A couple of previous corporate situations in France and Japan highlight the importance for companies to implement archiving systems. Email is the primary communication source for companies being able to track historical information. With both the Kerviel-Société Générale and Livedoor scandals, employee email and instant message archived records were critical to the companies as the scandals unfolded. This included executive communications, as well.

Both situations are reminders that these days electronic messages are a constant way of life for all business professionals. For company self preservation, it is important to keep track of commitments employees have made or have not been making on behalf of the organization. This is where archiving systems facilitate in maintaining message communications, while protecting a company’s business  interests.  As innovative new technologies, like the iPhone, move messaging outside the constraints of the traditional corporate IT infrastructure, an organization must strive to capture all instances of employees’ business related messages. This requires that archiving be taken out of employee’s hands.

A fake email supposedly coming from Deutsche Bank led the French bank Société Générale to realise that something was not kosher with transactions being made by a junior trader, Jérôme Kerviel. An investigation was initiated when bank management concluded Mr. Kerviel had exposed it to 50 billion euros of potential liability.  All of Jérôme’s messages stored by the bank came under scrutiny.

The New York Times previously reported “One top Société Générale executive informed investigators that Mr. Kerviel rarely used his office e-mail account. In 12 months he had only sent 60 messages from his corporate email account.  Apparently instant messaging was Mr. Kerviel’s primary business communication method of choice.” Referencing whatever electronic records that were available, the bank quickly responded to minimize its liability by making good on Kerviel’s outstanding trading positions.

During a thorough investigation, a key question that needed to be answered was whether Kerviel acted alone. The bank examined thousands of messages stored from the bank’s internal instant message system. This included communications some between Kerviel and a suspected accomplice, Moussa Bakir,  who was an employee at a company called Fimat. In one message that warranted particular attention, Mr. Bakir communicated to Kerviel, “You have done nothing illegal in terms of the law.” And at least one e-mail suggested that an assistant inside the bank had also helped Kerviel.

The outcome of the investigation was critical to the bank and its investors, as responsibility for the scandal was distributed. Had the bank not been archiving email and instant messages, its investigation and steps taken to minimize the damage would have been seriously hampered.

In the instance with Livedoor, an Internet service company in Japan, email message archives saved the company.   Livedoor, a popular web portal in Japan, became caught up in an accounting scandal that led to criminal prosecution of several executives, including the CEO. Executive email records figured prominently in the investigation. As an example, archived email messages indicated Livedoor executives deceived other business entities by offering to purchase stock the company already owned.

Although this situation gave Livedoor a big black eye, the company still survived through it. As an entity separate from the individuals who serve as executives, the company regrouped and pressed ahead as a viable competitor in the Japanese Internet market. It installed a new CEO who said, “When you’re a company with 2,000 staff and 200,000 shareholders, people expect some corporate responsibility.”

Livedoor received much unwarranted publicity from this situation.  A hard copy of an email circulated in Japanese politics pointing to evidence there was an attempt by the firm’s former CEO to use company funds for bribing top Japanese politicians. The company conducted an internal investigation of its records.  From that investigation the new CEO was able to publicly express skepticism that such a bribe took place. Archived records also allowed the company to prove the bribe allegations were not true.

So retrievable electronic communication records positioned the new CEO to deflect suspicion away from the company.  The bribe email was later proven to be fake. This scenario highlights how today’s competitive business environment dictates companies preserve email. Just as electronic archives can inform an enterprise about its commitments, they can protect it from false accusations and even eBlackmail.

Any questions?

Archiving is Insurance against eBlackmail

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Authentication of message integrity ensures no one has tampered with the message or modified its content. When authentication is requested, the Message Queuing runtime digitally signs the message when it is sent. Then the destination queue manager verifies the digital signature before it places the message in the destination queue. Once message integrity is established, Message Queuing verifies who sent the message.

The Authentication & Online Trust Alliance (AOTA) was established to create a trusted global online ecosystem and foster the elimination of email and internet fraud, abuse and cybercrime. OTA’s main goal is to  enhance trust, confidence and the protection of businesses and consumers.  Through their member companies, chapters and organization affiliates, AOTA represents over one million businesses and 500 million users worldwide.

To make good on its mission, the AOTA published the “Authentication Directory“.   This directory is a resource to assist companies in locating and working with companies that support leading forms of email and domain authentication.  While such authentication alone is not a silver bullet to counter online fraud and email abuse, it is a recommended best practice for all companies and email marketers.  Companies listed in the directory include mutual collaboration with Microsoft, AOL, Comcast, Netzero, Earthlink, Gmail etc.

The effectiveness of this directory benefiting marketers is based on better understanding the various email authentication methods being implemented.

• DomainKeys Identified Mail (DKIM) is a method for E-mail authentication, allowing a person who receives email to verify that the message actually comes from the domain that it claims to have come from. The need for this type of authentication arises because spam often has forged headers.

• Sender ID Policy Framework (SPF) allows software to identify messages that are or are not authorized to use the domain name in the SMTP HELO and MAIL FROM (Return-Path) commands, based on information published in a sender policy of the domain owner.  Microsoft provides a free Sender ID Framework SPF Record Wizard Tool.   This four-step wizard will guide you through the process of creating a new SPF record for your DNS domain.

• Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide security and data integrity for communications over TCP/IP networks such as the Internet.

How close does your comany come to using all of these authentication methods?  Which ones are working to secure email being received in the email users’ Inbox?

Is this email authentic?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

“Honeypots: Tracking Hackers“  is a solid primer to this very necessary technology, which becomes a powerful teaching tool.  It starts with a basic explanation of honeypots and the different trapping roles they can play.  The book moves on to deeper explorations of six kinds of real world honeypot configurations, which include Back Officer Friendly, Specter, HoneyD, Mantrap, Homemade Honeypots and Honeynets.

What really makes this book thorough is a chapter focused on legal issues surrounding honeypot use. Three legal experts actually contributed to this section of the book. Crucial areas covered are entrapment, privacy and organizational liability. The book leaves no stone unturned by covering the Fourth Amendment, the Electronic Communications Privacy Act, the Wiretap Act, and the Pen Trap Statute. All these important areas are covered from the angle of how each relates to implementations of honeypots.

This book is definitely aimed at many levels of honeypot knowledge, from beginner to advanced technologists.  With this book you will gain an understanding of honeypot concepts and architecture, as well as the skills to deploy the best honeypot solutions for your environment. You will arm yourself with the expertise needed to track attackers and learn about them on your own.  In addition to technology staff, security professionals, researchers, law enforcement agents, and members of the intelligence and military communities will find this book indispensable.

Lance Spitzner spends quite a bit of time, in several chapters, to cover honeypot maintenance and how to interpret the data analysis being captured. Spitzner places a decent amount of emphasis to point out that honeypots are not just one time setups that you throw out on to your network and wait for the arrival of attackers. Honepots require constant monitoring  and must be properly maintained.  Otherwise, a honeypot only provides a firm grip on an empty learning sack with no real education being accomplished. “Honeypots: Tracking Hackers” is a very timely and informative reference guide for all email administrators to keep within easy reach.

Hacker Security Honeypot Guide

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The benefits associated with archiving Microsoft Exchange email and associated data, creates many cost effective solutions. Archiving facilitates government regulatory or civil litigation searches for ediscovery requests. It also allows for more complete archive journaling, and provides storage benefits for both mailbox growth and the various storage devices that can be utilized.

Although lowering storage reduction costs is a common denominator for email archiving, compliance requirements are moving more companies to implementing archiving strategies. Depending on the motivation factors, cost savings on storage are subject to interpretation by different people.  For some people, compressing email could reduce licensing, as well as storage hardware costs.  For others it may mean creating a mailbox for end users, which has virtually unlimited space.

The majority of Microsoft Exchange Server archiving solutions have some form of compression that reduces the size of overall archived emails.  For an Exchange email administrator, an unlimited space mailbox really just means eliminating the user responsibility of being concerned about having to archive their email. This allows mailboxes to grow as long as there is more than adequate disk space real estate available to allow seamless expansion.  The limitations of unlimited mailboxes are usually determined by the archiving options provided by the archiving solution. According to the Ferris Research blog, Microsoft recommends against using stubbing techniques.  Microsoft further recommends using 3rd party email archiving solutions that allow configurations to move email messages completely out of the mailbox without leaving stubbing foot prints  inside the mailbox.

6 different stubbing techniques are provided below only for informational purposes, but are not best practices recommended by Microsoft.

1. Substitute body and attachment with a plain text Stub
2. Substitute body attachment with HTML Stub
3. Maintain plain text body only with deleted attachment
4. Maintain HTML message body only, with deleted attachment
5. Maintain HTML body and image with deleted attachment
6. Message attachment residing in the archives

Will your current archiving procedures or planned archiving solution meet all future email storage requirements?

Archive Stubbing Techniques Not Recommended

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Although we take email for granted, the use of email can easily get out of control for administrators. People rarely walk down to another office to have a discussion or idea exchange.  Writing an email that can be sent to multiple people with attachments slowly uses up massive amounts of hard disk space.

For any organization, this massive storage usage creeps up.  Savvy administrators keep an eye on these behind-the-scene scenarios that create this creeping storage nightmare:

• People are trying to maintain their position by copying everybody who’s anybody, which duplicates emails.
• People have that “pack rat” mentality and keep years worth of emails within folders. This includes the document attachments.
• Email box quotas attempt to manage disk space, but many staff find a way to circumvent this process to get approval to have their quota increased.
• The IT department gets tagged for managing high I/O hardware processing, whiling balancing backup storage costs.
• Let’s not forget the IT department’s added burden of trying to control bulging email data stores.

Email archiving helps eliminate these issues or at least implement controls for better storage resource manageability. There are various types of archiving solutions. For example, stubbing is often a key variable involved in the email archiving solution. Stubbing creates a pointer, which is maintained on the email server, such as Microsoft Exchange.  The original message and attachments is moved over to an alternate archive storage area. When a user wants to look up a historical email, the stub is referenced. Then that message is retrieved from archive. This provides the benefit of a reducing the size of the mailbox.

Although stubbing eliminates the problem of mailbox storage, over time problems can arise. Email stubs can actually cause server performance issues. This is caused by the increase in the number of messages and related stubs being pointed back and forth. This may result in stubbing being a finger in the dyke approach that does not curtail the growing email storage problem.

