How do US government agencies open their email attachments?

I suppose the FBI receives email with attachments, like any other government agency: documents, resumes/CVs, etc. I also suppose they are very careful not to get infected, more than the average user, for obvious reasons. If I were to send an email to the FBI, attaching maybe a PDF with my resume/CV, how are they going to open it?



So I wonder if US government agencies are known to use particular procedures or follow particular standards for dealing with emails safely. I also suppose what I'm asking is not secret information, given the large number of people involved (all the people who work in or for the government are expected to deal with emails safely).







email government email-attachments

edited 8 hours ago

asked 8 hours ago
reed




    @schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies)
    – reed
    7 hours ago

2 Answers

While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:

  • sandbox email attachments
  • no attachments but authorised, attributable file upload tools

In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.

Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.







edited 7 hours ago

answered 8 hours ago
schroeder

Segmentation is the key technique here.

You never work with sensitive data and external data at the same time. Depending on the sensitivity, you may use a different device that may be air-gapped from the external world, but often just different virtual machines or SELinux contexts (hint: SELinux was developed by the NSA). Even further, employees that handle data from the public are different from employees that handle sensitive data; employees that handle hiring don't really need to have access to investigation data, for example.

There is usually a procedure to transfer data between sensitive zones, with checks and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).

Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in an untrusted context.

But most importantly though, security is mainly about humans. Regular security drills, practice on detecting phishing, and documented procedures all work to prevent attacks. Many security vulnerabilities depend on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.







answered 4 hours ago
Lie Ryan
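
The mail-server behaviour described in the answer above (attachments stripped from mail sent by people outside the trusted environment, and the message tagged for an untrusted context), as an added example that is not part of either answer and not any agency's actual tooling. The domain `agency.example`, the `X-Handling-Context` header and all function names are assumptions, and the sample message is constructed.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAINS = {"agency.example"}   # assumption: the agency's own mail domain
TAG_HEADER = "X-Handling-Context"      # hypothetical tag read by downstream clients


def is_external(msg):
    """Treat every sender outside TRUSTED_DOMAINS as external.

    From is sender-controlled, so a production gateway would decide on the
    receiving connector or on SPF/DKIM/DMARC results rather than this header.
    """
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() not in TRUSTED_DOMAINS


def segment(raw):
    """Return (message for the recipient, list of quarantined attachments)."""
    msg = message_from_bytes(raw, policy=policy.default)
    del msg[TAG_HEADER]                # never trust a tag supplied by the sender
    if not is_external(msg):
        msg[TAG_HEADER] = "trusted"
        return msg, []

    quarantined = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # None for nested messages
        quarantined.append({
            "filename": part.get_filename() or "unnamed",
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,              # handed to the sandbox, not to the user
        })

    # Rebuild from the plain-text body only; HTML and attachments are dropped.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    clean = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[name] is not None:
            clean[name] = str(msg[name])
    clean[TAG_HEADER] = "untrusted"
    notice = "".join(
        f"[attachment removed: {a['filename']} sha256={a['sha256'][:16]}]\n"
        for a in quarantined
    )
    clean.set_content(text + notice)
    return clean, quarantined


def build_sample(sender):
    """Constructed sample: a short message carrying one PDF-like attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "hiring@agency.example"
    m["Subject"] = "Resume"
    m.set_content("Please find my CV attached.\n")
    m.add_attachment(b"%PDF-1.4 constructed sample bytes",
                     maintype="application", subtype="pdf", filename="resume.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    clean, held = segment(build_sample("Applicant <applicant@mail.example>"))
    print(clean[TAG_HEADER], [a["filename"] for a in held])
    print(clean.get_content())
```

The quarantined bytes are what a sandbox or text-extraction stage, as described in the first answer, would receive; the recipient's mailbox only ever sees the rebuilt plain-text message.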
