When starting out, many small businesses set up their email using one of the free accounts available to them. Services like Gmail by Google, Hotmail from Microsoft or Yahoo!’s mail service, provide a working email address with almost no maintenance for a business just getting its feet wet.

However this may not be the best way to make a first impression with your potential customers.

Listed below are seven reasons why you need to ditch the yourcompany@freeemail.com and go with an address that better reflects the image you want your company to have.

1. Free email looks less professional

People associate free email services like Gmail or Hotmail as a personal accounts. Businesses, on the other hand, should have an email address that looks more professional. In fact, a study by Visible Logic in Amsterdam found that 70 percent of people view email messages coming from free email services as less professional when used by a business.

2. Free email looks spammy

Over the years, people have been burned so often by spam that they have become very adept at spotting shady looking emails in their inbox. One way to spot an email that may have malicious intent is by looking at the address. If you email address doesn’t look legitimate, your messages may be overlooked by overly cautious recipients.

3. Free email looks cheap

When people receive an email from your company and it has the @freeemail.com trailing it, your company looks cheap. For less than five bucks a month, you can set up an email address with your company’s domain. Sometimes you can even get a few of these for free when you host your company’s website. Customers who see that you are unwilling to spend a few dollars on this are often left to wonder what else your company may be skimping on.

4. You lose credibility when you use free email

A legitimate, professional looking email address tells your customers that you are here to stay.

Not only that, but having multiple email addresses such as: info@yourcompany.com, sales@yourcompany.com or service@yourcompany.com shows others that you are a well structured organization. The impression one gets when there is one, free email as the sole contact is that one person is handling everything for a company. This may scare larger clients away for fear that the company cannot handle their needs.

In today’s business atmosphere, trust is everything. Especially when it comes to online sales. Every little thing your company can do to establish trust and credibility will help your business grow.

5. Free email is less secure

Remember the old saying: there is no such thing as a free lunch? Well that applies to email as well.

True, Google, Yahoo!, Microsoft and the other free email providers do everything they can to make sure that their email services are as secure as possible, but things can slip through the cracks.

To pay for “free” email, users are subject to advertisements. While these help pay for the servers and storage space, they also have been linked to spam and hijacking. There have been several cases where businesses have had bank accounts and other confidential information compromised by cyber criminals who intercept email messages of companies that use free email services.

6. Free email may put you out of compliance

Nowadays, there are regulations and laws that govern so many industries and their record keeping that many large companies have entire legal teams dedicated to just compliance related issues.

But smaller companies are not immune to compliance. Companies of all sizes need to be aware of HIPPA when it comes to healthcare, PCI DSS when dealing with credit cards, and CAN-SPAM Act when it comes to marketing.

Free email likely does not offer you the tools required to be in compliance with any of these, or the many other, laws or regulations for email use.

7. You miss out on marketing your brand

Having your website’s domain name in every email you send out gives you the opportunity to build your company’s brand. Info@yourcompany.com puts your web site address in the minds of your customers. They know where to turn to when they need your services because they are so used to seeing your domain in every communication from you.

7 Reasons to Ditch That Free Email Address

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

You may have read the stories about how Atos Origin, a French IT services company, is looking to make their offices an email-free workplace by the year 2013 to eliminate what they call email pollution.

By turning to collaborative social medial tools, such as the Atos Wiki, employees have already seen a 20% reduction in “email pollution” six months after this initiative went into practice.

Volkswagen has also attempted to cut back on after hour’s emails being sent to and from employees Blackberrys in a similar effort. However, while cutting back on emails like Atos is trying to do may seem trend setting, it hardly seems to be a realistic goal.

Not only because of how many workplaces have become reliant on emails to get work done, but rather how these people use email to get work done.

As we all know, emails are not only used to deliver electronic messages. People in office buildings all over the world have found ways to “hack” their email accounts to do much more than send and receive messages.

Let’s take a look at some of the most creative, but common, ways email is used for things other than email.

Instant Messaging

Instant messaging is still taboo in many corporate settings. For some reason, IMs still conjure up images of the old AOL chat rooms in the eyes of most managerial types. So instead of embracing the technology, it becomes banned in the workplace.

Creative employees have learned that they can send a quick message to a coworker using the subject line alone. For example, sending a message with a subject that reads I have the research for your project EOM tells the recipient everything they need to know and lets them know that your subject line is the entire message (that is what the EOM, or End of Message, means).

Online/Portable Storage

There is hardly a person with an office job who hasn’t found themselves working on something that they needed to take home to complete. When they reach for that trusty USB portable hard drive they remember it is sitting on their desk at home still plugged into their laptop.

Email becomes a quick replacement as you can simply attach the document, spread sheet, etc to an email message and send it to yourself. Problem solved. Of course you would want to be extra careful when doing this with content that is considered sensitive or confidential.

File Transfer

Sending files to other people, or even yourself, can be tricky in the workplace.

Many companies block executable files from being attached to email messages to prevent malware from being spread via email.

However many employees have realized that they can get around this by changing the file extension from .exe to something that is permitted, like .docx. The recipient then needs to simply rename the file extension when they download it.

Setting Reminders

While most email clients have some sort of calendar that allows us to set reminders, we don’t always have access to them.  We may remember something late at night that we need to remind ourselves to do when we get to the office in the morning. If you can’t get to your calendar, you can always send a reminder to your work email. That way, when you are sifting through your morning emails you will remember what it is you have to do.

The same can be done in reverse.

Saving Hyperlinks

Bookmarking interesting or useful websites is great if you only use one computer. Using a solution like Evernote or Thirsty solves this, if your company allows these services through the firewall that is.

Then there are those who copy links and paste them into an email message. Sending this email to themselves almost assures them of the fact that they will be able to find these web sites at another time.

This little email hack is applied to just about anything found online. Sites, videos, presentations, etc. are all saved by cutting and pasting into email messages.

Of course, all of these tricks just add to the scourge of email pollution that companies like Atos are trying to get rid of. But hey, if they make your employees work easier, and better, and they don’t violate any acceptable use policies, is there really any harm?

5 Creative Uses For Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.

I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.

I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:

• I use strong passwords and phrases
• I change my passwords frequently
• I don’t use the same password over and over
• I update my anti-malware software regularly
• I run anti-malware scans regularly (ironically, I had just run a scan the day before)
• I am careful about what sites I visit
• I am careful about clicking links in emails
• I am careful about what I download, even checking the MD5 hashes when available.

However after I realized what had happened I didn’t make the classic mistake of denial that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.

Steps taken

When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.

At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.

However looking at a few of these messages I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:

A) My email address had not been spoofed.

B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.

It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.

Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.

Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.

The three scans from Malwarebytes Anti-Malware, TDSSKiller Antirootkit utility and Ad-Aware all came up clean so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came up but looking at the headers, these were delayed as the original message sent from my account occurred between 6:48 AM and 6:54 AM so everything looked clean.

Digging deeper

Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.

To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.

Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.

After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.

Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.

Yes, My Email Account Was Compromised

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

There’s an appealing logic to the notion that as technologies focused on a problem improve, the problem will diminish. That’s not always the case, however, and it may not be so when it comes to plugging email leaks.

Technologies don’t develop in bubbles. While improvements in Data Loss Prevention (DLP) technology are advancing, so are other technologies, technologies and trends that can offset or undermine those improvements.

“You might think the constant progress of technology means more innovative DLP methods will be coming down the pike to prevent sensitive data from being leaked through email and other communications channels,” security expert Jim Rapoza wrote in a white paper published recently by InformationWeek Reports. “But technology is advancing in ways that will make preventing data loss a much tougher task.”

