Preventing Information Leaks with Exchange Server 2010

Written by Paul Cunningham on June 24, 2010 – 3:09 pm

One of the challenges for businesses when they provide email access to their staff is how to let staff use email productively while also managing the risk of information leakage.

Although information leaks can occur over many different mediums, leaks over email remain a serious concern for some businesses.

Fortunately, Exchange Server 2010 includes features to help organizations manage the risk of information leaks via email.

Using Message Classifications

Message classifications provide a mechanism by which end users can classify individual email messages.  These classifications are completely customizable and can be used for just about any purpose, even non-security related ones.

Custom classifications can be created by the email administrators and distributed to end users for use within Outlook.  These could include message classifications such as “Confidential” and “Public” to convey the level of security associated with the email content.

One of two approaches could then be taken to enforce their usage.

  1. Have email messages created with the most confidential classification by default, requiring the end user to deliberately lower the classification to send external emails.
  2. Have email messages created with no classification by default, and require users to choose at least one before sending.

Message classifications can be used in conjunction with Transport Rules for enforcement.  For the two examples above Transport Rules could be created to:

  1. Reject messages sent to external recipients that are classified as “Confidential”
  2. Reject messages that are sent to external recipients with no classification set

Protecting Customer Information

Another use of Transport Rules is to assess emails based on their content.  If certain text patterns are found within an email message, the Transport Rule can reject the message rather than let it be sent to an external recipient.
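As an added example that is not part of Paul's post, here is how the two enforcement approaches above and the content check could be built in the Exchange 2010 Management Shell; the classification names, rule names, reject texts and the ACCT-\d{6} pattern are placeholders of my own choosing.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on an Exchange 2010 server. Names, reject texts and the account-number pattern
# are constructed placeholders; adjust them to the organization's own scheme.

# 1. Create the classifications that users will pick in Outlook.
New-MessageClassification -Name "Confidential" -DisplayName "Confidential" `
    -SenderDescription "Internal only. Rejected if sent outside the organization."
New-MessageClassification -Name "Public" -DisplayName "Public" `
    -SenderDescription "May be sent to external recipients."

# 2a. Approach 1 from the post: reject mail classified Confidential that leaves the org.
New-TransportRule -Name "Block Confidential mail to external recipients" `
    -SentToScope NotInOrganization `
    -HasClassification "Confidential" `
    -RejectMessageReasonText "Messages classified Confidential cannot be sent externally." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 2b. Approach 2 from the post: reject external mail that carries no classification at all.
New-TransportRule -Name "Require a classification on external mail" `
    -SentToScope NotInOrganization `
    -HasNoClassification $true `
    -RejectMessageReasonText "Please classify this message before sending it externally." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 3. Content inspection: reject outbound mail whose subject or body matches a pattern.
#    "ACCT-\d{6}" stands in for a constructed customer account-number format (e.g. ACCT-123456).
New-TransportRule -Name "Block customer account numbers leaving the org" `
    -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns "ACCT-\d{6}" `
    -RejectMessageReasonText "This message appears to contain customer account numbers." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# 4. Produce the Classifications.xml that Outlook needs in order to show the classifications.
#    Export-OutlookClassification.ps1 ships in the Exchange Scripts folder and writes XML to stdout.
Set-Location "$env:ExchangeInstallPath\Scripts"
.\Export-OutlookClassification.ps1 > "C:\Classifications.xml"

# Verify the rules were created and are enabled before testing with a real mailbox.
Get-TransportRule | Where-Object { $_.SentToScope -eq "NotInOrganization" } |
    Format-Table Name, State, Priority -AutoSize
```

Test each rule with a test mailbox before relying on it; a reject rule that misfires on legitimate external mail is noticed by users very quickly.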


Social media security problems

Written by Dan Blacharski on March 15, 2010 – 10:38 am

A Reuters blog today likened social networking to Jurassic Park. While this is probably the first time anybody has connected dinosaur-related themes to Web 3.0 technologies like social networking, in this case it was probably accurate.

The premise of the note was that social media sites are like Michael Crichton’s fictional dinosaur park—really, really cool technology, but not much in the way of security and safety precautions. This is a problem that cannot be ignored any longer. Like the elephant in the room—or in this case, the tyrannosaurus in the room—it’s too big to look the other way, and it’s not going away any time soon. Social media is here to stay, and with something on the order of a third of Internet users taking advantage of it, security managers have to get on with the business of creating a workable policy.

Why should businesses be concerned about social networking sites? It is, after all, something that people play with on their own time (or at least, should play with on their own time), and doesn’t really have anything to do with the business. Or does it? The fact is, social networking is no longer just social. There are two factors at work here that warrant attention. First, on the other side of the office, mostly unbeknownst to the IT and security people, the marketing department is making very good use of social networking as a corporate marketing and communications tool. Companies use Twitter to keep customers and partners apprised of new releases, updates, special promotions and other information. They use LinkedIn to meet other people interested in making deals, and they even use Facebook to make corporate pages meant to drive traffic to the main site. Most corporations now also have blogs, and even interactive forums where customers can participate in discussions with company staff and other customers. Yes, all those things were originally designed “just for fun,” and the creators of these social tools very likely had no idea that their creations would wind up in so many corporate toolboxes. Yet, here they are.


Survey identifies worst password practices

Written by John P Mello Jr on February 9, 2010 – 5:40 pm

20 percent of accounts could be compromised in 5000 attempts.

A recent study of some 32 million pilfered passwords has exposed some revealing lessons on how computer users choose their watchwords.

The analysis, conducted by the Imperva Application Defense Center, discovered that 60 percent of users picked passwords from a limited set of alphanumeric characters. What’s more, 50 percent of the watchwords were names, slang, dictionary words or trivial passwords, such as 123456 or “Password.”

What distinguishes this study from similar research in the past is that, rather than being based on user surveys, this analysis is based on a database of actual user passwords, which were stolen by a hacker and posted to the Internet as plain text.

“The shortness and simplicity of passwords means many users select credentials that will make them susceptible to basic, brute force password attacks,” the researchers wrote in their white paper.

“Ironically,” they added, “the problem has changed very little over the past 20 years. In 1990, a study of Unix password security revealed that password selection is strikingly similar to the 32 million breached passwords.”

When scrutinizing the purloined passwords, the researchers used standards published by NASA for the creation of strong watchwords. Here’s how the words fared against those benchmarks.

NASA recommends that passwords be at least eight characters long. The researchers found that nearly half (49.4 percent) of the filched watchwords contained seven characters or fewer. What’s more, more than 30 percent of them were six characters or fewer. By comparison, more than 28 percent of the passwords in the mix were longer than eight characters.


Protecting the enterprise from mobile devices

Written by John P Mello Jr on February 1, 2010 – 6:30 pm

As often happens with electronics trends, the proliferation of a consumer device soon results in that gadget knocking on the door to the enterprise.  That’s the case with smartphones. The trend started with the Blackberry, was supercharged by the iPhone and will continue to grow with phones running Google’s Android operating system.

What’s worrisome about these devices is that they run applications… far more applications than any IT department could vet for security purposes. Jupiter Research, purchased by Forrester Research in 2008, estimates that by 2014, 20 billion apps will be downloaded annually to smartphones.

That is a nightmare in the making for network administrators, who see legions of unknown programs touching their enterprises. Such apps already exist for the iPhone to directly access enterprise programs like SAP and Oracle. And with more apps on the way, the potential for them to spread malware or facilitate unauthorized access to precious data is a sobering thought for gatekeepers.

One way to get a handle on mobile devices invading an enterprise is to impose tough policies on employee use of their mobiles when performing office tasks. Monitoring policy compliance manually, though, can be an overwhelming task for overtaxed IT departments. There are automated systems for ensuring compliance, but they can be expensive to implement.

There are also some drawbacks to keeping a tight rein on smartphone use. By limiting an employee’s choices on how he or she must work, a policy could adversely impact the worker’s productivity. Then there’s the problem with exceptions to the rule. If someone higher up on the corporate food chain than an IT gatekeeper wants to use a particular application, whether it’s risky or not, an exception to its use will likely be made.


Follow the serial numbers

Written by John P Mello Jr on January 12, 2010 – 5:08 pm

USB devices can be a convenience and a curse.

Devices that plug into the USB ports on a computer are convenient to use, but they can be a security headache, too. What security-conscious system administrator hasn’t contemplated the grim consequences of gigabytes of sensitive data inappropriately stored on a thumb drive walking out the front door of his or her company in the shirt pocket or purse of an employee? What security specialist hasn’t cringed at the thought of a compromised USB device being plugged into his or her network where it can infect the system with a virus, Trojan or worm?

One way to identify problems associated with USB devices is to follow their leavings. Among the leavings left behind by USB devices when they’re attached to a computer running Windows are their serial numbers. Although not all USB devices have serial numbers, most do, and they can be used to perform some basic computer forensics, as Adrian Crenshaw pointed out in a recent posting in his Irongeek.com blog.

For example, if the ownership of a USB drive linked to malicious activity is in dispute, a scan of the suspects’ computers would reveal which one the device had been connected to. Chances are the operator of the computer containing the serial number of the device in its Windows registry will be the culprit in the case.

If the source of a virus is linked to a USB device, comparing the serial numbers of the devices connected to the system at the time the infection began to spread could help identify the compromised hardware and even identify the point of initial infection.
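As an added example that is not part of this post or of Crenshaw's write-up, the script below lists the USB storage serial numbers Windows has recorded under the USBSTOR registry key and flags whether a given serial (the `$suspectSerial` placeholder is a constructed value) has ever been seen on the machine.

```powershell
# Added example, not from the original post. Reads the USB storage history that
# Windows keeps in the registry. Run as an administrator on the machine being examined.
# $suspectSerial is a constructed placeholder; substitute the serial of the drive in question.
$suspectSerial = 'CONSTRUCTED1234567890'

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageHistory {
    Get-ChildItem $usbstor -ErrorAction Stop | ForEach-Object {
        # Key name encodes vendor/product, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $instance = $_.PSChildName
            # When a device reports no serial number, Windows makes up an instance ID
            # whose second character is '&'. Only the other IDs are real serials.
            $hasSerial = ($instance.Length -gt 1) -and ($instance[1] -ne '&')
            $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Device       = $device
                InstanceId   = $instance
                SerialNumber = if ($hasSerial) { $instance.Split('&')[0] } else { $null }
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

$history = Get-UsbStorageHistory
$history | Format-Table Device, SerialNumber, FriendlyName -AutoSize

# The ownership check described in the post: has this serial ever been attached here?
$match = $history | Where-Object { $_.SerialNumber -eq $suspectSerial }
if ($match) {
    Write-Output "Serial $suspectSerial HAS been connected to $env:COMPUTERNAME."
} else {
    Write-Output "Serial $suspectSerial not found on $env:COMPUTERNAME."
}
```

The registry records only that a device was connected at some point; pair it with setupapi logs or event logs if the time of first connection matters, as it does in the virus-tracing case above.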


Christmas Checklist for Email Admins

Written by Paul Cunningham on December 24, 2009 – 3:59 pm

The end of the year is upon us, and for most of us this means time off from work to celebrate Christmas with our families and take a much needed break.  But before we shut down our computer and head out the door there are a few extra things that email admins need to think about.

Patches and Security Updates

Just before an extended break is a good time to double-check that your email servers are up to date with the latest security updates.

This includes updates for the server operating system, the email server application, and any other components on the servers such as backup agents, faxing software, and antivirus agents.

Even if your patching is automated it might pay to manually apply the latest updates now so that any problems that arise can be dealt with while you are still at the office.  You don’t want to get a phone call while you’re relaxing because the server was knocked offline by an automated update.

Backups

A lot of businesses use the end of the year to take a full backup of systems to store as a long term archive.  This is best performed while you are still available to assist with any issues and make sure that the backup is 100% successful and can be relied upon later for recovery if necessary.

At the same time some businesses halt their backups over the holidays if no staff will be present to change backup tapes.  For Exchange servers it is important to ensure that enough transaction log space is available for the server to run without backups for a week or more.

Support Calls

Nothing is worse than getting phone calls on your holiday for simple questions or problems.  If the business is still operating over the Christmas period and you might get phone calls from the Help Desk or on-call staff, then you can save yourself from being bothered by putting the right documentation and systems in place.


Security skeptics less skeptical about iPhone

Written by John P Mello Jr on December 22, 2009 – 3:56 pm

Better security is changing iPhone's image in IT departments.

While the iPhone’s “cool factor” has made it a hit among status-conscious corporate executives, the handset has been greeted with skepticism from the rank and file in the IT trenches. From their point of view, competing products like Research in Motion’s Blackberry and smartphones built on Microsoft’s Windows Mobile platform offer better security for their organizations. With the introduction of the latest version of the iPhone’s operating system, version 3.0, and iPhone Configuration Utility, version 2.0, IT resistance to letting Apple’s handset into the corporate tent seems to be weakening.

What has bugged IT folks in the past about the iPhone? For one thing, user profiles can’t be managed over the air as they can with a Blackberry and Blackberry Enterprise Server or Motorola’s Good for Enterprise servers. Another irritant is that there’s no way to ensure that corporate policies on email, encryption, etc. have been installed or updated on the phones. What’s more, it’s difficult to preconfigure the units with settings for email, VPN access and such.

Apple’s update of the iPhone’s configuration utility, which gives network administrators a rich set of policy controls, has addressed some of those concerns and may be why IT doubters are relenting on their staunch opposition to the hardware.

For example, password entry into a phone can be required. The composition of the password, when passwords should be changed, rules on reuse of passwords and the number of failed password attempts before a phone automatically wipes out all the data on it can all be controlled by an IT department.

Specific content can be blocked on the phones, although that’s not true for specific applications. A workaround for that situation is to install all necessary apps when the phone is issued, then turn off the ability to install any more programs. The problem with that approach, however, is a user won’t be able to upgrade the existing apps on the phone.


Fake security update targets Windows users

Written by John P Mello Jr on December 14, 2009 – 4:18 pm

A Microsoft branded bulletin is offering bogus security updates.

A bane of Microsoft Windows users is the constant patching of the operating system to deal with security vulnerabilities. These frequent events are irritating not only because they disrupt productivity, since they often require a system reboot after they’re installed, but also because a user never knows how Windows will perform after it’s patched.

More often than not, a patch won’t disrupt the operation of a system, but once users have been burned by one of these updates, they’re forever on tenterhooks when they install them. A case in point: the recent flap over the “black screen of death” falsely attributed to November’s “Patch Tuesday.” Although reports of the glitch were incorrect, they were given immediate credibility because many Windows users have experienced behavioral problems after installing patches in the past, so it was perfectly believable that the latest patches might have created unforeseen headaches for users.


SSL VPN vulnerability

Written by Dan Blacharski on December 9, 2009 – 5:39 pm

US-CERT has issued a vulnerability note that should worry anybody who relies on SSL VPN products to establish secure web sessions. SSL VPN is a very common method of establishing a secure connection between two remote sites over an Internet connection, where the user connects only through a standard web browser, without the need for any client software. It’s gained popularity because of its simplicity, and because of its clientless nature, it allows for easy, anywhere connectivity. It is commonly used in Internet commerce, and sometimes in cloud-based or remote email.

According to CERT, though, many of the commercially available SSL VPN products bypass the security that exists in the web browser, and this could create a security problem. The problem revolves around the “same origin” policy enforced by standard web browsers, which prohibits active content from accessing data from an external site. However, some of the SSL VPN products take content from multiple sites, then present it as coming from the SSL VPN itself by rewriting the URLs of the pages they proxy, so the browser sees a single origin. It would be possible, for example, for an attacker to lure a user to a rogue web page, gain access to the VPN session token, and alter content. It would be possible for such an attacker to, for example, use that malicious web page to launch an attack that could capture keystrokes from remote users.

The vulnerability is mostly theoretical, and whether you are vulnerable really depends on how you’ve configured your SSL VPN. It’s important not to take the SSL VPN warning as an indication that you shouldn’t use SSL VPN–such an indication would be unnecessary, and would have a dramatic impact on e-commerce as we know it.

According to CERT, there is no immediate solution to the problem, but there are three workarounds: (1) limit URL rewriting to trusted domains, (2) limit VPN server network connectivity to trusted domains, and (3) disable URL hiding features. For limiting URL rewriting to trusted domains, most firewalls will allow policy rules to be set to accommodate this need, so the VPN can only access specific domains.


Security tempers zeal for cloud computing

Written by John P Mello Jr on December 4, 2009 – 3:48 pm

Security is major barrier to adoption of cloud computing.

Security is playing a key role in the willingness of organizations to adopt cloud computing solutions, according to a study recently released by Launchpad Europe, a business accelerator outfit based in London.

The study, based on a survey of 105 IT security experts across the globe, found that more than 50 percent of them identified security concerns as the primary reason their organizations were shying away from embracing the cloud.

Asked what their highest priority was when considering a cloud services provider, 37.9 percent cited security of the cloud infrastructure. Another 12.6 percent identified security procedures to protect their data centers as their highest concern.

The data collected by the researchers also suggests there is considerable doubt about whether those security worries can be met by a cloud vendor. Some 49.5 percent of the respondents told the pollsters their companies neither use nor plan to use the cloud in the next 12 months.

Other significant items cited by the survey respondents when choosing a cloud vendor were the due diligence and track record of the service provider (18.4 percent) and the ease of migrating data from the vendor’s service to a new service.

Among the companies participating in the survey who do have cloud deployments, 16.5 percent said they used public deployments; 16.5 percent, private deployments; 10.7 percent, hybrid; and 6.8 percent managed.
