Searchsecurityasia Eguide Email Security


eGuide to Email Security
The definitive guide to all things Email Security in Asia
September 2008
eGuide to Email Security in Asia
SearchSecurityAsia

Table of Contents

EDITOR'S COLUMN
Gartner Lists Security Software Drivers for Asia Pacific
Why and when e-mail is unsecured
Email authentication showdown: IP-based vs. signature-based
Exposing the biggest blunders for fighting spam and viruses
Email and beyond: The evolution of employee monitoring technologies
Executive Interview
Email encryption: Five steps to success
Quiz: Can you slay spam and viruses?
Salespeople are sharks and other truths of negotiation
Best practices: making vendor pitches work for you
Security Tip: How to secure e-mail with S/MIME
Ask the Security Expert
Answers to quiz on spam and viruses
TechTalk: FAQs on e-mail security policies

Contact the editor
Victor Ng, editor-in-chief
Jose Allan Tan, content director

Advertise. To find out more about our solutions contact:
China, Hong Kong SAR: Michelle Palmer, Associate Publisher. Tel: +852 2589 2326 Fax: +852 2559 7002
Southeast Asia: May Yee Tan, 7500A Beach Road, #11-313/315 The Plaza, Singapore 199591. Tel: +65 6395 4581 Fax: +65 6297 7928

Page 2 of 3
EDITOR'S COLUMN

The most important assets in an enterprise are its people and its business information. They also happen to be the most vulnerable to information security threats. A larger percentage of serious data security breaches come from within the company than from outside. Some are deliberate – unhappy employees about to leave the company may want to sabotage you, or steal information they could use when they join a competitor – while others are unintentional, like employees' carelessness in handling company information or ignorance in protecting themselves when they are online. Either way, they can put your network and the data in your servers and PCs at risk. That can result in lost productivity and even financial loss.

Businesses today have no time for downtime. That's why it's important to have a strategy in place for the channel where people in your organization are most exposed to security threats – e-mail. Not a day passes when an e-mail user does not encounter spam, scams, hoaxes, phishing mail or malware disguised as e-mail attachments.

This e-guide helps you lay a firm foundation for e-mail security, apply the relevant standards and policies, and use the right tools and technologies to protect your employees and your business information. Armed with the information and tips within these pages, you can also test yourselves through the quizzes and exams (answers in the last few pages help you grade your level of knowledge and competence). Enjoy!

Victor Ng
Editor-in-chief
SearchSecurityAsia

Gartner Lists Security Software Drivers for Asia Pacific
By Jose Allan Tan

Despite the uncertainties with the US economy and the continuing roller-coaster ride of crude oil prices, economists and industry observers continue to see positive growth for many of the economies in Asia Pacific. The strong economic environment, driven by local consumption and demand, will keep enterprises and consumers spending.
China and India, the two largest economies in the region, will drive much of that growth. According to Gartner analysts Matthew Cheung and Ruggero Contu, organizations point to prioritizing, choosing and maintaining security technologies as the top issues for enterprises.

"Asia/Pacific companies and government agencies increasingly face pressures to demonstrate compliance with the spirit and the letter of the law under various regulatory requirements, and to show business value and cost-effectiveness for security measures to their international counterparts," said Matthew Cheung, Sr. Research Analyst Asia Pacific, Gartner.

Ruggero Contu, Principal Research Analyst for Gartner based in Egham, UK, notes that security spending is driven by a variety of pressing concerns, most notably the need to "keep the bad guys out" through defensive measures, such as next-generation firewalls. "However, the 'let the good guys in' discipline, such as IAM, is where business benefits and ROI can be more clearly shown. Stand-alone personal firewall market growth rates will slowly decrease;
however, we see increased interest and anticipate increased adoption in 'endpoint security suites'," adds Contu.

Compliance with government and industry regulations will continue to play a significant role in security spending decisions. Gartner says investments are often justified because the downside of breaches, and the negative publicity following them, is great. Gartner recently published figures putting $10.4 billion as the amount spent on security software worldwide in 2007. Analysts cite the increased shift toward offering appliance-based products, particularly within certain segments such as e-mail security and secure Web gateway markets.

In 2007, Symantec and McAfee remained the leading players, holding 26.6 per cent and 11.8 per cent market share respectively (see Table 1). EMC more than tripled its revenue year-on-year, with its performance primarily influenced by acquisitions. In addition, Microsoft's entry into the consumer security protection market will further erode pricing in this segment, which eventually will trickle into the professional market, starting with the small office/home office (SOHO) and consequently moving into the SMB market.

Table 1: Worldwide: Security Software Vendor Revenue, 2007 (Millions of US Dollars)

Company       2007 Revenue   2007 Market Share (%)   2006 Revenue   2006 Market Share (%)   2006-2007 Growth (%)
Symantec           2,768.5                    26.6        2,564.3                    29.5                    8.0
McAfee             1,225.7                    11.8        1,072.9                    12.3                   14.2
Trend Micro          809.6                     7.8          701.5                     8.1                   15.4
IBM                  607.9                     5.8          465.1                     5.3                   30.7
CA                   419.0                     4.0          431.1                     5.0                   -2.8
EMC                  414.6                     4.0          121.8                     1.4                  240.5
Others             4,170.5                    40.0        3,338.2                    38.4                   19.8
Total             10,415.8                   100.0        8,694.9                   100.0                   19.8
Source: Gartner, June 2008

Cheung believes that the changing vulnerability and threat landscape and continuing requirements for compliance-related initiatives are driving vulnerability management programs to expand.
"Vulnerability management consists of a combination of technologies and processes to improve security posture," he adds. On the positive side, "Price competition among vendors is bringing prices down in the more-mature stand-alone market segments, such as antivirus. Changes in the way vendors package and price their solutions in the future will ultimately impact pricing and make some security technologies as pervasive as PCs," concludes Contu.

Why and when e-mail is unsecured
By Stree Naidu

With last year bringing to light a spate of compliance-related issues among large corporations and charity organizations, there is an increased emphasis on organizations adopting good corporate governance measures to be compliant with the rules and requirements of government regulatory bodies. Organizations need to ensure that all their corporate policies are compliant with government rules and regulations, including those for electronic communication, which covers e-mail correspondence as well. They are faced with an increased need to secure their e-mail exchange policies, not only in terms of protection against e-mail threats but also in achieving compliance.

Though e-mail security is a universal concern, every industry has unique requirements, business pressures and competitive challenges. Increasing competition, transaction volumes, and customer demand are pressuring companies in the financial services industry to provide more services online. E-mail, Web applications, and electronic file transfers have
become mainstream forms of conducting important financial business – and employing technology for securing, monitoring, archiving, and retrieving these communications has become imperative. While financial services firms are required to supervise and record all electronic communication between employees and clients, another requisite is to ensure the security and confidentiality of customer records and information. Ongoing investigations and record multi-million dollar fines in these areas are spurring organizations to re-examine their e-mail compliance efforts and look for technology and automated solutions that can deliver comprehensive compliance at the best cost.

Government organizations, on the other hand, both civilian and military, are under increasing pressure to reduce costs while at the same time improving network protection and the availability of online information and services for businesses, constituents, and other agencies. In governments, there is a higher chance of data leakage, as there are more data centers and many more people are involved in handling the data. The adoption of sound data protection principles and practices across the system is recognized as an important task.

In the healthcare industry, rising costs, stringent regulatory requirements, and increasing exposure to legal liability are prompting healthcare providers and payors to re-examine every aspect of their operations. To overcome these challenges, healthcare providers are increasingly turning to IT, which brings its own e-mail security challenge: ensuring that all individually identifiable health care information is protected for privacy and confidentiality when electronically stored, maintained, or transmitted.

In today's rapidly expanding business environment, time is of critical importance.
With competition thriving, businesses have zero tolerance for technology downtime and need to ensure their IT infrastructure is performing at its optimal utility under maximum security. There is no doubt that e-mail has become a vital tool for business and personal communication. E-mail provides a highly efficient and cost-effective way to deliver person-to-person messages, files and documents across organizational boundaries. According to the Radicati Group, there are over 400 million corporate mailboxes worldwide, and more than 45 billion e-mail messages are transmitted each day within enterprises. As a result of this growing use, businesses are increasingly dependent on e-mail to operate.

This rapid boom and increased dependency on e-mail has spawned the rise of e-mail security threats that constantly evolve and raise their ugly heads as the volume of e-mail traveling around the world increases consistently. E-mail security threats that plague organizations include spam, viruses, scams, identity theft, and leaks of sensitive information. The impact of not deploying effective security solutions to keep the ever-evolving menace of e-mail security threats at bay could prove to be both costly and dangerous. Organizations are actually leaving their doors wide open to the destructive effects of spam, viruses and, more importantly, unwarranted leakage of sensitive company information and data. Companies do not realize the amount of vital data that is traveling outside their organization via unsecured methods, leaving them prone to information theft. Spam and viruses, on the other hand, can wreak havoc and damage the network and e-mail infrastructure. To evade the stronger security measures adopted by companies and users in general, these threats have lately been masquerading in different forms and with different characteristics in order to con their victims.
More recently, a good example of these evolving threats is the 'Storm Worm' attack, which has been ravaging millions of user mailboxes. As one of the larger Trojan horse attacks in recent years, it made use of information about a storm front then crossing Europe to lure its recipients into opening attachments that promised more details on the storm. Upon clicking on the attachment, users automatically became part of a botnet that left a back door for cyber criminals to steal data or send spam through the infected computer. If such malicious e-mails make their way through an organization's network, the effects are potentially dangerous, since they give unwarranted access to confidential company information and business intelligence.
Therefore, rather than suffer the heavy costs of recovery, organizations are encouraged to invest wisely in intelligent and effective e-mail security solutions that secure every aspect of their electronic communication, both within and outside their organization. Each organization has its own unique security needs when it comes to sending and receiving sensitive information via different modes of communication such as e-mail, file transfers and instant messaging – from complying with government privacy regulations in healthcare and financial services to enforcing corporate policies and protecting intellectual property.

One approach is to augment existing perimeter-based security with an additional layer of protection inside the firewall, at the internal desktop. By providing encryption capabilities to individual users, organizations can ensure that sensitive information is delivered safely to both internal and external recipients.

For organizations in both the private and public sectors, establishing a communication infrastructure that allows immediate online exchange of business-critical messages and files can provide a significant competitive and operational advantage. While the need for secure online communication may be universal, how it is best implemented varies both by industry and by application.

About the author
Stree Naidu is Regional Vice President, Asia Pacific for Tumbleweed Communication. This article first appeared on Enterprise Innovation.

Email authentication showdown: IP-based vs. signature-based
By Noah Schiffman

An important aspect of corporate email security architecture is its method of preventive countermeasures. These defenses are charged with thwarting a variety of threats, from spam and phishing to malware like Trojans and rootkits. First-line countermeasures include message content inspection.
This type of reactive system relies on signature engines and updated databases of known spam and phishing phrases. Additional prevention techniques employ domain filtering using blacklists and whitelists. More effective filters combine heuristic techniques with statistical analysis through Bayesian filters to analyze email based on collected content. However, these detection methods often fall short, relying on slow updates from limited data and resulting in unacceptable numbers of false positives. Furthermore, identity spoofing and domain hopping by malicious senders have weakened the effectiveness of these countermeasures.

In response, several types of email authentication technologies have been developed and implemented with varying results. Prevailing authentication methods categorically employ path-based or cryptography-based methods.

Path-based, or IP-based, authentication systems evaluate the network path traversed by email. They rely on DNS records that identify trusted IP addresses for sender validation. This straightforward approach of verifying the message path from sender to recipient has been widely adopted due to its simple implementation. Sender ID and Sender Policy Framework (SPF) have emerged as the dominant path-based methods in use today. While both of these techniques publish DNS policy records, they use them differently. SPF authentication compares the DNS record against the email's return-path address (the envelope layer), while Sender ID validates a Purported Responsible Address (PRA) taken from the message headers, in addition to authenticating the SPF record.

Cryptographic, or signature-based, authentication systems rely on digitally signing messages with a PKI key pair. Recipient mail servers perform signature validation with public keys retrieved from DNS records.
This method is utilized by the DomainKeys Identified Mail (DKIM) authentication framework, recently adopted by eBay and PayPal, the two companies most notably targeted by phishing attacks in recent years.

While both IP-based and signature-based systems rely on the DNS infrastructure, they fundamentally differ in their focus of email analysis. Path-based systems examine where the message originated, while cryptographic methods look at who sent the message.
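The envelope-versus-header distinction between SPF and Sender ID described above, as an added example that is not part of the original article: a miniature path-based evaluator run over a constructed DNS table (all domains, addresses and records are hypothetical), showing how the same record gives a different verdict depending on whether the MAIL FROM domain or the PRA domain is checked, and why a forwarding hop fails the envelope check.

```python
"""
Added example: evaluate an SPF-style record for a connecting IP, once against
the envelope return-path domain (SPF) and once against the Purported
Responsible Address domain chosen from the headers (Sender ID). DNS is
replaced by an in-memory table so the example runs offline.
"""
import ipaddress

# Constructed DNS data (hypothetical domains and addresses).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 a:relay.mailer.example ~all",
    "mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
DNS_A = {"relay.mailer.example": ["203.0.113.5"], "mx1.example.com": ["192.0.2.25"]}
DNS_MX = {"example.com": ["mx1.example.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip vs domain."""
    if depth > 10:                         # cap include/redirect recursion
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("redirect="):
            return check_spf(client_ip, term.split("=", 1)[1], depth + 1)
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # a mismatched address family never matches; a bare address is a /32
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS_A.get(arg or domain, [])
        elif name == "mx":
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(str(ip) in DNS_A.get(h, []) for h in hosts)
        elif name == "include":
            # an include only matches when the referenced record yields "pass"
            matched = check_spf(client_ip, arg, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # record exhausted without an "all" term


def pra_address(headers):
    """Pick the Purported Responsible Address in Sender ID's header order."""
    for field in ("Resent-Sender", "Resent-From", "Sender", "From"):
        if field in headers:
            return headers[field]
    return None


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def authenticate(client_ip, mail_from, headers):
    """Run both path-based checks; they can disagree on one message."""
    return {
        "spf": check_spf(client_ip, domain_of(mail_from)),
        "sender_id": check_spf(client_ip, domain_of(pra_address(headers))),
    }


if __name__ == "__main__":
    # Direct delivery from example.com's own MX host: both checks pass.
    print(authenticate("192.0.2.25", "alice@example.com", {"From": "alice@example.com"}))
    # Same message relayed by a forwarder that keeps the original MAIL FROM but
    # adds its own Sender: header. SPF fails (the forwarder's IP is not in
    # example.com's record) while Sender ID passes on the PRA domain.
    print(authenticate("203.0.113.99", "alice@example.com",
                       {"From": "alice@example.com", "Sender": "forwarder@mailer.example"}))
```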
The corporate implementation of these two different authentication methods has revealed their situational strengths and weaknesses. The advantages of using a path-based approach include easy implementation and rapid deployment, without the cryptography-related impact on server performance. Therefore, path-based systems may be beneficial to companies looking to expedite a simple system under minimal resource constraints. However, signature-based standards have the added value of providing message integrity and greater resistance to the limitations imposed by mail forwarding. Digitally signed mail is best utilized as a robust solution for corporate protection of email containing intellectual property and other critically sensitive business information.

Finally, it is important to note that these differing authentication solutions can work in tandem – several IP/signature combination systems are presently being evaluated with promising results. A comprehensive risk analysis of data sensitivity, coupled with mail traffic metrics, is essential when determining proper requirements and resources for implementing an effective email security strategy. Since the protocols and standards for authentication will ultimately change with emerging threats, it's important to adopt authentication technologies with backwards compatibility and scalability. It is necessary to remember that authentication plays only one role in email security, and must be combined with reputation scoring systems for establishing and updating acceptance and rejection thresholds. Regardless of which email authentication method is employed, its true effectiveness will ultimately be determined by what prevails as an accepted global standard.

About the author
Noah Schiffman is a reformed former black-hat hacker who has spent nearly a quarter century penetrating the defenses of Fortune 500 companies.
Today he works as an independent IT security consultant specializing in risk assessment, pen testing, cryptography and digital forensics, predictive analysis models, security metrics and corporate security policy.

Exposing the biggest blunders for fighting spam and viruses
By Joel Snyder

The world of antispam and antivirus has become so crowded that it's hard to tell what the best approach is for any company. However, there are some things that people are doing with spam and viruses that are obviously wrong. Let's go through the worst practices in the hope that you won't get caught up in them – or if you're doing them, that you'll stop.

#1 Worst practice: Accepting mail that you have no intention of delivering

This is not just a big deal – it's the biggest deal – and it's at the root of some of the worst practices on the Internet today. What's happening here is very simple. Somewhere at the edge of the enterprise is an SMTP MTA. Other mail systems, both spam and non-spam, connect to that SMTP MTA and try to send it mail. For each message, the sending SMTP system has to say, "This is for a particular user." The receiving SMTP MTA has three options at this point. It can say, "Yes, send me that message." It can say, "No, try again later and it might work." Or, it can say, "No, don't bother to try again because it will never work."

In theory, you'd think, you'd only accept mail that you can deliver. If someone says, "This is for Jane Doe," and Jane doesn't work there anymore, you'd expect the SMTP MTA to say, "No, go away." But it doesn't always happen that way. Many companies are perfectly willing to accept mail even if they cannot deliver it. This might happen for a couple of reasons. The oldest reason, and probably one of the most common, is that the receiving SMTP MTA doesn't know whether or not the mailbox is valid. It checks the domain name, but it doesn't actually know whether the user exists or not until later.
Maybe it looks the user up in a database after it has accepted the message, or perhaps it simply hands the message off to another MTA.

The second reason why you might accept e-mail that your MTAs can't deliver is in a misguided attempt to deal with directory harvest attacks (DHAs). The theory behind a DHA is that the spammer tries every possible e-mail address, starting with and ending with, in the hopes of identifying those that are legitimate. If you only accept mail for existing users, then you expose your e-mail directory to the spammer. They find out who can receive mail and, it is presumed, can more efficiently send you junk mail.
To avoid the dreaded DHA, one school of thought is to simply accept all mail, whether or not the recipient is valid. This doesn't give the spammer any information, although it does tie up your MTA while it accepts mail for nonexistent users.

Both of these techniques, while reasonable in 1995, are simply horrible ideas in 2005. The problem is the messages that cannot be delivered. If you refuse a message or a recipient while it is coming over the wire, then handling the error condition of what to do with an undeliverable message is the other guy's problem. Once you've accepted the message, handling the error condition becomes your problem.

What are you going to do with these undeliverable messages once you have them? Well, you have a couple of options. You are supposed to try to return them. The problem is that most of them are probably going to be spam. Spammers have two options when they send you mail. They can use either a valid or an invalid return address. If they use an invalid one, then you have no way to return the mail, and it sits on your MTA, clogging up the queues until your MTA determines that the message is unreturnable. You can't simply drop all messages that can't be delivered (although some misguided postmasters do just that), because then someone who makes a simple spelling error will never know that their message didn't go through.

It's even worse if the spammer puts in a valid address. You now send a bounce message to someone who didn't send the e-mail in the first place. In the quantities that spammers send their junk around, this amounts to a denial-of-service attack. There's even a name for it: a "Joe job" attack. The last time this happened to my company, we collected over a million bounced messages from MTAs that had accepted mail they couldn't deliver – and then wanted to return it to us. That's a lot of really stupid MTAs.
Best practice #1: Deploy smarter MTAs

The way to solve this is to not accept mail you can't deliver. If you don't accept it, then the sending MTA has to deal with it – not you. You don't become the instrument for someone else's denial-of-service attack, and you don't have to worry about filling up your queues with mail you can't deliver. If your border MTA isn't smart enough or capable enough to connect to your corporate directory and refuse undeliverable mail, it's time to replace that MTA.

As for protection against DHAs, accepting all mail is the wrong approach. A well-designed MTA can detect that a DHA is happening very easily. For example, it might get a message with 100 consecutive invalid recipients. From that point, it's easy – simply refuse all recipients, valid and invalid, for an hour or so. Don't refuse them with a permanent error – just say, "Try again later." If the message is from someone who has legitimate mail to send, they'll come back and try again later. If it's a spammer on a DHA, they're going to be gone until the next go 'round.

The benefits of refusing mail you can't or don't want to deliver are immense. Because you didn't accept the message, the sending MTA has the chance to send back an error message to the originator of the message. This gives you a chance to track errors and configuration problems, because legitimate mail will get a legitimate error code back to real senders. If you drop the mail into a black hole or some sort of quarantine with a million other messages, you'll never find subtle problems.

In fact, if you can get an antispam solution that runs at SMTP time, that's even better. Most antispam scanning engines run after the SMTP dialog is complete, when your mail server has already accepted responsibility for the message.
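The RCPT TO decision that best practice #1 asks of a border MTA, as an added example (not code from the article or from any MTA product): unknown recipients are refused on the wire with a permanent 550 so the bounce stays the sender's problem, and a client that runs up a streak of invalid recipients gets a temporary 451 for every recipient, valid or not, for a cooling-off period. The directory, the clients and the thresholds (the article's 100 recipients and one hour) are constructed stand-ins.

```python
"""
Added example: recipient validation and directory-harvest throttling at SMTP
time, modelled on the "deploy smarter MTAs" practice. The directory and log
are in-memory stand-ins; the threshold and block period are hypothetical
values taken from the article's illustration.
"""
import time

DHA_THRESHOLD = 100            # consecutive invalid recipients before throttling
DHA_BLOCK_SECONDS = 3600       # "refuse all recipients for an hour or so"

# Constructed corporate directory the border MTA consults during the dialog.
DIRECTORY = {"jane.doe@example.com", "postmaster@example.com", "sales@example.com"}


class BorderMTA:
    def __init__(self, directory=DIRECTORY, clock=time.time):
        self.directory = directory
        self.clock = clock             # injectable so tests can advance time
        self.bad_streak = {}           # client_ip -> consecutive invalid RCPTs
        self.blocked_until = {}        # client_ip -> unix time when 451s stop
        self.log = []                  # what an admin would later grep for

    def rcpt_to(self, client_ip, recipient):
        """Return the SMTP reply (code, text) for one RCPT TO command."""
        now = self.clock()
        if self.blocked_until.get(client_ip, 0) > now:
            # Temporary failure: a legitimate sender queues and retries later;
            # a harvester moves on.
            return 451, "4.7.1 Try again later"
        if recipient.lower() in self.directory:
            self.bad_streak[client_ip] = 0     # a valid hit resets the streak
            return 250, "2.1.5 Recipient OK"
        streak = self.bad_streak.get(client_ip, 0) + 1
        self.bad_streak[client_ip] = streak
        self.log.append(f"{client_ip} unknown recipient {recipient} (streak {streak})")
        if streak >= DHA_THRESHOLD:
            self.blocked_until[client_ip] = now + DHA_BLOCK_SECONDS
            self.bad_streak[client_ip] = 0
            self.log.append(f"{client_ip} directory harvest suspected; "
                            f"451 for {DHA_BLOCK_SECONDS}s")
            return 451, "4.7.1 Try again later"
        # Refuse now, so the bounce is the sender's problem, not ours.
        return 550, "5.1.1 No such user"


def simulate_harvest(mta, client_ip, attempts):
    """Drive `attempts` guessed addresses from one client; return the codes seen."""
    codes = []
    for i in range(attempts):
        code, _ = mta.rcpt_to(client_ip, f"guess{i}@example.com")
        codes.append(code)
    return codes


if __name__ == "__main__":
    mta = BorderMTA()
    print(mta.rcpt_to("198.51.100.1", "jane.doe@example.com"))   # (250, ...)
    print(mta.rcpt_to("198.51.100.1", "nobody@example.com"))     # (550, ...)
    codes = simulate_harvest(mta, "203.0.113.7", 105)
    print(codes.count(550), "refused,", codes.count(451), "deferred")
    print(mta.rcpt_to("203.0.113.7", "jane.doe@example.com"))    # (451, ...) while blocked
```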
A few bold products are completing the spam content scan during the SMTP dialog itself, while the message is being received but before the final "Yes, I will take responsibility for this message" response goes from your mail server to the SMTP sender. If you refuse mail you think is spam, you don't have to worry nearly as much about false positives. If I get back a message from my MTA saying that your MTA didn't accept it because it thought it was spam, then I can do something about it. If the receiving MTA thought it was spam and sent it to some dark occluded hole, there's no way to track it. I sent it; your mail system received it. Where did it go? Even with a good quarantine, it's easy to miss the one false positive in a thousand. Many antispam systems are attempting to do this with the most obvious cases of spam, using techniques such as blacklists, which simply refuse or greatly limit the amount of incoming mail from certain IP addresses.

#2 Worst practice: Doing anything with viruses besides deleting them

Things have changed very quickly in the world of e-mail. In January 2004, MyDoom forever upset the balance in virus management, and many antivirus systems have not yet figured out how to manage. Prior to MyDoom, when you got a virus, it seemed like a neighborly thing to try and deal with it – maybe clean up the attachment or send a message to the originator of the virus and tell them they had a problem. That was a good strategy – in 2003. But we don't get viruses anymore.
We get worms. We get e-mail that is machine-generated on an infected system with forged sender addresses, containing no real content but a lot of malware. Trying to do anything with these messages is a bad idea. When you get a worm-generated e-mail message with malware in it, you don't want to clean it up and send it on, because there is no message there. It's just a wrapper, and the recipient doesn't want it and doesn't need it. During the early stages of MyDoom, people were getting hundreds of these a day. Nor do you want to return the message or send a notification to the sender, because they probably didn't send the malware. You end up sending a notification of a problem to someone who doesn't have the problem, doesn't know what you're talking about and can't do anything about it but get annoyed at you. I get about one of these notifications a day from MTAs run by e-mail administrators who have not figured out they shouldn't be doing this anymore.

Best practice #2: Segment or delete

If you have the time and energy to keep track of the different viruses and worms, and if you have a well-designed antivirus system, you can try to segment the traffic into two camps. The worms and malware, which will represent some epsilon short of 100% of your virus traffic, should simply be deleted. The true viruses, ones that attach themselves to an otherwise-legitimate message, can be deleted with a notification to the recipient that they are missing an attachment. If you don't have the time to deal with that, and I don't blame you if you don't, then simply delete the virus-infected e-mail. Silently. Log those messages, of course, and perhaps even stick them in quarantine so you can retrieve them if necessary. But that's not going to happen very often.
The extraordinarily virulent and aggressive worms such as MyDoom have so sensitized network administrators to the need for virus scanning that real viruses don't have much of a chance to get through anymore. Of course, as one of the bearers of the "every e-mail is sacred" torch, I am loath to delete any message that might have useful content. But I'm also aware that if we inundate end users with notifications about viruses that they didn't get from people they don't know, we're making e-mail less useful. I'd prefer to see antivirus and antispam vendors start to do the differentiation for us. Until that happens, we have to make the best of a bad situation.

Email and beyond: The evolution of employee monitoring technologies
By David Habben

The concept of organizations keeping a watchful eye on employees during company hours is nothing new. From the introduction of the time card 120 years ago, employee monitoring has evolved from simple confirmation that individuals are present and accounted for, to more detailed insight into employee activities taking place while "on the clock." This evolution has been driven in part by today's widespread use of email in the workplace, plus the increasing popularity of instant messaging, blogs and other online communication forums - all of which expose companies to new data security risks. The boom in electronic communications, combined with business challenges - such as increased industry competition - and the introduction of data and privacy laws, requires employees to take extra steps to reduce the risks associated with outbound email whilst protecting corporate assets in the process.

The birth of email

Since the first sanctioned commercial use of email in 1988, it has quickly caught on in corporate and personal domains. As email was soon recognized as a critical business tool, it didn't take long for organizations to identify the potential risks that came with this new form of communication.
A quick click on the "send" button could create any number of corporate mishaps, with confidential data – legal documents, customer identity information, and trade secrets – being circulated, whether maliciously or accidentally, inside and outside of an organization. In the early to mid-90s, keyword-based email filters, which scanned for specific words before an email was sent, were introduced to help organizations secure individual email messages. This marked the start of genuine enterprise concern regarding data security and was followed by the availability of a range of data protection, monitoring and filtering technologies, resulting in email monitoring solutions becoming increasingly common.

Email is not the only culprit

The number of electronic communications channels has exploded in the past few years, but email remains a top focus for organizations when it comes to data protection and security challenges. With a staggering 70% of corporate data residing in email, this channel will continue to pose the biggest threat as a means for the improper disclosure of confidential data. However, additional outbound data streams – including HTTP (i.e., blogs, web-based email, message boards), instant messaging and FTP – have entered the mix and can also be conduits for violations of internal communications policies, confidential information exposure or sources of regulatory risk.

A 2008 survey conducted by Proofpoint and Forrester looking at issues around outbound email security found that 66% of companies are concerned about ensuring that email cannot be used to disseminate trade secrets or valuable intellectual property, yet only 36% are currently performing regular audits of outbound email content. As a result, companies are expanding their use of messaging security solutions beyond traditional anti-spam and virus protection, to defend against the risks posed by outbound email and other messaging streams.

The risk is real

Respondents to the same Proofpoint/Forrester survey said that their business was impacted by the exposure of sensitive or embarrassing information in the last twelve months.
However, many organizations are completely unaware of the type of content flowing outside company walls and, as a result, are in the dark about their potential risk exposure via email. In an audit of one healthcare provider's outbound email, Proofpoint found hundreds of potential HIPAA (Health Insurance Portability and Accountability Act) violations occurring every hour.

Content policy framework: the 4 W's

Regardless of what drives organizations to secure outbound messaging streams, the ongoing challenge across all industries is how to secure critical data once it has been created, while keeping the information easily available to the people who need it. In addition to using technology to help automate the monitoring of outbound messages, the most successful messaging security processes also require well-defined company policies on the use of email and other forms of electronic communication. The idea of creating policies can be daunting, but in reality messaging policies can and should be simple in order to be effective. Whether creating new data security policies or updating existing ones, here are some recommended steps to help with the process:

• Why does this impact your business? This should be the first question. Take a deep look at your core business and the external forces impacting operations, such as competitive players and industry regulations, to determine what's driving your organization forward and how security issues impact this.

• What's your intellectual property? To help prioritize the data that needs to be protected, address the following: What do you sell? What personal private information do your systems contain and just how sensitive is it? Do you work with other parties to create this data? Are you exchanging information with partners and distributors?

• Who do you do business with? The next key step is to determine the highest level of risk for your organization, by evaluating:
  o Who has access to intellectual property?
  o Where does information flow (i.e., employees, partners, suppliers, customers)?

• Where and when is information accessed? When and how often does the data need to be accessed? Where does it exist on the network? How is it typically accessed (via email, fax, file server, etc.)? A growing concern among companies is also the risk of sensitive information being sent via mobile devices, as on average 25% of staff within an organization have access to equipment such as BlackBerrys and laptops. This needs to be considered a top priority.

This will give organizations a good baseline understanding of where the highest level of risk and exposure exists and provides a guideline for where to focus energy and effort on messaging security.

Survival of the fittest

The reality is that email, along with new forms of electronic communications, makes it extremely easy to distribute a company's digital assets, and organizations need both policies and processes in place to fully secure outbound messaging streams. The need to comply with privacy and data security regulations will continue to drive organizations to expand their deployment of messaging security technology, while developing a more complete understanding of the value of corporate data and the potentially costly repercussions of data leaks. Up-to-date data security policies combined with the right technology solution can proactively prevent liabilities created by noncompliant or offensive emails, ensure the privacy of customer and employee data and secure valuable intellectual property and trade secrets, ultimately protecting your business.

About the author

The writer David Habben is Regional Manager for Proofpoint in Asia. This article first appeared on SearchSMBAsia.

Executive Interview

By SearchStorageAsia team

SearchStorageAsia recently secured an interview with Ken Pappas, Security Strategist with Top Layer Networks.
Q: We've been reading about a rising number of breaches and the potential loss (monetary or otherwise) from these breaches. Is this because we are getting better at identifying these breaches, or criminal elements are just getting sloppy, or there really are more breaches?

Clearly we have all seen that the number of attackers and attacks has gone up. This is due to a number of factors:
  o Exploit tools readily available over the internet
  o We have moved from people that needed to be highly intelligent to grade level students now hacking companies
  o Federal and State regulations are now mandating companies to disclose breaches where in the past this was not the case
  o We see both an older generation and younger generation starting to use computers with no knowledge of 'tempt to click' or other trickery.

Q: Where should the protection of data reside (at the policy level and at the operational level)?

You need to focus on multiple places. Protection needs to be addressed at the client and the network side. There is absolutely no single technology out there that can claim complete security coverage. You need a blended security strategy. Data can and does reside on a client's machine or a back office server. You need to provide an 'end-to-end' security focus.

Q: There are loads of companies offering solutions to "protect" company data. Can you classify or group these vendors/solutions?

Protection can be in two forms: pro-active or reactive. Most vendors provide a reactive security solution, meaning something has to happen first before the vendor's product would do anything. Sometimes (in the case of data leakage) this is too late. Other vendors (like Top Layer) provide a pro-active solution: inspect everything in both directions on your network before allowing it to pass. Unlike the old firewall, which would allow all traffic to pass if it had a port destination, Intrusion Prevention technology inspects all traffic before it is allowed to enter or leave a network.

Q: How does a company determine what is the right solution for them?

Do not be dependent on any single vendor. You have to protect your entire network from the end points to the core of your network.

Q: How should they approach the selection of such a solution?

What is the security policy for your network and data? Oh, you don't have a policy? Well, this would be the best starting point. Identify what your critical assets are and what you want to protect. Many companies do not have security 'experts' on staff. Some promote an IT 'generalist' to be the security expert. It does not work this way. We see this in companies as a feel-good measure, in that they feel like they have a security expert. Take the right step. If you don't have a security expert, enlist the help of a security consultant to help define your policies, assess your network, conduct penetration tests and provide recommendations for security technology in your network.

Most companies focus heavily on the perimeter. While this is important, companies need to also protect the data center (applications and customer records) and the LAN core. We are a much more mobile society and as such almost all of us are using laptops. Those laptops are also being used outside the office and connecting to un-trusted networks. Hackers today are targeting mobile users because most of the networks outside the workplace are far less secure and easier to penetrate. Laptops are then carried into the workplace, plugged into the network, and you have a virus or Trojan outbreak. Having a security box out at the perimeter is not going to protect you.

Q: As companies go global and the corporate firewalls extend to business partners and suppliers, how does a company maintain a secured infrastructure without risking business relationships and opportunities?

Extending your network beyond your established 'trusted' walls creates security risks. Fortunately, companies that are now allowing other companies to have access into their networks are installing Intrusion Prevention Systems between the two networks to fully inspect all traffic flows going to and from each location.

Q: As we continue to see more complex interaction between users and companies, what can we expect from the level of breaches/data thefts?

Looking at the statistics from industry analysts and government agencies, the number of attacks is not going down. Attacks will be far more targeted and sophisticated; hackers are learning how humans react to a certain method of a breach (tempt to click, for example) and they are modifying their attack methods. Companies that continue to use and be dependent on firewall technology will be breached the most, since hackers have determined how to blow through a firewall. The lure of easy money continues to be the motivating factor. If a hacker determines that money can be made by penetrating or disrupting a location (like a power station), they are going after it.

Q: Are "security" vendors mostly reactive to security breaches?

It's not the vendor but actually the technology that is reactive. Intrusion Prevention Systems (like Top Layer) provide a pro-active solution to many forms of security threats. Like I said earlier, companies cannot be dependent on any single vendor or technology to address all the security requirements to protect your network and your data.

About Ken Pappas

In addition to his Security Strategist role at Top Layer Security, Pappas is also Vice President of Marketing for Top Layer. Previously he ran his own consulting firm specializing in network security, was the Security Strategist at 3Com/TippingPoint, and was the General Manager of the security business division at Enterasys Networks. He has spoken on security topics to many industry and government groups including the Department of Homeland Security, higher education consortia, National Retailers Association, InfraGard, SIM International and NBC TV on the topic of cyber terrorism. Pappas is a forensic expert and has recently completed his CISM courseware.

Email encryption: Five steps to success

By Mike Rothman, Contributor

Encryption is one of those technologies that has been around for thousands of years (since the days of Caesar, in fact), but is still very misunderstood. Actually, you use encryption every day, since it's the underlying technology that drives the Secure Sockets Layer and HTTPS protocols. But it seems email encryption remains an enigma at most small and medium-sized businesses (SMBs) because it's been portrayed as solving every information security problem. So, let's take a step back and understand what email encryption can do for you.

First and foremost, one of the biggest issues SMBs have is ensuring they are adequately protecting intellectual property. By encrypting emails that contain corporate secrets, there is very little risk of competitors and the like intercepting messages and stealing data. Likewise, in an age where customers are understandably concerned with protecting their private data, encrypting communications ensures that the customer's private data cannot be stolen.

Both IP protection and privacy considerations fall into a large yet amorphous bucket called compliance. Any business dealing with regulatory oversight, or even those now accepting credit cards – which are now subject to the Payment Card Industry standards – needs to be concerned with compliance. Email encryption is not a panacea for compliance, but having the ability to protect critical data is a critical step in the process.

Why isn't email encryption more prevalent? In a nutshell, it's due to complexity.
Historically, email encryption was very complex to implement and required a significant amount of communication, configuration and experimentation between trading partners to ensure a message encrypted by you could be decrypted by them. Additionally, there was no way to force users to encrypt sensitive messages. IT administrators had to hope users understood how to encrypt a message and that they'd remember to do so when appropriate. Since hope is not a good strategy, most organizations didn't deploy.

But as with most technologies, email encryption has evolved and matured over the past few years. It's by no means easy, but it's also no longer cost-prohibitive for SMBs to start experimenting with the technology. The advent of service providers that will host key servers, and of email gateways that can automate the enforcement of policies, has dramatically decreased the effort required to get an encrypted email system operating.

Here are five essential steps to encrypting email:

1. What and why? The first step is to define what types of content need to be encrypted. You are best off working with your general counsel (or outside law firms) to ensure that all sensitive data is identified and a policy is created to document the need to protect that data. Content types typically encrypted include customer records, intellectual property, strategy documents, etc.

2. Who and where? Next, it's important to determine which trading partners will participate. The short answer should be all of them. But in reality, many organizations phase in their approach because it's not as easy as flipping a switch and then encryption just happens. Determine if you are going to let users decide what gets encrypted (via desktop software) or whether you'll take a gateway approach that scans each message automagically and determines whether the policy requires it to be protected.

3. How? There are many different ways to skin this particular cat. You could encrypt messages at the desktop, or store messages encrypted on a staging server for pickup via a Web-based email interface. You could also implement the encryption either on the email security gateway or on a separate purpose-built device. The architecture will depend on your scale and number of trading partners. You could have a service provider manage the key server or you can manage it yourself. Value-added resellers and the vendors themselves can certainly help make those decisions, once you've determined that encryption is something you should do.

4. When? Rolling out encrypted email to all of your trading partners at the same time is not advisable. You need to figure out which partners should go first and start working out the details of the implementation with them. As you add more partners to the infrastructure, you'll nail down the process, but it's in your best interest to start slow and figure it out incrementally.

5. Refine. Given the policy and compliance drivers for email encryption, any project should have a period where the focus is to refine the policies used to determine which emails are encrypted. This can involve tuning the dictionaries and heuristics and manually auditing a subset of the messages encrypted (and those that aren't) to ensure the policies are being enforced.

Ten years ago, it required an armada of consultants and big infrastructure to implement encrypted email. That is no longer the case, but it's still not a walk in the park. With a diligent process and a dedicated project team, email encryption can play a key role in your compliance efforts and can protect both your intellectual property and private customer data.

About the author

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta. Reach him via email at

Quiz: Can you slay spam and viruses?

Take this quiz to assess your knowledge of how to fight spam and viruses. The correct answers are at the end of this eguide.

1. The term "cocktail" has been used to describe an antispam technique. What is it?

2. Is it better to run antispam at the external MTA or on the e-mail client (such as Outlook)?

3. A company recently announced that its antispam product has no false positives. How is this possible?

4. You have designed an antivirus strategy that says that all messages with viruses in them are deleted, while all messages without viruses in them are passed on. What have you forgotten?

5. When mail is received at an SMTP MTA, it is not always known whether the recipient is valid. If, later on, the recipient is found to be invalid, it's probably because the message is spam. What's wrong with simply deleting that message?

Salespeople are sharks and other truths of negotiation

By Kate Evans-Correia, Editor,

One of the biggest mistakes data center managers make when negotiating a sales contract is to trust the salespeople. Not that they're bad people; it's just that managers should never believe that a salesperson has their best interest in mind – ever.

An unnecessarily adversarial approach? Not if you've ever been burned because you didn't read the fine print.

"A sales contract is not for the marriage, it's for the divorce," said Jeffrey Gordon, principal, Ts&Cs: Contract Negotiators, a Raleigh, N.C.-based procurement firm. "Therefore, you must approach a contract with a leery eye."

Gordon, who spoke during the TechTarget Data Center Decisions conference in 2004, said too many IT managers are emotionally embroiled in the negotiations and are not prepared to play hardball. "People don't even know what they're signing or buying," he said.
Companies selling you technology have one objective in mind – to make money. They've got quotas to meet and products to push. "They'll push so hard it'll make you bleed," Gordon said.

Calling the shots

Bruce Peterson, vice president of systems for The ServiceMaster Co. in Downers Grove, Ill., is one of a growing number of managers who never go it alone when negotiating a sales contract. Before anyone signs on the dotted line at his company, sales contracts must be reviewed by a team of experts. As an IT specialist, Peterson sets the initial requirements for the technology and lets the experts hammer out the legal details.

Peterson said his team is in control. Long before anyone sits down to negotiate, the requirements are established. "If it's not our boiler plate, we don't play," said Peterson.

Dan Musil, a senior systems engineer for health care firm Baxter International Inc. in Deerfield, Ill., said his department works largely the same way, with a team of experts brought in to negotiate. Musil said his role is sort of like a watchdog. "We used to call [the vendor's] bluff, if necessary."

As surprising as it seems, many companies don't consider the long-term effects of a bad contract, which usually means getting stiffed on maintenance costs, support or, worse, battles over intellectual property.

Establishing what you will and will not compromise on is vital to getting a contract you can live with, said Gordon. Your contract can be anything you want it to be. Build it however you want, in your own writing. And never, ever do the negotiating before the vendor has the opportunity to tell you the price. "Most of these [managers] have leverage, they just don't use it."

With friends like these …

The old adage, "get everything in writing," is never more true than in negotiating a technology contract.
Too often, managers believe that what is said verbally will be upheld. This is not generally the case. It's important to make sure the warranty has everything the vendor offered in his sales pitch. That's where you're getting all the juicy things – the special perks offered to sell you the technology. If you don't, the vendor doesn't have to do anything at all. "They can just shrug their shoulders and say, 'sorry, we didn't say we would do that,'" said Gordon.

Many managers also make the mistake of thinking the vendor is a partner and will often give them information about budgets and products. It's like handing the vendor all your negotiating leverage, said Gordon. "Because they thought it was a buddy thing."

Time to say bye-bye

At some point, however, managers need to be comfortable with walking away from the table because the vendor is refusing to budge. What then? Gordon said managers need to establish a "risk matrix." Essentially, list items that you must have, as well as items you want but can live without. You have to be able to compromise, but there will be some things that are non-negotiable.

"Companies are invested so much into it, they're often not willing to back off," said Gordon, "and vendors know this and are going to use this." Big mistake, said Gordon. Managers should never sign a contract if they're not 100% comfortable with the terms. Managers should be willing to do battle if they have to and stick it out – if not, then walk away. A bad contract will always come back to haunt you, more than a failed negotiation. "Companies have to realize that in technology negotiations they have the upper hand."
This article originally appeared on

* Editor's note: A common sales tactic in Hong Kong is offering a "special" one-day-only price, forcing the interested person to make decisions rather too quickly and sometimes without the benefit of hindsight. This tactic is used both with consumer products and high-ticket items like property. Lots of sharks out there!

Best practices: making vendor pitches work for you

By Al Berg, CISSP

You get daily phone calls and e-mails from vendors claiming that your organization's data is at terrible risk – unless you buy their product. This best practices column provides seven ways to save you time and money while effectively managing vendor pitches.

Learn to say "no". You don't have to meet with every vendor who calls you with a new product or service. This may seem obvious, but a good salesman will be persistent in trying to get a face-to-face meeting, which may tempt you to agree just to be polite or to get them off your back. However, this approach wastes your time and the vendor's – what's more, spending time with unneeded vendors affects your organization's bottom line by keeping you from managing more pressing issues.

Set vendors straight. Sales folks are smart and don't like to take "no" for an answer. If they can't get a meeting with the people who are directly responsible for the area where their products fit, they may call around looking for a side door into the organization. When you get a call from a vendor pitching a product that falls under another department's purview, refer them to the correct department head.

Prepare the vendor for the meeting. Tell vendors upfront about your needs and expectations. At a minimum, let them know where you are in the decision cycle, and confirm whether or not funding has been allocated for potential use of their products. Identify who on your team will attend the meeting, what their business roles are and how familiar they are with the topics to be discussed. Specify how much time you can allocate for the meeting and find out if they will need any special facilities, such as an Internet connection or a data projector.

Get your pre-meeting paperwork in order. Discussing the logistics of potentially deploying security products and services typically requires you to share details with vendors about your organization's networks, systems and procedures. Consider having your legal department draft a joint non-disclosure agreement (NDA) that gets signed by officers of both companies prior to the meeting. Having an NDA in place early in the process protects both parties, and may encourage vendors to share information on future product development plans. Don't underestimate the time it will take to get an NDA signed – the legal folks at both companies may require multiple rounds of edits before they are ready to approve the agreement.

Prepare your team members via meeting invitation details. Your meeting invitation should include a two-sentence summary about the vendor and why you've invited them in for a chat. For example, "Acme Software is coming in to demonstrate their new security event management package, which correlates IDS alerts, firewall logs, vulnerability scans and syslogs. We are considering this product for use in the network operations center as part of the security monitoring upgrade project. The company's Web site is…"

Document the process. Assign someone from your team to take meeting minutes, including the names and contact information for all attendees, key points discussed and action items that need to be addressed after the meeting (i.e., unanswered questions from both sides). Circulate the meeting notes to all of the attendees from your organization shortly after the meeting.

Follow up with vendors and team members after the meeting. There are a number of tasks that you need to complete after the meeting ends. Ensure questions on both sides are answered and the information is distributed. Get feedback from the attendees: did the vendor's presentation make them want to proceed further? Did they note any items of special interest? Analyze the feedback and develop an outcome statement for the meeting, such as follow-up meetings, product evaluations or "don't call us, we'll call you." Clearly communicate the outcome to the vendor in a timely fashion.
These best practices will go a long way toward saving you the time and frustration caused by unsolicited vendor calls. The bottom line: understanding vendors' needs, and making them understand those of your organization, is key to developing a positive working relationship.

About the author

Al Berg, CISSP, is a technical director in the Corporate Information Security Department of a firm providing computer services to the financial services industry. Al has been in the information security industry for more than 10 years and has provided consulting services to major corporations and the U.S. Defense Department. Al has spoken at numerous industry conferences in the U.S. and Europe, and has published many articles on networking and security topics.

Security Tip: How to secure e-mail with S/MIME

By Michael Cobb

MIME (Multipurpose Internet Mail Extensions) is the most common protocol used for sending non-text files such as audio, video and images via e-mail, and is an extension of the original Internet e-mail protocol, SMTP. S/MIME (Secure MIME) is a version of MIME that adds RSA-based encryption and digital signatures, and has become the standard method for sending secure e-mail. S/MIME's strength is its ability to validate the identities of e-mail senders and recipients through digital signatures. It is supported by all the major e-mail programs such as Outlook, Outlook Express and Netscape Messenger. This makes using S/MIME fairly straightforward, particularly as the sender and recipient don't need to use the same S/MIME-compliant e-mail program, though browser-based e-mail accounts such as Hotmail don't yet support S/MIME.

In order to send an e-mail utilizing S/MIME you need a digital certificate. Your digital certificate allows you to sign your messages so that recipients can verify that mail claiming to come from your e-mail address really was sent by you.

When you send a digitally signed message, your digital certificate is sent along with the message so that the recipient can use it to verify that the message is from you and has not been modified. Anyone who has your digital certificate can then use the public key stored in the certificate to encrypt a reply that only you can read, by decrypting it with the corresponding private key installed on your machine. Likewise, if you wish to send an encrypted message to someone else, you must first obtain their digital certificate in order to use their public key to encrypt the message, so that only their private key can decrypt it.

Having to obtain someone's digital certificate in order to encrypt a message to them means that S/MIME is not really practical for a large organization wanting to send encrypted messages to thousands of clients. However, as S/MIME provides a high level of sender authentication, it is surprising that more organizations haven't installed a public key infrastructure or created an enterprise directory in order to implement S/MIME as a way to deter today's phishing attacks. If every message leaving a corporate mail server were signed with the organization's digital signature, recipients could easily identify fake messages, as they wouldn't carry a valid digital signature.

Thawte offers free, globally recognized personal e-mail certificates that are signed by its certification authority and are available at

If your organization runs Windows Active Directory, you can use the free Microsoft Certification Authority, which can issue certificates for domain users. If, however, your organization wishes to sign messages going to the general public, it may be better to get a certificate from a recognized Certificate Authority such as VeriSign or Thawte. Either way, you should take advantage of the 128-bit encryption levels now supported by e-mail programs.
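The sign-and-verify exchange described above, as an added example that is not part of Cobb's article: a POSIX shell script driving the OpenSSL command line to clear-sign a message, verify it against a trust anchor, and show that a message altered in transit fails verification. The sender identity (Alice Example, alice@example.test), the self-signed certificate and the message text are all constructed here; a real deployment would use a certificate issued by a CA as the article recommends.

```shell
#!/bin/sh
# Added example (not from the article): clear-sign a message with S/MIME,
# verify it against a trust anchor, and show that a modified message fails.
# Everything here is constructed: the "Alice Example" identity, the
# self-signed certificate and the message text are throwaway test data.
set -eu

WORK="${TMPDIR:-/tmp}/smime_demo.$$"
mkdir -p "$WORK"

# 1. A throwaway self-signed certificate and private key for the sender.
#    In production the certificate would come from a CA (a public one or an
#    internal Microsoft CA), as the article describes.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Alice Example/emailAddress=alice@example.test" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1
}

# 2. Clear-sign a plain-text body. The output is a multipart/signed MIME
#    message: the readable text plus an application/pkcs7-signature part
#    (the smime.p7s attachment a non-S/MIME client would show). The signer
#    certificate is embedded in that part, so it travels with the message.
smime_sign() { # $1 = body file, $2 = output .eml
    openssl smime -sign -text -in "$1" \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" -out "$2"
}

# 3. Recipient side: check the signature AND the signer's certificate chain
#    against a trusted certificate file. Prints "valid" or "INVALID".
smime_verify() { # $1 = signed .eml, $2 = trusted certificate(s)
    if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1; then
        echo valid
    else
        echo INVALID
    fi
}

# 4. Extract the certificate carried inside the message and report who signed.
#    -noverify here only skips the chain check for the extraction step;
#    trust is decided by smime_verify above.
smime_signer_subject() { # $1 = signed .eml
    openssl smime -verify -noverify -in "$1" -signer "$WORK/seen.crt" \
        -out /dev/null >/dev/null 2>&1
    openssl x509 -in "$WORK/seen.crt" -noout -subject
}

# 5. Walk through the exchange: sign, then simulate tampering in transit.
run_demo() {
    make_identity
    printf 'Q3 forecast (constructed sample). Classification: Confidential.\n' \
        > "$WORK/body.txt"
    smime_sign "$WORK/body.txt" "$WORK/signed.eml"
    # Change a single word after signing; the digest no longer matches.
    sed 's/Confidential/Public/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

run_demo
echo "original : $(smime_verify "$WORK/signed.eml" "$WORK/alice.crt")"
echo "tampered : $(smime_verify "$WORK/tampered.eml" "$WORK/alice.crt")"
echo "signer   : $(smime_signer_subject "$WORK/signed.eml")"
```

Open the generated signed.eml in a text editor to see the clear-text body followed by the base64 smime.p7s part that a webmail client would display as a plain attachment.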
If you wish to send S/MIME e-mail directly from a Web site, you can use AspEncrypt, available at

This is an Active Server component that can be used in tandem with AspEmail to send encrypted and signed mail. It also allows your ASP, ASP.NET and VB applications to issue and manage X.509 digital certificates.

It is important to remember that although S/MIME e-mail is transmitted securely, once it is decrypted and read by the recipient it can be copied or printed without limit, so always consider the nature and sensitivity of an e-mail's contents before sending it. You must also protect the private key associated with your digital certificate, as this literally is the key to your digital identity.

About the author

Michael Cobb, CISSP-ISSAP, is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.

Ask the Security Expert

Is there a way to use Digital IDs and certificates with webmail?

Unfortunately, this is not an option. In order to digitally sign or decrypt your messages, the private key (which is part of your digital ID) has to be installed on the PC you are using to access your webmail. Theoretically, this would be fine if you only accessed your webmail from your own PC. However, one of the main advantages of webmail is that you can access it from any Internet-connected PC. If you installed your digital ID on every public computer you used, you would soon find others using it to impersonate you. This would destroy the whole concept of a digital ID, as it is supposed to be "tied" to its owner. This is why current webmail programs, like Hotmail and Yahoo, are unable to handle digital certificates or encryption. So, for now you will have to use an e-mail program such as Outlook Express if you want to sign, encrypt and decrypt your e-mail.

If you read your e-mail using a Web browser, it is likely to simply ignore the certificate and just show an smime.p7s attachment. The e-mail displays like any other e-mail but you won't know that it has been digitally signed.

You don't have to store your digital certificate and keys on your PC's hard drive. You can use a floppy disk or other removable media, such as a USB key or smart card.
In the future, popular webmail services may be able to detect if your digital ID is stored on removable media and therefore allow it to be used. However, unless there is huge demand from the public for such a service, I doubt it will appear any time soon, even though it already exists for enterprise intranets and extranets. The latest version of Outlook Web Access supports S/MIME e-mail, for example. The user must either be using the PC that stores their digital certificate or activate the removable device on which it is stored to make the certificate available to the browser. For example, if you were using a smart card you would need to insert it into a reader and enter the Personal Identification Number (PIN) before the certificate could be used.

There are also mail applications for organizations that wish to exchange secure e-mail with external customers and partners who do not have certificates or S/MIME capabilities within their own e-mail applications, such as Entrust's Entelligence WebMail Center.

About the author

Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 10 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

Answers to quiz on spam and viruses

1. The cocktail really isn't a single technique. The term describes a mixture of techniques you or your antispam vendor use to determine whether or not a message is spam. A cocktail can have many components, including algorithms that look at content, protocol and headers, and external information, such as IP-based black lists.

2. "Better" is always a difficult term in IT.
The real answer is that you should run antispam at the point that makes the most sense for your organization, taking into account issues such as the handling of false positives Page 18 of 3
  19. 19. eGuide to Email Security in Asia SearchSecurityAsia and system performance. However, most antispam vendors have discovered that the closer to the Internet their product is, the better it can perform. This is because a direct connection between the antispam system and the spammer gives the system more information, including the real IP address of the sender and even some of the SMTP protocol behavior. If you push antispam towards the user's e-mail client, much of this information is lost or potentially obscured. However, depending on your tolerance for false positives and the actual e-mail load, you may find that some users prefer to have control at their local system or that local control is more appropriate. 3). You can assure that your antispam product has no false positives by never marking any message as spam. By increasing the false-negative rate to 100% (i.e., every single spam is missed), you are assured that no message will be accidentally called spam when it is not. However, as soon as you start to label messages as quot;spamquot; or quot;not-spam,quot; you are assured that there will be both false positives and false negatives. While many products have dropped their false positive rate to a very low level, none can truthfully boast that they have no false positives. Products often claim to have a lower false positive rate than they really do because of the inherent errors in the reporting of false positives. People tend to ignore quot;gray mailquot; false positives (such as messages from mailing lists that are not technically spam), and there is generally a bias to under-report errors in a product that is otherwise very satisfactory. 4). Every virus scanner has three answers: yes, no and quot;I don't know.quot; You need to include in your strategy a plan for dealing with messages that might or might not have a virus in them. 
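The three-valued verdict just described, as an added example that is not part of the original guide: a small Python attachment scanner (standard library only) whose scan() returns clean, infected or unknown, and a disposition() policy that quarantines the unknowns instead of silently delivering or silently dropping them. The detection signature, the expansion and nesting limits, and the helper that sets the "encrypted" flag bit on a zip member (flag only, no real password protection) are all constructed for this example; a production gateway would use its vendor's engine and limits.

```python
"""Three-valued attachment scanning for a mail gateway: every result is
clean, infected or unknown, and mail policy decides what happens to "unknown".
Constructed example; the signature and limits are placeholders, not a real engine."""
from __future__ import annotations

import enum
import io
import zipfile


class Verdict(enum.Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    UNKNOWN = "unknown"      # the scanner could not reach a conclusion


SIGNATURE = b"EXAMPLE-MALWARE-MARKER"   # constructed signature, not a real pattern
MAX_NESTING = 2                          # archives nested deeper than this are not expanded
MAX_EXPANDED_BYTES = 1_000_000           # refuse to expand archives declaring more than this
ZIP_MAGIC = b"PK\x03\x04"
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

# Policy: "unknown" is neither clean nor infected, so it gets its own action.
ACTIONS = {Verdict.CLEAN: "deliver", Verdict.INFECTED: "reject", Verdict.UNKNOWN: "quarantine"}


def scan(data: bytes, depth: int = 0) -> tuple[Verdict, str]:
    """Return (verdict, reason) for one attachment body."""
    if SIGNATURE in data:
        return Verdict.INFECTED, "signature match"
    if data.startswith(PGP_ARMOR):
        return Verdict.UNKNOWN, "encrypted content cannot be inspected"
    if data.startswith(ZIP_MAGIC):
        return _scan_zip(data, depth)
    return Verdict.CLEAN, "no signature match"


def _scan_zip(data: bytes, depth: int) -> tuple[Verdict, str]:
    if depth >= MAX_NESTING:
        return Verdict.UNKNOWN, f"archive nested deeper than {MAX_NESTING} levels"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict.UNKNOWN, "unreadable or unsupported archive"
    declared = sum(i.file_size for i in zf.infolist())
    if declared > MAX_EXPANDED_BYTES:
        return Verdict.UNKNOWN, f"archive declares {declared} bytes, over the expansion limit"
    for info in zf.infolist():
        if info.flag_bits & 0x1:          # general-purpose bit 0: member is encrypted
            return Verdict.UNKNOWN, f"encrypted member {info.filename!r}"
        try:
            member = zf.read(info)
        except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
            return Verdict.UNKNOWN, f"could not expand {info.filename!r}"
        verdict, reason = scan(member, depth + 1)
        if verdict is not Verdict.CLEAN:
            return verdict, f"{info.filename}: {reason}"
    return Verdict.CLEAN, "all archive members clean"


def disposition(data: bytes) -> tuple[str, Verdict, str]:
    """Map the scan result to the gateway action."""
    verdict, reason = scan(data)
    return ACTIONS[verdict], verdict, reason


# --- helpers that build constructed sample attachments in memory -------------

def build_zip(entries: dict[str, bytes], compression: int = zipfile.ZIP_DEFLATED) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_flagged_encrypted_zip(name: str, content: bytes) -> bytes:
    """Constructed: a one-member stored zip with the 'encrypted' flag bit set, so the
    scanner sees what a password-protected archive looks like. No real encryption."""
    b = bytearray(build_zip({name: content}, zipfile.ZIP_STORED))
    cd = b.find(b"PK\x01\x02")            # central directory header
    b[6:8] = b"\x01\x00"                  # local file header flags (offset 6)
    b[cd + 8:cd + 10] = b"\x01\x00"       # central directory flags (offset 8)
    return bytes(b)


if __name__ == "__main__":
    samples = {
        "plain text": b"Quarterly figures attached.",
        "clean zip": build_zip({"report.txt": b"nothing to see"}),
        "infected zip": build_zip({"invoice.exe": b"MZ" + SIGNATURE}),
        "pgp encrypted": PGP_ARMOR + b"\n...",
        "truncated zip": ZIP_MAGIC + b"\x00" * 20,
        "oversized zip": build_zip({"zeros.bin": b"\0" * (MAX_EXPANDED_BYTES + 1)}),
        "nested zip": build_zip({"a.zip": build_zip({"b.zip": build_zip({"c.txt": b"ok"})})}),
        "password zip": make_flagged_encrypted_zip("secret.txt", b"hidden"),
    }
    for label, payload in samples.items():
        action, verdict, reason = disposition(payload)
        print(f"{label:14} -> {verdict.value:8} {action:10} ({reason})")
```

The design point is that every branch that stops short of a full inspection (encrypted content, an archive the library cannot read, an archive that would exceed the expansion budget, nesting past the limit, a password-protected member) returns UNKNOWN with a reason, and the policy table turns that into a quarantine; a scanner that collapsed those cases into "clean" would deliver exactly the messages it never looked at.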
Some examples of messages that might show up as "I don't know" include encrypted e-mail, messages that cause the virus scanner to crash, or messages with archives that are not supported by the virus scanner or would otherwise exceed the time and space limitations in place for expanding e-mail.

5) It's true that e-mail addressed to invalid recipients is generally spam, because this is a common and heavily used spam technique. However, invalid recipients are also the result of spelling errors, from either new incoming e-mail (where the sender didn't know how to type a username or domain name) or replies where the sender made a 'fat-fingered' error. You can weigh the tradeoffs yourself, but it's important that you be aware of the consequences of simply deleting misaddressed e-mail.

TechTalk: FAQs on e-mail security policies
By Kevin Beaver

E-mail security policies are one of those must-haves for every organization, but not always as high on the priority list as they should be. Below are some of the frequently asked questions.

Who should enforce e-mail policy rules? Is it better to have more than one person do this, or department managers?

There should be a centralized security committee that's responsible for policy oversight. However, the policies should ultimately be enforced by the human resources department, which should be working closely with the various managers.

Our company has a very casual style. A formal e-mail policy would go against our company culture. How do we suddenly implement a policy like this when we've never been so formal?

The short answer is, if you need it, I think you can gradually ease into the policy by talking about what your e-mail systems and corporate assets are up against and then show the benefits of such a policy. Awareness is key to getting buy-in, especially in a smaller company.

How do you distinguish what is a policy and what is an invasion of privacy?

I strongly believe (and court cases have proven so) that for the most part, companies have the right to say what can and cannot be done on company time. I think you've got to be reasonable and fair and have a checks-and-balances system in place to make sure employees aren't getting picked on. This is definitely something everyone should candidly discuss with their lawyer and HR representative to make sure everything is in line.

What are some of the hidden costs to an e-mail security policy? What can my company expect to spend?
Managing the technology that helps enforce policies is probably the biggest issue. It's impossible to say how much a company will have to spend. Start simple at first and only buy into expensive solutions if necessary. Many small and midsize businesses don't have an in-house IT staff, so be sure to consult with an expert before you implement any software or service to ensure your time and money are well spent.

Should instant messaging be tied into an e-mail policy?

Excellent point! Yes, don't forget about instant messaging. It's essentially the same as e-mail in many respects – it just uses a different technology. So, you could incorporate IM and call your policies "messaging" policies.

I have a small, privately owned business with just a handful of computers, a network and basic Internet connectivity. What value will an e-mail policy add to my organization?

First of all, it's simply good business practice and the right thing to do. E-mail policies will show your customers that you take their information seriously. Your business partners will see that your organization is worth doing business with. Plus, they can keep you out of hot water if you end up with an HR issue on your hands. They can also keep you on the government's good side, if your business falls under one of the many state and federal regulations.

How much time will it take to create my e-mail policies?

Well, that depends on the size of your organization, the complexity of your information systems, and the outcome of your risk assessment, to name a few. Make sure you don't reinvent the wheel. There are many resources that can save you a ton of time. The actual process of creating policies really shouldn't take any more than a day or two. It's the preliminary and follow-up work that'll take more time. Remember, e-mail security policies are not just an IT issue; the process should involve other departments as well.

Who should I have review my security policies?

Preferably an unbiased outsider who has experience developing security policies. This might only take a day or two or could take a week or longer depending on the complexity of the policy. Consider it as you would a lawyer reviewing important contracts. It's not going to be inexpensive, but it'll be a very worthwhile investment given what's at stake.

What's the difference between an e-mail security policy and the security policy I have set up in my firewall that allows inbound/outbound email?

Great question. This often generates a lot of confusion. When working with firewalls, we talk about policies; a firewall policy is basically the business rules that permit or deny a specific type of traffic. This could be e-mail coming from or going to specific systems, such as SMTP for your e-mail server or POP3 for your workstations. A firewall policy is essentially the technical implementation of your overall written security policy or policies.

My business is considered a HIPAA covered entity. How many policies will it take for us to become compliant with the HIPAA security rule?

It's hard to say since this depends on your risk assessment. Again, you must do a risk assessment first to figure out where your weaknesses are and then write your policies accordingly. For HIPAA, you'll likely have one or more e-mail policies in addition to various other policies related to access controls, backups, passwords, etc.

Should my e-mail policy document be part of my employee handbook?

You should integrate your policy statement or statements (not your entire document) into your handbook and then refer to the full policy document for more information.

About the author
Kevin Beaver is the founder and principal consultant of the information security services firm Principle Logic, LLC, based in Atlanta, where he specializes in information security assessments and incident response. He has more than 16 years of experience in IT and is the author of several books on information security including Hacking For Dummies by Wiley Publishing.

This article originally appeared on

*Editor's note: For more learning guides, buyer's guides and Ask the Expert tips, visit the website at or sign up for your free weekly enewsletter.

Copyright 2008 Questex Media. All Rights Reserved.