Re: [fw-wiz] Securing email by inhibiting urls

On Thu, 11 Aug 2011, Chris wrote:

3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus
protecting all mail servers.

The mail server isn't the target, the desktop is- that's where your
protection needs to be.

We don't have issues with executables etc in mail as attachments. We mostly
see encrypted .zip or Ms Excel/Word attachments in emails made to look like
they are coming from someone friendly. The well trained employee with a
short memory or bad recall clicks the attachment or url linked to a file and
game is over. These are zero day payloads that are not detected by anyone.

Which is it? Attachments, or links? Those are two different issues.
Seems to me like not letting encrypted attachments through would be a
good start. It also seems that not letting most MIME types through the
HTTP proxy would be a good second step. Exceptions on a by-domain basis
tend to take about a week to get cleared up if you do it during
end-of-month cycles.

We have spent lots of money getting them reverse engineered and the security
firms are impressed. We can block all attachments but that doesn't stop a
user clicking a link to a hacked page that delivers payload (making
this up but its not far from true). With business constraints etc, our best
option now is to strip/modify urls/links in emails but our current systems
don't have that feature.

The other option is to simply control what's run at the client. I've got
a customer with complete software restriction policies on that's had so
few malcode outbreaks in the last five years that I can think of three
that I had to respond to. Everything in %windir% is either a path or a
hash rule, as is everything in %programdir%. Nothing else is allowed to
run. DLL monitoring isn't on, as the performance hit isn't worth the few
times a decade a DLL injection may happen. The best thing is that things
that do get executed can't plant a Trojan, so most "infections" end up as
a zero sum game. Once you've got the bulk of the Windows and
vendor-specific rules in, maintenance is less than an addition a month.

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list

firewall-wizards mailing list