
Email Security

January 31, 2006


This article describes the security threats that exist in the use of email systems today and what your organization should do about them. These threats originate both from outside and from inside your business network.

The Issue

According to a study by email services provider Postini, the top 5 types of email security threats in 2005 were:

  1. Viruses: Even though IT departments have been battling viruses for many years, they continue to evolve into new and dangerous forms that can cause damage or take control of your computer network.
  2. Spam: The flood of unwanted and unsolicited email continued to rise dramatically in 2005. You might wonder who buys the products advertised through spam, from mortgage refinancing to cheap prescription drugs to sex. Selling products is not spam's only purpose: it is also used to deliver viruses, Trojans, and other malicious software, to mount directory harvest attacks, and to build botnets (networks of compromised computers under the control of hackers or spammers).
  3. Directory Harvest Attacks: Valid email addresses are a valuable commodity among hackers and spammers, and a Directory Harvest Attack (DHA) is a method of identifying them. There are several variations, but most center on sending huge numbers of messages to guessed addresses in a domain. For example, messages could be sent to every possible combination of alphanumeric characters at yourdomain.com. Messages that are bounced identify invalid addresses; those that are not bounced identify valid ones. A variation that is more efficient for the attacker uses a dictionary of common names, sending to ajohnson@yourdomain.com, bjohnson@yourdomain.com, and so on. The effect is that your email server is flooded with useless email and the attacker has identified email addresses within your organization that can be sold to spammers. Any mail server that rejects unknown recipients, whether during the SMTP conversation or with a later bounce, leaks this information, which is why the usual defense is to limit or throttle the number of invalid recipients a single client may try before it is slowed down or disconnected.
  4. Denial of Service (DoS): In an email DoS attack, an organization is denied the effective use of its email system. This can be accomplished by using a botnet to flood the email system with spam or junk email. Spam floods and Directory Harvest Attacks can themselves resemble a DoS attack, and the effect is the same: the corporate email system is rendered unusable or very difficult to use.
  5. Internal Policy Violations: Organizations often fail to acknowledge the great risk of critical confidential data being stolen from within the organization. Employees, in violation of your email policies, can use email to send out intellectual property, confidential corporate information, or information that is protected by Federal regulation such as the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA). In addition, misuse of email can violate corporate HR policies: transmission of illegal, sexually explicit, or confidential internal company communications can result in employee lawsuits or public embarrassment. In some cases, employees use free email systems such as Hotmail or Yahoo to bypass internal controls. Email policy is designed to protect employees from a hostile work environment and to protect the company from the risk of lawsuits and damage to its reputation. Email policy establishes the rule; technology must be used to enforce it.
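The directory harvest attack described in item 3 leaves a distinctive trace in mail-server logs: one client address producing a burst of unknown-recipient rejections. The following is an added example of detecting that pattern, not code from the original article or from any vendor product. It assumes a simple, constructed log format (one line per RCPT TO attempt with the client IP and an accepted/rejected status); the client addresses, recipients and thresholds are all illustrative.

```python
"""Detect a directory harvest attack (DHA) from mail-server log lines.

Added example, not code from the original article. It assumes a simple,
constructed log format in which every RCPT TO attempt is logged with the
client IP and whether the recipient was accepted or rejected; the
thresholds below are illustrative starting points, not vendor defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Assumed format per line:
#   <ISO timestamp> client=<ip> rcpt=<address> status=<accepted|rejected>
# 203.0.113.7 walks a dictionary of names; 198.51.100.20 is a normal sender
# who mistyped one address.
SAMPLE_LOG = """\
2006-01-31T09:00:01 client=203.0.113.7 rcpt=ajohnson@yourdomain.com status=rejected
2006-01-31T09:00:01 client=203.0.113.7 rcpt=bjohnson@yourdomain.com status=rejected
2006-01-31T09:00:02 client=203.0.113.7 rcpt=cjohnson@yourdomain.com status=rejected
2006-01-31T09:00:02 client=203.0.113.7 rcpt=djohnson@yourdomain.com status=accepted
2006-01-31T09:00:03 client=203.0.113.7 rcpt=ejohnson@yourdomain.com status=rejected
2006-01-31T09:00:03 client=203.0.113.7 rcpt=fjohnson@yourdomain.com status=rejected
2006-01-31T09:00:04 client=203.0.113.7 rcpt=gjohnson@yourdomain.com status=rejected
2006-01-31T09:00:05 client=198.51.100.20 rcpt=sales@yourdomain.com status=accepted
2006-01-31T09:00:09 client=198.51.100.20 rcpt=slaes@yourdomain.com status=rejected
2006-01-31T09:30:00 client=203.0.113.7 rcpt=hjohnson@yourdomain.com status=rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) "
    r"status=(?P<status>accepted|rejected)$"
)


def parse_log(text):
    """Yield (timestamp, client_ip, recipient, status); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], m["status"]


def detect_dha(log_text, window=timedelta(minutes=5), min_rejects=5,
               min_reject_ratio=0.6):
    """Return {client_ip: (rejected, attempted)} for clients that look like harvesters.

    A client is flagged if, inside any sliding window of length `window`, it
    produced at least `min_rejects` unknown-recipient rejections and those
    rejections are at least `min_reject_ratio` of its RCPT attempts. The ratio
    keeps a busy but legitimate relay with an occasional typo from being flagged.
    """
    attempts = defaultdict(list)
    for ts, ip, _rcpt, status in parse_log(log_text):
        attempts[ip].append((ts, status))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            in_window = events[start:end + 1]
            rejected = sum(1 for _, s in in_window if s == "rejected")
            if rejected >= min_rejects and rejected / len(in_window) >= min_reject_ratio:
                flagged[ip] = (rejected, len(in_window))
                break
    return flagged


if __name__ == "__main__":
    for ip, (rejected, attempted) in detect_dha(SAMPLE_LOG).items():
        print(f"possible directory harvest from {ip}: "
              f"{rejected} of {attempted} recipients rejected in a 5-minute window")
```

On the constructed log, 203.0.113.7 is flagged with 5 rejections out of 6 attempts while the sender with a single typo is not. The same records also tell you which addresses the attacker has already confirmed (the accepted ones), which is the list that will end up on spam lists; the response at the gateway is to throttle or disconnect a client after a small number of invalid recipients rather than to keep answering every guess.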


In addition, a primary concern for financial institutions and Internet businesses is phishing attacks targeted at the institution's clients. The purpose of a phishing attack is to trick someone into entering their user ID, password, credit card numbers, and other personal information into a bogus website that appears to be a legitimate business website. For a more in-depth discussion of this type of attack, refer to the July 2004 issue of Security Awareness Alert.

These are just a few examples of the types of threats that are evolving on the Internet today. Many organizations give themselves a false sense of security upon installing a network firewall. A firewall is a wise step, but with today's email-borne threats it is not enough: a firewall has to leave the mail port open and does not inspect the content of messages passing through it, so email viruses, Trojans, and worms pass straight through this layer. Even dedicated virus-scanning software does not catch every email-borne virus or attack, since signatures lag behind new variants.

The risks associated with attacks on your email system are not only technical (data loss, downtime, etc.) but can affect your organization’s reputation and client relationships. The consequences of a successful attack on your email system can be damaging and costly. A more robust response is required as email attacks have increased in frequency and sophistication.

Fighting Back

There is growing demand for solutions that prevent the distribution of damaging content and violations of government and industry regulations such as GLBA and HIPAA. Fortunately, there are a number of tools to use against email security risks. In recent years, the majority of effort in this area has been directed towards developing and deploying tools that combat external threats arriving in inbound email: firewalls, virus-scanning software, and inbound content scanning.

Many vendors have risen to the inbound spam and malicious code challenges with a number of highly effective solutions. However, strategies for outbound email are just now becoming commonplace. The vendors you consider must display a clear strategy and capability for addressing both inbound and outbound messaging security.

Outbound Content Compliance (OCC) scans the content of outbound email to make sure that messages conform to the organization's email policy. Often it is legitimately necessary to send confidential information to a business partner or client; for those situations email encryption is the right tool, and an OCC gateway can route such messages through encryption rather than block them.
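As an added example of what an OCC check looks like in practice (not code from the article or from any vendor product), the block below inspects one outgoing message for regulated data and decides whether to deliver it, route it through encryption, or hold it. The detectors (Luhn-validated card numbers, SSN-shaped numbers, a "confidential" marking), the three actions, and the internal and webmail domain lists are all illustrative assumptions; the sample messages are constructed.

```python
"""Outbound Content Compliance (OCC) check for one outgoing message.

Added example, not code from the article or from any vendor product. The
detectors, the policy actions ('deliver', 'encrypt', 'block') and the
domain lists are illustrative assumptions; a real gateway would load its
rules from the organization's written email policy.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "yourdomain.com"              # assumed: the organization's own domain
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}   # assumed: personal webmail the policy forbids

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional space/dash separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum; drops most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_cards(text):
    """Count digit runs that are Luhn-valid, i.e. plausible card numbers."""
    return sum(1 for m in CARD_RE.finditer(text)
               if luhn_ok(re.sub(r"[ -]", "", m.group())))


def scan_text(text):
    """Map detector name -> number of hits (zero-hit detectors omitted)."""
    hits = {"card_number": count_cards(text),
            "ssn": len(SSN_RE.findall(text)),
            "confidential_marking": len(MARKING_RE.findall(text))}
    return {k: v for k, v in hits.items() if v}


def message_text(msg):
    """Concatenate decoded text/plain parts; attachments are out of scope here."""
    return "\n".join(
        (part.get_payload(decode=True) or b"").decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")


def recipient_domains(msg):
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in addrs if "@" in addr}


def occ_decision(raw_message):
    """Return (action, findings) for an outbound message.

    deliver: nothing sensitive found, or every recipient is internal
    encrypt: regulated data to an external business partner -> route via the
             encryption gateway instead of sending in the clear
    block:   regulated data to a personal webmail address -> hold for review
    """
    msg = message_from_string(raw_message)
    findings = scan_text(message_text(msg))
    external = {d for d in recipient_domains(msg) if d != INTERNAL_DOMAIN}
    if not findings or not external:
        return "deliver", findings
    if external & WEBMAIL_DOMAINS:
        return "block", findings
    return "encrypt", findings


# Constructed sample messages (not real mail). 4111 1111 1111 1111 is the
# well-known Luhn-valid test number; 1234 5678 9012 3456 fails the checksum.
TO_PARTNER = """\
From: jdoe@yourdomain.com
To: claims@partnerbank.example
Content-Type: text/plain; charset=utf-8

Per our call, the disputed card is 4111 1111 1111 1111 and the SSN is 123-45-6789.
"""
TO_WEBMAIL = """\
From: jdoe@yourdomain.com
To: jdoe_home@hotmail.com
Content-Type: text/plain; charset=utf-8

CONFIDENTIAL customer list follows; first cardholder 4111 1111 1111 1111.
"""
BENIGN = """\
From: jdoe@yourdomain.com
To: vendor@supplier.example
Content-Type: text/plain; charset=utf-8

Invoice reference 1234 5678 9012 3456 received, thanks.
"""

if __name__ == "__main__":
    for name, raw in (("partner", TO_PARTNER), ("webmail", TO_WEBMAIL), ("benign", BENIGN)):
        print(name, *occ_decision(raw))
```

The Luhn check is what keeps an invoice number from being treated as a card number, which matters because an OCC rule that fires on every 16-digit run will be switched off by the first frustrated accounting team. The decision deliberately separates the business-partner case (encrypt, because the page's own point is that such transfers are often legitimate) from the personal-webmail case (hold for review, because that is the control-bypass pattern the policy exists to stop).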

There are two main ways to deploy email security inside an enterprise.

  1. Integrate a Managed Service at the network perimeter to route all inbound and outbound email through the service provider for comprehensive threat processing.
  2. Purchase and install one or more appliances or software products at the network perimeter to process all inbound and outbound email.

Managed Services

Managed email security services are built around network perimeter protection and filter email outside of the enterprise network, removing and blocking viruses, spam, and unwanted content before these emails can pass through the enterprise firewall and damage the internal network. A qualified managed service provider should also have the ability to scan outbound email content for confidential information (OCC) and provide secure data encryption.

Secure Gateways

Organizations can purchase and install their own email content-checking and anti-virus gateway in front of their mail server. These scanning and relay services should always be isolated in a network Demilitarized Zone (DMZ), so that a compromise of the gateway does not expose the other servers on the internal network. These tools can also be equipped to handle OCC and data encryption. When a comprehensive anti-virus protection plan is designed, anti-virus software should also be installed on the mail server itself (for example, an Exchange server) and at the individual workstation level, because email is not the only way a virus can be introduced into your network.
An important concern in the implementation of a Secure Email Gateway is the monitoring and routine maintenance of the device. Organizations with a limited IT staff need to carefully consider whether they have the skills and time to adequately perform these tasks.

Conclusion

There is a need for both inbound and outbound email security controls. The primary differences between Managed Services and Secure Gateways are:

  1. Who does the work
  2. How much does it cost

In general, Secure Gateways may be less expensive over time; however, the cost of maintenance and monitoring must be factored in. Very large organizations with many email users and a strong internal technical capability may choose the Secure Gateway option.
Organizations that lack the ability or inclination to take on the technical work of managing an email gateway will benefit from the secure, automatic features of the Managed Services option.
Either solution, configured to handle both inbound and outbound email, will work well.

Assurity River Group can help

Information Security Risk Assessment.  Assurity River Group offers a variety of projects, including Email risk assessments, Network risk assessments, vulnerability assessments, and penetration tests to help you assess your existing security controls and determine cost effective next steps in improving information security. 
Policy and Business Continuity Plan Creation.  Assurity River Group helps organizations draft effective Email and information security policies to ensure ongoing security with all IT systems, for both GLBA and HIPAA compliance. Our Business Continuity Planning services can help you update and improve your Disaster Recovery / Business Continuity plan.
Solutions.  Assurity River Group, with its business partners, can provide and implement:

  1. Either Secure Email Gateway or Managed Email Security solutions
  2. Email content filtering, encryption, and spam protection
  3. Managed firewall, IPS, and IDS systems
  4. Server or networking systems migrations and upgrades.

Contact Jeff Olejnik (jolejnik@assurityriver.com) at 651.259.6888 for more information.