One trend that will make controlling data leaks through email harder than ever is the use of consumer technology in the workplace.

“Many companies are increasingly dealing with the demands of employees (and upper management) who want to use their own devices for business tasks,” he wrote.

“This lets workers take advantage of the latest smartphones and tablets—systems that are likely generations newer than the company could provide—but also adds considerable management headaches, especially in terms of security,” he explained.

Even for administrators who can persuade the brass in their organizations that consumer devices should be kept out of the workplace, enforcing that policy may be more trouble than it’s worth.

“You can ban these devices from your company,” Rapoza wrote, “but chances are good that employees will use them anyway—which only increases the possibility of data leakage.”

As Rapoza explained in his paper, there are a number of ways to control data loss through email, although they can be undermined by the introduction of consumer devices into the office.

For example, encryption can be used to ensure that only the sender and recipient of a message can read it. A drawback to encryption, though, is that a sender and recipient have to coordinate their efforts on a message. That can be cumbersome, although there are systems that automatically manage the exchange of encrypted email within an organization.

Rights management is another way to prevent leakage. It allows rules to be imposed on how a message can be shared, viewed or distributed. You can prohibit a message from being forwarded to someone or shut off “reply to all”. You could bar the message from being sent to an external email address, too. The problem is that rights management may not work on some personal devices brought into work by employees.

Email gateways are another means of staunching leakage. Since they analyze email traffic, consumer devices don’t pose a problem to them. Gateways can be set up to look for content—words, phrases, attachments—that flag errant emails. One drawback to gateways, though, is false positives, which can be annoying to both administrators and their flocks.

And for organizations that need the full metal jacket treatment to prevent leaks, there are Full DLP systems, which combine encryption, rights management and gateways with network and storage policy management and next generation firewalls. That kind of protection is typically priced at six-figures and is costly to maintain on an annual basis to boot.

Plugging Email Leaks Becoming Tougher Than Ever

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Or is it? In a move that will have technology professionals first aghast, and then scratching their head, and finally a little jealous, Thierry Breton, the Chief Executive Office of the French information technology company ATOS has enacted a policy of “zero email”, in essence, banning internal email.

With more than 74,000 employees in 42 countries and 2010 revenues of $11.5 billion, this is not a small statement or a simple change in corporate culture.

Stating that his company’s employees receive on average two hundred emails per day, Thierry estimates that only twenty could be considered useful, thirty-six are considered spam messages, and the rest are so much noise generated internally that could as easily be handled using an Intranet portal, instant message, or phone call. ATOS is increasing its internal use of instant messaging applications, and the use of an internal “Facebook-like” portal.

Breton is no stranger to being a stranger to email. The former French finance minister took over as head of ATOS, and has not sent an email, since he started in November 2008. In a statement announcing the policy in February, Thierry said

“We are producing data on a massive scale that is fast polluting our working environments and also encroaching into our personal lives”. “At [Atos] we are taking action now to reverse this trend, just as organizations took measures to reduce environmental pollution after the industrial revolution”.

ATOS expects that by 2013, more than half of all digital content will come from updates to existing content.

ATOS uses Microsoft Corporation’s Office Communicator for instant messaging, which enables user to user and multi-party instant messaging, video conferencing and application sharing. They also use a wiki type approach to information sharing, easily enabling all users to create or contribute data online to their internal portal.

A statement from ATOS spokesperson Caroline Crouch to ABC News emphasized that this policy is focused on internal emails, and that external email with customers and partners will continue as normal.

Considering the amount of time I personally spend on email every day, and how much of that is “broadcast” type data that could be placed on the intranet home page, I am starting to see a certain appeal to this. Even with the widespread deployment of SharePoint, too many users still look at email as a file transfer system, forwarding Word docs to me even after I put them in a document library and send them a link to view and edit the file within SharePoint. We use Microsoft Lync (the latest version of Office Communicator) and a WordPress theme called P2 for a lot of our internal communications, but they are currently enhancements to, rather than replacements for, email. Certain teams (following IT’s example) are using private Twitter accounts for some team communications and manager-to-team broadcasts, and we’re always looking at other means to improve communications, but we’ve never looked at eliminating email (and, as an email admin, I hope we never do!)

Of course, there are security considerations to take into account, especially when using external services, and we’re also trying to narrow down on platforms to reduce the number of different systems we have to maintain. So far, we have a lot of interest, but no clear direction one way or the other.

ATOS’ new policy does have a certain appeal to it, if you can change the cultural approach to email, and provide enough guidance to uses about when to go to email, or when to go to other technologies for internal communications. I’d envision the following:

• File sharing of any type: SharePoint
• Simple question and answer, informal updates, dialogs that are in near real time but do not require a “paper trail:” Instant Messaging
• Short broadcast type updates: Private Twitter feeds (or SMS)
• Longer broadcast type updates: Blog posts on SharePoint
• Collaborative discussions: WordPress with P2 or SharePoint wiki
• Formal internal communications, more involved questions, private updates: email
• External communications: email

What about you? Do you see any appeal in reducing the volume of email internally? Do you use any other type of communications internally already, like instant messaging, wikis, etc.? What works for you, and what tips can you share with the other readers?

No Email at Work? Inconceivable!

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Like so many of you out there, I upgraded my Apple device to iOS 5 recently, and with that I found that I could get a free email account in the iCloud, an @me.com email address. My immediate response was to go “heck yeah!” and sign up for it. I did, added it to my other devices, and only then did I stop to think for a moment about what I did. That made five, yes, that’s right, FIVE email accounts that my phone would check every so many minutes to interrupt my day with yet another notification that I must check to see what someone sent me. That’s now FIVE email accounts I have to worry about filtering for spam, and securing with unique usernames and passwords, and that I will have to search through when, six months after reading an email and remembering only vaguely what it was about, need to find it again.

But wait, there’s more. How many instant messaging accounts do you have? I have one on each of the main public services. Since my Gmail account is already in the five above, that means I have a Yahoo, a Hotmail, and an AIM account that are capable of receiving email. I also have LinkedIn, and Facebook; each of those is a place that I can receive email, though they don’t have email addresses associated directly with them. I own a few different domains that I’ve registered through Google, so each of those comes with a Google Apps email whether I use it or not. So now I am up to fourteen different mailboxes that I could actually use today. Who knows how many are out there that I haven’t thought about in years, whether on Gmail, or Hotmail, at college, or in various other systems. And I’m pretty sure I have an email address on my personal cell phone, my work cell phone, and as a part of my Internet connection from my ISP.

So I ask myself and you, gentle reader, this very serious question… How many mailboxes do you really need?

This question is distinctly different from how many email addresses to you really need. With aliases, purpose built addresses, addresses you want to use to register for a service and hope to never need again, and all the various distribution lists you might want to have, you might need tens or dozens of email addresses.

What I want to know is how many mailboxes does someone really need, where a mailbox should be considered as something on a distinct system, requiring a distinct set of credentials, and that you will check on a (semi-)regular basis. It can be a web-mail, or POP3, or IMAP system, or something more enterprise targeted like an Exchange or Notes system. Please, leave a comment and let me know how many you have – you can leave as much or as little detail as you wish, but please give me at least the number of personal, and of professional mailboxes you have.

There is more to this post than just an attempt at justifying the ridiculous number of mailboxes that I have by trying to see how many of you are just as bad; I want you to consider whether or not any of those mailboxes you have left out there in the world might be:

a)      A resource drain on someone’s system

b)      A treasure trove of lost information

c)       A security risk.