Other alternatives for facilitating archive storage of email includes:

• Eliminating personal folders. This removes the burden of users to maintain their own local email storage. No longer do users need to purge mailboxes to comply with quota limits and, since there are no local PST files, email performance is improved while reducing the risk of data loss.
• Trimming duplicate emails through single instance stores (SIS) reduces space taken up by multiple copies, which greatly reduces storage requirements.
• Instant access to archives without the need for quotas and stubbing. Users can store as much email as they like without incurring the performance hit that stubbing introduces.
• End user self-service allows continuous access to archived email. Content indexing allows email users to access all email, while providing improved searching capabilities.

Tips for controlling your archive storage system

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Maybe your email archiving and retention project is far off down the road, so in the interim period now might be a good time to organize email folders on your Exchange 2007 server. While you’re waiting or planning an archiving strategy, you can leverage the new features of Exchange Server 2007. The “managed folders” feature allows setting email limitations and retention rules. How about being able to prevent email users from storing messages in their Inbox longer than a specified time period? This feature can also be used to make sure messages in other locations are retained for a certain period of time.

Other options with Exchange 2007 server allow for controlling how messages related to a particular topic are retained for a specific amount of time. You will need to combine managed folder capabilities with other Exchange 2007 email tools, such as transport rules, quota limits, and defining public folders to create an automated retention process.  You can also set email archiving rules.

Before automating email storage quota limits and retention periods on Exchange 2007 mailboxes and folders, we must set up managed folders. As an example, the first step is to use, let’s say “Project XYZ” as an example to create a manage folder.  This allows email users to store messages related to that specific project in a particular folder where the messages will be safe from deletion or archiving for five years.

So now we proceed with the creation of a folder that will be used to store all messages related to “Project XYZ” :

1. Open the Exchange Management Console. Navigate through the console tree to Organization Configuration > Mailbox
2. Select Mailbox.
3. Click the New Managed Custom Folder link in the Actions pane to launch the Managed Custom Folder wizard.
4. On the wizard’s initial screen, enter a name for the managed folder that you are creating. For the purposes of this practice session, name the folder Project XYZ.
5. Click New to create the folder.
6. When Exchange 2007 completes the creation of the “Project XYZ” folder, click the “Finish” button. The folder “Project XYZ” that was just created will now be listed on the Managed Custom Folders tab.

Exchange as a Temporary Archive Solution

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Started in 2005, the Electronic Discovery Reference Model (EDRM) Project was created to address the lack of standards and guidelines in the electronic discovery market.  EDRM is a great reference tool to develop guidelines and standards for ediscovery consumers and service providers.  EDRM helps reduce the cost, time and manual work associated with ediscovery.

Referencing the  accompanying EDRM diagram on their web site, the 8 areas lay out a structured foundation for facilitating the implementation of an archiving software solution.  This makes life easier with providing all the players standard guidelines, as part of the archiving and information retrieval process related to legal and government requests.

We will cover a cursory overview of EDRM.

Information Management
Getting your electronic house in order to mitigate risk and expenses should electronic discovery become an issue. This covers the initial creation of electronically stored information all the way through its final disposition.

Identification
This refers to the process of learning the location of all data which a company has a duty to preserve and potentially disclose in an upcoming  legal proceeding.

Preservation
Preservation for electronic discovery has become a complicated, multi-faceted, steadily-changing concept in recent years.  Certain suggested standards and guidelines have been emerging to provide checklists for those preparing to respond to electronic requests for production.

Collection
The acquisition of electronic information, which is  tagged as potentially relevant in the identification phase.

Processing
Electronic discovery processing must accommodate a wide variety of unstructured data, handle each form in a manner appropriate to its file type, and generate output that is structured in accordance with review requirements that often vary from one law firm to the next.

Review
At its most basic level the document review is used to sort out documents the company will actually provide and privileged documents that will be withheld.

Analysis
During this process, important knowledge for a case can be discerned from the large body of collected documents and email messages.

Production
With the unprecedented increase in the amount of electronic data that is being created and stored in the corporate environment, there has been a corresponding increase in focus on how that data that has been collected and reviewed is ultimately produced in civil litigation and regulatory investigation

Presentation
Displaying electronic information in front of audiences (i.e. depositions, hearings, trials, etc.), especially in native or near native file formats.

For more details on EDRM visit the Electronic Discovery Reference Model Project web site.

EDRM Guides Archive Strategy

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

No matter how email users may complain, friendly reminders regarding email security protecting company information assets are part of the ongoing education process.  Email users quickly forget that the company owns the information within each email account. The email system is owned by the company, not the email user. This also implies that it’s up to each person to ensure that their email account is always secure. People lazily create passwords that are familiar and easy to hack.

Email administrators are the gate keepers to ensure email accounts are kept secure.  Sometimes this requires setting up secure procedures, which appear to be an inconvenience to the end user community. So forcing 8 character passwords, instead 6 character passwords can make all the difference.  The inconvenience is minimal compared to thwarting password dictionary attacks or brute force attacks.

Raising the security wall also calls for insisting people use pass phrases, rather than passwords.  Choosing a simple password typically makes a dictionary attack easier for the account hacker.  People take the path of least resistance by selecting names of pets, kids, spouses, birthdays, house address or basically something that ends up being an extremely poor password choice.

