eGuide to Email Security
The definitive guide to all things Email Security in Asia
eGuide to Email Security in Asia SearchSecurityAsia
Table of Contents
Editor's Column
Gartner Lists Security Software Drivers for Asia Pacific
Why and when e-mail is unsecured
Email authentication showdown: IP-based vs. signature-based
Exposing the biggest blunders for fighting spam and viruses
Email and beyond: The evolution of employee monitoring technologies
Executive Interview
Email encryption: Five steps to success
Quiz: Can you slay spam and viruses?
Salespeople are sharks and other truths of negotiation
Best practices: making vendor pitches work for you
Security Tip: How to secure e-mail with S/MIME
Ask the Security Expert
Answers to quiz on spam and viruses
TechTalk: FAQs on e-mail security policies
Contact the editor
Victor Ng, editor-in-chief – firstname.lastname@example.org
Jose Allan Tan, content director – email@example.com
Advertise. To find out more about our solutions contact:
China, Hong Kong SAR
Michelle Palmer, Associate Publisher
Tel: +852 2589 2326
Fax: +852 2559 7002
May Yee Tan
7500A Beach Road, #11-313/315 The Plaza, Singapore 199591
Tel: +65 6395 4581
Fax: +65 6297 7928
The most important assets in an enterprise are its people and its business information. They also happen to
be the most vulnerable to information security threats.
A larger percentage of serious data security breaches come from within the company than from outside.
Some are deliberate – unhappy employees about to leave the company may want to sabotage you, or steal
information they could use when they join a competitor – while others are unintentional, like employees’
carelessness in handling company information or ignorance in protecting themselves when they are online.
Either way, they can put your network and the data in your servers and PCs at risk. That can result in lost
productivity and even financial loss.
Businesses today have no time for downtime.
That’s why it’s important to have a strategy in place where people in your organization are most exposed to
security threats – e-mail. Not a day passes when an e-mail user does not encounter spam, scams, hoaxes,
phishing mail or malware disguised as e-mail attachments.
This e-guide helps you lay a firm foundation for e-mail security, apply the relevant standards and policies, and
use the right tools and technologies to protect your employees and your business information.
Armed with the information and tips within these pages, you can also test yourself through the quizzes and
exams (answers in the last few pages help you grade your level of knowledge and competence).
Gartner Lists Security Software Drivers for Asia Pacific
By Jose Allan Tan
Despite the uncertainties with the US economy and the continuing roller-coaster ride of crude oil prices,
economists and industry observers continue to see positive growth for many of the economies in Asia Pacific.
The strong economic environment, driven by local consumption and demand, will keep enterprises and
consumers spending. China and India, the two largest economies in the region, will drive much of that growth.
According to Gartner analysts Matthew Cheung and Ruggero Contu, organizations report that prioritizing,
choosing and maintaining security technologies continue to be the top issues for enterprises.
“Asia/Pacific companies and government agencies increasingly face pressures to demonstrate
compliance with the spirit and the letter of the law under various regulatory requirements, and
to show business value and cost-effectiveness for security measures to their international
counterparts,” said Matthew Cheung, Sr. Research Analyst Asia Pacific, Gartner.
Ruggero Contu, Principal Research Analyst for Gartner based in Egham, UK,
notes that security spending is driven by a variety of pressing concerns, most notably the
need to “keep the bad guys out” through defensive measures, such as next-generation
“However, the ‘let the good guys in’ discipline, such as IAM, is where business benefits and
ROI can be more clearly shown. Stand-alone personal firewall market growth rates will slowly decrease;
however, we see increased interest and anticipate increased adoption in ‘endpoint security suites’,” adds
Compliance with government and industry regulations will continue to play a significant role in security
spending decisions. Gartner says investments are often justified because the downside of breaches and the
negative publicity that follows them is great.
Gartner recently published figures putting worldwide spending on security software at $10.4 billion in 2007.
Analysts cite the increased shift toward offering appliance-based products, particularly within certain
segments such as e-mail security and secure Web gateway markets.
In 2007, Symantec and McAfee remained the leading players holding 26.6 per cent and 11.8 per cent market
share respectively (see Table 1). EMC more than tripled its revenue year-on-year and saw its performance
primarily influenced as a result of acquisitions. In addition, Microsoft’s entry into the consumer security
protection market will further erode pricing in this segment which eventually will trickle into the professional
market, starting with the small office/home office (SOHO), and consequently moving into the SMB market.
Table 1: Worldwide Security Software Vendor Revenue, 2007 (Millions of US Dollars)
Company    2007       2007 Market Share (%)   2006       2006 Market Share (%)   2006-2007 Growth (%)
Symantec   2,768.5    26.6                    2,564.3    29.5                    8.0
McAfee     1,225.7    11.8                    1,072.9    12.3                    14.2
Trend      809.6      7.8                     701.5      8.1                     15.4
IBM        607.9      5.8                     465.1      5.3                     30.7
CA         419.0      4.0                     431.1      5.0                     -2.8
EMC        414.6      4.0                     121.8      1.4                     240.5
Others     4,170.5    40.0                    3,338.2    38.4                    19.8
Total      10,415.8   100.0                   8,694.9    100.0                   19.8
Source: Gartner, June 2008
Cheung believes that the changing vulnerability and threat landscape and continuing requirements for
compliance-related initiatives are driving vulnerability management programs to expand. “Vulnerability
management consists of a combination of technologies and processes to improve security posture,” he adds.
On the positive side, “Price competition among vendors is bringing prices down in the more-mature stand-
alone market segments, such as antivirus. Changes in the way vendors package and price their solutions in
the future will ultimately impact pricing and make some security technologies as pervasive as PCs,”
Why and when e-mail is unsecured
By Stree Naidu
With last year bringing to light a spate of compliance-related issues among large corporations
and charity organizations, there is an increased emphasis on organizations adopting good
corporate governance measures to be compliant with the rules and requirements of government
Organizations need to ensure that all their corporate policies are compliant with government rules and
regulations, including electronic communication that covers e-mail correspondence as well. They are faced
with an increased need to secure their e-mail exchange policies not only in terms of protection against e-mail
threats but also in achieving compliance.
Though e-mail security is a universal concern, every industry has unique requirements, business pressures
and competitive challenges.
Increasing competition, transaction volumes, and customer demand are pressuring companies in the financial
services industry to provide more services online. E-mail, Web applications, and electronic file transfers have
become mainstream forms of conducting important financial business – and employing technology for
securing, monitoring, archiving, and retrieving these communications has become imperative.
While financial services firms are required to supervise and record all electronic communication between
employees and clients, another requisite is to ensure the security and confidentiality of customer records and
information. Ongoing investigations and record multi-million dollar fines in these areas are spurring
organizations to re-examine their e-mail compliance efforts and look for technology and automated solutions
that can deliver comprehensive compliance at the best cost.
Government organizations, on the other hand, both civilian and military, are under increasing pressure to
reduce costs while at the same time improving network protection and the availability of online information
and services for businesses, constituents, and other agencies.
In governments, there is a higher chance of data leakage because there are more data centers and many more
people are involved in handling the data. The adoption of sound data protection principles and practices
across the system is recognized as an important task.
In the healthcare industry, rising costs, stringent regulatory requirements, and increasing exposure to
legal liability are prompting healthcare providers and payors to re-examine every aspect of their operations.
To overcome these challenges, healthcare providers are increasingly turning to IT, which brings its own email
security challenge: ensuring that all individually identifiable health care information is protected, so that
privacy and confidentiality are preserved when it is electronically stored, maintained, or transmitted.
In today's rapidly expanding business environment, time is of critical importance. With competition thriving,
businesses have zero-tolerance for technology downtime and need to ensure their IT infrastructure is
performing at its optimal utility under maximum security.
There is no doubt that e-mail has become a vital tool for business and personal communication. E-mail
provides a highly efficient and cost-effective way to deliver person-to-person messages, files and documents
across organizational boundaries.
According to the Radicati Group, there are over 400 million corporate mailboxes worldwide, and more than 45
billion e-mail messages are transmitted each day within enterprises. As a result of this growing use,
businesses are increasingly dependent on e-mail to operate.
This rapid boom and increased dependency on e-mail has spawned the rise of e-mail security threats that
constantly evolve and raise their ugly heads as the volume of email traveling around the world increases
steadily. E-mail security threats that plague organizations include spam, viruses, scams, identity theft,
and leaks of sensitive information.
The cost of not deploying effective security solutions to keep the ever-evolving menace of email security
threats at bay could prove to be both high and dangerous. Organizations are effectively leaving their doors
wide open to the destructive effects of spam, viruses and, more importantly, unwarranted leakage of sensitive
company information and data.
Companies do not realize the amount of vital data that is traveling outside their organization via unsecured
methods, which leaves them prone to information theft.
Spam and viruses, on the other hand, can wreak havoc and damage the network and e-mail infrastructure. To
evade the stronger security measures adopted by companies and users in general, these threats have lately
been masquerading in different forms and with different characteristics in order to con their victims.
More recently, a good example of these evolving threats is the attack of 'Storm
Worm', which has been ravaging through millions of user mailboxes. As one of
the larger Trojan horse attacks in recent years, it made use of information about
a real time storm front in Europe to lure its recipients into opening attachments
that promised more details on the storm.
Upon clicking on the attachment, users automatically became part of a botnet
that left a back door for cyber criminals to steal data or post spam through the infected computer.
If such malicious e-mails make their way into an organization's network, the effects are potentially
dangerous, since they give unwarranted access to confidential company information and business intelligence.
Therefore, rather than suffer the heavy costs of recovery, organizations are encouraged to invest wisely in
intelligent and effective email security solutions that secure every aspect of their electronic communication,
both within and outside their organization.
Each organization has its own unique security needs when it comes to sending and receiving sensitive
information via different modes of communication such as email, file transfers, instant messaging – from
complying with government privacy regulations in Healthcare and Financial Services to enforcing corporate
policies and protecting intellectual property.
One approach is to augment existing perimeter-based security with an additional layer of protection inside the
firewall, at the internal desktop. By providing encryption capabilities to individual users, organizations can
ensure that sensitive information is delivered safely to both internal and external recipients.
For organizations in both the private and public sectors, establishing a communication infrastructure that
allows immediate online exchange of business-critical messages and files can provide a significant
competitive and operational advantage. While the need for secure online communication may be universal,
how it is best implemented varies both by industry and by application.
About the author
Stree Naidu is Regional Vice President, Asia Pacific for Tumbleweed Communication.
This article first appeared on Enterprise Innovation.
Email authentication showdown: IP-based vs. signature-based
By Noah Schiffman
An important aspect of corporate email security architecture is its method of preventive countermeasures.
These defenses are charged with thwarting a variety of threats from spam and phishing to malware like
Trojans and rootkits. First-line countermeasures include message content inspection. This type of reactive
system relies on signature engines and updated databases of known spam and phishing phrases. Additional
prevention techniques employ domain filtering using blacklists and whitelists.
More effective filters combine heuristic techniques with statistical analysis through Bayesian filters to analyze
email based on collected content. However, these detection methods often fall short, relying on slow updates
from limited data and resulting in unacceptable numbers of false positives. Furthermore, identity spoofing and
domain hopping of malicious senders has weakened the effectiveness of these countermeasures.
In response, several types of email authentication technologies have been developed and implemented with
varying results. Prevailing authentication methods categorically employ path-based or cryptography-based
methods. Path-based or IP-based authentication systems evaluate the network path traversed by email. They
rely on DNS records that identify trusted IP addresses for sender validation.
This straightforward approach of verifying the message path from sender to recipient has been widely
adopted due to its simple implementation. Sender ID and Sender Policy Framework (SPF) have emerged as the
dominant path-based methods in use today. While both of these techniques publish DNS policy records, they
use them differently. SPF authentication checks the DNS record against the email's return-path address
(the envelope layer), while Sender ID validates the Purported Responsible Address (PRA) taken from the
message headers, in addition to authenticating the SPF record.
Cryptographic, or signature-based authentication systems rely on digitally signing messages with PKI pairing.
Recipient mail servers perform signature validation with public keys retrieved from DNS records. This method
is utilized by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and
PayPal, the two companies most notably targeted by phishing attacks in recent years.
While both IP-based and signature-based systems rely on the DNS infrastructure, they fundamentally differ in
the focus of their email analysis: path-based systems examine where the message originated, while
cryptographic methods look at who sent the message.
The corporate implementation of these two different authentication methods has revealed their situational
strengths and weaknesses. The advantages of using a path-based approach include easy implementation
and rapid deployment, without the cryptographic related impact on server performance. Therefore, path-
based systems may be beneficial to companies looking to expedite a simple system with minimal resource
However, signature-based standards have the added value of providing message integrity and greater
resistance to the mail-forwarding limitations of path-based checks. Digitally signed mail is best utilized as a
robust solution for corporate protection of email containing intellectual property and other critically sensitive
business information. Finally, it is important to note that these differing authentication solutions can work in
tandem – several IP/signature combination systems are presently being evaluated with promising results.
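To make the difference between the two path-based checks concrete, and to show the forwarding limitation noted above, here is an added example; it is not code from this article or from any SPF or Sender ID implementation. It evaluates a small subset of SPF (the ip4, include and all terms) against a constructed DNS table, extracts Sender ID's Purported Responsible Address from message headers in the RFC 4407 order, and then runs the same message through a direct delivery and through a forwarder that relays it without rewriting the envelope sender. All domains, IP addresses and records are constructed for the example.

```python
import ipaddress
import re

# Constructed DNS data standing in for real TXT lookups (hypothetical domains).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mailhost.example.net -all",
    "mailhost.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "forwarder.example.org": "v=spf1 ip4:203.0.113.5 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for a domain from the constructed table, or None."""
    record = DNS_TXT.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_spf(client_ip, mail_from_domain, depth=0):
    """Evaluate the ip4 / include / all subset of SPF for the connecting IP.

    The check is purely path-based: it asks whether the IP that handed us the
    message is one the envelope-sender domain has authorized in DNS.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # guard against include loops, as RFC 7208 limits lookups
        return "permerror"
    record = lookup_spf(mail_from_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        if term == "all":
            return result
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return result
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's policy passes
            if check_spf(client_ip, term[8:], depth + 1) == "pass":
                return result
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"  # record exhausted without a match and without an "all" term


def purported_responsible_address(headers):
    """Sender ID's PRA: the first present of Resent-Sender, Resent-From, Sender, From.

    headers is a list of (name, value) pairs in message order.
    """
    for wanted in ("Resent-Sender", "Resent-From", "Sender", "From"):
        for name, value in headers:
            if name.lower() == wanted.lower():
                match = re.search(r"<([^>]+)>", value)
                return match.group(1) if match else value.strip()
    return None


def forwarding_scenario():
    """Same message, two paths: direct from example.com's own server, then relayed by
    forwarder.example.org without rewriting MAIL FROM. The path-based check only sees
    the last hop, so the forwarded copy fails even though the content is unchanged."""
    direct = check_spf("192.0.2.10", "example.com")
    forwarded = check_spf("203.0.113.5", "example.com")
    return direct, forwarded


if __name__ == "__main__":
    print("direct/forwarded:", forwarding_scenario())
    print("PRA:", purported_responsible_address(
        [("From", "Jane Doe <jane@example.com>"), ("Sender", "list@example.net")]))
```

The forwarded copy returns "fail" because the -all term in example.com's record rejects every IP not listed, which is exactly the weakness the signature-based approach avoids: a signature over the message survives the extra hop, whereas the path does not.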
A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when
determining proper requirements and resources for implementing an effective email security strategy. Since
the protocols and standards for authentication will ultimately change with emerging threats, it's important to
adopt authentication technologies with backwards compatibility and scalability. It is necessary to remember
that authentication plays only one role in email security, and must be combined with reputation scoring
systems for establishing and updating acceptance and rejection thresholds.
Regardless of which email authentication method is employed, its true effectiveness will ultimately be
determined by what prevails as an accepted global standard.
About the author:
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the
defenses of Fortune 500 companies. Today he works as an independent IT security consultant specializing in
risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics
and corporate security policy.
Exposing the biggest blunders for fighting spam and viruses
By Joel Snyder
The world of antispam and antivirus has become so crowded that it's hard to tell what the
best approach is for any company. However, there are some things that people are doing with
spam and viruses that are obviously wrong. Let's go through the worst practices in the hopes
that you won't get caught up in them – or if you're doing them, that you'll stop.
#1 Worst practice: Accepting mail that you have no intention of delivering
This is not just a big deal – it's the biggest deal – and it's at the root of some of the worst practices on the
Internet today. What's happening here is very simple. Somewhere at the edge of the enterprise is an SMTP
MTA. Other mail systems, both spam and non-spam, connect to that SMTP MTA and try to send it mail. For
each message, the sending SMTP system has to say, “This is for a particular user.” The receiving SMTP
MTA has three options at this point. It can say, “Yes, send me that message.” It can say, “No, try again later
and it might work.” Or, it can say, “No, don't bother to try again because it will never work.” In theory, you'd
think, you'd only accept mail that you can deliver. If someone says, “This is for Jane Doe,” and Jane doesn't
work there anymore, you'd expect the SMTP MTA to say, “No, go away.” But it doesn't always happen that
way. Many companies are perfectly willing to accept mail even if they cannot deliver it.
This might happen for a couple of reasons. The oldest reason, and probably one of the most common, is that
the receiving SMTP MTA doesn't know whether or not the mailbox is valid. It checks the domain name, but it
doesn't actually know whether the user exists or not until later. Maybe it looks the user up in a database after
it has accepted the message, or perhaps it simply hands the message off to another MTA.
The second reason why you might accept e-mail that your MTAs can't deliver is in a misguided attempt to
deal with directory harvest attacks (DHAs). The theory behind a DHA is that the spammer tries every possible
e-mail address, starting with firstname.lastname@example.org and ending with email@example.com, in the hopes of
identifying those that are legitimate. If you only accept mail for existing users, then you expose your e-mail
directory to the spammer. They find out who can receive mail and, it is presumed, can more efficiently send
you junk mail.
To avoid the dreaded DHA, one school of thought is to simply accept all mail, whether or not the recipient is
valid. This doesn't give the spammer any information, although it does tie up your MTA while it accepts mail
for nonexistent users.
Both of these techniques, while reasonable in 1995, are simply horrible ideas in 2005. The problem is the
messages that cannot be delivered. If you refuse a message or a recipient while it is coming over the wire,
then handling the error condition of what to do with an undeliverable message is the other guy's problem.
Once you've accepted the message, handling the error condition becomes your problem. What are you going
to do with these undeliverable messages once you have them? Well, you have a couple of options. You are
supposed to try to return them.
The problem is that most of them are probably going to be spam. Spammers have two options when they
send you mail. They can either use a valid or invalid return address. If they use an invalid one, then you have
no way to return the mail and it sits on your MTA, clogging up the queues until your MTA determines that the
message is unreturnable. You can't simply drop all messages that can't be delivered (although some
misguided postmasters do just that), because then someone who makes a simple spelling error will never
know that their message didn't go through.
It's even worse if the spammer puts in a valid address. You now send a bounce message to someone who
didn't send the e-mail in the first place. In the quantities that spammers send their junk around, this amounts
to a denial-of-service attack. There's even a name for it: a “Joe job” attack. The last time this happened to my
company, we collected over a million bounced messages from MTAs that had accepted mail they couldn't
deliver – and then wanted to return it to us. That's a lot of really stupid MTAs.
Best practice #1: Deploy smarter MTAs
The way to solve this is to not accept mail you can't deliver. If you don't accept it, then the sending MTA has
to deal with it – not you. You don't become the instrument for someone else's denial-of-service attack, and
you don't have to worry about filling up your queues with mail you can't deliver. If your border MTA isn't smart
enough or capable enough to connect to your corporate directory and refuse undeliverable mail, it's time to
replace that MTA.
As for protection against DHAs, accepting all mail is the wrong approach. A well-designed MTA can detect
that a DHA is happening very easily. For example, it might get a message with 100 consecutive invalid
recipients. From that point, it's easy – simply refuse all recipients, valid and invalid, for an hour or so. Don't
refuse them with a permanent error – just say, “Try again later.” If the message is from someone who has
legitimate mail to send, they'll come back and try again later. If it's a spammer on a DHA, they're going to be
gone until the next go 'round.
The benefits of refusing mail you can't or don't want to deliver are immense. Because you didn't accept the
message, the sending MTA has the chance to send back an error message to the originator of the message.
This gives you a chance to track errors and configuration problems, because legitimate mail will get a
legitimate error code back to real senders. If you drop the mail into a black hole or some sort of quarantine
with a million other messages, you'll never find subtle problems.
In fact, if you can get an antispam solution that runs at SMTP time, that's even better. Most antispam
scanning engines run after the SMTP dialog is complete, when your mail server has already accepted
responsibility for the message. A few bold products are completing the spam content scan during the SMTP
dialog itself, while the message is being received but before the final “Yes, I will take responsibility for this
message” response goes from your mail server to the SMTP sender. If you refuse mail you think is spam, you
don't have to worry nearly as much about false positives. If I get back a message from my MTA saying that
your MTA didn't accept it because it thought it was spam, then I can do something about it. If the receiving
MTA thought it was spam and sent it to some dark occluded hole, there's no way to track it. I sent it; your mail
system received it. Where did it go?
Even with a good quarantine, it's easy to miss the one false positive in a thousand. Many antispam systems
are attempting to do this with the most obvious cases of spam, using techniques such as blacklists, which
simply refuse or greatly limit the amount of incoming mail from certain IP addresses.
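The recipient-time policy that Best practice #1 describes, refusing unknown users during the SMTP dialog and answering a directory harvest with a temporary error rather than with silence or acceptance, can be expressed as a small state machine. The Python below is an added example, not code from the article or from any particular MTA: it models the reply a border MTA would give to each RCPT TO command, using a constructed recipient directory and the article's own figures (100 consecutive invalid recipients, then tempfail everything for an hour). The client IPs and addresses are constructed; the clock is injectable so the hour can be simulated.

```python
import time
from collections import defaultdict

# Constructed stand-in for the corporate directory the border MTA should consult.
VALID_RECIPIENTS = {"jane.doe@example.com", "postmaster@example.com", "sales@example.com"}
LOCAL_DOMAINS = {"example.com"}

DHA_THRESHOLD = 100          # consecutive invalid recipients that signal a harvest (per the text)
DHA_TEMPFAIL_SECONDS = 3600  # "for an hour or so"


class RcptPolicy:
    """Decides the SMTP reply for each RCPT TO, before the message body is ever accepted."""

    def __init__(self, threshold=DHA_THRESHOLD, tempfail_seconds=DHA_TEMPFAIL_SECONDS, clock=time.time):
        self.threshold = threshold
        self.tempfail_seconds = tempfail_seconds
        self.clock = clock
        self.invalid_streak = defaultdict(int)  # client IP -> consecutive invalid recipients
        self.blocked_until = {}                 # client IP -> time when tempfailing stops

    def rcpt_to(self, client_ip, recipient):
        """Return the reply line for one RCPT TO command from client_ip."""
        now = self.clock()
        # A harvest was detected from this client: tempfail every recipient, valid or not.
        # The harvester learns nothing; a legitimate MTA simply queues and retries later.
        if self.blocked_until.get(client_ip, 0) > now:
            return "451 4.7.1 Try again later"
        domain = recipient.rpartition("@")[2].lower()
        if domain not in LOCAL_DOMAINS:
            return "550 5.7.1 Relaying denied"
        if recipient.lower() in VALID_RECIPIENTS:
            self.invalid_streak[client_ip] = 0
            return "250 2.1.5 Recipient OK"
        self.invalid_streak[client_ip] += 1
        if self.invalid_streak[client_ip] >= self.threshold:
            self.blocked_until[client_ip] = now + self.tempfail_seconds
            self.invalid_streak[client_ip] = 0
            return "451 4.7.1 Try again later"
        # Refuse the unknown user now, during the dialog: any bounce is the sender's problem,
        # the message never enters our queue, and a mistyped address gets a real error back.
        return "550 5.1.1 User unknown"


if __name__ == "__main__":
    # Constructed walk-through with a low threshold so the harvest response is visible.
    policy = RcptPolicy(threshold=3)
    for rcpt in ("jane.doe@example.com", "aaa@example.com", "aab@example.com",
                 "aac@example.com", "jane.doe@example.com"):
        print(rcpt, "->", policy.rcpt_to("198.51.100.7", rcpt))
```

Two design points follow the article directly: the permanent 550 is given only for individual unknown users, while the harvest response is a 4xx temporary error so that a real sender who happened to mistype a few addresses is delayed rather than bounced; and the streak resets on a valid recipient, so a legitimate mailing with an occasional stale address does not trip the threshold.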
#2 Worst practice: Doing anything with viruses besides deleting them
Things have changed very quickly in the world of e-mail. In January 2004, MyDoom forever upset the balance
in virus management, and many antivirus systems have not yet figured out how to manage. Prior to MyDoom,
when you got a virus, it seemed like a neighborly thing to try and deal with it – maybe clean up the attachment
or send a message to the originator of the virus and tell them they had a problem. That was a good strategy –
in 2003. But we don't get viruses anymore.
We get worms. We get e-mail that is machine-generated on an infected system with forged sender addresses
containing no real content but a lot of malware. Trying to do anything with these messages is a bad idea.
When you get a worm-generated e-mail message with malware in it, you don't want to clean it up and send it
on, because there is no message there. It's just a wrapper, and the recipient doesn't want it and doesn't need
it. During the early stages of MyDoom, people were getting hundreds of these a day. Nor do you want to
return the message or send a notification to the sender, because they probably didn't send the malware.
You end up sending a notification of a problem to someone who doesn't have the problem, doesn't know what
you're talking about and can't do anything about it but get annoyed at you. I get about one of these
notifications a day from MTAs run by e-mail administrators who have not figured out they shouldn't be doing
Best practice #2: Segment or delete
If you have the time and energy to keep track of the different viruses and worms, and if you have a
well-designed antivirus system, you can try to segment the traffic into two camps. The worms and malware,
which will represent some epsilon short of 100% of your virus traffic, should simply be deleted. The true
viruses, ones that attach themselves to an otherwise-legitimate message, can be deleted with a notification
to the recipient that they are missing an attachment.
If you don't have the time to deal with that, and I don't blame you if you don't, then simply delete the virus-
infected e-mail. Silently. Log those messages, of course, and perhaps even stick them in quarantine so you
can retrieve them if necessary. But that's not going to happen very often. The extraordinarily virulent and
aggressive worms such as MyDoom have so sensitized network administrators to the need for virus scanning
that real viruses don't have much of a chance to get through anymore.
Of course, as one of the bearers of the “every e-mail is sacred” torch, I am loath to delete any message that
might have useful content. But I'm also aware that if we inundate end users with notifications about viruses
that they didn't get from people they don't know, we're making e-mail less useful. I'd prefer to see antivirus
and antispam vendors start to do the differentiation for us. Until that happens, we have to make the best of a
Email and beyond: The evolution of employee monitoring technologies
By David Habben
The concept of organizations keeping a watchful eye on employees during company hours is
nothing new. From the introduction of the time card 120 years ago, employee monitoring has
evolved from simple confirmation that individuals are present and accounted for, to more
detailed insight into employee activities taking place while “on the clock.”
This evolution has been driven in part by today’s widespread use of email in the workplace, plus the
increasing popularity of instant messaging, blogs and other online communication forums - all of which
expose companies to new data security risks.
The boom in electronic communications, combined with business challenges - such as increased industry
competition - and the introduction of data and privacy laws, require employees to take extra steps to reduce
the risks associated with outbound email whilst protecting corporate assets in the process.
The birth of email
Since the first sanctioned commercial use of email in 1988, it has quickly caught on
in corporate and personal domains. As email was soon recognized as a critical
business tool, it didn’t take long for organizations to identify the potential risks that
came with this new form of communication.
A quick click on the “send” button could create any number of corporate mishaps,
with confidential data – legal documents, customer identity information, and trade
secrets – being circulated, whether maliciously or accidentally, inside and outside
of an organization.
In the early to mid-90s, keyword-based email filters, which scanned for specific words before an email was
sent, were introduced to help organizations secure individual email messages. This marked the start of
genuine enterprise concern regarding data security and was followed by the availability of a range of data
protection, monitoring and filtering technologies, resulting in email monitoring solutions becoming increasingly
Email is not the only culprit
The number of electronic communications channels has exploded in the past few years, but email remains a
top focus for organizations when it comes to data protection and security challenges. With a staggering 70%
of corporate data residing in email, this channel will continue to pose the biggest threat as a means for the
improper disclosure of confidential data.
However, additional outbound data streams – including HTTP (i.e., blogs, web-based email, message
boards), instant messaging and FTP - have entered the mix and can also be conduits for violations of internal
communications policies, confidential information exposure or sources of regulatory risk.
A 2008 survey conducted by Proofpoint and Forrester looking at issues around outbound email security found
that 66% of companies are concerned about ensuring that email can not be used to disseminate trade secrets
or valuable intellectual property, yet only 36% are currently performing regular audits of outbound email
As a result, companies are expanding their use of messaging security solutions beyond traditional anti-spam
and virus protection, to defend against the risks posed by outbound email and other messaging streams.
The risk is real
The respondents of the same Proofpoint/Forrester survey said that their business was impacted by the
exposure of sensitive or embarrassing information in the last twelve months.
However, many organizations are completely unaware of the type of content flowing outside company walls
and, as a result, are in the dark about the potential risk exposure via email.
In an audit of one healthcare provider’s outbound email, Proofpoint found hundreds of potential HIPAA
(Health Insurance Portability and Accountability Act) violations occurring every hour.
Content policy framework: the 4 W’s
Regardless of what drives organizations to secure outbound messaging streams, the ongoing challenge
across all industries is how to secure critical data once it has been created, while making the information
easily available to the necessary constituents.
In addition to using technology to help automate the monitoring of outbound messages, the most successful
messaging security processes also require well-defined company policies related to the use of email and
other forms of electronic communication.
The idea of creating policies can be daunting, but in reality, messaging policies can and should be simple, in
order to be effective. Whether creating new data security policies or updating existing ones, here are some
recommended steps to help with the process:
• Why does this impact your business? This should be the first question. Take a deep look at your
core business and the external forces impacting operations, such as competitive players and
industry regulations, to determine what’s driving your organization forward and how security issues
• What’s your intellectual property? To help prioritize the data that needs to be protected, address the
following: What do you sell? What personal private information do your systems contain and just
how sensitive is this? Do you work with other parties to create this data? Are you exchanging
information with partners and distributors?
• Who do you do business with? The next key step is to determine the highest level of risk for your
organization, by evaluating:
o Who has access to intellectual property?
o Where does information flow (i.e., employees, partners, suppliers, customers)?
• Where and when is information accessed? When and how often does the data need to be
accessed? Where does it exist on the network? How is it typically accessed (via email, fax, file
server, etc.)? A growing concern amongst companies is also the risk of sensitive information being
sent via mobile devices as on average, 25% of staff within an organization have access to
equipment as BlackBerrys and laptops. This is something that needs to be considered as a top
This will give organizations a good baseline understanding of where the highest level of risk and exposure
exists and provides a guideline of where to focus energy and efforts tied to messaging security.
Survival of the fittest
The reality is that email, along with new forms of electronic communications, makes it extremely easy to
distribute a company’s digital assets, and organizations need both policies and processes in place to fully
secure outbound messaging streams.
The need to comply with privacy and data security regulations will continue to drive organizations to expand
deployment of messaging security technology, while developing a more complete understanding of the value
of corporate data and the potentially costly repercussions of data leaks.
Up-to-date data security policies combined with the right technology solution can proactively prevent liabilities
created by noncompliant or offensive emails, ensure the privacy of customer and employee data and secure
valuable intellectual property and trade secrets, ultimately protecting your business.
About the author
The writer David Habben is Regional Manager for Proofpoint (http://www.proofpoint.com) in Asia.
This article first appeared on SearchSMBAsia.
By SearchStorageAsia team
SearchStorageAsia recently secured an interview with Ken Pappas, Security Strategist with Top
Q: We’ve been reading about a rising number of breaches and the potential losses
(monetary or otherwise) from these breaches. Is this because we are getting better at
identifying these breaches, or criminal elements are just getting sloppy, or there really are
Clearly we have all seen that the number of attackers and attacks has gone up. This is due to a
number of factors:
o Exploit tools readily available over the internet
o We have moved from people that needed to be highly intelligent to grade level students
now hacking companies
o Federal and State regulations are now mandating companies to disclose breaches where in
the past this was not the case
o We see both an older generation and younger generation starting to use computers with no
knowledge of ‘tempt to click’ or other trickery.
Q: Where should the protection of data reside (at the policy level and at the operational level)?
You need to focus on multiple places. Protection needs to be addressed at the client and the
network side. There is absolutely no single technology out there that can claim complete security
coverage. You need a blended security strategy. Data can and does reside on a client’s machine or
a back office server. You need to provide an ‘end-to-end’ security focus.
Q: There are loads of companies offering solutions to “protect” company data. Can you classify or
group these vendor/solutions?
Protection can be in two forms: pro-active or reactive. Most vendors provide a reactive security
solution, meaning something has to happen first before the vendors’ product would do anything.
Sometimes (in the case of data leakage) this is too late. Other vendors (like Top Layer) provide a
Pro-Active solution; inspect everything in both directions on your network before allowing it to pass.
Unlike the old firewall, which would allow all traffic to pass if it had a port destination, Intrusion
Prevention technology inspects all traffic before it is allowed to enter or leave a network.
Q: How does a company determine what the right solution is for them?
Do not be dependent on any single vendor. You have to protect your entire network from the end
points to the core of your network.
Q: How should they approach the selection of such a solution?
What is the security policy for your network and data? Oh, you don’t have a policy? Well this would
be the best starting point. Identify what your critical assets are and what you want to protect. Many
companies do not have security ‘experts’ on staff. Some promote an IT ‘generalist’ to be the security
expert. It does not work this way.
We see this in companies as a feel good measure, in that they feel like they have a security expert.
Take the right step. If you don’t have a security expert, enlist the help of a security consultant to help
define your policies, assess your network, conduct penetration tests and provide recommendations
for security technology in your network.
Most companies focus heavily on the perimeter. While this is important, companies need to also
protect the data center (applications and customer records) and the LAN core. We are a much more
mobile society and as such almost all of us are using laptops. Those laptops are also being used
outside the office and connecting to un-trusted networks. Hackers today are targeting mobile users
because most of the networks outside the workplace are far less secure and easier to penetrate.
Laptops are then carried into the workplace, plugged into the network, and you have a virus or
Trojan outbreak. Having a security box out at the perimeter is not going to protect you.
Q: As companies go global and the corporate firewalls extend to business partners and suppliers, how
does a company maintain a secured infrastructure without risking business relationships and
Extending your network beyond your established ‘trusted’ walls creates security risks. Fortunately
companies that are now allowing other companies to have access into their networks are installing
Intrusion Prevention Systems between the two networks to fully inspect all traffic flows going to and
from each location.
Q: As we continue to see more complex interaction between users and companies, what can we
expect from the level of breaches/data thefts?
Looking at the statistics from industry analysts and government agencies, the number of attacks is not
going down. Attacks will be far more targeted and sophisticated, hackers are learning how humans
react to a certain method of a breach (tempt to click for example) and they are modifying their attack
methods. Companies that continue to use and be dependent on firewall technology will be breached
the most since hackers have determined how to blow through a firewall. The lure of easy money
continues to be the motivating factor. If a hacker determines that money can be made by penetrating
or disrupting a location (like a power station) they are going after it.
Q: Are “security” vendors mostly reactive to security breaches?
It’s not the vendor but actually the technology that is reactive. Intrusion Prevention Systems (like
Top Layer) provide a Pro-Active solution to many forms of security threats. Like I said earlier,
companies cannot be dependent on any single vendor or technology to address all the security
requirements to protect your network and your data.
About Ken Pappas
In addition to his Security Strategist role at Top Layer Security, Pappas is also Vice President of Marketing for
Top Layer. Previously he ran his own consulting firm specializing in network security, was the Security
Strategist at 3Com/Tipping Point, and was the General Manager of the security business division at
Enterasys Networks. He has spoken on security topics to many industry and government groups including the
Department Of Homeland Security, Higher education consortia, National Retailers Association, InfraGard,
SIM International and NBC TV on the topic of Cyber terrorism. Pappas is a forensic expert and has recently
completed his CISM courseware.
Email encryption: Five steps to success
By Mike Rothman, Contributor
Encryption is one of those technologies that has been around for thousands of years (since the days of
Caesar, in fact), but is still very misunderstood.
Actually, you use encryption every day, since it's the underlying technology that drives the Secure Sockets
Layer and HTTPS protocols. But it seems email encryption remains an enigma at most small and medium-
sized businesses (SMBs) because it's been portrayed to solve every information security problem. So, let's
take a step back and understand what email encryption can do for you.
First and foremost, one of the biggest issues SMBs have is to ensure they are adequately protecting
intellectual property. By encrypting emails that contain corporate secrets, there is very little risk of competitors
and the like intercepting messages and stealing data. Likewise, in an age where customers are
understandably concerned with protecting their private data, encrypting communications ensures that the
customer's private data cannot be stolen.
Both IP protection and privacy considerations fall into a large, yet amorphous bucket called compliance. Any
business dealing with regulatory oversight, or even those now accepting credit cards – which are now subject
to the Payment Card Industry standards – needs to be concerned with compliance. Email encryption is not a
panacea for compliance, but having the ability to protect critical data is a critical step in the process.
Why isn't email encryption more prevalent? In a nutshell, it's due to complexity. Historically, email encryption
was very complex to implement and required a significant amount of communication, configuration and
experimentation between trading partners to ensure a message encrypted by you could be decrypted by
Additionally, there was no way to force users to encrypt sensitive messages. IT administrators had to hope
users understood how to encrypt the message and that they'd remember to do so when appropriate. Since
hope is not a good strategy, most organizations didn't deploy.
But as with most technologies, email encryption has evolved and matured over the past few years. It's by no
means easy, but it's also no longer cost-prohibitive for SMBs to start experimenting with the technology. The
advent of service providers that will host key servers and email gateways that can automate the enforcement
of policies has dramatically decreased the effort required to get an encrypted email system operating.
Here are five essential steps to encrypting email:
1. What and why? The first step is to define what types of content need to be encrypted. You are best
off working with your general counsel (or outside law firms) to ensure that all sensitive data is
identified and a policy is created to document the need to protect that data. Content types typically
encrypted include customer records, intellectual property, strategy documents, etc.
2. Who and where? Next, it's important to determine which trading partners will participate. The short
answer should be all of them. But in reality, many organizations phase in their approach because it's
not as easy as flipping a switch and then encryption just happens. Determine if you are going to let
users decide what gets encrypted (via desktop software) or whether you'll take a gateway approach
that will scan each message automagically and determine if it is required to be protected by the
3. How? There are many different ways to skin this particular cat. You could encrypt messages at the
desktop or store messages encrypted on a staging server for pickup via a Web-based email
interface. You could also implement the encryption either on the email security gateway or on a
separate purpose-built device. The architecture will depend on your scale and number of trading
partners. You could have a service provider manage the key server or you can manage it yourself.
Value-added resellers and the vendors themselves can certainly help make those decisions, once
you've determined that encryption is something you should do.
4. When? Rolling out encrypted email to all of your trading partners at the same time is not advisable.
You need to figure out which partners should go first and start working out the details of the
implementation with them. As you add more partners to the infrastructure, you'll nail down the
process, but it's in your best interest to start slow and figure it out incrementally.
5. Refine. Given the policy and compliance drivers for email encryption, any project should have a
period where the focus is to refine the policies used to determine which emails are encrypted. This
can involve tuning the dictionaries and heuristics and manually auditing a subset of the messages
encrypted (and those that aren't) to ensure the policies are being enforced.
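As an added example (not the author's code), here is a small gateway classifier of the kind step 2 describes: a term dictionary plus a Luhn-checked card-number heuristic that step 5 would tune over time, and a reproducible audit sample for the manual review step 5 calls for. All terms, weights, domains, thresholds and messages are constructed for illustration.

```python
"""Added example, not the article's code: a minimal outbound e-mail content policy
engine of the kind step 2 (gateway scanning) and step 5 (tuning dictionaries and
heuristics, auditing a sample) describe. Everything below is constructed."""
import email
import random
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed term dictionary with weights; step 5 tunes this as false positives
# and misses show up in the audit sample.
SENSITIVE_TERMS = {"confidential": 2, "trade secret": 3,
                   "customer list": 3, "do not forward": 2}
CARD_WEIGHT = 3                      # one card number alone is enough to encrypt
ENCRYPT_THRESHOLD = 3                # score at which the gateway encrypts
INTERNAL_DOMAINS = {"example.com"}   # constructed; purely internal mail is out of scope
# Card-like digit runs: far too loose alone (order and phone numbers), so each
# candidate must also pass the Luhn check before it counts.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Digit strings that look like a card number AND pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found

def leaves_organisation(msg) -> bool:
    """True if any To/Cc recipient is outside the internal domains."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(a.rpartition("@")[2].lower() not in INTERNAL_DOMAINS for _, a in addrs)

def message_text(msg) -> str:
    """Subject plus every text/plain part, lower-cased for matching."""
    parts = [str(msg.get("Subject", ""))]
    parts += [p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(parts).lower()

def classify(raw: bytes) -> dict:
    """Gateway decision for one outbound message: allow, flag (human review) or encrypt."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    external, text = leaves_organisation(msg), message_text(msg)
    reasons, score = [], 0
    for term, weight in SENSITIVE_TERMS.items():
        if term in text:
            reasons.append("term:" + term)
            score += weight
    cards = find_card_numbers(text)
    if cards:
        reasons.append("cards:%d" % len(cards))
        score += CARD_WEIGHT * len(cards)
    if not external:
        action = "allow"     # internal mail: policy not applied, reasons still logged
    elif score >= ENCRYPT_THRESHOLD:
        action = "encrypt"
    else:
        action = "flag" if score else "allow"
    return {"action": action, "score": score, "reasons": reasons, "external": external}

def audit_sample(decisions: dict, fraction: float = 0.2, seed: int = 7) -> list[str]:
    """Step 5: reproducible subset of message ids for manual review."""
    ids = sorted(decisions)
    return sorted(random.Random(seed).sample(ids, max(1, round(len(ids) * fraction))))

def make_message(to: str, subject: str, body: str) -> bytes:
    """Constructed sample message as raw RFC 5322 bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", to, subject
    m.set_content(body)
    return m.as_bytes()

SAMPLES = {  # constructed outbound traffic
    "partner-list": make_message("bob@partner.example.net", "Q3 customer list",
                                 "Attached is the customer list. Confidential."),
    "card-to-vendor": make_message("billing@vendor.example.net", "Invoice",
                                   "Charge card 4111 1111 1111 1111 for invoice 1234567890123456."),
    "mild-external": make_message("bob@partner.example.net", "Draft",
                                  "Please treat this draft as confidential."),
    "lunch": make_message("bob@partner.example.net", "Friday", "Lunch on Friday?"),
    "internal-card": make_message("carol@example.com", "Expenses",
                                  "My corporate card is 4111 1111 1111 1111."),
}

if __name__ == "__main__":
    decisions = {mid: classify(raw) for mid, raw in SAMPLES.items()}
    for mid, d in decisions.items():
        print("%-15s %-8s score=%d %s" % (mid, d["action"], d["score"], d["reasons"]))
    print("audit sample:", audit_sample(decisions))
```

The invoice number in the vendor sample is a 16-digit run that fails Luhn, so only the real card-like number counts; that is the kind of false positive the heuristics are tuned against.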
Ten years ago, it required an armada of consultants and big infrastructure to implement encrypted email. That
is no longer the case, but it's still not a walk in the park. But with a diligent process and dedicated project
team, email encryption can play a key role in your compliance efforts and can protect both your intellectual
property and private customer data.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach
him via email at firstname.lastname@example.org.
Quiz: Can you slay spam and viruses?
Take this quiz to assess your knowledge of how to fight spam and viruses. The correct answers are at the
end of this eguide.
1.) The term "cocktail" has been used to describe an antispam technique.
What is it?
2.) Is it better to run antispam at the external MTA or on the e-mail client (such
3.) A company recently announced that its antispam product has no false
positives. How is this possible?
4.) You have designed an antivirus strategy that says that all messages with
viruses in them are deleted, while all messages without viruses in them are
passed on. What have you forgotten?
5.) When mail is received at an SMTP MTA, it is not always known whether
the recipient is valid. If, later on, the recipient is found to be invalid, it's probably because the message is
spam. What's wrong with simply deleting that message?
Salespeople are sharks and other truths
By Kate Evans-Correia, Editor, SearchDataCenter.com
One of the biggest mistakes data center managers make when negotiating a sales contract is to trust the
salespeople. Not that they're bad people, it's just that managers should never believe that a salesperson has
their best interest in mind – ever.
An unnecessary adversarial approach? Not if you've ever been burned because you didn't read the fine print.
"A sales contract is not for the marriage, it's for the divorce," said Jeffrey Gordon, principal, Ts&Cs: Contract
Negotiators, a Raleigh, N.C.-based procurement firm. "Therefore, you must approach a contract with a leery
Gordon, who spoke during the TechTarget Data Center Decisions conference in 2004, said too many IT
managers are emotionally embroiled in the negotiations and are not prepared to play hardball.
"People don't even know what they're signing or buying," he said.
Companies selling you technology have one objective in mind – to make money. They've got quotas to meet,
and products to push.
"They'll push so hard it'll make you bleed," Gordon said.
Calling the shots
Bruce Peterson, vice president of systems for The ServiceMaster Co. in Downers Grove, Ill., is one of a
growing number of managers who never goes it alone when negotiating a sales contract. Before anyone
signs on the dotted line at his company, sales contracts must be reviewed by a team of experts. As an IT
specialist, Peterson sets the initial requirements for the technology and lets the experts hammer out the legal
Peterson said his team is in control. Long before anyone sits down to negotiate, the requirements are
"If it's not our boiler plate, we don't play," said Peterson.
Dan Musil, a senior systems engineer for health care firm Baxter International Inc. in Deerfield, Ill., said his
department works largely the same way with a team of experts brought in to negotiate. Musil said his role is
sort of like a watchdog.
"We used to call [the vendor's] bluff, if necessary."
As surprising as it seems, many companies don't consider the long-term effects of a bad contract, which
usually means getting stiffed on maintenance costs, support or, worse, battles over intellectual property.
Establishing what you will and will not compromise on is vital to getting a contract you can live with, said
Gordon. Your contract can be anything you want it to be. Build it however you want, in your own writing.
And never, ever do the negotiating before the vendor has the opportunity to tell you the price.
"Most of these [managers] have leverage, they just don't use it."
With friends like these …
The old adage, "get everything in writing," is never more true than in negotiating a technology contract. Too
often, managers believe that what is said verbally will be upheld. This is not generally the case.
It's important to make sure the warranty has everything the vendor offered in his sales pitch. That's where
you're getting all the juicy things – the special perks offered to sell you the technology. If you don't, the vendor
doesn't have to do anything at all.
"They can just shrug their shoulders and say, 'sorry, we didn't say we would do that,'" said Gordon.
Many managers also make the mistake of thinking the vendor is a partner and will often give them information
about budgets and products. It's like handing the vendor all your negotiating leverage, said Gordon.
"Because they thought it was a buddy thing."
Time to say bye-bye
At some point, however, managers need to be comfortable with walking away from the table because the
vendor is refusing to budge. What then?
Gordon said managers need to establish a "risk matrix." Essentially, list items that you must have, as well as
items you want but can live without. You have to be able to compromise, but there will be some things that
"Companies are invested so much into it, they're often not willing to back off," said Gordon, "and vendors
know this and are going to use this."
Big mistake, said Gordon. Managers should never sign a contract if they're not 100% comfortable with the
terms. Managers should be willing to do battle if they have to and stick it out – if not, then walk away. A bad
contract will always come back to haunt you, more than a failed negotiation.
"Companies have to realize that in technology negotiations they have the upper hand."
This article originally appeared on SearchDataCenter.com.
* Editor’s note: A common sales tactic in Hong Kong is offering a “special” one-day only price, forcing the
interested person to make a decision too quickly and sometimes without the benefit of hindsight. This
tactic is used both with consumer products and with high-ticket items like property. Lots of sharks out there!
Best practices: making vendor pitches work for you
By Al Berg, CISSP
You get daily phone calls and e-mails from vendors claiming that your organization's data is at terrible risk –
unless you buy their product. This best practices column provides seven ways to save you time and money
while effectively managing vendor pitches.
Learn to say "no". You don't have to meet with every vendor who calls you with a new product or service.
This may seem obvious, but a good salesman will be persistent in trying to get a face-to-face meeting, which
may tempt you to agree just to be polite or get them off your back. However, this approach wastes your time
and the vendor's – what's more, spending time with unneeded vendors affects your organization's bottom line
by keeping you from managing more pressing issues.
Set vendors straight. Sales folks are smart and don't like to take "no" for an answer. If they can't get a
meeting with the people who are directly responsible for the area where their products fit, they may call
around looking for a side door to get in to the organization. When you get a call from a vendor pitching a
product that falls under another department's purview, refer them to the correct department head.
Prepare the vendor for the meeting. Tell vendors upfront about your needs and expectations. At a
minimum, let them know where you are in the decision cycle, and confirm whether or not funding has been
allocated for potential use of their products. Identify who on your team will attend the meeting, what their
business roles are and how familiar they are with the topics to be discussed. Specify how much time you can
allocate for the meeting and find out if they will need any special facilities, such as an Internet connection or a
Get your pre-meeting paperwork in order. Discussing the logistics for potentially deploying security
products and services typically requires you to share details with vendors about your organization's networks,
systems and procedures. Consider having your legal department draft a joint non-disclosure agreement
(NDA) that gets signed by officers of both companies prior to the meeting. Having an NDA in place early in
the process protects both parties, and may encourage vendors to share information on future product
development plans. Don't underestimate the time it will take to get an NDA signed – the legal folks at both
companies may require multiple rounds of edits before they are ready to approve the agreement.
Prepare your team members via meeting invitation details. Your meeting invitation should include a two-
sentence summary about the vendor and why you've invited them in for a chat. For example, "Acme Software
is coming in to demonstrate their new security event management package, which correlates IDS alerts,
firewall logs, vulnerability scans and syslogs. We are considering this product for use in the network
operations center as part of the security monitoring upgrade project. The company's Web site is…"
Document the process. Assign someone from your team to take meeting minutes, including the names and
contact information for all attendees, key points discussed and action items that need to be addressed after
the meeting (i.e., unanswered questions from both sides). Circulate the meeting notes to all of the attendees
from your organization shortly after the meeting.
Follow up with vendors and team members after the meeting. There are a number of tasks that you need
to complete after the meeting ends. Ensure questions on both sides are answered and the information is
distributed. Get feedback from the attendees – Did the vendor's presentation make them want to proceed
further? Did they note any items of special interest? Analyze the feedback and develop an outcome statement
for the meeting, such as follow-up meetings, product evaluations or "don't call us, we'll call you." Clearly
communicate the outcome to the vendor in a timely fashion.
These best practices will go a long way to saving you time and frustration caused by unsolicited vendor calls.
The bottom line: Understanding vendors' needs and making them understand those of your organization is
key to developing a positive working relationship.
About the author
Al Berg, CISSP, is a technical director in the Corporate Information Security Department of a firm providing
computer services to the financial services industry. Al has been in the information security industry for more
than 10 years and has provided consulting services to major corporations and the U.S. Defense Department.
Al has spoken at numerous industry conferences in the U.S. and Europe, and has published many articles on
networking and security topics.
Security Tip: How to secure e-mail with S/MIME
By Michael Cobb
MIME (Multipurpose Internet Mail Extensions) is the most common protocol used for sending non-text files
such as audio, video and images via e-mail, and is an extension of the original Internet e-mail protocol SMTP.
S/MIME (Secure MIME) is a version of MIME that features RSA encryption and has become the standard
method for sending secure e-mail.
S/MIME's strength is its ability to validate the identities of e-mail senders and recipients through digital
signatures. It is supported by all the major e-mail programs such as Outlook, Outlook Express and Netscape
Messenger. This makes using S/MIME fairly straightforward, particularly as the sender and recipient don't
need to use the same S/MIME-compliant e-mail program, though browser-based e-mail accounts such as
Hotmail don't yet support S/MIME.
In order to send an e-mail utilizing S/MIME you need a digital certificate. Your digital certificate allows you to
sign your messages so that recipients can verify that mail coming from your e-mail address is in fact from
your e-mail address. When you send a digitally signed message your digital certificate is sent along with the
message so that the recipient can use it to verify that the message is from you and has not been modified.
Anyone who has your digital certificate can then use your public key stored in the certificate to encrypt a reply
so that only you can read it by decrypting it with the corresponding private key installed on your machine.
Likewise, if you wish to send an encrypted message to someone else, you must first obtain their digital
certificate in order to be able to use their public key to encrypt the message so that only their private key can
Having to obtain someone's digital certificate in order to encrypt a message to them means that S/MIME is
not really practical for a large organization wanting to send encrypted messages to thousands of clients.
However as S/MIME provides a high level of sender authentication, it is surprising more organizations haven't
installed a public key infrastructure or created an enterprise directory in order to implement S/MIME as a
solution to deter today's phishing attacks. If every message leaving a corporate mail server is signed using
their digital signature then recipients could easily identify fake messages, as they wouldn't contain a valid
Thawte offers free, globally recognized, personal e-mail certificates that are signed by their certification
authority and are available at http://www.thawte.com/email. If your organization runs Windows Active
Directory you can use the free Microsoft Certification Authority that can issue certificates for domain users. If,
however, your organization wishes to sign messages going to the general public, it may be better to get a
certificate from a recognized Certificate Authority such as VeriSign or Thawte. Either way, you should take
advantage of the 128-bit encryption levels now supported by e-mail programs.
If you wish to send S/MIME e-mail directly from a Web site, you can use AspEncrypt available at
www.aspencrypt.com. This is an Active Server component that can be used in tandem with AspEmail to send
encrypted and signed mail. It also allows your ASP, ASP.NET and VB applications to issue and manage
X.509 digital certificates.
It is important to remember that although S/MIME e-mail is transmitted securely, once it is decrypted and read
by the recipient, it can be copied or printed without limit, so always consider the nature and sensitivity of an
e-mail's contents before sending it. You must also protect the private key associated with your digital certificate,
as this literally is the key to your digital identity.
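As an added illustration (not code from the tip or from any vendor named in it), the Python standard-library script below builds the MIME layout an S/MIME client produces for a signed message, with the detached signature carried as the conventional smime.p7s part, and then classifies raw messages as signed, enveloped or unsigned so that a gateway can apply the "every message from our domain is signed" policy the tip suggests. The signature and envelope bytes, addresses and domains are constructed placeholders; this is a structural check only, and cryptographic verification of the signature against a trusted CA still has to be done by a CMS implementation such as a mail client or openssl.

```python
"""Added example, not the article's code: the MIME structure an S/MIME client
produces for a signed message, and a structural check that tells signed,
enveloped and unsigned mail apart before a CMS verifier is involved. The
signature bytes, addresses and domains are constructed placeholders."""
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
# Placeholders: a real client puts a DER CMS SignedData blob here, which also
# carries the signer's certificate as the article describes.
SIGNATURE_PLACEHOLDER = b"<constructed placeholder for a CMS SignedData blob>"
ENVELOPE_PLACEHOLDER = b"<constructed placeholder for a CMS EnvelopedData blob>"

def build_signed_message(sender, recipient, subject, body, signature_der):
    """Clear-signed layout: multipart/signed with the readable body as part 1
    and the detached signature as part 2, named smime.p7s."""
    outer = MIMEMultipart("signed", protocol="application/pkcs7-signature", micalg="sha-256")
    outer["From"], outer["To"], outer["Subject"] = sender, recipient, subject
    outer.attach(MIMEText(body, "plain"))
    sig = MIMEApplication(signature_der, "pkcs7-signature", name="smime.p7s")
    sig.add_header("Content-Disposition", "attachment", filename="smime.p7s")
    outer.attach(sig)
    return outer.as_bytes()

def build_enveloped_message(sender, recipient, subject, envelope_der):
    """Encrypted layout: the whole body is one application/pkcs7-mime blob."""
    m = MIMEApplication(envelope_der, "pkcs7-mime", name="smime.p7m",
                        smime_type="enveloped-data")
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    m.add_header("Content-Disposition", "attachment", filename="smime.p7m")
    return m.as_bytes()

def build_plain_message(sender, recipient, subject, body):
    """Ordinary unsigned text message for comparison."""
    m = MIMEText(body, "plain")
    m["From"], m["To"], m["Subject"] = sender, recipient, subject
    return m.as_bytes()

def smime_status(raw: bytes) -> dict:
    """Classify by MIME structure only. This is NOT signature verification: a
    forged message can carry a bogus smime.p7s, so the blob must still be
    verified against a trusted CA by a CMS implementation."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    info = {"kind": "none", "micalg": None, "blob_name": None, "blob_len": 0}
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.get_param("protocol") in SIGNATURE_TYPES:
        parts = list(msg.iter_parts())
        if len(parts) == 2 and parts[1].get_content_type() in SIGNATURE_TYPES:
            blob = parts[1].get_payload(decode=True) or b""
            info.update(kind="signed-detached", micalg=msg.get_param("micalg"),
                        blob_name=parts[1].get_filename(), blob_len=len(blob))
    elif ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        kind = {"signed-data": "signed-opaque",
                "enveloped-data": "enveloped"}.get(smime_type, "pkcs7-mime:" + smime_type)
        blob = msg.get_payload(decode=True) or b""
        info.update(kind=kind, blob_name=msg.get_filename(), blob_len=len(blob))
    return info

def unsigned_from_signing_domain(raw: bytes, signing_domains) -> bool:
    """Policy check from the article: if a domain signs every outbound message,
    a cleartext message claiming that domain in From is suspect. Enveloped mail
    usually carries its signature inside the encrypted envelope, so it cannot be
    judged without decrypting and is not flagged here."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    return domain in signing_domains and smime_status(raw)["kind"] == "none"

# Constructed sample messages.
SIGNED = build_signed_message("alice@corp.example", "bob@partner.example", "Contract",
                              "Please review the attached terms.", SIGNATURE_PLACEHOLDER)
ENVELOPED = build_enveloped_message("alice@corp.example", "bob@partner.example",
                                    "Contract", ENVELOPE_PLACEHOLDER)
PLAIN = build_plain_message("alice@corp.example", "bob@partner.example", "Contract",
                            "Please review the attached terms.")

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED), ("enveloped", ENVELOPED), ("plain", PLAIN)):
        print(name, smime_status(raw),
              "suspect:", unsigned_from_signing_domain(raw, {"corp.example"}))
```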
About the author
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a
consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS
Security and has written numerous technical articles for leading IT publications.
Ask the Security Expert
Is there a way to use Digital IDs and certificates with webmail?
Unfortunately, this is not an option. In order to digitally sign or decrypt your messages, the private key (which
is part of your digital ID) has to be installed on the PC you are using to access your webmail. Theoretically, this
would be fine if you only accessed your webmail from your own PC. However, one of the main advantages of
webmail is that you can access it from any Internet-connected PC. If you installed your digital ID on every public
computer you used, you would soon find others using it to impersonate you. This would destroy the whole
concept of a digital ID, as it is supposed to be "tied" to its owner.
This is why current webmail programs, like Hotmail and Yahoo, are unable to handle digital certificates or
encryption. So, for now you will have to use an e-mail program such as Outlook Express if you want to sign,
encrypt and decrypt your e-mail. If you read your e-mail using a Web browser, it is likely to simply ignore the
certificate and just show an smime.p7s attachment. The e-mail displays like any other e-mail but you won't
know that it has been digitally signed.
You don't have to store your digital certificate and keys on your PC's hard drive. You can use a floppy disk or
other removable media, such as a USB key or smart card. In the future, popular webmail services may be
able to detect if your digital ID is stored on removable media and therefore allow it to be used. However,
unless there is huge demand from the public for such a service, I doubt it will appear any time soon even
though it already exists for enterprise Intra and Extranets.
The latest version of Outlook Web Access supports S/MIME e-mail, for example. The user must either be
using the PC that stores their digital certificate or activate the removable device on which it is stored to make
the certificate available to the browser. For example, if you were using a smart card you would need to insert
it into a reader and enter the Personal Identification Number (PIN) before the certificate could be used.
There are also mail applications for organizations that wish to exchange secure e-mail with external
customers and partners who do not have certificates or S/MIME capabilities within their own e-mail
applications, such as Entrust's Entelligence WebMail Center.
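The behaviour described above, a browser-based client that simply shows an smime.p7s attachment, can at least be surfaced to the user. The following is an added example in Python, not code from the guide or from any product it names: it parses a message with the standard email library and reports whether the message is clear-signed, opaque-signed or enveloped. The three sample messages are constructed, their base64 bodies are placeholders rather than real PKCS#7 data, and the code deliberately never reports a signature as verified, because verification needs the signer's certificate chain, which is exactly what such a client lacks.

```python
"""Recognise S/MIME structure in a raw message (added example, stdlib only).

A webmail client that has neither the recipient's private key nor the
signer's certificate tends to show the signature as an 'smime.p7s'
attachment and render the body as ordinary mail.  This helper makes that
state explicit so a client or gateway can label the message
"signed, not verified" instead of silently dropping the information.
"""
from email import message_from_bytes
from email.policy import default

# Constructed sample: a clear-signed message (RFC 8551 section 3.5.3).
# The base64 line is a placeholder, not a real CMS signature.
SIGNED_SAMPLE = b"""From: alice@example.com
To: bob@example.com
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Please find the figures attached.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAAAA
--sig-boundary--
"""

# Constructed sample: an enveloped (encrypted) message, unreadable without
# the recipient's private key.  Again the base64 is a placeholder.
ENVELOPED_SAMPLE = b"""From: alice@example.com
To: bob@example.com
Subject: contract
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEAAAAA
"""

PLAIN_SAMPLE = b"""From: alice@example.com
To: bob@example.com
Subject: hello
Content-Type: text/plain

No security features here.
"""


def classify_smime(raw: bytes) -> dict:
    """Describe the S/MIME layer of a message without verifying anything.

    'kind' is one of 'clear-signed', 'opaque-signed', 'enveloped', 'none'.
    'verified' is always False: checking the signature needs the signer's
    certificate chain, which this code does not have.
    """
    msg = message_from_bytes(raw, policy=default)
    ctype = msg.get_content_type()
    report = {"kind": "none", "verified": False, "micalg": None, "smime_type": None}

    if ctype == "multipart/signed":
        protocol = (msg.get_param("protocol", "") or "").lower()
        if protocol == "application/pkcs7-signature":
            # Clear signing: part 1 is the signed content, part 2 the detached
            # signature that a naive client displays as smime.p7s.
            parts = msg.get_payload()
            has_sig = any(p.get_content_type() == "application/pkcs7-signature"
                          for p in parts)
            if len(parts) == 2 and has_sig:
                report["kind"] = "clear-signed"
                report["micalg"] = msg.get_param("micalg")
    elif ctype == "application/pkcs7-mime":
        smime_type = (msg.get_param("smime-type") or "").lower()
        report["smime_type"] = smime_type or None
        if smime_type == "signed-data":
            report["kind"] = "opaque-signed"
        elif smime_type == "enveloped-data":
            report["kind"] = "enveloped"
    return report


def display_label(raw: bytes) -> str:
    """The label a client should show when it cannot process the S/MIME layer."""
    return {
        "clear-signed": "Digitally signed (signature NOT verified by this client)",
        "opaque-signed": "Digitally signed; content not extracted by this client",
        "enveloped": "Encrypted; private key not available to this client",
        "none": "Not signed or encrypted",
    }[classify_smime(raw)["kind"]]


if __name__ == "__main__":
    for name, sample in [("signed", SIGNED_SAMPLE), ("enveloped", ENVELOPED_SAMPLE),
                         ("plain", PLAIN_SAMPLE)]:
        print(f"{name:10s} -> {display_label(sample)}")
```

The check on the outer `multipart/signed` content type and its `protocol` parameter matters more than the `smime.p7s` filename: an attacker-controlled attachment can be named anything, but only the outer structure tells a client that a detached signature is meant to cover the first part.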
About the author
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 10 years of
experience in the IT industry and another 16 years of experience in finance. He is the founder
and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and
support in data security and analysis. He co-authored the book IIS Security and has written
numerous technical articles for leading IT publications. He is also a Microsoft Certified Database
Administrator and a Microsoft Certified Professional.
Answers to quiz on spam and viruses
1). The cocktail really isn't a single technique. The term describes a mixture of techniques you or your
antispam vendor use to determine whether or not a message is spam. A cocktail can have many
components, including algorithms that look at content, protocol and headers, and external information, such
as IP-based black lists.
2). "Better" is always a difficult term in IT. The real answer is that you should run antispam at the point that
makes the most sense for your organization, taking into account issues such as the handling of false positives
and system performance. However, most antispam vendors have discovered that the closer to the Internet
their product is, the better it can perform. This is because a direct connection between the antispam system
and the spammer gives the system more information, including the real IP address of the sender and even
some of the SMTP protocol behavior. If you push antispam towards the user's e-mail client, much of this
information is lost or potentially obscured. However, depending on your tolerance for false positives and the
actual e-mail load, you may find that some users prefer to have control at their local system or that local
control is more appropriate.
3). You can ensure that your antispam product has no false positives by never marking any message as
spam. By increasing the false-negative rate to 100% (i.e., every single spam is missed), you are assured that
no message will be accidentally called spam when it is not. However, as soon as you start to label messages
as "spam" or "not-spam," you are assured that there will be both false positives and false negatives.
While many products have dropped their false positive rate to a very low level, none can truthfully boast that
they have no false positives. Products often claim to have a lower false positive rate than they really do
because of the inherent errors in the reporting of false positives. People tend to ignore "gray mail" false
positives (such as messages from mailing lists that are not technically spam), and there is generally a bias to
under-report errors in a product that is otherwise very satisfactory.
4). Every virus scanner has three answers: yes, no and "I don't know." You need to include in your strategy a
plan for dealing with messages that might or might not have a virus in them. Some examples of messages
that might show up as "I don't know" include encrypted e-mail, messages that cause the virus scanner to
crash, or messages with archives that are not supported by the virus scanner or would otherwise exceed the
time and space limitations in place for expanding e-mail.
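An added example (not from the guide) of the three-answer strategy in Python: a scanner that returns CLEAN, INFECTED or UNKNOWN, producing UNKNOWN for archives it cannot parse, archives whose expanded size or member count exceeds a limit, members flagged as encrypted, unsupported archive formats, and encrypted S/MIME or PGP containers, with a gateway policy attached to each answer. The "signature" is a constructed byte pattern, the limits are assumed values, and the sample archives are built in memory; because the standard library cannot write password-protected zips, the encrypted sample is simulated by setting the zip format's encryption flag bit on a stored member.

```python
"""Tri-state attachment scanning (CLEAN / INFECTED / UNKNOWN) and the policy
for the third state.  Added example, not from the guide: the "infection"
check is a constructed byte pattern standing in for a real AV engine, and
all archives are built in memory.
"""
from __future__ import annotations
import io
import zipfile
from enum import Enum


class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    UNKNOWN = "unknown"      # the scanner could not reach a yes/no answer


TEST_PATTERN = b"CONSTRUCTED-TEST-PATTERN"  # stand-in for a malware signature
MAX_EXPANDED_BYTES = 1_000_000              # assumed limit for expanding archives
MAX_MEMBERS = 100                           # assumed limit on archive members
UNSUPPORTED_ARCHIVES = (".7z", ".rar", ".ace")
ENCRYPTED_CONTAINERS = (".p7m", ".pgp", ".gpg", ".asc")


def scan_bytes(data: bytes) -> Verdict:
    return Verdict.INFECTED if TEST_PATTERN in data else Verdict.CLEAN


def scan_zip(data: bytes) -> tuple[Verdict, str]:
    """Scan a zip archive, answering UNKNOWN instead of guessing."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict.UNKNOWN, "archive could not be parsed"
    members = zf.infolist()
    if len(members) > MAX_MEMBERS:
        return Verdict.UNKNOWN, "too many members to expand"
    if sum(m.file_size for m in members) > MAX_EXPANDED_BYTES:
        return Verdict.UNKNOWN, "expanded size exceeds scanner limit"
    for m in members:
        if m.flag_bits & 0x1:          # general-purpose bit 0 = encrypted member
            return Verdict.UNKNOWN, f"member {m.filename} is encrypted"
    for m in members:
        if m.is_dir():
            continue
        if scan_bytes(zf.read(m)) is Verdict.INFECTED:
            return Verdict.INFECTED, f"pattern found in {m.filename}"
    return Verdict.CLEAN, "all members scanned"


def scan_attachment(filename: str, data: bytes) -> tuple[Verdict, str]:
    name = filename.lower()
    if name.endswith(".zip") or data[:4] == b"PK\x03\x04":
        return scan_zip(data)
    if name.endswith(UNSUPPORTED_ARCHIVES):
        return Verdict.UNKNOWN, "archive format not supported by this scanner"
    if name.endswith(ENCRYPTED_CONTAINERS):
        return Verdict.UNKNOWN, "content is encrypted; scanner cannot inspect it"
    return scan_bytes(data), "scanned directly"


def policy_action(verdict: Verdict) -> str:
    """What the gateway does with each of the three answers."""
    return {Verdict.CLEAN: "deliver",
            Verdict.INFECTED: "reject",
            Verdict.UNKNOWN: "quarantine and notify the recipient"}[verdict]


def make_zip(members: dict, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(single_member_zip: bytes) -> bytes:
    """The stdlib cannot write password-protected zips, so simulate one by
    setting the 'encrypted' flag bit in the local header (offset 6) and the
    central directory entry (offset 8) of a one-member stored archive."""
    buf = bytearray(single_member_zip)
    buf[buf.find(b"PK\x03\x04") + 6] |= 0x01
    buf[buf.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(buf)


SAMPLES = {  # constructed attachments, one per scanner outcome
    "notes.zip": make_zip({"notes.txt": b"meeting at noon"}),
    "run.zip": make_zip({"run.bin": b"\x00" * 16 + TEST_PATTERN}),
    "locked.zip": mark_encrypted(make_zip({"a.txt": b"x"}, zipfile.ZIP_STORED)),
    "big.zip": make_zip({"big.bin": b"\x00" * 2_000_000}),
    "broken.zip": b"PK\x03\x04 this is not really an archive",
    "contract.p7m": b"MIAGCSqGSIb3DQEHA6CA",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict, reason = scan_attachment(fname, blob)
        print(f"{fname:14s} {verdict.value:9s} {policy_action(verdict):38s} ({reason})")
```

The design point is that UNKNOWN is a first-class result with its own handling rather than being collapsed into CLEAN (delivering unscanned content) or INFECTED (rejecting legitimate encrypted mail); the size and member limits also keep a hostile archive from consuming the scanner's time and space.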
5). It's true that e-mail addressed to invalid recipients is generally spam, because this is a
common and heavily used spam technique. However, invalid recipients are also the result of spelling errors,
from either new incoming e-mail (where the sender didn't know how to type a username or domain name) or
replies where the sender made a 'fat-fingered' error. You can weigh the tradeoffs yourself, but it's important
that you be aware of the consequences of simply deleting misaddressed e-mail.
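To make answers 1, 3 and 5 concrete, here is an added example (not from the guide) of a scoring "cocktail" in Python: four stand-in components for content, header, IP-reputation and recipient checks, a threshold, and a function that measures false positives and false negatives over a small, constructed, labelled corpus. The X-Connecting-IP header, the blocklist range and every message are constructed for the example. Running evaluate() with an infinite threshold gives zero false positives and a 100% false-negative rate, which is answer 3's point, and no threshold over this corpus achieves zero of both, because a legitimate but mistyped invoice mail scores higher than the blandest spam.

```python
"""A scoring anti-spam 'cocktail' with measured false-positive and
false-negative rates.  Added example, not from the guide: the component
checks are simple stand-ins for the content, header and IP-reputation
techniques the quiz answers describe, and the labelled corpus is constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-ins for external data (RFC 5737 documentation ranges).
IP_BLOCKLIST = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}
SPAMMY_PHRASES = re.compile(r"\b(free money|act now|click here|winner)\b", re.I)


def score_content(msg) -> float:
    """Content component: 2 points per spammy phrase in the body."""
    return 2.0 * len(SPAMMY_PHRASES.findall(msg.get_payload()))


def score_headers(msg) -> float:
    """Header/protocol component: missing or odd headers add weight."""
    score = 0.0
    if not msg.get("Message-ID"):
        score += 1.5
    if not msg.get("Date"):
        score += 1.0
    subject = msg.get("Subject", "")
    if subject and subject.isupper():
        score += 1.0
    return score


def score_sender_ip(msg) -> float:
    """External-information component: connecting IP on a blocklist.
    X-Connecting-IP is an assumed header stamped by our own MTA; it is the
    kind of data that is lost once filtering moves to the user's client."""
    ip = msg.get("X-Connecting-IP")
    if not ip:
        return 0.0
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return 0.0
    return 3.0 if any(addr in net for net in IP_BLOCKLIST) else 0.0


def score_recipient(msg) -> float:
    """Unknown recipient: usually spam, but also typos (answer 5), so it adds
    weight instead of causing the message to be deleted outright."""
    addrs = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    return 2.0 if any(a not in KNOWN_MAILBOXES for a in addrs) else 0.0


COMPONENTS = [score_content, score_headers, score_sender_ip, score_recipient]


def cocktail_score(raw: str) -> float:
    msg = message_from_string(raw)
    return sum(component(msg) for component in COMPONENTS)


def is_spam(raw: str, threshold: float) -> bool:
    return cocktail_score(raw) >= threshold


def mk(body: str, **headers) -> str:
    """Assemble a constructed raw message; underscores become hyphens."""
    head = "".join(f"{k.replace('_', '-')}: {v}\n" for k, v in headers.items())
    return head + "\n" + body + "\n"


DATE = "Mon, 3 Mar 2008 10:00:00 +0800"
CORPUS = [  # (raw message, labelled as spam?); expected scores in comments
    (mk("See you at noon?", From="alice@example.com", To="bob@example.com",
        Subject="Lunch?", Date=DATE, Message_ID="<1@example.com>",
        X_Connecting_IP="192.0.2.10"), False),                        # 0.0
    (mk("This week's digest. Click here to unsubscribe.", From="list@example.org",
        To="bob@example.com", Subject="[list] Weekly digest", Date=DATE,
        Message_ID="<2@example.org>", X_Connecting_IP="192.0.2.20"), False),  # 2.0 gray mail
    (mk("Please act now on invoice 42 so we can close the quarter.",
        From="cfo@partner.example", To="bbo@example.com", Subject="Invoice 42",
        Date=DATE, Message_ID="<3@partner.example>", X_Connecting_IP="192.0.2.30"), False),  # 4.0 typo
    (mk("You are a WINNER! Click here for free money. Act now!",
        From="promo@example.net", To="bob@example.com", Subject="WINNER",
        X_Connecting_IP="203.0.113.5"), True),                         # 14.5
    (mk("Act now to claim your prize.", From="deals@example.net",
        To="sales@example.com", Subject="Act now", Message_ID="<5@example.net>",
        X_Connecting_IP="198.51.100.7"), True),                        # 5.0
    (mk("Hi, click here to see my photos.", From="friend@example.net",
        To="bob@example.com", Subject="Hello", Message_ID="<6@example.net>",
        X_Connecting_IP="198.51.100.8"), True),                        # 3.0
]


def evaluate(threshold: float) -> dict:
    """Count false positives (ham flagged) and false negatives (spam missed)."""
    fp = fn = ham = spam = 0
    for raw, labelled_spam in CORPUS:
        flagged = is_spam(raw, threshold)
        if labelled_spam:
            spam += 1
            fn += int(not flagged)
        else:
            ham += 1
            fp += int(flagged)
    return {"false_positives": fp, "false_negatives": fn,
            "fp_rate": fp / ham, "fn_rate": fn / spam}


if __name__ == "__main__":
    for t in (float("inf"), 4.5, 3.5, 2.5):
        print(f"threshold={t}: {evaluate(t)}")
```

Note that the recipient check is a weighted component, not a hard delete, which is the tradeoff answer 5 asks you to weigh; and that the gray-mail newsletter is the kind of false positive answer 3 says tends to go unreported.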
TechTalk: FAQs on e-mail security
By Kevin Beaver
E-mail security policies are one of those must-haves for every organization, but not always as high on the
priority list as they should be. Below are some of the frequently asked questions.
Who should enforce e-mail policy rules? Is it better to have more than one person do this, or
There should be a centralized security committee that's responsible for policy oversight. However, the policies
should ultimately be enforced by the human resources department, which should be working closely with the
Our company has a very casual style. A formal e-mail policy would go against our company culture.
How do we suddenly implement a policy like this when we've never been so formal?
The short answer is, if you need it, I think you can gradually ease into the policy by talking about what your e-
mail systems and corporate assets are up against and then show the benefits of such a policy. Awareness is
key to getting buy-in, especially in a smaller company.
How do you distinguish what is a policy and what is an invasion of privacy?
I strongly believe (and court cases have proven so) that for the most part, companies have the right to say
what can and cannot be done on company time. I think you've got to be reasonable and fair and have a
checks and balances system in place to make sure employees aren't getting picked on. This is definitely
something everyone should candidly discuss with their lawyer and HR representative to make sure everything
is in line.
What are some of the hidden costs to an e-mail security policy? What can my company expect to
Managing the technology that helps enforce policies is probably the biggest issue. It's impossible to say how
much a company will have to spend. Start simple at first and only buy into expensive solutions if necessary.
Many small and midsize businesses don't have an in-house IT staff, so be sure to consult with an expert
before you implement any software or service to ensure your time and money are well spent.
Should instant messaging be tied in to an e-mail policy?
Excellent point! Yes, don't forget about instant messaging. It's essentially the same as e-mail in many
respects – it just uses a different technology. So, you could incorporate IM and call your policies "messaging"
I have a small, privately-owned business with just a handful of computers, a network and basic
Internet connectivity. What value will an e-mail policy add to my organization?
First of all, it's simply good business practice and the right thing to do. E-mail policies will show your
customers that you take their information seriously. Your business partners will see that your organization is
worth doing business with. Plus, they can keep you out of hot water if you end up with an HR issue on your
hands. They can also keep you on the government's good side too, if your business falls under one of the
many state and federal regulations.
How much time will it take to create my e-mail policies?
Well, that depends on the size of your organization, the complexity of your information systems, and the
outcome of your risk assessment, to name a few. Make sure you don't reinvent the wheel. There are many
resources that can save you a ton of time. The actual process of creating policies really shouldn't take any
more than a day or two. It's the preliminary and follow-up work that'll take more time. Remember, e-mail
security policies are not just an IT issue, the process should involve other departments as well.
Who should I have review my security policies?
Preferably an unbiased outsider who has experience developing security policies. This might only take a day
or two or could take a week or longer depending on the complexity of the policy. Consider it as you would for
a lawyer reviewing important contracts. It's not going to be inexpensive, but it'll be a very worthwhile
investment given what's at stake.
What's the difference between an e-mail security policy and the security policy I have set up in my
firewall that allows inbound/outbound email?
Great question. This often generates a lot of confusion. When working with firewalls, we talk about policies; a
firewall policy is basically the business rules that permit or deny a specific type of traffic. This could be e-mail
coming from or going to specific systems such as SMTP for your e-mail server or POP3 for your workstations.
A firewall policy is essentially the technical implementation of your overall written security policy or policies.
My business is considered a HIPAA covered entity. How many policies will it take for us to become
compliant with the HIPAA security rule?
It's hard to say since this depends on your risk assessment. Again, you must do a risk assessment first to figure
out where your weaknesses are and then write your policies accordingly. For HIPAA, you'll likely have 1 or
more e-mail policies in addition to various other policies related to access controls, backups, passwords, etc.
Should my e-mail policy document be part of my employee handbook?
You should integrate your policy statement or statements (not your entire document) into your handbook and
then refer to the full policy document for more information.
About the author
Kevin Beaver is the founder and principal consultant of the information security services firm
Principle Logic, LLC, based in Atlanta, where he specializes in information security assessments
and incident response. He has more than 16 years of experience in IT and is the author of several
books on information security including Hacking For Dummies by Wiley Publishing.
This article originally appeared on SearchCIO-MidMarket.com.
For more learning guides, buyer's guides and Ask the Expert tips, visit the website at
www.SearchSecurityAsia.com or sign up for your free weekly enewsletter.
2008 Copyright Questex Media All Rights Reserved