Guide To Email Security




Table Of Contents
Introduction
How To Protect Yourself
What To Do If You Get Hacked
The Hacker’s Life
Email Is Gold
How An Attack Works




Introduction To Email Security
by Brandon, deliverability engineer



We’re a paranoid bunch at Mailchimp. We proudly wear tinfoil hats, we
have secret hideout rooms with steel walls, and we have fireman poles
and slides throughout the building for quick evacuation. We also have at
least 24 rottweilers with freakin’ lasers on their heads. We’d go into more
detail, but let’s just say that security is a serious matter at Mailchimp. We
take it so seriously because our customers shouldn’t have to worry about
their data. We spend a lot of time talking about bad guys and acting like
bad guys, to figure out how they think. Our team invests a lot of time
and money into writing code to protect ourselves and our customers, and
we have lots of software and hardware to protect our infrastructure. Our
security methods are there to help keep you safe—but when it comes to
protecting yourself and your subscribers, you have some responsibilities
of your own. In this guide we’ll cover how you can protect yourself, what
to do if your data has been compromised, some basics on why an attacker
might target you, and why email data is important in the first place. We
hope this guide scares you into taking some precautionary measures to
ensure your data is safe.

According to the Ponemon Institute, the value of a customer record is
$204 in the US. For some people the value is much higher, and for others
it’s much lower. Some people use the simple “dollars earned divided
by list size equals dollar-per-email value” calculation. (So if you made
$120,000 off your campaigns and had 5,000 subscribers, then each
subscriber is worth $24.) Though some are worth more than others, that
calculation shows you how valuable email addresses are. And even if
you’re not earning money off your subscribers, there’s great responsibility
in protecting the email addresses they provide. Hackers want those
addresses because they know how to extract and extort money from
unsuspecting people, tarnish your brand and cause some serious financial
hassles for you. If you and your service providers aren’t taking the proper
precautions to protect your customers’ data, then you’re doing a grave
disservice to your business and subscribers.




*ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER
This guide is intended to serve as a resource on the topic of email security. It is not intended to be
professional advice, nor is it a complete compendium of the information available in this area. The
Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the
information contained within. In sum, while we think this is an awesome guide on the topic, use of
the information contained within the guide is entirely, completely, definitively, absolutely, positively,
100% at your own risk. If you have questions or need specific advice for your situation, please
contact a knowledgeable professional.
How To Protect Yourself
You can never be too cautious when it comes to protecting yourself, your
business and your valuable data. Here are some tinfoil-hat tips.

1. Keep ALL of your systems completely up to date. Not just your operating
systems, but your browser, Adobe Reader, Java, Flash and any other browser
plugins. These ancillary applications are generally the most problematic and
easiest to hack, and they are exactly what a drive-by malware site exploits.
Keep your anti-virus programs up to date, and if possible, use anti-virus
software that has a firewall—or at the very least malware—protection. Try
something like Comodo.

2. Run anti-virus and malware scans daily. As in, every single day.

3. Secure your networks and wifi. Do NOT allow employees to use their
home computers, guest computers, smartphones or iPads on your network.
Secure your wifi with WPA2 at a minimum (WPA3 where your equipment
supports it), and never with WEP or an open network. If you have mobile
workstations inside or outside your networks, never use insecure wifi, like
your local coffee shop’s connection. If you must use this type of connection,
keep your usage to an absolute minimum. Read up on Firesheep to learn how
much information gets transmitted on an open wifi connection: it captured
the session cookies that sites sent over plain HTTP, so anyone on the same
network could take over a logged-in session. Sites that use HTTPS for
everything, and a VPN on networks you don’t control, close that gap.

4. Secure your smartphone with a password or security lock. If it’s stolen,
call your provider immediately and disconnect your phone. Passwords are
extremely important when it comes to security. Use different passwords
for every site you do business with. Do NOT use the same password twice
(see: Twitter Spam Attack Tied to Gawker Security Breach, where passwords
dumped from one site were replayed against another). Each site should have
a unique password. Consider using 1Password, KeePass or a similar utility
to help keep track of all your passwords, and let it generate long random
passwords rather than inventing your own. Keep in mind that if someone
steals your computer or gains access, they can steal your password
database. So make sure your master password is unique and difficult to
guess. Use passwords of at least 10 characters, mixing numbers, letters,
symbols and different cases; longer is better, and length matters more than
symbol variety. Where a site offers two-factor authentication, turn it on,
so a stolen password alone is not enough. If you use the same password
everywhere, it’s extremely easy for an attacker to try your username and
password at each and every site they’re after.

5. Use a single machine for financial transactions. It shouldn’t be used
for anything other than banking, and should only be connected via a wired
connection. Don’t keep this computer powered up unless it’s being used.

6. Be careful what information you share publicly. If you’re interviewed
for something that will be published online, make sure you don’t mention
software vendors or business vendors you use, unless you can be 100%
sure that your software and business vendors will not be hacked.

7. Never open email, IMs and social-media notifications from people you
don’t know, haven’t heard from in a long time, or look suspicious. This
type of communication is often malicious, so skip it to be safe. If you’re
unsure, don’t reply to the communication, and call the person for
confirmation. Assume everyone is compromised.
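Tip 4 warns that a password reused on a breached site will be replayed against every other site you use. As an added example (not from the original guide, and not Mailchimp code), here is how a site can check a password a user is about to set against a breached-password corpus without sending the password, or even its full hash, anywhere: the k-anonymity range lookup popularised by Have I Been Pwned’s Pwned Passwords service. The range table and the breach counts are constructed for the example, and `range_lookup()` is a stand-in for the HTTP call to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Check a candidate password against a breached-password corpus while
disclosing only the first five hex digits of its SHA-1 hash.

The range table below is CONSTRUCTED for this example (a few well-known
weak passwords with made-up counts). In production, range_lookup() would
fetch https://api.pwnedpasswords.com/range/<prefix> and the rest of the
logic stays the same.
"""
import hashlib

PREFIX_LEN = 5  # hex digits disclosed to the lookup service


def sha1_hex(password: str) -> str:
    # Pwned Passwords uses SHA-1 only as an index into the corpus, not for
    # storage; keep your own user store on a slow hash (bcrypt, Argon2).
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed corpus: password -> number of times seen in breaches (made up).
_BREACHED = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 150_000,
    "qwerty": 3_500_000,
}


def build_range_table(breached: dict) -> dict:
    """Group hashes by prefix the way the range endpoint serves them:
    prefix -> ["SUFFIX:COUNT", ...]."""
    table: dict = {}
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        table.setdefault(digest[:PREFIX_LEN], []).append(
            f"{digest[PREFIX_LEN:]}:{count}"
        )
    return table


RANGE_TABLE = build_range_table(_BREACHED)


def range_lookup(prefix: str) -> list:
    """Stand-in for the HTTP range call; returns the 'SUFFIX:COUNT' lines
    for every breached hash that starts with the given prefix."""
    assert len(prefix) == PREFIX_LEN
    return RANGE_TABLE.get(prefix.upper(), [])


def breach_count(password: str, lookup=range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Only the prefix leaves this function; the suffix comparison is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_new_password(password: str, min_len: int = 12) -> list:
    """Policy check for a password a user is about to set. Returns the
    reasons to reject it; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    seen = breach_count(password)
    if seen:
        problems.append(f"appears {seen:,} times in known breaches")
    return problems


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw) or "ok")
```

The lookup answers “has this exact string already leaked”, which is what makes a dumped password dangerous on every other site; it does not tell you whether a user reused it, which is what a password manager prevents in the first place.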



What To Do If You Get Hacked
Hopefully you’re protecting your data like a champ and nobody’s after you.
But if you do get hacked, here’s how to handle it.

1. If it’s a virus or malware on a machine, disconnect ALL machines
from your network immediately. At this point it’s best to involve a local IT
company or consultant who’s trained in removing malware. Don’t turn on
any systems until the threat has been completely removed. If you must get
to a system, make sure it’s not on the internet, and assume that anything
and everything on that system is infected.

2. Change all passwords, and security questions and answers that may
have been affected. Make sure you do it from a secure machine—if you
change passwords on an infected machine, you’re giving the attacker all
the info they were after on a silver platter. Use a secured network that
you trust. If your systems were hacked, don’t trust your network until all
machines have been given the all clear.

3. Contact your service providers and software providers, and ask them to
do a scan for potential data breaches on your account. Also ask them to
lock your account from further access if you feel the account is what the
attacker was after, or if the account is important enough to lock down.

4. Check your email. Ensure that there’s nothing in your deleted items
that relates to communication with your service and software providers.
An attacker who has taken over a mailbox routinely deletes the password-
reset and login-alert messages that would tip you off, so check the deleted
and sent folders, and look for forwarding or filter rules you didn’t create.

5. Notify your friends, clients and business vendors that you were com-
promised. Let them know that they shouldn’t trust further communication
from you until otherwise noted.




The Hacker’s Life
Discussions about hackers usually end with, ”Why don’t they just get a
job?” The truth is, hacking is their job, and they often make good money
(or enjoy what they do). The laws in many countries are lax enough that
cybercrime isn’t considered serious, or there’s just so much other bad
stuff going on, it doesn’t bubble up. Many countries even overlook this
behavior because the criminals pay off and support government officials. The
book Fatal System Error by Joseph Menn goes into more detail about that.
Whether someone is paying government officials, or the laws just don’t
apply, it really doesn’t matter. These criminals exist, and they’re out to get
any and all information they can. So why do they want your data?

1. To target your personal and/or business finances. Stealing financial
account information is easy these days. It’s even easier, and far more useful,
to steal credit card information.

2. To target your computers and technology infrastructure. Botnets allow
an attacker to use many machines to attack other machines, steal
information and commit various other acts of evil. Once the hacker controls
your computer they can:

•	   Log every keystroke you type. The software that records the
     keystrokes is even built to show fake login pages for financial
     institutions to log your credentials.
•	   Steal information from your hard drive. The attacker owns your
     machine and can get at any piece of data they want. Stealing your
     accounting database and cracking the username and password
     shouldn’t take more than a few Google searches.
•	   Use your system to send SPAM. The majority of SPAM is sent through
     systems controlled by botnets. If your system is under the control of
     a hacker, they can send hundreds of thousands of pieces of SPAM
     from your system without you ever knowing it.

3. To target your customers. Maybe you have some high-profile clients that
the attacker is after. Maybe a client is listed on your site or sent an issue
via Twitter. It’s easy to figure out who your clients are, and it’s an easily
accessible entry point for an attack.

4. To target employees. A hacker can easily target your employees using
social media and direct attacks. It’s easy to find ways to get at your
employees, like using family members, college or high-school friends found
through Facebook. If an attacker targets one of your employees, he can
gain insight into your business practices and target your entire company.

All attacks are planned. There’s an end goal, and because this is the
attacker’s job, he spends lots of time planning and plotting every step. Just
like that new promotion you planned in November, the attacker planned
the malicious attack on your Social Media Manager. Many people think
hackers don’t put much thought into attacks, and while the 419 scams
and bad spelling in most SPAM might make you think hackers are stupid,
that’s far from the truth. In the book Social Engineering: The Art of Human
Hacking, Christopher Hadnagy provides information on how much
effort a hacker will put into planning and executing an attack. It’s like a
chess game—but unfortunately, most of the targets have no idea they’re
part of the game. If you have any type of online presence, then you are,
have been, or very shortly will be under attack. So you must behave like
you’re under attack and secure your assets at all times.




Email Is Gold
Email addresses are extremely valuable in today’s economy. Referencing
back to our quick calculation in the introduction, you can see that an
email address can be worth a lot of money to your business. Our identities,
important accounts and vital information are attached to email addresses.
Chances are your financial institutions use your email address as your
username. Your social media accounts, like Facebook and Twitter, tie to
your email address. Your email address is a unique identifier—but more
importantly, it’s a communication mechanism. We use email to transmit
all kinds of important information, and we use email more and more each
day. Evil hackers want the email accounts for various reasons. This is just
a small list of some stuff they might be after:

•	   Hackers have found that companies who use email service providers
     (ESPs) generally have clean lists. A clean list means fewer bounces and
     potentially an engaged list. And that means the list will deliver to the
     inbox and have a higher likelihood of clicks and opens.
•	   The hacker wants your email addresses to send your subscribers
     malicious stuff. Maybe your email list has important users like
     congress members. If they can trick your subscribers into clicking links
     and visiting bad sites, they can then gain access to machines they
     were targeting.
•	   The hacker is planning a much larger attack and is just harvesting
     email addresses.
•	   The hacker is planning to resell your subscribers.

Know that lists used by marketers often have highly engaged readers and
good email addresses. If the hacker wanted to target your customers,
they could easily imitate your campaign content and trick your users into
following a link to a malicious site. Chances are, the engaged readers will
click like they normally would. The list is valuable to you, but it’s just as
valuable—if not more so—to the hacker.

There’s also a large market for buying and selling email addresses. So
not only can the hacker use the email addresses for direct attacks, but
they can then sell the addresses to a list broker for further gain. Think
that through the next time someone approaches you about selling a list—
chances are most of the addresses were gathered unethically.




How An Attack Works
Remember, the hacker has an end goal. In this section we’ll build a
scenario and walk through how an attack is planned and carried out.

Let’s say your site is a popular foodie blog. You have a cool newsletter
signup on your site, and you allow people to comment on your blog.
Somewhere along the way, you were interviewed on a food website about
how you handle your business, and most importantly, your marketing.
You told everyone that you use this really cool newsletter service called
MiamiMail, that you have 280,000 subscribers, and the list grows by
2,000-3,000 subscribers a week. It’s so much to maintain that you hired
Debra, a social-media expert, Quinn, an email-marketing guru, and Vince,
a programmer who works with the MiamiMail API. You also talk about your
guest bloggers and some of the famous chefs that actively participate on
the blog and answer questions in the comments. You just built this great
new recipe section, where the same famous chefs comment on the posts.

Arthur is a hacker, and he’s just come off a series of attacks against major
car dealers. He wants to change things up and reads the article about your
site. It piques his interest because you gave some specific details. Here’s
what Arthur knows about your business:

1. You use MiamiMail.

2. You have a substantial list, and it’s growing quickly.

3. Arthur knows about at least four people in the company: Debra, Quinn,
Vince and you.

4. Arthur also knows some famous people who use your blogging tool.

5. Those famous people participate in the recipe section.

Arthur takes this data and begins to research the following:

1. MiamiMail. He finds out anything and everything about them. He trolls
the support forums, signs up for a free account, learns about the API and
even experiments with the system to send a few test campaigns.

2. Your company’s About page. That really cool Team page came in handy!
Arthur finds a few other employees and then begins researching your
employees and building profiles for Debra, Quinn, Vince and you. He finds
your Twitter, Facebook and LinkedIn profiles. He also finds out your home
addresses, personal email accounts and a few other pieces of information
he purchases using some stolen credit cards he got from that car dealer
scam he ran last week.

3. The famous chefs. If Arthur can’t trick your employees, he might be
able to trick one of the chefs and maybe gain some access to the blog.

Over the years we’ve seen SPAM grow in maturity. SPAM has moved
from poorly spelled 419 scams, to simple phishing scams, and now we
see smarter and more targeted SPAM and phishing attacks. Hackers have
exposure to tools, data and blackhat ESP systems that allow them to run
sophisticated campaigns against targeted victims. We see hackers use
levels of sophistication beyond what most marketers use, like advanced
segmentation, dynamic content using conditional merge tags, and combining
other data sources to target recipients more effectively. With combined
data sources, they can effectively attack your employees and users. If the
attacker can’t obtain enough information, there are sites where a few
dollars can provide them with just about anything they want to know. Just as
you read your campaign results, the hacker is using reporting data from
their malicious software. When they launch an attack, they use the stats to
tweak and refine future attacks.

Arthur builds his campaign to drive his victims toward a site or series of
malicious sites. These campaigns allow him to learn more about the
computer systems involved, gain access to the owner’s system, or even worse,
damage your infrastructure as a whole. He won’t just target employees—
he’ll target business associates, family members and friends. Arthur may
even use a series of campaigns to learn more information or gain access to
specific computer systems.

So what is a malicious site?

Years ago someone would receive a virus in an email, click it, and get
infected. Those tactics are still used, but these days most attacks use drive-
by malware. The basic idea is that you visit a site that the hacker controls.
They’ve embedded some JavaScript or other code that exploits a bug in your
browser or one of its plugins and infects your system (which is why tip 1
under How To Protect Yourself insists on patching those). You didn’t have
to click anything—you simply visited the site and got infected. If Arthur
plays his cards right, he’ll infect the right machines. Even if he doesn’t get
to the systems he wanted, he’ll use the other systems to learn more
information or attack elsewhere. And what does an infected machine
provide Arthur with? Malware infections can include keyloggers, remote
access and access to all the data on your machine or network. Once
infected, Arthur has unfettered access to your information. Keyloggers
allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is
designed to run without you ever knowing it has been installed. Arthur can
sit and watch and collect and learn. With time he’ll gain access to all of
your systems or, in this case, gain access to your MiamiMail account. Once
he has this access, he’ll steal your subscribers and start the process all
over again. At this point, he can target your subscribers to gain access to
their systems, attempt to steal credit cards and more. He can continue
mining data from your system, or rent or sell your system to other hackers
for other needs.

Read more about malware. Scary, huh? We suggest rottweilers with lasers.
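Both the Email Is Gold section (an attacker imitating your campaign content to send subscribers to a malicious site) and Arthur’s campaign above come down to one thing in the recipient’s inbox: a link whose real target is not where the message says it goes. As an added example (not from the original guide, and not Mailchimp code), here is a small triage script that pulls every link out of an HTML email and flags the ones whose target domain differs from the domain shown in the link text or from the sender’s domain. The sample message and every domain in it are constructed for the example (reserved `.example` names); `MiamiMail` and the foodie blog are the guide’s own fictional names.

```python
"""Triage an email for the 'imitated campaign' phish: extract every link
from the HTML body and flag links whose real target does not match the
domain shown in the link text, or does not belong to the sender's domain.

The message below is CONSTRUCTED for this example; all domains are
reserved .example names.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
From: Foodie Weekly <news@foodieblog.example>
To: chef@restaurant.example
Subject: This week's recipes
Content-Type: text/html; charset="utf-8"

<html><body>
<p>New this week:</p>
<a href="https://foodieblog.example/recipes/braise">Braised leeks</a><br>
<a href="http://foodieblog-example.login-verify.example/u/7f3">foodieblog.example/recipes</a><br>
<a href="https://cdn.foodieblog.example/img.png">image</a>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude organisation domain: the last two labels. Fine for triage;
    use a public-suffix list in production (co.uk and friends break this)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL, or of bare 'site.example/path' text."""
    url = text if "://" in text else "http://" + text
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "://" in text or ("." in text and " " not in text)


def triage(raw_message: str):
    """Return (sender_domain, findings); each finding is
    (rule, link_text, real_target_host)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(from_addr.rpartition("@")[2])

    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")

    extractor = _LinkExtractor()
    extractor.feed(html)

    findings = []
    for href, text in extractor.links:
        target = host_of(href)
        if not target:  # mailto:, relative links, etc.
            continue
        # The link text advertises one site, the href goes to another.
        if looks_like_url(text) and registrable(host_of(text)) != registrable(target):
            findings.append(("text/target mismatch", text, target))
        # The link leaves the sender's own domain.
        if registrable(target) != sender_domain:
            findings.append(("off-domain link", text, target))
    return sender_domain, findings


if __name__ == "__main__":
    sender, findings = triage(SAMPLE)
    print("sender domain:", sender)
    for rule, text, target in findings:
        print(f"  [{rule}] '{text}' really goes to {target}")
```

Legitimate ESP campaigns usually route links through a tracking domain, so treat “off-domain link” as a triage signal rather than a verdict; the text/target mismatch is the stronger indicator, because it is exactly what a lookalike login page relies on the reader not noticing.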





Mais conteúdo relacionado

Destaque

Email Security Best Practices
Email Security Best PracticesEmail Security Best Practices
Email Security Best PracticesKnowBe4
 
Advantages & disadvantages of web 1.0 vs web 2.0
Advantages & disadvantages of web 1.0  vs web 2.0Advantages & disadvantages of web 1.0  vs web 2.0
Advantages & disadvantages of web 1.0 vs web 2.0Nifras Ismail
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web securityrajakhurram
 
Web security presentation
Web security presentationWeb security presentation
Web security presentationJohn Staveley
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & TestingDeepu S Nath
 

Destaque (6)

Email Security Best Practices
Email Security Best PracticesEmail Security Best Practices
Email Security Best Practices
 
Advantages & disadvantages of web 1.0 vs web 2.0
Advantages & disadvantages of web 1.0  vs web 2.0Advantages & disadvantages of web 1.0  vs web 2.0
Advantages & disadvantages of web 1.0 vs web 2.0
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Lecture 6 web security
Lecture 6 web securityLecture 6 web security
Lecture 6 web security
 
Web security presentation
Web security presentationWeb security presentation
Web security presentation
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 

Último

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Último (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases

Email Security

  • 3. Table Of Contents

Introduction .......... 3
How To Protect Yourself .......... 4
What To Do If You Get Hacked .......... 5
The Hacker’s Life .......... 6
Email Is Gold .......... 7
How An Attack Works .......... 8
  • 4. Introduction To Email Security

by Brandon, deliverability engineer

We’re a paranoid bunch at Mailchimp. We proudly wear tinfoil hats, we have secret hideout rooms with steel walls, and we have fireman poles and slides throughout the building for quick evacuation. We also have at least 24 rottweilers with freakin’ lasers on their heads. We’d go into more detail, but let’s just say that security is a serious matter at Mailchimp. We take it so seriously because our customers shouldn’t have to worry about their data. We spend a lot of time talking about bad guys and acting like bad guys, to figure out how they think. Our team invests a lot of time and money into writing code to protect ourselves and our customers, and we have lots of software and hardware to protect our infrastructure.

Our security methods are there to help keep you safe—but when it comes to protecting yourself and your subscribers, you have some responsibilities of your own. In this guide we’ll cover how you can protect yourself, what to do if your data has been compromised, some basics on why an attacker might target you, and why email data is important in the first place. We hope this guide scares you into taking some precautionary measures to ensure your data is safe.

According to the Ponemon Institute, the value of a customer record is $204 in the US. For some people the value is much higher, and for others it’s much lower. Some people use the simple “dollars earned divided by list size equals dollar-per-email value” calculation. (So if you made $120,000 off your campaigns and had 5,000 subscribers, then each subscriber is worth $24.) Though some are worth more than others, that calculation shows you how valuable email addresses are. And even if you’re not earning money off your subscribers, there’s great responsibility in protecting the email addresses they provide.

Hackers want those addresses because they know how to extract and extort money from unsuspecting people, tarnish your brand and cause some serious financial hassles for you. If you and your service providers aren’t taking the proper precautions to protect your customers’ data, then you’re doing a grave disservice to your business and subscribers.

*ATTENTION: EXTREMELY IMPORTANT OBLIGATORY LEGAL DISCLAIMER

This guide is intended to serve as a resource on the topic of email security. It is not intended to be professional advice, nor is it a complete compendium of the information available in this area. The Rocket Science Group, LLC d/b/a MailChimp expressly disclaims any and all warranties about the information contained within. In sum, while we think this is an awesome guide on the topic, use of the information contained within the guide is entirely, completely, definitively, absolutely, positively, 100% at your own risk. If you have questions or need specific advice for your situation, please contact a knowledgeable professional.
  • 5. How To Protect Yourself

You can never be too cautious when it comes to protecting yourself, your business and your valuable data. Here are some tinfoil-hat tips.

1. Keep ALL of your systems completely up to date. Not just your operating systems, but your browser, Adobe Reader, Java, Flash, etc. These ancillary applications are generally the most problematic and easiest to hack. Keep your anti-virus programs up to date, and if possible, use anti-virus software that includes firewall protection, or at the very least malware protection. Try something like Comodo.

2. Run anti-virus and malware scans daily. As in, every single day.

3. Secure your networks and wifi. Do NOT allow employees to use their home computers, guest computers, smartphones or iPads on your network. Secure your wifi using WPA2 or stronger. If you have mobile workstations inside or outside your networks, never use insecure wifi, like your local coffee shop’s connection. If you must use this type of connection, keep your usage to an absolute minimum. Read up on Firesheep to learn how much information gets transmitted on an open wifi connection.

4. Secure your smartphone with a password or security lock. If it’s stolen, call your provider immediately and disconnect your phone. Passwords are extremely important when it comes to security. Use different passwords for every site you do business with. Do NOT use the same password twice (see: Twitter Spam Attack Tied to Gawker Security Breach). Each site should have a unique password. Consider using 1Password, KeePass or a similar utility to help keep track of all your passwords. Keep in mind that if someone steals your computer or gains access, they can steal your password database. So make sure your master password is unique and difficult to guess. Use passwords of at least 10 characters, mixing numbers, letters, symbols and different cases. If you use the same password everywhere, it’s extremely easy for an attacker to try your username and password at each and every site they’re after.

5. Use a single machine for financial transactions. It shouldn’t be used for anything other than banking, and should only be connected via a wired connection. Don’t keep this computer powered up unless it’s being used.

6. Be careful what information you share publicly. If you’re interviewed for something that will be published online, make sure you don’t mention software vendors or business vendors you use, unless you can be 100% sure that your software and business vendors will not be hacked.

7. Never open email, IMs and social-media notifications from people you don’t know, haven’t heard from in a long time, or that look suspicious. This type of communication is often malicious, so skip it to be safe. If you’re unsure, don’t reply to the communication, and call the person for confirmation. Assume everyone is compromised.
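To make tip 4 checkable rather than a rule of thumb, here is an added example (not Mailchimp’s code) that audits a password-manager export against the policy above: at least 10 characters, mixed case, digits and symbols, and no password shared between sites. The site,username,password CSV layout and the sample rows are constructed for the illustration.

```python
"""Audit a password-manager export against the password policy in tip 4.

The CSV layout (site,username,password) and the sample rows below are
constructed for this example; they are not real credentials or any vendor's
export format.
"""
import csv
import io
import string
from collections import defaultdict

MIN_LENGTH = 10  # "at least 10 characters" from tip 4


def policy_violations(password: str) -> list:
    """Return the policy rules a single password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def audit_export(csv_text: str) -> dict:
    """Audit a CSV export with site,username,password columns.

    Returns {"weak": {site: [problems]}, "reused": [[site, site, ...], ...]}.
    Reuse is found by grouping rows that share an identical password, so every
    site sharing one password is reported together. Passwords themselves are
    never written into the report, only the sites they were found on.
    """
    weak = {}
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        site, pw = row["site"], row["password"]
        problems = policy_violations(pw)
        if problems:
            weak[site] = problems
        by_password[pw].append(site)
    reused = [sites for sites in by_password.values() if len(sites) > 1]
    return {"weak": weak, "reused": reused}


# Constructed sample export: one strong unique password, one strong password
# reused on two sites, and one password that breaks several rules.
SAMPLE_EXPORT = """site,username,password
bank.example,owner,Tr0ub4dor&3xtra!
newsletter.example,owner,Summer2011!
twitter.example,owner,Summer2011!
blog.example,owner,s3cret
"""

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for site, problems in report["weak"].items():
        print(f"{site}: {', '.join(problems)}")
    for sites in report["reused"]:
        print("same password on:", ", ".join(sites))
```

Run against a real export only on a trusted machine, and delete the export file afterwards, for the same reason the tip gives about a stolen password database.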
  • 6. What To Do If You Get Hacked

Hopefully you’re protecting your data like a champ and nobody’s after you. But if you do get hacked, here’s how to handle it.

1. If it’s a virus or malware on a machine, disconnect ALL machines from your network immediately. At this point it’s best to involve a local IT company or consultant who’s trained in removing malware. Don’t turn on any systems until the threat has been completely removed. If you must get to a system, make sure it’s not on the internet, and assume that anything and everything on that system is infected.

2. Change all passwords, and security questions and answers that may have been affected. Make sure you do it from a secure machine—if you change passwords on an infected machine, you’re giving the attacker all the info they were after on a silver platter. Use a secured network that you trust. If your systems were hacked, don’t trust your network until all machines have been given the all clear.

3. Contact your service providers and software providers, and ask them to do a scan for potential data breaches on your account. Also ask them to lock your account from further access if you feel the account is what the attacker was after, or if the account is important enough to lock down.

4. Check your email. Ensure that there’s nothing in your deleted items that relates to communication with your service and software providers.

5. Notify your friends, clients and business vendors that you were compromised. Let them know that they shouldn’t trust further communication from you until otherwise noted.
  • 7. The Hacker’s Life

Discussions about hackers usually end with, “Why don’t they just get a job?” The truth is, hacking is their job, and they often make good money (or enjoy what they do). The laws in many countries are lax enough that cybercrime isn’t considered serious, or there’s just so much other bad stuff going on, it doesn’t bubble up. Many countries even overlook this behavior because the criminals pay off and support government officials. The book Fatal System Error by Joseph Menn goes into more detail about that. Whether someone is paying government officials, or the laws just don’t apply, it really doesn’t matter. These criminals exist, and they’re out to get any and all information they can.

All attacks are planned. There’s an end goal, and because this is the attacker’s job, he spends lots of time planning and plotting every step. Just like that new promotion you planned in November, the attacker planned the malicious attack on your Social Media Manager. Many people think hackers don’t put much thought into attacks, and while the 419 scams and bad spelling in most SPAM might make you think hackers are stupid, that’s far from the truth. In the book Social Engineering: The Art of Human Hacking, Christopher Hadnagy provides information on how much effort a hacker will put into planning and executing an attack. It’s like a chess game—but unfortunately, most of the targets have no idea they’re part of the game. If you have any type of online presence, then you are, have been, or very shortly will be under attack. So you must behave like you’re under attack and secure your assets at all times.

So why do they want your data?

1. To target your personal and/or business finances. Stealing financial account information is easy these days. It’s even easier, and far more useful, to steal credit card information.

2. To target your computers and technology infrastructure. Botnets allow an attacker to use many machines to attack other machines, steal information and commit various other acts of evil. Once the hacker controls your computer they can:

   • Log every keystroke you type. The software that records the keystrokes is even built to show fake login pages for financial institutes to log your credentials.

   • Steal information from your hard drive. The attacker owns your machine and can get at any piece of data they want. Stealing your accounting database and cracking the username and password shouldn’t take more than a few Google searches.

   • Use your system to send SPAM. The majority of SPAM is sent through systems controlled by botnets. If your system is under the control of a hacker, they can send hundreds of thousands of pieces of SPAM from your system without you ever knowing it.

3. To target your customers. Maybe you have some high-profile clients that the attacker is after. Maybe a client is listed on your site or sent an issue via Twitter. It’s easy to figure out who your clients are, and it’s an easily accessible entry point for an attack.

4. To target employees. A hacker can easily target your employees using social media and direct attacks. It’s easy to find ways to get at your employees, like using family members, college or high-school friends found through Facebook. If an attacker targets one of your employees, he can gain insight into your business practices and target your entire company.
  • 8. Email Is Gold

Email addresses are extremely valuable in today’s economy. Referencing back to our quick calculation in the introduction, you can see that an email address can be worth a lot of money to your business. Our identities, important accounts and vital information are attached to email addresses. Chances are your financial institutions use your email address as your username. Your social media accounts, like Facebook and Twitter, tie to your email address. Your email address is a unique identifier—but more importantly, it’s a communication mechanism. We use email to transmit all kinds of important information, and we use email more and more each day.

Evil hackers want the email accounts for various reasons. This is just a small list of some stuff they might be after:

   • Hackers have found that companies that use ESPs (email service providers) generally have clean lists. A clean list means fewer bounces and potentially an engaged list. And that means the list will deliver to the inbox and have a higher likelihood of clicks and opens.

   • The hacker wants your email addresses to send your subscribers malicious stuff. Maybe your email list has important users like congress members. If they can trick your subscribers into clicking links and visiting bad sites, they can then gain access to machines they were targeting.

   • The hacker is planning a much larger attack and is just harvesting email addresses.

   • The hacker is planning to resell your subscribers.

Know that lists used by marketers often have highly engaged readers and good email addresses. If the hacker wanted to target your customers, they could easily imitate your campaign content and trick your users into following a link to a malicious site. Chances are, the engaged readers will click like they normally would. The list is valuable to you, but it’s just as valuable—if not more so—to the hacker.

There’s also a large market for buying and selling email addresses. So not only can the hacker use the email addresses for direct attacks, but they can then sell the addresses to a list broker for further gain. Think that through the next time someone approaches you about selling a list—chances are most of the addresses were gathered unethically.
  • 9. How An Attack Works

Remember, the hacker has an end goal. In this section we’ll build a scenario and walk through how an attack is planned and carried out.

Let’s say your site is a popular foodie blog. You have a cool newsletter signup on your site, and you allow people to comment on your blog. Somewhere along the way, you were interviewed on a food website about how you handle your business, and most importantly, your marketing. You told everyone that you use this really cool newsletter service called MiamiMail, that you have 280,000 subscribers, and the list grows by 2,000-3,000 subscribers a week. It’s so much to maintain that you hired Debra, a social-media expert, Quinn, an email-marketing guru, and Vince, a programmer who works with the MiamiMail API. You also talk about your guest bloggers and some of the famous chefs that actively participate on the blog and answer questions in the comments. You just built this great new recipe section, where the same famous chefs comment on the posts.

Over the years we’ve seen SPAM grow in maturity. SPAM has moved from poorly spelled 419 scams, to simple phishing scams, and now we see smarter and more targeted SPAM and phishing attacks. Hackers have exposure to tools, data and blackhat ESP systems that allow them to run sophisticated campaigns against targeted victims. We see hackers use levels of sophistication beyond what most marketers use, like advanced segmentation, dynamic content using conditional merge tags, and combining other data sources to target recipients more effectively. With combined data sources, they can effectively attack your employees and users. If the attacker can’t obtain enough information, there are sites where a few dollars can provide them with just about anything they want to know. Just as you read your campaign results, the hacker is using reporting data from their malicious software. When they launch an attack, they use the stats to tweak and refine future attacks.

Arthur is a hacker, and he’s just come off a series of attacks against major car dealers. He wants to change things up and reads the article about your site. It piques his interest because you gave some specific details. Here’s what Arthur knows about your business:

1. You use MiamiMail.

2. You have a substantial list, and it’s growing quickly.

3. Arthur knows about at least four people in the company: Debra, Quinn, Vince and you.

4. Arthur also knows some famous people who use your blogging tool.

5. Those famous people participate in the recipe section.

Arthur takes this data and begins to research the following:

1. MiamiMail. Find out anything and everything about them. He trolls the support forums, signs up for a free account, learns about the API and even experiments with the system to send a few test campaigns.

2. Your company’s About page. That really cool Team page came in handy! Arthur finds a few other employees and then begins researching your employees and building profiles for Debra, Quinn, Vince and you. He finds your Twitter, Facebook and LinkedIn profiles. He also finds out your home addresses, personal email accounts and a few other pieces of information he purchases using some stolen credit cards he got from that car dealer scam he ran last week.

3. The famous chefs. If Arthur can’t trick your employees, he might be able to trick one of the chefs and maybe gain some access to the blog.

Arthur builds his campaign to drive his victims toward a site or series of malicious sites. These campaigns allow him to learn more about the computer systems involved, gain access to the owner’s system, or even worse, damage your infrastructure as a whole. He won’t just target employees—he’ll target business associates, family members and friends. Arthur may even use a series of campaigns to learn more information or gain access to specific computer systems.

So what is a malicious site?

Years ago someone would receive a virus in an email, click it, and get infected. Those tactics are still used, but these days most attacks use drive-by malware. The basic idea is that you visit a site that the hacker controls. They’ve embedded some JavaScript or code that runs and infects your system. You didn’t have to click anything—you simply visited the site and got infected. If Arthur plays his cards right, he’ll infect the right machines. Even if he doesn’t get to the systems he wanted, he’ll use the other systems to learn more information or attack elsewhere. And what does an infected machine provide Arthur with? Malware infections can include keyloggers, remote access and access to all the data on your machine or network. Once infected, Arthur has unfettered access to your information. Keyloggers allow him to watch all your keystrokes. Yes, EVERY keystroke. Malware is designed to run without you ever knowing it has been installed. Arthur can sit and watch and collect and learn. With time he’ll gain access to all of your systems, or in this case gain access to your MiamiMail account. Once he has this access, he’ll steal your subscribers and start the process all over again. At this point, he can target your subscribers to gain access to their systems, attempt to steal credit cards and more. He can continue mining data from your system, or rent or sell your system to other hackers for other needs.

Read more about malware.

Scary, huh? We suggest rottweilers with lasers.