<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; security</title>
	<atom:link href="http://www.theemailadmin.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Microsoft&#8217;s Trustworthy Computing  Program Turns 10</title>
		<link>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/</link>
		<comments>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/#comments</comments>
		<pubDate>Fri, 20 Jan 2012 14:00:56 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[trustworthy computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5258</guid>
		<description><![CDATA[For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security. On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of [...]<p><a href="http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/">Microsoft&#8217;s Trustworthy Computing  Program Turns 10</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5271" class="wp-caption alignright" style="width: 310px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI164-bill_gates.jpeg"><img class="size-medium wp-image-5271" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI164-bill_gates-300x300.jpg" alt="" width="300" height="300" /></a><p class="wp-caption-text">Gates: Momentous security memo</p></div>
<p>For computer security experts, January 15 marked the anniversary of a red letter day. It was the 10th anniversary of the day that Microsoft decided to get serious about security.</p>
<p>On that day in 2002, a memo from Bill Gates to Microsoft employees declared the company would be entering a new era, an era of &#8220;Trustworthy Computing.&#8221;</p>
<blockquote><p>&#8220;In the past,&#8221; <a target="_blank" href="http://www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx" onclick="pageTracker._trackPageview('/outgoing/www.microsoft.com/Presspass/Features/2012/jan12/GatesMemo.mspx?referer=');">Gates wrote</a>, &#8220;we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software.&#8221;</p>
<p>&#8220;So now,&#8221; he continued, &#8220;when we face a choice between adding features and resolving security issues, we need to choose security.&#8221;<span id="more-5258"></span></p></blockquote>
<p>Gates&#8217; commitment to security came when the Windows world was reeling from two monster malware attacks from the previous year: Code Red and Nimda. Code Red exploited buffer overflows to attack Internet Information Services (IIS) running under Windows Server. It infected an estimated 300,000 PCs.</p>
<p>Unlike Code Red, Nimda was a worm that used multiple attack vectors to rapidly infect computers connected to the Internet. The technique was extremely effective and within 22 minutes of its release on September 18, 2012, it became the most widespread malware in the world.</p>
<p>It&#8217;s with that backdrop that Gates emailed his memo to his employees. One group of workers was particularly glad to see their boss&#8217;s missive: the company&#8217;s malware fighters.</p>
<blockquote><p>&#8220;It’s not an understatement that the memo felt, to me, like the arrival of Gandalf and Eomer at Helm’s Deep in the film <em>The Lord of the Rings: The Two Towers</em> at a moment of great despair; at last we were getting some relief and might survive,&#8221; Christopher Budd, who worked on security issues for 10 years at Microsoft, <a target="_blank" href="http://betanews.com/2012/01/16/10-years-after-bill-gates-trustworthy-computing-memo-what-it-meant-for-microsoft-and-why-every-tech-company-needs-one/" onclick="pageTracker._trackPageview('/outgoing/betanews.com/2012/01/16/10-years-after-bill-gates-trustworthy-computing-memo-what-it-meant-for-microsoft-and-why-every-tech-company-needs-one/?referer=');">wrote in Betanews</a>.</p></blockquote>
<blockquote><p>&#8220;In a single movement, Gates enshrined security, privacy and reliability as central, aspirational ideals,&#8221; Budd observed. &#8220;Like all ideals, there have been better and worse times in realizing them, but their central importance was never open to question. That memo eliminated the resistance that made our work so hard and gave us the power to do the right thing for customers.&#8221;</p></blockquote>
<p>Budd asserted that the memo gave the security and privacy factions in the company the power to stand toe-to-toe with those primarily concerned with revenue and growth. He wrote:</p>
<blockquote><p>&#8220;In a way, it represents a statement of conscience for the company and we used it as such, with success.&#8221;</p></blockquote>
<p>Since the memo was issued, Microsoft has made security an important part of its product development cycle. That&#8217;s led to security features like library randomization and BitLocker drive encryption in Windows 7 and Secure Boot, a way in Windows 8 to foil BIOS attacks. It has made Windows Server IIS as secure as its open source competitor, Apache, too.</p>
<p>It has also lifted Microsoft&#8217;s browser, Internet Explorer, from a security nightmare to one of the most secure ways to surf the Web today. A 2010 report from independent software tester NSS Labs found:</p>
<blockquote><p>&#8220;Internet Explorer 9 was by far the best at protecting users against socially-engineered malware.&#8221;</p></blockquote>
<p>Unfortunately, it&#8217;s hard to change a bad security reputation forged over many years and IE&#8217;s user share has fallen from its once dominant position of more than 90 percent to under 50 percent of all users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/microsofts-trustworthy-computing-program-turns-10/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Windows 8 Offers New Password Features</title>
		<link>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/</link>
		<comments>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 14:00:12 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Windows 8]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5200</guid>
		<description><![CDATA[Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way. Everyone has dozens of accounts they need for which [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5239" class="wp-caption alignright" style="width: 285px"><a href="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg"><img class="size-full wp-image-5239 " style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2012/01/GFI-62-photo-touch.jpg" alt="" width="275" height="275" /></a><p class="wp-caption-text">Gestures can replace passwords in Windows 8.</p></div>
<p>Why it has taken Microsoft so long to make password security more than an afterthought when it introduces a new operating system is anybody&#8217;s guess. Nevertheless, with Windows 8 it is making an effort to help users manage their passwords in an efficient and secure way.</p>
<p>Everyone has dozens of accounts for which they need to memorize passwords. Most people, though, only commit a few passwords to memory and just reuse them over and over again. A study in 2007, for example, found that the average Internet user had 25 accounts that required password access, but they only used six passwords to access their accounts.</p>
<p>Security pros decry the multiple use of passwords but there are plenty of sites on the web where if your password fell into the wrong hands, the consequences would be trivial. Reusing passwords for those sites should be acceptable. There are sites where unique passwords are a must, though, such as banking or credit card payment sites.<span id="more-5200"></span></p>
<p>With Windows 8, Microsoft is addressing several nettlesome issues that discourage people from creating and using strong passwords. In the upcoming version of Windows, user names and passwords are stored in a secure location called the Credential Password Vault.</p>
<p>The latest version of Microsoft&#8217;s web browser, Internet Explorer 10, is designed to automatically access the Vault for your credential information, but other browsers and applications will eventually be able to access the area, too.</p>
<p>What&#8217;s more, if you have or obtain a Windows Live ID, you&#8217;ll be able to synchronize the Vaults across all your devices. Not only does that remove the annoying situation of trying to remember credentials for a site when you&#8217;re away from the device where you created those credentials, but it can provide a safety net should the password information on any one device be corrupted.</p>
<p>Synchronization appears to be pretty robust too. Microsoft says it can take place behind a firewall. However, websites can block the storage of credentials used to access them. Some banks do that. In that case, synchronization will not work because your credentials won&#8217;t be stored in your Vault.</p>
<p>Another intriguing aspect of the Credential Password Vault is that it can also store security keys. Typically, those keys involve the use of hardware tokens to authenticate a person&#8217;s identity. The Vault, however, is designed to work with something called the Trusted Platform Module, which is being incorporated into more and more computers these days. The Vault and the Module, which acts as a virtual security token, can team up to perform the same function as a token-based key pair system.</p>
<p>For tablets or computers with touchscreens, Windows 8 has an even neater password option. It allows you to take a photo of your choice and use it to access your slate by performing a series of gestures on it.</p>
<p>Although some security experts are skeptical of the method, and even Microsoft acknowledges that <a target="_blank" href="http://arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars" onclick="pageTracker._trackPageview('/outgoing/arstechnica.com/business/news/2011/12/windows-8-picture-login-dont-let-smudges-reveal-your-password.ars?referer=');">smudges on a screen could compromise the gesture password</a>, the approach has the potential to be more secure than ordinary password schemes. Microsoft estimates that there are 398 trillion five-gesture combinations that could be applied to a photo, compared to 182 million combinations for a five-character password and nine trillion combinations for an eight-character one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/windows-8-offers-new-password-features/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>What Should Be in Your BYOD Policy?</title>
		<link>http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/</link>
		<comments>http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/#comments</comments>
		<pubDate>Fri, 06 Jan 2012 14:00:08 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[email administration]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5183</guid>
		<description><![CDATA[More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers. As much as some administrators would like to block the use of personal devices in the workplace, that&#8217;s unlikely to happen for a number of [...]