The success of a dictionary attack is improving because hackers are smartly using large dictionaries and combining them with foreign language dictionaries. The addition of technical dictionaries increases the chance of hitting on the correct password.  Another way dictionary attacks are successful is variations in manipulating word strings within each dictionary.  For example, a hacker will spell dictionary words backward and forward.

Considerations to Minimize Brute Force Attacks

• Force people to enter a longer length password or phrase (8 to 10 characters)
• Allowing the pass phrase to contain characters other than numbers, such as *,  # or $
• Lock the account after 5 failed login attempts

A brute force attack will always succeed, eventually. The deciding factor with brute force attacks will be systems with sufficiently longer pass phrase combinations, which could require years to complete.

Raising the Security Wall Higher

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Before the email archiving software selection process starts or any implementation meetings begin, something more important must occur first.  Quite a few questions regarding email retention policy must be answered.  This is a difficult, but very necessary process. It will be time well spent, while making the implementation of an archiving solution much smoother.

What are the company’s current document retention policies? If there aren’t any policies, now is the time to establish how long and how far back email documents should be stored for immediate retrieval.  If there are established retention policies, a review of what works and what doesn’t is required. Does anything need to be modified?  Are policies that worked previously, appropriate for the current business climate?

Other driving factors that dictate retention policy is regulatory and eDiscovery requirements. Depending on a company’s industry, Sarbanes-Oxley will impact decisions for document retention periods. So a review of how the company currently handles these requirements must be performed.

Now is the time to review current manual or semi-automated retention procedures. This allows for early adjustments and modifications. If current retention and retrieval processes are outdated or inefficient, an archiving solution will only automate the same ineffectiveness.

Certainly, it’s easy to say “we need to keep everything”.  In the early stages of implementing retention policies, this might be an acceptable temporary place to start.  Anything is better than nothing.  At some point, there has to be a balance between specific retention periods and realistic storage requirements being be put in place.

Consider retention alignment for all current document management and communication policies.  If email is kept for 4 years and other documents are kept for 7 years, there could a serious misalignment that produces a negative impact.  If any eDiscovery requests come up, a company could be liable for producing 7 years of email, if other internal document management systems retain information for 7 years.

Identify which departments are responsible  owners of retention policy compliance. Does the ownership for storing and retrieving historical email lie with one department or is it interdepartmental? There is too much at stake to expect the IT department to take sole ownership.  Beyond the legal department, there may be departments that have specific compliance specifications for document retention.

Taking the time to tweak or implement retention policies is worth the effort. When an archiving solution is introduced, this prep work facilitates a company realizing immediate benefits in a shorter period of time.  Misunderstandings, miscommunications and confusion are eliminated when eDiscovery or regulatory requests are initiated.

What is Our Email Retention Policy?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

One reason organizations implement honeypots is to identify malicious botnets.  A honeypot, which is a fake network, is designed to attract and analyze botnet activity. In order for the honeypots to educate us with data, we need to develop a better understanding of how botnets achieve their missions. Let’s review potential activities performed by some of the various types of botnets.

1. Distributing Malware
Many times botnets are used to quickly distribute new bots on open networks. For our botnet friends this is actually not very hard to accomplish. The reason this is easy is due to bots being able to potentially implement scripts for downloading and executing any file via HTTP or FTP. This is exactly how email viruses are spread using a replicating botnet. In a very short period of time a self replicating botnet can hook into 10,000 computer hosts. This sets up a staging platform for exponentially spreading a mail virus around the world, in a very short period of time.

2. Eliminating Competition with Google AdSense
Companies pay Google a pay-per-click fee for each time their ad receives a mouse click. These clicks are supposed to increase traffic to a company web site, which should result in more sales. Companies on a limited budget can potentially go broke, if the number of clicks on their Google ad is more than the actual sales generated. It is a known fact that unscrupulous companies have previously eliminated competition by artificially inflating their Google ad sense clicks. This type of attack leverages botnets to automatically and continuously click on these Google advertisements. Google has since implemented security measures to makes this type of botnet attack infrequent.

3. Large Scale Identity Theft
Botnets can quickly generate those famous phishing emails.  So large numbers of people are fooled into visiting bogus web sites, because the emails appear to be from legitimate companies (i.e. Paypal, eBay).  These botnets kick out massive amounts of emails to lure people into going online to submit personal information. These fraudulent emails are created and sent by bots via a programmed spamming algorithm. These same bots can also host multiple fake brand name websites to harvest identity information. Just as quickly as one of these fake sites is shut down, another one can pop up.

4. Traffic Sniffers
Using a legitimate packet sniffer, bots can search for interesting clear text (unencrypted) data being passed back and forth by a compromised computer. These sniffers are solely focused on retrieving sensitive information, such as user name and password. The data found through this sniffing process can also stumble across other interesting information. If a computer is compromised multiple times, while also being a host for more than one botnet, data packet sniffing can also allow for gathering additional sensitive information from another botnet. So it’s possible for one botnet to steal from another botnet or even take over that botnet.

