<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; security</title>
	<atom:link href="http://www.theemailadmin.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Feb 2012 14:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Get Ready for DMARC &#8211; A Review of SPF and DKIM</title>
		<link>http://www.theemailadmin.com/2012/02/get-ready-for-dmarc-a-review-of-spf-and-dkim/</link>
		<comments>http://www.theemailadmin.com/2012/02/get-ready-for-dmarc-a-review-of-spf-and-dkim/#comments</comments>
		<pubDate>Wed, 08 Feb 2012 14:00:11 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Bank of America]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[DomainKeys]]></category>
		<category><![CDATA[DomainKeys Identified Mail]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[PayPal]]></category>
		<category><![CDATA[sender policy framework]]></category>
		<category><![CDATA[Simple Mail Transfer Protocol]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5360</guid>
		<description><![CDATA[Just recently, a new industry consortium made up of email providers, financial institutions, social media properties and security providers put their heads together and came up with the DMARC (Domain based Message Authentication, Reporting and Conformance) specification. With a goal of setting up a collaborative effort to help organizations recognize and fight spoofed emails, spam, [...]<p><a href="http://www.theemailadmin.com/2012/02/get-ready-for-dmarc-a-review-of-spf-and-dkim/">Get Ready for DMARC &#8211; A Review of SPF and DKIM</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/02/dkim.png"><img class="alignright size-full wp-image-5361" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/02/dkim.png" alt="" width="278" height="242" /></a>Just recently, a new industry consortium made up of email providers, financial institutions, social media properties and security providers put their heads together and came up with the DMARC (Domain based Message Authentication, Reporting and Conformance) specification.</p>
<p>With a goal of setting up a collaborative effort to help organizations recognize and fight spoofed emails, spam, and phishing attempts, this group is relying on the deployment of the Sender Policy Framework and DomainKeys Identified Mail to complement existing anti-spam solutions.</p>
<p>With industry leaders like Google, Microsoft, PayPal and Bank of America already signed on, along with 11 other companies, DMARC’s work is certain to make a splash in the IT world.</p>
<p>To better help IT departments understand what DMARC is trying to do, and better prepare them to make a decision regarding DMARC, let’s take a little time and refresh our memory on SPF and DKIM.<span id="more-5360"></span></p>
<h2>Sender Policy Framework</h2>
<p>One of the major flaws in the Simple Mail Transfer Protocol is that it allows any computer to send an email using a forged email address. For example, anyone exploiting SMTP could send a spoofed email from their computer at home and make it look like it was coming from a bank.</p>
<p>To address this major flaw in SMTP’s security, the Sender Policy Framework was created in 2003 by Meng Weng Wong. Using special DNS records, the owner of a domain has the ability to specify which computers are allowed to send email messages with the sender address in the specific domain.</p>
<p>Should an unauthorized computer attempt to send a message from the domain in question, the SMTP server rejects the sender and the unauthorized computer will receive a rejection message.</p>
<p>SPF is not without vulnerabilities though. Spoofing the mail header information such as From or Sender is not something that SPF helps to protect against. It is also open to what is known as a wide mask vulnerability where spammers specify a wide mask of valid server addresses in hope that spam from their botnets becomes SPF valid and passes through spam filters.</p>
<h2>DomainKeys Identified Mail</h2>
<p>DKIM came about by merging the DomainKeys and Identified Internet Mail standards with the purpose of associating a domain name to an email message through a digital signature that can be validated by the recipient.</p>
<p>The signer attaches the digital signature to the message being sent using a private key. A verifier that receives the message then relies on the public key to validate the legitimacy of the signature.</p>
<p>So if an email arrives in a person’s inbox from their bank, and their bank uses DKIM then they can feel confident that the message did in fact come from their bank.</p>
<p>If a spammer tries to send a phishing email to the same person and claims to be a representative of the same bank, the message will be rejected and quarantined by the server – never showing up to the intended recipient.</p>
<p>Flaws found in DKIM include the ability to forward a verified message with the content having been modified. Since SPF does not allow for this, it is common to see DKIM and SPF combined.</p>
<p>DKIM is also known to be resource intensive as a result of the cryptographic checksums that validate the digital signature.</p>
<h2>SPF, DKIM and DMARC</h2>
<p>According to DMARC.org, DKIM and SPF relate to their specification in the following ways:</p>
<p><strong>DomainKeys Identified Mail (DKIM)</strong></p>
<ul>
<li>DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.</li>
<li>DMARC uses DKIM results as one method (SPF being the other) for receivers to check email.</li>
</ul>
<p><strong>Sender Policy Framework (SPF)</strong></p>
<ul>
<li>SPF provides a method for validating the envelope sender domain identity that is associated with a message through path-based authentication.</li>
<li>DMARC uses SPF results as one method (DKIM being the other) for receivers to check email.</li>
</ul>
<p>Using the DMARC specification, member organizations can rely on the collaborative efforts of the group to share resources so that spoofed emails can be easily spotted and the amount of resources used in the process can be reduced.</p>
<p>Additionally, they are calling for email senders to sign 100% of their outgoing messages to ensure the validity of emails sent.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/02/get-ready-for-dmarc-a-review-of-spf-and-dkim/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Addressing Three Major Email Threats</title>
		<link>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/</link>
		<comments>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 15:00:02 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Advance-fee fraud]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[Email client]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[PayPal]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Rustock botnet]]></category>
		<category><![CDATA[spam email]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5325</guid>
		<description><![CDATA[According to most reports, the amount of email spam is diminishing. Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing it doesn’t mean [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg"><img class="alignright size-full wp-image-5326" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/Email_Security_Image_XSmall_400x300.jpg" alt="" width="280" height="210" /></a>According to most reports, the amount of email spam is diminishing.</p>
<p>Experts credit the takedown of massive botnets like Rustock, a more educated user base and advancements in spam fighting technologies for this trend. However, even though one of the most annoying, and troublesome, threats to email accounts is on a downswing it doesn’t mean for one second that email is no longer a part of the IT infrastructure that is vulnerable to threats.</p>
<p>Understanding the different ways cyber criminals and script kiddies can use vulnerabilities in email clients and servers to attack a system will help any email administrator keep email services running smoothly, and the entire infrastructure safe from a great number of exploits that can do some serious damage.<span id="more-5325"></span></p>
<p>Listed below are three of the most serious problems that, if ignored, can cause some serious security problems with your email systems.</p>
<p><strong>1. Malware being spread via email</strong></p>
<p>To say that spam levels are dropping dramatically is almost a half truth. While users are seeing less spam advertising pharmaceuticals, financial services, pornography and work at home schemes, it doesn’t necessarily mean that spam itself is being beaten back.</p>
<p>Actually, while the use of spam for advertising and marketing may be down, the numbers are increasing for spam messages that carry something far worse than the Nigerian prince scam. These messages actually contain malware or links to malicious sites.</p>
<p>Knowing full well that many users have been taught not to download attachments they don’t trust, cyber criminals have turned to simply inserting a link to a web site in their emails. When the victim clicks the link, they are taken to a site that runs scripts to infect their computers with Trojan horses, keystroke loggers and other types of malicious software.</p>
<p><strong>2. Information leaks</strong></p>
<p>Not all threats come from outside. Anyone who has worked to secure confidential data knows all too well that one of the biggest areas of concern is information being leaked from an inside threat.</p>
<p>Inside threats happen through a variety of means. You could have a disgruntled employee who is looking to hurt the company or you could have an employee who is looking to make a little extra money moonlighting as a corporate spy. There have even been instances where someone lands a job with a company for the sole reason of stealing confidential or proprietary information.</p>
<p>While these scenarios seem like they came from a Hollywood studio, they do happen &#8211; just not that often.</p>
<p>Most likely, you will find that information is leaked by accident. An employee includes something in an email message that is considered sensitive. That email, once it leaves the protection of your company, can now be forwarded on or even intercepted in transit. The contents can then be easily exposed revealing trade secrets, private information or even embarrassing content.</p>
<p><strong>3. Go phish</strong></p>
<p>Phishing is a threat that has been on the radar of most IT administrators for some time. And with recent data breaches, like the recent attack against Epsilon, millions of corporate email addresses have been compromised and are ready to be used in phishing attacks.</p>
<p>The scary part of phishing attacks nowadays is that it is becoming harder to tell them apart from legitimate emails. Take a look at recent PayPal and banking emails that have been sent out requesting people to reset their account passwords or log in to address some issues with their account.</p>
<p>It is becoming tough for people to tell the difference between a real request from their financial institution and one aimed at compromising their login details.</p>
<p>Of course, financial data isn’t the only thing that phishers chum the waters for. They know full well that a majority of people use the same user name and passwords for a majority of web sites. If they can capture a password, they can usually recreate the username for your business's network resources to allow them free rein over anything the victim has access to.</p>
<p>Safeguarding against email based attacks is something that every IT admin needs to take seriously if they want to protect their network. Employing a solution that addresses the mail servers, mail client, users and other network resources is one of the key steps to protect against as many points of attack as possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/02/addressing-three-major-email-threats/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Government can force you to decrypt your data</title>
		<link>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/</link>
		<comments>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/#comments</comments>
		<pubDate>Tue, 31 Jan 2012 14:00:15 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[intrusion]]></category>
		<category><![CDATA[passwords]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5322</guid>
		<description><![CDATA[Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States. The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators. Unlike the cops on television shows and movies, [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-165-key.jpg"><img class="size-medium wp-image-5337 alignright" style="border-image: initial; border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-165-key-300x224.jpg" alt="" width="300" height="224" /></a></p>
<p>Administrators confident about the safety of their data encrypted on company laptops should start squirming if a recent court decision passes muster in the United States.</p>
<p>The case involves a Colorado woman who has been ordered to open the encrypted drives on her laptop for federal investigators.</p>
<p>Unlike the cops on television shows and movies, who always seem to have a computer wizard on hand to decrypt a hard drive or crack a password, law enforcement authorities in Colorado, stymied by the encryption on a notebook in the possession of Ramona Fricosu, simply went to a judge and asked him to order her to type in her password so they could see what was in the encrypted files.</p>
