More than just spam: The email security juggling act

Only those who have been living in a hermit's cave can possibly be unaware of the spam plague that is afflicting companies the world over. For good reason, spam is grabbing most of the headlines, but it is also a symptom of the wider problem of email security, in which hackers, spammers, fraudsters and virus writers are working ever closer together to compromise your systems.

In a relatively short time email has established itself as the main means of business communication, thanks to the ease, speed and low cost with which messages can be sent to colleagues and business partners around the world. It is now a mission critical application for most organisations.

Yet the very ease of communication that has been at the heart of email's success is proving to be a double edged sword, creating security issues that are testing the abilities of many an IT manager.

The bad news for these managers is that email is the most visible of applications: if email goes down, staff stop working and customers start complaining. Although rather tongue in cheek, a recent survey found that over a third of IT managers viewed the prospect of a week's email downtime as more traumatic than getting divorced.

The problem with SMTP

Many of the security problems around email stem from the Simple Mail Transfer Protocol (SMTP), which is used to deliver mail. Whilst SMTP has proved very effective at coping with the ever increasing volume of email traffic, it rests on a fundamental weakness: it trusts whoever connects to it. SMTP was conceived in 1982, at a time when the Internet was far less hostile and largely the realm of academics.

SMTP assumes email is delivered in a friendly and co-operative environment: it did not envisage email viruses planting trojans on user PCs, the hijacking of servers to send out nefarious spam or malicious Denial of Service (DoS) attacks.

As your SMTP server cannot know in advance where legitimate mail will come from, it must accept connections from anywhere on the Internet. Allowing free and open connections to the email server leaves it vulnerable to DoS attacks, where the server is flooded with so many invalid messages that it can no longer keep up with legitimate ones.

Spam plague

Meanwhile, the inability to determine the origin of SMTP connections to your mail server, and the absence of any way within SMTP to reliably verify a sender's identity, has had a particular significance for the rising tide of spam. Spammers forge 'from' addresses to hide their identity, since nothing in the protocol checks them, and hijack servers to use as relays for sending out large amounts of junk mail.

Allowing the relay of unwanted email, whether through a misconfigured or a hijacked server, consumes valuable server processing resources and bandwidth, delaying your legitimate messages. Your domain will look like the origin of the spam, doing little for your organisation's image, and will likely prompt other administrators to block all of your company's email.

Whilst open relays can result from a misconfigured server, spammers are also resorting to new tactics to compromise mail servers. A recent article in Windows .Net magazine shows how spammers are launching password-guessing attacks against well-known accounts to gain control of servers.

Dictionary or 'harvest' attacks are a further problem: attackers send large volumes of mail to guessed addresses at a target domain and watch which ones bounce. Any address that is not rejected is taken to be valid, so the bounces act as an oracle that lets spammers build a verified list of your organisation's email addresses.
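The relay and harvest problems described above come down to two decisions an MTA makes on every RCPT TO command: is this recipient one of ours, and if not, is this client allowed to relay through us. The following is an added example, not code from the article or from any product it names: a toy SMTP policy engine that replays a few constructed client sessions. The local domain, the trusted network, the mailbox directory and the threshold are all assumptions chosen for illustration. Note that the forged MAIL FROM in the first session is accepted without question, because SMTP gives the server nothing to check it against; the control has to sit on the recipient side.

```python
"""Toy SMTP policy engine showing why an MTA must not trust the connection.

Added example, not code from the article or from any product it names.
Everything here is constructed: the local domain, the trusted network,
the mailbox directory and the three sample sessions.  The two rules it
enforces are the ones a real MTA applies through its relay-control and
recipient-verification settings.
"""
import ipaddress
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}                        # we deliver for these (assumed)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # LAN allowed to relay out (assumed)
VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}   # constructed directory
HARVEST_THRESHOLD = 3   # unknown-recipient errors per client before we stop answering


class PolicyEngine:
    def __init__(self):
        self.unknown_rcpt = defaultdict(int)   # client IP -> count of 550 replies
        self.sender = None

    @staticmethod
    def _domain(addr):
        return addr.rsplit("@", 1)[-1].lower()

    @staticmethod
    def _is_trusted(client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in TRUSTED_NETS)

    def rcpt_to(self, client_ip, recipient, authenticated=False):
        """SMTP reply for one RCPT TO; this is where relay and harvest control live."""
        rcpt = recipient.lower()
        # Harvest throttle: once a client has probed too many unknown mailboxes it gets
        # a temporary failure for everything, so bounces no longer reveal valid addresses.
        if self.unknown_rcpt[client_ip] >= HARVEST_THRESHOLD:
            return "450 4.7.1 Too many unknown recipients, try later"
        if self._domain(rcpt) in LOCAL_DOMAINS:
            if rcpt in VALID_MAILBOXES:
                return "250 2.1.5 OK"
            self.unknown_rcpt[client_ip] += 1
            return "550 5.1.1 User unknown"
        # Recipient is not ours: relay only for the trusted network or authenticated users.
        if authenticated or self._is_trusted(client_ip):
            return "250 2.1.5 OK"
        return "554 5.7.1 Relay access denied"

    def handle(self, client_ip, line, authenticated=False):
        """Dispatch one client command line and return the server's reply."""
        upper = line.strip().upper()
        if upper.startswith(("HELO ", "EHLO ")):
            return "250 mail.example.com"
        if upper.startswith("MAIL FROM:"):
            # SMTP offers no way to verify this address, so it is simply recorded.
            self.sender = line.split(":", 1)[1].strip().strip("<>")
            return "250 2.1.0 OK"
        if upper.startswith("RCPT TO:"):
            rcpt = line.split(":", 1)[1].strip().strip("<>")
            return self.rcpt_to(client_ip, rcpt, authenticated)
        return "500 5.5.1 Command unrecognized"


def run_session(engine, client_ip, lines, authenticated=False):
    """Replay a list of client command lines; return the list of replies."""
    return [engine.handle(client_ip, line, authenticated) for line in lines]


if __name__ == "__main__":
    eng = PolicyEngine()
    # Session 1 (constructed): outside host with a forged sender tries to relay through us.
    print(run_session(eng, "203.0.113.7", [
        "EHLO spammer.invalid",
        "MAIL FROM:<ceo@example.com>",        # forged; accepted because SMTP cannot check it
        "RCPT TO:<victim@other.example>",     # 554: not our domain, untrusted client
    ]))
    # Session 2 (constructed): outside host probes for valid mailboxes (harvest attack).
    print(run_session(eng, "198.51.100.9",
          ["RCPT TO:<%s@example.com>" % u for u in ("aaron", "abby", "adam", "alice", "bob")]))
    # Session 3 (constructed): LAN host sends outbound mail, which is allowed.
    print(run_session(eng, "10.1.2.3", ["RCPT TO:<partner@other.example>"]))
```

In the second session the fourth probe, alice, is a real mailbox, but the client has already tripped the threshold, so it receives a temporary 450 like everything else and learns nothing from the difference in replies. Production MTAs express the same idea with per-client error limits and tarpitting rather than a hard counter, and the relay decision with an explicit list of networks and an authenticated-submission port.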

Virus threat

A major threat to any email system is that posed by viruses. The META Group estimates that some 80% of virus incidents are initiated by Internet-delivered email.

Worryingly for IT security professionals, there are also growing signs that viruses and spam, once parallel threats, are now rapidly converging. Viruses such as the particularly virulent Sobig-F are designed to turn infected PCs into zombies that bulk e-mailers can use to send unsolicited messages that cannot be traced back to them.

Whilst improved user education means that many are now aware of the danger of opening .exe attachments, many remain blissfully unaware that .scr, .pdf, .ppt and .vbs attachments can be just as dangerous.

If, however, you think attachments are your only worry, you need to think again. Because Outlook and Outlook Express use Internet Explorer's rendering engine to display HTML messages, any flaw in the browser can be triggered by a carefully crafted message without the user opening any attachment at all.

The dangerous payloads carried by modern viruses, combined with the hundreds of hours it can take the skilled staff to complete a virus cleanup of a large organisation, shows how important it is to get on top of the virus threat.

The enemy from within

Spammers, hackers and virus writers may be the high profile threats to your organisation but you should not underestimate the risk posed by the accidental or deliberate leaking of confidential corporate email to the outside world.

In 2002 Cisco was embarrassed when its financial results were inadvertently and prematurely distributed to thousands of employees, instead of one senior executive, in advance of being issued to the financial markets.

Then there is the problem of employees circulating inappropriate and offensive material. One of the first cases involving email in the UK saw a black secretary sue her law firm for sex and race discrimination after a solicitor sent an email requesting her to be replaced by a busty blonde.

The fact that unencrypted email is vulnerable to interception over the Internet has also prompted many organisations to ban the sending of sensitive information via email. Staff are now left with the choice of ignoring the policy, creating a security risk in the process, or resorting to other more expensive and less efficient means of communication such as couriers or face-to-face meetings.

Security foundations

So how do you respond to all of these threats? As every security professional knows, good security comes from consistently applied practice rather than products alone, and the foundation of good email security is a clear and effective email acceptable use policy.

According to security experts, a good policy needs to define and educate users on email usage rules: what should and should not be emailed, the use of personal email and what to do when faced with unfamiliar email attachments.

Email usage policies are commonplace but having your policy hidden away on a little used part of your Intranet or as part of the soon forgotten staff handbook is unlikely to raise sufficient awareness amongst users. Any policy should be backed up with training and enforced on a consistent basis.

A recent study by IRS Employment Review has shown that employers are getting the message and are taking the issue of email security and liability increasingly seriously. Almost half (45 per cent) of the UK employers surveyed had punished workers for breaching email or internet usage policies.

Keeping the enemy at the gates

Of course an effective email usage policy is only part of the security equation; vendors offer a plethora of technology solutions, both hardware and software based, that can be very effective at keeping the bad guys at bay.

Virus scanners on the email gateway have done much to help reduce the impact of email viruses, whilst spam filters are fast becoming essential to fight the rise and rise of junk mailing. More details on the problems of spam and some of the blocking methods available can be found in our special report 'Spam Wars: How to fight back'.

Policy management tools can help ensure that email policies are being adhered to - reviews of a number of policy management tools can be found here - whilst content filtering engines scan and analyse messaging traffic checking for inappropriate and offensive content, helping minimise the risks of legal action.

Attachment filtering can provide a further level of security by preventing the accidental or deliberate export of sensitive information. Blocking attachments by type and size is already common in many organisations, but it runs the risk of 'false positives', where valid messages do not reach their recipients, and of false negatives, since a filter that looks only at the file extension is defeated by simply renaming the file.
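The extension list in the virus section above and the type-based blocking described here share a weakness: the extension is whatever the sender chose to call the file. The following is an added example, not code from the article or from any gateway product, that checks the declared type against the file's leading bytes and against double extensions, so a Windows program renamed report.pdf or invoice.pdf.exe is caught while a genuine PDF passes. The blocked-extension list and size cap are assumed policy values; the sample attachments are constructed in-line.

```python
"""Attachment filter that checks the declared file type against the bytes.

Added example, not code from the article.  Blocking on the extension
alone is what most gateways of the period did; this version also looks
at the file's leading bytes (its magic number) and at double extensions.
All sample attachments are constructed; the block lists are assumptions.
"""

# Extensions refused outright (assumed policy; mirrors the types the article names).
BLOCKED_EXTENSIONS = {"exe", "scr", "vbs", "pif", "bat", "com", "cmd", "js"}
# Expected leading bytes for a few declared types (well-known magic numbers).
MAGIC = {
    "pdf": b"%PDF",
    "zip": b"PK\x03\x04",
    "ppt": b"\xd0\xcf\x11\xe0",   # OLE2 compound file, used by Office 97-2003 formats
    "doc": b"\xd0\xcf\x11\xe0",
    "png": b"\x89PNG",
}
PE_MAGIC = b"MZ"               # DOS/Windows executable header
MAX_SIZE = 5 * 1024 * 1024     # assumed size cap


def extensions(filename):
    """All extensions of a name, e.g. 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def verdict(filename, data):
    """Return (allowed, reason) for one attachment."""
    exts = extensions(filename)
    if len(data) > MAX_SIZE:
        return False, "too large"
    # Any blocked extension anywhere in the name, so invoice.pdf.exe is caught.
    if any(e in BLOCKED_EXTENSIONS for e in exts):
        return False, "blocked extension: " + ".".join(exts)
    # A Windows executable is refused whatever the name claims it is.
    if data.startswith(PE_MAGIC):
        return False, "Windows executable disguised as %s" % (exts[-1] if exts else "unknown type")
    # For types we know the magic of, the bytes must agree with the declared type.
    if exts and exts[-1] in MAGIC and not data.startswith(MAGIC[exts[-1]]):
        return False, "content does not match declared type %s" % exts[-1]
    return True, "ok"


def filter_attachments(attachments):
    """Apply verdict() to (filename, bytes) pairs; return {filename: (allowed, reason)}."""
    return {name: verdict(name, data) for name, data in attachments}


if __name__ == "__main__":
    # Constructed sample attachments; only the headers matter for the check.
    samples = [
        ("quarterly.pdf", b"%PDF-1.4 ..."),
        ("invoice.pdf.exe", b"MZ\x90\x00..."),
        ("report.pdf", b"MZ\x90\x00..."),
        ("deck.ppt", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1..."),
        ("screensaver.scr", b"MZ..."),
        ("notes.txt", b"plain text"),
    ]
    for name, (ok, why) in filter_attachments(samples).items():
        print("%-18s %s  (%s)" % (name, "ALLOW" if ok else "BLOCK", why))
```

The check closes the renaming trick, not the underlying threat: a genuine PDF or PowerPoint file that exploits a flaw in its viewer passes this filter, which is why the gateway still needs a virus scanner behind it.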

Meanwhile, the problem of secure delivery of sensitive information over the Internet by email can be addressed by the use of email encryption, although the complexity of this has been a factor holding back wide-scale deployment.

An integrated approach

But just as the spammers and virus writers are getting more sophisticated about their methods, many companies are finding themselves left with a patchwork of separate point solutions, responding to risks as they arise by adding a spam filter here and a virus scanner there.

Whilst dealing with multiple products and vendors does enable IT managers to select so-called best-of-breed solutions, the downside is that it creates an email environment that is complex and resource heavy to manage. Traditionally more complexity has also meant more risk.

The good news for IT managers is that consolidation seems to be taking hold in the email security market, with the acquisition of anti-spam vendor ActiveState by anti-virus company Sophos the latest in a growing trend.

Some security experts argue that single supplier products that offer multiple areas of protection are still too immature and a best-of-breed approach should not be sacrificed just yet.

Other analysts such as the META Group disagree, advocating that companies 'should minimize the number of vendors required for comprehensive email hygiene'. A recent study by Osterman Research has shown that over 70 per cent of organisations would also prefer email security solutions integrated into a single package.

At the moment, no one vendor can provide a magic silver bullet for email security, but a single supplier approach can make for speedier deployment and, if hardware based, can spare you the installation and compatibility problems that can occur when installing software on your own hardware.

Meanwhile, your administrators will have one interface to use and one point of contact for support.

Vendors, such as Tumbleweed and Borderware, are promoting the benefits of email firewalls.

These offer an integrated solution that, unlike traditional firewalls, can inspect the SMTP conversation itself and so protect against DoS attacks and spam relaying, and also offer a variety of other tools such as spam filtering, anti-virus, content filtering and email encryption.

Another vendor, FrontBridge, has taken a different approach by effectively placing an Internet-based screen in front of corporate email servers.

Corporate email servers are configured to accept email only from FrontBridge's servers, so spam and viruses are blocked before they can reach the organisation's email system.

Analysts at the META Group are predicting that by 2006 single-vendor consoles will handle denial-of-service attacks (e.g., mail bombs, buffer overloads), virus/spam protection, protection against harvest attacks, and content blocking.

Of course much can be done to improve email security by doing the simple things well: keeping patch levels up to date, making sure servers are correctly configured and users well educated.

Yet, whilst spam has put email at the top of corporate agendas, it also presents a good opportunity for companies to take a step back and look at how they can manage email security more efficiently and cost effectively.