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_5189" class="wp-caption alignright" style="width: 310px"><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI161-BYOD.jpg"><img class="size-medium wp-image-5189 " style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI161-BYOD-300x225.jpg" alt="" width="300" height="225" /></a><p class="wp-caption-text">BYOD can give administrators a headache.</p></div>
<p>More and more organizations are finding their employees using personal devices to access company data. Without some measure of control, those workers can create serious security problems for their employers.</p>
<p>As much as some administrators would like to block the use of personal devices in the workplace, that&#8217;s unlikely to happen for a number of reasons. For example, many employees are already using their own devices at work, as a recent survey by IDC shows. That poll found that 95 percent of workers use one personally purchased device on the job.<span id="more-5183"></span></p>
<p>In addition, businesses are demanding more and more productivity from their workers, and that&#8217;s what they can get by allowing employees to use their own gadgets for work. One study by iPass, for instance, showed that employees using personal devices worked 240 more hours a year.</p>
<p>Not many companies would want to part with that kind of productivity, and they&#8217;re not going to, according to a Gartner analysis. Instead, that report noted, corporations will be embracing the practice by placing their apps on their workers&#8217; devices. In fact, by 2014 Gartner predicts that 90 percent of all employee-owned devices will have corporate apps running on them.</p>
<p>Other cultural and technology trends are also making opposition to Bring Your Own Device futile. Hardware makers are finding they need to produce products with a consumer bent if they want to stay in business.</p>
<p>Virtualization and cloud computing encourage access to corporate technology resources whenever workers want to access them and with whatever they want to access them with.</p>
<p>Meanwhile, as the line between work and non-work becomes more and more obscure, the case for creating a clear line of demarcation between work and home devices becomes weaker and weaker.</p>
<p>To address issues created by the use of personal devices in the workplace, companies have begun to adopt BYOD policies. Before adopting such a policy, here are some questions an organization might want to consider.</p>
<ul>
<li>Should data be classified to determine what can and can&#8217;t be downloaded by personal devices?</li>
<li>What happens to company data on a personal device when an employee leaves the company?</li>
<li>What happens if a personal device is lost or stolen?</li>
<li>Do personal devices need to be configured in any special way?</li>
<li>How can an acceptable password policy be implemented on a personal device?</li>
<li>What forms of encryption should be acceptable?</li>
<li>What personal devices are acceptable for use with corporate resources?</li>
<li>Should employees be allowed to jailbreak or root their devices, given that doing so may make the device more susceptible to security risks?</li>
<li>Should employees be required to sign the BYOD policy before they&#8217;re granted access to the company&#8217;s network?</li>
</ul>
<p>Some of those questions were considered by Unisys when it formulated its BYOD policy. Among the requirements of that policy is that Unisys has the right to confiscate a device if it&#8217;s needed for litigation purposes.</p>
<p>That policy requires employees to accept a digital certificate to be installed on their personal device. It authenticates the device to Unisys&#8217;s systems, and it allows the company to analyze access behavior. Knowledge of that behavior can be used to identify abuse of access privileges.</p>
<p>The certificate gives an employee access to email and calendar functions on the system. Access to other functions can require additional authentication.</p>
<p>Another requirement of the policy, and one most administrators will find desirable, is the installation of a program on the device that enables all data to be remotely wiped on a unit that is lost or stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2012/01/what-should-be-in-your-byod-policy/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Microsoft Releases Critical, Out Of Band Update</title>
		<link>http://www.theemailadmin.com/2011/12/microsoft-releases-critical-out-of-band-update/</link>
		<comments>http://www.theemailadmin.com/2011/12/microsoft-releases-critical-out-of-band-update/#comments</comments>
		<pubDate>Fri, 30 Dec 2011 21:41:23 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[Exchange 2007]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[Microsoft Outlook]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5171</guid>
		<description><![CDATA[Users of practically every supported version of Windows, whether desktop or server, 32 bit or 64 bit, and even the low attack surface Windows Server Core should immediately review Microsoft Security Bulletin MS11-100 and begin testing and deployment of this patch as soon as possible. The patch, covered in KB2638420 addresses four vulnerabilities in the [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2011/12/MicrosoftLogo.jpg"><img class="size-full wp-image-5193 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="MicrosoftLogo" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/MicrosoftLogo.jpg" alt="" width="216" height="215" /></a>Users of practically every supported version of Windows, whether desktop or server, 32 bit or 64 bit, and even the low attack surface Windows Server Core, should immediately review <a href="http://technet.microsoft.com/en-us/security/bulletin/ms11-100" onclick="pageTracker._trackPageview('/outgoing/technet.microsoft.com/en-us/security/bulletin/ms11-100?referer=');">Microsoft Security Bulletin MS11-100</a> and begin testing and deployment of this patch as soon as possible. The patch, covered in <a target="_blank" href="http://support.microsoft.com/kb/2638420" onclick="pageTracker._trackPageview('/outgoing/support.microsoft.com/kb/2638420?referer=');">KB2638420</a>, addresses four vulnerabilities in the Microsoft .NET Framework, including 1.1 SP1, 2.0 SP2, 3.5 SP1, 3.5.1, and 4. Three of the four were privately reported, while the last one has been publicly disclosed.<span id="more-5171"></span></p>
<p>In a worst-case scenario, an unauthenticated attacker could send a specially crafted request to an unpatched server and gain elevated privileges, which could then be used to execute code remotely on the impacted server. Exploiting this vulnerability requires that the attacker be able to register an account on an ASP.NET site and know an existing username. Of course, when so few follow recommended practices and rename the Administrator account, or use common accounts like Admin, Guest, etc., this doesn’t present too high a bar for any site that allows user registrations.</p>
<p>In all, four separate CVEs are addressed by this update, including:</p>
<ol>
<li>Collisions in HashTable May Cause DoS Vulnerability &#8211; CVE-2011-3414</li>
<li>Insecure Redirect in .NET Form Authentication Vulnerability &#8211; CVE-2011-3415</li>
<li>ASP.Net Forms Authentication Bypass Vulnerability &#8211; CVE-2011-3416</li>
<li>ASP.NET Forms Authentication Ticket Caching Vulnerability &#8211; CVE-2011-3417</li>
</ol>
<p>KB2638420 replaces several earlier patches that were released to address some of these vulnerabilities. The first, involving collisions in HashTable, can lead to a denial of service, which can be just as significant an impact to users as any other kind of attack. Exchange admins running Edge Transport Servers and/or Client Access Servers exposed to the Internet should be aware of this and deploy this security patch as soon as possible. All Exchange server roles require the .NET Framework 3.5 SP1 and are therefore vulnerable, so all Hub Transport, Unified Messaging, and Mailbox servers should also be patched.</p>
<p>As with all patches, you should test this in your lab environment before deploying to production, and follow your appropriate change control processes, but that does not mean you should wait until after the New Year to start evaluating this patch. Microsoft released it out of band (instead of waiting for the normal Patch Tuesday in January) because it addresses a publicly disclosed vulnerability and because the combined impact, should a server be successfully exploited, is so critical. When patching Exchange, apply this patch to your server roles in the following order:</p>
<ol>
<li>Edge Transport</li>
<li>Client Access</li>
<li>Hub Transport</li>
<li>Mailbox</li>
<li>Unified Messaging.</li>
</ol>
<div>This not only follows recommended practices, it also gets the servers at most risk (those exposed to the Internet) patched first.</div>
<div>It’s going to be a challenge for organizations to address this at this particular time of year, with time off scheduled, and change lockout windows in place, but this is one of those times where extraordinary efforts are worth it.</div>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/microsoft-releases-critical-out-of-band-update/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Santa Checks His List; Everyone Else Their Email</title>
		<link>http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/</link>
		<comments>http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/#comments</comments>
		<pubDate>Fri, 23 Dec 2011 14:00:28 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5111</guid>
		<description><![CDATA[Despite the claims of one CEO of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season. In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI159-santa.gif"><img class="alignright size-medium wp-image-5118" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/GFI159-santa-300x238.gif" alt="" width="300" height="238" /></a>Despite the <a href="http://www.theemailadmin.com/2011/12/no-email-at-work-inconceivable/">claims of one CEO</a> of a major global high tech company, many workers believe their internal email is important enough to scrutinize when they should be kicking back and being jolly during the holiday season.</p>
<p>In a poll of some 1000 people with full-time jobs in the United Kingdom, surveyors found that nearly half of the workers (46 percent) intend to check their office email either frequently (15 percent) or intermittently (31 percent) during yuletide. About a third of the sample (34 percent) said they&#8217;d totally resist the temptation to check their email during their stay at home during the festive period.<span id="more-5111"></span></p>
<p>Younger workers (18-24 year olds) were more likely to check their email during the holidays than older ones (50 years old or older), according to the survey conducted by OnePoll and sponsored by SecurEnvoy, a firm specializing in two-factor authentication without tokens.</p>
<p>While 21 percent of the respondents said that there was no expectation or compulsion by their employers to have them check emails while at home, 20 percent felt they&#8217;d be at a competitive disadvantage at the office if they failed to do so. Nevertheless, nearly half (46 percent) of the respondents told the pollsters that if they were contacted by their employer during the holidays, they&#8217;d be &#8220;very angry&#8221; (28 percent) or &#8220;really annoyed&#8221; (18 percent).</p>
<p>No doubt, along with any office nuggets in their inboxes, employees will find one of these scams making the rounds right now:</p>
<ul>
<li>Offers for free screen savers never seem to lose their appeal to scammers or their allure to victims, who want to give their computer displays a festive look during the holidays.</li>
<li>Gift cards have become popular with gift givers, as well as with Net grifters. Typically, they&#8217;ll offer a gift card from a popular store at a discount. That&#8217;s because the card has been stolen or is bogus. Gift cards are best purchased directly from the store that issues them.</li>
<li>An assortment of deals, special offers and discounts tied to the season. While these may have the appearance of legitimacy—scammers have become very adept at mimicking the official mail of banks, retailers and such—these missives usually contain malicious links aimed at conning personal information from a target or infecting their computer or smartphone with malware.</li>
</ul>
<p>While many workers are thinking of checking email during the holiday out of a concern, either real or imagined, for keeping their jobs, few are thinking about protecting themselves or their companies from cyber criminals. Nearly half (46 percent) of the survey sample polled by OnePoll admitted that they don&#8217;t use any kind of security on their mobile phones, not even a simple personal identification number (PIN), even though they acknowledged that they&#8217;d be reading emails on them that could include sensitive information and unencrypted documents.</p>
<blockquote><p>“If you’re accessing the corporate network to retrieve emails, using a password or hardware token that’s left next to your PC just isn’t adequate,&#8221; warned SecurEnvoy CTO Andy Kemshall. &#8220;Should Santa, his elves or someone a little more sinister drop by and liberate you of your token or copy your password, they could be stealing vast amounts of critical company data.&#8221;</p></blockquote>
