Securing Your Organization's E-mail
If there's one thing we take for granted all too often, it's the security of our e-mail systems. Within most organizations, all it takes to bring business to a screeching halt is one external hack, one insider breach, one malware outbreak, or one e-mail server crash. All things considered, I can't think of any more critical business application than e-mail. At least it's the one critical application that, when it's not available, gets everyone's attention.
All it takes is one weak link in your network or e-mail environment for corporate correspondence to become fair game to anyone with network access. Not only is e-mail an important business tool; it's a very vulnerable application on the network. E-mail communications can be intercepted and misused by unauthorized people.
These issues put business confidentiality, liability and compliance in jeopardy. Your security department personnel need to be aware of them. After all, e-mail is a technology and business tool that falls right in the middle of all the security convergence changes that are taking place today.
There are literally hundreds of ways for someone to take advantage of your e-mail system, but I seem to come across the same issues year after year.
Weakness 1: Password Theft
I used Cain & Abel in an internal vulnerability assessment, and I was able to quickly glean more than 300 passwords off the network, many of which were being used for e-mail access. Most of the other passwords discovered would likely provide access into users' e-mail as well, given that most people use the same password across multiple systems. This same type of exploit can be executed even more quickly if there's unsecured wireless access on your network.
Weakness 2: Archived Files
Many e-mail administrators deny that all of this sensitive information is being stored on workstations in the form of local e-mail inboxes, archived Outlook files and saved e-mail attachments. Whether it's policy or not, the fact is, users (everyone from customer service reps to executives) are storing sensitive information within their personal work environments, and this leads to serious physical security, data retention and other information exposure issues. This is especially true when someone compromises e-mail passwords as demonstrated above or obtains physical access to the system and cracks the computer's password(s) to get in.
Weakness 3: Unpatched Operating Systems
Once access is established, the attacker has full rights to the computer and any e-mails, passwords or files stored on it, putting your messages and sensitive files at risk.
What to Do
Before your organization starts doing anything, a security assessment of your messaging environment needs to be performed. This will highlight weak systems and processes and show you where you need to focus your efforts. Your internal IT or information security team may be able to perform this assessment, or you may want to bring in an outside expert who can provide a new perspective beyond what the internal team sees day in and day out.
The following tools and processes are essential for locking down your organization's e-mail environment.
Alternatively, for years I've used and recommended managed e-mail security providers such as Singlefin and MessageLabs. Although often not quite as feature-rich as an e-mail firewall that would be installed internally, I like these solutions because they keep the attacks and junk from ever reaching your network and e-mail environment. This frees up Internet access bandwidth, server processing cycles, and network storage. A managed service can also be an important part of your organization's business continuity and disaster recovery efforts, since they can keep receiving e-mails even when your network or Internet connection is down.
The fact of the matter is, encryption can be cumbersome and difficult to implement, much less to manage day to day. The standards bodies and security product vendors have helped simplify things in recent years, and here's what can be done to lock down typical e-mail communications scenarios in the enterprise without too much money and effort.
Server-to-server e-mail communications can be secured using SSL or TLS. These protocols provide authentication and encryption to keep prying eyes away and can often be implemented as part of an e-mail firewall or commercial e-mail server such as Exchange or GroupWise. A VPN can be used to secure server-to-server links. Secure server communications can be established both internally and with key business partners that are willing and able to establish a secure link.
Workstation-to-server communications on the internal network are often trickier because there are so many workstations to secure. The closest thing to a realistic solution is to implement S/MIME or PGP on each workstation. This will require software and/or digital certificates installed on each machine, but it does work well. At a minimum, your IT team could enable one of these security technologies on systems dubbed critical or sensitive, such as those belonging to security personnel, IT personnel, HR personnel, and executives.
Workstation-to-server communications for remote access or external servers can be secured via POP3 over SSL (POP3S), IMAP over SSL (IMAPS), and SMTP over SSL (SMTPS). Most e-mail servers and clients support these protocols, and they're very simple to set up.
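As an added example (not part of the original article), here is one way to find the clients that still send mail passwords without SSL/TLS, so they can be moved to POP3S, IMAPS or SMTPS. The log format (session id, server port, client command) and the sample lines are constructed assumptions, and secrets are assumed to be redacted before the log is written.

```python
# Constructed sample of a mail server's per-session command log.
SAMPLE = """\
s1 110 USER alice
s1 110 PASS <redacted>
s2 110 STLS
s2 110 PASS <redacted>
s3 143 a1 LOGIN carol <redacted>
s4 143 a1 STARTTLS
s4 143 a2 LOGIN dave <redacted>
s5 25 EHLO ws12.example.test
s5 25 AUTH PLAIN <redacted>
s6 995 PASS <redacted>
s7 25 STARTTLS
s7 25 AUTH LOGIN
"""

IMPLICIT_TLS_PORTS = {465, 993, 995}   # SMTPS, IMAPS, POP3S
IMAP_PORTS = {143, 993}                # IMAP commands start with a client tag
UPGRADE_CMDS = {"STLS", "STARTTLS"}    # in-band upgrade to TLS
# SASL mechanisms that transmit the password itself (base64 is not encryption)
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

def cleartext_logins(log_text):
    """Return sorted (session, port, command) for password logins sent without TLS."""
    upgraded, findings = set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[1].isdigit():
            continue
        session, port, words = parts[0], int(parts[1]), parts[2:]
        if port in IMAP_PORTS:
            words = words[1:]          # drop the IMAP tag
        if not words:
            continue
        verb = words[0].upper()
        if verb in UPGRADE_CMDS:
            # Assumption: the upgrade succeeded; the log holds client commands only.
            upgraded.add(session)
        elif port in IMPLICIT_TLS_PORTS or session in upgraded:
            continue                   # credentials travelled inside TLS
        elif verb in ("PASS", "LOGIN"):
            findings.add((session, port, verb))
        elif verb in ("AUTH", "AUTHENTICATE") and len(words) > 1 \
                and words[1].upper() in PASSWORD_MECHS:
            findings.add((session, port, verb + " " + words[1].upper()))
    return sorted(findings)

if __name__ == "__main__":
    for finding in cleartext_logins(SAMPLE):
        print(finding)
```

Each finding is a session whose password crossed the network readable to anyone positioned to capture traffic; the fix is to require SSL/TLS on that listener or disable the cleartext port.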
Web access (i.e., Outlook Web Access, GroupWise WebAccess) for remote users can be secured by simply enabling and requiring HTTP over SSL (HTTPS) on the Web server.
Wireless networks or data centers where e-mails will be transmitted can be enabled with Wi-Fi Protected Access (WPA) pre-shared keys or an enterprise solution based on RADIUS to keep the airwaves secure. It won't prevent a malicious authorized insider from taking advantage of sensitive messages, but it will help keep external attackers at bay.
Hard drive encryption should be used, at a minimum, on laptops and even internal workstations and servers that are vulnerable to theft. This will prevent malicious or even curious unauthorized access to the system and its e-mails in the event of theft or loss.
It's important to note that simple computer password protection isn't enough for this. There are security tools such as the Ophcrack Live CD and Elcomsoft System Recovery that can be used to maliciously crack any and all passwords to provide full access to the system, e-mails, and more.
None of these methods is foolproof or unhackable, but they're all much better than the alternative. Just remember that your organization's employees should never be relied upon to use these security methods when communicating via e-mail. Automating encryption wherever possible is essential for keeping the responsibility out of your users' hands, and it's not an unreasonable expectation when using current technologies.
Change Management Process
Going Beyond Technology
These policies may pertain directly to your messaging systems, but I recommend keeping them as high-level as possible so that other systems and technologies can fall within the scope. This will make your organization's security policies much easier to manage going forward. Also, make sure your organization's ongoing information security assessments and audits include e-mail security testing. This will ensure that new or previously overlooked e-mail weaknesses are discovered using current tools and testing techniques.
About the Author
This article was originally published in the Security Technology & Design magazine. Visit the magazine's Web site at www.SecurityInfoWatch.com.