<p>In arguing against opening the files, Fricosu claimed doing so would violate her civil rights, in particular her Fifth Amendment rights against self-incrimination. Her reasoning was that the government, by forcing her to give up her password for decrypting the drive, was forcing her to incriminate herself if there were anything on the drive tying her to their criminal investigation of a mortgage scam. They believe Fricosu is involved in the scam that defrauded banks in the Colorado Springs area of some $900,000.<span id="more-5322"></span></p>
<p>Federal District Court Judge Robert Blackburn didn&#8217;t buy that argument. Fricosu might be incriminating herself if she were being asked to utter the password to the files or to give it to the investigators in some other way. However, she was only being asked to type in the password.</p>
<p>The government said it wasn&#8217;t interested in knowing what the password was. In fact, it said Fricosu could type the password into the laptop without any government operatives hovering over her. For that reason, the password could be treated like a key is treated in the physical world. Since the courts have ruled that the government can compel someone to give it the key to a safe or other repository of potential evidence in a case, Judge Robinson reasoned, it can compel Fricosu to type in her password.</p>
<p>Although the Fricosu case will be appealed and isn&#8217;t settled in law yet, it should give administrators some food for thought. It&#8217;s not that far of a stretch, for instance, from treating a password for decrypting files as a key to treating passwords to anything that way.</p>
<p>That can have broad implications for your data&#8217;s security should you ever have to lock horns with any government for any reason. While Fricosu was involved in a criminal matter, the logic underlying the case could be extended to non-criminal government activity such as tax audits or compliance reviews.</p>
<p>With that in mind, should alternatives to passwords be considered? For example, if voice recognition were used to replace passwords, then the &#8220;utterance&#8221; test might be met and your data might be better protected against intrusive legal searches. Then there&#8217;s the question of whether other biometric solutions used for authentication are as legally vulnerable as simple passwords. If a retina has to be supplied to open a laptop, is that a potential act of incrimination?</p>
<p>One thing administrators should take away from the Fricosu decision, should it be upheld by the appellate courts, is that their passwords and the passwords of their organization&#8217;s users aren&#8217;t as safe as they used to be—and neither is anything that can be decrypted with a password.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/government-can-force-you-to-decrypt-your-data/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Microsoft&#039;s Trustworthy Computing program turns 10 years old</title>
		<link>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/</link>
		<comments>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 14:00:56 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[trustworthy computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5258</guid>
		<description><![CDATA[For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security. On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5271" class="wp-caption alignright" style="width: 310px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI164-bill_gates.jpeg"><img class="size-medium wp-image-5271" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI164-bill_gates-300x300.jpg" alt="" width="300" height="300" /></a><p class="wp-caption-text">Gates: Momentous security memo</p></div>
<p>For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security.</p>
<p>On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of &#8220;Trustworthy Computing.&#8221;</p>
<blockquote><p>&#8220;In the past,&#8221; <a target="_blank" href="http://www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx?referer=');">Gates wrote</a>, &#8220;we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.&#8221;</p>
<p>&#8220;So now,&#8221; he continued, &#8220;when we face a choice between adding features and resolving security issues, we need to choose security.&#8221;<span id="more-5258"></span></p></blockquote>
<p>Gates&#8217; commitment to security came when the Windows world was reeling from two monster malware attacks from the previous year: Code Red and Nimda. Code Red exploited buffer overflows to attack Internet Information Services (IIS) running under Windows Server. It infected an estimated 300,000 PCs.</p>
<p>Unlike Code Red, Nimda was a worm that used multiple attack vectors to rapidly infect computers connected to the Internet. The technique was extremely effective and within 22 minutes of its release on September 18, 2012, it became the most widespread malware in the world.</p>
<p>It&#8217;s with that backdrop that Gates emailed his memo to his employees. One group of workers was particularly glad to see their boss&#8217;s missive: the company&#8217;s malware fighters.</p>
<blockquote><p>&#8220;It’s not an understatement that the memo felt, to me, like the arrival of Gandalf and Eomer at Helm’s Deep in the film <em>The Lord of the Rings: The Two Towers</em> at a moment of great despair; at last we were getting some relief and might survive&#8221; Christopher Budd, who worked on security issues for 10 years at Microsoft, <a target="_blank" href="http://betanews.com/2012/01/16/10-years-after-bill-gates-trustworthy-computing-memo-what-it-meant-for-microsoft-and-why-every-tech-company-needs-one/" onclick="pageTracker._trackPageview('/outgoing/betanews.com/2012/01/16/10-years-after-bill-gates-trustworthy-computing-memo-what-it-meant-for-microsoft-and-why-every-tech-company-needs-one/?referer=');">wrote in Betanews</a>.</p></blockquote>
<blockquote><p>&#8220;In a single movement, Gates enshrined security, privacy and reliability as central, aspirational ideals,&#8221; Budd observed. &#8220;Like all ideals, there have been better and worse times in realizing them, but their central importance was never open to question. That memo eliminated the resistance that made our work so hard and gave us the power to do the right thing for customers.&#8221;</p></blockquote>
<p>Budd asserted that the memo gave the security and privacy factions in the company the power to stand toe-to-toe with those primarily concerned with revenue and growth. He wrote:</p>
<blockquote><p>&#8220;In a way, it represents a statement of conscience for the company and we used it as such, with success.&#8221;</p></blockquote>
<p>Since the memo was issued, Microsoft has made security an important part of its product development cycle. That&#8217;s led to security features like library randomization and BitLocker drive encryption in Windows 7 and Secure Boot, a way in Windows 8 to foil BIOS attacks. It has made Windows Server IIS as secure as its open source competitor, Apache, too.</p>
<p>It has also lifted Microsoft&#8217;s browser, Internet Explorer, from a security nightmare to one of the most secure ways to surf the Web today. A 2010 report from independent software tester NSS Labs found:</p>
<blockquote><p>&#8220;Internet Explorer 9 was by far the best at protecting users against socially-engineered malware.&#8221;</p></blockquote>
<p>Unfortunately, it&#8217;s hard to change a bad security reputation forged over many years and IE&#8217;s user share has fallen from its once dominant position of more than 90 percent to under 50 percent of all users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Windows 8 Offers New Password Features</title>
		<link>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/</link>
		<comments>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 14:00:12 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Windows 8]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5200</guid>
		<description><![CDATA[Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way. Everyone has dozens of accounts they need for which [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5239" class="wp-caption alignright" style="width: 285px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg"><img class="size-full wp-image-5239 " style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg" alt="" width="275" height="275" /></a><p class="wp-caption-text">Gestures can replace passwords in Windows 8.</p></div>
<p>Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.</p>
<p>Everyone has dozens of accounts for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but they only used six passwords to access their accounts.</p>
<p>Security pros decry the multiple use of passwords but there are plenty of sites on the web where if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.<span id="more-5200"></span></p>
<p>With Windows 8, Microsoft is addressing several nettlesome issues that discourage people from creating and using strong passwords. In the upcoming version of Windows, user names and passwords are stored in a secure location called the Credential Password Vault.</p>
<p>The latest version of Microsoft&#8217;s web browser, Internet Explorer 10, is designed to automatically access the Vault for your credential information, but other browsers and applications will eventually be able to access the area, too.</p>
<p>What&#8217;s more, if you have or obtain a Windows Live ID, you&#8217;ll be able to synchronize the Vaults across all your devices. Not only does that remove the annoying situation of trying to remember credentials for a site when you&#8217;re away from the device where you created those credentials, but it can provide a safety net should the password information on any one device be corrupted.</p>
<p>Synchronization appears to be pretty robust too. Microsoft says it can take place behind a firewall. However, websites can block the storage of credentials used to access them. Some banks do that. In that case, synchronization will not work because your credentials won&#8217;t be stored in your Vault.</p>
<p>Another intriguing aspect of the Credential Password Vault is that it can also store security keys. Typically, those keys involve the use of hardware tokens to authenticate a person&#8217;s identity. The Vault, however, is designed to work with something called the Trusted Platform Module, which is being incorporated into more and more computers these days. The Vault and the Module, which acts as a virtual security token, can team up to perform the same function as a token-based key pair system.</p>
<p>For tablets or computers with touchscreens, Windows 8 has an even neater password option. It allows you to take a photo of your choice and use it to access your slate by performing a series of gestures on it.</p>
<p>Although some security experts are skeptical of the method, and even Microsoft acknowledges that <a target="_blank" href="http://arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars?referer=');">smudges on a screen could compromise the gesture password</a>, the approach has the potential to be more secure than ordinary password schemes. Microsoft estimates that there are 398 trillion five-gesture combinations that could be applied to a photo, compared to 182 million combinations for a five-character password and nine trillion combinations for an eight-character one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Yes, My Email Account Was Compromised</title>
		<link>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/</link>
		<comments>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:00:26 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email account hacked]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MSN]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[User (computing)]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5106</guid>
		<description><![CDATA[This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday. I was lucky that I did check it. The [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg"><img class="alignright size-full wp-image-5107" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg" alt="" width="281" height="210" /></a>This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.</p>
<p>I was lucky that I did check it. The new message was actually from my personal email account; the contents of the message contained only one link, and other people were also sent the same message.</p>
<p>I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:<span id="more-5106"></span></p>
<ul>
<li>I use strong passwords and phrases</li>
<li>I change my passwords frequently</li>
<li>I don’t use the same password over and over</li>
<li>I update my anti-malware software regularly</li>
<li>I run anti-malware scans regularly (ironically, I had just run a scan the day before)</li>
<li>I am careful about what sites I visit</li>
<li>I am careful about clicking links in emails</li>
<li>I am careful about what I download, even checking the MD5 hashes when available.</li>
</ul>