<p>Cell phones can be a great alternative to passwords and custom tokens for accessing corporate systems because, unlike custom tokens, most people always keep their phones with them and are diligent about keeping tabs on them. They&#8217;re an even better alternative if access to them is protected by a PIN or password.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/santa-checks-his-list-everyone-else-their-email/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Lessons Learned from the Loggly Outage</title>
		<link>http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/</link>
		<comments>http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/#comments</comments>
		<pubDate>Thu, 22 Dec 2011 14:00:03 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5123</guid>
		<description><![CDATA[For those of you who haven’t heard of Loggly, Loggly is a cloud-based service for complete application intelligence for app developers. Loggly uses log data to collect, analyze, troubleshoot and monitor your applications. They are a heavy user of Amazon’s Web Service hosting, and recently experienced a truly stellar outage of massive proportions. You can [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2011/12/doh.jpg"><img class="alignright size-full wp-image-5124" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/doh.jpg" alt="" width="226" height="223" /></a>For those of you who haven’t heard of Loggly, Loggly is a cloud-based service for complete application intelligence for app developers. Loggly uses log data to collect, analyze, troubleshoot and monitor your applications. They are a heavy user of Amazon’s Web Service hosting, and recently experienced a truly stellar outage of massive proportions. You can read about that in a Loggly blog post <a href="http://loggly.com/blog/2011/12/logglys-outage-for-december-19th/" onclick="pageTracker._trackPageview('/outgoing/loggly.com/blog/2011/12/logglys-outage-for-december-19th/?referer=');">here</a>, which I encourage you to do. However, I am not here to talk about lessons learned about hosting and availability, and putting eggs in consolidated baskets. Nor am I planning to talk about on-premises versus hosted, and the perceived dangers of <em>the cloud.</em> It’s what happened to Loggly and how they remained unaware of the impending freight train heading their way that I want to discuss, because there are some great lessons to learn from that little subset of their blog post.<span id="more-5123"></span></p>
<p>Here’s the bit that prompted this post:</p>
<blockquote><p>Originally we stated we had not received reboot notices from Amazon, but the truth is that (4) of the staff here, myself included, received two separate vague notices, one from about 10 days ago, and another from 3 days ago, which stated &#8216;some or all&#8217; of our instances were scheduled to be rebooted.  These notices were found in our spam folders on Gmail, placed there with a very large red notice reading: &#8220;Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information.&#8221;</p></blockquote>
<p>In summary, AWS did send notice in advance, but those notices went unread. One of my favourite John Wayne movies is “<a target="_blank" href="http://www.imdb.com/title/tt0066831/" onclick="pageTracker._trackPageview('/outgoing/www.imdb.com/title/tt0066831/?referer=');">Big Jake</a>” and one of my favourite quotes comes from that movie. It is quite appropriate here, if somewhat shortened for context.</p>
<blockquote><p>Anything goes wrong, anything at all…your fault, my fault, nobody’s fault…it won’t matter</p></blockquote>
<p>And the fact is that it won’t matter at all that AWS notifications to Loggly got flagged as spam and therefore filed in the next best thing to the bit bucket. It doesn’t matter that Loggly is using Gmail, which strikes me as somewhat strange for a business, though perhaps they meant Gmail for Domains. It also doesn’t matter at all that whatever AWS sent in those email notifications caused some spam filter somewhere to flag the messages as spam and, even worse, as potential phishing messages. What matters is that notices of the reboots were sent, they weren’t read, and a full outage resulted. Oops.</p>
<p>So here’s where I think the fix lies. With Amazon. NOT THE BLAME, just the fix, and this is the lesson I want us all to take away from what happened to Loggly and with the perspective that as a service provider, we should do better for our customers.</p>
<ol>
<li>Establish a single email address to send out service notifications from.</li>
<li>Ensure it is monitored and checked regularly for replies, NDRs, etc.</li>
<li>Encourage customers to use a distribution list (D/L) for our notifications, which helps ensure key personnel within our customers’ orgs receive all notifications.</li>
<li>Monitor the popular DNSBL services to make sure we’re not listed by mistake.</li>
<li>Follow up on any NDRs to make sure customers are able to receive notifications.</li>
<li>Test that by making new customers receive and acknowledge they have received a test notification email.</li>
<li>Make sure that the email address is properly formatted and from your domain.</li>
<li>Use valid SPF and DKIM and ensure that alert emails are sent from a compliant system.</li>
<li>PGP or GPG sign all messages sent from this account to provide further authenticity.</li>
<li>Keep links and additional content that could be misinterpreted as spam to a minimum.<br />
Okay, the above make a lot of sense, and are probably already being done by most of you, but here’s where we as service providers should take things to the next level.</li>
<li>Maintain an email account on the popular services (Hotmail, Gmail, Yahoo, AOL, etc.) and send notifications to those accounts regularly to test for deliverability.</li>
</ol>
<p>That last step is where I think Amazon should take a closer look, and any of us who are service providers should too. I like Gmail, and I trust Gmail, and if they find something in an email that makes them flag it as a phishing message (indicated by the Loggly blog post when they copied the &#8220;Warning: This message may not be from whom it claims to be. Beware of following any links in it or of providing the sender with any personal information&#8221;) then there is something in that email that set off all the alarms, failed the sniff tests, and was probably just a bad idea not really adding any value to the notification. Maybe the source address was different from the reply-to (and in a different domain) or maybe the notification had links to a number of obfuscated URLs. Whatever the reason is, if I had seen a message in my spam folder that was flagged like that, I would have ignored it too.</p>
<p>When we, as service providers, need to notify our users of important things, like maintenance windows, changes to our terms of service, our outages, we need to make darn sure that users get them.</p>
<p>What about you? Have you ever missed a key notification because it fell victim to a false positive, or do you have any better ways to keep communications open with your customers?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/lessons-learned-from-the-loggly-outage/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Yes, My Email Account Was Compromised</title>
		<link>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/</link>
		<comments>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/#comments</comments>
		<pubDate>Wed, 21 Dec 2011 14:00:26 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email account hacked]]></category>
		<category><![CDATA[Email address]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[Mail]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[MSN]]></category>
		<category><![CDATA[Password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[User (computing)]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5106</guid>
		<description><![CDATA[This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday. I was lucky that I did check it. The [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg"><img class="alignright size-full wp-image-5107" src="http://www.theemailadmin.com/wp-content/uploads/2011/12/email-accounts-hacked.jpg" alt="" width="281" height="210" /></a>This morning I noticed the flashing red light on my Blackberry alerting me to a new message. Since this device is connected to my work email account, I decided to give it a look to see what was so important that it couldn’t wait until Monday.</p>
<p>I was lucky that I did check it. The new message was actually from my personal email account and the contents of the message contained only one link and other people were also sent the same message.</p>
<p>I realized immediately that my personal email account was sending spam. I was upset with this because working with email and security, I write and train others on best practices. Not only this, but I follow them as well. I make sure that:<span id="more-5106"></span></p>
<ul>
<li>I use strong passwords and phrases</li>
<li>I change my passwords frequently</li>
<li>I don’t use the same password over and over</li>
<li>I update my anti-malware software regularly</li>
<li>I run anti-malware scans regularly (ironically, I had just run a scan the day before)</li>
<li>I am careful about what sites I visit</li>
<li>I am careful about clicking links in emails</li>
<li>I am careful about what I download, even checking the MD5 hashes when available.</li>
</ul>
<p>However, after I realized what had happened, I didn’t make the classic mistake of denial that this could happen to me. After all, people much smarter than me have had their systems compromised. Driven by a classic saying in computer security, “The only way to ensure that a computer is 100% secure is to unplug it from everything and seal it up in a box,” I moved ahead with fixing the problem.</p>
<h2>Steps taken</h2>
<p>When I opened up my personal email account there were over 100 mail delivery subsystem errors and Out of Office replies waiting for me.</p>
<p>At first I thought that my email address had possibly been spoofed. After all, most of the sites I write for include it as a way to contact me so I am sure it comes up quite often when people are mining the Internet for email addresses.</p>
<p>However, looking at a few of these messages, I noticed that the spam messages were being sent to every address that I had ever sent an email to, not just my contacts. What this said is that:</p>
<p>A) My email address had not been spoofed.</p>
<p>B) It wasn’t malware that was abusing my contact list. This was the result of my account credentials being compromised.</p>
<p>It may appear that the first step anyone should take in this situation is to change the password immediately. Not entirely true.</p>
<p>Most passwords are captured from a keystroke logger installed on your computer. If you go ahead and change your password, you are simply letting the attacker know what your new one is.</p>
<p>Instead, I went ahead and attempted to update all of my anti-malware definitions. Since I had just run a scan the day before, there was nothing to update. The next step was to run all of these scans again.</p>
<p>The three scans from Malwarebytes Anti-Malware, TDSSKiller Antirootkit utility and Ad-Aware all came up clean so I went ahead and changed the password on my account. Even after I changed the password, more delivery error messages came up but looking at the headers, these were delayed as the original message sent from my account occurred between 6:48 AM and 6:54 AM so everything looked clean.</p>
<h2>Digging deeper</h2>
<p>Once I was sure that everything was cleaned up, curiosity got the better of me and I decided to look a bit deeper into the emails that were being sent out from my address.</p>
<p>To make sure I didn’t infect my computer once again, I created a virtual machine and loaded it up with my three favorite anti-malware tools and ran a scan using each just to ensure the new “computer” was clean.</p>
<p>Then I clicked on the link just to see where it went. Of course, the link was spoofed and redirected to cretep.ru registered out of Russia advertising for an herbal Viagra clone, Viagrow. Of course, by their claims it had been featured in Men’s Health, Maxim, MSN, Esquire and other media outlets.</p>
<p>After closing out the site, I fired up all of the anti-malware software to see what really happened when I visited this site. The first scan found two installations of PUP.FunWebProducts and one installation of Adware.MyWebSearch.</p>
<p>Even as the so-called experts when it comes to email, we have to realize that as threats escalate in sophistication we too are vulnerable. Following the best practices and taking the proper measures to secure our email accounts certainly help, but there is no way that any of us can assume that our accounts are 100% safe.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/12/yes-my-email-account-was-compromised/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Google States What Needs To Be Said</title>
		<link>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/</link>
		<comments>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/#comments</comments>
		<pubDate>Wed, 30 Nov 2011 16:00:23 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=5009</guid>
