Global Knowledge

Security breaches have taught us some lessons and clarified others that we should already have known. This paper examines many issues and focuses on only 10 solutions that all security professionals need.
Security breaches can be avoided if we learn from our past mistakes and from the damage done to others. Security breaches can expose flaws, misconfigurations, and design mistakes that many organizations continue to make.

1. Email is not confidential
Since its inception, email has been a simple text-based communication medium. This is often forgotten or misunderstood.
Many people access their email through a web browser with HTTPS as the prefix of the URL. This means that their connection is secure. The TLS-encrypted connection protects the reading and accessing of your messages, but not the sending or receiving of them. Email clients can also set up TLS connections to their ISP or office email server. Such a connection secures the sending and receiving of messages, but only between the client and its local email server. Messages sent across the Internet to other recipients, and messages received from them, often travel in plain text.
Email messages sent and received via a public Internet link will most likely be sent in plain-text format. Many email service providers, such as Google, Microsoft, and Yahoo, are currently working together to establish encrypted email transmissions between themselves or other participants in their initiative. It could take many years before all messages can be encrypted for transport.
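The hop-by-hop nature of this protection is visible in a message's `Received` headers, where each receiving server records the protocol it used. The following is an added example, not part of the original paper: it reads those headers and flags hops that were not recorded as TLS-protected. The sample message, hostnames, and function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
            "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message (reserved .example names, documentation IPs).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.30])
    by mailstore.recipient.example with LMTPS id c3; Mon, 1 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [192.0.2.20])
    by mx.recipient.example with ESMTP id b2; Mon, 1 Jan 2024 10:00:02 +0000
Received: from laptop.sender.example (unknown [192.0.2.10])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by out.sender.example with ESMTPSA id a1; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

Body text.
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments; they can contain 'with'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def hops(raw_message):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    result = []
    # Each server prepends its header, so reverse to get delivery order.
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        pairs = re.findall(r"\b(from|by|with)\s+([^\s;]+)", strip_comments(header), re.I)
        f = {key.lower(): val for key, val in pairs}
        proto = f.get("with", "").upper()
        result.append((f.get("from"), f.get("by"), proto, proto in TLS_WITH))
    return result

def plaintext_hops(raw_message):
    """Hops whose receiving server did not record TLS for the transfer."""
    return [h for h in hops(raw_message) if not h[3]]

if __name__ == "__main__":
    for src, dst, proto, tls in hops(SAMPLE):
        print(f"{src} -> {dst}: {proto} ({'TLS' if tls else 'no TLS recorded'})")
```

In the sample, the client-to-server and final delivery hops show TLS while the server-to-server hop across the Internet does not. `Received` headers written by servers outside your control can be forged, so treat only the hops your own servers recorded as reliable.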

Here are some ways to deal with this.
First, reduce the amount of information that you send via email. This will prevent problems (or heartache) if your email is intercepted by your employer, family members, the government, hackers, or others. Choose a more secure method to transfer information, such as encrypted file exchange, secured chat, or video conference.
Second, use an email encryption solution. Standalone email client extensions have been around for years, and there are now many ways to add encryption services to web-based mail using browser extensions. Mailvelope, PassLok for Email, and SendSafely are just some of the browser extensions you should consider. There are also encrypted email services, of which ProtonMail and Hushmail are just a few examples.
If you use a standalone email client, you can obtain a digital certificate to use with it. You can also add a proprietary encryption tool such as PGP (commercial), GPG (GNU licensed), or OpenPGP.
No matter which solution you choose, the main drawback of client-based email encryption solutions is that your recipient must also be able to decrypt messages and verify digital signatures.

2. No network is 100% secure
You are well aware that security is never a completed project. It is a journey with many stops.
It is impossible to create a network that is 100% secure. There are many ways to compromise security. Many organizations believe their security is perfect and that their network cannot easily be hacked. They also believe they can trust their environment. Each year, hundreds of organizations learn that hackers can hack networks to steal confidential data and cause damage.
It is important to realize that most of the technology we use today is still very new and has not matured. We are constantly trying to find the newest and most advanced gadgets and the best technology.