<p>However, after I realized what had happened, I didn’t make the classic mistake of denial that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.</p>
<h2>Steps taken</h2>
<p>When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.</p>
<p>At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.</p>
<p>However, looking at a few of these messages, I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:</p>
<p>A) My email address had not been spoofed.</p>
<p>B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.</p>
<p>It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.</p>
<p>Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.</p>
<p>Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.</p>
<p>The three scans from Malwarebytes Anti-Malware, TDSSKiller Antirootkit utility and Ad-Aware all came up clean, so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came up, but looking at the headers, these were delayed, as the original message sent from my account occurred between 6:48 AM and 6:54 AM, so everything looked clean.</p>
<h2>Digging deeper</h2>
<p>Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.</p>
<p>To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.</p>
<p>Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.</p>
<p>After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.</p>
<p>Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Why the iPhone should be the BYOD of choice for administrators</title>
		<link>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/</link>
		<comments>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 14:00:58 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[iPhone]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4899</guid>
		<description><![CDATA[Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it&#8217;s fast becoming a fact of life in the workplace. One of the prime culprits behind [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI153-iphone-4S-apps-600.jpg"><img class="alignright size-medium wp-image-4927" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI153-iphone-4S-apps-600-300x200.jpg" alt="" width="300" height="200" /></a>Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it&#8217;s fast becoming a fact of life in the workplace.</p>
<p>One of the prime culprits behind the popularity of BYOD—Bring Your Own Device—is Apple&#8217;s iPhone. Not only did it become a favorite among the rank and file workers in many companies, but also among the top brass in many of them, too. That made it difficult for IT departments to keep the smartphones from invading their domains.<span id="more-4899"></span></p>
<p>Now all kinds of smartphones are slipping by the door, many of them ill-suited for a corporate environment. They can be insecure. They can also be a headache to support. The iPhone, though, while conceived as a consumer device, has an edge on its competitors in an enterprise environment. That&#8217;s why administrators should be in Apple&#8217;s corner when the BYOD wave breaks over their organizations.</p>
<p>Granted, Research In Motion&#8217;s Blackberry smartphones are among the most secure in the world, which is why they&#8217;re the favorites of law enforcement, military and intelligence agencies, but RIM hasn&#8217;t been able to keep up with the technology breakthroughs made by its competitors, like Apple and Google, so it has been losing its adherents even in corporate markets where it was a darling for many years. A recent outage where some <a target="_blank" href="http://articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM:TECH" onclick="pageTracker._trackPageview('/outgoing/articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM_TECH&amp;referer=');">customers lost Blackberry service</a> for up to three days hasn&#8217;t helped the platform&#8217;s image either.</p>
<p>One of the iPhone&#8217;s strongest suits is its robust support of Microsoft Exchange ActiveSync policies. In fact, outside of phones that run Windows Mobile, which are dwindling since Microsoft moved to its Windows Phone 7 platform, the iPhone supports more ActiveSync policies than any other mobile.</p>
<p>The iPhone ecosystem is also built to make recovering a phone&#8217;s contents, as well as moving its contents to a new phone, easy. Apple&#8217;s new iCloud service automatically backs up a phone&#8217;s apps and data to the cloud. In addition, iTunes, the software used to sync a phone with another computer, keeps a copy of a phone&#8217;s contents locally.</p>
<p>The iPhone&#8217;s support of ActiveSync contrasts starkly with Android smartphones, where VPN connections are hampered by the lack of support for PEAP-secured WiFi in versions 2.x and 3.x of the operating system. In addition, on-device encryption and complex passwords are unsupported by 2.x.</p>
<p>Some administrators, though, are less concerned about security with all these alien devices than with providing support for them. That&#8217;s where the iPhone can really shine. Its intuitive interface makes it not only easy for its operators to use, but for support people to troubleshoot.</p>
<p>A <a target="_blank" href="http://www.readwriteweb.com/enterprise/2011/08/clickfox-says-android-and-rim.php" onclick="pageTracker._trackPageview('/outgoing/www.readwriteweb.com/enterprise/2011/08/clickfox-says-android-and-rim.php?referer=');">study</a> released during the summer, for instance, showed that it costs, on average, $4 more per person to support an Android or Blackberry user than it costs to support an iPhone operator. One of the biggest factors contributing to those increased costs was support call referrals.</p>
<p>Support organizations are usually organized into levels. If one level can&#8217;t solve a caller&#8217;s problem, it&#8217;s booted to another level staffed with more expertise. What the study found was that 37 percent of Blackberry support calls had to be referred to another agent. For Android calls, it was far worse: 77 percent.</p>
<p>So administrators, when BYOD starts invading your bailiwick, you may want to become a cheerleader for the iPhone, not only because it&#8217;s more secure, but because it&#8217;s a lot easier to support.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>iPhone&#039;s Siri could pose threat to email security</title>
		<link>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 14:00:55 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Siri]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4813</guid>
		<description><![CDATA[Whenever a new cool technology is introduced into a consumer smartphone, for every &#8220;wow&#8221; it sparks from an early adopter, an &#8220;ouch&#8221; is elicited from a system administrator. That appears to be the case with Siri, the &#8220;personal assistant&#8221; in the latest model of Apple&#8217;s iPhone, the 4S. The 4S was introduced on October 5 [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI151-art_photo-siri-200x0.jpg"><img class="alignright size-full wp-image-4831" style="border: 0px solid black; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI151-art_photo-siri-200x0.jpg" alt="" width="200" height="300" /></a>Whenever a new cool technology is introduced into a consumer smartphone, for every &#8220;wow&#8221; it sparks from an early adopter, an &#8220;ouch&#8221; is elicited from a system administrator. That appears to be the case with Siri, the &#8220;personal assistant&#8221; in the latest model of Apple&#8217;s iPhone, the 4S.</p>
<p>The 4S was <a target="_blank" href="http://www.ign.com/articles/2011/10/04/apple-introduces-iphone-4s" onclick="pageTracker._trackPageview('/outgoing/www.ign.com/articles/2011/10/04/apple-introduces-iphone-4s?referer=');">introduced on October 5</a> and has proven to be extremely popular, with four million units sold during the first weekend it was available to consumers. Some of those consumers, however, are going to find that their shiny new toys are going to be <em>mobilis non gratus</em> when they try to connect them to their corporate networks. That&#8217;s because some organizations consider the smartphones a security risk.</p>
<p>At the root of the problem is Siri. It allows you to use your voice to issue commands and posit queries to the phone. For instance, you can say, &#8220;Where can I eat pizza around here?&#8221; And Siri will respond with a map with nearby pizza joints tagged on it. Or, without any training, you can ask it to call someone from your address book while you&#8217;re driving your car so you don&#8217;t have to touch the phone.<span id="more-4813"></span></p>
<p>Sounds cool, doesn&#8217;t it? It&#8217;s so cool that Apple couldn&#8217;t resist turning the feature on by default. So when you take the 4S out of the box, Siri is on when you power up the mobile. What&#8217;s worse—and the real rub for administrators—is that Siri continues working even when the phone is locked with a password.</p>
<p>Ordinarily, when an iPhone is password protected, when you turn the phone on, a lock out screen appears. To get past that screen, you need to enter your password. With Siri activated, though, the lock out screen appears, but you can still give the phone voice commands. You can send email and text messages. You can access the phone&#8217;s address book and calendar. And you can make phone calls.</p>
<p>The only thing you can&#8217;t do is search the Net. Try to do that and Siri&#8217;s female voice will inform you that she will not ferret the Web when the phone is locked.</p>
<p>While Apple wasn&#8217;t about to disable a shining achievement like Siri from an out-of-the-box 4S, doing so is pretty easy. You drill down through settings&gt;general&gt;passcode lock and turn off &#8220;allow access to Siri when locked with a passcode.&#8221; That, though, reduces the utility of the phone, since part of Siri&#8217;s value is it allows you to perform functions with the phone without touching it. If you have to type in a passcode, you&#8217;ll definitely have to touch it.</p>
<p>However, the fact that Siri can be turned off is irrelevant to administrators. That&#8217;s because they need to compel devices that connect to their networks to be password protected. If a phone full of corporate secrets is lost or stolen, they don’t want to be wondering if it was password protected or not.</p>
<p>That&#8217;s not the case with the iPhone 4S. An administrator can never know when or if Siri&#8217;s passcode override has been turned off by a user. The possibility will always be lurking that Siri will be used to compromise an errant phone. Until administrators can access a phone&#8217;s Siri settings, the way they can access passcode settings through the Microsoft Exchange interface Apple supplies with its iPhones, the 4S will remain a pariah in many security-conscious organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>What spam is in your inbox? Microsoft breaks it down.</title>
		<link>http://www.theemailadmin.com/2011/10/what-spam-is-in-your-inbox-microsoft-breaks-it-down/</link>
		<comments>http://www.theemailadmin.com/2011/10/what-spam-is-in-your-inbox-microsoft-breaks-it-down/#comments</comments>
		<pubDate>Thu, 20 Oct 2011 14:00:37 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[FOPE]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4772</guid>
		<description><![CDATA[Have you checked the spam flowing into your organization lately? Microsoft has, and it has reported its findings in its Security Intelligence Report for the first half of this year. The report, which is based on data collected from 600 million computers worldwide, noted that pharmacy spam remains a favorite of junk emailers. An analysis of [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI150-MS-cover-small.jpg"><img class="alignright size-full wp-image-4784" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI150-MS-cover-small.jpg" alt="" width="210" height="270" /></a>Have you checked the spam flowing into your organization lately? Microsoft has, and it has reported its findings in its <a href="http://www.microsoft.com/security/sir/default.aspx" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/security/sir/default.aspx?referer=');">Security Intelligence Report</a> for the first half of this year.</p>
<p>The report, which is based on data collected from 600 million computers worldwide, noted that pharmacy spam remains a favorite of junk emailers. An analysis of telemetry data from Microsoft customers who process tens of billions of messages a month using the company&#8217;s Forefront Online Protection for Exchange (FOPE) shows that 28 percent of all spam is non-sexual pharmacy junk. By comparison, sexual pharma spam is at the low end of the spectrum at 3.1 percent.</p>
<p>Behind pharma junk are non-pharmacy product ads (17.2 percent), 419 or &#8220;Nigerian&#8221; scams (13.2 percent), financial services (8.9 percent) and gambling (6.1 percent).<span id="more-4772"></span></p>
<p>In the past, the report noted, some spammers tried to evade content filters by sending messages composed entirely of one or more images. This tactic appears to be losing favor among junko artists, as only 3.1 percent of the spam blocked by FOPE during the first half of the year was image spam, compared to 8.7 percent in 2010.</p>
