Email security: Good policy is the answer

By on
Email security: Good policy is the answer

Spam clogging up the server was only the start. A sound email policy is the only way to handle security breaches and compliance.

The email security landscape has changed dramatically in the past three years, posing ever growing challenges for infosec professionals. Headline-grabbing viruses and worms have been replaced with malicious code created to make money illegally. Currently, around 70 per cent of new malware detected by anti-virus outfit Kaspersky Labs consists of Trojans delivered through spam mailings, putting an increasing strain on company networks.

"It's clear that the criminal underground has woken up to the potential of conducting 'business' in a wired world," says David Emm, senior technology consultant at Kaspersky. "Most of the malicious code we're seeing is designed to steal confidential data from victim's machines."

The quest for that profitable information is producing new forms of malware all the time, including "ransomware", which "kidnaps" data and files from a user and then demands payment for its release. Image spam is giving particular cause for concern. It involves embedded pictures that bypass standard email protection. Optical character recognition is now deployed in many services, but some have found more sophisticated methods of hiding an image to bypass filters, for example breaking up a picture into smaller pieces and blurring it.

Along with new incarnations, social engineering continues to be a problem. Recent surveys have shown that share-spam, which advises recipients on stock to invest in, does have an effect on markets. And as long as people respond to spam, those behind it will send it.

Overall the message is clear: the job of protecting emails is not getting any easier. "Pretty much all forms of security threat are on the up," is how Andrew Kellet, senior research analyst at the Butler Group, sums up 2006. Which hardly suggests that the security industry at large is on top of things. In fact, Kellet goes as far as saying that although most anti-virus companies claim to have an effective anti-spyware product, few deal with the end-to-end issues of spyware, falling short in the areas of identification and remediation.

Such failings put the onus on the user not to open emails that could contain spyware in the first place - and that is a question of company policy.

But the IT security professional's response to the current security climate is not dictated simply by criminal elements. The enterprise defence model is changing too, as Gerhard Eschelbeck, author of The Laws of Vulnerabilities and chief technology officer of Webroot, explains.

"What was once a very tightly controlled perimeter protection model is now being replaced with open network architectures that enable business communication," he says. "This evolution made it necessary to adjust malware defence. Email and browser-born attacks remain the primary vectors for attack, and protection layers have moved closer to the individual desktop as the gateway has less and less visibility into the threat."

The result is a massive burden on IT resources. There's a battle on two fronts that simply did not exist a few years ago. The need to protect the gateway from mass attacks while simultaneously safeguarding individual users can spread resources thinly.

Some now argue that the answer is to move the focus away from the exterior. The Jericho Forum, a group of industry lobbyists, insists that, with hackers targeting email systems as a method of getting into an organisation, individual devices need more attention than ever.

Access control

This brings us to the thorny issue of email access. Part of their attraction is that emails can be accessed from anywhere, anytime, and there is very little use in trying to prevent it from happening. But if we can no longer lock down devices, corporate strategy needs to change, Emm argues.

"With a laptop under my arm and a smartphone in my pocket, I walk right around gateway protection," he says. "Likewise, with my remote VPN connection, I potentially become the weakest link if my laptop is not secure."

He suggests encouraging best practice. Using plain text email and disabling scripting on machines makes it more difficult for malware writers and spammers to mask links. This is a simple way of reducing the chance of a security breach. The introduction of such ground rules runs the risk of alienating staff, however. It is a difficult balance to strike.

But there has to be some form of control imparted on employees. Critical business information is contained in company emails at every level. In November last year car rental firm Hertz dropped Deutsche Bank after one of the bank's employees sent unauthorised emails to around 175 institutional accounts just as Hertz was entering an initial public offering (IPO).

"It is not just about the loss of business," says Andrew Pearson, executive vice-president for EMEA at Workshare. "There is the PR perspective. What damage will this do for the image of Deutsche Bank in the future?"

So the reputation of the company also rests on the CISO's shoulders. Effective email control and consistent reinforcement of company policy to staff is the only way such aberrations can be prevented.

To avoid the problems caused by outgoing emails containing information they should not, CISOs need to start looking in greater detail at the subject of data loss prevention. Kellett argues that, for too long, the industry has concentrated on what is coming into organisations, without paying much attention to what is leaving them.

"The starting point will be to understand where and how confidential data is being exposed; where and how confidential data is being copied; where confidential data is being sent and, from this, how data loss policies should be enforced," he explains.

It's a complicated process, and one beset by what Kellett calls a "late-to-market" issue: vendors simply did not focus on the problem until recently. The key is balancing the need to inspect everything with the need to encrypt information exiting the company.

Rebuilding trust

The last 12 months have seen some success as organisations invest in restoring trust in email. Microsoft claims the number of companies sending authenticated mail has increased threefold last year. It is the main backer of Sender ID, the rival to DomainKeys Indentified Mail (DKIM) backed by Cisco Systems and Yahoo!. Both test the veracity of emails received and, to some extent, help alleviate the threat of spam. The more companies actively take up email authentication, the more effective the technique will become.

This year will see a continued upward trend in companies taking onboard email authentication, although anyone expecting it to be a 'push-the-button' activity should think again - as with any new technology, implementation can be onerous.

But those calling for, or expecting, an overhaul of simple mail transfer protocol (SMTP), the de facto standard for email transmission, will have to wait. It is not going to disappear overnight. Its age makes it a threat to security, certainly, but the majority of people questioned for this article argued that any new protocol would have problems, and the criminal gangs involved in the creation of malicious code can evolve very quickly.

There is no doubt the battle ground for the future of email will continue to be fought vociferously, but an overhaul would be akin to changing Britain's roads to railway tracks - not everyone is going to be keen and it certainly won't happen quickly. Patch, and, as Kellett advises, "keep up-to-date and keep your users informed", because, in the end, that is all that can be expected of a good CISO monitoring the inbound and outbound flow of emails into his organisation.


Email is increasingly becoming the bane of legal experts around the country as its volume continues to escalate. The biggest task for any CISO is considering how email is handled is making sure employees understand the legal implications of some email.

The Data Protection and Freedom of Information Acts, Sarbanes-Oxley and the UK Companies Bill all have implications in this area. Record-keeping has become a mainstream problem. "You have to take every email individually," says Darren Curtis, a solicitor at law firm Morgan Cole. "Don't keep anything for longer than necessary, but keep everything as long as you should."

It sounds obvious, but if staff are well versed they will know which emails need to be stored. Contracts, for example, need to be kept for around six years, and deeds up to 12 years.

Curtis says each company should assess its own record-keeping requirements. Look at where your company operates and its needs before making a decision on record-keeping policy."Have a data retention policy, in writing," he advises. "That way, at least you have documentation to show if anything goes wrong."

One legal element consistently tested is the business of contract formation, according to Curtis. An email is a written document. For example, if a member of the sales team suggests a price reduction without consent, the company could still find itself legally bound to sell the item for that price, no matter whether the staff member's action was authorised or not.

In September, the Data Retention Directive, adopted by the European Parliament last year, will come into force. It concerns the retention of information by ISPs and telecoms companies and will allow authorities to access data in the course of serious crime investigations. The key to the legislation is that the data must be delivered to the authorities "without undue delay", which means organisations need to be able to retrieve it quickly.

Most Read Articles

Log In

|  Forgot your password?