
6. Security in Networks
Information Security
Er. Shankar Bhattarai, MScEng (IOE, TU)
Network Security Basics
• A computer network, or simply a network, is a collection of connected
computing devices that share information and/or resources. Network
security is a central concern in computing because the variety and volume
of attacks against networks grow daily.
• Network security covers every aspect of protecting the sensitive
information resources present on, or reachable through, the network.
TCP/IP Model
• The TCP/IP protocol suite provides addressing and routing of traffic
(IP), flow control and error control (TCP), and the interface between a
node and the physical network.
• The Transmission Control Protocol (TCP) and the User Datagram
Protocol (UDP) are used to transmit network data to and from server
and client applications. The main difference between the two is that
TCP is connection-oriented while UDP is connectionless. With TCP, a
connection is first established between the two endpoints (the three-way
handshake) and remains open to carry data until one side closes it; UDP
simply sends independent datagrams with no setup, acknowledgement or
retransmission.
Network Architecture Basic
TCP/IP Model
The Transmission Control Protocol is a connection-based Internet protocol
responsible for breaking data into segments, which the IP protocol sends over
the network as packets. IP sits at the TCP/IP Internet layer, which corresponds
to the network layer of the OSI model, and is responsible for routing packets by
their IP address.
TCP is designed to guarantee delivery: it sets up and monitors the connection
between source and destination before data is transmitted, places segments in
sequential order, and requires acknowledgement from the receiving node that
data arrived before it slides its window forward and sends more.
The original TCP/IP model has four layers while the updated TCP/IP model has
five: application layer, transport layer, network layer, data link layer and
physical layer.
Similarities between TCP/IP model and
OSI model
• Both are logical models.
• Both define standards for networking.
• Both provide a framework for creating and implementing networking
standards and devices.
• Both divide the network communication process in layers.
TCP/IP Model
Application (5)
• This is where most Transmission Control Protocol/Internet Protocol
(TCP/IP) applications live. The software you write for your end
application will typically interact with some of these protocols. The
most commonly used TCP/IP application protocol is HTTP (Hypertext
Transfer Protocol), used for browsing the web.
Transport Layer (4)
• This layer sends and receives data to and from the applications
running on its host. The Transport layer assigns port numbers to the
processes running in applications on the host and adds a TCP or UDP
header to the messages received from the applications detailing the
source and destination port numbers.
Network/Internet layer (3)
• Layer 3 is the Network or Internet layer.
• When transmitting data, this layer adds a header containing the
source and destination IP addresses to the data received from
the Transport layer.
• When receiving data, this layer checks whether the destination
address of the packet is one of the host's IP addresses. If it is, the
payload is passed up to the Transport layer; otherwise a router forwards
it toward its destination and an end host discards it.
Data Link Layer (2)
• Layer 2 is the Data Link layer. This layer uses the Media Access
Control (MAC) sublayer to build the frames that will be transmitted. As
the name suggests, the MAC sublayer governs access to the shared
transmission medium.
• When transmitting data, this layer adds a header containing the
source and destination MAC addresses to the packet received from
the Network layer (layer 3). The frame it creates is then
passed to the Physical layer.
• When receiving data, this layer is used to determine if the frame
received by the host contains the host’s MAC address. If it does, the
data is forwarded up to the Network layer.
Physical layer (1)
• Layer 1 is the Physical layer. It sends and receives signals on the
physical wire or antenna to transmit the bits found in frames.
• There is a PHY found at the end of every network interface (e.g. end
of wire or antenna).
Port Numbers
Protocol                                            Transport   Common Port
FTP (File Transfer Protocol)                        TCP         20 (data), 21 (control)
SSH (Secure Shell)                                  TCP         22
Telnet                                              TCP         23
SMTP (Simple Mail Transfer Protocol)                TCP         25
DNS (Domain Name System)                            UDP/TCP     53
TFTP (Trivial File Transfer Protocol)               UDP         69
HTTP (Hypertext Transfer Protocol)                  TCP         80
POP3 (Post Office Protocol version 3)               TCP         110
NNTP (Network News Transfer Protocol)               TCP         119
NTP (Network Time Protocol)                         UDP         123
IMAP4 (Internet Message Access Protocol version 4)  TCP         143
HTTPS (Hypertext Transfer Protocol Secure)          TCP         443
• A port number identifies the specific process to which an Internet or
other network message is to be delivered when it arrives at a host.
• A port is a 16-bit field, so ports are numbered 0 to 65535: 0-1023 are
the well-known (privileged) ports, 1024-49151 the registered ports, and
49152-65535 the dynamic/ephemeral ports used for the client side of connections.
• Ports allow multiple programs on one host to share the same IP address.
• In their plain forms Telnet, FTP, TFTP, SMTP, POP3, IMAP4 and HTTP carry
credentials and data in cleartext; SSH and HTTPS are their encrypted replacements.
Firewall
• A firewall is a hardware device or software application installed on the
borderline of secured networks to examine and control incoming and
outgoing network communications.
• As the first line of network defense, firewalls provide protection from
outside attacks, but they have no control over attacks from within the
corporate network. Some firewalls also block traffic and services that
are actually legitimate.
Packet-Filtering Firewall
• Packet-filtering architecture examines each packet in isolation (stateless)
at the Internet and Transport layers: source and destination addresses,
source and destination port numbers, protocol type and TCP flags. Packet filtering
lets an administrator block traffic based on its source and destination addresses
and, depending on the device, traffic aimed at specific protocols and ports.
Because it keeps no connection state, it cannot tell a genuine reply from a probe
that merely sets the ACK flag, and it does not look inside the payload.
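The following is an added example (not code from the original slides): it decodes the Internet- and Transport-layer headers described in the layer slides above from raw bytes, then runs the decoded 5-tuple and TCP flags through a first-match packet-filter rule set of the kind a stateless packet-filtering firewall applies. The sample packets, the 192.0.2.0/24 site, and the three-rule policy are all constructed for the example; the checksums in the constructed headers are left at zero because nothing here is put on the wire.

```python
"""IPv4/TCP header decoding followed by a stateless packet filter (constructed example)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

SYN = 0x02
ACK = 0x10
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    flags: int          # TCP flag bits; 0 for UDP


def build_ipv4_l4(src: str, dst: str, proto: int, sport: int, dport: int, flags: int = 0) -> bytes:
    """Construct a minimal IPv4 header (20 bytes, no options) plus a TCP (20 bytes) or
    UDP (8 bytes) header. Checksums are left at zero: this is test input, not wire traffic."""
    l4 = (struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | flags, 65535, 0, 0)
          if proto == PROTO_TCP else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + l4


def parse(raw: bytes) -> Packet:
    """Layer 3 first: version/IHL say where the layer-4 header starts and the protocol
    field says how to read it (ports are the first 4 bytes of both TCP and UDP)."""
    ver_ihl, _tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    l4 = raw[(ver_ihl & 0x0F) * 4:]
    sport, dport = struct.unpack("!HH", l4[:4])
    flags = struct.unpack("!H", l4[12:14])[0] & 0x1FF if proto == PROTO_TCP else 0
    return Packet(str(IPv4Address(src)), str(IPv4Address(dst)), proto, sport, dport, flags)


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[int] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port
    new_conn: bool = False       # match only SYN-without-ACK, i.e. a connection attempt


# Hypothetical inbound policy for the 192.0.2.0/24 site; first matching rule wins.
RULES: List[Rule] = [
    Rule("allow", IPv4Network("0.0.0.0/0"), IPv4Network("192.0.2.10/32"), PROTO_TCP, 443),
    Rule("deny", IPv4Network("0.0.0.0/0"), IPv4Network("192.0.2.0/24"), PROTO_TCP, new_conn=True),
    # "established" trick of stateless filters: let anything with ACK set back in
    Rule("allow", IPv4Network("0.0.0.0/0"), IPv4Network("192.0.2.0/24"), PROTO_TCP),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    for r in rules:
        if IPv4Address(pkt.src) not in r.src or IPv4Address(pkt.dst) not in r.dst:
            continue
        if r.proto is not None and pkt.proto != r.proto:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.new_conn and not (pkt.flags & SYN and not pkt.flags & ACK):
            continue
        return r.action
    return "deny"   # nothing matched: default deny


def verdict(raw: bytes) -> str:
    return filter_packet(parse(raw))


if __name__ == "__main__":
    cases = {
        "https to web server": build_ipv4_l4("203.0.113.5", "192.0.2.10", PROTO_TCP, 50000, 443, SYN),
        "ssh attempt to desktop": build_ipv4_l4("203.0.113.5", "192.0.2.20", PROTO_TCP, 50001, 22, SYN),
        "reply to outbound flow": build_ipv4_l4("198.51.100.1", "192.0.2.20", PROTO_TCP, 80, 51000, SYN | ACK),
        "ack-only probe": build_ipv4_l4("203.0.113.5", "192.0.2.20", PROTO_TCP, 50002, 22, ACK),
        "dns to desktop": build_ipv4_l4("203.0.113.5", "192.0.2.20", PROTO_UDP, 50003, 53),
    }
    for name, raw in cases.items():
        print(f"{name:24s} -> {verdict(raw)}")
```

The "ack-only probe" case is the point of the last rule: a stateless filter cannot know whether an ACK-flagged segment belongs to a connection an inside host opened, so an attacker's ACK scan of port 22 is allowed through. Closing that gap requires tracking connection state, which is what the circuit-level gateway below (and modern stateful firewalls) do.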
Circuit-Level Gateway
• Circuit-level architecture monitors TCP session establishment between trusted
hosts on the LAN and untrusted hosts on the Internet. This monitoring, placed at
the Session layer (layer 5) of the OSI model, decides whether a requested
session is legitimate and then relays the established "circuit" without inspecting
application data. When hosts establish a TCP session they perform the three-way
handshake: the client sends a SYN, the server answers with SYN/ACK, and the client
completes it with an ACK. The gateway tracks this exchange and lets through only
packets that belong to a completed, legitimate session.
SSL: Secure Sockets Layer
• widely deployed security protocol
• supported by almost all browsers and web servers
• https
• billions $/year over SSL
• mechanisms: [Woo 1994]; implementation: Netscape
• variation - TLS (Transport Layer Security), RFC 2246 (TLS 1.0). Current
versions are TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446); SSL 3.0 itself is
deprecated (RFC 7568) and should not be enabled.
• provides
• confidentiality
• integrity
• authentication
• original goals:
• Web e-commerce transactions
• encryption (especially of credit-card numbers)
• Web-server authentication
• optional client authentication
• minimum hassle in doing business with a new merchant
• available to all TCP applications
• secure socket interface
Security Flaws in IP
• IP fragmentation attack
• End hosts need to keep the fragments until all the fragments arrive, so a
flood of incomplete fragment sets ties up reassembly memory; overlapping or
tiny fragments can also hide the TCP header from a packet filter.
• Traffic amplification attack
• IP allows broadcast destination addresses
• Problems? A single echo request sent to a broadcast address with a spoofed
source is answered by every host on that network, so the spoofed source (the
victim) receives many replies for each packet the attacker sends (the "smurf"
attack). Routers should not forward directed broadcasts arriving from outside.
Ping Flood
(Figure: Attacking System -> Internet -> Broadcast-Enabled Network -> Victim System.
The attacker sends echo requests to the broadcast network with the victim's
address as source, and the whole network replies to the victim.)
ICMP Attacks
• The Internet Control Message Protocol (ICMP) is a network layer protocol used by network devices to
diagnose network communication issues. ICMP is mainly used to determine whether or not data is
reaching its intended destination in a timely manner.
• The primary purpose of ICMP is error reporting.
• No authentication: any host can forge ICMP messages that appear to come from a router.
• ICMP redirect message
• Can cause the host to switch gateways (install a new route)
• Benefit of doing this? The attacker becomes the host's gateway:
• Man in the middle attack, sniffing
• ICMP destination unreachable
• Can cause the host to drop a connection (forged unreachable messages abort TCP sessions)
• ICMP echo request/reply
• Echo floods and smurf amplification (previous slide)
• Many more...
• http://www.sans.org/rr/whitepapers/threats/477.php
Routing Attacks
• Distance Vector Routing (e.g. RIP)
• A malicious router can announce distance 0 to all other nodes
• Neighbours prefer the short path, so it can blackhole traffic (drop it)
• or eavesdrop (inspect it, then forward it)
• Link State Routing (e.g. OSPF)
• A malicious router can advertise links as down, or drop link state updates
• Can claim a direct link to any other router
• A bit harder to attack than DV because every router computes paths from the full map
• BGP
• Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to
exchange routing and reachability information among autonomous systems (AS) on the
Internet.
• ASes can announce arbitrary prefixes (prefix hijacking), including another AS's address space
• ASes can alter the AS path, attracting traffic they should not carry
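An added simulation (not from the original slides) of the distance-vector attack above: a synchronous Bellman-Ford exchange over a five-router topology constructed for the example, run once honestly and once with router M announcing distance 0 to every destination. The function `hijacked` reports which destinations a given router now forwards to M.

```python
"""Distance-vector routing with one router that lies about its distances (constructed example)."""
from typing import Dict, List, Optional, Set, Tuple

Table = Dict[str, Dict[str, Tuple[int, str]]]   # node -> dest -> (cost, next_hop)

# Constructed topology: honest path A-B-C-D costs 3; M's real link to D costs 4.
LINKS = [("A", "B", 1), ("B", "C", 1), ("C", "D", 1), ("A", "M", 1), ("M", "D", 4)]


def run_dv(links: List[Tuple[str, str, int]], liar: Optional[str] = None, rounds: int = 32) -> Table:
    """Each round every router advertises its distance vector to its neighbours and
    each neighbour keeps the cheaper of what it knows and (link cost + advertised cost).
    A liar advertises distance 0 to every destination, the classic DV attack."""
    nodes = sorted({n for a, b, _ in links for n in (a, b)})
    nbrs: Dict[str, Dict[str, int]] = {n: {} for n in nodes}
    for a, b, c in links:
        nbrs[a][b] = c
        nbrs[b][a] = c
    table: Table = {n: {n: (0, n), **{m: (c, m) for m, c in nbrs[n].items()}} for n in nodes}
    for _ in range(rounds):
        adverts = {n: ({d: 0 for d in nodes} if n == liar
                       else {d: c for d, (c, _) in table[n].items()}) for n in nodes}
        changed = False
        for n in nodes:
            if n == liar:
                continue                     # the liar's own table is irrelevant here
            for m, link_cost in nbrs[n].items():
                for d, adv in adverts[m].items():
                    cand = link_cost + adv
                    if d not in table[n] or cand < table[n][d][0]:
                        table[n][d] = (cand, m)
                        changed = True
        if not changed:
            break                            # converged
    return table


def hijacked(table: Table, src: str, attacker: str) -> Set[str]:
    """Destinations whose traffic from src is forwarded to the attacker."""
    return {d for d, (_, nh) in table[src].items() if nh == attacker and d not in (src, attacker)}


if __name__ == "__main__":
    honest = run_dv(LINKS)
    evil = run_dv(LINKS, liar="M")
    print("honest A->D:", honest["A"]["D"], " with liar M:", evil["A"]["D"])
    for n in "ABCD":
        print(f"{n} sends to M traffic for: {sorted(hijacked(evil, n, 'M'))}")
```

With the lie in place A routes everything except its direct neighbour B through M at cost 1; M can drop that traffic (blackhole) or, since it does have a real path to D, forward it after reading it (eavesdrop). Nothing in plain RIP lets A check the claim, which is why routing protocols are run with neighbour authentication and with updates accepted only from known interfaces.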
TCP Attacks
Three-way handshake (figure): Client -> Server: SYN; Server -> Client: SYN|ACK;
Client -> Server: ACK.
TCP Layer Attacks
• TCP SYN Flooding
• The hostile client repeatedly sends TCP SYN segments to a listening port on the
server, each with a forged (spoofed) source IP address.
• The server responds to each such attempt with a SYN/ACK (a TCP
segment whose SYN and ACK flag bits are set) from the open port,
• starting the second step of the "three-way handshake" procedure. As long
as the handshake is neither completed nor terminated, the connection is
referred to as a "half-open connection".
• TCP SYN Flooding (continued)
• During this time, the information about the pending connection is
registered in the server's backlog queue, consuming memory and
processing capacity on the destination machine until the entry times out
(typically tens of seconds).
• An attacker exploits this by sending SYN segments at a very high rate,
aiming to fill the backlog and consume resources (memory and processing
capacity) of the target machine, making it unavailable for legitimate
connection requests.
• IP address spoofing is the key to a successful SYN flood. By spoofing the
source address, an attacker can flood the target with SYN segments while
ensuring that all SYN/ACK answers are sent to addresses that will never
send the final ACK (and the attacker's own address never appears).
• By doing so the attacker consumes memory and CPU on the
target machine, making it unavailable for legitimate connection
requests. Defences include SYN cookies (the server keeps no state until the
final ACK arrives), shorter half-open timeouts, and filtering spoofed sources
at the network edge (ingress filtering, BCP 38).
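An added example (not from the original slides) that simulates the SYN flood described above against two server models: one that allocates a half-open entry per SYN with a fixed backlog, and one that uses SYN cookies, where the server's initial sequence number is a keyed hash of the connection tuple and a coarse timestamp so that no state is stored until the final ACK proves the client is real. The addresses, ports, backlog size, secret and the 5-bit/27-bit cookie layout are constructed for the example (Linux's real layout also encodes the MSS); SYN cookies are a mitigation I am adding here, not something the slide discusses.

```python
"""SYN flood against a backlog-based server versus a SYN-cookie server (constructed example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

MASK32 = 0xFFFFFFFF


class BacklogServer:
    """Classic behaviour: every SYN allocates a half-open entry until the backlog is full."""

    def __init__(self, backlog: int):
        self.backlog = backlog
        self.half_open: Dict[Tuple[str, int], int] = {}   # (src, sport) -> our ISN

    def on_syn(self, src: str, sport: int, client_isn: int) -> Optional[int]:
        key = (src, sport)
        if key in self.half_open:
            return self.half_open[key]          # retransmitted SYN, same ISN
        if len(self.half_open) >= self.backlog:
            return None                         # backlog exhausted: SYN silently dropped
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[key] = isn
        return isn                              # SYN/ACK carries seq=isn, ack=client_isn+1

    def on_ack(self, src: str, sport: int, seq: int, ack: int) -> bool:
        isn = self.half_open.get((src, sport))
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[(src, sport)]        # established: backlog entry freed
        return True


class SynCookieServer:
    """Stateless: the ISN is an HMAC of the tuple and a timestamp, recomputed on the final ACK."""

    TICK_MASK = 0x1F     # 5 bits of timestamp in the top of the ISN
    MAX_AGE = 2          # cookies older than this many ticks are rejected

    def __init__(self, secret: bytes):
        self.secret = secret
        self.tick = 0                           # advanced by the caller in this simulation
        self.established: Set[Tuple[str, int]] = set()

    def _cookie(self, src: str, sport: int, client_isn: int, tick: int) -> int:
        msg = f"{src}|{sport}|{client_isn}|{tick}".encode()
        h = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (tick << 27) | (h & 0x07FFFFFF)

    def on_syn(self, src: str, sport: int, client_isn: int) -> Optional[int]:
        return self._cookie(src, sport, client_isn, self.tick & self.TICK_MASK)  # nothing stored

    def on_ack(self, src: str, sport: int, seq: int, ack: int) -> bool:
        cookie = (ack - 1) & MASK32             # client acks our ISN + 1
        client_isn = (seq - 1) & MASK32         # client's seq in the ACK is its ISN + 1
        tick = cookie >> 27
        if (self.tick - tick) & self.TICK_MASK > self.MAX_AGE:
            return False                        # stale cookie
        if cookie != self._cookie(src, sport, client_isn, tick):
            return False                        # forged, or replayed with a different tuple
        self.established.add((src, sport))
        return True


def run_flood(server, spoofed: int, legit: Tuple[str, int] = ("198.51.100.7", 40000)) -> bool:
    """Send `spoofed` SYNs from forged sources that never finish the handshake,
    then one honest client. Returns whether the honest client gets connected."""
    for i in range(spoofed):
        server.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 1)   # constructed spoofed sources
    client_isn = 777
    synack = server.on_syn(legit[0], legit[1], client_isn)
    if synack is None:
        return False                            # legitimate SYN dropped
    return server.on_ack(legit[0], legit[1], client_isn + 1, (synack + 1) & MASK32)


if __name__ == "__main__":
    print("backlog=128,  1000 spoofed SYNs, honest client connects:",
          run_flood(BacklogServer(backlog=128), spoofed=1000))
    print("SYN cookies, 10000 spoofed SYNs, honest client connects:",
          run_flood(SynCookieServer(os.urandom(16)), spoofed=10000))
```

The cost of the cookie approach is the reason it is usually enabled only under attack: because the server remembers nothing, any TCP options carried in the SYN (window scale, SACK) are lost unless they are also squeezed into the cookie, and the 24-27 bits of hash make a forged final ACK succeed with small but non-zero probability per attempt.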
• TCP Session Hijack
• Session hijacking is an attack in which an attacker takes over a
valid TCP communication session between two computers.
• Attackers who can sniff the traffic of an established TCP session learn the
current sequence and acknowledgement numbers and can inject segments that
both ends accept as genuine, enabling identity theft, information theft,
fraud, etc. This works because most authentication occurs only at the start
of a session.
• At the application layer the equivalent is stealing a valid session ID
(e.g. a cookie) and using it to authenticate to the server as the victim.
IP spoofing attack
• This technique is used by attackers to gain unauthorized access
to servers that trust particular source addresses. The attacker sends packets
to the server not with his own IP address but with a "trusted" IP address
in the source field.
• In this way the server does not realize that the traffic comes from
an attacker.
• Once the attacker has found a "trusted" IP address, he modifies the
headers of his packets so that the attacked server believes the packets
come from that trusted host. Replies go to the trusted host, not the attacker,
so blind spoofing of TCP also requires guessing the server's initial sequence
number; randomized ISNs and ingress filtering make this much harder.
Application Layer Attacks
• Similar to SYN flood infrastructure attacks, the attacker attempts to
overload specific functions of an application to make the application
unavailable or extremely unresponsive to legitimate users.
• Examples of application layer attacks include HTTP floods, cache-
busting attacks (requests with unique query strings so every request reaches
the origin server), and WordPress XML-RPC floods.
• Many such attacks succeed because applications do not authenticate or
rate-limit requests properly before doing expensive work.
Enterprise Network Security
• To maintain proper security over a widely distributed enterprise network, it is
essential to be able to conduct certain security-related processes from a
single, centralized security management location. Among these processes or
functions are:
• Single point of registration (SPR) allows the network security manager to enter a new
user (or delete a terminated user) from a single centralized location and assign all
associated rights, privileges, etc.
• Single sign-on (SSO), also sometimes known as secure single sign-on, allows
users to log into the enterprise network once from their client PC and be authenticated
to all participating services.
• ACS (Access Control System)
• Authentication, Authorization and Accounting (AAA)
Adaptive Security Appliance
• Adaptive Security Appliance (ASA) is Cisco's firewall platform; the points below
apply to firewalls generally.
• A firewall is a network security device that monitors incoming and
outgoing network traffic and decides whether to allow or block
specific traffic based on a defined set of security rules.
• Firewalls have been a first line of defense in network security.
• They establish a barrier between secured and controlled internal
networks that can be trusted and untrusted outside networks, such as
the Internet.
Intrusion Detection System (IDS)
• An intrusion detection system (IDS) is a device or software application
that monitors a network for malicious activity or policy violations.
• Any malicious activity or violation is typically reported or collected
centrally using a security information and event management (SIEM) system.
• The main difference from a firewall is that a firewall performs actions such as
blocking and filtering traffic, while an IDS detects and alerts a system
administrator (or, if configured to, prevents the attack).
• Some IDSs are capable of responding to a detected intrusion upon
discovery. These are classified as intrusion prevention systems (IPS).
• An intrusion prevention system (IPS) is intended to stop malicious events by
blocking attacks as they are happening; it therefore sits inline in the traffic path,
whereas an IDS can work from a passive copy of the traffic.
• The determination of what is malicious is based on either behaviour (anomaly)
analysis or signature-based detection.
• Signature-based IPS monitors packets in the system or network and compares them with
pre-configured, pre-determined attack patterns known as signatures. It cannot detect
attacks for which no signature exists yet, and simple variations (encoding, case changes,
fragmentation) may evade a poorly written signature.
• Attack types an IPS can block include (among others):
• Denial of Service
• Distributed Denial of Service
• Exploits (various types)
• Worms
• Viruses
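An added example (not from the original slides) of the two detection styles above run over web-server access log lines: regular-expression signatures for SQL injection and directory traversal, and a behavioural rule that flags a client exceeding a request rate inside a sliding window (the HTTP/XML-RPC flood case from the application-layer slide). The log format, the log lines, the addresses and the thresholds are all constructed for the example. Note that the signatures are matched against the percent-decoded path: the injection line is only visible after decoding, which is the evasion the caveat above refers to.

```python
"""Signature-based and behavioural detection over access log lines (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed format (not a real server's): <ISO timestamp> <client ip> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 GET /index.php?id=7 200
2024-05-01T10:00:01 203.0.113.5 GET /index.php?id=1%27%20OR%201=1-- 200
2024-05-01T10:00:02 203.0.113.5 GET /download?file=..%2F..%2Fetc%2Fpasswd 404
2024-05-01T10:00:03 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:04 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:05 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:06 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:07 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:08 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:09 192.0.2.9 POST /xmlrpc.php 200
2024-05-01T10:00:30 198.51.100.7 GET /about 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Signatures are applied to the decoded path; matching the raw line would miss %27%20OR%201=1.
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("sqli", re.compile(r"union\s+select|\bor\s+1\s*=\s*1|'\s*--", re.I)),
    ("traversal", re.compile(r"\.\./")),
]


def detect(lines, rate_limit: int = 5, window_s: int = 10) -> List[Tuple[str, str, str]]:
    """Return (alert_type, source_ip, detail) tuples. Signature hits are per line;
    the flood alert fires once per source when more than rate_limit requests fall
    inside any window_s-second window."""
    alerts: List[Tuple[str, str, str]] = []
    recent: Dict[str, List[datetime]] = defaultdict(list)
    flooding: set = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # skip blank or malformed lines
        ts, src, _method, path, _status = m.groups()
        t = datetime.fromisoformat(ts)
        decoded = unquote(path)
        for name, rx in SIGNATURES:                   # signature-based
            if rx.search(decoded):
                alerts.append((name, src, decoded))
        q = recent[src]                               # behavioural: sliding window per source
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.pop(0)
        if len(q) > rate_limit and src not in flooding:
            flooding.add(src)
            alerts.append(("http-flood", src, f"{len(q)} requests within {window_s}s"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:11s} {src:14s} {detail}")
```

A signature engine like this is only as good as its normalization step: case-folding, percent-decoding (once; double-decoding is its own evasion) and path canonicalization all have to happen before the pattern match, and the behavioural rule needs a per-source state store that an attacker cannot blow up by spraying sources.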
Vulnerability
• A vulnerability is a weakness or flaw in software, hardware, or
organizational processes which, when exploited by a threat, can
result in a security breach.
• A computer system vulnerability is a flaw or weakness in a system or
network that could be exploited to cause damage, or allow an
attacker to manipulate the system in some way.
Vulnerability
Causes
• Design Flaws
The two major components of a computer system, hardware and software, quite often have
design flaws. The biggest problems in system security are due to software design
flaws. Rushing to finish, overconfidence, and the use of nonstandard or untested algorithms
can all result in design flaws.
• Poor Security Management
Security management is both a technical and an administrative process that involves the
security policies and controls the organization decides to put in place to provide the
required level of protection.
The most effective way to meet those goals is to drive the controls from a security risk
assessment expressed in a security policy, and to secure access to network resources
through the use of firewalls and strong cryptography.
Good security management is made up of a number of implementable
security components that include
• risk management,
• information security policies and procedures,
• standards, guidelines,
• information classification,
• security monitoring,
• security education.
• Incorrect Implementation
Incorrect implementation very often results from incompatible
interfaces. Two product modules can be deployed and work together
only if they are compatible: adding a module must not change the
assumptions the existing interface relies on (for example, one module
validating input that the other assumes has already been validated).
• Internet Technology / poor configuration of network
Internet technology has been and continues to be vulnerable. There
have been reports of all sorts of loopholes, weaknesses, and gaping
holes in both software and hardware technologies.
• Social engineering
Social engineering is an outside hacker's use of psychological tricks on
legitimate users of a computer system, in order to gain the information
(like usernames and passwords) one needs to gain access to the
system.
Software vulnerabilities
• Operating system vulnerabilities: operating systems are the main
source of all reported system vulnerabilities.
• Port-based vulnerabilities: after operating systems, network service
ports are the second most common source of system vulnerabilities. For system
administrators, knowing which listening services are most often attacked goes a long
way toward enhancing system security by blocking those ports at the firewall
and disabling services that are not needed.
• Application software errors.
• Protocol implementations such as web browsers and web servers.
various steps involved in Vulnerability
Assessment
• Collection of data: The first step of the assessment is to collect all the necessary data
regarding the resources used in the system, such as IP addresses, media
used, hardware used, kind of antivirus used, etc. Once all these details
are collected, further analysis can be done.
• Identification of possible network threats: Locate the possible causes and
loopholes for network threats that can harm the system. Here, we
also need to prioritize, so that the biggest threats are attended to first.
• Analyzing the router and Wi-Fi password: Check that the passwords
used to log into the router and to access the wireless network are strong
enough that they cannot be easily cracked, and that default credentials have
been replaced. Passwords should also be changed at a regular interval and
whenever a compromise is suspected, so that the system is more resistant to attack.
• Reviewing the organization's network strength: The next step is to
evaluate how the network withstands the usual attacks, including distributed
denial of service (DDoS), man-in-the-middle (MITM) and network intrusion. This
gives a clear picture of how the system will respond to these attacks and
whether it can recover on its own.
• Security assessment of network devices: Now analyze the response
of the network devices (switches, routers, modems and PCs) to network attacks.
This shows how each device reacts to the threats identified.
• Scanning for identified vulnerabilities: The next step is to scan the
system for known vulnerabilities already present in the network, using
vulnerability scanning tools.
• Report creation: Documenting the network vulnerability assessment is
crucial. The report should contain all the activities performed from start
to end, the vulnerabilities found during testing, their severity, and the
steps to remediate them.
• Repetitive testing: Keep reviewing and analyzing the system for new
threats and attacks and take all possible measures to mitigate them; a
vulnerability assessment describes a point in time, not a permanent state.
Types of Network Security Attacks
1) Man-in-the-Middle Attacks
With man-in-the-middle attacks, the attacker inserts himself into the traffic between two network devices.
This is typically done by impersonating one device's address to the other (for example by
ARP spoofing, DNS spoofing or an ICMP redirect), so that the messages being transmitted pass
through the attacker and can be read or altered.
2) Rootkit
Rootkits are stealthy programs designed to hide an attacker's presence and keep administrative access on a
network device. Once installed, attackers have full and unrestricted access to the device and can, therefore,
execute any action such as spying on users or stealing confidential information without detection.
3) Phishing
This is the most well-known attack technique: the attacker sends users an email
with a malicious link or attachment. Clicking the link or opening the attachment installs malware that
infects the device and can spread through the network until it is contained, or leads to a fake login
page that harvests credentials.
4) Denial-of-Service
With this attack, attackers co-opt hundreds or thousands of devices (a botnet) and use them to send
requests to a network server. Eventually a threshold is reached at which the server
becomes overwhelmed and is unable to process all the inbound traffic. The
server crashes or stops responding, and the website becomes unavailable.

5) SQL Injection Attack
Most website backend databases are queried using Structured Query Language
(SQL). With an SQL injection attack, the attacker supplies input that the application
concatenates into an SQL statement, changing the statement's meaning so that the attacker can read,
modify or destroy data in the backend database and thereby compromise the website.
The standard defence is to pass user input as query parameters (prepared statements)
rather than building SQL strings.
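An added example (not from the original slides) showing the injection above against an in-memory SQLite table: the vulnerable login builds its statement by string formatting, the safe one passes the same inputs as bound parameters. The table, the two accounts and the attack strings are constructed for the example; passwords are stored in plaintext only to keep the demo short, a real application stores a salted hash.

```python
"""String-built SQL beside a parameterised query, against in-memory SQLite (constructed example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext only to keep the demo short; store a salted password hash in practice.
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The flaw: user input is concatenated into the statement, so a quote in the input
    ends the string literal and the rest is parsed as SQL (a comment, an OR clause, ...)."""
    query = f"SELECT username FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameters travel separately from the SQL text; the driver never parses them as SQL,
    so a quote or comment marker in the input is just data compared against the column."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    attacks = [("admin' --", "anything"), ("x", "' OR '1'='1")]
    for user, pw in attacks:
        print(f"{user!r:14s} {pw!r:14s} vulnerable={login_vulnerable(db, user, pw)} safe={login_safe(db, user, pw)}")
```

The first attack turns the password check into a comment and logs in as admin; the second makes the WHERE clause true for every row. Both return True from the string-built version and False from the parameterised one with no other code change, which is why prepared statements, not input "sanitizing", are the fix.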
Securing Network
Reconnaissance
• Reconnaissance is a set of processes and techniques (Footprinting,
Scanning & Enumeration) used to covertly discover and collect
information about a target system.
• Network reconnaissance is a term for testing for potential
vulnerabilities in a computer network. This may be a legitimate
activity by the network owner/operator, seeking to protect it or to
enforce its acceptable use policy. It also may be a precursor to
external attacks on the network.
• During reconnaissance, an ethical hacker attempts to gather as much
information about a target system as possible, following the seven steps
listed below:
• Gather initial information
• Determine the network range
• Identify active machines./Devices
• Discover open ports and access points
• Fingerprint the operating system
• Uncover services on ports
• Map the network
Virtual Private Network (VPN)
• A Virtual Private Network (VPN) allows a user to connect to a private network over the
Internet securely and privately. The VPN creates an encrypted connection called a VPN tunnel,
and traffic between the endpoints is passed through this tunnel.
• VPNs make it possible to securely access and exchange confidential data over shared network
infrastructure, such as the public Internet.
• Remote Access VPN:
A remote access VPN permits a user to connect to a private network and access its services and
resources remotely.
• Also used by home users and private individuals to
• bypass regional restrictions on the Internet and
• access blocked websites (the VPN provider then sees their traffic, so it must itself be trusted).
• Site to Site VPN:
A site-to-site VPN is also called a router-to-router VPN and is commonly used by large companies.
Companies or organizations with branch offices in different locations use a site-to-site VPN to connect the
network of one office location to the network at another office location.
Virtual Private Network (VPN)
Protocols used in VPN
• Internet Protocol Security (IPsec):
Internet Protocol Security, known as IPsec, is used to secure IP
communication across an IP network.
• IPsec is a collection of protocols that protect communications over IP networks;
they work together in various combinations to provide authentication, integrity,
confidentiality and anti-replay protection.
• It uses a group of protocols: Encapsulating Security Payload (ESP, encryption and
integrity), Authentication Header (AH, integrity and origin authentication only, no
encryption), and the Internet Key Exchange (IKE) protocol, which authenticates the
peers and negotiates the keys and algorithms for the security associations.
Virtual Private Network (VPN)
IPsec secures Internet Protocol communication by authenticating the peers when the
session is set up and then protecting each packet during the connection. IPsec runs in 2
modes:
• (i) Transport mode
• (ii) Tunnel mode
• Transport mode protects only the payload of the IP packet (the transport-layer
segment); the original IP header stays visible. Tunnel mode protects the whole
original IP packet and wraps it in a new IP header whose addresses are the tunnel
endpoints, so the inner addresses are hidden. IPsec can also be combined with other
security protocols.
• IPsec tunnel mode is used between two dedicated routers or gateways, each
acting as one end of a virtual "tunnel" through a public network (site-to-site VPN);
transport mode is typically used host-to-host.
Virtual Private Network (VPN)
Point-to-Point Tunneling Protocol (PPTP):
PPTP is an older tunneling protocol. It creates a tunnel and encapsulates the data
packet; the tunnel carries Point-to-Point Protocol (PPP) frames, and encryption is provided
by Microsoft Point-to-Point Encryption (MPPE), keyed from the PPP authentication
(usually MS-CHAPv2). PPTP was one of the most widely used VPN protocols and has been
available since early releases of Windows; it was also supported on Mac and Linux.
The MS-CHAPv2 exchange can be broken offline and MPPE's RC4 keying is weak, so PPTP is
now considered insecure: support has been dropped from some operating systems and it
should not be used for new deployments.
Secure Shell (SSH):
Secure Shell (SSH) can create an encrypted tunnel through which data is transferred
(port forwarding). The connection is opened by an SSH client, and data sent to a local port
is carried through the encrypted tunnel to the remote server and on to its destination;
this is a per-port tunnel rather than a full network-layer VPN.
SSL
• SSL is short for Secure Sockets Layer, a technology that encrypts communication
between users and a website.
• It was first developed by Netscape in 1995 for the purpose of ensuring privacy,
authentication, and data integrity in Internet communications. SSL is the
predecessor of the modern TLS encryption used today; the name "SSL" survives
in common usage and in the term "SSL certificate".
• This encryption ensures that important data such as usernames, passwords, and
credit card information is sent from the user to the site without the risk of
interception by someone on the network path.
• A website with a valid certificate runs over HTTPS. The browser shows a padlock to
indicate that the connection is encrypted and the certificate was validated; this
says nothing about whether the site's content is trustworthy, and phishing sites
also obtain certificates. Reputable websites use TLS to protect their customers'
data and online transactions; their reputation depends on it.
SSL
• SSL/TLS begins with a handshake between the two communicating parties, in
which the server (and optionally the client) proves its identity with a
certificate and the two sides agree on session keys.
• SSL/TLS also protects each record with a message authentication code (or an
authenticated-encryption cipher) to provide data integrity, verifying
that the data was not tampered with before reaching its intended
recipient.
SSL
• The most common and well-known use of SSL/TLS is secure web browsing
via the HTTPS protocol. A properly configured public HTTPS website
presents an SSL/TLS certificate signed by a publicly trusted CA.
Users visiting an HTTPS website can be assured of:
• Authenticity. The server presenting the certificate is in possession of the
private key that matches the public key in the certificate, and the CA has vouched
that the key belongs to the domain name in the address bar.
• Integrity. Data exchanged over the connection (e.g. web pages) has not
been altered in transit by a man in the middle.
• Encryption. Communications between the client and server are encrypted.
Intrusion Detection System
• Intrusion detection is the process of monitoring and analyzing system
events, to identify and report such intrusions
• An intrusion detection system (IDS) automates the process, and
includes monitoring events, logging related data, analysis, and means
to report events requiring human attention.
• Host Based IDS events may be derived from kernel-generated
operations and audit records, application logs (noting userid),
filesystem changes (file integrity checks, file permissions, file
accesses), and system call monitoring; plus specific to the host,
network accesses, incoming/outgoing packet contents, and status
changes in network interfaces (ports open, services running).
• Resource use patterns (CPU time, disk space) may reveal suspicious
processes
• (Reconnaissance: Nmap).
• Dual-use tools are used by both white-hats and black-hats.
• For example, Nmap (Network Mapper) is an open-source network scanner
driven from the command line (Zenmap is its graphical front end). Among other
features, it supports:
• finding IP addresses of live hosts within a target network (host discovery);
• OS classification of each live host (OS fingerprinting, above);
• identifying open ports on each live host (port scanning); version detection (for
open ports, identifying the service listening and its version); and
• network mapping (building a network topology: hosts and how they are
connected).
• Vulnerability scanner:
• Nessus: Nessus is a widely used remote vulnerability scanner, again dual use and in
this case proprietary (free for non-commercial use). It has discovery capabilities, but
the focus is vulnerability assessment.
• Nessus is one of many vulnerability scanners used during vulnerability assessments
and penetration testing engagements, and also by attackers.
• Configuring Nessus to run a scan includes specifying targets (IP addresses or network
ranges), port ranges and types of port scans (similar to Nmap), and credentials for
authenticated checks where available.
• (Metasploit: vulnerability exploitation framework). The well-known open-source
Metasploit Framework, a toolkit and application providing command line, console, and
browser point-and-click interfaces, is used by systems administrators and penetration
testers to verify that a vulnerability is actually exploitable, and by black-hats for
(unauthorized) exploitation of network services.
Denial of service (DoS)
• Denial of service (DoS) attacks are those that deny legitimate users the availability
of resources and services, by intentional acts that severely degrade performance
or cause outright failure.
• Two classes of DoS attacks:
• I. One class exploits latent implementation flaws (software vulnerabilities), e.g. a
malformed packet that crashes the target.
• II. A second exhausts resources (bandwidth, CPU, main memory, disk), by flooding to
overwhelm by traffic volume, by consuming fixed resources (SYN floods above), or by
requesting resource-intensive operations (e.g., generation of asymmetric key pairs).
• A flooding attack may be possible even from a single attack machine, limited only
by its CPU speed and link capacity, continually sending packets to a target. Such
high packet rate attacks may exploit link speed asymmetries, i.e., use hosts with
high-bandwidth connections to attack targets with lower-bandwidth connections.
• DDoS. A distributed denial of service (DDoS) flooding attack is one
that uses large numbers of devices across a wide array of addresses
(e.g., using a botnet) to disrupt the normal traffic of a targeted server,
service or network by overwhelming the target or its surrounding infrastructure
with a flood of Internet traffic.
• DDoS attacks achieve effectiveness by utilizing multiple compromised
computer systems as sources of attack traffic, which makes the traffic hard to
distinguish from legitimate clients and impossible to block by source address alone.
Honeypot
• A honeypot is a security mechanism that creates a deliberate trap to lure attackers. A
system that is intentionally exposed (and holds no production data) lets attackers
attempt to exploit its vulnerabilities while you study them to improve your security
policies and detection. A honeypot can imitate any computing resource, from software
and networks to file servers and routers.
There are two primary purposes of honeypot designs:
• Production honeypots serve as decoy systems inside fully operating networks and
servers, often as part of an intrusion detection system (IDS). They deflect criminal
attention from the real systems while recording malicious activity to help mitigate
vulnerabilities; any connection to them is suspicious by definition, so they generate
few false positives.
• Research honeypots are used for educational purposes and security enhancement.
They contain trackable data that you can trace when stolen, to analyze the attack.
Email security
• Email security is the term for any procedure that protects email
content and accounts against unauthorized access.
• Email is popular with hackers as a tool for spreading malware, spam,
and phishing attacks.
• They use deceptive messages to trick recipients into sharing sensitive
information, resulting in identity theft. They lure people into opening
attachments or clicking hyperlinks that install malware (such as email
viruses) on the user’s device. Email is also a main entry point for
attackers looking to access an enterprise network and breach valuable
company data.
Email security
• There are multiple ways to ensure the security of enterprise email accounts, but it is important to
combine employee education with comprehensive security policies and procedures.
• Password Cycling: Require employees to use strong, unique passwords and change them whenever
compromise is suspected. Mandatory periodic rotation, once standard advice, is no longer recommended
by NIST SP 800-63B because it pushes users toward predictable variations of the old password.
• Secure Login: Ensure that webmail applications use encryption (HTTPS). This is standard functionality, but critical
to prevent credentials and emails from being intercepted by malicious actors.
• Spam Filtering: Implement scanners and other tools to scan messages and block emails containing
malware or other malicious files before they reach end users. Even relatively benign spam, such as
marketing offers, can hamper productivity if employees have to manually remove it from their inboxes.
• Spyware Protection: A robust endpoint security program or a dedicated spyware removal service that can
dispose of malicious email attachments and repair altered files and settings.
• Email Encryption: Encryption technologies such as OpenPGP and S/MIME let users encrypt emails end to end
between sender and recipient. This is a necessity for businesses where sensitive information is shared
frequently via communication platforms like email.
Pretty Good Privacy (PGP)
• PGP provides confidentiality and authentication services that can be
used for electronic mail and file storage applications.
• Available free worldwide.
• Hybrid design: the message is encrypted with a fresh symmetric session key, and
that key is encrypted with the recipient's public key; signatures are made with the
sender's private key over a hash of the message.
• Developed by Philip R. Zimmermann in 1991; standardized as OpenPGP (RFC 4880).
Secure / Multipurpose Internet Mail Extensions (S/MIME)
• S/MIME is a standard for exchanging secure mail with the help of
encryption and digital signatures.
• Uses public key cryptography to sign, encrypt and decrypt email.
• Keys are verified using X.509 certificates issued by a trusted certificate authority
(whereas PGP relies on a web of trust between users).
• Previously, mail was supposed to carry text only;
• S/MIME builds on MIME to support varying content types.
• Supported by major email programs like Outlook and Netscape (today also Thunderbird and Apple Mail).
• S/MIME was originally developed by RSA Data Security Inc.
END
• Check your email
• https://haveibeenpwned.com/