<p>Microsoft researchers also found fewer &#8220;spikes&#8221; in spam activity during the period than in the past. Typically, volumes for a spam category spike as junksters mount short-lived, large-scale campaigns for it. Month to month volume changes were much more gradual during the first half of 2011, they discovered, except in one category: fraudulent university diplomas. That&#8217;s usually a very low volume type of spam, but in February it spiked to four percent of all spam. A similar spike occurred around the same time in 2010.</p>
<p>While the kind of junk spammers are flinging at organizations remains similar to the past, the amount of it has decreased significantly, according to Microsoft. From July 2010 to May 2011, the amount of spam blocked by FOPE plummeted from 89.2 billion to 21.9 billion messages. Microsoft attributed the volume declines to two botnet takedowns: Cutwail, in August 2010, and Rustock, in March 2011. &#8220;The magnitude of this decrease suggests that coordinated takedown efforts such as the ones directed at Cutwail and Rustock can have a positive effect on improving the health of the email ecosystem&#8221;, its report said.</p>
<p>FOPE is stopping most spam at the perimeter of the organizations using it, the report noted, which frees up resources that would be consumed by more-intensive anti-spam methods. From 85 to 95 percent of incoming messages are blocked at the network edge each month, while the remaining five to 15 percent must have content-based rules applied to them. However, over the last year, the report showed the amount of edge-blocked spam steadily declining, from 95 percent in July 2010 to around 85 percent in June 2011.</p>
<p>Much of the world&#8217;s spam is delivered through botnets, networks of compromised computers that respond to spammers&#8217; commands remotely. During the first half of the year, Microsoft researchers found some interesting jockeying for position among the nations hosting spambot IP addresses.</p>
<p>While India remained at the top of the heap, with around 11 percent of all spambot IP addresses, and Russia remained strong with around a 7.7 percent share, some newcomers broke into the top five ranks from the first to second quarter of the year. Korea, for instance, went from a 2.9 percent share to 8.4 percent to claim second place. Meanwhile, Vietnam jumped from four percent to 7.3 percent and Indonesia increased from 2.4 percent to 5.6 percent.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/what-spam-is-in-your-inbox-microsoft-breaks-it-down/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Email Security Best Practices from Microsoft</title>
		<link>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/</link>
		<comments>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/#comments</comments>
		<pubDate>Tue, 18 Oct 2011 14:00:21 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Microsoft Security Intelligence Report]]></category>
		<category><![CDATA[outlook]]></category>
		<category><![CDATA[Outlook Express]]></category>
		<category><![CDATA[Simple Mail Transfer Protocol]]></category>
		<category><![CDATA[Southern Poverty Law Center]]></category>
		<category><![CDATA[Zero-day attack]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4781</guid>
		<description><![CDATA[Over the years, Microsoft has taken its lumps when it comes to security; however, as a company, they have taken some pretty impressive strides to make sure that their products are more secure. However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/microsoft-black.jpg"><img class="alignright size-full wp-image-4782" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/microsoft-black.jpg" alt="" width="200" height="153" /></a>Over the years, Microsoft has taken its lumps when it comes to security; however, as a company, they have taken some pretty impressive strides to make sure that their products are more secure.</p>
<p>However, their security efforts have not been limited to just their products. They have launched several educational campaigns aimed at helping users better secure their computers and networks.<span id="more-4781"></span></p>
<p>These efforts can be seen in Microsoft’s latest report, the Microsoft Security Intelligence Report, and its corresponding website.</p>
<p>This project was set up to provide businesses and consumers with hard data concerning security risks and best practices from Microsoft themselves on how to mitigate the various risks.</p>
<p>Being the producer of the most popular email client software packages &#8211; Outlook, Hotmail, Outlook Express and Windows Live Mail &#8211; they have a definite interest when it comes to helping users guard against email threats.</p>
<p>Spam, according to Microsoft:</p>
<ul>
<li>Wastes resources</li>
<li>Distracts recipients</li>
<li>Puts assets at risk for greater security problems</li>
<li>Provides an avenue for social and criminal hacking attempts</li>
<li>Provides an avenue for phishing scams against users</li>
</ul>
<p>While stopping these issues definitely is a concern for Microsoft internally, educating their customers on how to eliminate the problems associated with spam will certainly help them sell more products to people looking for the most secure product on the market.</p>
<h2>A Look Inside Microsoft</h2>
<p>According to their website, Microsoft filters between five and ten million email messages every day that contain malware and/or spam. On a daily basis, they see threats that include spyware, worms, attacks from botnets and polymorphic viruses attacking their email messaging systems. Each day more than 100 different types of executable files are removed from incoming messages sent to Microsoft employees.</p>
<p>So we can safely say that as an organization, there is little that they haven’t seen when it comes to protecting email systems.</p>
<p>To best fight the many different threats facing email, all inbound email to Microsoft must pass a three-tiered process that includes anti-malware scanning, file removal and spam filtering.</p>
<p>The importance of this approach is simple. Stop threats before they reach the user.</p>
<p>Incorporating an anti-malware scan into messaging systems helps protect the integrity of your systems because threats can be stopped before a user has the opportunity to allow infected files to compromise a computer or network.</p>
<p>Likewise, a file removal process prevents malicious executables sent via email attachment from ever having the chance to launch. Followed by adequate spam filtering, this process reduces the need for organizations to rely solely on a desktop-based security solution or a network firewall, neither of which provides comprehensive protection on its own.</p>
<p>These strategies seem like common sense steps that we would hardly need to rely on Microsoft to provide. However, many organizations neglect to incorporate these simple strategies into their planning.</p>
<h2>Other Ideas from Redmond</h2>
<p>Keeping systems protected cannot be done by simply scanning incoming messages for threats. Other steps need to be taken. The best practices that Microsoft recommends to organizations are as follows:</p>
<ul>
<li>Provide email submission services on port 587.</li>
<li>Require SMTP authentication for email submissions.</li>
<li>Abstain from interfering with connectivity to port 587.</li>
<li>Configure email client software to use port 587 and authentication for email submission.</li>
<li>Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.</li>
<li>Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.</li>
<li>Disable computers or individual email accounts that have been compromised and are being used to send out spam.</li>
<li>When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.</li>
</ul>
<p>As email administrators, we tend to look to hardware and software solutions to keep things running smoothly and securely. However, protecting systems and users from threats is ultimately our responsibility. Knowing the best way to do so is part of the job description.</p>
<p>Turning to experts for advice when it comes to security does not mean we are unable to do things on our own; it means we are wise enough to use what works and smart enough to know where to look.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/email-security-best-practices-from-microsoft/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Junk mail law contributes to expansion of &#039;Snowshoe Spam&#039;</title>
		<link>http://www.theemailadmin.com/2011/10/junk-mail-law-contributes-to-expansion-of-snowshoe-spam/</link>
		<comments>http://www.theemailadmin.com/2011/10/junk-mail-law-contributes-to-expansion-of-snowshoe-spam/#comments</comments>
		<pubDate>Thu, 13 Oct 2011 14:00:08 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[CAN SPAM]]></category>
		<category><![CDATA[snowshoe spam]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4731</guid>
		<description><![CDATA[When the U.S. CAN SPAM Act was passed eight years ago, critics of the measure doubted it would put a dent in the flow of Internet junk mail. They were right, but few would have predicted that many spammers would use the law as a subterfuge for their pesky activities. They do that with &#8220;snowshoe [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI149-snowshoes.jpg"><img class="alignright size-full wp-image-4754" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI149-snowshoes.jpg" alt="" width="300" height="304" /></a>When the U.S. CAN SPAM Act was passed eight years ago, critics of the measure doubted it would put a dent in the flow of Internet junk mail. They were right, but few would have predicted that many spammers would use the law as a subterfuge for their pesky activities. They do that with &#8220;snowshoe spam.&#8221;</p>
<p>It&#8217;s called that because it exploits the principle used by snowshoes to prevent their wearer from sinking into deep snow. They do that by distributing a walker&#8217;s weight over a larger area of snow. Snowshoe spam keeps junk e-mail from being sunk by a system&#8217;s spam defenses by spreading the spew across multiple IP addresses.</p>
<p>That can be particularly effective against an email system&#8217;s volume filters. Those filters monitor the origin of email. If a large volume of email with the same content is coming from an IP address, those filters will start blocking the email and treat it as spam. By using multiple IP addresses, spammers can keep the volumes on any single IP address low enough to submarine the thresholds used by the volume filters.<span id="more-4731"></span></p>
<p>Another distinctive feature of snowshoe spam is that it&#8217;s designed to appear to conform to CAN SPAM, the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003. That act requires email marketers to include an unsubscribe mechanism and a postal address in their solicitations, bars the use of forged headers and requires messages to be sent from a marketer&#8217;s own network.</p>
<p>Spammers have found it easy to &#8220;game&#8221; the law, however. They include unsubscribe links, as the law prescribes. Some, though, have the links lead to virtual dead letter boxes on the Internet where they can be ignored. Most honor the links, however, because they know very few people will use them. That&#8217;s because most organizations advise their employees not to respond to such links. Doing so, they warn, verifies an email address to a spammer, making it more valuable to them.</p>
<p>They include postal addresses in their spam, too. Those are usually post office boxes, which allow the spammers to preserve their anonymity.</p>
<p>They meet the other requirements in the law by registering hundreds or thousands of static domains. That gives their messages true headers but the domains can be easily disposed of. They also lease hundreds of IP addresses to meet the &#8220;own your network&#8221; requirement. That also allows them to move from one range of IP addresses to another should a range be blocked by spamfighters.</p>
<p>Unlike illegal spammers, who distribute malware and peddle black market prescription drugs with their junk mail, snowshoe spammers tend to make their money from affiliate programs where they&#8217;re paid on a pay per click or pay per action basis.</p>
<p>In recent months, some large illegal spam operations have been taken down by law enforcement authorities. Earlier this year, for example, Microsoft and U.S. Marshals took down the <a target="_blank" href="http://news.cnet.com/8301-10805_3-20109864-75/microsoft-hands-rustock-botnet-case-over-to-fbi/" onclick="pageTracker._trackPageview('/outgoing/news.cnet.com/8301-10805_3-20109864-75/microsoft-hands-rustock-botnet-case-over-to-fbi/?referer=');">Rustock network</a>, which at the height of its operation infected 1.6 million computers worldwide and gorged the Net with 30 billion spam messages a day. And in April, the FBI began dismantling the <a target="_blank" href="http://www.computerworld.com/s/article/9215801/DOJ_gets_court_permission_to_attack_botnet" onclick="pageTracker._trackPageview('/outgoing/www.computerworld.com/s/article/9215801/DOJ_gets_court_permission_to_attack_botnet?referer=');">Coreflood</a> botnet, which had infected 2.3 million PCs.</p>
