
Email security best practices to reduce information theft risk

Information Security


By Damien Ramé

As the messaging and communication landscape has evolved over the years, new communication channels have appeared and, with them, new threats. What used to be a simple mail server configuration handled by local administrators has become an industry of its own, requiring specific skills and expertise. Spammers use sophisticated techniques to lure end users. Information theft turned into a trillion dollar industry in 2009 and is an issue that still isn’t addressed properly by the majority of organizations, which focus on protecting their customers’ data before securing their own.

Modern email security solutions help address many of these issues, but email and IT administrators are sometimes left in the dark by vendors focused solely on profit and cost cutting in an over-commoditized market. This article presents a few tips and features to apply in order to improve the security of a business’s email communication systems.

Pay attention to your IP reputation
A large portion of spam – as much as 80% – is sent by a few botnet masters nowadays. These botnets are networks of millions of compromised hosts across the planet, each sending whatever spam the botnet master programs and orders it to send. Because computers are constantly being newly infected and cleaned, these virtual entities are an ever-changing group of IP addresses and are thus very hard to identify and block properly.

To counter the botnets, email security vendors have been using DNSBL systems and have more recently developed enhanced Sender Reputation Systems, which monitor and rate all IP addresses in real time based on their email activity (legit mail or spam). Messages sent from sources with a poor reputation are then automatically rejected by mail systems.

IT administrators have to monitor their IP reputation and DNSBL status, even more so if one of their end users’ computers has been infected and started transmitting malware or spam, or if an email server on their network was improperly set up and has been used as an open relay. After the problem has been fixed, administrators should contact the organization that blacklisted their IP and work with them to get the issue resolved and the IP removed from the blacklist.
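An added example (not part of the original article) of what a DNSBL check actually does on the wire, so an administrator can script a status check for their own outbound IPs. It builds the reversed-label query name for both IPv4 and IPv6 and interprets the 127.0.0.0/8 answer convention; the zone name and the resolver are constructed placeholders, not a real list.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Placeholder zone for illustration; substitute the DNSBL your gateway actually uses.
DNSBL_ZONE = "dnsbl.example"

def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the name an MTA looks up to check `ip` against a DNSBL zone.

    IPv4: octets reversed          (1.2.3.4     -> 4.3.2.1.<zone>)
    IPv6: all 32 nibbles reversed  (2001:db8::1 -> 1.0.0. ... .2.<zone>)
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def dnsbl_listing(ip: str, resolve: Callable[[str], Iterable[str]],
                  zone: str = DNSBL_ZONE) -> Optional[str]:
    """Return the listing code if `ip` is listed, else None.

    A DNSBL answers a listed query with an address in 127.0.0.0/8; the low
    octets are list-specific reason codes. No answer (NXDOMAIN) means clean.
    `resolve` is injected (name -> A records) so the check runs offline here;
    in production wrap your real DNS client.
    """
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.ip_address(answer) in listed_range:
            return answer
    return None

# Constructed stand-in for DNS: only 1.2.3.4 is listed, with reason code 127.0.0.2.
_FAKE_DNS = {"4.3.2.1." + DNSBL_ZONE: ["127.0.0.2"]}

def fake_resolve(name: str) -> Iterable[str]:
    return _FAKE_DNS.get(name, [])
```

Run the same lookup against every IP that sends mail for your domain; a 127.0.0.x answer for your gateway is the signal to start the clean-up and delisting process described above.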

Careful about that MX record for backup mail servers
Many organizations need a backup mail server so that email keeps flowing in the event of a server failure. To cut costs, some IT administrators build a mail infrastructure with a single email security gateway sitting in front of the mail server.

While this is adequate for smaller setups, too many IT departments make the mistake of declaring the unprotected backup mail server in the secondary MX record (MX Pref 50) in case the gateway (primary, MX Pref 10) fails.

Spammers are well aware of this bad practice and will often target the server defined as the secondary MX. As a result, the entire infrastructure becomes useless: only legit mail goes to the gateway (since standards-compliant mail transports try the most preferred MX server available first, i.e. the one with the lowest MX Pref value), while spam and malware bypass the email security protections and reach the mail server directly.

Corporate security managers looking for high-availability, fully redundant secure email infrastructures should instead insist on getting adequate professional advice from their email security vendor. For example, a typical blockade deployment involves a load balancer distributing the email stream to two (or more) gateways, all set as primary mail servers (MX Pref 10). The gateways synchronize their settings and quarantine through a NAS and a SQL database and deliver secured email to one (or more) protected mail servers.
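An added audit script (not from the original article) that parses zone-file style MX lines and flags any MX host that is not one of the security gateways, which is exactly the exposed secondary MX the text warns about. The zone records and gateway names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value = tried first by sending MTAs (RFC 5321)
    host: str

_MX_LINE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+)\s*$", re.IGNORECASE)

def parse_mx_lines(lines: Iterable[str]) -> List[MXRecord]:
    """Parse lines such as 'example.com. 3600 IN MX 10 gw.example.com.'"""
    records = []
    for line in lines:
        m = _MX_LINE.match(line.strip())
        if m:
            records.append(MXRecord(int(m.group(1)), m.group(2).rstrip(".").lower()))
    return records

def audit_mx(records: List[MXRecord], gateways: Iterable[str]) -> List[str]:
    """Flag every MX host that is not a security gateway.

    Well-behaved MTAs try the lowest preference value first, but a spammer can
    deliver straight to any listed host, so an unprotected backup at pref 50
    bypasses the gateway at pref 10. Returns findings; an empty list means sound.
    """
    protected = {g.rstrip(".").lower() for g in gateways}
    ordered = sorted(records, key=lambda r: r.preference)
    findings = []
    for rec in ordered:
        if rec.host not in protected:
            role = "primary" if rec.preference == ordered[0].preference else "backup"
            findings.append(f"{role} MX {rec.host} (pref {rec.preference}) bypasses the gateway")
    return findings

# Constructed zones. FLAWED_ZONE is the layout the text warns about; SOUND_ZONE is
# the dual-gateway layout with both gateways at equal preference behind a balancer.
FLAWED_ZONE = [
    "example.com. 3600 IN MX 10 gw.example.com.",
    "example.com. 3600 IN MX 50 mail.example.com.",   # unprotected mail server
]
SOUND_ZONE = [
    "example.com. 3600 IN MX 10 gw1.example.com.",
    "example.com. 3600 IN MX 10 gw2.example.com.",
]
GATEWAYS = {"gw.example.com", "gw1.example.com", "gw2.example.com"}
```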

Be wary of your users’ white-lists
One of the oldest and most common methods for spammers to get through spam filters is white-listed address spoofing. After supplying proper envelope data (the SMTP MAIL FROM), the spammer forges the sender identity inside the message itself, in the From header that the user and many filters see.

By using the recipient’s own email address as the From address, they get through the filters of end users who have white-listed their own email address. Modern email security solutions automatically prevent users from white-listing their own email addresses, system-wide, but email administrators using older systems should pay attention and inform their end users about this possible backdoor.
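An added example (not the article's or any vendor's code) of the check a gateway can apply before honouring a personal white-list: never let the recipient's own address act as a white-list entry, and require the header From and the envelope sender to agree. The messages and addresses are constructed for the example; the rule itself is an assumption chosen to illustrate the defence.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Set, Tuple

def whitelist_applies(raw_message: str, envelope_from: str, recipient: str,
                      whitelist: Set[str]) -> Tuple[bool, str]:
    """Decide whether the recipient's personal white-list may exempt a message.

    Defensive rule (an assumption for this example, not a vendor's logic):
      1. an address equal to the recipient never white-lists anything, so a
         forged From: <recipient> gains nothing;
      2. the header From and the envelope (MAIL FROM) sender must agree, so a
         spoofed header alone cannot claim a trusted identity;
      3. only then is the white-list consulted.
    Rule 2 is strict: mail relayed through forwarders or lists is not exempted,
    it simply goes through normal filtering.
    """
    msg = message_from_string(raw_message)
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    env_from = envelope_from.strip().lower()
    rcpt = recipient.strip().lower()
    trusted = {w.strip().lower() for w in whitelist}

    if rcpt in (header_from, env_from):
        return False, "sender claims to be the recipient; white-list ignored"
    if header_from != env_from:
        return False, f"header From {header_from} does not match envelope sender {env_from}"
    if header_from in trusted:
        return True, f"{header_from} is white-listed on both envelope and header"
    return False, "sender not white-listed; normal filtering applies"

# Constructed messages: one spoofing the recipient, one from a genuine partner.
SPOOFED = """From: Alice <alice@example.com>
To: alice@example.com
Subject: Your account

Please open the attached invoice.
"""
LEGIT = """From: Bob <bob@partner.example>
To: alice@example.com
Subject: Contract draft

Draft attached as discussed.
"""
```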

Block all EXEs by default
All .exe files should be blocked, and the reason is simple. First, the majority of phishing attempts with drive-by downloads try to entice end users into downloading and running .exe files. Second, all malware (viruses, worms) are executables, and the most common type of executable in a Windows-based environment is the .exe file. Couple these two facts with Windows’ default-permit behavior in terms of security and privileges, and these threats gain access to the entire computer’s capabilities to act as a key logger, a bot, or a disruptive or destructive agent. To add complexity, Windows does not let administrators easily control and limit the execution of programs. Group policies can be used, but a lot of software expects full control over resources in order to function properly.

In some relatively rare cases, end users need to exchange legit .exe files. When this cannot be avoided, IT administrators should add very strict rules to their email security solution, in a highly controlled manner, to authorize specific executables. In the end, it is a lot faster and easier to manage a global white-list of several dozen authorized executables in the email gateway than complex policies comprising millions of blacklisted malware samples on a system not optimized or designed to handle such permissions.
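An added example (not from the article) of the block-by-default rule with a small allow-list, as a gateway filter would apply it to a MIME message. It goes a step beyond the text: it matches executables by content (the PE "MZ" header) as well as by the .exe extension, so a renamed executable is still caught, and it allow-lists by SHA-256 of the file rather than by name. The message and the fake executable stub are constructed.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from typing import List, Set, Tuple

# Constructed allow-list of SHA-256 digests: the "several dozen" executables the
# business has explicitly approved. Starts empty; see register_allowed_exe.
ALLOWED_EXE_SHA256: Set[str] = set()

def register_allowed_exe(data: bytes) -> str:
    """Approve one specific executable by content hash and return the digest."""
    digest = hashlib.sha256(data).hexdigest()
    ALLOWED_EXE_SHA256.add(digest)
    return digest

def is_windows_executable(data: bytes, filename: str) -> bool:
    """Match by extension OR by content: every PE file (exe, dll, scr, ...) starts
    with 'MZ', so renaming payload.exe to report.txt does not evade the rule."""
    return filename.lower().endswith(".exe") or data[:2] == b"MZ"

def attachment_verdicts(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, 'allow' | 'block') for each attachment of a MIME message."""
    msg = message_from_bytes(raw)
    verdicts = []
    for part in msg.walk():
        name = part.get_filename()
        if part.get_content_maintype() == "multipart" or not name:
            continue
        data = part.get_payload(decode=True) or b""
        if is_windows_executable(data, name):
            digest = hashlib.sha256(data).hexdigest()
            verdicts.append((name, "allow" if digest in ALLOWED_EXE_SHA256 else "block"))
        else:
            verdicts.append((name, "allow"))
    return verdicts

# Constructed sample: a fake PE stub renamed to look like text, plus a real text file.
FAKE_PE = b"MZ\x90\x00" + b"constructed-stub-not-a-real-program"

def build_sample_message() -> bytes:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "it@example.com", "user@example.com", "Files"
    msg.set_content("See attachments.")
    msg.add_attachment(FAKE_PE, maintype="application", subtype="octet-stream", filename="report.txt")
    msg.add_attachment("quarterly numbers", filename="notes.txt")
    return bytes(msg)
```

Archives are not inspected here; a production filter would also unpack .zip attachments before applying the same verdict to their contents.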

Protect your company with policy management
Inbound and outbound filtering of electronic threats is not enough. The Forrester Research Group indicates that “Corporate Secrets comprise two-thirds of the value of firms’ information portfolios”. Yet organizations focus their budgets solely on compliance (protection of customer information) rather than information security. Employee theft and data leakage are extremely costly to businesses, both in dollars and in reputation, and email is a medium through which a lot of it happens regularly.

In a recent case, a corporate lawyer at Meraas Capital in Dubai was accused of industrial espionage after allegedly revealing inside information about the company to a competitor through email. A few years ago, a scandal shook the Formula 1 world when emails between McLaren’s chief designer and a Ferrari mechanic were leaked, showing hundreds of technical data exchanges and eventually leading to a $100M fine for McLaren.

In its May 2010 report, the Radicati Group indicates that these data leakage and policy management solutions are “often easier (and less expensive) to acquire from an archiving or e-mail security vendor as an add-on to an existing solution”. Furthermore, the group’s study shows that, in order to be effective, the solutions must scan both incoming and outgoing messages and attachments and provide comprehensive message handling, including: quarantine, forwarding to specific policy officers, warning, rejecting, delivering and encrypting.

The Pareto principle (also known as the law of the vital few or the principle of factor sparsity) states that, for many events, roughly 80% of the effects come from 20% of the causes. This is especially true for security, and it implies that IT administrators have to pay attention to the smallest details in order to avoid increased risk from that 20%. This in turn means that they have to keep informed on the latest technologies, tools, techniques, threats and risks in order to combat them effectively. Furthermore, information security is no longer a field specific to the IT department. It now encompasses various levels of confidentiality and privacy and involves most of an organization’s functional units, such as Finance, Sales, Marketing, Product Management and senior management.

Risk management security programs define the 3P method as a way to reduce risk when dealing with human factors: Prevention, Protection and Punishment. Inbound and outbound email content filtering solutions have to implement these 3Ps by protecting organizations’ secrets against leakage of personal, financial or proprietary information through email, controlling what content can and cannot leave or enter the local system using predefined rules or department-specific moderators, and keeping a trace of what is being sent and received.

Damien Ramé is Marketing Manager at Vircom Email Security.
