For those that need to justify to management a case for deploying DKIM, I've done up this draft risk assessment. Does this sound fair? Do I need to add anything? Any corrections to ambiguous terms / statements welcome.
Security Risk Assessment

Step 1: What assets are you trying to protect?

People’s integrity. Specifically, it is possible to socially engineer a person via email, and this can cause the loss of financial assets, information and systems integrity.

Step 2: What are the risks to these assets?

People who want to socially engineer others in order to:

1. obtain financial information such as bank accounts, corporate finance control systems and corporate credit cards;
2. obtain corporate information such as classified or sensitive information. This is information an organisation may hold, like credit card or medical records, people’s contact details, weapon locations, physical security vulnerabilities etc.; and/or
3. install trojans or malware on a system with the assistance of a person, hence violating the confidentiality, and potentially the integrity and availability, of all information that person has access to.

This is achieved by convincing an email recipient that the sender is someone who has authority or respect, to entice them to take an action that they would not otherwise perform for the true sender.

Step 3: How well does the security solution mitigate those risks?

Email on its own does not mitigate the threat at all; there are no integrity or authenticity controls on email.

SPF mitigates this risk by ensuring that the IP address that sends the email matches an IP address allowed in a DNS record published by the alleged sender domain. The recipient’s email server checks the return path (the address to which a bounced email will be sent), which indicates the alleged sender. The return path of the email is, however, forgeable. As such, SPF may only be effective until such time as attackers learn to forge the return path to evade detection.

DomainKeys Identified Mail (DKIM) digitally signs the content of the email and a majority of the email headers, including the From address, Subject, and Date/Time.
DKIM verification ensures that no forged emails enter the recipient’s email system for participating sender domains. The recipient then needs to check the From address domain and base their trust on that information. DKIM, being a public key digital signature system, ensures that distributing the public key used to verify email does not allow anyone to forge a DKIM signature. As the public key distribution is based on DNS, its reliability is limited to the integrity of DNS records (see Threat Analysis of the Domain Name System (DNS), RFC 3833 [1]).

Step 4: What other risks does the security solution cause?

1. Until the sender domain publishes a DKIM key and sender signing policy in DNS, there is a risk that a user could come to accept a forged email as legitimate where they previously may not have.
2. DKIM provides domain-level trust. It does not protect against an insider pretending to be another person inside the same network.
3. Email lists tend to modify emails and therefore invalidate the signatures on them. Appropriate vendor products are needed to address this inconvenience in a way that still protects against email forgery.
4. The loss of a private key could make the sender domain susceptible to being used as a false email source.
5. Emails sent by mobile users also need to be signed; if email is sent without this occurring, it may not arrive at its destination.
6. DKIM software, as it performs the complex parsing of email, has the potential to contain software vulnerabilities. DKIM signing/verifying software lies on an email path that is executed for every email sent and received, so if it is vulnerable it could be remotely exploited without user intervention.

Step 5: What costs and trade-offs does the security solution impose?

There is a time/effort/financial cost in deploying appropriate software to sign and verify emails passing through an email gateway.
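To make the Step 3 and Step 4 points concrete (what the signature actually covers, and why a mailing list footer invalidates it), here is an added Python example; it is not code from the original post or from any DKIM milter. It implements only the RFC 6376 section 3.4 canonicalization rules and the bh= body hash with the standard library (no key handling), and the sample headers, body, addresses and list footer are constructed for the illustration.

```python
"""Added example (not from the original post or from any DKIM milter):
the parts of DKIM that decide whether a signature survives transit.
Implements RFC 6376 section 3.4 canonicalization and the bh= body hash
using only the standard library; the sample message is constructed."""
import base64
import hashlib
import re

CRLF = "\r\n"
WSP = re.compile(r"[ \t]+")


def _drop_trailing_empty(lines):
    """RFC 6376 3.4.3/3.4.4: ignore all empty lines at the end of the body."""
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def canon_body_simple(body: str) -> str:
    """'simple' body canonicalization: only trailing empty lines are removed."""
    lines = _drop_trailing_empty(body.split(CRLF))
    if not lines:
        return CRLF  # an empty body canonicalizes to a single CRLF
    return CRLF.join(lines) + CRLF


def canon_body_relaxed(body: str) -> str:
    """'relaxed' body canonicalization: collapse WSP runs to one SP and strip
    trailing WSP on every line, then remove trailing empty lines."""
    lines = [WSP.sub(" ", ln).rstrip(" ") for ln in body.split(CRLF)]
    lines = _drop_trailing_empty(lines)
    if not lines:
        return ""  # an empty body canonicalizes to the empty string
    return CRLF.join(lines) + CRLF


def body_hash(body: str, canon: str = "relaxed") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    canon_fn = canon_body_relaxed if canon == "relaxed" else canon_body_simple
    digest = hashlib.sha256(canon_fn(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_body_hash(expected_bh: str, received_body: str, canon: str = "relaxed") -> bool:
    """A verifier's first test (RFC 6376 6.1.3): recompute bh= over the body it
    received and compare with the signer's value. A mismatch means the body was
    altered in transit and the signature can never verify."""
    return body_hash(received_body, canon) == expected_bh


def canon_header_relaxed(name: str, value: str) -> str:
    """'relaxed' header canonicalization (RFC 6376 3.4.2): lowercase the field
    name, unfold, collapse WSP runs, strip WSP around the colon."""
    unfolded = value.replace(CRLF, "")
    cleaned = WSP.sub(" ", unfolded).strip(" ")
    return f"{name.strip().lower()}:{cleaned}{CRLF}"


def signed_header_block(headers: dict, signed_fields: list) -> str:
    """The header part of the data the signer's private key covers: the fields
    named in the h= tag, in that order. (The DKIM-Signature header itself, with
    an empty b=, is appended last; omitted here for brevity.) Any change to
    these fields, such as From or Subject, breaks verification."""
    return "".join(canon_header_relaxed(h, headers[h]) for h in signed_fields)


# Constructed sample message as the signer saw it (hypothetical addresses).
SAMPLE_HEADERS = {
    "From": "Alice <alice@example.com>",
    "Subject": "Invoice  approval",
    "Date": "Mon, 1 Jan 2007 10:00:00 +1000",
}
SIGNED_FIELDS = ["From", "Subject", "Date"]  # what would appear in h=
SAMPLE_BODY = "Please approve the attached invoice by Friday.\r\n"
# Constructed footer of the kind a mailing list appends after signing.
LIST_FOOTER = "_______________________________________________\r\nexample-list mailing list\r\n"


def demo() -> dict:
    """Sign-time values versus what a verifier sees after list processing."""
    bh = body_hash(SAMPLE_BODY)
    return {
        "bh": bh,
        "signed_headers": signed_header_block(SAMPLE_HEADERS, SIGNED_FIELDS),
        # Trailing blank lines are removed by canonicalization: still verifies.
        "after_blank_lines": check_body_hash(bh, SAMPLE_BODY + CRLF + CRLF),
        # A list footer changes the canonicalized body: bh= no longer matches.
        "after_list_footer": check_body_hash(bh, SAMPLE_BODY + LIST_FOOTER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The run shows the two sides of the Step 4 mailing-list point: relaxed canonicalization absorbs whitespace and trailing-blank-line changes, which is why most relays leave signatures intact, but any added footer text changes bh= and the message fails verification exactly as if it had been forged. The header block shows which fields (From, Subject, Date) a verifier would see fail if they were altered.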
There is the additional maintenance and training cost associated with the product and with DKIM technology in general. Minimising the impact on users of email lists without adding onerous complexity is a cost to the vendors and the agency.

The benefits of preventing a socially engineered person from doing something they shouldn’t can be measured in legal/marketing trouble, financial amounts, political trouble and the cost of cleaning up after a targeted malware infection.

Risk assessment methodology thanks to: Schneier, Bruce, "Beyond Fear: Thinking Sensibly about Security in an Uncertain World", Copernicus Books (September 2003).

Links:
[1] ftp://ftp.rfc-editor.org/in-notes/rfc3833.txt

Other Risks/Benefits/Comments/Questions welcome.

(This work is hereby given to the public domain - do what you want with it. I neither want/desire any copyright claims on it.)

-- 
Daniel Black -- Proudly a Gentoo Linux User.
Gnu-PG/PGP signed and encrypted email preferred
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x76677097
GPG Signature D934 5397 A84A 6366 9687 9EB2 861A 4ABA 7667 7097
_______________________________________________
dkim-milter-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