If you think any of those might be the case, I encourage you to go clean them up. My own homework for this week is to do just that – clean up and close mailboxes that I can get rid of, review the messages that are in there to see if anything is worth keeping, and to forward messages from any that I need to keep in service to a “live” mailbox so that I am more aware of what might be hitting them, like requests to confirm things, password resets to other services; you get the idea.

It’s Time to Stop the Madness

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Administrators of Novell’s flagship messaging and collaboration product Groupwise should move quickly to apply the latest security patch from Novell, which addresses multiple vulnerabilities that could lead to code execution.

The Groupwise Internet Agent (GWIA) is responsible for all SMTP connections with external mail systems, and it was discovered recently that this agent has three distinct memory corruption issues that can be exploited when the GWIA parses rule variables in weekday, weekly, and yearly vcalendar messages.

There is currently no known exploit in the wild for any of these three vulnerabilities, but the first one was assigned a CVE last year, and the other two just last month. CVE-2010-4325 contains more information on the Weekday RRULE vulnerability, while CVE-2011-2662, and CVE-2011-2663 are reserved and awaiting updates. Novell has released three security advisories around these issues:

Security Vulnerability – GroupWise 8 Internet Agent Weekday RRULE (VCALENDAR) Vulnerability

Security Vulnerability – GroupWise 8 Internet Agent Weekly RRULE (VCALENDAR) Vulnerability

Security Vulnerability – GroupWise 8 Internet Agent Yearly RRULE (VCALENDAR) Vulnerability

Novell has also released Hot Patch 3, which addresses all three of the vulnerabilities. If you are running that already, your server is not vulnerable to any of the three vulnerabilities. If you are not, you should test HP3 in your environment as soon as possible and deploy it to your systems. Systems running earlier versions of Groupwise are also vulnerable, but no patch will be released for these unsupported platforms.

Researchers determined that successfully exploiting any of the three vulnerabilities could result in the server executing arbitrary code with system level privileges. Even a failed exploit could lead to a denial of service condition that would require the server to be rebooted. The attack can be launched by sending a maliciously formatted iCal calendar file to a user of the system by anyone external to the system.

Sebastien Renaud of VUPEN Security is credited with discovering one, while the other two are credited only to an anonymous researcher at Verisign’s iDefense Labs and an anonymous researcher at TippingPoint’s Zero Day Initiative.

While my posts tend to focus more on Microsoft Exchange than any other email platform, and I’m sure most of us are in the habit of checking our email early on patch Tuesday every month for the latest security patches from Microsoft, it is crucial that we do not overlook other vendors’ software that is sitting on our network. Whether we are using a third party application that runs on Windows, a distro of Linux, or network hardware, we as admins must pay attention to the security bulletins that come out from our vendors, and stay on top of necessary security patches. If you do not already have a patch management program in place, take a look at these three blog posts on patching:

1. What should be included in your patch management policy?
2. A Patch Management Strategy for Your Network
3. 6 Tips for a Successful Patching Process

and then consider a good patch management application for your network. Look for one that can address not just the operating system, but also the applications that run on your network, and that can scan for network hardware firmware as well.

Novell Patches Critical Issue in Groupwise

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Late last month we reported on the vulnerability in TLS 1.0 in Keep Calm and Carry On and over at our sister blog AllSpammedUp.com in  “Holy [Insert Expletive Here]! Et Tu, SSL?”. Security researchers Thai Duong and Juliano Rizzo developed an application, called the BEAST which demonstrated the ability to capture authentication cookies protected in transit using TLS 1.0. BEAST, which stands for Browser Exploit Against SSL/TLS, was demonstrated by the pair at the Ekoparty Security Conference, and apparently caught the attention of several vendors since the vulnerability that BEAST exploits has been known for years. Remember, we care about this both because webmail uses HTTPS, and many of our email protocols can be secured with TLS 1.0. BEAST may only attack web browser traffic today, but the flaw is in TLS, which means it affects everything that uses TLS.

BEAST uses a combination of JavaScript and a network sniffer to capture traffic, but can only decrypt traffic protected by TLS 1.0. Successors that are not vulnerable include TLS 1.1 and 1.2, which have limited support in most browsers as well as with most web servers. But now that the world has seen a practical attack against this vulnerability, major software companies are starting to devote resources to fixing this problem.
TLS 1.0 is broken; there is not a patch to fix its flaw. The best remediation is to stop using it, and to start using its more secure successors in the .1 or .2 version, but with so many incompatibilities in browser and webserver, this is easier said than done. The response from vendors has been mixed, with no clear and comprehensive fix in place yet, but here is what we’ve learned so far*.

Microsoft

Microsoft released Security Advisory 2588513 and has announced that they are working on an update that will disable TLS 1.0 in client operating systems, and enable 1.1 and 1.2. This can be done now manually, but may be beyond the typical home user and significant work for corporations with thousands of PCs. By making these changes in the operating system (instead of in Internet Explorer) any browser will be protected. They have also published a blog post that details how Windows admins can set TLS 1.0 to favour the RC4 cipher over the vulnerable CBC cipher in TLS 1.0. While not disabling the vulnerable cipher completely, this will protect the majority of clients, most of which will support this encryption suite. They also have automated ‘Fix it’s on that blog post, and a link to deploying this through a GPO.

Google

Google’s current version of Chrome does not support TLS 1.1 or 1.2, but the company has released both a dev and a beta version of their Chrome web browser designed to circumvent the vulnerability in TLS 1.0. It is likely this will move to the general release soon.

Mozilla

Mozilla maintains that their browser cannot be exploited by BEAST because of the way Firefox handles connections that originate in the browser, but they are also urging users to disable JavaScript.

Opera

Opera started to implement only TLS 1.1 and 1.2 in the latest release of their browser, only to find that it was incompatible with thousands of websites that can only use TLS 1.0. In a blog post they have shared the efforts that they are taking to find an appropriate work around that doesn’t require changes to websites, or that introduces incompatibilities with them.

Symantec

As the parent company of Verisign, one of the largest Certificate Authorities, Symantec is looking at ways they can leverage their leadership in the market to encourage other vendors to respond.

It appears that at this time, there is no easy way to fix this problem, but again, take heart in the following.

BEAST is proof of concept code; there is no indication that there is currently any “in the wild” attack that takes advantage of the vulnerability in TLS 1.0 using CBC.

Most experts agree that to successfully use BEAST, a significant degree of compromise would already have happened, or in other words, an attacker would already be on your network, able to inject JavaScript into your browser, and sniff your network traffic. If that is the case, you have more problems than compromised cookies.

Disabling JavaScript may not be a palatable answer, but is an effective one.

Closing all browser sessions before opening a new browser to access a secure website directly, and the closing that browser before accessing any other sites with another fresh browser session, is an effective protection.

We will continue to monitor developments and will post another article on this issue if anything significant is announced.

*Apple’s support site was down at the time this post was written, and I could find nothing specific elsewhere to indicate anything is being done around Safari or iTunes.

Vendors respect the BEAST

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

You’d have to have spent the last two years of your professional career living under a rock to have not come across “the cloud”. The cloud – this; the cloud – that; the cloud, the cloud, the cloud… Cloud computing promises to be the next sea change in information technology, as more and more Somethings as a Service (*aaS) hit the market, with every player from Microsoft and Google all the way down to JoeBob’s Hosting trying to get in on the action.

Email services look to be the most common, some of the easiest to move to the cloud, and certainly of the most interest to readers of this blog. My colleagues Jeff Orloff and Paul Mah have both written some great articles around this topic already. Today, I want to talk about cloud based email services from a different point of view; that of the email admin who thinks the cloud will make his or her job go away.

