How do US government agencies open their email attachments?
up vote
1
down vote
favorite
I suppose the FBI receives email with attachments, like any other government agency: documents, resumes/CVs, etc. I also suppose they are very careful not to get infected, more than the average user, for obvious reasons. If I were to send an email to the FBI, attaching maybe a PDF with my resume/CV, how are they going to open it?
So I wonder if US government agencies are known to use particular procedures or follow particular standards for dealing with emails safely. I also suppose what I'm asking is not secret information, given the large number of people involved (all the people who work in or for the government are expected to deal with emails safely).
email government email-attachments
add a comment |
up vote
1
down vote
favorite
I suppose the FBI receives email with attachments, like any other government agency: documents, resumes/CVs, etc. I also suppose they are very careful not to get infected, more than the average user, for obvious reasons. If I were to send an email to the FBI, attaching maybe a PDF with my resume/CV, how are they going to open it?
So I wonder if US government agencies are known to use particular procedures or follow particular standards for dealing with emails safely. I also suppose what I'm asking is not secret information, given the large number of people involved (all the people who work in or for the government are expected to deal with emails safely).
email government email-attachments
1
@schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
– reed
7 hours ago
add a comment |
up vote
1
down vote
favorite
up vote
1
down vote
favorite
I suppose the FBI receives email with attachments, like any other government agency: documents, resumes/CVs, etc. I also suppose they are very careful not to get infected, more than the average user, for obvious reasons. If I were to send an email to the FBI, attaching maybe a PDF with my resume/CV, how are they going to open it?
So I wonder if US government agencies are known to use particular procedures or follow particular standards for dealing with emails safely. I also suppose what I'm asking is not secret information, given the large number of people involved (all the people who work in or for the government are expected to deal with emails safely).
email government email-attachments
I suppose the FBI receives email with attachments, like any other government agency: documents, resumes/CVs, etc. I also suppose they are very careful not to get infected, more than the average user, for obvious reasons. If I were to send an email to the FBI, attaching maybe a PDF with my resume/CV, how are they going to open it?
So I wonder if US government agencies are known to use particular procedures or follow particular standards for dealing with emails safely. I also suppose what I'm asking is not secret information, given the large number of people involved (all the people who work in or for the government are expected to deal with emails safely).
email government email-attachments
email government email-attachments
edited 8 hours ago
asked 8 hours ago
reed
1,7591316
1,7591316
1
@schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
– reed
7 hours ago
add a comment |
1
@schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
– reed
7 hours ago
1
1
@schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
– reed
7 hours ago
@schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
– reed
7 hours ago
add a comment |
2 Answers
2
active
oldest
votes
up vote
6
down vote
While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:
- sandbox email attachments
- no attachments but authorised, attributable file upload tools
In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.
Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.
add a comment |
up vote
0
down vote
Segmentation is the key technique here.
You never with with sensitive data and external data at the same time, depending on the sensitivity, you may use a different device that may be air gapped from the external world, but often just different virtual machines or SELinux context (hint: SELinux was developed by NSA). Even further employees that handle data from the public are different from employees that handle sensitive data, employees that handles hiring doesn't really need to have access to investigation data, for example.
There is usually a procedure to transfer data between sensitive zones, with check and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).
Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in untrusted context.
But most importantly though, security is mainly about human. Regular security drills, practice on detecting phishing, and documented procedures, all works to prevent attacks. Many security vulnerabilities depends on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.
add a comment |
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
6
down vote
While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:
- sandbox email attachments
- no attachments but authorised, attributable file upload tools
In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.
Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.
add a comment |
up vote
6
down vote
While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:
- sandbox email attachments
- no attachments but authorised, attributable file upload tools
In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.
Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.
add a comment |
up vote
6
down vote
up vote
6
down vote
While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:
- sandbox email attachments
- no attachments but authorised, attributable file upload tools
In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.
Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.
While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:
- sandbox email attachments
- no attachments but authorised, attributable file upload tools
In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.
Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.
edited 7 hours ago
answered 8 hours ago
schroeder♦
71.4k29154189
71.4k29154189
add a comment |
add a comment |
up vote
0
down vote
Segmentation is the key technique here.
You never with with sensitive data and external data at the same time, depending on the sensitivity, you may use a different device that may be air gapped from the external world, but often just different virtual machines or SELinux context (hint: SELinux was developed by NSA). Even further employees that handle data from the public are different from employees that handle sensitive data, employees that handles hiring doesn't really need to have access to investigation data, for example.
There is usually a procedure to transfer data between sensitive zones, with check and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).
Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in untrusted context.
But most importantly though, security is mainly about human. Regular security drills, practice on detecting phishing, and documented procedures, all works to prevent attacks. Many security vulnerabilities depends on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.
add a comment |
up vote
0
down vote
Segmentation is the key technique here.
You never with with sensitive data and external data at the same time, depending on the sensitivity, you may use a different device that may be air gapped from the external world, but often just different virtual machines or SELinux context (hint: SELinux was developed by NSA). Even further employees that handle data from the public are different from employees that handle sensitive data, employees that handles hiring doesn't really need to have access to investigation data, for example.
There is usually a procedure to transfer data between sensitive zones, with check and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).
Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in untrusted context.
But most importantly though, security is mainly about human. Regular security drills, practice on detecting phishing, and documented procedures, all works to prevent attacks. Many security vulnerabilities depends on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.
add a comment |
up vote
0
down vote
up vote
0
down vote
Segmentation is the key technique here.
You never with with sensitive data and external data at the same time, depending on the sensitivity, you may use a different device that may be air gapped from the external world, but often just different virtual machines or SELinux context (hint: SELinux was developed by NSA). Even further employees that handle data from the public are different from employees that handle sensitive data, employees that handles hiring doesn't really need to have access to investigation data, for example.
There is usually a procedure to transfer data between sensitive zones, with check and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).
Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in untrusted context.
But most importantly though, security is mainly about human. Regular security drills, practice on detecting phishing, and documented procedures, all works to prevent attacks. Many security vulnerabilities depends on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.
Segmentation is the key technique here.
You never with with sensitive data and external data at the same time, depending on the sensitivity, you may use a different device that may be air gapped from the external world, but often just different virtual machines or SELinux context (hint: SELinux was developed by NSA). Even further employees that handle data from the public are different from employees that handle sensitive data, employees that handles hiring doesn't really need to have access to investigation data, for example.
There is usually a procedure to transfer data between sensitive zones, with check and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).
Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in untrusted context.
But most importantly though, security is mainly about human. Regular security drills, practice on detecting phishing, and documented procedures, all works to prevent attacks. Many security vulnerabilities depends on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.
answered 4 hours ago
Lie Ryan
20.9k24471
20.9k24471
add a comment |
add a comment |
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f198392%2fhow-do-us-government-agencies-open-their-email-attachments%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
@schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
– reed
7 hours ago