		<description><![CDATA[How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/largeNewGoogleLogoFinalFlat-a.png"><img class="size-medium wp-image-5026 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="Google-logo" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/largeNewGoogleLogoFinalFlat-a-300x116.png" alt="" width="270" height="104" /></a>How about a quick show of hands? How many of you, reading this, administer a corporate email system? Hmmm, looks like practically all of you, except for that guy in the back of the corner wearing the yellow t-shirt. Okay, not sure why you’re here, but I appreciate you reading nonetheless. Okay, next question. How many of you have a password policy that makes you change your corporate password every month, for example?</p>
<p>You hear that? That’s the sound of crickets chirping as practically each and every one of you tries to avoid eye contact with everyone else, because most of you probably haven’t changed the password to your personal email account since you first set it up. Now consider how many things are tied to that email account. Password resets for your bank accounts, your credit card accounts, your Facebook, Twitter, and blog accounts; personal email accounts are treasure troves of information for attackers. A compromised personal email account is the perfect information source for an ongoing attack against a user because so many other accounts can be compromised without the victim being aware. And the majority of users will not change their password unless a system prompts them to.</p>
<p><span id="more-5009"></span>Which is why Google has started a campaign to get users of its popular Gmail service to start changing their passwords. A new banner will appear at the top of the Gmail web page on accounts with passwords that haven’t been changed in an unspecified, but likely long, time.</p>
<p style="text-align: center;"><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/Google.png"><img class="aligncenter size-full wp-image-5010" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/Google.png" alt="" width="519" height="37" /></a></p>
<p>The link takes users to a page that offers advice for good password management, including:</p>
<ol>
<li>Using a unique password for each unique account.</li>
<li>Using a complex password.</li>
<li>Advice for creating a password that is difficult to guess.</li>
<li>Updating password recovery information, and</li>
<li>Tips for storing passwords when your memory just isn’t good enough.</li>
</ol>
<p>And after all, with dozens if not a hundred or more unique accounts, who can keep unique passwords for each and every account in their head?</p>
<p>Google has also led the industry by offering two-factor authentication to users at no charge, using SMS messages to their cell phones to provide the second factor, and offers it as an additional way to secure accounts on this same page. Whether you choose to take advantage of this or not, or even whether or not you use Gmail, changing your password for your personal email account is something that is probably long overdue.</p>
<p>They even included a pretty good, very short video that talks about how to create strong passwords. It lasts less than a minute, is easy for non-techies to follow, and is completely neutral. <a target="_blank" href="http://www.youtube.com/embed/0RCsHJfHL_4" onclick="pageTracker._trackPageview('/outgoing/www.youtube.com/embed/0RCsHJfHL_4?referer=');">Here is a link to that video</a>. As soon as you have changed your password, write up a nice little blurb to include in your weekly security tips to your users, reminding them to change the password on their personal accounts too. Remember this bit of security advice my dentist taught me years ago:</p>
<blockquote><p>&#8220;passwords are like toothbrushes; you don’t want to share them with anyone, and you need to change them often.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/google-states-what-needs-to-be-said/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>5 Tips for Better Email Security</title>
		<link>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 14:00:00 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[E-mail]]></category>
		<category><![CDATA[Internet security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Michelangelo]]></category>
		<category><![CDATA[Personal computer]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4968</guid>
		<description><![CDATA[Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are: Spam delivered via email Viruses and malware delivered via email Email messages that contain inappropriate content Information leaks. So in addition to steps taken [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/policy-review.jpg"><img class="alignright size-full wp-image-4969" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/policy-review.jpg" alt="" width="240" height="179" /></a>Small and medium-sized businesses face many of the same threats that large companies do when it comes to their email systems. Some of the common problems that email administrators face are:</p>
<ul>
<li>Spam delivered via email</li>
<li>Viruses and malware delivered via email</li>
<li>Email messages that contain inappropriate content</li>
<li>Information leaks.<span id="more-4968"></span></li>
</ul>
<p>So in addition to steps taken to secure the company’s network and desktops, a strategy to secure the organization’s email system is also a necessity.</p>
<p>Yet while small and medium-sized businesses face the same threats as their larger counterparts, they rarely have the same resources to fight back.</p>
<p>Of course the first step for any organization, regardless of size, is to make sure that they have a reliable spam filter in place. More often than not, a content filter will be part of this solution as it makes finding illicit email messages much easier.</p>
<p>For some, this is where most email security strategies stop. For those who do put additional measures in place to help mitigate the threats facing email, now is a perfect time to review these policies to see if they effectively protect your email from attack.</p>
<h3>1. Review your archiving system</h3>
<p>One of the most commonly overlooked aspects of email security is the archiving system that stores email messages in the event that they need to be accessed at a later date.</p>
<p>Look over your current archiving (or backup and recovery) solutions and policies to make sure that they are consistent with industry and regulatory requirements. Also, ensure that they are in line with your company’s culture.</p>
<h3>2. Review malware protection</h3>
<p>Enterprise anti-malware solutions make definition and signature updates easy to maintain. If your company has a solution in place that pushes updates out to desktops, remote computers and mobile devices, then make sure everything is running the way it should be.</p>
<p>One thing that organizations fail to check for is newly added devices, especially mobile devices. Check to make sure that every computer that connects to your network and email is properly secured by your anti-malware solution.</p>
<p>It is also important that you, or someone in your organization, review any software or appliances in place to fight malware, spam and other attacks to see if they are still relevant. As threats evolve, it is important that the tools used to fight them are up to date as well.</p>
<h3>3. Review email policies for relevance</h3>
<p>At one time email was considered the biggest threat when it came to information leakage. With social media, mobile communication devices and instant messaging becoming more infused into business, it is important that the policies used to govern communication are relevant to the communication tools used in your organization.</p>
<p>Review policies with every department to see how communication tools are used and identify where they are vulnerable. Once this is determined, you can work with these tools to best secure them from the specific vulnerabilities they present.</p>
<h3>4. Update computer systems</h3>
<p>Making sure that your anti-malware and anti-spam tools are up-to-date is part of the solution, but not all of it. You still have to make sure that everything that connects to your network and runs your software is updated as well.</p>
<p>Desktop and laptop operating systems should be up-to-date and fully patched. The same should be said for your server operating systems.</p>
<p>Once these are current, make sure that a schedule and policy are put in place to keep your software current.</p>
<h3>5. Educate again</h3>
<p>Educating users is always part of an effective security strategy but, like everything else, training has an expiration date.</p>
<p>When was the last time your users were trained on how to identify and address email threats like spam, phishing scams or malware? Is the information they were provided with current or is it so outdated that you still reference the Michelangelo virus?</p>
<p>If you have made changes to any policies, or plan to after reading this, then your training needs to be updated to reflect them. While you are at it, you should also make sure that any other information you are passing along to your co-workers is relevant as well.</p>
<p>In any organization, there are too many variables so no one can say that their email system is 100 percent secure. However, taking the time to eliminate as many possible vulnerabilities as you can will certainly bring the level of risk down significantly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/5-tips-for-better-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Why the iPhone should be the BYOD of choice for administrators</title>
		<link>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/</link>
		<comments>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/#comments</comments>
		<pubDate>Wed, 09 Nov 2011 14:00:58 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[iPhone]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4899</guid>
		<description><![CDATA[Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it&#8217;s fast becoming a fact of life in the workplace. One of the prime culprits behind [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI153-iphone-4S-apps-600.jpg"><img class="alignright size-medium wp-image-4927" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/11/GFI153-iphone-4S-apps-600-300x200.jpg" alt="" width="300" height="200" /></a>Organizations that want to see that their employees have the tools to get their jobs done often allow them to use their own devices to do it. While that policy can set the teeth of many administrators on edge, it&#8217;s fast becoming a fact of life in the workplace.</p>
<p>One of the prime culprits behind the popularity of BYOD—Bring Your Own Device—is Apple&#8217;s iPhone. Not only did it become a favorite among the rank and file workers in many companies, but also among the top brass in many of them, too. That made it difficult for IT departments to keep the smartphones from invading their domains.<span id="more-4899"></span></p>
<p>Now all kinds of smartphones are slipping by the door, many of them ill-suited for a corporate environment. They can be insecure. They can also be a headache to support. The iPhone, though, while conceived as a consumer device, has an edge on its competitors in an enterprise environment. That&#8217;s why administrators should be in Apple&#8217;s corner when the BYOD wave breaks over their organizations.</p>
<p>Granted, Research In Motion&#8217;s Blackberry smartphones are among the most secure in the world, which is why they&#8217;re the favorites of law enforcement, military and intelligence agencies, but RIM hasn&#8217;t been able to keep up with the technology breakthroughs made by its competitors, like Apple and Google, so it has been losing its adherents even in corporate markets where it was a darling for many years. A recent outage where some <a target="_blank" href="http://articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM:TECH" onclick="pageTracker._trackPageview('/outgoing/articles.cnn.com/2011-10-12/tech/tech_mobile_blackberry-outage_1_blackberry-outage-blackberry-subscribers-blackberry-users?_s=PM_TECH&amp;referer=');">customers lost Blackberry service</a> for up to three days hasn&#8217;t helped the platform&#8217;s image either.</p>
<p>One of the iPhone&#8217;s strongest suits is its robust support of Microsoft Exchange ActiveSync policies. In fact, outside of phones that run Windows Mobile, which are dwindling since Microsoft moved to its Windows Phone 7 platform, the iPhone supports more ActiveSync policies than any other mobile.</p>
<p>The iPhone ecosystem is also built to make recovering a phone&#8217;s contents, as well as moving its contents to a new phone, easy. Apple&#8217;s new iCloud service automatically backs up a phone&#8217;s apps and data to the cloud. In addition, iTunes, the software used to sync a phone with another computer, keeps a copy of a phone&#8217;s contents locally.</p>
<p>The iPhone&#8217;s support of ActiveSync compares starkly with Android smartphones, where VPN connections are hampered by no support of PEAP-secured WiFi in versions 2.x and 3.x of the operating system. In addition, on-device encryption and complex passwords are unsupported by 2.x.</p>