There are all sorts of euphemisms for jobs coming to an end; downsizing, right sizing, smart sizing, outsourcing, off shoring, and many others. I’ve been involved in a few of these. Sometimes I was the last man standing, other times I was the rat leaving the sinking ship, and once I was the deer in the headlights who never believed it would happen to him. All of those situations sucked, and I don’t want to promise you that no one will lose their job because their company moved their email to the cloud. What I do want to do is help you realize that:

a)      Moving your company’s email to the cloud DOES NOT mean your company doesn’t need email admins. Your boss is a fool if they think they can get rid of the entire email team.

b)      If you are an in house Exchange shop today, you will want to keep some in house Exchange servers even after the cloud move is complete. It’s called hybrid mode, and it offers significant advantages to a company, and it means you still need email admins.

c)       Overworked shops might find the cloud to be just the relief they need.

d)      There are several new skillsets a company needs to have in-house to support a cloud based service. There are opportunities to take your skillset to the next level and be just as critical tomorrow as you are today.

e)      Cloud migrations can take months; sometimes more than a year. Sure, an SMB can move their email in a weekend to the cloud, but an enterprise with thousands of users and gigabytes of email will take much longer, starting with remediation.

Your company will still need email admins

Managing a cloud based service requires admins who can take care of user needs, client needs, provisioning, set up, backups and restores, and to be the contact between the users and the service provider. Cloud providers take care of the care and feeding for an email system, and are on the hook for BCP/DR, but they don’t talk to end users and they don’t provision accounts.

Hybrid mode

Keeping some Exchange servers on premise lets you move mailboxes from the cloud back to your own servers, which lets you keep access to the mailboxes of former employees without paying the monthly costs to keep that mailbox in the cloud. Some companies are deciding to move only the regular users to the cloud, while keeping key personnel and executives’ mailboxes on-prem…in essence outsourcing the basic users to free up space and resources while keeping the VIPs in house to provide more personal service. You may also find add-ons like archiving are better kept in-house, which means you need email servers (just not as many as before).

Taking some of the load off

Again, that hybrid model offers a lot to consider. Moving the regular users’ mailboxes to the cloud not only reduces the number of servers you need, it frees up the diskspace your power users need for their multi-gigabyte mailboxes. Cloud providers are great, but they are not, and never will be, able to offer the executives the personal hand holding they expect when they have problems, need their Crackberries reset, or can’t find that critical email. You may find yourself going home earlier, and not getting as many late night calls.

Skillsets

To keep a company’s email running smoothly during and after a migration to the cloud, you will need to understand licensing, cost models, federated services, vendor management, and can also polish up your customer support skills. In every large org I have ever dealt with, the vendor management folks are some of the highest paid in all of IT. Dealing with a cloud provider is not a bad way to break into that tax bracket. Plus, most email admins know some networking and AD stuff; both of which are important and might let you move to another team. Working on a cloud migration can make you very marketable to those who offer cloud based email services. Consider also the security aspects of using a cloud provider – security has been one of the top ten most sought after skills in IT since the late 90′s and cloud security is a hot topic you can get hands-on experience with as you go through a new migration.

Time

Even if none of the above appeal and you are convinced that your job is on the chopping block, there is no need to jump ship day one. Cloud migrations will take significantly longer than anyone expects until they get into the project planning. For the duration of that project, you are one of the most important persons in the room. Have an honest conversation with your management, knowing that you are in a position of power. They need you to make the migration successful, and you have every right to know whether you are targeted for a new role or not post migration. I have seen email admins get very generous severance packages in return for staying with a project.

Don’t automatically assume that the words “the cloud” are another euphemism for “time to job hunt”. Look at it from all angles, never underestimate your own importance to the project, and make the most of it. You can find that every cloud really does have a silver lining if you keep your wits about you.

Inside Every Cloud Is a Silver Lining

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

In Understanding Email Encryption Part 1 I covered not only why encrypting email is important, but also the two different types of email encryption: asymmetrical and symmetrical.

There was another section that briefly mentioned some of the barriers that impede buy-in from management when it comes to an encryption solution. But these were only touched upon.

Unfortunately when it comes to making a pitch for encryption, those who understand the need for it are an easy sell. Those who either don’t understand it or see the need for it often cite one or more of these stigmas that are attached to email encryption as reason to avoid it.

Should you find yourself being stonewalled when giving your reasons for email encryption, here are a few points you can make to counter any disbelievers.

Of course the consequences that come from disputing your boss in front of others is something that encryption can’t protect against, so use them at your own risk.

Encryption makes us look paranoid

In the previous post I quoted a survey respondent as saying: “normal people don’t encrypt normal email messages” when asked about adopting encryption for email.

The problem is that society does tend to raise an eyebrow at those who act paranoid. Let’s be honest here, they are outright ridiculed.

And no one wants to be made fun of. But that is playground thinking. As a customer, client or employee I want to know that my personal or confidential information is being protected. Email encryption can make me look silly if I am sending a joke to a friend and I use DES cryptography, but if account information is being sent from my bank I want to see a bit of protection put in place.

One way to counter this is to ask, “would you rather someone think you a bit paranoid, or would you rather be in the news like the Oak Ridge Laboratory, CitiGroup, Sony, Target, Chase, etc.”

Encryption is too complicated for most users

15 years ago, email was too complicated for most users. There was a time when the telephone was complicated technology.

And yes, there was a time when cryptography for email messages was quite a bit of work but now it is rather simple and solutions operate seamlessly with your company’s email client.

Outlook offers two separate methods of encrypting email messages. You can encrypt a single message, using 3DES by going to the Message tab in the Options group and click on the Encrypt Message Contents and Attachments button.

After that you simply write your message and send it on its way.

Encrypting all messages can be done as well but that requires all recipients to have your digital ID to decrypt the contents.

Still, that doesn’t seem too difficult now does it?

Encryption is too expensive for us

Another stigma is that encryption is for large companies, not small or medium sized businesses – this isn’t entirely accurate.

Sure, an organization can spend a good deal of money on an expensive appliance that requires add-ons and plug-ins. But you don’t have to spend that much.

With Software as a Service models, even the smallest company can purchase a service contract for only what they need. Be it one user or a thousand.

There are even companies that cater these services to smaller organizations specifically to keep costs within reason.

Software as a Service solutions can also help negate the belief that encryption will be too much of an undertaking for your IT staff as well. Since the company is buying the service, there is nothing for the IT people to set up, configure, troubleshoot, monitor, etc.

Encryption, like any other technology, has changed over the years. But so has the need for it. There was a time when email wasn’t such a lucrative target for attackers. There was a time when regulations mandated certain security baselines be put in place. There was a time when using encryption required a Master’s Degree in Computer Engineering. But all that has changed. Let your company know it’s about time their mentality regarding protecting email messages does as well.

Understanding Email Encryption (Part 2)

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

It doesn’t matter if your company uses email to communicate corporate secrets, confidential financial information, or just an invite to the annual picnic; people who weren’t intended to see the message shouldn’t be able to.

To prevent prying eyes from having the opportunity to read your corporate emails encryption is usually the first choice among email administrators who understand security. However, according to a study done by Princeton University titled “Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted E-Mail” there are still many barriers to companies implementing email encryption:

• The belief that encryption is not needed because a company is too small
• Encryption flags a message as being important or secret
• Encryption solutions are too complicated for users
• Email encryption solutions are too hard to implement and set up
• Using encryption makes the company look paranoid
• Receiving encrypted messages can be annoying

To quote one respondent of the study, “normal people don’t encrypt normal email messages.”

Lack of understanding

It seems that with so many responses like this, most people have a lack of knowledge when it comes to email encryption.

