Securing Your Organization’s E-mail

Oct. 27, 2008
One of your most critical business applications may be wide open to attack

If there’s one thing we take for granted all too often, it’s the security of our e-mail systems. Within most organizations, all it takes to bring business to a screeching halt is one external hack, one insider breach, one malware outbreak, or one e-mail server crash. All things considered, I can’t think of any more critical business application than e-mail. At least it’s the one critical application that, when it’s not available, gets everyone’s attention.

All it takes is one weak link in your network or e-mail environment for corporate correspondence to become fair game to anyone with network access. Not only is e-mail an important business tool; it’s a very vulnerable application on the network. E-mail communications can be intercepted and misused by unauthorized people.

These issues put business confidentiality, liability and compliance in jeopardy. Your security department personnel need to be aware of them. After all, e-mail is a technology and business tool that falls right in the middle of all the security convergence changes that are taking place today.

There are literally hundreds of ways for someone to take advantage of your e-mail system, but I seem to come across the same issues year after year.

Weakness 1: Password Theft

There’s likely a weakness on your network this very minute that someone can exploit in a very short period of time using the right tools. For example, anyone connected to the network can download the free network security tool called Cain & Abel, enable a feature called ARP poison routing that effectively turns Ethernet switches into hubs (thus negating their security benefit), and within minutes start capturing e-mail and various other network passwords, all without anyone knowing about it. Once these passwords are captured, viewing, sending, and receiving e-mails from the compromised accounts is only a few clicks and keystrokes away.

I used Cain & Abel in an internal vulnerability assessment, and I was able to quickly glean more than 300 passwords off the network—many of which were being used for e-mail access. Most of the other passwords discovered would likely provide access into users’ e-mail as well, given that most people use the same password across multiple systems. This same type of exploit can be executed even more quickly if there’s unsecured wireless access on your network.

Weakness 2: Archived Files
E-mail is not just used for business communications. It’s almost always used as a file repository as well, and that opens up another, equally serious vulnerability. Based on what I see, I’d venture to guess that the majority of most organizations’ critical information is accessible via e-mail at the user desktop level in the form of archived word processing documents, PDF files, spreadsheets, and so on.
Many e-mail administrators deny that all of this sensitive information is being stored on workstations in the form of local e-mail inboxes, archived Outlook files and saved e-mail attachments. Whether it’s policy or not, the fact is, users—everyone from customer service reps to executives—are storing sensitive information within their personal work environments, and this leads to serious physical security, data retention and other information exposure issues. This is especially true when someone compromises e-mail passwords as demonstrated above or obtains physical access to the system and cracks the computer’s password(s) to get in.

Weakness 3: Unpatched Operating Systems
There are other weaknesses at the computer operating system level that can be exploited to provide an attacker with unauthorized access to e-mail servers and workstations, again placing messages in danger. When network administrators fail to apply software patches quickly enough after vulnerabilities are announced, it can open a significant vulnerability. Someone with access to your network can exploit this type of vulnerability by running a tool such as Metasploit. Within a matter of minutes, this someone could obtain full admin-level access on an e-mail server or any given workstation.
Once access is established, the attacker has full rights to the computer and any e-mails, passwords or files stored on it, putting your messages and sensitive files at risk.

Other Vulnerabilities
Of course, malware, phishing and spam put your organization at risk as well. These vulnerabilities aren’t as big of a deal, since some basic technologies and user awareness go a long way towards fending them off. Nonetheless, they fall into the realm of security and risk management, and they need to be on your radar.

What to Do
As bad as they may sound, most e-mail-related security vulnerabilities can be shored up. Books have been written on what you can actually do about these problems. I’ll cut through the marketing fluff and outline which technologies and practices actually work. You may not be the decision maker or implementer of these solutions, but you’re certainly affected. You can likely influence change to help out your IT team and your organization as a whole, so it’s good to know what’s available.
Before your organization starts doing anything, a security assessment of your messaging environment needs to be performed. This will highlight weak systems and processes and show you where you need to focus your efforts. Your internal IT or information security team may be able to perform this assessment, or you may want to bring in an outside expert who can provide a new perspective beyond what the internal team sees day in and day out.
The following tools and processes are essential for locking down your organization’s e-mail environment.

E-mail Firewall
An e-mail firewall is an appliance or e-mail server-based software that provides firewall-type features for your e-mail servers. Companies like CipherTrust and Marshall Software offer such products. E-mail firewalls can offer malware protection, intrusion prevention, spam filtering, content monitoring and more. This type of protection is a must for any enterprise.
Alternatively, for years I’ve used and recommended managed e-mail security providers such as Singlefin and MessageLabs. Although often not quite as feature-rich as an e-mail firewall that would be installed internally, I like these solutions because they keep the attacks and junk from ever reaching your network and e-mail environment. This frees up Internet access bandwidth, server processing cycles, and network storage. A managed service can also be an important part of your organization’s business continuity and disaster recovery efforts, since they can keep receiving e-mails even when your network or Internet connection is down.

