Firewall Wizards mailing list archives
Re: Securing email by inhibiting urls
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 13 Aug 2011 00:07:05 -0400 (EDT)
On Thu, 11 Aug 2011, Chris wrote:
> 3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus protecting all mail servers.
The mail server isn't the target, the desktop is; that's where your protection needs to be.
> We don't have issues with executables etc. in mail as attachments. We mostly see encrypted .zip or MS Excel/Word attachments in emails made to look like they are coming from someone friendly. The well-trained employee with a short memory or bad recall clicks the attachment or URL linked to a file and the game is over. These are zero-day payloads that are not detected by anyone.
Which is it? Attachments, or links? Those are two different issues. Seems to me like not letting encrypted attachments through would be a good start. It also seems that not letting most MIME types through the HTTP proxy would be a good second step. Exceptions on a by-domain basis tend to take about a week to get cleared up if you do it during end-of-month cycles.
> We have spent lots of money getting them reverse engineered and the security firms are impressed. We can block all attachments, but that doesn't stop a user clicking a link to a hacked ford.com page that delivers a payload (making this up, but it's not far from true). With business constraints etc., our best option now is to strip/modify URLs/links in emails, but our current systems don't have that feature.
The other option is to simply control what's run at the client. I've got a customer with complete software restriction policies on that's had so few malcode outbreaks in the last five years that I can think of three that I had to respond to. Everything in %windir% is either a path or a hash rule, as is everything in %programdir%. Nothing else is allowed to run. DLL monitoring isn't on, as the performance hit isn't worth the few times a decade a DLL injection may happen. The best thing is that things that do get executed can't plant a Trojan, so most "infections" end up as a zero sum game. Once you've got the bulk of the Windows and vendor-specific rules in, maintenance is less than an addition a month.

Paul

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art:                   http://www.PaulDRobertson.net/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
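The two gateway-side controls argued over in this thread, Chris's "strip/modify URLs/links in emails" and Paul's "not letting encrypted attachments through", as one mail filter in Python. This is an added example for this archive page, not code posted by either of them; the function names, the hxxp / [.] rewriting form, and the constructed sample mail and archive are my assumptions (Python's zipfile cannot write password-protected archives, so the sample patches the encryption flag in by hand).

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"\b(https?|ftp)://([^\s<>\"']+)", re.IGNORECASE)
ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag word

def zip_is_encrypted(data: bytes) -> bool:
    """True if any member is flagged encrypted; a blob zipfile cannot parse counts too (unscannable either way)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ENCRYPTED for info in zf.infolist())
    except zipfile.BadZipFile:
        return True

def defang(text: str) -> str:
    """http://a.example.com/x -> hxxp[://]a[.]example[.]com/x, so mail clients stop rendering a clickable link."""
    return URL_RE.sub(lambda m: m.group(1).lower().replace("http", "hxxp") + "[://]" + m.group(2).replace(".", "[.]"), text)

def filter_message(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Defang URLs in body text parts; return the rewritten mail plus any reasons to quarantine it."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_maintype() == "text" and not name:
            part.set_content(defang(part.get_content()), subtype=part.get_content_subtype())
        elif (name.lower().endswith(".zip") or part.get_content_type() == "application/zip") \
                and zip_is_encrypted(part.get_payload(decode=True)):
            reasons.append(f"encrypted zip attachment: {name or '(unnamed)'}")
    return msg, reasons

def constructed_encrypted_zip() -> bytes:
    """Constructed sample: a tiny ZIP whose local and central headers get the encryption bit set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xls", b"not really a spreadsheet")
    data = bytearray(buf.getvalue())
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):  # local file header, central directory entry
        data[data.find(sig) + off] |= ENCRYPTED
    return bytes(data)

def constructed_sample() -> bytes:
    """Constructed sample mail shaped like the ones in the thread: friendly sender, live link, encrypted zip."""
    m = EmailMessage(policy=policy.default)
    m["From"], m["To"], m["Subject"] = "colleague@example.com", "staff@example.com", "Q2 invoice"
    m.set_content("Please review http://www.example.com/report and the attached file.")
    m.add_attachment(constructed_encrypted_zip(), maintype="application", subtype="zip", filename="invoice.zip")
    return m.as_bytes()
```

Run as a milter or content filter, the returned reasons decide whether the mail is quarantined, while the defanged copy is what reaches the desktop that Paul identifies as the real target.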