So let’s start with when someone would want to use encryption. Ask yourself, “Does it matter who reads this email?” For any messages where the answer is no, encryption isn’t necessary.

But if you answer yes, the messages should be secured. Considering 99 percent of all email still travels over the Internet without being secured, it would be safe to assume that there are messages in that 99 percent where the answer to our question would be yes so an understanding of email encryption is certainly warranted.

Types of encryption

There are hundreds of encryption solutions available for home and corporate users. Some are extremely hard to break; others can be broken rather easily by someone who knows what they are doing. Others still have been completely untested. These solutions generally fall under one of two types of encryption: Symmetric or Asymmetric.

Symmetric Key Encryption

A basic definition of symmetric key encryption is where both parties share a single secret key. This works best to prevent casual viewing or the accidental disclosure of sensitive information.

It works by the user typing their email message and, using the shared secret key, encrypting it into cipher text. The cipher text message is then sent to the recipient(s) where the same shared secret key is used to turn the encrypted message back into plain text for reading.

Symmetric key cryptography commonly relies on algorithms such as AES, Twofish, RKZIP, DES, Blowfish and IDEA.

Asymmetric Key Encryption

Also called public-key cryptography, asymmetric encryption requires two separate keys. One is used to encrypt the plain text of the message, called the public key, and another, called the private key, will decrypt the cipher text. The way it works is that a public key and private key are created and mathematically linked to each other. The public key is then published so anyone with access to this key can send encrypted messages to the holder of the private key, which is not shared.

This is very different than the single shared key or symmetric encryption and no longer requires a secure exchange or the single shared key as necessary with symmetric encryption.

The asymmetric method works when the email sender writes the message in plain text and encrypts it using the public key. The encrypted message, now in cipher text, is sent to its intended recipients. The recipient needs to use the sender’s private key to decrypt the message back into plain text so it can be read.

The algorithms that asymmetrical encryption relies on are RSA, PGP, DSA and Diffie-Hellman.

To add an additional layer of security to public-key encryption, some senders use a digital signature as well. The digital signature signs a message with the sender’s private key. Recipients use their public key to verify that the sender is who they claim to be. Not only is the confidentiality of the message now protected, but the authenticity as well.

You can see where this could be used to help fight phishing scams, especially when an internal email address is spoofed to compromise user credentials or steal information.

Even if you decide that encryption should be added to your existing layers of email security, end-users still have to buy in or they will continue to send plain text messages that are not protected. In part two, we will look at some of the stigmas that are associated with using email encryption and how you, as an email administrator, can overcome them with your users.

Understanding Email Encryption (Part 1)

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

So you have been tasked with securing your organization’s email services.

There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics – and if you are ahead of the game you may have already done your homework.

So you have looked at your email server, or servers, and taken the recommended steps of:

• Installing a commercial email security solution,
• Updating the server’s operating system,
• Patching all required software,
• Turning off all unnecessary services,
• Configuring your email server to sit behind the external firewall,
• Encrypting your email storage,
• Setting a back up schedule,
• Testing the recovery portion of your back up,
• Training your users on your company email policies.

Confident that your email services are now secure, you can roll up your sleeves and attack the next item in the pile of projects that is sitting on your desk, right?

Not just so fast. Unfortunately, there is still quite a bit of work to do.

What am I missing?

Like any other computer service, email requires many different users to share information with the email server or cluster of servers. Each user connects via a desktop computer, a laptop, tablet, or smart phone; as result, there is a two way communication going on between them where data is exchanged. Can you see where we are going with this?

That’s right. Even if the servers that drive your company’s email are secured, there still remains that one variable that is often the root of so many security problems – the user.

If just one of those many users connects to the company’s email servers with an unsecured or infected device, it could mean disaster for your organization’s email. Considering the fact that email is still the preferred method of business communication and you could have some serious problems on your hands.

Securing the endpoint

Your company can buy the top of the line security tools, train users until they can recite policies in their sleep and keep everything under a watchful eye, but all it takes is one zero-day vulnerability to be exploited on a device that a user connects to your network with and you can consider yourself compromised.

You see, attackers know that the weakest point in any organization is the user and his or her computer. Servers are often guarded with firewalls, intrusion detection and prevention devices, and diligent operators. The low hanging fruit is the user so that is where the attackers concentrate.

Training is always considered the best way to enforce security in an organization. The thought is that if people are aware of what the threats are and what they can do to stop them, then most attacks can be mitigated. We know that’s not the case. Training and education works, but only so much. Instead of being looked at as the solution, it should be considered a part of a larger plan to stop threats against your email. Other elements of the overall strategy should include:

Check your computers for malware

No solution is going to stop 100 percent of all malicious software from infecting computers on your network. However, having a solution in place that constantly scans your network devices for malicious software is a crucial part of your overall security because believe me, something is better than nothing. However, this means running anti malware software that will be automatically updated. Even better, make sure you can configure the solution so that users can’t opt to postpone the updates.

Update the OS and all software

After you have tested the updates and patches published for your computers’ operating systems and software, make sure that they are installed. Most patches are released to fix problems and plug up exploits found in the software code. Not updating your machines leaves them open to attack.

Update the browser

As email moves to the cloud, it is essential that the browser used in your organization is updated as regularly as any other software. This includes any plug-ins or extensions used by the browser. Even if you are still hosting mail services yourself, websites continue to grow as a method of delivering malware to computers, using a secured browser is essential to protect users from being infected by seemingly harmless sites that they visit.

Email security is not easy. As with any other portion of your infrastructure’s security, it takes diligence, knowledge and skill. However email security cannot be avoided because it is simply too hard of a task to complete. You can certainly look into solutions that help ease the workload and make up for any deficiencies when it comes to this job.

Secure Your Desktop – Protect Your Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the fact that there is so much information readily available to us, misconceptions regarding email security still confuse many professionals tasked with maintaining the confidentiality, integrity and availability of email services.

Blocking executable files will stop malware from being spread among users

Filtering all attachments that include .exe or .msi, was once a common way to keep users from sending infected files to one another through email. This is still considered by many to be a best practice for securing email systems, however as more tech savvy workers entered the workforce, they found ways around this. Generally, people will simply change the extension on a file and send it in an email attachment to a co-worker, friend, or family member. The recipient simply downloads the file and changes it back to the correct file extension. If that file has malware attached to it, the recipient will become infected when the file is opened and that could spread to other machines on your network.

Another scenario that dates this method of securing email, and is much more common, is when a user receives an email with a link in it. This link takes the user to a seemingly harmless website that is hosting drive-by downloads that install malware onto a computer when the person visits the site. No action on the part of the user is necessary other than clicking on the link.

Email security solutions need to address both of these scenarios in order to truly offer protection.

Attackers target large companies because that is where the rewards are greater

We often hear about how large financial institutions are hit by attackers where the number of users whose confidential information is stolen tops up to millions; or maybe it’s an attack against a huge government organization like the Oak Ridge National Lab attack that makes the headlines. At the same time, we almost never hear of a mom and pop store where the same thing happens. That’s because it’s not sensational. A small business being breached doesn’t warrant enough interest from the major networks but that doesn’t mean it never happens. It actually happens more frequently to small and medium sized enterprises than it does to the big corporations.

Large companies often have the budget to better secure email systems against attack where smaller companies often rely on security by obscurity as their solution and attackers know this. Whether they are looking for the lower hanging fruit, or simply trying to hone their skills, SMBs are frequent targets of email security attacks.

Finding security products that are geared towards SMBs is essential not only because they are affordable, but because they are tailored to the needs of these organizations.

Email encryption is only for healthcare and financial institutions.