5. Keyloggers
If the compromised machine uses encrypted communication channels, such as Secure POP3 or HTTPS, simple botnet sniffing of network packets on a target computer will not work. The reason why sniffing will not work is the appropriate decryption key for the packets is unavailable. Of course there are other bots that do offer features to provide a malicious work around in this situation. With the help of keylogger bots retrieving sensitive information is now a piece of cake for attackers. On top of that bots can be programmed with a selecting filtering mechanism that looks only for certain of key strokes. For example the bot can be programmed to look for key strokes sequences near the keyword “ebay.com”. This expedites stealing what people may believe to be secret information. Now imagine this single keylogger botnet running on thousands of infiltrated computers. Then throw in the fact these computers are all running simultaneously to quickly retrieve personal account information to harvest back to the initiating attacker.

5 Lessons that Botnets teach Honeypots

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Many organizations implement the use of serial naming procedures for individual host servers. In most cases, access to these servers is through a single well known host name which uses some kind of load balancing or round robin allocation of web traffic to direct customer requests to each individual host.  This round robin technique can also be used for balancing the load of  email servers.  So clustered email servers are just as much at risk with using serial host naming.  For example, responding to a well known name www.supersales.com there could be 3 individual hosts called www1.supersales.com, www2.supersales.com and www4.supersales.com.

Problems with the foolish adoption of a serial host naming convention lie with the probability that hackers will eventually cycle through individual host names in order to discover forgotten or insecure hosts. Many times an organization may have many “load balanced” hosts typically available through a well known host name or URL. Some of these hosts may not be configured as well as the others. So a hacker can use the individual hosts name to connect directly to the server. There is a good chance these attempts can potentially compromise the weaknesses of one or more servers.

Trouble is just around the corner for security beaches, if a serial host naming convention is implemented by an organization. It is a very simple process for a hacker to serially cycle through probable host names. The goal is to potentially uncover server hosts that may have been removed from service (i.e. available through the main server URL).  So organizations should not use a host naming policy that makes it easy for an attacker to discover non-public servers.  For example, a hacker identifies that there are two public servers called cadillac.supersales.com and volkswagen.supersales.com. It does not take a rocket scientist to figure out they can try other car manufacturer names to uncover additional non-public hosts.  So the use of popular beer names, the seven dwarfs, countries, cartoon characters, super heroes, car manufacturers and colors etc. should not be used.

A proactive defense is recommended:

• Don’t even think about using sequential or closely related server host names. Only lazy administrators implement serial naming convention to make server names easier to remember for maintenance purposes.
• Use individual unrelated names for server hosts.
• Do not provide Internet accessible forward or reverse DNS entries for hosts that do not actually require named access over the Internet. Access to these hosts can be maintained through appropriate load balancing schemas and address translation.
• Ensure the management of authoritative DNS servers is performed correctly. This ensures only authorized hosts appear within the public DNS entries and the DNS server is correctly configured to disallow zone transfers.

Serial Host Naming is Dopey

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Today, most enterprises turn to Email Archiving and Management (EAM) to reduce costs and control information overload. With digital information, specifically email and messaging mushrooming faster than most enterprises can manage it, EAM projects have become a cost of doing business. EAM is fast becoming a business necessity.

The “Email Archiving and Management Report“,  published by CMS Watch, provides a clear strategy for your implementation team.

The domain of EAM is broad enough to touch multiple areas within your enterprise, including both technical and business departments. Managers have several common reasons to justify applying EAM technologies:

• To be proactive with legal requests and ediscovery requests
• To be in compliance with local governing requirements regarding information management
• To improve the performance of their e-mail environment (Exchange, Notes, or Groupwise)
• To reduce email volume on servers to reduce the need to buy more licenses
• To provide back up and disaster recovery for their e-mail system
• To improve storage management costs and needs

The marketplace keeps finding new reasons for applying EAM technologies. Compliance, for example, is a relatively new rationale. Traditionally, the sales and buying processes focused on systems management and storage requirements.

Most firms deploy EAM to address a single need, rather than meeting a range of needs to fully leverage the breadth of EAM offerings. In some cases, enterprises deploy EAM simply to provide a back up to an Exchange Environment; others use it to regulate and monitor the messaging of a particular subgroup within the organization.

While most enterprises deploy EAM related applications for a specific need or activity, all of these systems offer quite broad capabilities beyond their core focus elements. Some capabilities span across industries or  provide a more general purpose.

Many of these offerings have a lot in common as they respond to the market’s growing need to meet ever more complex requirements. In order to survive, most enterprises today depend on high volumes of email running efficiently through their system. Virtually all enterprises require that messaging be a part of the underlying IT infrastructure. Many decision makers describe systems such as Microsoft’s Exchange as the single most important communication and business application within their operation.  For these reasons email archiving and management solutions must be carefully implemented.  Email communication cannot be disrupted.

Applying Email Archiving and Management Technologies

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Although a bit dated, a white paper titled “The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks“  provided many security lessons which are still appropriate today. This white paper was the result of a honeynet implemented at Georgia Institute of Technology.

