e-mail; hoaxes are common.

■ Report all suspicious activities or messages to the security administrator.

■ Don’t attempt to unsubscribe from spam; it’s just a ruse to get you to verify that the e-mail address used is valid, and it will encourage more spam.

■ Learn to use client-side black lists and white lists.

■ Never reveal personal data to anyone via e-mail because phishing attacks are prevalent and con artists are trying to steal your identity.

■ Don’t forward malicious e-mails to others.

■ Report fraud, abuse, spoofing, and spam to the proper authorities (such as spoof@ebay.com and spoof@paypal.com).

As you can see, most of the security benefits with e-mail communication arise from user behavior modification. User behavior modification is often an important part of the overall security infrastructure. However, it cannot operate alone; actual technical security mechanisms and physical access controls must be used to enforce security policy. User behavior modification combines awareness, training, and education. Your goal with user behavior modification is to encourage people to “buy into” the company’s security stance. The more people understand and believe in a security mechanism, the more likely they will uphold it and work within its confines. Without it, people will find ways to get around, subvert, or disable the security mechanism. This concept of user behavior modification applies to every aspect of security, not just e-mail communication security.
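As an added illustration (not from the book), here is one way a mail gateway could technically enforce the functionality reduction described above, delivering only plain text and stripping HTML bodies and attachments. The function names `sanitize` and `build_sample`, the kept-header list, and the sample message are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

KEEP_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")

def sanitize(raw: bytes):
    """Return (clean_message, removed): plain text only, no HTML, no attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    texts, removed = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype, fname = part.get_content_type(), part.get_filename()
        if ctype == "text/plain" and fname is None and not part.is_attachment():
            texts.append(part.get_content())
        else:
            # HTML bodies, files, inline images: anything a client might render or run
            removed.append(fname or ctype)
    clean = EmailMessage()
    for name in KEEP_HEADERS:
        if msg[name] is not None:
            clean[name] = msg[name]
    body = "\n".join(texts)
    if removed:
        body += "\n[gateway removed: " + ", ".join(removed) + "]\n"
    clean.set_content(body)
    return clean, removed

def build_sample() -> bytes:
    """Constructed sample: plain text + HTML alternative + executable attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.com"
    m["To"] = "bob@example.com"
    m["Subject"] = "Quarterly report"
    m.set_content("Report attached.\n")
    m.add_alternative("<html><body><script>x()</script><p>Report</p></body></html>",
                      subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="report.exe")
    return m.as_bytes()

if __name__ == "__main__":
    clean, removed = sanitize(build_sample())
    print("removed:", removed)
    print(clean.as_string())
```

The notice appended to the body tells the recipient what was withheld, so they can request the file through a separate file-exchange channel instead.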

File-Sharing Basics

Many work tasks require exchanging files regularly. Unfortunately, the most convenient method of exchange is to attach them to e-mails, which is problematic (see the discussion in the preceding section). So, if security is important and file exchange is essential for productivity, a secure method of exchanging files is needed. There are several secure file-exchange solutions available that either add security to the standard FTP solution or are built on more proprietary technology.

When deploying a file-sharing system, here are some important security ideas to keep in mind:

■ Don’t
