Every time someone in your company or organization sends or receives email, they open up the possibility that infected messages are being distributed. Sooner or later, everyone experiences the results of not following adequate email security practices.
Every day someone’s system or entire enterprise community is being probed by hackers.
Administrators can prevent a lot of problems from happening by having and following some common best practices for email security. Some of those best practices include routinely publicizing a company’s email security policies. Just having email security policies in the first place is a step in the right direction.
You can’t expect end users to follow the rules when they are unaware of those policies or have forgotten them. You must educate and remind your end users of those policies on a routine basis. Maybe once a month, or maybe once every two months, will be sufficient to maintain a security-aware end user community.
Here then are some email security policies worth noting that any organization can document and use in their best business practices.
1. Steganography is the practice of hiding a message in plain sight inside a format that is used every day, such as email or bitmap images. Steganography can be used to pass intellectual property from inside a company to a particular person on the outside. An example would be a company working on a secret or proprietary piece of software that, while browsing the Internet, suddenly recognizes its own code posted in the open on someone else’s public website.
Your company or organization’s security practices and policies should include a software package that can identify steganography software. This anti-steganography tool should be able to scan systems in the same manner as an antivirus scanner looks for viruses.
Another way to counter steganography is to bring in a security company that can perform forensic analysis on bitmap images and email attachments.
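One of the simplest checks a forensic review of bitmap attachments performs is to compare what the BMP header declares against what is actually in the file: bytes appended after the declared end are never rendered by an image viewer, which makes the tail of an image a common place to stash data. The Go program below is an added example written for this article, not code from the article or from any product it mentions; the sample bitmap it builds is constructed inline, and the check only catches appended payloads (data hidden in the pixels themselves, for instance in the low-order bits, needs statistical analysis that this does not attempt).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// BMPReport is what the inspector returns for one file.
type BMPReport struct {
	DeclaredSize  uint32 // file size field from the BMP file header
	ActualSize    int    // bytes actually present
	TrailingBytes int    // bytes beyond the declared size (an appended payload)
	Suspicious    bool
}

// InspectBMP parses the 14-byte BITMAPFILEHEADER and compares what the header
// declares with what is on disk. Bytes after the declared end of file are
// ignored by image viewers, so a non-zero trailing count deserves a closer look.
func InspectBMP(data []byte) (BMPReport, error) {
	var r BMPReport
	if len(data) < 14 || data[0] != 'B' || data[1] != 'M' {
		return r, errors.New("not a BMP file header")
	}
	r.DeclaredSize = binary.LittleEndian.Uint32(data[2:6])
	pixelOffset := binary.LittleEndian.Uint32(data[10:14])
	r.ActualSize = len(data)
	if int(pixelOffset) > len(data) || r.DeclaredSize > uint32(len(data)) {
		return r, errors.New("header points past end of file (truncated or corrupt)")
	}
	r.TrailingBytes = len(data) - int(r.DeclaredSize)
	r.Suspicious = r.TrailingBytes > 0
	return r, nil
}

// BuildSampleBMP constructs a minimal, valid 24-bit BMP of the given size.
// It is constructed test input for this example, not an image from the article.
func BuildSampleBMP(width, height int) []byte {
	rowBytes := (width*3 + 3) &^ 3 // each pixel row is padded to a 4-byte boundary
	pixelBytes := rowBytes * height
	const headerLen = 14 + 40 // BITMAPFILEHEADER + BITMAPINFOHEADER
	buf := make([]byte, headerLen+pixelBytes)
	buf[0], buf[1] = 'B', 'M'
	binary.LittleEndian.PutUint32(buf[2:], uint32(len(buf))) // declared file size
	binary.LittleEndian.PutUint32(buf[10:], headerLen)       // offset of pixel data
	binary.LittleEndian.PutUint32(buf[14:], 40)              // BITMAPINFOHEADER size
	binary.LittleEndian.PutUint32(buf[18:], uint32(width))
	binary.LittleEndian.PutUint32(buf[22:], uint32(height))
	binary.LittleEndian.PutUint16(buf[26:], 1)  // colour planes
	binary.LittleEndian.PutUint16(buf[28:], 24) // bits per pixel
	binary.LittleEndian.PutUint32(buf[34:], uint32(pixelBytes))
	return buf
}

func main() {
	clean := BuildSampleBMP(2, 2)
	// A carrier file: the same image with bytes appended after the declared end.
	carrier := append(append([]byte{}, clean...), []byte("constructed hidden payload")...)
	for name, f := range map[string][]byte{"clean.bmp": clean, "carrier.bmp": carrier} {
		rep, err := InspectBMP(f)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: declared %d bytes, actual %d, trailing %d, suspicious=%v\n",
			name, rep.DeclaredSize, rep.ActualSize, rep.TrailingBytes, rep.Suspicious)
	}
}
```

Run it as-is and the clean file reports zero trailing bytes while the carrier reports 26; a file whose header claims more bytes than are present is reported as truncated or corrupt rather than silently scored as clean.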
2. You can now secure the email messages that you send to someone by using encrypted communications. The process works like this: I need your public key to send encrypted email messages to you, and you need my public key to send encrypted email messages to me.
To get the process started, you must first create your email message and then “digitally sign” it. Most email clients today have some method for digitally signing an email; there may be a delivery option or a pull-down menu that allows you to choose to “sign” the message. When a sender digitally signs their email message, they include their public key certificate. The recipient of the sender’s email can then store the sender’s public key information.
When the recipient of the digitally signed email wishes to send an encrypted email back to the original sender, they just need to select the “secure this email” option, which uses the previously stored public key. A receiver of an encrypted email message decrypts it using their own private key.
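The exchange just described, carried through in code, as an added example that is not part of the original article: Alice signs a message and attaches her public key, Bob verifies the signature and only then stores the key, Bob encrypts his reply under that key, and Alice decrypts it with her private key. The names, the messages and the key pairs are all constructed for the example. Two things to notice that the clicks in a mail client hide: the signature check proves only that whoever sent the message holds the private key matching the attached public key, so a real client also validates the attached certificate against a trusted issuer before storing it; and a real client encrypts a fresh per-message symmetric key with the recipient’s public key and seals the body with that key, whereas this example encrypts a short body directly with RSA-OAEP, which caps it at 190 bytes for a 2048-bit key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignedMail is the first step from the text: the body, a signature over it, and
// the sender's public key (PEM-encoded here; a real client attaches an X.509 certificate).
type SignedMail struct {
	Body, Signature, PublicKeyPEM []byte
}

// NewKeyPair generates a 2048-bit RSA key pair; one per mailbox in this example.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign hashes the body, signs the digest with RSA-PSS, and attaches the sender's
// public key so the recipient can store it.
func Sign(priv *rsa.PrivateKey, body []byte) (*SignedMail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	pub := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return &SignedMail{Body: body, Signature: sig, PublicKeyPEM: pub}, nil
}

// VerifyAndStore parses the attached key and hands it back for the recipient's
// key store only if the signature over the body verifies under that key. A key
// that arrives with a bad signature is never stored.
func VerifyAndStore(m *SignedMail) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(m.PublicKeyPEM)
	if block == nil {
		return nil, errors.New("no PEM public key attached")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("attached key is not an RSA key")
	}
	digest := sha256.Sum256(m.Body)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], m.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature does not verify: %w", err)
	}
	return pub, nil
}

// Encrypt is the "secure this email" step: the body is encrypted with RSA-OAEP
// under the stored public key. OAEP caps the body at 190 bytes for a 2048-bit
// key and returns rsa.ErrMessageTooLong beyond that.
func Encrypt(pub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
}

// Decrypt opens the message with the recipient's own private key.
func Decrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	alice, err := NewKeyPair() // Alice's key pair (constructed for the example)
	if err != nil {
		panic(err)
	}
	signed, err := Sign(alice, []byte("Hi Bob, this signed message carries my public key. - Alice"))
	if err != nil {
		panic(err)
	}
	alicePub, err := VerifyAndStore(signed) // Bob verifies, then stores Alice's key
	if err != nil {
		panic(err)
	}
	reply, err := Encrypt(alicePub, []byte("Hi Alice, only your private key can read this. - Bob"))
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(alice, reply) // Alice decrypts with her own private key
	if err != nil {
		panic(err)
	}
	fmt.Println(string(plain))
}
```

Tampering with the signed body makes VerifyAndStore refuse to hand out the key, a message encrypted for Alice does not open under anyone else’s private key, and a body over the OAEP limit is rejected rather than truncated.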
3. And one of my personal favorites is when you receive email from some “World” organization such as the International Monetary Fund (IMF) or the World Bank Auditors. The tease is the first line informing you that you have received some unimaginable amount of money, such as US$10,000,000.00, that, were it true, would change your life forever. I love the requisite misspellings – got to have those to make the email believable that it came from some third world country.
The catch, of course, is that they only ask you to send some small amount of money as a token of trust or to cover their transfer fees. Or they ask you to send them your full banking information and any form of identification with complete addresses, etc.
By now you’d think that most everyone within your organization would be familiar with these types of scams but sadly there is always someone who desperately wants to believe in their good fortune.
Your security policies should clearly state the pitfalls of opening emails from the “Barrister” of such and such a country or from the International Monetary Fund. And state in black and white that users must not divulge personal information or send money in any effort to receive a thousand times more in return.
The above security best practices are just a very small number of the many possible ways to have secure email.