Two or more honeypots on a network form a honeynet.  A Honeynet is a network, placed behind a reverse firewall that captures all inbound and outbound data. The reverse firewall limits the amount of malicious traffic that can leave the Honeynet. This data is contained, captured, and controlled. Any type of system can be placed within the Honeynet, to include those systems that are currently employed on the network that the Honeynet is intended to protect. Standard production systems are used on the Honeynet, in order to give the hacker the look and feel of a real system. A Honeynet is a network that is intended to be compromised, to provide the system administrator with intelligence about vulnerabilities and compromises within the network.

Some of the lessons realized:

1. Start Small – If you are going to install a Honeynet within your enterprise, start small. Begin initially with a single machine and operating system that you are familiar with installed behind the reverse firewall. This will allow you to begin to understand how to analyze the data that you will receive on the Honeynet. You will also be able to fine tune your configuration. The more machines that you have, the more data you will most likely receive going to and from the Honeynet.

2. Maintain good relations with your enterprise administrators. Inform your network administrators of the types of exploits that you are seeing. In some cases, they will already be aware of these exploits, but in other cases, you will have been the first person to notice them.  The enterprise administrators should benefit from your efforts since they most likely provided you with the range of IP addresses that you are using for the Honeynet.

3. Focus on attacks and exploits originating from within your enterprise network. Theses are the attacks that can do the most damage to your enterprise. Inform your enterprise administrators immediately of these types of attacks since they indicate machines that have already been compromised within the enterprise.

4. Don’t publish the IP address range of the Honeynet. There is no need to do this. Hackers and worms are constantly scanning across the Internet for machines to exploit. You Honeynet will be found and attacked.

5. Don’t underestimate the amount of time required to analyze the data collected from the Honeynet. This data must be analyzed every day. You will be collecting lots of information and it must be analyzed to provide any benefit. Most attacks take seconds to compromise and take over a vulnerable system. It can take weeks to analyze and document such an attack.

6. Powerful machines are not necessary to establish the Honeynet. The Georgia Tech Honeynet did not use state of the art machines and it functioned as intended.

Six Good Lessons taught by Honeynets

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Archive solution implementation dictates that the project management team balance 3 variables:

1. Archiving solution still facilitates the day to day business operations, in-line with the company mission.
2. Meet regulatory requirements and minimize turn around time for legal document requests.
3. Provide flexibility to maintain service level agreements with email user community.

With his paper on “Deep Dive Into Email Archiving Products“,  Stephen Foskett displays obvious experience in the archiving arena.  This paper is a result of Stephen working as a vendor independent storage consultant to end users for over 10 years.   Stephen has also been a feature writer for industry publications, such as TechTarget’s “Storage Magazine“. He has taught full day seminars on storage virtualization.  In 2008 Microsoft awarded Stephen Foskett MVP status in the area of File System Storage.

Stephen’s document explains essential attributes of email archiving solutions. These attributes aid in managing mail server growth, meeting compliance standards, and managing system usage.  Archiving solutions must consider that it is still “business as usual” with email service level agreements (SLA).  The IT department must still ensure email systems are continuously running throughout the entire archive solution implementation.

The biggest question becomes “Why Archive Email“? Some of the variables in answering this question include:

1. Considering the management of mail server growth. This falls into the responsibility of the IT department, who usually wants to control email system data growth.  With storage and capacity in mind, key features for the IT department are stubbing and compaction of files.
2. Provide an archiving infrastructure that addresses compliance and legal requests for information.  Decisions must be made for legal or business needing a record of email. So considerations for email record completeness and being able to do searches are extremely important.
3. Managing system usage goes to the heart of considering everyday business operations. Along with this management and users will want enhanced access to historical information. So the archive system should provide flexible, easy to use interfaces

Up front, the archive project team must define a complete requirements document to include:

• Business Requirements
• Response time processes for legal requests for information
• Regulatory Compliance
• Cost Reduction
• Balancing functional against technical requirements
• Considering whether the system will interface with clients
• Classifying messages based on organizational requirements
• Managing long term growth storage capacity
• Balancing performance with scalability

Other questions addressed in Stephen Foskett‘s document are:

• Can the archive solution guarantee every message is captured?
• Will Legal be happy with the output?
• Does it single-instance entire messages or attachments separately?
• What type of audit/access logs does it produce?
• Can it create chain of custody reports? Bates numbering?

Why should you archive your emails?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Today the United States Computer Emergency Readiness Team (US-CERT) updated their website regarding the potential of rogue SSL certificates being generated.  US-CERT is part of the United States Homeland Security Agency. This alert is based on a report that identified a vulnerability in the Internet Public Key Infrastructure (PKI) used to issue digital certificates for secure websites. As an Internet standard, MD5 has been employed in a wide variety of security applications, and is also commonly used to check the integrity of files. The authors of the report provided a proof of concept by executing a practical attack scenario and successfully creating a rogue Certification Authority (CA) certificate trusted by all common web browsers. This certificate allows the authors to impersonate any website on the Internet, including banking and e-commerce sites secured using the HTTPS protocol.

The report further explained how the authors’ simulated attack took advantage of a weakness in the MD5 cryptographic hash function that allows the construction of different messages with the same MD5 hash. This is known as an MD5 “collision”. Previous work on MD5 collisions between 2004 and 2007 showed that the use of this hash function in digital signatures can lead to theoretical attack scenarios. Our current work proves that at least one attack scenario can be exploited in practice, thus exposing the security infrastructure of the web to realistic threats.