<p>Some administrators, though, are less concerned about security with all these alien devices than with providing support for them. That&#8217;s where the iPhone can really shine. Its intuitive interface makes it not only easy for its operators to use, but for support people to troubleshoot.</p>
<p>A <a target="_blank" href="http://www.readwriteweb.com/enterprise/2011/08/clickfox-says-android-and-rim.php" onclick="pageTracker._trackPageview('/outgoing/www.readwriteweb.com/enterprise/2011/08/clickfox-says-android-and-rim.php?referer=');">study</a> released during the summer, for instance, showed that it costs, on average, $4 more per person to support an Android or Blackberry user than it costs to support an iPhone operator. One of the biggest factors contributing to those increased costs was support call referrals.</p>
<p>Support organizations are usually organized into levels. If one level can&#8217;t solve a caller&#8217;s problem, it is booted to another level staffed with more expertise. What the study found was that 37 percent of Blackberry support calls had to be referred to another agent. For Android calls, it was far worse: 77 percent.</p>
<p>So administrators, when BYOD starts invading your bailiwick, you may want to become a cheerleader for the iPhone, not only because it&#8217;s more secure, but because it&#8217;s a lot easier to support.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/why-the-iphone-should-be-the-byod-of-choice-for-administrators/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Lessons Email Administrators Can Learn from &#8216;Hollywood Hacker&#8217; Bust</title>
		<link>http://www.theemailadmin.com/2011/11/lessons-email-administrators-can-learn-from-hollywood-hacker-bust/</link>
		<comments>http://www.theemailadmin.com/2011/11/lessons-email-administrators-can-learn-from-hollywood-hacker-bust/#comments</comments>
		<pubDate>Fri, 04 Nov 2011 14:00:04 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[FBI]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[law enforcement]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4843</guid>
		<description><![CDATA[Most email administrators don&#8217;t have celebrities like Scarlett Johansson on their networks, but that doesn&#8217;t mean they don&#8217;t host some pretty juicy targets for cyber robbers. Hollywood hotties can grab headlines for a hacker, but anyone in a corporation&#8217;s chain of command whose identity can be compromised and exploited to filch trade secrets, bank account [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI152-chart-large-300.jpg"><img class="alignright size-full wp-image-4875" style="border-width: 0px;border-color: black;border-style: solid;margin: 10px" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI152-chart-large-300.jpg" alt="" width="300" height="232" /></a>Most email administrators don&#8217;t have celebrities like Scarlett Johansson on their networks, but that doesn&#8217;t mean they don&#8217;t host some pretty juicy targets for cyber robbers.</p>
<p>Hollywood hotties can grab headlines for a hacker, but anyone in a corporation&#8217;s chain of command whose identity can be compromised and exploited to filch trade secrets, bank account numbers, and the like, is just as worthy a target for crackers, if not more so. After all, exposing some embarrassing pix about a starlet may earn a hacker some fame, but cajoling bank account credentials from a &#8220;suit&#8221; can earn him a fortune.<span id="more-4843"></span></p>
<p>While an Internet invader attacking a corporate network hunts different quarry than one focused on entertainers, their trade craft works in both realms. That was apparent in a presentation made by the Assistant Director in Charge of the FBI&#8217;s Los Angeles Field Office when he announced the capture of the infamous &#8220;Hollywood Hacker&#8221; earlier this month.</p>
<p>The <a target="_blank" href="http://www.fbi.gov/losangeles/press-releases/2011/florida-man-arrested-in-operation-hackerazzi-for-targeting-celebrities-with-computer-intrusion-wiretapping-and-identity-theft" onclick="pageTracker._trackPageview('/outgoing/www.fbi.gov/losangeles/press-releases/2011/florida-man-arrested-in-operation-hackerazzi-for-targeting-celebrities-with-computer-intrusion-wiretapping-and-identity-theft?referer=');">alleged hacker</a>, Christopher Cheney, 35, of Jacksonville, Fla., used a brew of online searching, social engineering and account manipulation to break into the email accounts of Scarlett Johansson and Christina Aguilera and post information from them, including nude pictures of Johansson, on the Internet.</p>
<p>In his presentation to reporters, U.S. Attorney Steven Martinez displayed a chart titled <a target="_blank" href="http://www.scribd.com/doc/70705226/Operation-Hackerazzi" onclick="pageTracker._trackPageview('/outgoing/www.scribd.com/doc/70705226/Operation-Hackerazzi?referer=');">&#8220;Operation Hackerazzi: Anatomy of a Hack&#8221;</a> that broke down the steps used by Cheney to crack the accounts of more than 50 victims.</p>
<p>The hacker started his campaign by gathering information about his prey from online public sources. Although the government didn&#8217;t identify those sources, they are, no doubt, the same sources any miscreant would consult to obtain that kind of info on someone in any organization—Facebook, LinkedIn and online forums.</p>
<p>Using the information garnered from the Internet, the hacker then breached his target&#8217;s email account. Again, the government was stingy with details, but the information was probably used to craft a social engineering pitch—some kind of persuasive phishing message, for example—or a direct attack on an account, using the information to guess the subject&#8217;s password.</p>
<p>Once an account was breached, the hacker locked out the account&#8217;s owner by changing their password. That gave the hacker unfettered control of the account for a short period of time. During that time, he could communicate with the contacts in the target&#8217;s address book without the account holder knowing about it. He could also mine the target&#8217;s files for nuggets of information. In Cheney&#8217;s case those nuggets were risqué personal pics of celebrities, but in corporate environments, it would be contracts, strategy memos, new product specs, and the like.</p>
<p>After discovering that their passwords no longer worked, targets reset them. Did the temporary lockout set off any alarms in their minds? Maybe, but most likely they just considered it a computer glitch and went on their merry way, until the material clipped from their accounts started appearing on the Internet.</p>
<p>What&#8217;s more, the hacker planned for the inevitable repossession of the account by its owner. He accessed the account settings while in possession of it and modified them so all email was forwarded to one of his email accounts. In that way, he could still monitor what was happening in the account.</p>
<p>Meanwhile, the hacker took the contact information stolen from the account to harvest new targets.</p>
<p>What lessons can you learn from the &#8220;Hollywood Hacker&#8221;? Here are a few:</p>
<ul>
<li>Create secure passwords and don&#8217;t share them with anyone no matter how persuasive their reasons may be for knowing them.</li>
<li>Create secure challenge questions—ones with answers that can&#8217;t be discovered on the public Internet.</li>
<li>Do not use the same password for multiple accounts because discovering one can tip over all your accounts like a house of cards.</li>
<li>Periodically check your mail account settings and sent mail items for suspicious activity.</li>
<li>Don&#8217;t store sensitive information on a smartphone or computer unless it&#8217;s encrypted.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/11/lessons-email-administrators-can-learn-from-hollywood-hacker-bust/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>iPhone&#8217;s Siri Could Pose Threat to Email Security</title>
		<link>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/#comments</comments>
		<pubDate>Thu, 27 Oct 2011 14:00:55 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[Siri]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4813</guid>
		<description><![CDATA[Whenever a new cool technology is introduced into a consumer smartphone, for every &#8220;wow&#8221; it sparks from an early adopter, an &#8220;ouch&#8221; is elicited from a system administrator. That appears to be the case with Siri, the &#8220;personal assistant&#8221; in the latest model of Apple&#8217;s iPhone, the 4S. The 4S was introduced on October 5 [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI151-art_photo-siri-200x0.jpg"><img class="alignright size-full wp-image-4831" style="border: 0px solid black; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/GFI151-art_photo-siri-200x0.jpg" alt="" width="200" height="300" /></a>Whenever a new cool technology is introduced into a consumer smartphone, for every &#8220;wow&#8221; it sparks from an early adopter, an &#8220;ouch&#8221; is elicited from a system administrator. That appears to be the case with Siri, the &#8220;personal assistant&#8221; in the latest model of Apple&#8217;s iPhone, the 4S.</p>
<p>The 4S was <a target="_blank" href="http://www.ign.com/articles/2011/10/04/apple-introduces-iphone-4s" onclick="pageTracker._trackPageview('/outgoing/www.ign.com/articles/2011/10/04/apple-introduces-iphone-4s?referer=');">introduced on October 5</a> and has proven to be extremely popular, with four million units sold during the first weekend it was available to consumers. Some of those consumers, however, are going to find that their shiny new toys are going to be <em>mobilis non gratus</em> when they try to connect them to their corporate networks. That&#8217;s because some organizations consider the smartphones a security risk.</p>
<p>At the root of the problem is Siri. It allows you to use your voice to issue commands and posit queries to the phone. For instance, you can say, &#8220;Where can I eat pizza around here?&#8221; And Siri will respond with a map with nearby pizza joints tagged on it. Or, without any training, you can ask it to call someone from your address book while you&#8217;re driving your car so you don&#8217;t have to touch the phone.<span id="more-4813"></span></p>
<p>Sounds cool, doesn&#8217;t it? It&#8217;s so cool that Apple couldn&#8217;t resist turning the feature on by default. So when you take the 4S out of the box, Siri is on when you power up the mobile. What&#8217;s worse—and the real rub for administrators—is that Siri continues working even when the phone is locked with a password.</p>
<p>Ordinarily, when an iPhone is password protected, when you turn the phone on, a lock out screen appears. To get past that screen, you need to enter your password. With Siri activated, though, the lock out screen appears, but you can still give the phone voice commands. You can send email and text messages. You can access the phone&#8217;s address book and calendar. And you can make phone calls.</p>
<p>The only thing you can&#8217;t do is search the Net. Try to do that and Siri&#8217;s female voice will inform you that she will not ferret the Web when the phone is locked.</p>
<p>While Apple wasn&#8217;t about to disable a shining achievement like Siri from an out-of-the-box 4S, doing so is pretty easy. You drill down through settings&gt;general&gt;passcode lock and turn off &#8220;allow access to Siri when locked with a passcode.&#8221; That, though, reduces the utility of the phone, since part of Siri&#8217;s value is it allows you to perform functions with the phone without touching it. If you have to type in a pass code, you&#8217;ll definitely have to touch it.</p>
<p>However, the fact that Siri can be turned off is irrelevant to administrators. That&#8217;s because they need to compel devices that connect to their networks to be password protected. If a phone full of corporate secrets is lost or stolen, they don’t want to be wondering if it was password protected or not.</p>
<p>That&#8217;s not the case with the iPhone 4S. An administrator can never know when or if Siri&#8217;s passcode override has been turned off by a user. The possibility will always be lurking that Siri will be used to compromise an errant phone. Until administrators can access a phone&#8217;s Siri settings, the way they can access passcode settings through the Microsoft Exchange interface Apple supplies with its iPhones, the 4S will remain a pariah in many security-conscious organizations.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/iphones-siri-could-pose-threat-to-email-security/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Get ready for Exchange 2010 SP2</title>
		<link>http://www.theemailadmin.com/2011/10/get-ready-for-exchange-2010-sp2/</link>
		<comments>http://www.theemailadmin.com/2011/10/get-ready-for-exchange-2010-sp2/#comments</comments>
		<pubDate>Mon, 24 Oct 2011 16:00:07 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[Exchange server]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Exchange 2010]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4824</guid>
		<description><![CDATA[Back in May of 2011, the Exchange Team Blog announced that Exchange 2010 SP2 would be coming in the second half of 2011. Now that we are firmly within that second half, SP2 should be just around the corner, and now’s the time for you to start getting ready for the inevitable testing and pre-deployment [...]