<p>While those high visibility raids appear to have an impact on worldwide spam levels—cbl.abuseat.org <a target="_blank" href="http://cbl.abuseat.org/totalflow.html" onclick="pageTracker._trackPageview('/outgoing/cbl.abuseat.org/totalflow.html?referer=');">reports</a> that spam volumes have dropped from 2800 messages per second in October 2010 to 800 a second in September 2011—snowshoe spam levels continue to climb and will continue to do so until CAN SPAM is amended to address the problem.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/junk-mail-law-contributes-to-expansion-of-snowshoe-spam/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Email Authentication More Important Than Ever</title>
		<link>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/</link>
		<comments>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/#comments</comments>
		<pubDate>Thu, 06 Oct 2011 14:00:44 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[David Vladeck]]></category>
		<category><![CDATA[DKIM]]></category>
		<category><![CDATA[Domain name]]></category>
		<category><![CDATA[Domain Name System]]></category>
		<category><![CDATA[DomainKeys Identified Mail]]></category>
		<category><![CDATA[email spoofing]]></category>
		<category><![CDATA[IP address]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[Sender ID]]></category>
		<category><![CDATA[sender policy framework]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4709</guid>
		<description><![CDATA[Every year, the Online Trust Alliance publishes its Online Safety Honor Roll and Scorecard to measure the adoption of security measures across the Internet. Basically, it is a report card measuring the steps public and private companies, as well as government agencies, are taking towards cyber security. This year email made some promising gains [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/email-authentication.jpg"><img class="alignright size-full wp-image-4710" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/email-authentication.jpg" alt="" width="276" height="183" /></a>Every year, the Online Trust Alliance publishes its Online Safety Honor Roll and Scorecard to measure the adoption of security measures across the Internet.</p>
<p>Basically, it is a report card measuring the steps public and private companies, as well as government agencies, are taking towards cyber security.</p>
<p>This year email made some promising gains when it comes to authentication.<span id="more-4709"></span></p>
<blockquote><p>“Domain level email authentication is a potent weapon in the fight against spam and phishing attacks.  But, for it to work, legitimate emailers must authenticate the messages they send and receiving domains must refuse delivery of unauthenticated messages,” according to David Vladeck, Director of the FTC’s Bureau of Consumer Protection.</p></blockquote>
<p>According to this year’s scorecard, more than 56 percent of all those surveyed are using either Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM). For the first time, email authentication has gone beyond 50 percent, showing a marked improvement when it comes to email security.</p>
<p>The report, which breaks down results by segment, shows that:</p>
<ul>
<li>Social media sites lead with 92 percent adopting email authentication</li>
<li>Internet retail coming in second with 84 percent adopting standards</li>
<li>FDIC banks just making the grade at 59 percent</li>
<li>Government agencies falling behind at 38 percent</li>
</ul>
<p>However, while government still lags behind the average, they did make an 18.8 percent increase from last year’s numbers &#8211; so they are getting better.</p>
<p>So if your organization is one of those lagging behind, there are a few things you can do when it comes to email authentication.</p>
<h2>Sender Policy Framework</h2>
<p>Sender Policy Framework is an IP-based solution to prevent spammers and attackers from spoofing your email addresses. By creating an SPF record in your email domain’s Domain Name System (DNS) zone, you let recipients verify that email using your domain actually comes from your organization.</p>
<p>To set this up the email administrator needs to follow these steps:</p>
<ol>
<li>Inventory the IP addresses that send emails from your company. This needs to include remote workers, email service providers and third parties.</li>
<li>Once you have collected all the necessary IP addresses, create the authentication records (DNS TXT records) for your organization using the Microsoft Sender ID Framework Wizard (<a target="_blank" href="http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard?referer=');">http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard</a>) or the SPF Record Wizard (<a target="_blank" href="http://www.openspf.org/" onclick="pageTracker._trackPageview('/outgoing/www.openspf.org/?referer=');">http://www.openspf.org</a>). These records are then published by your team.</li>
<li>Now, using the tool from OpenSPF (<a target="_blank" href="http://www.openspf.org/why.html" onclick="pageTracker._trackPageview('/outgoing/www.openspf.org/why.html?referer=');">http://www.openspf.org/why.html</a>), your team needs to validate that the published records are error free.</li>
</ol>
<p>Once the records are published your email administrative team will need to maintain these records and make changes as necessary.</p>
<h2>DomainKeys Identified Mail</h2>
<p>DKIM, used in conjunction with SPF, is considered to be the best way to authenticate your email messages.</p>
<p>Essentially, when using DKIM, a certificate is created and added to a TXT record on a specific DNS server.</p>
<p>When the recipient receives the email, it verifies the signature in the DKIM header against the certificate that is on the DNS server of the signer’s domain, preventing it from being spoofed.</p>
<p>Unfortunately, setting up DKIM is not as simple as SPF, as it varies based on your infrastructure. Working with your email provider and IT department, you will be able to set up this complementary piece to the Sender Policy Framework. More information can be found at <a target="_blank" href="http://www.dkim.org/" onclick="pageTracker._trackPageview('/outgoing/www.dkim.org/?referer=');">http://www.dkim.org</a>.</p>
<p>Even though using DKIM and SPF together is considered one of the most effective ways to prevent spoofing and phishing attacks using your email addresses, it is not foolproof.</p>
<p>Whenever there is money to be made through illicit means, there will be people out there one step ahead of the game. This is certainly true when it comes to email.</p>
<p>In addition to employing solutions like those mentioned here, it is more important than ever for organizations to monitor their brand to make sure that nothing is being done to compromise the level of trust that customers, and constituents, have for them.</p>
<p>As email security measures grow increasingly complex, so do the attacks against these systems. Using trusted methods and professionals is the only way that security can stay out in front.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/email-authentication-more-important-than-ever/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Clever coding conceals malware in email attachments</title>
		<link>http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/</link>
		<comments>http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 14:00:19 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[attachments]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[right to left override]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4680</guid>
		<description><![CDATA[If there&#8217;s one rule that&#8217;s been drummed into the heads of all email users, it&#8217;s &#8220;don&#8217;t open executable files in email attachments.&#8221; But what if an email recipient doesn&#8217;t know they&#8217;re opening an executable file because its name has been cleverly disguised using Unicode? Unicode is an international standard used to create a unique number [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI148-unicode-RTLO.png"><img class="alignright size-full wp-image-4690" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI148-unicode-RTLO.png" alt="" width="218" height="218" /></a>If there&#8217;s one rule that&#8217;s been drummed into the heads of all email users, it&#8217;s &#8220;don&#8217;t open executable files in email attachments.&#8221; But what if an email recipient doesn&#8217;t know they&#8217;re opening an executable file because its name has been cleverly disguised using Unicode?</p>
<p>Unicode is an international standard used to create a unique number for every character used by computers regardless of program, platform or language.<span id="more-4680"></span></p>
<p>Its 109,000 characters, though, contain more than just letters from the alphabets of the world. It includes control characters, too. One of those characters can switch the direction in which a computer reads text. That can be valuable when a processor has to deal with languages like Hebrew and Arabic that read right to left or, as malware artists have discovered, when someone wants to camouflage a file name.</p>
<p>Those felonious fellows have found that inserting the right-to-left override character (U+202E) at a strategic point in a file name can mask its malevolent potential. What&#8217;s more, not only does it hide that potential from the recipient of the email carrying the pernicious payload, but it hides it from email filters, too.</p>
<p>This tactic isn&#8217;t new. In 2009, the Mozilla Foundation issued an advisory on the subject.</p>
<blockquote><p>&#8220;When downloading a file containing a right-to-left override character (RTL) in the file name, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body,&#8221; wrote Mozilla security researchers Jesse Ruderman and Sid Stamm.</p>
<p>&#8220;An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file,&#8221; <a target="_blank" href="http://www.mozilla.org/security/announce/2009/mfsa2009-62.html" onclick="pageTracker._trackPageview('/outgoing/www.mozilla.org/security/announce/2009/mfsa2009-62.html?referer=');">they explained</a>.</p></blockquote>
<p>About a year after Mozilla issued its advisory, a security firm identified the tactic being used to disguise executable files attached to billions of messages from spammers. But where those spam outbreaks once occurred every 10 to 14 days, recent activity sends spam blasts out as frequently as three times a day.</p>
<p>Hidden in many of those devious file names is the Bredolab Trojan. It&#8217;s a malware family designed to steal system information and turn a computer into a zombie on a botnet, where it will receive malicious URLs and files from a Net bandit&#8217;s command and control server.</p>
<p>What the spammers are doing is taking their malware and giving it a name like corp_invoic_8.14.2011_pr.phylcod.exe. Then they insert the right-to-left override character after the p-h-y-l in phylcod. That tells a computer to take everything after the control character, read it right to left and display the results. The file name then looks like this: corp_invoic_8.14.2011_pr.phylexe.doc.</p>
<p>Some email programs will recognize the true name of a file, even if it has been altered with a control character. Prominent security writer Brian Krebs, for instance, tried to send an executable file with a name disguised by the right-to-left method through Gmail. The Web application recognized the ruse and gave him its standard message about not allowing executable files to be sent through Gmail—only it <a target="_blank" href="http://krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/" onclick="pageTracker._trackPageview('/outgoing/krebsonsecurity.com/2011/09/right-to-left-override-aids-email-attacks/?referer=');">displayed the message backwards</a>!</p>
<p>Unfortunately, many email programs can be fooled by the right-to-left dodge, especially if the executable is in a zip or archive file. That&#8217;s why a good policy for any organization is to have its members check with the sources of unexpected files they receive attached to emails.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/clever-coding-conceals-malware-in-email-attachments/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Configure your email system to prevent exploitation by doppelganger domains</title>
		<link>http://www.theemailadmin.com/2011/09/configure-your-email-system-to-prevent-exploitation-by-doppelganger-domains/</link>
		<comments>http://www.theemailadmin.com/2011/09/configure-your-email-system-to-prevent-exploitation-by-doppelganger-domains/#comments</comments>
		<pubDate>Thu, 29 Sep 2011 14:00:08 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[domain]]></category>
		<category><![CDATA[doppelganger]]></category>
		<category><![CDATA[squatting]]></category>
		<category><![CDATA[typo]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4632</guid>