It is true that these two industries are required by certain regulations to encrypt email messages, while other industries have nothing that says encryption is necessary it still is good practice to make sure your emails aren’t sent in plain text across the Internet.

There are many reasons why a smaller company would want to protect information sent via email. You could be sending confidential information about employees, details about an investigation, sensitive company financial data, strategies for growing your business… the list is endless. But no matter what the reason for keeping a lid on the contents of your message, if it is not encrypted then anyone with the know-how can capture and read these emails.

Email stored behind your firewall is more secure than email stored in the cloud

Cloud security is one of the most hotly debated topics when it comes to email security. Moving email services to the cloud will certainly take security and control out of your hands and put that responsibility on your cloud provider. But that doesn’t always have to be a bad thing.

If you research cloud providers and find one that takes security seriously and is open to answering questions about your email and data, then odds are their staff will be better able to handle security than a small IT department where the staff wears many different hats.

Cloud providers also have multiple data centers to handle back-up and recovery, as well as multiple layers of security.

Getting the right information when it comes to security can be rather difficult. There are many supposed “experts” who make a great deal of money selling snake oil to companies whether it is in the form of a security solution or education. The key is to read as much as you can and always look for the counterpoints when it comes to finding the best solution. If you spend enough time doing your homework up front, you will spend less time in the future dealing with mistakes.

Misconceptions About Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them.

To better help SMBs find solutions scaled to their needs when it comes to email security, I have compiled a list of 5 tips that address the risks and restraints that they face.

1. Get the right solution

Email security can come in any number of packages. Security solutions can be software based, deployed through an appliance or even in a hosted environment. Each type has a variety of advantages, but there may be some disadvantages based on your company size or industry so it is important that you weigh your options carefully.

It is also important to look to solutions that can provide the protection your company needs at a cost that works. Too many times people are under the impression that security appliances are seriously out of reach for most small to medium sized businesses. This isn’t the case. There are many solutions that organizations find affordable and feature rich.

Make content filtering a standard practice

Content filtering needs to be a two way street. Of course, you want to filter out inappropriate content from being received by employees and certain types of attachments need to be blocked to prevent the spread of malware and expose vulnerabilities. However how often do you consider filtering what leaves your business via email?

Many industries nowadays are highly regulated and sending sensitive, or even financial, information out through email can not only bring compliance issues to your business, but it may also give competitors an edge. Filtering what users send out can be just as important as filtering what they receive when it comes to securing your company’s email.

Practice recovery as well as backup and archiving

Do you brush just half of your teeth? Then why would you only test half of your backup and recovery solution? Many companies find out, only when it is too late, that their backup and recovery solution was not configured properly or that there is some sort of problem.

This can be alleviated by regularly testing the recovery portion of your backup. By simply setting up a server (or virtual server) on which you can replicate your email system you can frequently test the validity of your backups in a way that will not disrupt your current email process.

Create fair policies that management will enforce

One of the biggest mistakes that SMBs make when it comes to email security is to take an overly aggressive approach. Without the manpower and resources to fine tune security policies, it becomes easier to just restrict anything that could be a perceived threat. This becomes especially true in small IT departments because they are tasked with so many other responsibilities.

When creating policies, it is important to bring other departments to the table so that these policies do not restrict anyone from getting their work done efficiently and effectively. Involving others at the management level also helps them better understand the reasons behind email policies and the ramifications for not following them. Gaining this support will help when it comes time to enforce these policies and discipline those who violate them.

Educate your staff

When it comes to security, it is a common misconception that bigger, state of the art, expensive solutions provide the best protection. Even though this isn’t true, SMBs often feel that they are at a disadvantage when it comes to email security because they cannot afford to deploy such solutions.

What many SMBs don’t see is that they have a distinct advantage over their larger counterparts when it comes to educating end users. When you have a smaller number of employees to train you have the advantage of being able to spend more time with them to make sure they understand the material you are delivering. You also have the opportunity to be readily available to answer questions or address any concerns or issues that your users may have.

Developing a solid training series for email security can also help free up time for IT departments that find themselves tasked with too many responsibilities because users who are informed and educated require less oversight and less attention.

5 Essential Tips for SMB Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Advanced persistent threats make email security a necessity

Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.

Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and their contents the mailbox also needs to be defended. Especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.

By implementing the following tips into your security plan you can help protect against these, and the many other threats that your organization may face:

Create email policies to regulate the communication of confidential information

Email communication has become second nature in the workplace. It is quick, easy and it gives us a record of our conversation so we can refer back to any information at a later date. However, if the conversation contains sensitive information like login credentials, financials, personal information, and the like, then it can be extremely valuable to anyone who may harvest those emails.

By simply setting up, and enforcing, policies that restrict certain information from being sent via email you can mitigate the damage done if emails are exposed. At the very least, your policy should state that user logins and passwords (and/or PINs) not be communicated via email.

Teach users to encrypt their messages

One of the best analogies I have seen to describe the need for encrypting emails is one that compares email to a postcard. Basically, anyone who comes across it can read the contents if they want. This can be stopped by encrypting emails to prevent eavesdropping.

Encryption is a hard thing for many people. It requires additional steps, training and, in some cases, third-party software (such as PGP) yet it is really the only way to keep your messages private in transit.

Encryption shouldn’t be limited to sending and receiving messages alone. Any email that is stored on a hard drive (think personal folders), a network drive, backup servers or archive systems should also be protected from any prying eyes.

Get rid of old email

A long time ago, storage space was a precious resource. Nowadays inboxes can be easily scaled to hold enormous amounts of data. Unfortunately that provides a greater possibility that an attacker will find something valuable.

Email should be moved, or deleted, when their life cycle is up. Make sure to check with any regulations regarding discovery and archiving before getting rid of the old stuff, but if you combine this with encryption you will be taking great strides to protect older emails.

Practice good network security habits

Make sure that desktops are continually scanned for malware that could possibly expose email login credentials, filter Internet content to protect against malicious websites, understand how to properly use a firewall and update server and client software as needed.

In addition to the employing technology to help secure your email systems you should also consider human factors as well. One of the ways that people first discover that their systems have been compromised is by noticing an anomaly. Be on the lookout for log-ins that just don’t seem right whether it be the IP address, the time of day or even the length of time.

This can be one of the most tedious tasks to undertake when it comes to security but it is by far the most important.

Put the right solutions in place

In many small and medium-sized enterprises, the email administrator alone cannot be as vigilant as he or she would like. Even in organizations where there is team of professionals dedicated to security use necessary security tools to help them do their jobs. Smaller companies need to understand this as well.

By employing technologies that help manage email, backup and recovery, archiving and security, you are plugging the little holes that provide that chink in the armor most attackers are looking for.

No one said that email security is going to be an easy task, but it is one that cannot be ignored just because it’s too hard or it costs too much.

Tips for Better Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The recent spike in security breaches resulting from meticulously planned and executed spear phishing attacks may have forced email administrators to start thinking of topics that they may never have considered previously, such as the repercussion of a hacked Exchange Server account, or the reasons why hackers would be interested in attacking your email server.  Indeed, you may have already read Securing Your Microsoft Exchange 2010 Server, and have duly implemented the various hardening measures that I’ve linked to in that article.

Moving ahead though, you may be wondering if your Exchange Server is truly protected against malicious attacks.  Beyond waiting for a hacker to successfully break in, is there anything that the diligent administrator can do to reduce the chances of a successful break in?  I had the opportunity to attend an EC-Council Certified Ethical Hacker course recently, and one indelible lesson I gained would be how proper penetration tests can facilitate better security.  The rationale is simple – if you can break in, then so can hackers.  Today, I want to highlight some very simple penetration testing strategies that cash-strapped businesses can perform on their Exchange Servers to get a better pulse on their security readiness.