The US-CERT also issued a “Vulnerability Note“. The impact of this security issue is that an attacker can construct forged data in a variety of forms that will cause software using the MD5 algorithm to incorrectly identify it as trustworthy. Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.

Microsoft addressed concerns by responding to this report.  Microsoft stated “it was not aware of specific attacks against MD5. So previously issued certificates that were signed using MD5 are not affected and do not need to be revoked. ” Microsoft further stated that “most public Certificate Authority roots no longer use MD5 to sign certificates, but have upgraded to the more secure SHA-1 algorithm. Customers should contact their issuing Certificate Authority for guidance.”

Microsoft Calms SSL Security Alert

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The “Electronic Discovery Law Blog” published by K & L Gates provides detailed information for plotting an archiving course.  Rule 26 is an amendment to the United States Federal Rules of Civil Procedure (FRCP). This rule covers the discovery of “electronically” stored information. Hence, in walks eDiscovery for email archiving.  Rule 26 sets the stage for magnifying why companies need to get with the program for implementing archiving solutions. A video by comedian, John Cleese, offers sound advice on the seriousness of Rule 26.

A couple of areas Rule 26 covers:

1. Electronically Stored Information from Sources that Are Not Reasonably Accessible
Amended Rule 26 creates a two tiered approach to the production of electronically stored information. It makes a distinction between information that is reasonably accessible and that which is not. Under this section of Rule 26, a company receiving a legal request for information does not necessarily have to produce it. Requested information does not have to be produced, if  electronically stored information from sources that it [a company] identifies as not being reasonably accessible because of undue burden or cost. If the requesting legal entity tries to compel discovery of such information, the company must show the information as being not reasonably accessible because of undue burden or cost. Once a company proves this request is unreasonable, a court can only order discover for good cause, subject to the provisions of Rule 26.

This two-tier system seeks to provide a balance. It provides an equitable approach to resolve the unique problem presented by electronic stored information:

• Information that may be located in a variety of locations with different types of access.

• Information from more easily accessible sources.

This provision for Rule 26 received a great deal of attention during the public comment period. The Rule 26 Advisory Committee made substantial changes to both the proposed rule and to the accompanying comments. This addressed the public concerns voiced, while balancing the interests of both requesting and responding eDiscovery parties. The responding company receives protection from being forced to tap hard to access sources. This covers instances when retrieving information or determining the presence of responsive content cannot be achieved without incurring a substantial burden or cost. The requesting legal entity benefits from knowing the sources of the responding organization does not intend to search, but has a method of obtaining this information if it is truly warranted.

2. Asserting Claim of Privilege or Work Product Protection After Production
This part of Rule 26 establishes that company information be destroyed once court processing is completed. This protects the company.  It can claim their corporate electronic data is privileged information and can assert a protective right to ownership of this material. The rule further provides that the company being asked to produce the electronic information must establish the privilege or work product claim. Then notify the receiving parties of the claim and the grounds for it. The legal requesting entity  must return, sequester, or destroy the specified information. The FRPC Committee notation clearly states that Rule 26 does not address whether the privilege or protection is waived by the production of information. This part of Rule 26 simply prohibits the receiving party from using or disclosing the information. It also requires the producing party to preserve the information, until the claim is resolved.

If this still seems unclear, feel safe in the knowledge this is the English translation of Rule 26.  All the more reason to include your legal department when implementing an email archiving strategy.

eDiscovery FRCP Rule 26 – Can your company comply?

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

So your company is still sitting on the fence about implementing archiving software for proactive eDiscovery.  Will the global financial crisis become your company’s wake up call for eDiscovery solutions?

As world economic events unfold, it’s becoming painfully clear that archiving software is not just for financial institutions that must follow corporate or government compliance regulations.

Laid off employees are filing record numbers of wrongful termination law suits. According to the The Denver Post labor and employment lawyers are warning that a tidal wave of wrongful-termination lawsuits is expected in the coming months as the jobless burn through their savings, run up debt and find few work prospects in the worst economic downturn in decades.

Attorneys specializing in labor law say they haven’t been this busy since the late 1980s, as strapped corporate clients seek their counsel on how to reduce staff without inviting litigation.

“Unfortunately, we’re doing a lot of that lately. Nobody is immune,” said Jay Krupin, who leads the labor and employment practice at Epstein Becker Green’s Washington office.

Krupin walks clients through a checklist of laws and company policies that need to be considered in identifying positions to be eliminated, including notification requirements, severance-pay provisions and a “disparate impact analysis” to guard against terminating those in a protected class who might have grounds to sue.

In the middle of these upcoming litigation storms will be a company’s ability to strategically position itself for historical email retention and expeditious retrieval of email document attachments.

In the long run, the cost of eDiscovery and risk can be lowered by implementing email archiving software for quicker responses to legal requests for information. One of the key components with eDiscovery requests is being able to follow threaded conversations. A person sends an email. A couple of people reply back. Maybe there are 4 or 5 more email volleys with the same or different people responding back and forth. And that is only one email thread.  Archiving software makes it much easier to track and retrieve hundreds of multi-threaded email conversations.

Now is the time to implement an archiving solution before it it’s too late. Bite the budget bullet. Do it now, before you have to.

