E-mail Security
Introduction
Email, especially Internet email, has become a basic communications tool. It is one of the most versatile means of transferring information of almost any kind. Any business application where there is a need to transfer information without the requirement for online lookup can be automated with e-mail. Email is also the easiest architecture to deploy for communications with remote employees, business partners, etc.
However, email is notoriously insecure. It is highly vulnerable to interception, and forgery of e-mail is trivial. Therefore, without proper security measures, it is highly inadvisable to transfer sensitive information by e-mail, or to place too much trust in information received via e-mail.
Unsolicited bulk email (‘Spam’) is one of the most prevalent threats to network integrity on the public Internet. It causes denial of service at the network level, by flooding bandwidth and overloading email hosts. It reduces the productivity of both mail administrators and end users. This is one area that organizations should emphasize when considering email-messaging security.
We will briefly discuss the various technologies that can be used to secure enterprise-wide email messaging systems.
Email Encryption
Fortunately, email encryption along with its sister technology of digital signatures is able to solve all the security problems inherent in sending and receiving email, and to render it more secure than alternative technologies: faxes and letters can be intercepted in transit; encrypted email cannot. Hand-written signatures can be forged; digital signatures cannot.
Most popular email programs, such as MS Outlook 98, support encryption seamlessly, either as a native part of the application or as a plug-in. Certificate servers and other key management tools are also readily available, so deploying an encrypting email infrastructure is relatively straightforward. The decision should not be whether to provide email encryption facilities, but how.
Often, organizations resist implementing email encryption on the grounds that ‘hardly anyone needs it’. This view ignores the following important realities.
- In almost any organization, there are users who do need encryption, and whose attempts to implement it are frustrated or made more difficult by lack of corporate standards or support.
- There are many users who should be using encryption, but who do not because they are unaware of it or do not have the initiative to implement it.
- Public-key encryption depends on the recipient of the message having a valid key, and the base of users who may need to receive an encrypted message at some point is much larger than the base of users who need to send encrypted messages on a regular basis.
- The pervasive use of digital signatures significantly improves the level of trust which users can place on the use of email. Most users are highly trusting of email, being unaware of the extreme ease with which it can be forged. These are the very users who are least likely to be able to detect a forgery. Universal signing provides protection against forgery, ensuring that email automatically justifies this trust.
- Universal availability of encryption does not force users to use encryption. It merely makes the facility available. There are some users who may not need to use encryption – though the numbers of these users are usually much lower than is commonly believed. Making encryption universally available does not impact on these users in any significant negative way if at all. The only instance in which policies favoring encryption may have a negative impact is if an organization mandates the use of encryption for all email traffic. Because the adoption of encryption is nowhere near universal as yet, this can make it difficult for users to send email to casual correspondents outside the organization, particularly on the Internet.
There are a variety of options when choosing an email encryption platform, but only two are considered standards these days: PGP and S/MIME. Both provide the same facilities – encryption, digital signatures, and key certification – but they take somewhat different approaches.
PGP
PGP (Pretty Good Privacy) has a long history as a freeware product, and has therefore seen extensive use worldwide. In 1996, PGP development was formalized and commercialized through the formation of PGP Inc., which was then bought by Network Associates (makers of McAfee virus detection software, the Sniffer network monitoring product, etc.).
PGP has several strong points:
- It is compatible with a very wide range of popular email packages. It is supported natively by Outlook Express 5, Eudora and available as a plug-in to Pegasus mail.
- It is available legally outside the United States with very strong encryption. PGP supports key lengths of up to 4096 bits for public keys, and uses strong versions of IDEA and CAST algorithms for actual encryption.
- It provides additional tools which allow the user to encrypt files on the local machine (there is seamless integration with the Windows desktop) and to encrypt the Windows clipboard, which allows encrypted or digitally signed data to be included in any application.
- An API is available which allows it to be more tightly integrated into any custom applications.
Originally PGP was designed as a personal encryption tool. Its certification model is therefore based on a ‘web of trust’, with multiple possible certifiers for a single key, and with provision for lengthy chains of certification and cross-certification. While this scheme is very powerful, it has traditionally made PGP difficult to deploy in a large corporate environment, since in the past it did not readily support centralized or semi-centralized key management, certification and control.
However, this reservation has recently been comprehensively addressed by PGP Inc., who have released a certificate server for centralized key certification, and a policy management agent which allows for policy to be managed using standard SNMP management tools.
PGP has also incorporated key recovery into the commercial version of the product. This allows the creation of a secure ‘master key’ which can be used to decrypt the session key of any message sent by a corporate user. This has two uses: it allows for a ‘back door’ in case a user encrypts valuable information and is then unable to decrypt it for whatever reason, and it allows for central ‘wiretapping’ of encrypted mail in cases where sensitive investigations against employees are required.
S/MIME
S/MIME (not to be confused with MIME, the standard for sending document attachments in email) has an illustrious pedigree, having been developed by RSA Laboratories, one of the most respected names in cryptography. S/MIME is not a product in its own right, but a proposed suite of standards with RSA offering toolkits and APIs for vendors to integrate the standard into their products.
The S/MIME specification is built around the X.509 key certification standard. This is the same standard used for SSL certificates in Web servers and browsers. X.509 is designed around fairly centralized certification, and is therefore relatively easy to implement inside organizations. Implementation across organizations requires a little more effort, requiring some form of cross-certification of certificate authorities.
An increasing number of packages are offering S/MIME support, including MS Outlook, Novell GroupWise and Lotus Notes. It should be noted, however, that not all ‘S/MIME’ mail packages actually interoperate properly. Centralized key management – one of the main benefits of X.509 – is often difficult across multiple email platforms.
'Spam' Mail
From the user perspective, unsolicited email (‘Spam’) is a nuisance. From the network perspective, it is a disaster. Cleaning out a few get-rich-quick schemes and an invitation to visit a pornography site from one’s mailbox every day is an annoyance to the average user, but it pales into insignificance compared to the impact on network and server resources. Any mail server serving a sufficiently large user base will have to process tens or hundreds of thousands of items of email, all of which travel over precious Internet bandwidth.
Worse, spammers are always on the lookout for innocent mail hosts through which they can send (relay) their spam, in order to disguise their identity. Spammers also often include a false return address on their mail, to prevent them receiving hundreds of thousands of ‘bounced’ undeliverable messages and angry responses from individuals who do not appreciate receiving spam. It is imperative, not only for the organization’s own security, but in the interests of good Internet citizenship, to ensure that mail hosts and networks are properly protected against the menace of spam.
Anti-Spam Measures:
The most fundamental step in barricading the network against spam is ensuring that mail servers are configured not to allow third-party relay. Third-party relay is defined as the processing of mail where neither the recipient nor the sender of the message is a local user. Although there are occasional legitimate reasons for using third-party relay, very few commercial networks have any need to support it.
Specific (fairly technical) instructions on implementing anti-relay on a wide variety of mail hosts are available on the Web.
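The relay rule above, sketched as the decision a mail server makes for each recipient (an added example, not taken from this paper or from any particular mail host). The domain, the trusted network, and the reply texts are assumed values; because the sender address is trivially forged, the sketch also requires the connecting client to be on a trusted network before relaying outward.

```python
import ipaddress

# Assumed values for illustration; they do not come from the paper.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # documentation range


def domain_of(address):
    """Return the lower-cased domain of an envelope address ('' if none)."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_third_party_relay(mail_from, rcpt_to):
    """The paper's definition: neither sender nor recipient is local."""
    return (domain_of(mail_from) not in LOCAL_DOMAINS
            and domain_of(rcpt_to) not in LOCAL_DOMAINS)


def accept_rcpt(client_ip, mail_from, rcpt_to):
    """Decide at RCPT TO time. Returns (accepted, SMTP reply)."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return True, "250 OK"  # inbound mail for a local user
    # Outbound mail: MAIL FROM can be forged, so a local-looking sender
    # is not enough. The client must also be on a trusted network.
    ip = ipaddress.ip_address(client_ip)
    if (not is_third_party_relay(mail_from, rcpt_to)
            and any(ip in net for net in TRUSTED_NETS)):
        return True, "250 OK"
    return False, "550 Relaying denied"
```
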
Abuse@domainname account
This is the standard format for a mail address used to receive, monitor and act upon apparent network abuse by users of a given domain. For example, if your domain name is Calsoft.com, you should create an email account called abuse@Calsoft.com and have it monitored by the administrator. This will provide an excellent early warning system for abuse by users of your network, as well as abuse of your email infrastructure by third parties.
Real-Time Blackout List (RBL)
The real-time blackout list (RBL) is a constantly updated list of known spam sites maintained by a team of volunteers on the Internet. The list contains IP address ranges for known spam originating and relay sites. This list can be used to automatically block access to your site. There are three places where this blocking can be implemented: at the router, at the firewall, or at the email server.
Implementing the RBL at the router is the best option of the three, but involves some configuration of BGP, which may be undesirable for other reasons. Use of the RBL by the email server may require updating the mail agent, and will require small changes to DNS configuration. Implementing the RBL at the firewall requires replacement of the vendor-supplied SMTP proxy, which we do not recommend unless the other options are unavailable.
For full (highly technical) information on how to implement the RBL using the various methods described.
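How a mail server can consult such a list over DNS at connect time, as an added example that is not part of the original paper. It assumes the common DNS blocking list convention (reversed IPv4 octets prepended to the list's zone, with a 127.0.0.0/8 answer meaning "listed"); the zone name, the sample record and the resolver stand-in are constructed so the code runs offline.

```python
import ipaddress

RBL_ZONE = "rbl.example.org"  # placeholder zone, not a real list

# Constructed sample data standing in for the list's DNS zone: a listed
# address resolves to an A record; an unlisted one does not resolve.
SAMPLE_ZONE = {"7.113.0.203.rbl.example.org": "127.0.0.2"}


def rbl_query_name(client_ip, zone=RBL_ZONE):
    """Build the DNS name to look up: reversed IPv4 octets + list zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def sample_resolver(name):
    """Offline stand-in for a DNS A lookup; returns None for NXDOMAIN."""
    return SAMPLE_ZONE.get(name)


def is_listed(client_ip, resolve=sample_resolver):
    """True only if the lookup returns an address inside 127.0.0.0/8."""
    answer = resolve(rbl_query_name(client_ip))
    if answer is None:
        return False  # not listed, or lookup failed: mail still flows
    # Ignore unexpected answers (e.g. a wildcard record after a zone lapses),
    # otherwise every connecting host would appear to be listed.
    return ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")


def smtp_greeting(client_ip):
    """Reply the mail server would give when the client connects."""
    if is_listed(client_ip):
        return "554 Connection refused: %s is on the blocking list" % client_ip
    return "220 mail.example.com ESMTP"
```

Passing a real DNS lookup function as `resolve` turns the same check into a live query against whichever list zone the server is configured to use.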
Real-Time Scanning And Filtering
Use of a network-based real-time scanning tool will detect and, if so configured, block most large-scale spam attacks. However, since network scanners are concerned with patterns of network traffic, rather than the content of messages, they cannot easily detect small-scale spam attacks. It may be feasible to install content filtering software such as MIMESweeper/SPAMSweeper from Integralis, but there are some significant performance questions when using such programs. Virus scanning of email should be performed at the email server level rather than using online scanners. Products such as McAfee GroupShield for Windows and Norton AntiVirus for Windows (for Microsoft Exchange 5.5) are useful in these situations.
User Education
In order to minimize the risk of spam originating from your internal network, users need to be aware that spam is unacceptable. Many corporate spamming incidents are the result of user ignorance as to the negative effects of spamming. The organization’s email usage policy should be amended to incorporate a clear anti-spam clause. An education drive (information on the Intranet, newsletter articles, propaganda posters, etc.) should supplement this. Once this is in place, decisive action should be taken against spammers, and this action should be widely publicized.
Email Privacy
As electronic mail proliferates in the workplace, many are surprised to find that e-mail privacy is minimal, and that "deleted" e-mails are easily retrieved from desktops or from backups with the help of disk analysis tools and restoration tools. So, to keep your mail safe from prying eyes, here are some tips.
If you are using an email client which supports encryption for the personal message folder, you should use it with appropriate passwords (preferably 10 characters numeric and alphanumeric combination) for this message folder. MS Outlook 98, MS Exchange Inbox, Outlook Express and others have this facility. This will help you keep your messages safe from other people who use your desktop.
You can also use software tools that will compress and protect your data on hard disks, floppy disks and network drives. This will safeguard your email message store as well as all the data on your desktop. One such product is called Novaho Zipsafe. Its features include built-in compression of up to 70%, encryption from 40 bits to 168 bits, and compatibility with all file formats. One of its most highlighted features is ‘Shredder’, which makes files unrecoverable to programs that rebuild files after deletion. Stealth Encryptor for Windows is another product that can be used to protect your desktop data. Stealth Encryptor also has all the features mentioned above.
A serious user who is very much worried about email privacy can use a free email service offered by UK-based Global Market Ltd. It is called 1on1Lite and offers a 2048 bit encryption level, as well as messages that self-destruct without a trace (or any smoke) after being read by the intended recipient.
Another consideration along these lines: if you are using email servers like MS Exchange or Novell GroupWise, make it a point to delete unwanted emails from the message store. Normally these servers keep the emails on the server itself if you are not using a POP3 email client. The administrator subjects this message store to periodic backups, so your messages in the inbox, sent items and other folders are automatically backed up and at a later stage could be subject to inspection. Always make a point of deleting unwanted messages, and use encryption to keep confidential messages encrypted in your message store. Also adhere to the email policy of the company you are working for.
