53

I suppose the FBI receives email with attachments, like any other government agency: documents, resumes/CVs, etc. I also suppose they are very careful not to get infected, more than the average user, for obvious reasons. If I were to send an email to the FBI, attaching maybe a PDF with my resume/CV, how are they going to open it?

So I wonder if US government agencies are known to use particular procedures or follow particular standards for dealing with emails safely. I also suppose what I'm asking is not secret information, given the large number of people involved (all the people who work in or for the government are expected to deal with emails safely).

reed
  • 2
    @schroeder, I added "US" to make it more specific, but info about other countries is also welcome if anybody has anything to say. Info on other highly secure environments is also ok as long as it's specified what environment it is (what kind of company? What purpose? Etc.) There are already several questions on how to open attachments safely here on SE, but it's just generic advice targeted at advanced users. Here I'd like to focus on known existing practices actually in use in supposedly secure environments (like government agencies) – reed Nov 25 '18 at 23:09
  • 1
    Each agency is likely different. I know how the US Treasury and SSA handle it because I used to contract at both agencies. Both were slightly different and Treasury took greater precautions. –  Nov 26 '18 at 11:11
  • 1
    Some generic recommendations from NIST (not specifically about attachments, but about e-mail in general) available here: https://csrc.nist.gov/publications/detail/sp/800-45/version-2/final – jcaron Nov 26 '18 at 12:52
  • Probably insecurely. I can assure you there's no special procedures for a non-security agency I work with. – jpmc26 Nov 26 '18 at 18:04
  • 1
    Encrypted emails are signed with physical 2fa keys. Things too big for email are sent via intranet server (basically our own version of dropbox) that also requires 2fa to sign in. (NASA) Other comments about email filtering and scanning are also correct. – Aaron Nov 26 '18 at 19:27
  • It really depends on the agency. I've seen a case personally where malware was sent to a government employee in a zip file and they just opened it. No policies were in place to prevent it (or at least, no honored policies). – forest Nov 26 '18 at 23:44
  • 1
    While not an answer, I can confirm that the US NAVY uses a separate site called _AMRDEC SAFE: Safe Access File Exchange_. The FBI has their jobs site where you enter your resume details as plain text. I've used both. Can't speak for other branches. – code_dredd Nov 27 '18 at 08:33

2 Answers

47

While I cannot speak for every government agency everywhere, in highly secure environments, what I have seen [unable to disclose] is:

  • sandbox email attachments
  • no attachments but authorised, attributable file upload tools

In each instance, the attachment is inspected and run in an isolated sandbox. The recipient only interacts with the file through this abstraction.

Oftentimes, the content is extracted as text and reconstructed in a structured way, wherever that is possible.

schroeder
  • 4
    I've seen the same thing, plus e-mail content being actually re-written so that any link contained in them would not be the actual link, but something like `internalserver://safeopen/link_in_the_email`. It doesn't prevent bad stuff from happening of course (see https://www.forbes.com/sites/martijngrooten/2018/11/12/cinema-chain-sees-bad-movie-script-play-out-as-it-loses-millions-in-email-scam/ ), but it helps mitigate. – ChatterOne Nov 26 '18 at 11:24
  • 1
    While I do not use [Qubes OS](https://www.qubes-os.org/) (mentioned by [Snowden](https://mobile.twitter.com/Snowden/status/781493632293605376) before), I do listen to their talks to learn what might be the state of the art in the free software world. One of the features is to [convert an untrusted PDF into a trusted one](https://theinvisiblethings.blogspot.com/2013/02/converting-untrusted-pdfs-into-trusted.html) by turning everything into images... – Alex Vong Nov 26 '18 at 17:40
  • 1
    ...(it's done inside a [disposable VM](https://www.qubes-os.org/doc/dispvm/), so even if the PDF somehow manages to exploit bugs in the conversion program, its effect is still contained within that VM). Another feature is to open PDFs in a disposable VM. The talk said this is, for example, useful for journalists who need to deal with untrusted documents often. – Alex Vong Nov 26 '18 at 17:40
  • 4
    @ChatterOne Ironic that you link to Forbes for an article about viruses infecting people. – Nic Nov 26 '18 at 17:49
27

Segmentation is the key technique here.

You never work with sensitive data and external data at the same time. Depending on the sensitivity, you may use a different device that may be air gapped from the external world, but often just a device with mandatory VPN, or different virtual machines, or SELinux contexts (hint: SELinux was developed by the NSA). Even further, employees that handle data from the public are different from employees that handle sensitive data; employees that handle hiring don't really need to have access to investigation data, for example, and vice versa.

There is usually a procedure to transfer data between sensitive zones, with checks and controls about what kind of data can be transferred under what conditions. This is often enforced through some form of MAC (mandatory access control).

Emails are often segmented as well. The mail server may automatically strip attachments from emails by people outside the agency's trusted environment, and they may be automatically tagged for work in an untrusted context. You may have an internal mailbox that's separate from the public mailbox. There is often some form of content filtering in the email server and/or client, through antivirus checks and/or some form of document classification and protection system.

But most importantly, security is mainly about humans. Regular security drills, practice on detecting phishing, documented procedures, and classifying documents all work to prevent attacks. Many security vulnerabilities depend on human factors. Software and tools can help prevent errors and make enforcement easier, but ultimately user training is the most important way to protect any system.

I wasn't able to find a publicly available document of email security practices for US government agencies, but here's one for Australia. In particular, you may be interested in Page 182 Email Security and Page 190 Email Content Filtering. Other sections that may be of interest are Page 282 Data Transfer and Content Filtering.

Lie Ryan
  • 1
    Aggressive deleting of email attachments was a major headache when I was working for a defense contractor. Outside of one project where we had to sign/encrypt everything with CAC cards first (AFAIK we never had delivery problems with them), the unofficial SOP with attachments was to send 2 emails: one with the attachment and one saying a message with an attachment was sent, so we could at least detect when stealth deletes occurred. When possible, uploading to an external SharePoint and sending a link was often done as a bypass too; but SP was annoying enough that govt people often chose email pain. – Dan Is Fiddling By Firelight Nov 26 '18 at 21:18
  • 1
    @DanNeely That looks like it's more a policy implementation problem. When a mail server quarantined an attachment, it should've left a message describing that it did so, where to retrieve the attachments, and what procedures were needed to sign off on the release (e.g. attachments from an external untrusted party may need to be opened in a dedicated sandbox machine, or attachments containing suspected sensitive data need a release authorisation form filled in). If the official SOP is causing people to have an unofficial SOP to effectively bypass the security system, that's a problem in the SOP too. – Lie Ryan Nov 26 '18 at 21:52
  • 2
    Totally agree about it being a policy trainwreck (e.g. `renameMe.piZAtoN`), but one that I saw with multiple govt entities, not just once. The worst was one whose email system eagerly deleted images but would let .doc and .ppt files through, which meant that to send a screenshot I had to package it in something far riskier than a simple .png/.jpg. It's possible that the move to a unified DoD email system (in progress when I left for commercial work) may have put someone sane in charge of the system; the degree of crazy involved is one of the reasons I'm glad to be out of govt related work. – Dan Is Fiddling By Firelight Nov 26 '18 at 22:28
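The practices named across both answers and the comments (attachments from outside the trusted environment held back for sandbox inspection, the subject tagged for the untrusted context, links rewritten to an internal safe-open URL, and a notice left in the body instead of a silent "stealth delete") pulled together into one gateway-side filter, as an added illustration rather than code from either answerer. The trusted domain, the `internalserver://safeopen/` prefix shape, and the sample message are assumptions constructed for this example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import quote

TRUSTED_DOMAINS = {"agency.example"}            # hypothetical internal domain
SAFE_OPEN_PREFIX = "internalserver://safeopen/"  # link format from ChatterOne's comment
LINK_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed sample: an external applicant sends a CV plus a portfolio link.
SAMPLE_RAW = """\
From: Applicant <applicant@mail.example>
To: recruiting@agency.example
Subject: Application for analyst position
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, my CV is attached. Portfolio: https://portfolio.example/me
--b1
Content-Type: application/pdf; name="cv.pdf"
Content-Disposition: attachment; filename="cv.pdf"

%PDF-1.4 (constructed placeholder, not a real document)
--b1--
"""

def rewrite_links(text):
    # Each http(s) URL becomes an internal safe-open URL that carries the original.
    return LINK_RE.sub(lambda m: SAFE_OPEN_PREFIX + quote(m.group(0), safe=""), text)

def sanitize(raw):  # -> (message to deliver, filenames held for sandbox inspection)
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() in TRUSTED_DOMAINS:  # unknown sender => external
        return msg, []                      # internal mail passes through untouched
    held, body = [], ""
    for part in msg.walk():
        if part.is_attachment():            # never delivered to the mailbox directly
            held.append(part.get_filename() or "unnamed")
        elif part.get_content_type() == "text/plain" and not body:
            body = part.get_content()       # keep only the plain-text body
    out = EmailMessage()
    out["From"], out["To"] = msg["From"], msg["To"]
    out["Subject"] = "[EXTERNAL] " + (msg.get("Subject") or "")
    body = rewrite_links(body)
    if held:  # leave a notice rather than a silent "stealth delete"
        body += "\n\n[Gateway] attachments held for sandbox inspection: " + ", ".join(held)
    out.set_content(body)
    return out, held
```

The held files are what the sandbox (or a Qubes-style image conversion) would process before anything reaches the recipient; the delivered message never carries them.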