Archiving Software Key to Global Financial Crisis

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

A report submitted to Congress on improving national cyber security is right on time, as U.S. President elect Barrack Obama prepares to assume his official duties in January 2009.

The Chicago Tribune reported that earlier this month, Center for Strategic International Studies (CSIS) Commission delivered a “Securing Cyberspace for the 44th Presidency” report to Congress. Recommendations in the report call for the creation of a new White House office that would guard the United States against computer attacks from hackers and foreign governments.

According to the commission, “unknown foreign entities” in 2007 hacked computers at the Departments of Defense, Homeland Security and Commerce, as well as NASA. Hackers broke into Defense Secretary Robert Gates’ unclassified e-mail and probe Defense Department computers “hundreds of thousands of times each day,” said the commission, a panel of leading government and computer industry experts.

A senior State Department official told the commission that the department had lost thousands of gigabytes of data due to computer attacks, and among the Homeland Security divisions reporting computer break-ins was the Transportation Security Administration, which provides airport security. Hacking attacks compromising intellectual property have cost U.S. companies billions of dollars, the report stated.

“The damage from cyber attack is real,” the report continued. “Ineffective cyber security, and attacks on our informational infrastructure in an increasingly competitive international environment, undercut U.S. strength and put the nation at risk.”

The Center for Strategic International Studies (CSIS) Commission on Cybersecurity announced on its web site that it has released its final report, “Securing Cyberspace for the 44th Presidency“. The Commission’s three major findings are:

1. Cybersecurity is now one of the major national security problems facing the United States.
2. Decisions and actions must respect American values related to privacy and civil liberties; and
3. Only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will improve the situation.

The commission report provided 25 recommendations that cover several key areas:

• Create a Comprehensive National Security Strategy for Cyberspace

• Organize for Cyber Security

• Partner with the Private Sector

• Regulate for Cyber Security

• Secure Industrial Control Systems

• Use Acquisitions rules to Improve Security

• Manage Identities

• Modernize Authorities

• Revise the Federal Information Security Management Act

• End the Division between Civilian and National Security Systems

• Conduct Training for Cyber Education and Workforce Development

• Conduct Research and Development of Cyber Security

Perfect Timing with Obama and Cyber Security Report

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

As of 2007, cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities.  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

The diagram attached shows exactly how Cross Site Scripting (XSS) dupes online customers. During an XSS attack everything looks fine to the unsuspecting online customer, who may be subject to unauthorized access, theft of sensitive data, and financial loss.

Tim Wilson of Dark Reading reports American Express has been wrestling for more than a week with cross-site scripting vulnerabilities that could jeopardize the personal information of its customers, according to security researchers.

This vulnerability violates the PCI Data Systems Security (PCI DSS) guidelines that Amex itself helped to create, McCree observes. The PCI DSSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI DSS establishes a set of comprehensive requirements for enhancing payment account data security, which was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The ARegister’s Dan Goodin previously reported “The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security research first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.”

An American Express company spokesperson said security is a top concern at Amex and said company employees would investigate the two reported vulnerabilities.

On its Bugzilla@Mozilla site the Mozzilla organization provides some historical development notes on fixes it has been working on for its web browser to thwart XSS.

The Dangers of Cross Site Scripting

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Let’s eliminate the confusion by understanding the difference between archiving and eDiscovery. Both are tied together, but serve two (2) distinct functions. The everyday operations performed with software processes that maintain historical email correspondence is that component referred to as archiving.  eDiscovery enters the business picure as an official legal or regulatory compliance request. eDiscovery requests ask for specific documentation which may be attached to an email or may contain relevant verbiage within the body of an email.

Let’s focus on those companies that perform eDiscovery. These companies are very different and unrelated to companies that provide archiving software solutions. You will find in your research that archiving software is referred to as “eDiscovery software”. The interchangeability of terms is semantical, at best.

The e-discovery 2.0 blog provides Gartner’s published eDiscovery MarketScope for 2009. Written by Debra Logan, John Bace, and Whit Andrews, it may very well be THE “buyers guide” available for companies interested in using electronic discovery technology to lower costs.

The eDiscovery MarketScope analyzes about 20 software companies focused on electronic data discovery. Based on extensive interviews with end customers and data from the companies themselves, Gartner rates the companies using criteria similar to those used in its famous Magic Quadrant reports. It also identifies market trends, and makes predictions for 2009 and beyond.

This report is required reading for anyone considering an investment in eDiscovery, known as archiving software.

Gartner’s investigation found that many of its corporate clients are saving large amounts of money by using eDiscovery software to reduce the amount spent on lawyers and legal service providers. It reports that customers typically recover their investment from buying eDiscovery software within 3-6 months of implementation.

Gartner addresses what is probably the most common question I get asked by corporate counsels and litigation support managers – namely, “Isn’t there a single product I can buy that will do end-to-end eDiscovery, covering all aspects of the EDRM?” The answer, of course, is “no” and Gartner goes further by predicting that the answer will remain “no” until at least 2011. For the immediate future, companies will need to buy “best of breed” archiving products from different vendors for the various stages of the EDRM model. This ensures they integrate smoothly.

Email Archiving Facilitates eDiscovery Processes

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators