Sidewinder on email security

Davey Winder, the IT security journalist of the year, reminds IT managers about the basics of email security.
Email threats and risks are changing. In just two months, mail management specialist SurfControl has seen the global volume of email grow by 50 per cent, largely “thanks” to the “image spam” trend.
In case you haven’t come across it, image spam is the current weapon of choice for getting around spam filters. These filters tend to inspect mailing histories, IP addresses, phrases, words and so on before deciding whether to let a mail through.
They’re not so good at inspecting images: to a text-based filter, an image is just a long run of 1s and 0s with no words in it to match against, so it makes no sense at all.
Image spam exploits this. To add insult to injury, image spams are huge, typically ten times the size of a text or HTML spam, which is why email volumes are growing so rapidly.
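As an added illustration, not from the column or from SurfControl, here is a toy Python triage step for a mail gateway: a keyword scorer of the kind the text describes, which sees nothing inside an image, beside a size-share heuristic that holds near-wordless, image-dominated messages for image-aware scanning. The sample messages, word list and thresholds are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SPAM_WORDS = {"pills", "stock", "winner", "offer"}  # constructed toy phrase list

def build_mail(text: str, image: bytes = b"") -> bytes:
    """Constructed sample: text body plus, optionally, a GIF attachment, the
    shape of an image spam (the pitch is rendered inside the picture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "hello"
    msg.set_content(text)
    if image:
        msg.add_attachment(image, maintype="image", subtype="gif", filename="ad.gif")
    return msg.as_bytes()

def parse(raw: bytes):
    return message_from_bytes(raw, policy=policy.default)

def keyword_score(msg) -> int:
    """Count spam words in the readable text body; an image contributes none."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    return sum(1 for w in SPAM_WORDS if w in text)

def image_share(msg) -> float:
    """Fraction of decoded payload bytes that sit in image parts."""
    sizes = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        kind = part.get_content_maintype()
        sizes[kind] = sizes.get(kind, 0) + len(part.get_payload(decode=True) or b"")
    total = sum(sizes.values())
    return sizes.get("image", 0) / total if total else 0.0

def classify(raw: bytes, min_image_share: float = 0.9) -> str:
    """Keyword hit -> reject; almost-all-image with no readable words -> hold for
    image-aware scanning (the scorer cannot see into it); otherwise pass."""
    msg = parse(raw)
    if keyword_score(msg) > 0:
        return "reject-keyword"
    if image_share(msg) >= min_image_share:
        return "hold-image-scan"
    return "pass"
# Constructed samples: text spam, image spam (20 KB of GIF bytes, no words), normal mail.
TEXT_SPAM = build_mail("Cheap pills, you are a winner, special offer")
IMAGE_SPAM = build_mail("", b"GIF89a" + b"\x00" * 20000)
NORMAL = build_mail("Meeting moved to 3pm, minutes to follow in the body.")
```

The share threshold is a triage signal only: a normal mail with a small picture signature and a real text body falls well below it and passes.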
“The overall increase in volume not only poses threats to productivity, but to security, network resources and legal liability,” warns Hamish Patel from SurfControl. That is why getting your email security right is so important, and why I am in Newcastle with coal this month. Forgive me if I am telling you something you already know, but if this is new to you, it’s terribly important.
Keep IT Simple, Stupid (KISS)
At its most basic, email security really isn’t rocket science. You just need to follow some simple rules, such as these from Robin Unsworth, director at IT consultancy Qedis:
Back-end security:
- Keep spam filters up to date
- Encrypt emails to secure privacy
- Use digital signatures to authenticate who your messages have come from
Remote Access:
- Restrict it to those who really need it
- Use a secure Internet channel, with a certificate in place to encrypt traffic
- Use third-party hardware that acts as a proxy to increase security
- Secure handheld devices
Physical Security:
- Ensure that unauthorised people can’t walk up to a desktop and access email
- Ensure that the server is stored in a physically secure location
Meta matters
Of course, you also need to apply a little sideways logic to build on the basics and make sure your email is really secure. Hands up if you’ve thought about the hidden data that is regularly sent within Word document attachments, for example? Cathy Brode, chief executive officer at 3BView has. “Tracked changes and other metadata can accidentally reveal confidential information,” she warns. “You should consider one of the solutions available to automatically remove this metadata as documents are emailed.”
Cash-strapped NHS managers need not panic: there are free tools from Microsoft for Office that will strip this kind of metadata from documents, and Office 2007 has a nifty tool called the Document Inspector to clean emails automatically.
Think it’s a fuss over nothing? Drug company Merck didn’t after it was revealed that it had admitted awareness of links between Vioxx and heart attacks within the metadata of a Word document…
User focus
Brian T. Contos, chief security officer at security management company ArcSight, reminds us that the biggest concern for the NHS is probably confidential patient data. “The threats are primarily associated with insiders in terms of data leakage; so management monitoring should be carefully focused.” Again, applying the KISS concept, this really means keeping an eye on:
- What is being sent out
- Who is sending it
- Who they are sending it to.
Policy matters
This little list shows that technology is important but not the only solution when it comes to email security. The rules of engagement change with a large enterprise like an NHS trust, with a large number of less savvy users. As David Karp, a director at Ipswitch, says: “All the technology on the list can come to naught if the end user is not properly educated in the ins and outs of email, and they don’t pay close attention to the policies laid down by IT management.”
One concept that is key in that comment is education. And cloaking an Acceptable Use Policy in legal jargon is not the way to achieve this.
Robin Saunders, managing director of NETconsent, says: “Effectively communicating policies provides an organisation with the opportunity to educate employees about why the issue in question is a concern and to get their buy-in to tackling it.”
Incidentally, although security programs are gearing up to combat image spam, passing on all the classic anti-spam messages via user education is considered the best defence.
Policy for policy setters
As well as creating a policy for users, IT managers must also work within acceptable use parameters. NHS Connecting for Health’s information governance guidelines on the exchange of Person Identifiable Data (PID) via email state quite clearly what are, and are not, acceptable methods of protection, for example.
It is acceptable to exchange PID within an NHSmail email chain, or to protect PID within a file encrypted using the Advanced Encryption Standard (AES), preferably at 256-bit. It is not acceptable to exchange PID in the clear (even over the NHS network outside of NHSmail), to protect PID within a simple password-protected file, or to use a WinZip archive with standard Zip 2.0 encryption.
In the light of this, it should be treated as best practice to ensure that IT staff are provided with their own Acceptable Use Policy covering the technical administration of email within the organisation.
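An added example, not from the column or from NHS Connecting for Health: a Python check a mail gateway could run on a zipped attachment to tell traditional Zip 2.0 (PKWARE) protection from WinZip AES (compression method 99 plus a 0x9901 extra field) and apply the guidance above. The sample entries are constructed local-header fragments, not complete archives, and the verdict labels are this example's own.

```python
import struct

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # PKZIP local file header (30 bytes)
AES_EXTRA = struct.Struct("<HHH2sBH")       # WinZip AE-x extra field, id 0x9901
AES_BITS = {1: 128, 2: 192, 3: 256}

def entry_encryption(flags: int, method: int, extra: bytes) -> str:
    """'none', 'zip2.0' (traditional PKWARE encryption, the scheme the guidance
    rules out) or 'aes-<bits>' (WinZip AE-x: method 99 plus a 0x9901 extra)."""
    if not flags & 0x1:
        return "none"
    if method != 99:
        return "zip2.0"
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == 0x9901 and size == 7 and pos + 11 <= len(extra):
            _, _, _, vendor, strength, _ = AES_EXTRA.unpack_from(extra, pos)
            if vendor == b"AE":
                return f"aes-{AES_BITS.get(strength, 'unknown')}"
        pos += 4 + size
    return "aes-unknown"

def scan_zip(data: bytes) -> list:
    """Walk the local file headers in order and return (name, scheme) pairs.
    Assumes header sizes are correct (no data descriptors), enough for triage."""
    entries, pos = [], 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        _, _, flags, method, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        extra = data[pos + 30 + nlen:pos + 30 + nlen + xlen]
        entries.append((name, entry_encryption(flags, method, extra)))
        pos += 30 + nlen + xlen + csize
    return entries

def pid_verdict(data: bytes) -> str:
    """AES protection is acceptable (256-bit preferred); Zip 2.0 encryption or
    no encryption at all is not. Labels are this example's own."""
    schemes = [s for _, s in scan_zip(data)]
    if not schemes or any(not s.startswith("aes-") for s in schemes):
        return "not-acceptable"
    return "acceptable" if all(s == "aes-256" for s in schemes) else "acceptable-prefer-256"

def make_entry(name: bytes, flags: int, method: int, extra: bytes = b"") -> bytes:
    """Constructed local header + 8 dummy data bytes (no central directory)."""
    hdr = LOCAL_HDR.pack(b"PK\x03\x04", 20, flags, method, 0, 0, 0, 8, 8, len(name), len(extra))
    return hdr + name + extra + b"x" * 8
AES256_EXTRA = AES_EXTRA.pack(0x9901, 7, 2, b"AE", 3, 8)
ZIP20 = make_entry(b"patients.csv", 0x1, 8)                  # Zip 2.0 encrypted
AES256 = make_entry(b"patients.csv", 0x1, 99, AES256_EXTRA)  # WinZip AES-256
PLAIN = make_entry(b"patients.csv", 0x0, 8)                  # no encryption
```

A mixed archive fails as soon as one entry falls outside the guidance, since a single Zip 2.0 or unencrypted member exposes that member's PID regardless of how the rest is protected.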
About the author: Author, journalist and consultant Davey Winder has been writing about security issues for 16 years and is the current IT Security Journalist of the Year, an award from BT.