		<description><![CDATA[Typo squatting has been around as long as the Internet Domain Naming System (DNS), but Net bandits have added a twist to the practice that appears to be very effective in intercepting corporate email. In a typical typo squatting scenario, people register misspelled domain names of high traffic websites. The idea is to capture traffic [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI147-doppelganger.jpg"><img class="alignright size-full wp-image-4648" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI147-doppelganger.jpg" alt="" width="300" height="200" /></a>Typo squatting has been around as long as the Internet Domain Naming System (DNS), but Net bandits have added a twist to the practice that appears to be very effective in intercepting corporate email.</p>
<p>In a typical typo squatting scenario, people register misspelled domain names of high traffic websites. The idea is to capture traffic they ordinarily wouldn&#8217;t get at their website and turn it into money, either through advertising at the site or by compromising the visitor&#8217;s computer by infecting it with malware.<span id="more-4632"></span></p>
<p>A variation of that technique that&#8217;s gaining popularity uses &#8220;doppelganger domains&#8221; to exploit typos in corporate email addresses. Those typos result less from misspellings than from failing to properly punctuate addresses with subdomains.</p>
<p>For example, the URL for IBM Sweden is se.ibm.com. A doppelganger attacker would register the domain seibm.com to capture email whose authors forget to type in that pesky extra period.</p>
<p>Once the domain is registered, the dop sets up a mail server configured to catch all email addressed to anyone at the doppelganger domain.</p>
<p>Now the bunco artist is ready to mount a classic &#8220;man-in-the-middle&#8221; attack. Misaddressed mail enters the dop&#8217;s server, is copied, and forwarded to its destination with the doppelganger domain in the return address. If a response is sent from its destination, it will travel back to the dop server, be copied, and then sent on its way to the original sender. Those exchanges can continue indefinitely.</p>
<p>But who really types in email addresses anymore? Apparently, a lot of people.</p>
<p>Two researchers at the <a target="_blank" href="http://godaigroup.net/" onclick="pageTracker._trackPageview('/outgoing/godaigroup.net/?referer=');">Godai Group</a> set up 30 doppelganger domains and in six months, they were able to intercept 20 gigabytes of data. In that data were invoices, contracts, employee credit card and banking information, configuration details for the external routers of a large IT consulting company and the passwords for accessing the devices, and information for accessing the VPN network of a company that manages motorway tolls in the United States.</p>
<blockquote><p>&#8220;Each company in the Fortune 500 was profiled for susceptibility to doppelganger domains and 151 companies (or 30%) were found to be susceptible,&#8221; wrote the researchers, Peter Kim and Garrett Gee, in a recently released report.</p>
<p>&#8220;In large corporations, email usage is extremely high which dramatically increases the likelihood of mis-sent emails and data leakage,&#8221; they explained.</p></blockquote>
<p>Remarkably, they discovered, only one company detected its doppelganger and only two users noticed they were sending mail to a dop.</p>
<p>Kim and Gee <a target="_blank" href="http://www.wired.com/images_blogs/threatlevel/2011/09/Doppelganger.Domains.pdf" onclick="pageTracker._trackPageview('/outgoing/www.wired.com/images_blogs/threatlevel/2011/09/Doppelganger.Domains.pdf?referer=');">also noted</a> [pdf] that many doppelgangers had already been created for the world&#8217;s largest corporations, including Cisco, Dell, HP, IBM, Intel and Yahoo. Most of those dops were owned by entities in China, they added.</p>
<p>What&#8217;s an email administrator to do to counter this kind of attack?</p>
<ul>
<li>Persuade your company to buy up and register all your doppelganger domains. Then configure your external DNS server to bounce mails sent to the dops.</li>
<li>If you discover a doppelganger domain, file a Uniform Domain Dispute Resolution Policy complaint with ICANN.</li>
<li>Configure your internal DNS servers not to resolve doppelganger domains. Of course, that will only affect the outbound email of your organization. External email could still be picked off by the dops.</li>
<li>As an alternative to configuring your DNS server, you can configure your email server to block any outbound mail headed for a dop.</li>
<li>Let everyone in your business network—employees, customers and partners—know about the doppelganger domain so they&#8217;ll be aware of the attack.</li>
<li>You can also make sure that auto-addressing is turned on across your system. If your users don&#8217;t have to type in email addresses, then they can&#8217;t make typos in them.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/09/configure-your-email-system-to-prevent-exploitation-by-doppelganger-domains/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Keep Calm and Carry On</title>
		<link>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/</link>
		<comments>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/#comments</comments>
		<pubDate>Wed, 28 Sep 2011 14:00:15 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4634</guid>
		<description><![CDATA[&#60;sarcasm&#62; Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/keepcalmandcarryon.jpg"><img class="alignright size-full wp-image-4637" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/keepcalmandcarryon.jpg" alt="" width="190" height="266" /></a><em><strong>&lt;sarcasm&gt;</strong></em> Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. We might just as well all return to the trees; we made a good go of it, but society as we know it is done.<em><strong>&lt;/sarcasm&gt;</strong></em></p>
<p>In all seriousness though, the latest blow to the technologies that help to secure significant amounts of traffic on the Internet was delivered this week by Thai Duong and Juliano Rizzo, two security researchers who plan to demonstrate proof of concept code at the Ekoparty Security Conference in Buenos Aires, Argentina, that can actually decrypt TLS 1.0 traffic. It is a proof of concept, not a zero day exploit already developed into a Metasploit plug-in, so there’s no need to panic quite yet.</p>
<p><span id="more-4634"></span>TLS 1.0 is one of the most commonly used encryption protocols for securing traffic, including HTTPS, SMTP/TLS, and secure versions of POP3 and IMAP. We use it whenever our clients access our email servers using any secure protocol including web mail, and when we send TLS protected mail between our systems and our partners.</p>
<p><a target="_blank" href="http://www.ietf.org/rfc/rfc2246.txt" onclick="pageTracker._trackPageview('/outgoing/www.ietf.org/rfc/rfc2246.txt?referer=');">Defined in RFC 2246</a>, it was proposed as a replacement for SSL 3.0, which is actually still widely used today. TLS 1.0 uses cipher-block chaining (CBC), in which each block of plaintext is XOR’d with the block of ciphertext that precedes it. BEAST uses a type of cryptologic attack called a “known plain-text” attack to figure out the encryption, exploiting a vulnerability in TLS 1.0 that has long been theorized as a problem with the protocol.</p>
<p>TLS 1.1 and 1.2 both exist as successors to TLS 1.0, and neither is vulnerable to this same flaw, but they have not been widely implemented, in part because the flaw in 1.0 wasn’t real, at least, not until now. Internet Explorer can use both, but they must be enabled. SChannel in Windows 2008 and 2008R2 can use them as well, but again, they must be enabled. The easiest way to do this domain wide for Windows users is to use a group policy to enable &#8220;System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing&#8221;, but don’t do that just yet. This can have some undesirable effects on a typical PC. <a target="_blank" href="http://support.microsoft.com/kb/811833" onclick="pageTracker._trackPageview('/outgoing/support.microsoft.com/kb/811833?referer=');">Read this KB</a> article and test carefully before making a system-wide change like this, and then keep in mind that Chrome, Firefox, and most other browsers cannot use TLS 1.1 or 1.2 at the time of this writing. Even with Windows software, this setting is advisory only. It enables them to use TLS 1.1 and 1.2, but it doesn’t force them to. Many websites using HTTPS only implement TLS 1.0, and clients will be able to fall back to that.</p>
<p>The duo’s proof of concept application is called BEAST, for Browser Exploit Against SSL/TLS, and apparently does a very effective job of decrypting authentication cookies used by websites to grant users access to secured content that requires authentication. Apparently the attack works like this: a bit of JavaScript is injected into a user’s browser session when they visit a compromised website or click on a link that takes them to a site set up to deliver the code; it then works with a network sniffer to capture encrypted cookies passed between the client and a server, which it is then able to decrypt.</p>
<p>To exploit a system, an attacker must first deliver the JavaScript to the browser, and then must have a sniffer in place to capture the packets. A well patched system, running current antivirus, and protected by mechanisms like a proxy server, should be difficult to attack. If an attacker can do all of that to a user, they can probably do anything else they want already, which means they probably already own the victim’s computer.</p>
<p>The good news is that the exploit for this vulnerability, and the proof of concept application, were both developed by good guys. Demonstrating that this sort of attack is possible and practical will likely motivate developers of browsers and web servers to deploy TLS 1.1 and 1.2 capable versions of their software. Google has already released a patch that, while still using TLS 1.0, defeats this particular attack, and the developers of OpenSSL and the Network Security Services libraries used now have real reasons to implement the stronger protocols.</p>
<p>So, what can be done to help mitigate this? Follow the points below:</p>
<ol>
<li>Keep up-to-date on all vendor patches, both for your operating system and all applications you use.</li>
<li>Keep antivirus software up-to-date, use real-time scans, and perform scheduled full scans regularly.</li>
<li>Close all browser sessions, and use a fresh session with no other open tabs whenever you need to browse to a secure site, like your bank, credit card, webmail, etc.</li>
<li>Close that browser completely when you log off.</li>
<li>Consider disabling JavaScript in your browser.</li>
<li>Consider using a sandboxed version of a browser.</li>
<li>Watch for, and implement, updated libraries for encryption as soon as they are available from your vendors.</li>
</ol>
<p>In researching for this article, I came across a handy website that can show you just which protocols your browser uses to secure an HTTPS session. It uses a self-signed certificate, so be ready to get a warning dialog, but check out <a target="_blank" href="https://www.mikestoolbox.net/" onclick="pageTracker._trackPageview('/outgoing/www.mikestoolbox.net/?referer=');">https://www.mikestoolbox.net/</a> to see some interesting information about your browser, and to test any changes you make to supported encryption protocols.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Understanding Email Encryption (Part 2)</title>
		<link>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/</link>
		<comments>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/#comments</comments>
		<pubDate>Tue, 23 Aug 2011 14:00:01 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Microsoft Outlook]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4483</guid>
		<description><![CDATA[In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical. There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/cryptography.jpg"><img class="alignright size-medium wp-image-4487" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/cryptography-300x215.jpg" alt="" width="300" height="215" /></a>In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical.</p>
<p>There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched upon.</p>
<p>Unfortunately, when it comes to making a pitch for encryption, those who understand the need for it are an easy sell. Those who either don’t understand it or don’t see the need for it often cite one or more of the stigmas attached to email encryption as a reason to avoid it.<span id="more-4483"></span></p>
<p>Should you find yourself being stonewalled when giving your reasons for email encryption, here are a few points you can make to counter any disbelievers.</p>
<p>Of course, the consequences that come from disputing your boss in front of others are something that encryption can’t protect against, so use them at your own risk.</p>
<h2>Encryption makes us look paranoid</h2>
<p>In the previous post I quoted a survey respondent as saying: “normal people don’t encrypt normal email messages” when asked about adopting encryption for email.</p>
<p>The problem is that society does tend to raise an eyebrow at those who act paranoid. Let’s be honest here, they are outright ridiculed.</p>
<p>And no one wants to be made fun of. But that is playground thinking. As a customer, client or employee I want to know that my personal or confidential information is being protected. Email encryption can make me look silly if I am sending a joke to a friend and I use DES cryptography, but if account information is being sent from my bank I want to see a bit of protection put in place.</p>