Obviously, permission must first be obtained from the relevant management prior to any penetration testing – preferably in writing.  Also, the usual caveat emptor about the dangers of tinkering with malware applies; there is also the very real possibility of Trojans hidden within typical tools used by hackers.  Finally, I would strongly advocate hiring a properly qualified and professional penetration team, which has the added benefit of a detailed report on any findings with recommendations for improvements.

Port scan

One of the simplest ways to establish the presence of malware or illicit server software would be to do a port scan on your Exchange Server.  While simplistic, this is nevertheless one of the first steps that a hacker will perform when targeting your organization, and could potentially reveal flawed configurations or the presence of unwanted (and forgotten) software services.

An extension of this idea would be to scan for the presence of SMTP (Port 25) listeners on your internal network, the presence of which could indicate the presence of unauthorized software or zombie computers running spamming software.  A basic and very well-known network and security scanner would be the free NMap, though many commercial variants exist that are capable of more detailed scans such as detecting common misconfigurations.

Sending malware to yourself

An easy way to test the capability of one’s malware filter or gateway antivirus scanner would be to deliberately send malware to an account on your server.  This may range from executable files, hiding them within archives, or malformed PDF files or Word documents – you essentially employ the same tricks that spammers and hackers are known to use.  Obviously, administrators should take pains to send infected email attachments only to unused accounts or one that has been set aside for the purpose of testing.

It should also be noted  that many of the recent attacks rely more on phishing or social engineering that push users into clicking a link to a malware-laden website as opposed to sending malware as an email attachment.

Brute Force Password Hacking

A brute force password attack entails repeatedly logging into an account with various combinations of passwords, and is a strategy employed by hackers looking for soft targets on the Internet.  Unlike cracking an actual password hash file or database, attempting to break in via brute forcing the password as part of a penetration test is a lower risk proposition, and viable if care is taken not to disrupt the access of legitimate users.

Moreover, this is a good way of weeding out easy-to-guess passwords that may be used by some employees, and is an activity that be conducted when server and network utilization is lower (such as over the weekend or overnight).  Dictionary files in your company’s native language can be compiled relatively easily, or downloaded from various repositories on the Internet.  Finally, there is no need to find a tool dedicated to breaking into Exchange Server either, since any password brute force tool that supports POP or IMAP can be made to work.

Are you aware of any simple penetration testing strategies that can be used to test the robustness of an Exchange Server deployment?  Feel free to highlight them in the comments section below.

Simple Penetration Testing Strategies for Your Exchange Server

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Getting your co-workers to adhere to policies that govern the use of email in the workplace can be tough. Despite your best efforts, email is still used to send jokes, chain letters, pictures, slide shows and other inappropriate content.

For whatever reason, people don’t quite get that not only are email policies in place to protect them and the company brand, but there are consequences for violating these policies. Unfortunately, the only time when people begin to comprehend just how serious email policies are is when it is too late.

To better help your co-workers and employees understand why it is important to adhere to email regulations and company policies, here are a few real life examples that you can use to get the point across:

Sarah Palin

The mistake: Using personal email to conduct business.

Nothing of note was found when her official email archives were released to the press recently but remember back when her personal Yahoo! account was cracked? She had to answer questions regarding the use of her personal email to conduct state business instead of her official account that is subject to laws and regulations regarding public records.

Mark Foley

The mistake: Sending inappropriate messages while intoxicated.

The congressman from Florida was caught up in an email scandal when he sent a message to a former Congressional page requesting a photo. Although the email was sent from his personal account it did open up the floodgates and it was found that he had also sent suggestive text messages to the same young man. Foley later explained that he had a drinking problem and that the messages were all sent when he was intoxicated. After all this surfaced he was told to either resign or he would be expelled from the House of Representatives.

Neal Patterson

The mistake: Expectations that emails are private communications and bad etiquette.

Whenever a paper trail exists there should be no expectation that the communication will remain private. In 2001 Neal Patterson, CEO of the Cerner Corporation, learned this when an email he sent out to his senior staff was leaked.

The email, which berated and threatened managers by stating, “As managers, you either do not know what your EMPLOYEES are doing or you do not CARE. In either case, you have a problem and you will fix it or I will replace you,” caused a 22 percent drop in the company’s stock.

Climate Research Unit, England

The mistake: Confirming a cover-up using email.

Much of the research from the CRU is used by the United Nations for its global climate reports so when an email surfaced from Phil Jones, the head of the CRU, that read, “I’ve just completed Mike’s [science journal] Nature trick of adding in the real temps to each series for the last 20 years and from 1961 for Keith’s to hide the decline,” you can imagine what happened to the credibility of this group.

Galleon Group

The mistakes: Fake emails to cover up security fraud.

Galleon founder, Raj Rajaratnam told employees to create a fake email trail to make it appear to the SEC that some of his recent stock purchases were based on price rather than inside information he had received.

“You just have to be careful, right?” Mr. Rajaratnam told the former Galleon employees in a taped conversation. He later explained that he would send an email asking about a stock “so that we just protect ourselves.”

He was found guilty on 14 counts of conspiracy and securities fraud and faces sentencing on July 29^th.

Lee Abrams

The mistake: Sending offensive content via his company’s email system.

The chief innovation officer of the Tribune Co. resigned in 2010 because he sent an email memo with a link to a video that he thought was funny. Some of the people who received the email didn’t quite see it in the same light. In fact, they found it offensive and complained. Originally, Abrams was suspended by the company indefinitely but later left his position.

As you can see, and hopefully your co-workers understand, that when it comes to the inappropriate use of email the intent isn’t taken into consideration. Even something that the sender views as harmless often carries the same consequences as something done maliciously.

Email Scandals That Should Make Us Think Twice

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.

This list displays some of the most common mistakes that are made when it comes to email security and a brief description of what you can do to prevent them.

Leaky emails

There are many times when sensitive information is passed along via email. If everything is encrypted properly you, and your users, often assume that it will only be seen by the appropriate people. Unfortunately this isn’t always the case. Too many times a recipient may answer an email with sensitive information and hit the reply all button without checking to see who will be receiving the email.

The fix: Put a policy in place that addresses sensitive emails and reply to emails. However a policy alone isn’t enough. Make users aware of the policy through training and keep a record that all users were trained/informed of the policy and repercussions of not adhering to it.

Trusting others

When we receive emails from family, friends and business colleagues we often blindly open them without much concern. Especially if they are contacts we communicate with on a regular basis. However malware can easily be spread through emails by attachment or embedded code and links.

The fix: HTML in emails should be blocked if this is a concern, as should the ability for your users to receive attachments that are scripts or executable files.

Passwords that are easy to guess

Remember when Sarah Palin’s personal email account was breached? It was because her password was easy to guess using information the attacker found on her Wikipedia page. Companies often list information on corporate sites that provide attackers enough information to guess passwords as well.

The fix: Enforce strong passwords or password phrases for all users. Also, make sure that people don’t give up information that may be used to guess their passwords when providing bios.

Ignoring malware protection on the desktop

While scanning all emails for malware needs to be done, the desktop should not be ignored. And all too often it is. Malware definitions are outdated, software is not configured to run properly or protection is completely left to the user.

Even if you have a policy that enforces strong passwords, a keystroke logger can easily give up even the most complex password combination.

The fix: Email administrators should work closely with IT security to make sure that the desktop and network security isn’t lax so passwords are tougher to expose.

Failing to check on backups

Some companies and industries are required, by law, to back up and archive emails for a set period of time. Others are not required to do so. Regardless of the laws, every person and company should be in the practice of backing up emails. Emails often provide important records and information that could be lost.

