What is the problem with sending password-protected ZIP files by email? Thinking about "truly meaningful security measures"
What method do you use when sending business data to external parties? Cloud storage services are increasingly common, but files are still very often sent as email attachments.
Some readers will have been instructed by their company to compress the file into a password-protected ZIP file, send it, and then immediately send the decompression password in a second email. There is a growing movement to reconsider this practice, because unless it is operated with some care, a password-protected ZIP file tends to end up as a "meaningless security measure".
Why is PPAP being reconsidered?
The momentum to reconsider the use of password-protected ZIP files has the following background. In November 2020, Takuya Hirai, Minister of State for Digital Reform, announced that central ministries and agencies would stop using password-protected ZIP files to send document files by email. Password-protected ZIP files are also widely used by private companies, and the direct mention by the government prompted a strong reconsideration of the practice there as well.
When the problems of password-protected ZIP files are discussed, experts use the term "PPAP" as a mocking label for the practice. When a password-protected ZIP file is sent by email, in most cases a separate email notifying the recipient of the password follows. The name takes the initial letter of each step of that procedure: a Password-protected ZIP file is sent, the Password is sent, this counts as "Angoka" (Japanese for encryption), and it is treated as the Protocol. The acronym was chosen to parody the title of a popular song of the time, which is why it reads as derision rather than a neutral description.
What's wrong with PPAP?
There are three main problems with PPAP: "network eavesdropping", "encryption strength", and "antivirus software being bypassed". In addition, email apps on smartphones and tablets often cannot open encrypted attachments, and the extra steps reduce labor productivity. Let's look at each of the three security issues in turn.
Network Eavesdropping
The problem is that the ZIP file is sent by email and the password is sent by email as well, over the same route and into the same mailbox. An attacker who can sniff the mail's path at some point obtains the password along with the ZIP file, and the same holds for anyone who has access to the recipient's mailbox or for a misaddressed message, since the follow-up password email goes to exactly the same place. In that situation, encrypting the file achieves nothing.
If you do send a password-protected ZIP file by email, the original intent of the method was to deliver the password over a different channel, such as a phone call or a chat message, so that compromising the email route alone does not expose the contents.
Encryption Strength
Second is encryption strength. As explained at the beginning, central ministries and agencies and many Japanese companies have relied on the encryption functions of password-protected ZIP files to maintain confidentiality. If you check the technical specification of the ZIP format, it does allow a strong algorithm: "AES" (Advanced Encryption Standard), the same cipher used in "WPA2" (Wi-Fi Protected Access 2), the security function for wireless LAN.
However, there are many ZIP compression and decompression programs, and not a few of them do not support every encryption algorithm described in the ZIP specification. Even if a file is encrypted with a strong algorithm, there is the usability problem that the recipient cannot decrypt it if their software does not support that algorithm.
To avoid this problem, senders fall back to the algorithm called "Traditional PKWARE Encryption" (commonly known as ZipCrypto), which every compression and decompression program supports. In practice, PPAP almost always uses this algorithm.
The ZipCrypto algorithm, however, has low cryptographic strength, and the specification itself states that it should not be used except where security is not a concern or where compatibility must be preserved. Its entire secret state is three 32-bit words derived from the password, a known-plaintext attack published in 1994 recovers that state from roughly a dozen bytes of known plaintext (such as the fixed header of a common file type), and the 12-byte encryption header contains a check byte that lets a cracker reject a wrong password almost immediately, which makes password guessing cheap. According to a security expert's test, files encrypted with ZipCrypto can be cracked with readily available software even on PCs released five or six years ago. Note also that, whichever cipher is chosen, the ZIP format stores file names, sizes and checksums unencrypted in its central directory, so a password-protected ZIP still reveals what it contains.
Antivirus software is bypassed
The third problem is that antivirus software is bypassed. If a file infected with malware is packed into a password-protected ZIP file, a mail gateway or antivirus product cannot inspect the encrypted contents and may let the malware through. The only metadata such a product can still act on is what the ZIP format leaves in the clear, namely the entry names and sizes, which is enough to block obviously executable attachments but not to detect a malicious document.
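The two points above, the weakness of ZipCrypto and the metadata a gateway can still see, are easiest to understand with the format in hand. The following is an added example, not code from the article or from any product it mentions: it builds a ZipCrypto-encrypted archive from scratch (the cipher is small enough to write out in full), checks that Python's standard `zipfile` module decrypts it, and then shows what someone holding only the archive, without the password, can read from the central directory and how a gateway could apply a file-name policy to it. The file name, contents and password are constructed sample data, and the list of "risky" extensions is an assumption for illustration.

```python
"""Added example: hand-build a ZipCrypto ("Traditional PKWARE Encryption") ZIP,
then show what an observer without the password can still read and act on.
Not the article's code; sample file name, contents and password are constructed."""
import io
import struct
import zipfile
import zlib

# CRC-32 lookup table; the same table Python's zipfile builds for ZipCrypto.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


class ZipCryptoStream:
    """Key schedule and byte-wise encryptor of Traditional PKWARE Encryption.

    The entire secret state is three 32-bit words (96 bits) seeded only from
    the password, which is why the scheme falls to known-plaintext attacks.
    """

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRCTAB[(self.k0 ^ b) & 0xFF]
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRCTAB[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key stream advances on the plaintext byte
        return bytes(out)


def build_zipcrypto_zip(name: str, plaintext: bytes, password: bytes) -> bytes:
    """Write a one-entry, uncompressed (STORED), ZipCrypto-encrypted ZIP archive."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus the CRC's high byte. An
    # extractor decrypts it first and uses that last byte to reject a wrong
    # password instantly, which is exactly what makes brute force cheap.
    body = ZipCryptoStream(password).encrypt(bytes(11) + bytes([crc >> 24]) + plaintext)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x0021  # flag bit 0 = encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(plaintext),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def inspect_without_password(zip_bytes: bytes) -> list:
    """Everything the central directory reveals to someone holding only the
    archive: names, sizes and CRCs are never encrypted, whichever cipher is used."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for zi in zf.infolist():
            if not zi.flag_bits & 0x0001:
                scheme = "none"
            elif zi.compress_type == 99:        # WinZip AE-x marker method
                scheme = "AES (WinZip AE-x)"
            elif zi.flag_bits & 0x0040:         # PKWARE strong encryption flag
                scheme = "PKWARE strong encryption"
            else:
                scheme = "ZipCrypto"
            rows.append({"name": zi.filename, "size": zi.file_size,
                         "crc32": zi.CRC, "encryption": scheme})
    return rows


# Assumed policy list for illustration; a real gateway would use its own.
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".lnk", ".docm", ".xlsm")


def gateway_verdict(zip_bytes: bytes) -> str:
    """A rule a mail gateway can apply even though it cannot scan the contents:
    quarantine encrypted entries whose visible file name is an executable type."""
    for row in inspect_without_password(zip_bytes):
        if row["encryption"] != "none" and row["name"].lower().endswith(RISKY_SUFFIXES):
            return "quarantine"
    return "deliver"


def open_with_password(zip_bytes: bytes, name: str, password: bytes):
    """Decrypt one entry with Python's built-in ZipCrypto support; None if rejected."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            return None


# Constructed sample data, not taken from the article.
SAMPLE_PASSWORD = b"Kaigi2021!"
SAMPLE_PLAINTEXT = b"Confidential: Q3 pricing sheet"

if __name__ == "__main__":
    archive = build_zipcrypto_zip("quote.txt", SAMPLE_PLAINTEXT, SAMPLE_PASSWORD)
    for row in inspect_without_password(archive):
        print(row)  # name, size and CRC are readable without any password
    print(gateway_verdict(build_zipcrypto_zip("invoice.exe", b"MZ\x90\x00", SAMPLE_PASSWORD)))
    print(open_with_password(archive, "quote.txt", SAMPLE_PASSWORD))
```

The round trip through `zipfile.read(..., pwd=...)` confirms the hand-written cipher is the real ZipCrypto, and `inspect_without_password` is the same view a gateway or a curious intermediary gets: it can tell which cipher was used and what the files are called, but nothing about their contents, so the gateway rule above can stop an encrypted `.exe` while an encrypted macro document with an innocuous name passes through untouched.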
The biggest problem is the belief that "measures have been taken"
The real problem with PPAP is that users come to believe that "security measures are sufficient". There is even server software that automates PPAP: when an employee sends an email with an attachment, it encrypts every attachment before sending and automatically sends the password notification email. Many companies have introduced such software as part of their security measures.
They may introduce it hoping to buy peace of mind, but in reality what they get is a hollow sense of satisfaction that "we are working on security measures as a company".
If you genuinely want to ensure security, you should promptly consider alternatives such as stopping PPAP and exchanging files through online storage. Even after a company stops using PPAP, however, emails with attached files will keep arriving from business partners who are not yet aware of the problem. In the end, raising the security level of each endpoint, in other words implementing measures that actually work, is the top priority for a company protecting itself from these threats.
Preventing malware infection in the first place
The countermeasure HP Japan proposes is therefore a "real-time threat isolation" function that opens content inside a micro virtual machine, where any malware it carries can be contained and deleted. It is software that protects the device when end users do risky things such as clicking URLs that lead to malicious websites, downloading malicious files, or opening malware attached to received emails.
With this "real-time threat isolation" function, the end user enters the password and extracts the password-protected ZIP file directly inside the micro virtual machine. So even when a mail gateway product or antivirus product cannot inspect the password-protected ZIP file and misses it, the file can still be opened safely.
The memory of the micro virtual machine is isolated from the PC itself using the hardware's virtualization support, so even if malware runs, it does not affect the PC. And if malware does run inside the micro virtual machine, discarding the virtual machine discards the malware with it, so there is no need to worry about anything remaining on the PC.
Beyond the "real-time threat isolation" function, HP Japan offers a dashboard that shows the protection status of each device at a glance, and a monitoring service by HP security experts that notifies and reports by email, with details, as soon as a serious threat is found on a PC. These are packaged together as the HP Wolf Pro Security Service.
From the end user's point of view, a high security level is maintained even while using the PC as usual without thinking about security; from the administrator's point of view, the system can be operated without specialist knowledge, greatly reducing the man-hours spent on security measures.
Endpoint protection is important in the age of telework
With the spread of the new coronavirus, many companies have shifted to telework. As a result, the shape of corporate networks has changed significantly.
Traditionally, focusing on protecting the network inside the company was a reasonable measure. Now that telework and remote work have spread in earnest, employees connect to the corporate network from home PCs through VPNs. A company must consider every possibility: an employee clicks a malicious link over their home internet connection outside working hours, the PC is infected with malware, it then connects to the company network over the VPN, and the infection spreads from there. In other words, a PC used for business needs its security ensured at all times, not only while it is on the office network.
Because we are in a new normal with diverse working environments, why not consider a security solution such as "HP Wolf Pro Security Service" to strengthen protection starting from the endpoints?