<p>One way to counter this is to ask, “would you rather someone think you a bit paranoid, or would you rather be in the news like the Oak Ridge Laboratory, CitiGroup, Sony, Target, Chase, etc.”</p>
<h2>Encryption is too complicated for most users</h2>
<p>15 years ago, email was too complicated for most users. There was a time when the telephone was complicated technology.</p>
<p>And yes, there was a time when cryptography for email messages was quite a bit of work but now it is rather simple and solutions operate seamlessly with your company’s email client.</p>
<p>Outlook offers two separate methods of encrypting email messages. You can encrypt a single message using 3DES by going to the <strong>Message tab</strong> in the <strong>Options group</strong> and clicking the <strong>Encrypt Message Contents and Attachments</strong> button.</p>
<p>After that you simply write your message and send it on its way.</p>
<p>Encrypting all messages can be done as well but that requires all recipients to have your digital ID to decrypt the contents.</p>
<p>Still, that doesn’t seem too difficult now does it?</p>
<h2>Encryption is too expensive for us</h2>
<p>Another stigma is that encryption is for large companies, not small or medium sized businesses &#8211; this isn’t entirely accurate.</p>
<p>Sure, an organization can spend a good deal of money on an expensive appliance that requires add-ons and plug-ins. But you don’t have to spend that much.</p>
<p>With Software as a Service models, even the smallest company can purchase a service contract for only what they need. Be it one user or a thousand.</p>
<p>There are even companies that cater these services to smaller organizations specifically to keep costs within reason.</p>
<p>Software as a Service solutions can also help negate the belief that encryption will be too much of an undertaking for your IT staff as well. Since the company is buying the service, there is nothing for the IT people to set up, configure, troubleshoot, monitor, etc.</p>
<p>Encryption, like any other technology, has changed over the years. But so has the need for it. There was a time when email wasn’t such a lucrative target for attackers. There was a time when regulations mandated certain security baselines be put in place. There was a time when using encryption required a Master’s Degree in Computer Engineering. But all that has changed. Let your company know it’s about time their mentality regarding protecting email messages does as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-2/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Understanding Email Encryption (Part 1)</title>
		<link>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-1/</link>
		<comments>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-1/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 15:32:27 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Advanced Encryption Standard]]></category>
		<category><![CDATA[AES]]></category>
		<category><![CDATA[Digital signature]]></category>
		<category><![CDATA[E-mail encryption]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Princeton University]]></category>
		<category><![CDATA[Public-key cryptography]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4441</guid>
		<description><![CDATA[It doesn’t matter if your company uses email to communicate corporate secrets, confidential financial information, or just an invite to the annual picnic; people who weren’t intended to see the message shouldn’t be able to. To prevent prying eyes from having the opportunity to read your corporate emails encryption is usually the first choice among [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/email-encryption.gif"><img class="alignright size-full wp-image-4442" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/email-encryption.gif" alt="Understanding email encryption" width="200" height="150" /></a>It doesn’t matter if your company uses email to communicate corporate secrets, confidential financial information, or just an invite to the annual picnic; people who weren’t intended to see the message shouldn’t be able to.<span id="more-4441"></span></p>
<p>To prevent prying eyes from having the opportunity to read your corporate emails, encryption is usually the first choice among email administrators who understand security. However, according to a study done by Princeton University titled <em>“Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted E-Mail”</em>, there are still many barriers to companies implementing email encryption:</p>
<ul>
<li>The belief that encryption is not needed because a company is too small</li>
<li>Encryption flags a message as being important or secret</li>
<li>Encryption solutions are too complicated for users</li>
<li>Email encryption solutions are too hard to implement and set up</li>
<li>Using encryption makes the company look paranoid</li>
<li>Receiving encrypted messages can be annoying</li>
</ul>
<p>To quote one respondent of the study, “normal people don’t encrypt normal email messages.”</p>
<h2>Lack of understanding</h2>
<p>It seems that with so many responses like this, most people have a lack of knowledge when it comes to email encryption.</p>
<p>So let’s start with when someone would want to use encryption. Ask yourself, “Does it matter who reads this email?” For any messages where the answer is no, encryption isn’t necessary.</p>
<p>But if you answer yes, the messages should be secured. Considering 99 percent of all email still travels over the Internet without being secured, it would be safe to assume that there are messages in that 99 percent where the answer to our question would be yes so an understanding of email encryption is certainly warranted.</p>
<h2>Types of encryption</h2>
<p>There are hundreds of encryption solutions available for home and corporate users. Some are extremely hard to break; others can be broken rather easily by someone who knows what they are doing. Others still have been completely untested. These solutions generally fall under one of two types of encryption: Symmetric or Asymmetric.</p>
<h3>Symmetric Key Encryption</h3>
<p>A basic definition of symmetric key encryption is where both parties share a single secret key. This works best to prevent casual viewing or the accidental disclosure of sensitive information.</p>
<p>It works by the user typing their email message and, using the shared secret key, encrypting it into cipher text. The cipher text message is then sent to the recipient(s) where the same shared secret key is used to turn the encrypted message back into plain text for reading.</p>
<p>Symmetric key cryptography commonly relies on algorithms such as AES, Twofish, RKZIP, DES, Blowfish and IDEA.</p>
<h3>Asymmetric Key Encryption</h3>
<p>Also called public-key cryptography, asymmetric encryption requires two separate keys. One, called the public key, is used to encrypt the plain text of the message, and another, called the private key, decrypts the cipher text. The way it works is that a public key and private key are created and mathematically linked to each other. The public key is then published so anyone with access to this key can send encrypted messages to the holder of the private key, which is not shared.</p>
<p>This is very different from the single shared key of symmetric encryption and no longer requires a secure exchange of the single shared key, as is necessary with symmetric encryption.</p>
<p>The asymmetric method works when the email sender writes the message in plain text and encrypts it using the recipient’s public key. The encrypted message, now in cipher text, is sent to its intended recipient. The recipient then uses their own private key, the one linked to that public key, to decrypt the message back into plain text so it can be read.</p>
<p>The algorithms that asymmetrical encryption relies on are RSA, PGP, DSA and Diffie-Hellman.</p>
<p>To add an additional layer of security to public-key encryption, some senders use a digital signature as well. The sender signs the message with the sender’s private key. Recipients use the sender’s public key to verify that the sender is who they claim to be. Not only is the confidentiality of the message now protected, but the authenticity as well.</p>
<p>You can see where this could be used to help fight phishing scams, especially when an internal email address is spoofed to compromise user credentials or steal information.</p>
<p>Even if you decide that encryption should be added to your existing layers of email security, end-users still have to buy in or they will continue to send plain text messages that are not protected. In part two, we will look at some of the stigmas that are associated with using email encryption and how you, as an email administrator, can overcome them with your users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-1/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Secure Your Desktop &#8211; Protect Your Email</title>
		<link>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/</link>
		<comments>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:00:58 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4410</guid>
		<description><![CDATA[So you have been tasked with securing your organization’s email services. There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework. So you have looked at your [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg"><img class="alignright size-full wp-image-4413" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg" alt="Securing the desktop is a major part of email security" width="300" height="259" /></a>So you have been tasked with securing your organization’s email services.</p>
<p>There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework.<span id="more-4410"></span></p>
<p>So you have looked at your email server, or servers, and taken the recommended steps of:</p>
<ul>
<li>Installing a commercial email security solution,</li>
<li>Updating the server’s operating system,</li>
<li>Patching all required software,</li>
<li>Turning off all unnecessary services,</li>
<li>Configuring your email server to sit behind the external firewall,</li>
<li>Encrypting your email storage,</li>
<li>Setting a backup schedule,</li>
<li>Testing the recovery portion of your backup,</li>
<li>Training your users on your company email policies.</li>
</ul>
<p>Confident that your email services are now secure, you can roll up your sleeves and attack the next item in the pile of projects that is sitting on your desk, right?</p>
<p>Not so fast. Unfortunately, there is still quite a bit of work to do.</p>
<h2>What am I missing?</h2>
<p>Like any other computer service, email requires many different users to share information with the email server or cluster of servers. Each user connects via a desktop computer, a laptop, tablet, or smart phone; as a result, there is two-way communication going on between them where data is exchanged. Can you see where we are going with this?</p>
<p>That’s right. Even if the servers that drive your company’s email are secured, there still remains that one variable that is often the root of so many security problems &#8211; the user.</p>
<p>If just one of those many users connects to the company’s email servers with an unsecured or infected device, it could mean disaster for your organization’s email. Consider the fact that email is still the preferred method of business communication, and you could have some serious problems on your hands.</p>
<h2>Securing the endpoint</h2>
<p>Your company can buy the top of the line security tools, train users until they can recite policies in their sleep and keep everything under a watchful eye, but all it takes is one zero-day vulnerability to be exploited on a device that a user connects to your network with and you can consider yourself compromised.</p>
<p>You see, attackers know that the weakest point in any organization is the user and his or her computer. Servers are often guarded with firewalls, intrusion detection and prevention devices, and diligent operators. The low hanging fruit is the user so that is where the attackers concentrate.</p>
<p>Training is always considered the best way to enforce security in an organization. The thought is that if people are aware of what the threats are and what they can do to stop them, then most attacks can be mitigated. We know that’s not the case. Training and education work, but only so much. Instead of being looked at as the solution, training should be considered part of a larger plan to stop threats against your email. Other elements of the overall strategy should include:</p>
<p><strong>Check your computers for malware</strong></p>
<p>No solution is going to stop 100 percent of all malicious software from infecting computers on your network. However, having a solution in place that constantly scans your network devices for malicious software is a crucial part of your overall security because, believe me, something is better than nothing. This means running anti-malware software that is automatically updated. Even better, make sure you can configure the solution so that users can’t opt to postpone the updates.</p>