But what happens if you need to restore your emails and find that something went wrong? Maybe the backup was incorrectly configured or the backup location was insecure. In any event, the inability to restore emails from a backup can render the entire solution useless.

The fix: Frequently test the ability of your backup solution, and staff, to restore emails.

These five tips may seem basic and simple. But that is the point. Working in IT we often gravitate towards the more complex issues and ignore simple techniques and solutions until it is too late. By taking the time to do the little things when it comes to security, we build an even stronger foundation for all the bells, whistles and technologies that really impress us and our bosses.

5 Simple Mistakes When it Comes to Email Security

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Developments in cloud based computing have shown quite a bit of excitement and promise, especially when it comes to small to medium sized businesses. Those who evangelize the cloud will often cite the many benefits of moving to a cloud based email service. The litany of favorable reasons to examine moving email services off site that are oft quoted fall into line with the reasons used to move to any new technology:

• Ease of scalability
• Ease of software updates
• Email access anywhere
• Better disaster recovery
• Ease of implementation
• And of course, reduced costs

So when a vendor, or even someone in your own organization, throw these at management looking to save money and increase productivity then it seems like the question moves from why should we move to the cloud? to why has it taken us so long to move our email to the cloud?

Is it really that easy?

Cloud based email services make a whole lot of sense for many organizations. By doing a bit of research, you are certain to find at least one case study on how moving your email to the cloud helped someone in your specific industry. Yet even with good reasons and plenty of research to support this decision, nothing should be done without considering every angle because over the years if we have learned one thing, when it comes to IT nothing is risk-free.

So what does an interested SMB need to consider when all the arrows point to moving to the cloud? Let’s take a look.

1. Control

When your email resides on servers that are housed at your location, you are responsible for configuring the software, maintaining the hardware, updating and patching the server(s), cooling the room, etc. But you also have complete control over your email and backups. Moving to the cloud means you are giving up control and possibly ownership. This lack of control can lead to real world problems. For instance, if your organization has a one year deletion policy, is your cloud provider able to adhere to that? Conversely, if you have a no delete policy can this be achieved as well?

A rarer occurrence, but one that has much harsher repercussions is the event that an investigation needs to take place. Will emails be available for forensics when needed? If so, will there be any issues with the chain of custody and proving that the investigation was tamper proof?

2. Availability

Unless you have been living under a rock you are well aware of the attacks against Gmail over the recent months. The decision to move email services to a cloud provider should always be based on how well the provider can ensure that mail servers will deliver an acceptable percentage of uptime. Of course it’s one thing to say that you guarantee 99.9999 percent uptime and quite another to deliver so when a cloud provider makes a claim regarding availability, make sure your IT team speaks with the sales engineers, not just the salesperson, to see what exactly is in place to eliminate things like interruptions and denial of service attacks.

3. Security and Spam Protection

One of the biggest draws to the cloud for email is the fact that the provider will take care of security and anti-spam. Again, this is something that you are entrusting to the provider and giving up control over. If you are unhappy with the amount of spam that gets by the filters, or if the false positive rate is higher than an acceptable rate you can’t simply switch to a different solution.

This should be at the forefront of any discussions you have with potential email service providers. Find out what solutions they have in place and research them just as if you were buying the protection for your own servers.

4. Cost

Of course cost is always the number one reason SMBs look to the cloud. It is hard to find anyone who will say that a cloud based solution isn’t less expensive in the long run than running, securing and maintaining your own email servers. However the numbers may not always equal the level of service you expect. Costs may not always be transparent. A cloud provider may charge extra for business grade anti-spam protection. Perimeter security or virus scanning may also require additional costs. Finally, storage is never a one size fits all solution so this will always present itself as a variable.

The cloud is definitely a solution worth looking into for a number of reasons, however as a smart business move it would be equally prudent to look at all of the considerations as well prior to signing any type of contract.

4 Considerations for Cloud Based Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

Malware

According to Secure List malicious files were found in 3.18% of all emails sent during the month of February showing a rise in .43% when compared to January’s numbers of this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day so that equates to almost 10 billion malicious emails sent on a daily basis.

While this doesn’t represent the numbers seen in the early days of commercial email when email messages were the primary methods used to spread malware, it does show that this trend is rising again. And if there is an increase over time then it can only mean that this method of spreading malware must be working on a significant enough level for attackers to use it in such numbers.

As we know, malware can be sent to users as a malicious attachment that infects a computer when the file is opened or through a link that takes the user to a malicious web site when the link is followed. The ten most common malicious programs spread through email are as follows:

1. Trojan-Spy.HTML.Fraud.gen
   This malicious program uses spoofing to trick victims into visiting a fraudulent web page under the premise that the email is coming from a bank, store or financial institution. Once there anyone who enters private account information will most likely fall victim to theft whether it be identity or financial
2. Worm.Win32.Mydoom.m
   Mydoom, once the quickest spreading worm, falls into the number two spot and opens a backdoor that listens on TCP port 1034, which is used primarily by ActiveSync, and will send itself to email addresses it finds on the host using its own STMP engine. This can be used in concert with other malware further infect computers.
3. Worm.Win32.Mabezat.b
   Mabezat was commonly spread through removable drives and network shares but can also be spread through email attachments. Its payload will single out files with certain extensions and encrypt them then demands payment to have the files restored.
4. Trojan-Banker.Win32.Banker.bgsd
   This is a new addition to the Banker family of Trojans that is used to steal financial information such as passwords, usernames and account information by scanning the keylog and sending information it finds back to the attacker.
5. Worm.Win32.Agent.gnd
   According to Microsoft’s security portal, “Malicious files detected as variants of Win32/Agent can have virtually any purpose.” Commonly these are used to terminate security software and open a backdoor on the computer to allow future attacks.
6. Worm.Win32.NetSky.q
   NetSky’s code originally had comments that insulted the authors of the Bagle and Mydoom worms. For those infected, NetSky will email itself as an attachment to email addresses it finds on the host computer and can be used to perform other actions. Most notably, NetSky was used to launch Denial of Service attacks against certain peer to peer file sharing websites.
7. Trojan-Spy.Win32.SpyEyes.ffc
   SpyEyes is another Trojan that in addition to opening a backdoor will steal confidential information by capturing keystrokes and makes use of the form grabbing technique to steal user authentication information. This Trojan also uses a rootkit to help hide any malicious activity from the user.
8. Worm.Win32.Bagle.qt
   Bagle is a mass mailing work that can also be spread through peer to peer networks. It will open a backdoor on the host computer allowing the attacker access and control of the infected machine.
9. Trojan-Ransom.Win32.PornoBlocker.efo
   Like Mabezat, PornoBlocker is another form of ransomware. This malicious program takes control over the victim’s computer and locks the screen to prevent access. The victim is told to send an text message via SMS to a premium number for the code to unlock the desktop.
10. Trojan-Banker.Win32.Banker.bghb
    This is another variant of the Trojan-Banker family and performs the same actions as mentioned earlier under Trojan-Banker.Win32.Banker.bgsd.

While these malicious programs are indicative of the ones most frequently spread over a certain period of time they do provide us with three things of note:

• Email is still a viable method of transporting malware
• Malware spread through email can be used to launch further attacks against an organization’s network through backdoors
• Malware that is used for identity and financial theft can be applied to theft of confidential and proprietary information at a corporate level

As mail administrators, we can expect to see these programs and their continued variants being sent to our addresses and it is up to us to work with our security teams to put effective tools in place to stop them.

10 Most Common Malicious Programs Sent By Email

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators