Most of what I'm going to cover here is theoretical stuff. Of course, information security planning and design is mostly theory. Once you're done with theory, you're on the tail end of infosec - "incident handling" and "forensics". Anyway... let's cut to the chase first.
Once the attacker has access to your network traffic, unencrypted email is trivial to intercept. Access to that traffic may not be trivial itself, depending on the attacker. An external attacker will have a much more difficult time than an insider. So unencrypted email itself is very vulnerable, but access to that data is very hard to predict. That makes this threat hard to quantify... but still very real.

The other way to attack this issue is to examine the solution. In this case, it is encrypted email. Encrypted email is relatively easy to implement. There are plugins and email clients that integrate S/MIME and PGP rather well. PGP requires relatively little infrastructure. And by implementing an encrypted email standard, you begin to mitigate the risk of intercepted confidential email (although I admit I'm glossing over a lot of issues: S/MIME vs. PGP, user education, licensing, training, etc.). In short, encrypted email is so easy to implement that it makes unencrypted email an unacceptable threat.

On to some specific questions / answers...

On Fri, 2002-02-22 at 10:57, Dave Bujaucius wrote:

> 1. Is it really easy? How readily available are sniffing tools that
> can do this?

Any sniffer in the right location can intercept email. There are also sniffers specifically designed for certain traffic like email (i.e., dsniff - http://www.monkey.org/~dugsong/dsniff/ ).

> 2. Can it be done from a user's home dial up or DSL type connection?
> Can someone in California somehow be scanning mail leaving a New York
> location?

Assuming an attacker hasn't compromised the network, no. Someone out in the wild Internet cannot arbitrarily target all email coming in and out of example.com. If this were possible, US law enforcement wouldn't need projects like Carnivore.

> 3. Outside of government agencies that have access to selected ISP's,
> how likely is it that a company could be targeted by an outside person
> or organization?
It would be possible for an individual to attack a specific target. The attacker would have to target example.com's network, or its upstream provider, or maybe even hosts that dial in or otherwise remotely access example.com's network (i.e., a worker who uses a VPN connection to access the target's internal network via their home computer on a cable modem). Once they are able to compromise a host (or some network gear), they could then begin to intercept traffic (or continue to attack the network until they are in the position to begin intercepting traffic).

It might be worth mentioning a few other factors. First, most attacks are "crimes of convenience". It's rather rare for an individual to have a specific target. It is more likely for someone to stumble on a vulnerable host (or maybe an interesting chunk of traffic), take interest, and exploit their finding. It still leads to compromise of your sensitive data.

Finally, do not discount insider threats. Insiders will already have access to the network and will be much harder to detect. You may find that a determined external attacker specifically targeting your network is your least likely threat.

-- 
.: Paul Hosking
.: InfoSec
.: PGP KeyID: 0x42F93AE9
.: 7B86 4F79 E496 2775 7945 FA81 8D94 196D 42F9 3AE9
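The reply above argues that once an S/MIME or PGP standard is adopted, unencrypted confidential mail becomes the unacceptable case. A practical way to enforce that is a policy check on the mail itself: inspect each message's MIME structure and flag anything marked confidential that is still readable on the wire. The following is an added example, not code from the original thread; it uses the standard `email` module, recognises PGP/MIME (RFC 3156), S/MIME enveloped data (RFC 8551) and inline ASCII-armored PGP, and treats signed-only mail as unprotected, since a signature proves origin but leaves the body in the clear. The sample messages, the `[CONFIDENTIAL]` subject marker and the `audit` function name are constructed for the example.

```python
"""Flag confidential mail that left the organisation without end-to-end encryption.

Added example (not from the original mailing-list post). The message samples
below are constructed; ciphertext bodies are placeholders, since the check only
looks at MIME structure, never at the encrypted payload itself.
"""
from email import message_from_string

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
ENCRYPTED = ("pgp-mime", "pgp-inline", "smime")


def classify_encryption(raw: str) -> str:
    """Return how (or whether) the body of an RFC 822 message is protected.

    Possible results: 'pgp-mime', 'smime', 'pgp-inline', 'signed-only',
    'unknown-encrypted', 'plaintext'.
    """
    msg = message_from_string(raw)
    ctype = msg.get_content_type()

    # RFC 3156 PGP/MIME: multipart/encrypted with protocol="application/pgp-encrypted"
    if ctype == "multipart/encrypted":
        if (msg.get_param("protocol") or "").lower() == "application/pgp-encrypted":
            return "pgp-mime"
        return "unknown-encrypted"

    # RFC 8551 S/MIME: application/pkcs7-mime; smime-type=enveloped-data
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        if (msg.get_param("smime-type") or "").lower() == "enveloped-data":
            return "smime"
        return "signed-only"  # e.g. signed-data: authenticated, but readable

    # multipart/signed (PGP or S/MIME detached signature): body is cleartext
    if ctype == "multipart/signed":
        return "signed-only"

    # Inline PGP: an armored block inside an ordinary text part
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            if PGP_ARMOR in body:
                return "pgp-inline"

    return "plaintext"


def audit(messages, marker="[CONFIDENTIAL]"):
    """Return (subject, status) for marked-confidential mail that is not encrypted."""
    findings = []
    for raw in messages:
        subject = message_from_string(raw).get("Subject", "")
        status = classify_encryption(raw)
        if marker in subject and status not in ENCRYPTED:
            findings.append((subject, status))
    return findings


# --- constructed sample messages --------------------------------------------
PLAIN = """From: alice@example.com
To: bob@example.com
Subject: [CONFIDENTIAL] Q1 numbers
Content-Type: text/plain; charset=us-ascii

Revenue was up 12%.
"""

PGP_MIME = """From: alice@example.com
To: bob@example.com
Subject: [CONFIDENTIAL] Q1 numbers
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

SMIME = """From: alice@example.com
To: bob@example.com
Subject: [CONFIDENTIAL] Q1 numbers
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""

INLINE = """From: alice@example.com
To: bob@example.com
Subject: [CONFIDENTIAL] Q1 numbers
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----
"""

UNMARKED = """From: alice@example.com
To: bob@example.com
Subject: lunch?
Content-Type: text/plain; charset=us-ascii

Noon at the usual place.
"""

if __name__ == "__main__":
    for subject, status in audit([PLAIN, PGP_MIME, SMIME, INLINE, UNMARKED]):
        print(f"UNPROTECTED: {subject!r} ({status})")
```

Run on an outbound mail spool or an mbox export, the audit gives a concrete count of how much confidential traffic is still exposed, which is the number that turns "hard to quantify" into an argument for rolling out S/MIME or PGP. Note that this is a structural check only: it does not verify that the ciphertext was produced for the right recipient key, and transport encryption (STARTTLS between servers) is invisible to it by design, since that protects only one hop.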