]]></description>
			<content:encoded><![CDATA[
<p><a target="_blank" href="http://www.theemailadmin.com/wp-content/uploads/2011/10/exchange.jpg"><img class="alignright size-full wp-image-4829" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/exchange.jpg" alt="" width="203" height="171" /></a>Back in May of 2011, the <a href="http://blogs.technet.com/b/exchange/archive/2011/05/17/announcing-exchange-2010-service-pack-2.aspx" onclick="pageTracker._trackPageview('/outgoing/blogs.technet.com/b/exchange/archive/2011/05/17/announcing-exchange-2010-service-pack-2.aspx?referer=');">Exchange Team Blog announced that Exchange 2010 SP2 would be coming</a> in the second half of 2011. Now that we are firmly within that second half, SP2 should be just around the corner, and now’s the time for you to start getting ready for the inevitable testing and pre-deployment work that will come with this service pack release. What’s that, you say? Testing? Pre-deployment work? This isn’t just a Windows Update deployed patch? Hardly! Any service pack to any operating system or server is a major event, and the deployment of this service pack will be a major undertaking for every company running Exchange 2010, from the single server installs to the largest of organisations.</p>
<p><span id="more-4824"></span>And why would anyone want to take on a service pack? Well long-term supportability comes to mind; so does ensuring you are up to date with the latest patches, bug fixes, and security enhancements. But if that is not enough, check out this impressive list of features* that SP2 will be bringing to Exchange 2010.</p>
<ol>
<li>Outlook Web App Mini<br />
This will be a browser-based version of OWA designed for phones that are web-capable, but not as “smart” as Windows, Droids, or Apple iPhones. It will be largely text based, and provide access to mail and the GAL.</li>
<li>Silent cross-site redirection for OWA<br />
This will make the task of redirecting OWA clients to another site silent (no user prompt) and will also support SSO. The short version is that you can have a single OWA URL that you publish for your users, even if you have OWA implementations distributed geographically, and your users can all use the same URL.</li>
<li>Hybrid Configuration Wizard<br />
The cloud is where it’s at, and Exchange coexistence is a great solution for many organisations looking at Office 365 or other hosted solutions. The wizard will take 40+ manual steps to deploy this, and condense them down to 6.</li>
<li>Address book policies<br />
Companies that need to segment their address books into geographic, organizational, or other grouping will be able to do so, which is both more efficient, and more secure.</li>
<li>All of the patches that have been included in the various roll ups (1-4.)</li>
</ol>
<p><em>*subject to change</em></p>
<p>Now that you know <em>why</em> you will want to deploy SP2, it’s time to consider the how. One of the most significant things to be aware of, and to plan for, is that this will require schema updates to your Active Directory. Yes, that’s right; you will need to extend the schema to support SP2. With year-end activities approaching, and enterprise-wide change windows tending to close at this time of year, you might want to submit the schema extension change request now. That way you can apply it as soon as the bits are released and spend time testing SP2 before the end of the year.</p>
<p>Knowing that SP2’s release is coming, and that it will need schema updates, lets you start planning now for how you will deploy this in your environment. If any of the features being added will address urgent business needs, you will want to have time allotted in December for testing and deployment. If not, you can wait until January. Whatever the case may be, now you know.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/get-ready-for-exchange-2010-sp2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Novell Patches Critical Issue in Groupwise</title>
		<link>http://www.theemailadmin.com/2011/10/novell-patches-critical-issue-in-groupwise/</link>
		<comments>http://www.theemailadmin.com/2011/10/novell-patches-critical-issue-in-groupwise/#comments</comments>
		<pubDate>Fri, 07 Oct 2011 14:00:58 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4704</guid>
		<description><![CDATA[Administrators of Novell’s flagship messaging and collaboration product Groupwise should move quickly to apply the latest security patch from Novell, which addresses multiple vulnerabilities that could lead to code execution. The Groupwise Internet Agent (GWIA) is responsible for all SMTP connections with external mail systems, and it was discovered recently that this agent has three [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/10/groupwise-logo.jpg"><img class="alignright size-full wp-image-4706" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/10/groupwise-logo.jpg" alt="" width="102" height="102" /></a>Administrators of Novell’s flagship messaging and collaboration product Groupwise should move quickly to apply the latest security patch from Novell, which addresses multiple vulnerabilities that could lead to code execution.</p>
<p>The Groupwise Internet Agent (GWIA) is responsible for all SMTP connections with external mail systems, and it was discovered recently that this agent has three distinct memory corruption issues that can be exploited when the GWIA parses rule variables in weekday, weekly, and yearly vcalendar messages.</p>
<p><span id="more-4704"></span>There is currently no known exploit in the wild for any of these three vulnerabilities, but the first one was assigned a CVE last year, and the other two just last month. <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4325" onclick="pageTracker._trackPageview('/outgoing/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4325&amp;referer=');">CVE-2010-4325</a> contains more information on the Weekday RRULE vulnerability, while <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2662" onclick="pageTracker._trackPageview('/outgoing/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2662&amp;referer=');">CVE-2011-2662</a>, and <a target="_blank" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2663" onclick="pageTracker._trackPageview('/outgoing/cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2663&amp;referer=');">CVE-2011-2663</a> are reserved and awaiting updates. Novell has released three security advisories around these issues:</p>
<p><a target="_blank" href="http://www.novell.com/support/viewContent.do?externalId=7009212" onclick="pageTracker._trackPageview('/outgoing/www.novell.com/support/viewContent.do?externalId=7009212&amp;referer=');">Security Vulnerability &#8211; GroupWise 8 Internet Agent Weekday RRULE (VCALENDAR) Vulnerability</a></p>
<p><a target="_blank" href="http://www.novell.com/support/viewContent.do?externalId=7009215" onclick="pageTracker._trackPageview('/outgoing/www.novell.com/support/viewContent.do?externalId=7009215&amp;referer=');">Security Vulnerability &#8211; GroupWise 8 Internet Agent Weekly RRULE (VCALENDAR) Vulnerability</a></p>
<p><a target="_blank" href="http://www.novell.com/support/viewContent.do?externalId=7009216" onclick="pageTracker._trackPageview('/outgoing/www.novell.com/support/viewContent.do?externalId=7009216&amp;referer=');">Security Vulnerability &#8211; GroupWise 8 Internet Agent Yearly RRULE (VCALENDAR) Vulnerability</a></p>
<p>Novell has also released <a target="_blank" href="http://download.novell.com/Download?buildid=gBjwGIdt77s~" onclick="pageTracker._trackPageview('/outgoing/download.novell.com/Download?buildid=gBjwGIdt77s&amp;referer=');">Hot Patch 3</a>, which addresses all three of the vulnerabilities. If you are running that already, your server is not vulnerable to any of the three vulnerabilities. If you are not, you should test HP3 in your environment as soon as possible and deploy it to your systems. Systems running earlier versions of Groupwise are also vulnerable, but no patch will be released for these unsupported platforms.</p>
<p>Researchers determined that successfully exploiting any of the three vulnerabilities could result in the server executing arbitrary code with system level privileges. Even a failed exploit could lead to a denial of service condition that would require the server to be rebooted. Anyone external to the system can launch the attack by sending a maliciously formatted iCal calendar file to a user of the system.</p>
<p>Sebastien Renaud of VUPEN Security is credited with discovering one, while the other two are credited only to an anonymous researcher at Verisign’s iDefense Labs and an anonymous researcher at TippingPoint’s Zero Day Initiative.</p>
<p>While my posts tend to focus more on Microsoft Exchange than any other email platform, and I’m sure most of us are in the habit of checking our email early on patch Tuesday every month for the latest security patches from Microsoft, it is crucial that we do not overlook other vendors’ software that is sitting on our network. Whether we are using a third party application that runs on Windows, a distro of Linux, or network hardware, we as admins must pay attention to the security bulletins that come out from our vendors, and stay on top of necessary security patches. If you do not already have a patch management program in place, take a look at these three blog posts on patching:</p>
<ol>
<li><a target="_blank" href="http://www.gfi.com/blog/patch-management-policy/" onclick="pageTracker._trackPageview('/outgoing/www.gfi.com/blog/patch-management-policy/?referer=');">What should be included in your patch management policy?</a></li>
<li><a target="_blank" href="http://www.lovemytool.com/blog/2010/06/a-patch-management-strategy-for-your-network-by-ed-fisher-.html" onclick="pageTracker._trackPageview('/outgoing/www.lovemytool.com/blog/2010/06/a-patch-management-strategy-for-your-network-by-ed-fisher-.html?referer=');">A Patch Management Strategy for Your Network</a></li>
<li><a target="_blank" href="http://www.gfi.com/blog/6-tips-successful-patching-process/" onclick="pageTracker._trackPageview('/outgoing/www.gfi.com/blog/6-tips-successful-patching-process/?referer=');">6 Tips for a Successful Patching Process</a></li>
</ol>
<p>and then consider a good patch management application for your network. Look for one that can address not just the operating system, but also the applications that run on your network, and that can scan for network hardware firmware as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/10/novell-patches-critical-issue-in-groupwise/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Keep Calm and Carry On</title>
		<link>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/</link>
		<comments>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/#comments</comments>
		<pubDate>Wed, 28 Sep 2011 14:00:15 +0000</pubDate>
