List:       focus-ms
Subject:    RE: HOW TO encrypt and store mail
From:       Dave Balogh <Dave.Balogh () ivans ! com>
Date:       2011-01-12 19:23:54
Message-ID: E8BFE7BD7495734697A6E11016B45B3C18E8FA46 () TPAEXCHANGE01 ! ivans ! local

It requires you to keep logs of changes, file integrity, etc., depending on which PCI
group you fall under. We have to have file integrity monitoring logs stored in
multiple places to prevent admin from being able to remove all traces of changes.
Sure, there are ways around it, but there'd likely be enough warning signs that
something is happening to take action, assuming there are any auditing controls in
place.

Why do you have cardholder information (such as the PAN) in e-mail anyways? No way
around that? We don't store any cardholder data (well nothing that's required to be
encrypted) in e-mails or any other system outside of our PCI network. The data itself
is encrypted at rest in SQL, and encrypted during transmission to vendors (CC service
and ACH stuff).

-Dave

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Kurt Dillard
Sent: Wednesday, January 12, 2011 12:39 PM
To: 'Edgar Zapata'; focus-ms@securityfocus.com
Subject: RE: HOW TO encrypt and store mail

If you don't trust your admins fire them and hire new admins. There's little
you can do to prevent a malicious admin from bypassing security controls. I
would be surprised if PCI requires that you protect your servers and the
data on those servers from your admins.

You can look at the Outlook crypto settings (User
Configuration\Administrative Templates\Microsoft Outlook
2010\Security\Cryptography in group policy), and you can also look at DRM,
such as Microsoft's Rights Management Services. These will encrypt the email
messages at the client and they should remain encrypted on the servers, but
a malicious admin can get around these countermeasures in a variety of ways,
e.g. they can change the RMS policies to grant themselves the right to read
messages regardless of who wrote them or they could install a rootkit and
keystroke logger that collects the executive's logon credentials and later
log onto the executive's computer to examine whatever files they want.

-----Original Message-----
From: Edgar Zapata [mailto:edgar.zapata@sitel.com]
Sent: Wednesday, January 12, 2011 9:30 AM
To: Kurt Dillard; focus-ms@securityfocus.com
Subject: RE: HOW TO encrypt and store mail

Thanks Kurt.
I guess that won't do.  As far as I know, and based on the tests that we've
been performing, it only provides for a way so in case the disks are
robbed/stolen they won't be readable unless you have a key (stored in, say, a
removable USB drive).
It won't prevent the system admin from reading the contents of the mails or
even making copies of the .edb and .stm files for later misuse.

We're still searching and testing so I'm open to suggestions.

Thank you.


Edgar Zapata
EMEA Data Systems
+34 913.797.460 T
+34 680.398.372 M
edgar.zapata@sitel.com

Sitel
Calle Impresores, 20 - Planta 2
Parque Empresarial Prado del Espino
Boadilla del Monte - Madrid 28660
SPAIN
www.sitel.com

Please consider the environment before printing.

-----Original Message-----
From: Kurt Dillard [mailto:kurtdillard@msn.com]
Sent: Wednesday, January 12, 2011 18:22
To: Edgar Zapata; focus-ms@securityfocus.com
Subject: RE: HOW TO encrypt and store mail

You're using Windows Server 2008, so why not use BitLocker to encrypt the
entire drive?

Regards,

Kurt

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Edgar Zapata
Sent: Wednesday, January 12, 2011 8:09 AM
To: focus-ms@securityfocus.com
Subject: HOW TO encrypt and store mail

Hello,

We are looking for a solution to store and encrypt mails.

We need to comply with PCI (Payment Card Industry) standards.
We have Windows 2008 and Exchange 2007 SP2.

So far, we haven't found a way to encrypt and store mail in Exchange.
We'll be encrypting communications with TLS.

Plus, we need to use OE (Outlook Express) so we can use IMAP for incoming
mail and SMTP for outgoing e-mail.

Any ideas/suggestions are more than welcome.

Thank you.


**CONFIDENTIAL NOTICE**
This e-mail and any files transmitted with it may contain PRIVILEGED or
CONFIDENTIAL information and may be read or used only by the intended
recipient.  If you are not the intended recipient of the e-mail or any of
its attachments, please be advised that you have received this e-mail in
error and that any use, dissemination, distribution, forwarding, printing,
or copying of this e-mail or any attached files is strictly prohibited.  If
you have received this e-mail in error, please immediately purge it and all
attachments and notify the sender by reply e-mail.

This message and any attachments are intended only for the use of the addressee and
may contain information that is privileged and confidential. If the reader of the
message is not the intended recipient or an authorized representative of the intended
recipient, you are hereby notified that any dissemination of this communication is
strictly prohibited. If you have received this communication in error, notify the
sender immediately by return email and delete the message and any attachments from
your system.