Encryption
The seemingly obvious solution for preventing unauthorized e-mail access is encryption. Just encrypt everything and all will be good. If reducing security risks were only that simple, we’d all be out of a job!

The fact of the matter is, encryption can be cumbersome and difficult to implement, much less to manage day to day. The standards bodies and security product vendors have helped simplify things in recent years, and here’s what can be done to lock down typical e-mail communications scenarios in the enterprise without too much money and effort.

Server-to-server e-mail communications can be secured using SSL or TLS. These protocols provide authentication and encryption to keep prying eyes away and can often be implemented as part of an e-mail firewall or commercial e-mail server such as Exchange or GroupWise. A VPN can be used to secure server-to-server links. Secure server communications can be established both internally and with key business partners that are willing and able to establish a secure link.

Workstation-to-server communications on the internal network are often trickier because there are so many workstations to secure. The closest thing to a realistic solution is to implement S/MIME or PGP on each workstation. This will require software and/or digital certificates installed on each machine, but it does work well. At a minimum, your IT team could enable one of these security technologies on systems dubbed critical or sensitive, such as those belonging to security personnel, IT personnel, HR personnel, and executives.

Workstation-to-server communications for remote access or external servers can be secured via POP3 over SSL (POP3S), IMAP over SSL (IMAPS), and SMTP over SSL (SMTPS). Most e-mail servers and clients support these protocols, and they’re very simple to set up.

Web access (i.e. Outlook Web Access, GroupWise WebAccess) for remote users can be secured by simply enabling and requiring HTTP over SSL (HTTPS) on the Web server.

Wireless networks or data centers where e-mails will be transmitted can be enabled with Wi-Fi Protected Access (WPA) pre-shared keys or an enterprise solution based on RADIUS to keep the airwaves secure. It won’t prevent a malicious authorized insider from taking advantage of sensitive messages, but it will help keep external attackers at bay.

Hard drive encryption should be used, at a minimum, on laptops and even internal workstations and servers that are vulnerable to theft. This will prevent malicious or even curious unauthorized access to the system and its e-mails in the event of theft or loss.

It’s important to note that simple computer password protection isn’t enough for this. There are security tools such as the Ophcrack Live CD and Elcomsoft System Recovery that can be used to maliciously crack any and all passwords to provide full access to the system, e-mails, and more.

None of these methods is foolproof or unhackable, but they’re all much better than the alternative. Just remember that your organization’s employees should never be relied upon to use these security methods when communicating via e-mail. Automating encryption wherever possible is essential for keeping the responsibility out of your users’ hands, and it’s is not an unreasonable expectation when using current technologies.

Change Management Process
Any critical technology or business function needs to have a formal change management process wrapped around it. In the context of e-mail security, this relates to server configurations, patch management, malware updates and ongoing security testing. These are important technologies that help reduce administrative burdens associated with e-mail and ensure everything is in check with regard to messaging security settings.

Going Beyond Technology
Your organization should already have various policies in place covering e-mail. Most IT departments have acceptable usage policies that outline what can and cannot be done with e-mail, but several other e-mail-related security policies are often overlooked. Make sure your organization implements technical and process-related controls that cover the following areas:

• Authentication controls (i.e. login requirements including passwords and multi-factor technologies)

• Business associate communications (i.e. communicating with auditors, hosting providers, contractors, clients, and other organizations including encryption requirements and specific contract provisions)

• Disaster recovery and business continuity (plans and procedures for maintaining e-mail communications during a disaster as well as the requirements for maintaining a disaster recovery and/or business continuity plan)

• Change management (i.e. outlining what, who, why, when, and how related to administrative changes to the messaging environment)

• Data backup, retention and destruction (i.e. what/when/how along with any information classification tie-ins, timelines for retention, and schedules for destruction)
• Encryption (i.e. what messages to/from whom are to be encrypted along with accompanying standards outlining specific encryption methods used such as TLS, PGP, S/MIME, etc.)

• Physical security (i.e. how messaging systems are secured as it relates to building and data center controls)

• Security testing and audits (i.e. what, how, when, and who will perform ongoing security testing of your messaging systems)

• Separation of duties (i.e. roles/responsibilities e-mail/network administrators and security personnel)

• System maintenance (i.e. malware updating and software patching at the client, server, and perimeter levels where applicable)

• System monitoring and incident response (i.e. who, what, when, and how regarding real-time monitoring and reviewing audit logs as well as the requirements for maintaining an incident response plan)

• User authorization (i.e. user provisioning and granting of rights)

These policies may pertain directly to your messaging systems, but I recommend keeping them as high-level as possible so that other systems and technologies can fall within the scope. This will make your organization’s security policies much easier to manage going forward. Also, make sure your organization’s ongoing information security assessments and audits include e-mail security testing. This will ensure that new or previously overlooked e-mail weaknesses are discovered using current tools and testing techniques.

Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT. Mr. Beaver is creator of the Security On Wheels audiobook series and has written six information security-related books including Hacking For Dummies (Wiley) and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). Mr. Beaver can be reached at [email protected].