<p><strong>Update the OS and all software</strong></p>
<p>After you have tested the updates and patches published for your computers’ operating systems and software, make sure that they are installed. Most patches are released to fix problems and plug up exploits found in the software code. Not updating your machines leaves them open to attack.</p>
<p><strong>Update the browser</strong></p>
<p>As email moves to the cloud, it is essential that the browser used in your organization is updated as regularly as any other software. This includes any plug-ins or extensions used by the browser. Even if you are still hosting mail services yourself, websites continue to grow as a method of delivering malware to computers, so using a secured browser is essential to protect users from being infected by seemingly harmless sites that they visit.</p>
<p>Email security is not easy. As with any other portion of your infrastructure&#8217;s security, it takes diligence, knowledge and skill. However, email security cannot be avoided simply because it is too hard a task to complete. You can certainly look into solutions that help ease the workload and make up for any deficiencies when it comes to this job.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Misconceptions About Email Security</title>
		<link>http://www.theemailadmin.com/2011/07/misconceptions-about-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/07/misconceptions-about-email-security/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 16:13:19 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Consultants]]></category>
		<category><![CDATA[E-mail attachment]]></category>
		<category><![CDATA[E-mail encryption]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[General and Freelance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4378</guid>
		<description><![CDATA[When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-medium wp-image-4393 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="email security" src="http://www.theemailadmin.com/wp-content/uploads/2011/07/email-security-300x300.jpg" alt="" width="300" height="300" />When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the fact that there is so much information readily available to us, misconceptions regarding email security still confuse many professionals tasked with maintaining the confidentiality, integrity and availability of email services.<span id="more-4378"></span></p>
<p><strong>Blocking executable files will stop malware from being spread among users</strong></p>
<p>Filtering all attachments that include .exe or .msi was once a common way to keep users from sending infected files to one another through email. This is still considered by many to be a best practice for securing email systems. However, as more tech-savvy workers entered the workforce, they found ways around this. Generally, people will simply change the extension on a file and send it in an email attachment to a co-worker, friend, or family member. The recipient simply downloads the file and changes it back to the correct file extension. If that file has malware attached to it, the recipient will become infected when the file is opened and that could spread to other machines on your network.</p>
<p>Another scenario that dates this method of securing email, and is much more common, is when a user receives an email with a link in it. This link takes the user to a seemingly harmless website that is hosting drive-by downloads that install malware onto a computer when the person visits the site. No action on the part of the user is necessary other than clicking on the link.</p>
<p>Email security solutions need to address both of these scenarios in order to truly offer protection.</p>
<p><strong>Attackers target large companies because that is where the rewards are greater</strong></p>
<p>We often hear about how large financial institutions are hit by attackers and the number of users whose confidential information is stolen runs into the millions; or maybe it’s an attack against a huge government organization like the <a target="_blank" href="../../../../../2011/04/what-we-can-learn-from-the-oak-ridge-attack/">Oak Ridge National Lab attack</a> that makes the headlines. At the same time, we almost never hear of a mom and pop store where the same thing happens. That’s because it’s not sensational. A small business being breached doesn’t warrant enough interest from the major networks, but that doesn’t mean it never happens. It actually happens more frequently to small and medium sized enterprises than it does to the big corporations.</p>
<p>Large companies often have the budget to better secure email systems against attack, where smaller companies often rely on security by obscurity as their solution, and attackers know this. Whether attackers are looking for the lower hanging fruit or simply trying to hone their skills, SMBs are frequent targets of email security attacks.</p>
<p>Finding security products that are geared towards SMBs is essential not only because they are affordable, but because they are tailored to the needs of these organizations.</p>
<p><strong>Email encryption is only for healthcare and financial institutions.</strong></p>
<p>It is true that these two industries are required by certain regulations to encrypt email messages. While other industries have nothing that says encryption is necessary, it still is good practice to make sure your emails aren’t sent in plain text across the Internet.</p>
<p>There are many reasons why a smaller company would want to protect information sent via email. You could be sending confidential information about employees, details about an investigation, sensitive company financial data, strategies for growing your business&#8230; the list is endless. But no matter what the reason for keeping a lid on the contents of your message, if it is not encrypted then anyone with the know-how can capture and read these emails.</p>
<p><strong>Email stored behind your firewall is more secure than email stored in the cloud</strong></p>
<p>Cloud security is one of the most hotly debated topics when it comes to email security. Moving email services to the cloud will certainly take security and control out of your hands and put that responsibility on your cloud provider. But that doesn’t always have to be a bad thing.</p>
<p>If you research cloud providers and find one that takes security seriously and is open to answering questions about your email and data, then odds are their staff will be better able to handle security than a small IT department where the staff wears many different hats.</p>
<p>Cloud providers also have multiple data centers to handle back-up and recovery, as well as multiple layers of security.</p>
<p>Getting the right information when it comes to security can be rather difficult. There are many supposed “experts” who make a great deal of money selling snake oil to companies whether it is in the form of a security solution or education. The key is to read as much as you can and always look for the counterpoints when it comes to finding the best solution. If you spend enough time doing your homework up front, you will spend less time in the future dealing with mistakes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/07/misconceptions-about-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lessons We Should Learn From Epsilon</title>
		<link>http://www.theemailadmin.com/2011/07/lessons-we-should-learn-from-epsilon/</link>
		<comments>http://www.theemailadmin.com/2011/07/lessons-we-should-learn-from-epsilon/#comments</comments>
		<pubDate>Mon, 04 Jul 2011 16:25:50 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[email encryption]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4252</guid>
		<description><![CDATA[When Epsilon Data Management disclosed a breach of its email system panic struck cyberspace. Names like JP Morgan Chase, Citi Bank, Staples, Verizon and Hilton were listed as some of the customer databases that had been compromised as a result. As many customers of these companies started receiving emails explaining that their email was exposed [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-medium wp-image-4253 alignright" style="margin: 10px; border: black 0px solid;" src="http://www.theemailadmin.com/wp-content/uploads/2011/07/Make-Data-the-Foundation-of-Your-Next-Email-Marketing-Plan-300x225.jpg" alt="What we should learn to protect email data" width="300" height="225" /></p>
<p>When Epsilon Data Management disclosed a breach of its email system, panic struck cyberspace. Names like JP Morgan Chase, Citi Bank, Staples, Verizon and Hilton were listed as some of the customer databases that had been compromised as a result.</p>
<p>As many customers of these companies started receiving emails explaining that their email was exposed in the breach and could be used in illicit activities, email administrators started looking at what they could learn as a result of this catastrophe.</p>
<p><strong><span id="more-4252"></span>Lesson One – Take Security Seriously</strong></p>
<p>A Ponemon Institute study titled <em>The State of IT Security: A Study of Utilities and Energy Companies</em> stated that companies were more concerned with preventing network downtime than they were stopping a cyber-attack.</p>
<p>Of course, no one should find this surprising. After all, if an e-commerce site or CRM portal goes down, business can come to a halt. No business means no income, so by all means this is going to take precedence. Besides, anyone who has been tasked with securing any type of technology knows that it doesn’t have the ROI that upper management is looking for when giving a project the go-ahead.</p>
<p>In order to prevent another incident like Epsilon from happening, cyber security needs to be at the forefront of IT and management’s agendas. With the increasing problem of Advanced Persistent Threats, email security needs to be looked at and any weaknesses shored up.</p>
<p><strong>Lesson Two – React Appropriately</strong></p>
<p>The breach of Epsilon happened on March 30<sup>th</sup>. By April 1<sup>st</sup> it was disclosed to the public. This gave Epsilon, and their clients, ample time to put together a response based on the details of the data breach. For this, they should be applauded.</p>
<p>Far too often companies who are victims of this type of cyber crime spend so much time spinning their wheels deciding how to soften the blow of negative press that they forget the ramifications it can have on individual customers.</p>
<p>By making the details known from the beginning, the customers of Epsilon’s corporate clients were able to receive fair warning about phishing scams and other illicit activity that would certainly be a result of their email being exposed.</p>
<p><strong>Lesson Three – Heed the Warning Signs</strong></p>
<p>Another thing Epsilon did right was that they discovered the breach quickly. Had they not recognized that there was unusual activity going on, the breach would have yielded much more than the 2 percent of the customer base that had been compromised.</p>
<p>Epsilon was warned, along with other companies, that there was a high likelihood of a malicious hacking attack that would take place against email distributors. To mitigate this threat Epsilon beefed up its monitoring capabilities to watch for anomalies.</p>
<p><strong>Lesson Four – Segment Your Data</strong></p>
<p>Security professionals who have analyzed the data breach, such as Anup Ghosh, Founder and Chief Scientist for <a target="_blank" href="http://www.invincea.com/" onclick="pageTracker._trackPageview('/outgoing/www.invincea.com/?referer=');">Invincea</a>, think that this may be the work of a single attack.</p>
<blockquote><p><em>&#8220;As we learn more about this breach, it could be very possible that a single intrusion was utilized to gain access to the data across all of these brands. Is this indicative of a potentially broader threat from a cloud perspective? Maybe yes, maybe no &#8211; only time will tell as we learn more and pull back more layers of both onions,”</em> he went on to say.</p></blockquote>
<p>It is a common suggestion in the security world that data should be segmented. For example, Client A’s data should be kept apart from Client B and Client C, or data should not be stored on the same server as web applications (which is common when it comes to default installations). Yet while this is often suggested, it is hardly ever practiced.</p>
<p>Segmenting data protects you because in the event one data set, application, network segment, etc. is compromised, all of your stored data is not exposed as a result. It basically makes the attacker work harder for a big pay day. Of course, if you are monitoring appropriately you will be able to spot the intrusion before more data is stolen.</p>
<p>The truth is Epsilon was not the last large company to have sensitive information regarding customers stolen. It will happen again. However if we can take the lessons learned and make security even tighter, then the gap between such incidents will continue to widen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/07/lessons-we-should-learn-from-epsilon/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

