Get documents about "Broadcast_Email_Guideline
Document Sample
InfraGard Connecticut
Broadcast Email Guideline
Prepared by
Jacob Epstein
August 1, 2004
PRELIMINARY
Overview:
Email is an imperfect vehicle for sharing critical information. As the result of various techniques being employed
that in worst case scenarios empower criminals and terrorist to use email to transport malware to unsuspecting
users, email messaging of critical information as transported for InfraGard Connecticut must be accurate,
verifiable and delivered in a timely manner.
Although various initiatives and projects have been proposed or are works in process that assist obtaining these
goals, replicating email messages on the IGCT WEB site solves the challenges listed above.
A key question raised by members over the years is “How can we trust email when it is easy to spoof
addresses?”. An answer is signing and encrypting messages. This approach has proven unsatisfactory for
InfraGard because only a small percentage of members and elected officials use a standard approach to digitally
sign email such as PGP or PKI certificates.
SSL WEBSITE
The entire InfraGard WEB site runs under a Digital Certificate. IGCT members and the public that visit the site,
view information under Secured Socket Layer, SSL, as indicated by the root URL for the site at
https://secure.infragard-ct.org. This enables any user to verify that they are connected to the official site for
InfraGard Connecticut.
The current InfraGard WEB site has been security hardened and IGCT members and content administrators can
only gain access to key areas of the site via a vetted process. Thus trust is relatively high that information as
posted on the site is correct and accurate. A suite of content management tools has been implemented that assist
in generating and proofing content in a timely manner.
Broadcast Email
IGCT incorporates email listserv technologies to send broadcast email to members and other groups with in the
organization. Although secured, there are inherent weaknesses in the system. As of this writing, these are being
addressed by IGCT’s IT committee.
Key and critical information as well as general information is sent via the listserve. As part of the process of
highlighting critical information especially that flowing from the FBI and the Connecticut DHS, an “Alerts,
Warnings, and Advisories” facility with front page access has been implemented on the WEB site. IGCT
leadership is working towards mirroring all critical email using this and the general news reporting features on the
site.
I some cases, email broadcasts my include introductory information with a link provided to more thorough content
published on the WEB site. This approach facilitate mail transfer especially when attachments may be required
such as portable document files (.pdf). Advantages of this approach include smaller and more efficient text based
emails that can traverse corporate mail filtering systems.
1
Procedure
As a result of the challenges discussed above plus work on tools to expedite publishing, IGCT directs all
members to check the WEB site for critical information. In many if not all cases, critical information broadcast to
members will be posted to the WEB site for verification purposes and also to record and document
communications.
As leaders change and based on need, this procedure may not always be followed for all correspondence,
however it is a goal that at the very least, the most critical and sensitive email broadcasts are also published on
the WEB site.
Public and Private Information
InfraGard Connecticut receives information vetted for Members only. Thus links and notices will be posted in the
public domain so that the description and notification of information is quickly viewable on the home page.
However, viewing the actual information cleared member review only will require that members use there email
address and password to gain access to the information.
As of this writing, members are still undergoing the vetting process requiring an FBI background check. Once the
grace period is complete, only new and renewed members will have access to this information.
Thus it is important that members have tested and regularly use private areas of the WEB site so that they retain
access to critical but private information.
2