		<dc:creator>Casper Manes</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[SSL]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4634</guid>
		<description><![CDATA[&#60;sarcasm&#62; Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/keepcalmandcarryon.jpg"><img class="alignright size-full wp-image-4637" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/keepcalmandcarryon.jpg" alt="" width="190" height="266" /></a><em><strong>&lt;sarcasm&gt;</strong></em> Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. We might just as well all return to the trees; we made a good go of it, but society as we know it is done.<em><strong>&lt;/sarcasm&gt;</strong></em></p>
<p>In all seriousness though, the latest blow to the technologies that help to secure significant amounts of traffic on the Internet was delivered this week by Thai Duong and Juliano Rizzo, two security researchers who plan to demonstrate proof of concept code at the Ekoparty Security Conference in Buenos Aires, Argentina, that can actually decrypt TLS 1.0 traffic. It is a proof of concept, not a zero day exploit already developed into a Metasploit plug-in, so there’s no need to panic quite yet.</p>
<p><span id="more-4634"></span>TLS 1.0 is one of the most commonly used encryption protocols for securing traffic, including HTTPS, SMTP/TLS, and secure versions of POP3 and IMAP. We use it whenever our clients access our email servers using any secure protocol including web mail, and when we send TLS protected mail between our systems and our partners.</p>
<p><a target="_blank" href="http://www.ietf.org/rfc/rfc2246.txt" onclick="pageTracker._trackPageview('/outgoing/www.ietf.org/rfc/rfc2246.txt?referer=');">Defined in RFC 2246</a>, it was proposed as a replacement for SSL 3.0, which is actually still widely used today. TLS 1.0 is a Cipher-block chaining protocol, where a block of plaintext is XOR’d with the block of ciphertext that precedes it. BEAST uses a type of cryptologic attack called a “known plain-text” attack to figure out the encryption, exploiting a vulnerability in TLS 1.0 that has long been theorized as a problem with the protocol.</p>
<p>TLS 1.1 and 1.2 both exist as successors to TLS 1.0, and neither is vulnerable to this same flaw, but they have not been widely implemented, in part because the flaw in 1.0 wasn’t real, at least, not until now. Internet Explorer can use both, but they must be enabled. SChannel in Windows 2008 and 2008R2 can use them as well, but again, they must be enabled. The easiest way to do this domain wide for Windows users is to use a group policy to enable &#8220;System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing&#8221;, but don’t do that just yet. This can have some undesirable effects on a typical PC. <a target="_blank" href="http://support.microsoft.com/kb/811833" onclick="pageTracker._trackPageview('/outgoing/support.microsoft.com/kb/811833?referer=');">Read this KB</a> article and test carefully before making a system-wide change like this, and then keep in mind that Chrome, Firefox, and most other browsers cannot use TLS 1.1 or 1.2 at the time of this writing. Even with Windows software, this setting is advisory only. It enables them to use TLS 1.1 and 1.2, but it doesn’t force them to. Many websites using HTTPS only implement TLS 1.0, and clients will be able to fall back to that.</p>
<p>The duo’s proof of concept application is called BEAST, for Browser Exploit Against SSL/TLS, and apparently does a very effective job of decrypting authentication cookies used by websites to grant users access to secured content that requires authentication. Apparently the attack works like this: a bit of JavaScript is injected into a user’s browser session when they visit a compromised website or click on a link that takes them to a site set up to deliver the code; it then works with a network sniffer to capture encrypted cookies passed between the client and a server, which it is then able to decrypt.</p>
<p>To exploit a system, an attacker must first deliver the JavaScript to the browser, and then must have a sniffer in place to capture the packets. A well patched system, running current antivirus, and protected by mechanisms like a proxy server, should be difficult to attack. If an attacker can do all of that to a user, they can probably do anything else they want already, which means they probably already own the victim’s computer.</p>
<p>The good news is that the exploit for this vulnerability, and the proof of concept application, were both developed by good guys. Demonstrating that this sort of attack is possible and practical will likely motivate developers of browsers and web servers to deploy TLS 1.1 and 1.2 capable versions of their software. Google has already released a patch that, while still using TLS 1.0, defeats this particular attack, and the developers of OpenSSL and the Network Security Services libraries used now have real reasons to implement the stronger protocols.</p>
<p>So, what can be done to help mitigate this? Follow the points below:</p>
<ol>
<li>Keep up-to-date on all vendor patches, both for your operating system and all applications you use.</li>
<li>Keep antivirus software up-to-date, use real-time scans, and perform scheduled full scans regularly.</li>
<li>Close all browser sessions, and use a fresh session with no other open tabs whenever you need to browse to a secure site, like your bank, credit card, webmail, etc.</li>
<li>Close that browser completely when you log off.</li>
<li>Consider disabling JavaScript in your browser.</li>
<li>Consider using a sandboxed version of a browser.</li>
<li>Watch for, and implement, updated libraries for encryption as soon as they are available from your vendors.</li>
</ol>
<p>In researching for this article, I came across a handy website that can show you just which protocols your browser uses to secure an HTTPS session. It uses a self-signed certificate, so be ready to get a warning dialog, but check out <a target="_blank" href="https://www.mikestoolbox.net/" onclick="pageTracker._trackPageview('/outgoing/www.mikestoolbox.net/?referer=');">https://www.mikestoolbox.net/</a> to see some interesting information about your browser, and to test any changes you make to supported encryption protocols.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/09/keep-calm-and-carry-on/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Email Admins Can Benefit from New Secure Domain Technology</title>
		<link>http://www.theemailadmin.com/2011/09/email-admins-can-benefit-from-new-secure-domain-technology/</link>
		<comments>http://www.theemailadmin.com/2011/09/email-admins-can-benefit-from-new-secure-domain-technology/#comments</comments>
		<pubDate>Thu, 22 Sep 2011 14:00:41 +0000</pubDate>
		<dc:creator>John P Mello Jr</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[DNS]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4592</guid>
		<description><![CDATA[The lives of email administrators would be a lot rosier if their systems could be sure of the origin of an email, and if the name on the &#8220;from&#8221; line in a message was actually from the person who sent it. Add to that a way to assure authentic connections to websites accessed by their [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI146-dnssec.jpg"><img class="alignright size-full wp-image-4608" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/09/GFI146-dnssec.jpg" alt="" width="230" height="273" /></a>The lives of email administrators would be a lot rosier if their systems could be sure of the origin of an email, and if the name on the &#8220;from&#8221; line in a message was actually from the person who sent it. Add to that a way to assure authentic connections to websites accessed by their users, and there will be a host of happy faces in IT land.</p>
<p>If those things were possible, spam and messages bearing malicious payloads could be easily turned away. Spear phishing attacks—attacks targeted at a specific set of individuals within an organization—could be blunted. Diversions to dangerous websites could be averted.</p>
<p>Sounds like éclairs in the ether? Not necessarily. There is a technology that&#8217;s now being implemented on the Internet that, while no magic bullet, could, when widely adopted, foil many kinds of attacks based on hackers hijacking the domain names behind websites. It&#8217;s called <a target="_blank" href="http://www.dnssec.net/" onclick="pageTracker._trackPageview('/outgoing/www.dnssec.net/?referer=');">DNSSEC</a>.</p>
<p>DNSSEC, a standard that took 18 years to develop, is considered by some as the best method now available to authenticate DNS queries. Those queries are used by a web browser to communicate with a website. To some extent, those queries are protected now at websites using SSL. The problem with SSL is that it doesn&#8217;t protect the query while it&#8217;s traveling from the query&#8217;s author to the website. That enables a hacker to alter the information in the query&#8217;s data stream.</p>
<p>With DNSSEC, when a query is sent to a website, the answer to it is returned with a digital signature. That signature can be compared to an authentication database for the entire Internet to assure the authenticity of the website answering the query. If a hacker tries to hijack a website and redirect its traffic to an outlaw outpost, the tactic would be exposed to visitors because answers originating from the hacker&#8217;s website would not contain the digital signature identifying them as authentic.</p>
<p>The technology also addresses another kind of attack on how the Internet resolves queries to websites. Called DNS poisoning, it occurs when a hacker inserts malicious code into a DNS server. Say a request arrives at the server to go to google.com. Ordinarily, the server would take that address, convert it to the IP address for google.com, and send the web surfer on their way. If the DNS cache is poisoned, however, when that conversion takes place, the web surfer is redirected to a malicious site. Once again, though, with DNSSEC in place, that malicious site would be exposed once it tried to communicate with the visitor&#8217;s browser because that communication would lack proper authentication.</p>
<p>What&#8217;s good about DNSSEC is that it can be used beyond just authenticating website traffic. That Internet-wide authentication database created by the technology could also be used to authenticate email certificates. Those certificates would go a long way in reducing spam, muzzling phishing attacks and enabling private email—email that&#8217;s encrypted and can only be decrypted by its intended recipient. In order for that to happen, however, DNSSEC needs to be adopted throughout the cyberspace food chain—from those at the top of the domain structure to the ISPs to the browser and client makers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/09/email-admins-can-benefit-from-new-secure-domain-technology/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Understanding Email Encryption (Part 1)</title>
