August 2001 - Cover Story
Email Security: Dangerous Waters Ahead
by Illena Armstrong
About 50 years have passed since the first computer was invented. Known as the UNIVAC, short for universal automatic computer, the world’s earliest commercial machine was far from the personal computers used around the globe today. The success of the eight-ton behemoth nevertheless set in motion the corporate world’s dependence on technology and its current heavy reliance on email.
Even though some experts liken today’s computer era to the navigation of dangerous and uncharted waters during the days of Columbus, about 90 percent of any company’s intellectual capital, that is, their inventions or concepts, can be found in digital format, says Jeff Wyne, vice president of marketing for Atabok. Of that, 45 percent of those corporate ideas are stored in an organization’s email system at any given time.
According to Jeff Smith, CEO of Tumbleweed, about eight billion email
messages buzz across Internet waves. One of the more serious problems for
enterprises [is determining] how you manage the most pervasive forms of
communications. You can’t turn it off.
Despite the vast amount of sensitive intellectual data floating around an
organization’s email system and over other untrusted networks, many
companies fail to take proper security measures. Email has become the main
entry point for viruses, spam and frequent breaches of privacy.
Email is the single largest unprotected application that exists in the
corporate world today. Proprietary and confidential communication regarding
sales and financial figures, contract negotiations, business plans, legal
matters, medical records and operational issues are crisscrossing the
world’s email systems daily, says Steve Gersten, senior vice president of
sales and marketing for ZixIt. The message can be easily intercepted, read
and altered. As a result, business transactions, proprietary corporate
information and people’s privacy can be compromised.
While corporations are beginning to understand the endless security risks
associated with email usage, many are preoccupied with e-commerce and
network security because of the speedy escalation of e-business. Currently,
we see three challenges that inhibit the wide acceptance of secure email,
says Gersten:
• Lack of perceived need. Most people believe that their email messages
are not important enough to secure, but in a corporate environment, valuable
proprietary and sensitive information is sent daily and cybercrime is on the
rise. What the end user may not know is that those emails are susceptible to
four types of attacks: eavesdropping, forgery, denial of origination and
reply. Or, if they know these things they naively believe their company
won’t become a target.
• Lack of interoperable products. There currently is no Internet standard
for secure email. Some believe it will be S/MIME, but this is clearly at
least 10 years in the future. Competing and incompatible standards are
making acceptance of email security products and services slow.
• Ease of use. Until recently, email security products have been
difficult and inconvenient to use. [For instance,] it was not until very
recently that truly easy-to-use encryption products have become available.
Use of email shows no signs of slowing, even with the lax security
precautions permeating the current corporate environment. According to
Report Messaging Online 1999, the approximately 569 million mailboxes that
existed in 1999 will grow to 2.3 billion in 2003, while 1999’s 237 million
email users will increase to 835 million. Growth such as this requires
beefing up of current security practices, says Amy Kessler, GROUP Software’s
general manager and vice president for North America. With email being so
easy to use, she notes that corporate areas of concern will need to address:
• legal liability issues, such as retention of information, sexual
harassment or use of legal disclaimers;
• information security, including protection of intellectual value,
confidentiality and defense against viruses;
• network efficiency, by providing for early detection and prevention of
spam, denial-of-service attacks and junk mail.
The sharing of information is so much threaded throughout a corporation
that you must be thinking of security in different realms. It is not an IT
issue solely. It is very much going into the business as a whole. It only
takes one small little breach to cost a company tens, even hundreds of
thousands of dollars.
Navigating Turbulent Waters
As one of the main forms of communication these days, if not the main one,
email has a huge load to bear. An organization must keep its email system
productive and efficient. Though these deeds sound simple enough, the steps
needed to set them in motion can be fraught with problems that demand
ongoing dedication.
Keeping the email system productive means making sure we protect the
system’s integrity. In the past 12 months, we’ve seen visual basic script
(VBS) type worms wreak havoc on corporate email systems, says Steve
Gottwals, director of product marketing for F-Secure Inc. Starting with
LoveLetter, there have been many variations to this theme (AnnaKournikova,
HomePage, etc.), and email has been the prime vehicle for distribution.
Since VBS worms, whether carrying destructive payloads or not, automatically
emailed all contacts in certain databases, email servers became overwhelmed.
In these cases productivity was often lost, Gottwals explains.
In terms of efficiency, that’s where we start talking about spam, he adds.
Yes, it’s a problem that has spawned a new class of security solutions:
content filtering solutions. In fact, we are finding many customers looking
for a combined approach to the problem: anti-virus plus filtering.
A layered anti-virus solution that includes anti-virus scanning at the
gateway, as well as laptop, desktop or handheld anti-virus protection, plus
content filtering mechanisms, is a sound way to go. And while many
corporations are enlisting such tools, anti-virus devices are too frequently
installed after a costly infiltration, says Adrienne MacDonald, public
relations manager with Panda Software U.S. Still other organizations
erroneously think that by installing a firewall they can avoid all types of
attacks.
A good security system should combine several elements. On the one hand, a
good anti-virus product should be installed throughout the corporate network
to protect all of the entry-points used by viruses. This means that the
network administrator not only has to install the anti-virus product, but
also configure it correctly and ensure that it is kept up to date, she
says. However, in order to facilitate this task, a correct and adequate
policy must be established for filtering contents and controlling spam.
Finally, all network users must have basic awareness of computer security.
Here you can see the need for regular courses about this topic for the
company staff.
Foremost on the minds of executives should be the goals of protecting their
digital assets from unauthorized access, reducing or attempting to fully
eliminate liabilities that can arise from disclosing private
client/corporate data, and preventing the sending of offensive email, says
Jahan Moreh, chief security architect of Sigaba. Addressing the problems
associated with email usage, like viruses, spam or breach of information
involves a number of different steps, adds Moreh, yet all involve the
development of sound policy.
To tackle the problem of viruses, Moreh advises educating users and
maintaining constant awareness programs, while also deploying appropriate
security solutions and proactively monitoring alerts and warnings from
various professional organizations. Email security overall, further explains
Moreh, involves the creation of strong policy, concise communication of this
policy to all users, and employment of easy-to-use tools that comply with
the policy.
Building the Foundation
All security controls begin and end with policy development. Provisions for
securing email are no different.
A good comprehensive policy includes ensuring that the entire company is
using a standardized email package and is also keeping all servers, virus
protection signatures and email programs up to date with the latest security
patches and/or service packs, states Robert Vega, vice president of
technical services for Cyber-Ark Software Ltd. A company should also
develop both a user policy and a security awareness program.
Such a policy, says Vega, may, for instance, prohibit users from sending or
receiving emails that are unrelated to business. Jokes, chain letters or
family pictures should originate from and go to personal mailboxes, not an
employer’s. The required awareness program could be broken into training
sessions led by security experts or dissemination of educational materials
that review security issues.
Baltimore’s Brian Hansford, senior product marketing manager, concurs that
email security entails establishment of policy, education and enforcement.
As part of the solutions side, companies will need strong anti-virus at the
gateway, a properly configured firewall and content scanning of file types,
certain images, profanity, confidential data and more. Most importantly, IT
staff and other business units cannot work in a vacuum when trying to
address email security and usage issues. I think it’s really important to
have cross-functional groups working together, he says. If human resources
thinks porn is being distributed, they must work collaboratively with IT to
establish [appropriate] policy and tools.
Tasking employees with signing a written document that outlines acceptable
email usage may be a good idea, too, adds Melissa Zieger, marketing
communications manager for Switzerland-based UPAQ Ltd. Companies realize
that they can’t expect employees to never use the web or email for personal
reasons, but if they have clear definitions of what is acceptable, then they
can enforce the policy when it is violated, she says. In this way, there
is no question of employees not understanding the rules.
Management must show and enforce email usage policy. As a predominantly
business issue, IT staff cannot be the sole executors of policy. Having a
strong policy in effect and effectively communicating that policy is the
number one step to safeguarding a corporate email system, says Henk Tobias,
chair of the European Forum for Electronic Business (EEMA) and global
infrastructure organization technology manager for Unilever.
The EEMA user interest group has drafted three documents to guide
organizations in implementing email usage policies. These documents detail
strategies for covering three important areas of electronic communications:
email best practice policy, acceptable computer usage policy and
confidentiality issues. Suggestions for building a comprehensive email
policy highlight possible components for acceptable use, prohibited
material, specific rules, message retention, tips for sending and replying
to email and much more.
While accounting for these specific areas is inordinately important, where
and how these policies are placed so as not to over-burden the system are
just as imperative, says Tom Buoniello, vice president of product management
of Sybari.
It just isn’t viruses. What do they want to allow out of the organization
and what do they want to flow within the organization? he asks. Finding the
most appropriate tools to address this need is no simple task, as companies
cannot act as the proverbial Big Brother 100 percent of the time, he says.
Companies don’t want to preclude emails that would [cover topics discussed]
around the water cooler. Because the company owns that system, they do
have the right to look at all those emails. Again, it comes back to
awareness and making employees understand.
Because this is one of the trickiest aspects of email security, says Pete
Privateer, president of Pelican Security, Inc., companies must always strive
for a defense in depth approach.
Organizations will continue to wrestle with the legal aspects of email. Are
they company property or are they private communications? At the very least,
management must establish a formal policy for the use of email, he states.
They must explicitly state that email should be used for business purpose
only and explicitly state what types of email or email attachments will not
be allowed, [such as] hate speech, sending confidential information out of
the company, inappropriate jokes, pornography, etc.
Other Threats in the Sea
Wireless communication, increased reliance on web-based email within
corporate walls, privacy mandates and still other trends will all impact the
future of email.
For example, when employees use their browsers to access web-based email
accounts that are outside of the corporation’s control, the firewall views
these connections as normal web traffic, says F-Secure’s Gottwals. Another
concern, adds Gottwals, is the wireless always-on situation, which would
allow a virus outbreak to spread even more rapidly to those devices that are
never powered off.
Most IT personnel are unaware of the true level of the threat that email
represents and they don’t have the right information to make the proper risk
assessment of the level of protection that their current software gives,
maintains Alex Shipp, chief anti-virus specialist with MessageLabs. For
instance, he adds that viruses are coming from all sorts of sources, whether
they are home users or Fortune 100 companies.
Add to this the current environment of increasing pressure from regulatory
statutes and business units to keep data safe and IT staff and top-level
managers will have their hands full, says Sigaba’s Moreh. The challenge for
the IT staff is to provide or use tools that simultaneously satisfy security
requirements and ease-of-use requirements.
To meet this end, Robert Vibert, anti-malware researcher and solution
architect with Segura Solutions Inc., notes that IT managers should keep in
mind some issues that may become even more troublesome in the future. Some
of these include:
• Increasing volume, both in the number of messages and the size of email
attachments received. This will put a greater strain on the email
infrastructure.
• Delays to the timely delivery of messages caused by increased filtering
requirements.
• The increased use of random attachment filenames to defeat filtering
systems.
• The increased use of encryption to defeat virus scanners, many of which
will fail to warn that the scan of these files was not effected.
• Increased use of multiple payloads. For example, an email worm that
contains a trojan horse for network penetration and a virus for data
destruction.
F-Secure’s Gottwals notes that another issue to think about falls into the
realm of mobility. As we move into the wireless world, spam will be a much
bigger issue, he explains. Clogging up our little screens with junk,
especially if things take time to download, will be very unwelcome and
create an inefficient environment.
To address this and other current and potential issues, Tom Geller, director
of SpamCon, recommends that organizations establish comprehensive
educational programs and insist upon good email practices in their
employees. I believe that email is a highly efficient communications medium
if used right, but an endless time and security problem when used wrong.
And whatever the computer system being used, contends Jonathan Joseph,
project manager, virus protection plan/anti-virus, for Gordano Ltd. in the
U.K., security must be a major undertaking for any organization deploying or
upgrading an email system.
In general, we recommend that companies should look at a diversity of
platforms and avoid excessive homogeneity. Protection of mail systems from
virus and spam attacks should really be performed at the mail server level,
Joseph says. Many mail systems have anti-virus and anti-spam mechanisms
added as an afterthought, rather than being an integral part of the system.
These will never be as effective as having an architecture that embraces
such capabilities. Diversity of OS, application and platform can
considerably reduce exposure.
And, contends David Banes, SARC regional manager Asia Pacific for Symantec,
the use of automated email content filtering software is another way to help
create a productive, safe Internet environment for all employees. He points
out that not only can email content filtering solutions prevent email
messages that are labeled ‘confidential’ from going outside the company’s
network, it can also be used to control and trace email traffic. Email
monitoring shows courts that an enterprise has made a reasonable attempt to
enforce email and Internet policies, he says. Email policies, along with
email content monitoring solutions, help IT to manage email content
effectively and efficiently.
With email being the most frequently used application today and usually the
least secured, hackers can easily get their hands on confidential data,
warns UPAQ’s Zieger. And no company, large or small, can afford that kind
of security breach. Companies, therefore, must have a proactive approach to
security and not a reactive one.
Being proactive is not a one-step process, reminds Panda’s MacDonald. IT
managers will need to stay up-to-date on the latest innovations in security
software and hardware solutions and keep abreast of the countless security
risks.
The rest of the network users also play a very important role. They must
understand that it is everyone’s responsibility and not just the
responsibility of the technicians, she states. If a suspicious file is
received, it is necessary to inform the person responsible. Similarly, they
must be aware that email and the Internet are work tools and should be used
as such.
Email’s Weakest Links
by Marcella Mazzucca
While many organizations are dealing with security issues by instituting
software solutions as a method of prevention, they are forgetting about the
‘big issues.’ However, by outlining possible risk points and methods
associated with prevention, organizations can stay ahead of the security
game.
* Educate employees about security and their role in the prevention of
security breaches.
* Analyze your network infrastructure and possible intrusion points.
* Institute third-party tools and software packages that fit your
infrastructure and support policy enablement and content-management.
Security begins with the employee. Many of the attacks taking place today
feed on employees and their lack of knowledge about security. Security
should be a critical part of the employee education process. Employees
should understand the different methods of intrusion, what security risks
they may be presented with, and how to eliminate the chance for intrusion.
Existing security infrastructures must be severely scrutinized in order to
prevent the infiltration of viruses and hacker intrusions into corporate
networks. In addition, a well-documented security procedures plan should be
developed.
Corporations are particularly at risk with the use of collaborative
messaging platforms and active use of email. Email is the preferred method
of communication, especially for the exchange of documents and files, making
it a virtual breeding ground for viruses. Having an employee understand more
about the type of files that should be exchanged through email and the ones
that are at the most risk can assist in limiting the transfer of viruses.
By not educating your employees you make your corporate networks vulnerable
to attack, leaving you open to hackers and viruses. One virus could shut
down an organization for days, bringing productivity to a halt. Viruses such
as the Love Bug have caused companies billions of dollars in downtime. And
when Microsoft was hacked it made headlines everywhere, causing companies to
question their open environments.
Even with security policies in place, you cannot simply depend on employees
following procedures to maintain a secure environment. Policy enablement and
content-management are also important methods of dealing with security
breaches.
Policy enablement refers to the analyzing of your network structures and the
identification of possible risk points. By identifying these points, an
organization can then implement restriction processes and limit the access
to sensitive areas by requiring user authentication, passwords, etc.
Content-management is another effective method for the management of email
and content that is being transferred through your messaging servers. Tools
that enable the content-management server to reject unsolicited mail by
certain given criteria, such as file name or type, can be strong allies to
IT managers.
Marcella Mazzucca is director of global marketing for media relations with
Sybari Software, Inc.
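
The sidebar above describes rejecting mail by criteria such as file name or type, and the main article lists random attachment filenames and encrypted attachments that scanners skip without warning. The following is an added example, not code from the article or from any vendor named in it, showing a gateway check that handles both cases; the extension list, verdict names and sample attachments are assumptions constructed for illustration.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Assumed policy values for this example, not taken from the article.
KNOWN_BAD_NAMES = {"invoice.doc.vbs"}          # exact-name list, easily evaded
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".scr", ".pif", ".bat"}
MAGIC = {b"MZ": "executable", b"PK\x03\x04": "zip"}


def naive_name_filter(filename):
    """The weak check: blocks only file names that were seen before."""
    return filename.lower() in KNOWN_BAD_NAMES


def sniff(data):
    """Identify content by leading magic bytes instead of trusting the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_is_encrypted(data):
    """True if any member has general-purpose flag bit 0 (encryption) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return any(info.flag_bits & 0x1 for info in archive.infolist())


def classify(filename, data):
    """Return (verdict, reason); verdict is reject, quarantine or scan."""
    ext = os.path.splitext(filename)[1].lower()   # last suffix: a.txt.vbs -> .vbs
    kind = sniff(data)
    if ext in BLOCKED_EXTENSIONS:
        return "reject", "blocked extension " + ext
    if kind == "executable":
        return "reject", "executable content behind a harmless-looking name"
    if kind == "zip":
        try:
            if zip_is_encrypted(data):
                # Say so explicitly instead of silently passing the file on.
                return "quarantine", "encrypted archive, contents NOT scanned"
        except zipfile.BadZipFile:
            return "quarantine", "unreadable archive, contents NOT scanned"
    return "scan", "pass to anti-virus scanner"


def inspect_message(raw):
    """Classify every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        part.get_filename(): classify(part.get_filename() or "",
                                      part.get_payload(decode=True))
        for part in msg.iter_attachments()
    }


def build_sample_message():
    """Constructed test message; every attachment is harmless sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("figures.txt", "constructed sample")
    # Set the encryption flag by hand to stand in for a password-protected zip.
    flagged = bytearray(buf.getvalue())
    flagged[6] |= 0x01                                  # local file header
    flagged[flagged.rfind(b"PK\x01\x02") + 8] |= 0x01   # central directory

    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "sample"
    msg.set_content("constructed body")
    for name, data in [
        ("kq7x2m.vbs", b"' constructed placeholder script text\r\n"),
        ("holiday.jpg", b"MZ" + b"\x00" * 62),
        ("report.zip", bytes(flagged)),
        ("notes.txt", b"plain text"),
    ]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (verdict, reason) in inspect_message(build_sample_message()).items():
        print(f"{name:12} {verdict:10} {reason}")
```

The exact-name list never matches the randomly named script, while the extension and content checks do; the encrypted archive is held with an explicit "NOT scanned" reason rather than being delivered as if it were clean.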
Email Security? Tough, but Do-able
by Bob Hansmann
It’s no secret that securing all of an organization’s email from worms,
trojan horses, computer viruses and other forms of malicious code is a
daunting task. However, you can eliminate some of the headache of addressing
these threats if you take the time to clearly define the goals of the
security project, carefully choose solutions, and implement sound policies
to keep those solutions effective.
To begin, if you aspire to any level of success, you need to make sure you
understand ‘why’ the email security project must exist. Are there specific
threats that have occurred in the past that you are trying to prevent? Are
there new threats management is concerned with even though you’ve never
experienced them at your organization? Are the threats related to real data
loss, customer confidence issues, hacker agents passing through email, or
simply bandwidth consumption and abuse concerns?
Once you have a firm grasp of what the outcome of the email security effort
should be, you can truly begin to evaluate solutions. You may wish to
consider software-only solutions, or many of the new appliances that are
currently available. Regardless, the software and/or hardware components
should be evaluated for their ability to address the immediate requirements
and their scalability to meet future requirements.
But wait, that’s only half the battle. You defined your problem. You
identified the solution. You put it in place. But one major flaw remains in
the email system that can make all of your efforts useless. Something that
exists in every network and email system. And there is no way to eliminate
it. The human factor.
To minimize the human factor, you must have a security policy in place for
everyone else at the company. Are there certain events or activities they
are required to report to the help desk? Could they be ‘dismissed’ if it is
discovered that they have consciously deactivated the anti-virus software on
their desktop? Are they allowed to receive personal emails through the
company email system? Can they use public browser-based email systems while
at work? Does the company reserve the right to access their email and any
files on their company systems under certain circumstances?
Then it’s just a matter of maintaining the solutions, following the
procedures, and enforcing the policies. Remember, a security project is
never finished. However, if you take the time to do it correctly, it can not
only be an invaluable asset to the company, it can also be a rewarding,
career-building experience. It’s tough, but do-able.
Bob Hansmann is an enterprise product manager with Trend Micro.
The Risk of Outsourcing Email Security
By Noah Groth
Recently, numerous organizations have been evaluating whether or not they
should outsource their email security. That is, they are looking at various
third-party vendors who are promising to manage the encryption,
authentication and digital signing, as well as the actual electronic
transmission, of their organization's email messages.
As with any outsourced services, these secure email services may offer
organizations an opportunity to save money - but there are serious risks.
Reliability of Outsourced Provider
If you outsource email security to a third party, how can you be sure that
its services will be available when you need it?
If a third party's server fails right when your senior management needs to
send an important confidential email message, how do you get the message out
and keep it secure? If the third party's servers are assaulted by a
prolonged or repeated denial-of-service attack, how do your users send
secure transmissions? If the third party either goes out of business or
abandons the business because it is unprofitable, is there another company
ready to take over the service and guarantee continuity of security for your
organization's email messaging?
When you evaluate the outsourcing of so vital a service as email security,
you must keep this reality foremost: Without round-the-clock availability of
the service provider's infrastructure as well as sound system planning and
financial good health, a third-party email security service can pose a
serious liability.
Integrity of the Outsourced Provider's Security Policies and Procedures
In addition to having faith in the service provider's ability to encrypt and
send authenticated messages - on demand - you must also have complete faith
in the third-party's internal security policies and procedures.
At a minimum, the third party should prove its ability to perform the
following:
• limit physical access to the network;
• prevent online access to data on the network;
• scan and contain viruses;
• conduct employee and vendor security screenings;
• provide ongoing security awareness training of employees and vendors.
Typically, these dimensions of security remain within the domain and control
of IT administrators and their organizations.
To ensure continuity of your organization's security practices and
procedures, you must - whenever outsourcing any aspect of your information
security - remember to perform a continuous review of the third-party
provider's security policies and procedures. Further, once you have
performed this review, you either must be satisfied with the third-party
provider's policies or procedures or you must be able to induce the third
party to change its policies and procedures to match your own.
Look Before You Leap
When considering outsourcing, ask yourself: Are you looking to outsource
email management or are you looking to outsource your security? Don't mix up
the two. Outsourcing may save money, but outsourcing creates security risks
that your organization may not be willing to take on.
Look hard at the credentials of those third-party service providers.
• Are they genuine security companies, or are they ISPs or data
management companies that have repackaged their services to capitalize on a
growing need in the marketplace?
• If they don't make the financial returns they'd hoped to make, will
they discontinue their service, change the service (and the level of
security offered) dramatically, or completely disappear?
• Can you really count on them?
Also, ask yourself whether keeping secure email messaging inside your
organization isn't the best policy for you. An internally managed email
security program may be better suited to your organization's information
security requirements. In addition, maintaining an internal system ensures
accountability and control.
Incidentally, you will never be able to avoid creating and maintaining some
form of internal email security program. Because outsourced services
generally focus on protecting messages during transmission, you will need to
establish policies and procedures - and perhaps install encryption
technology - to protect messages and attachments that have been decrypted or
removed from third-party servers.
In conclusion, administrators need to weigh seriously the pros and cons of
outsourcing email management and security. The risks may outweigh the
benefits.
Noah Groth is president of PC Guardian (www.pcguardian.com).