Corporate Email allows users greater freedom

There are two interesting issues about corporate email – (i) close to 100% of corporate communication is through email and (ii) nearly 80% of the company’s intellectual property – even the very sensitive bits – is either archived in email or travels from one individual to another through this medium. Therefore the importance of email and its correct handling cannot be overemphasized. If you are communicating with a colleague over the Internet, you simply cannot afford to let your mail be exposed at any time.

The above paragraph explains why a large number of companies have come up to offer email security solutions. In this blog, I am reviewing a solution offered by Mimecast, an email solutions company that is based in London. Mimecast offers full-fledged secure email solutions for Microsoft Exchange and Office 365. Some aspects of the solution are quite imaginative and provide capabilities that did not exist earlier.

To begin with, most of the solution is user managed and not IT staff managed. The IT manager configures the various roles the employees have and the rights associated with each role. Once this is done, users have considerable flexibility to adjust their email settings even for each message in their folders.

In more traditional email systems, any kind of list management is an administrator task, which is why at times there is a lag between a request for change and its actual implementation. Even if there was a provision for users to manage their lists and settings, administrators would be reluctant to allow them near a running system. As a result, the user stays dependent on the IT staff, which is not really the best way to run the system. Mimecast comes with a plug-in that controls user rights and how much privilege is accorded to users. This plug-in allows the user to do the most common actions while ensuring that the basic stability of the system is never jeopardized. Some users are allowed to make more complex customizations while others are not. For example, users with higher levels of privileges are even authorized to correspond with people who are on a blocked list. This assumes that the executive knows what he is doing and need not be prevented from doing it; the event is however logged should any investigation be required in the future.

In case you think a message is very sensitive, you can even send it to a secure portal that allows the recipients you have selected to read the mail, but these users cannot forward or copy these mails. Yet another feature is the capability to convert mail attachments to PDF files and allow large documents to be downloaded using a download link rather than being attached to the mail itself. This is an easy way to manage large documents. All of this is user configurable and selectable and does not require any support from the IT staff.

Mimecast allows users to perform a number of actions that were previously in the domain of the IT managers. This is simplifying the management of email services and allows the IT staff to work on more critical issues.

Is this the way IT will evolve?

 

Silent Circle coming to encrypt smartphone communications

Phil Zimmerman is a rock star for millions of computer security enthusiasts and professionals. Hundreds of thousands have greatly benefited from Pretty Good Privacy, which he released to the public in spite of being threatened with prosecution by the US Government, which found it to be too strong an encryption.

PGP made it easy and practical to encrypt email attachments besides spawning many other uses of the technology. Now Zimmerman is moving to another domain – he is looking to provide the same or better security to mobile phones and communication using these devices – whether voice or data.

Zimmerman’s new company – Silent Circle is likely to release beta versions for use on both iPhones and on Android devices. The application will encrypt both voice and data. The final version should be out by September.

Unlike PGP that was distributed via the open source movement, Silent Circle is looking to charge $20 per month for the service. The question is whether enough paying customers will be concerned about their privacy to subscribe to the service. Silent Circle plans to release a complete set of services that will be as easy to use as PGP is and will offer encrypted email, encrypted phone calls and encrypted instant messaging. Encrypted SMS will be available a little later.

Zimmerman has been given a place in the Internet Hall of Fame for PGP. His demonstrated concern for civil liberties and the freedom of the individual led to this honor. However, with PGP having been bought by Symantec, Zimmerman felt that the product has become too corporate in nature and flavor. With the focus this time on smartphone users, Zimmerman is going back to individuals again.

If two users each have installed the software on their devices, Silent Circle will provide end to end encryption. However, if only one of them has it, then the data stream from his smartphone to Silent Circle’s servers will be encrypted and thereafter it will go in clear stream to the other user. Even this limited capability will have a number of benefits. If you are a diplomat in an oppressive country you can use the service to ensure that any calls you make outside the country will be encrypted till they reach the Silent Circle servers (which are presumably located in the western world).

Security agencies are naturally worried about the implication of this game changer. The FBI is working on a proposal that would require providers of communication services to provide backdoors to any encryption they use. While one can’t argue with the need to assist the security forces in these troubled times, it will be interesting to see how the Silent Circle story pans out in the next few months.

Email Archiving – Consider the Cloud

In 2004 Bank of America was fined $10 million when it failed to hand over some email data to the US Securities and Exchange Commission in time. Currently, you are allowed no longer than 72 hours to comply with such a request.

The focus therefore is firmly on email archiving systems besides all other aspects of security and business continuity. Your email recovery system must allow you to handle individual messages and other data without having to load hundreds of tapes and scan through them. In short, depending on the line of business you are in, there could be a need to keep your archive on-line.

Storing the mail involves handling physical storage and working with logical storage and setting up backup and recovery systems. Many organizations spend vast amounts of money on setting up archiving systems.

One effective solution now becoming available is the use of cloud based datacenters. To you as a user, the cloud possesses limitless resources and you can continue to hire additional storage as your archiving needs grow. Backing up your archive is the responsibility of the cloud service provider. You can even ask for your mail to be backed up in two different data centers, separated geographically so that the same calamity (Hurricane Katrina) cannot destroy all copies of your data. Since email usage shows no signs of tapering off, cloud based email is one of the best methods of building scalability into your mail and backup servers.

Yet another risk that must be adequately covered for is ensuring the integrity of your archived emails. You must ensure that all access to the archives is logged and that you can demonstrate the integrity of your archive if ever you are required to.

The answer to all these issues is following a multi layered approach. You must have a technical solution to begin with. This solution will ensure that your servers are secure and that any external / internal hackers are not able to steal data.

The second layer is a policy layer. Ensure that your users are aware of the company policy and what they can and cannot do with their corporate e-mail. Make your email archiving and content inspection policies very clear to your employees when they join you. If this is documented and recorded correctly, it could save you from needless litigation later when someone claims violation of privacy.

The third layer comprises user training. There must be periodic training and employee indoctrination to ensure that everyone is aware of the correct methods to follow.

All of this is not for regulatory purposes alone. There is a wealth of data in your email archive that can be mined for actionable business intelligence. For a large company, where many departments may be interacting with the same client but on different subjects, this data could be used very effectively to derive greater business effectiveness.

Corporate Espionage and email security

With email having become the mainstay of corporate (and personal) communication for the last few decades, the quantity of messages far exceeds even those being posted on popular social networking sites. This leads us to the inevitable conclusion that email is not just another IT function but something much more.

The IT administrator is responsible for keeping corporate email humming: there are backups to be made, servers to be patched, users to be helped, created and dropped, and security to be managed. But these are just the essential nuts and bolts that have to be managed to keep the system going.

With ever increasing instances of corporate espionage – private and even state sponsored – email has long been identified as a major source of data loss and leakage of corporate secrets. In spite of all the awareness of the subject and the precautions that are being taken, the rate of loss is only increasing. Only in a few cases are individuals directly responsible for leaking secrets; quite often, the theft of data and secrets is actively carried out by interested parties who have succeeded in identifying the vulnerabilities of the targeted system.

In spite of the losses involved, a very large proportion of IT managers have said that while they have taken the basic precautions of server hardening etc, they have no mechanism to check if any confidential information is being leaked from their systems.

One tested method of preventing data loss from systems is inspecting and analyzing outbound email traffic. This data in motion is analyzed by a number of software and hardware solutions. These systems are given the policies defined by the corporate data loss prevention rulebooks and scan the mails to ensure that these rules, keyword policies and so on are not violated. Many of these solutions can be incorporated in the company firewall. An additional bonus could be that along with the data loss rules, regulatory compliance rules are also built in. For example, such a solution could also check that HIPAA compliance is not being compromised.
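The kind of outbound inspection described above, as an added example (not from the original post and not any vendor's product): it decodes every MIME part before applying keyword and pattern rules, because a base64-encoded attachment hides its text from a plain search of the raw message. The codename, the addresses and the sample message are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Hypothetical rulebook: one keyword list and two pattern rules.
KEYWORDS = ("project-atlas", "internal only")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def text_parts(msg):
    """Yield (label, decoded text) for the subject, body and text attachments."""
    yield "subject", str(msg.get("Subject", ""))
    for part in msg.walk():
        if not part.is_multipart() and part.get_content_maintype() == "text":
            # get_content() undoes base64 / quoted-printable transfer encoding.
            yield part.get_filename() or "body", part.get_content()


def scan(raw: bytes):
    """Return a list of (where, rule) policy violations in one outbound message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for label, text in text_parts(msg):
        lowered = text.lower()
        findings += [(label, "keyword:" + kw) for kw in KEYWORDS if kw in lowered]
        if SSN_RE.search(text):
            findings.append((label, "pattern:ssn"))
        for match in CARD_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                findings.append((label, "pattern:card"))
    return findings


def build_sample() -> bytes:
    """Constructed outbound message with a base64-encoded text attachment."""
    m = EmailMessage()
    m["From"] = "alice@corp.example"
    m["To"] = "someone@outside.example"
    m["Subject"] = "Q3 numbers"
    m.set_content("Hi, figures attached as promised.")
    m.add_attachment("Project-Atlas pricing\ncard 4111 1111 1111 1111\n",
                     filename="notes.txt", cte="base64")
    return m.as_bytes()


if __name__ == "__main__":
    for where, rule in scan(build_sample()):
        print(where, rule)
```

A gateway would quarantine or hold the message when `scan` returns anything; binary formats such as office documents need a text extractor in front of the same rules.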

The situation is very clear, there must be well defined corporate rules about data and email security and there should be adequate technology solutions in place to ensure that the rules are adhered to.

The following steps are absolutely necessary:

Senior management must be aware of the possibility of data loss and must issue unequivocal directions to the IT department. The matter cannot be left to the discretion of the IT staff alone.

The corporate data loss prevention policy must be well researched and formulated and applied company wide.

Employees must be clearly aware of what acceptable behavior is as regards personal and company e-mail use. This must be periodically refreshed so that users are regularly reminded of their responsibilities.

While regulatory compliance is not an IT function alone, IT departments and all employees of the company have a role in ensuring that this is not violated. There can be severe penalties and more serious repercussions if this happens. Companies must be very clear about data retention and security requirements of the field of business they are in. They should be able to demonstrate to an inspecting party that every action that can be reasonably expected of them has been taken to safeguard the data they hold.

If the issues involved are very serious, there could even be need to appoint an independent compliance officer who reports directly to the senior management of the company.

Archiving your mail

Besides the more exotic threats to email, one of the more commonly encountered ones is the user himself. A large number of users delete and lose email, then try to get the administrator or the service provider to somehow return it to them. Email archiving is designed to solve this problem. There are many other reasons why email needs to be archived – these could be

  • Compliance with regulations
  • To handle legal issues
  • Back up and disaster recovery
  • Reducing the load on email servers
  • Monitoring content

Most email archiving solutions are stand alone applications that integrate with the enterprise email server to receive and accumulate mail. Obviously, every email archiving solution assures and demonstrates to its users that the original email can never be altered.
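One way to make "the original can never be altered" and "all access is logged" checkable rather than asserted, as an added example (not from the original post and not any product's design): every ingest and every read is appended to a hash-chained log, and the latest chain hash is kept somewhere the archive operator cannot rewrite. The class, function and field names are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def seal(prev, seq, kind, msg_id, actor, digest):
    """Hash of one log entry, bound to the hash of the entry before it."""
    return sha256_hex(json.dumps([prev, seq, kind, msg_id, actor, digest]).encode())


class ArchiveLedger:
    def __init__(self):
        self.store = {}    # msg_id -> raw message bytes (the archive itself)
        self.entries = []  # append-only log of ingests and reads

    def _append(self, kind, msg_id, actor):
        prev = self.head()
        seq = len(self.entries)
        digest = sha256_hex(self.store[msg_id])
        entry = {"seq": seq, "kind": kind, "msg_id": msg_id, "actor": actor,
                 "digest": digest, "prev": prev,
                 "hash": seal(prev, seq, kind, msg_id, actor, digest)}
        self.entries.append(entry)
        return entry["hash"]

    def ingest(self, msg_id, raw, actor="journal"):
        if msg_id in self.store:
            raise ValueError("archive is write-once: " + msg_id)
        self.store[msg_id] = raw
        return self._append("ingest", msg_id, actor)

    def read(self, msg_id, actor):
        self._append("access", msg_id, actor)  # log first, then hand out the data
        return self.store[msg_id]

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(ledger, trusted_head):
    """Return a list of problems; an empty list means archive and log are intact.

    trusted_head is the chain head recorded outside the archive (assumption:
    on write-once media or with a third party). Without it, someone with full
    access could rebuild the whole chain and it would still verify.
    """
    problems = []
    prev = GENESIS
    for i, e in enumerate(ledger.entries):
        expected = seal(prev, i, e["kind"], e["msg_id"], e["actor"], e["digest"])
        if e["prev"] != prev or e["seq"] != i or e["hash"] != expected:
            problems.append(f"entry {i}: log record altered or reordered")
        stored = ledger.store.get(e["msg_id"])
        if stored is None or sha256_hex(stored) != e["digest"]:
            problems.append(f"entry {i}: message {e['msg_id']} altered or missing")
        prev = e["hash"]
    if prev != trusted_head:
        problems.append("head mismatch: log truncated, extended or rebuilt")
    return problems


if __name__ == "__main__":
    ledger = ArchiveLedger()
    ledger.ingest("m1", b"From: a@corp.example\n\nQ3 draft")  # constructed message
    ledger.read("m1", "auditor")
    head = ledger.head()
    ledger.store["m1"] = b"From: a@corp.example\n\nedited later"
    print(verify(ledger, head))
```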

Besides storing, the archive indexes the mail and provides rapid search capability. This ensures that a history of discussion carried out by different users can be found, if a single unique keyword is maintained to track the subject. This is what you often see when you mail a customer care center. The tracking number provided to you helps track your complaint while it is being addressed and can be used a year later to revive the issue again.

Corporate email archiving is a $5 billion industry today and will only continue to grow.

But what if you are an individual user? Maybe a professional who freelances?

One good option to use in that case is to create a personal storage file using MS Outlook. Other mail clients will have some similar options too. You create this using the File menu: go to File > New > Outlook Data File. Create a PST file with the name you want and, if you wish, give it a password as well. You can now save your mail in this folder. This folder is not on the server but on your PC. The folder can be copied and taken to another machine if you wish, and you can simply do a File > Open > Data File to navigate to the folder and mount it.

Some email horror stories

Many wise men and women end up getting terribly embarrassed because of not taking their email security seriously. It somehow does not occur to most people that unless properly secured, an email is nearly similar to a post card.

Here are some interesting shockers –

Sarah Palin

Used a Yahoo! account for official work. In itself this is an offence because all official emails have to be archived. To top that, she used her wedding date as the password and put her wedding details (including the date) on her Facebook page. You guessed the rest.

Neal Patterson – CEO, Cerner Corporation

Believed email was a confidential medium and bad manners were acceptable. He once sent out a threatening email to his managers. The mail was leaked to the press and caused a 22% drop in the company’s stock price.

Climate Research Unit, UK

This unit supplies the UN with much of its climate research data. One day an email sent by its Head made the rounds – in that mail he informed someone in his staff that he had altered temperature data for the last 20 years to hide a declining trend. The credibility of CRU took an understandable hit as did that of the CEO himself.

Galleon Group

When this group was being suspected of insider trading, its founder Raj Rajratnam thought it clever to create fake emails within his company to make the SEC think that purchases were regular business deals rather than insider trading. Found guilty of 14 counts of conspiracy and fraud.

Hundreds more have suffered similarly because they thought mail was secure and confidential. As an email user, remember to keep your official and private accounts separate, and every time you mail something out expect to see it in the news, unless you have taken care to set up email encryption systems that work and trained your people to use them correctly.

Keep your em@il ID private

A large number of sites and applications have begun to ask you to login using your email. This trend is understandable because many users tend to mix up usernames they do not use very often. This leads to difficulty logging in. Email IDs are of course used on a daily basis and hence remembered more easily.

So you end up giving out your email ID to hundreds of sites. If you were ever to lose control over your email, it would be a major catastrophe. Since your password reset instructions are sent to your email, all that a hacker needs to do, once he has got hold of your email and worked out your password, is to ask for a password reset for (say) your online bank. The password reset link is mailed right back. With the deluge of social networking sites, setting your mail password reset hint as ‘The name of your first pet’ and then posting pictures of ‘Tommy and Me’ online is a recipe for disaster. Take care. Don’t make things easier for hackers than they need to be.

Many heavy users have at least two email IDs. One is used for serious work, the other for social networks and to give out to sites where you are registering just to check out what they offer. This is a good practice. You can always set up mail forwarding between the two later. This way your main work mail account stays clutter free while spam and junk may accumulate in the more public account. The added benefit of such an approach is that even if someone is to get into this email ID, they will not be able to follow the link to get into your main email.

An interesting trick is to alter your email address. For example if you have an email such as ‘myname@gmail.com’, Gmail allows you to create variations such as ‘trial+ myname@gmail.com’ or ‘my.name@gmail.com’. Gmail allows you to filter mail on the basis of the text string you have added. No one can login using this email since such an account does not exist. Check if your email service supports this.

With bots crawling the web to harvest email IDs from websites and wherever else they can, it makes sense to put your email ID on your blog or web page in a form that cannot be machine read easily. This is why you often see addresses such as ‘myname at gmail dot com’. Since bots are getting smarter all the time, they can probably figure out that this is an email ID and concatenate the string to get a valid ID. Therefore, it makes sense to replace the ‘at gmail dot com’ bit with a logo of Gmail or whichever mail service you use.

Spam filters are getting better; security is improving all the time, but is a step or two behind due to its reactive nature. Simple precautions are important and cut down the risk of account compromise.

 

 

Email from a Cyber Cafe

Many of us who travel are at times forced to access mail from a cyber café. The café has prominent notices telling you that it is protected by the best firewall solution. If you fire up your laptop, connect to the wi-fi in the café, are you safe?

The issue with wi-fi safety in public places is not about what is happening from the internet end of the firewall.  It is what is happening inside the firewall that should be causing worry.

Let’s look at some scenarios. When you browse the net, sites that are not SSL secured (i.e. where the URL does not begin with “https”) will be communicating with your laptop in clear text. Anyone inside the cyber café or within range of its wi-fi can run a packet sniffer and see precisely what you are sending back and forth. No big deal if all you are doing is checking game scores. But even then, why should someone know that you are interested in ping-pong?

For every e-commerce transaction, you can take it for granted that you will have an SSL connection and your URL will begin with “https” and not “http”. This ensures a secure connection from the moment your login window comes. If you are using your own laptop (and not a shared PC), you are safe. The same is the case with many (but definitely not all) email clients as well.

Using HTTPS

If you are going to be using insecure locations often, and need to see your mail, it will be wise if you can switch to an https based service. There are many which are freely available. Even if you are very fond of your insecure email service (after all that was the only place where you could use an ID you wanted) you can often set up a mail forwarding / mail collecting service so that you can see your mail using a more secure email client.

Importing Mail


Just another point before I sign off. If you are using a public computer, be aware that regardless of SSL settings, https or no https, if someone has loaded a keylogger (could be either software or hardware) your keystrokes may be captured and examined at leisure. Think of it every time you enter a user name / password.

On the other hand you could set up an encrypted email service with CryptoHeaven, and completely bypass those security implications, because your connection would be encrypted, and each message and file would also be individually encrypted. This eliminates all snooping, as the entire traffic is secured and nothing leaves your PC in plain form.

 

Email Spoofing

 

There could be many types and instances of email spoofing. Essentially they all tend to show a different location of origin when it was actually sent from another source. The aim is to trick the receiver into taking a wrong decision regarding the authenticity of the message he/she has received. Combined with clever social engineering, email spoofing could also be tricking the user into revealing passwords and account details etc.

Spoofing email is not difficult since Simple Mail Transfer Protocol (SMTP) lacks authentication. In case an administrator has configured his mail server to accept connections to the SMTP port, anyone can connect to that port and issue commands to generate mail that can appear to originate from any real or fictitious address. Informed users can also spoof their email addresses by other methods.

Mail Spoofing

Administrators are often alerted to spoofed mail by users or by mysterious bounced email messages. Much can be found by examining system logs and mail headers of the spoofed mail. The header will contain much information (history of hops, Received: and “Message ID” etc) which will allow any good system administrator to figure out what is happening. However do remember that if the mail system hacker connected directly to the SMTP port, then this information may not be available.
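The header examination described above, as an added example (not from the original post): it compares the From domain with Return-Path, Reply-To and Message-ID, then checks the one Received line written by the organisation's own border server, since every header below that line was supplied by the sender. The message, host names and the `corp.example` domain are constructed, the Received layout follows the common "from HELO (rDNS [IP]) by HOST" form, and a Message-ID mismatch on its own is only a weak hint.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, newest Received header first, as a mail store keeps it.
SAMPLE = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby mailstore.corp.example with ESMTP id A1; Mon, 4 Jun 2012 10:00:05 +0000
Received: from mail.bank.example (unknown [203.0.113.77])
\tby mx.corp.example with SMTP id B2; Mon, 4 Jun 2012 10:00:03 +0000
Return-Path: <bounce@bulk.invalid>
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@bank-support.invalid
To: user@corp.example
Message-ID: <20120604100001.1234@pc17.dialup.invalid>
Subject: Please verify your account

Body.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")


def domain_of(value: str) -> str:
    return parseaddr(value)[1].rpartition("@")[2].lower()


def in_domain(host: str, domain: str) -> bool:
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def hops(msg):
    """Parsed Received headers in stored order (last hop first)."""
    found = (RECEIVED_RE.search(h) for h in msg.get_all("Received", []))
    return [m.groupdict() for m in found if m]


def analyse(text: str, own_domain: str):
    """Return human-readable spoofing indicators for one message."""
    msg = message_from_string(text)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    for name in ("Return-Path", "Reply-To"):
        value = msg.get(name)
        if value and domain_of(value) != from_dom:
            findings.append(f"{name} domain {domain_of(value)} differs from From domain {from_dom}")
    mid_dom = msg.get("Message-ID", "").strip().strip("<>").rpartition("@")[2]
    if mid_dom and not in_domain(mid_dom, from_dom):
        findings.append(f"Message-ID issued by {mid_dom.lower()}, not {from_dom}")
    for hop in hops(msg):
        # Border hop: our server recording a peer that is not one of ours.
        if in_domain(hop["by"], own_domain) and not in_domain(hop["rdns"], own_domain):
            if hop["helo"].lower() != hop["rdns"].lower():
                findings.append(f"peer {hop['ip']} announced itself as {hop['helo']} "
                                f"but resolves to {hop['rdns']}")
            break
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE, "corp.example"):
        print(line)
```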

This leads naturally to the importance of good system management and why good system administrators are essential. You can offer your users improved security by following best practices and guidelines. There is no rocket science to it. Just harden your servers, shut down unnecessary services and close ports that are not needed. It is also important that logging is enabled and the firewalls are configured correctly to make all incoming SMTP connections go through a centralized mail hub. This improves logging and will help counter email spoofing attempts.

 
 

How secure is your email

Depends.

If you are considering a business environment or exchanging love notes or something similar, email can be made nearly completely secure. A large number of solutions exist that you can use. The strength of the solution would also depend on the complexity you and the other party are willing to put up with.

However, if there is a suspicion that you are working against the country, are with the bad guys and are using the encryption to build a terror network then (thankfully) the security of email encryption can be a mirage. All encrypted mail services, in their terms and conditions, whether for paid or free services, clearly specify that the service is not to be used for illegal purposes.

In a recent case, when an illegal drug dealer was found to be using Hushmail (a major encrypted email service) to conduct illegal sales of a banned drug, law enforcement agencies were able to get 12 CDs worth of encrypted mails from Hushmail following a Court order. Read about the case here.

An interesting aspect of the case was the fact that these 12 CDs contained encrypted data. The Federal government did not seem to mind this. Which tells us something!
