Overcoming Email Insecurity
By Kenneth M. Smith CISSP, GCIH
Principal Security Consultant - Akibia
Networked email became a reality in 1971 when Ray Tomlinson made some modifications to the SNDMSG program used on ARPANET so it could copy a message to another computer across a network. Ever wonder why we use "@" in email messages? You can thank Ray for that.
Internet email is now the most popular form of business communication
that corporations use today. The fact that it's completely insecure
doesn't seem to be that important. It's assumed, for erroneous reasons,
that email messages are a secure means of communicating with someone.
As a result, people routinely exchange sensitive information over
email. Below are just a few examples of how people and organizations
routinely overestimate the security of email.
- A mortgage broker who asks customers to email financial information including social security numbers and bank account information to get the pre-qualification process started. Sometimes these brokers then email back the detailed credit reports to the customer.
- A lawyer who regularly discusses the details of large ongoing
cases with clients via email.
- An IT manager who emails detailed infrastructure and security
information to vendors and contractors.
- A human resources employee who sends spreadsheets to insurance
firms. These spreadsheets include complete details of all employees,
including social security numbers and salary data.
- A 'secure' Web site (using SSL) gathers users' application information,
then in the backend, simply sends it via regular email to the agent
for processing.
Chances are sensitive information about you or your company has been shared, knowingly or unknowingly, through one of the above exchanges. More than likely, you or the person sharing the information never suspected the email exchange was not secure. In reality there are many points within the email architecture where the message could be read, modified, deleted, or forwarded. There is no concept of trusted systems or secure data transfer when it comes to most Internet email.
It's also taken for granted that any message is authentic, untouched, and sent from the person displayed in the 'From:' field. It is very simple to send out a forged or spoofed email message to anyone else in the company, or worse, outside the company. This vulnerability opens organizations up to social
engineering, embarrassment, and potential litigation.
The Solution to Email Insecurity
Corporations need to get on board with addressing these problems and help make email a safe and secure means of business communication. Securing email communications will go a long way towards helping companies meet industry and regulatory requirements.
The easiest thing to do is to not send sensitive information via
email. But if you must, there are plenty of available solutions
and technologies to help increase the integrity and the security
of email. Some examples are:
Simple Password Protection / Encryption:
If more robust technology isn't available, or your organization does not exchange sensitive information very often, then simply password protecting or encrypting the content before sending it via email is an easy solution.
This consists of pasting content into an application that provides
document password or encryption support, assigning a password, then
attaching it to your email. This may sound like a lot of trouble,
but it could be automated using a macro or script. The management
of passwords could become a bit cumbersome. If you find yourself
doing this often, then you probably want to look into one of the
other solutions mentioned.
PGP/MIME end-to-end security:
Pretty Good Privacy (PGP) is a mature solution that uses public key cryptography to secure content and digitally sign messages. This requires that software be installed on each user's system in order to send or receive PGP encrypted messages. The commercial version integrates well with most email applications to provide almost seamless email protection. An open source alternative is GNU Privacy Guard (GPG).
S/MIME end-to-end security:
Digital certificates can be used with most email applications and provide seamless message protection using the certificate support built into the email application itself. There is no need to install additional software on the user's machine. All of today's most popular email applications (Outlook, Lotus Notes, etc.) have digital certificate support built in. In fact, Lotus Notes uses its own digital certificates for user authentication and message encryption within the Notes infrastructure.
Obtaining an X.509 certificate is easy and inexpensive. There are
even a few certificate authorities providing free certificates
for email use. Sending an encrypted message is simple: you just
need the recipient's certificate.
Site-to-site secure email encryption products:
Products exist that act as a security gateway, encrypting messages on the fly as they pass between sites. At a basic level, these products encrypt (and sometimes sign) all mail between two points that have the solution installed. A standards-based open initiative known as S/MIME Gateway aims to popularize this type of mail transfer so that secure transfer can occur between different vendors' solutions.
Web-based client-to-site SSL mail transport solutions:
These types of solutions provide email protection by rerouting sensitive messages to a secure Web server that is usually placed on your company's DMZ network. This server stores the actual message and sends a notice to the recipient that they have a new 'secure' message waiting, and provides them with a URL. The recipient follows the URL, logs in and is presented with an interface where they can read and reply to your email. This all occurs through an SSL protected session.
Site-to-site TLS encryption between mail hosts:
A feature that is supported by many of today's Simple Mail Transfer Protocol (SMTP) systems is Transport Layer Security (TLS). The Extended SMTP command set (ESMTP) provides the STARTTLS verb. If enabled, this lets two SMTP hosts use TLS to transfer mail within an encrypted tunnel.
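An added example, not part of the original article: STARTTLS protects mail only when it is enabled and actually negotiated, so a defender can audit SMTP session logs for transfers that began outside a TLS tunnel. The transcripts, hostnames, addresses and the `audit_session` function below are constructed for illustration.

```python
import re

# Constructed transcripts in the style of an MTA protocol debug log
# (C: client, S: server); hostnames and addresses are placeholders.
TLS_OK = """S: 220 mx.example.net ESMTP
C: EHLO mail.example.com
S: 250-mx.example.net
S: 250 STARTTLS
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO mail.example.com
S: 250 mx.example.net
C: MAIL FROM:<alice@example.com>"""
NOT_OFFERED = """S: 220 mx.example.net ESMTP
C: EHLO mail.example.com
S: 250 mx.example.net
C: MAIL FROM:<alice@example.com>"""
TLS_FAILED = """S: 220 mx.example.net ESMTP
C: EHLO mail.example.com
S: 250-mx.example.net
S: 250 STARTTLS
C: STARTTLS
S: 454 4.7.0 TLS not available
C: MAIL FROM:<alice@example.com>"""

def audit_session(transcript):
    """Report whether MAIL was issued inside or outside a TLS tunnel."""
    offered = pending = tls_active = failed = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "S":
            if re.match(r"250[- ]STARTTLS\b", text, re.I):
                offered = True          # extension advertised in EHLO reply
            elif pending:               # reply to the client's STARTTLS verb
                tls_active = text.startswith("220")
                failed, pending = not tls_active, False
        elif side == "C":
            verb = (text.split() or [""])[0].upper()
            if verb == "STARTTLS":
                pending = True
            elif verb == "MAIL":        # message transfer begins here
                if tls_active:
                    return "encrypted"
                if failed:
                    return "cleartext: STARTTLS failed"
                if offered:
                    return "cleartext: STARTTLS offered but not used"
                return "cleartext: STARTTLS not offered"
    return "no mail transferred"
```

Sessions reported as cleartext are the ones where message content crossed the network unprotected, and they identify the peer hosts whose TLS configuration should be checked first.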
As business and communication demands continue to increase, more
and more will be demanded of our already burdened electronic mail
system. Not only will the volume of mail increase, but more services
(XML over email for example) will use email as their transport mechanism.
Widespread adoption of secure email will mean that eventually users
will expect messages to be digitally signed or encrypted. Anything
that is not signed would be suspect, therefore leading to a reduction
in the amount of successful phishing, malware, and even spam. The
current state of insecurity needs to be addressed if we want our
electronic mail system to continue to be the backbone of corporate
communications.