		<link>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-1/</link>
		<comments>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-1/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 15:32:27 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[Advanced Encryption Standard]]></category>
		<category><![CDATA[AES]]></category>
		<category><![CDATA[Digital signature]]></category>
		<category><![CDATA[E-mail encryption]]></category>
		<category><![CDATA[email encryption]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Princeton University]]></category>
		<category><![CDATA[Public-key cryptography]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4441</guid>
		<description><![CDATA[It doesn’t matter if your company uses email to communicate corporate secrets, confidential financial information, or just an invite to the annual picnic; people who weren’t intended to see the message shouldn’t be able to. To prevent prying eyes from having the opportunity to read your corporate emails encryption is usually the first choice among [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/email-encryption.gif"><img class="alignright size-full wp-image-4442" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/email-encryption.gif" alt="Understanding email encryption" width="200" height="150" /></a>It doesn’t matter if your company uses email to communicate corporate secrets, confidential financial information, or just an invite to the annual picnic; people who weren’t intended to see the message shouldn’t be able to.<span id="more-4441"></span></p>
<p>To prevent prying eyes from having the opportunity to read your corporate emails, encryption is usually the first choice among email administrators who understand security. However, according to a study done by Princeton University titled <em>“Secrecy, Flagging, and Paranoia: Adoption Criteria in Encrypted E-Mail”</em>, there are still many barriers to companies implementing email encryption:</p>
<ul>
<li>The belief that encryption is not needed because a company is too small</li>
<li>Encryption flags a message as being important or secret</li>
<li>Encryption solutions are too complicated for users</li>
<li>Email encryption solutions are too hard to implement and set up</li>
<li>Using encryption makes the company look paranoid</li>
<li>Receiving encrypted messages can be annoying</li>
</ul>
<p>To quote one respondent of the study, “normal people don’t encrypt normal email messages.”</p>
<h2>Lack of understanding</h2>
<p>It seems that with so many responses like this, most people have a lack of knowledge when it comes to email encryption.</p>
<p>So let’s start with when someone would want to use encryption. Ask yourself, “Does it matter who reads this email?” For any messages where the answer is no, encryption isn’t necessary.</p>
<p>But if you answer yes, the messages should be secured. Considering 99 percent of all email still travels over the Internet without being secured, it would be safe to assume that there are messages in that 99 percent where the answer to our question would be yes, so an understanding of email encryption is certainly warranted.</p>
<h2>Types of encryption</h2>
<p>There are hundreds of encryption solutions available for home and corporate users. Some are extremely hard to break; others can be broken rather easily by someone who knows what they are doing. Others still have been completely untested. These solutions generally fall under one of two types of encryption: Symmetric or Asymmetric.</p>
<h3>Symmetric Key Encryption</h3>
<p>A basic definition of symmetric key encryption is where both parties share a single secret key. This works best to prevent casual viewing or the accidental disclosure of sensitive information.</p>
<p>It works by the user typing their email message and, using the shared secret key, encrypting it into cipher text. The cipher text message is then sent to the recipient(s) where the same shared secret key is used to turn the encrypted message back into plain text for reading.</p>
<p>Symmetric key cryptography commonly relies on algorithms such as AES, Twofish, RKZIP, DES, Blowfish and IDEA.</p>
<h3>Asymmetric Key Encryption</h3>
<p>Also called public-key cryptography, asymmetric encryption requires two separate keys. One, called the public key, is used to encrypt the plain text of the message, and another, called the private key, decrypts the cipher text. The way it works is that a public key and private key are created and mathematically linked to each other. The public key is then published so anyone with access to this key can send encrypted messages to the holder of the private key, which is not shared.</p>
<p>This is very different from the single shared key of symmetric encryption and no longer requires a secure exchange of the single shared key, as is necessary with symmetric encryption.</p>
<p>The asymmetric method works when the email sender writes the message in plain text and encrypts it using the public key. The encrypted message, now in cipher text, is sent to its intended recipients. The recipient needs to use the sender’s private key to decrypt the message back into plain text so it can be read.</p>
<p>The algorithms that asymmetrical encryption relies on are RSA, PGP, DSA and Diffie-Hellman.</p>
<p>To add an additional layer of security to public-key encryption, some senders use a digital signature as well. The digital signature signs a message with the sender’s private key. Recipients use their public key to verify that the sender is who they claim to be. Not only is the confidentiality of the message now protected, but the authenticity as well.</p>
<p>You can see where this could be used to help fight phishing scams, especially when an internal email address is spoofed to compromise user credentials or steal information.</p>
<p>Even if you decide that encryption should be added to your existing layers of email security, end-users still have to buy in or they will continue to send plain text messages that are not protected. In part two, we will look at some of the stigmas that are associated with using email encryption and how you, as an email administrator, can overcome them with your users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/understanding-email-encryption-part-1/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Secure Your Desktop &#8211; Protect Your Email</title>
		<link>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/</link>
		<comments>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:00:58 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4410</guid>
		<description><![CDATA[So you have been tasked with securing your organization’s email services. There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework. So you have looked at your [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg"><img class="alignright size-full wp-image-4413" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg" alt="Securing the desktop is a major part of email security" width="300" height="259" /></a>So you have been tasked with securing your organization’s email services.</p>
<p>There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework.<span id="more-4410"></span></p>
<p>So you have looked at your email server, or servers, and taken the recommended steps of:</p>
<ul>
<li>Installing a commercial email security solution,</li>
<li>Updating the server’s operating system,</li>
<li>Patching all required software,</li>
<li>Turning off all unnecessary services,</li>
<li>Configuring your email server to sit behind the external firewall,</li>
<li>Encrypting your email storage,</li>
<li>Setting a backup schedule,</li>
<li>Testing the recovery portion of your backup,</li>
<li>Training your users on your company email policies.</li>
</ul>
<p>Confident that your email services are now secure, you can roll up your sleeves and attack the next item in the pile of projects that is sitting on your desk, right?</p>
<p>Not so fast. Unfortunately, there is still quite a bit of work to do.</p>
<h2>What am I missing?</h2>
<p>Like any other computer service, email requires many different users to share information with the email server or cluster of servers. Each user connects via a desktop computer, a laptop, tablet, or smart phone; as a result, there is a two-way communication going on between them where data is exchanged. Can you see where we are going with this?</p>
<p>That’s right. Even if the servers that drive your company’s email are secured, there still remains that one variable that is often the root of so many security problems &#8211; the user.</p>
<p>If just one of those many users connects to the company’s email servers with an unsecured or infected device, it could mean disaster for your organization’s email. Considering that email is still the preferred method of business communication, you could have some serious problems on your hands.</p>
<h2>Securing the endpoint</h2>
<p>Your company can buy the top of the line security tools, train users until they can recite policies in their sleep and keep everything under a watchful eye, but all it takes is one zero-day vulnerability to be exploited on a device that a user connects to your network with and you can consider yourself compromised.</p>
<p>You see, attackers know that the weakest point in any organization is the user and his or her computer. Servers are often guarded with firewalls, intrusion detection and prevention devices, and diligent operators. The low-hanging fruit is the user, so that is where the attackers concentrate.</p>
<p>Training is always considered the best way to enforce security in an organization. The thought is that if people are aware of what the threats are and what they can do to stop them, then most attacks can be mitigated. We know that’s not the case. Training and education work, but only so much. Instead of being looked at as the solution, training should be considered a part of a larger plan to stop threats against your email. Other elements of the overall strategy should include:</p>
<p><strong>Check your computers for malware</strong></p>
<p>No solution is going to stop 100 percent of all malicious software from infecting computers on your network. However, having a solution in place that constantly scans your network devices for malicious software is a crucial part of your overall security because, believe me, something is better than nothing. This means running anti-malware software that is updated automatically. Even better, make sure you can configure the solution so that users can’t opt to postpone the updates.</p>
<p><strong>Update the OS and all software</strong></p>
<p>After you have tested the updates and patches published for your computers’ operating systems and software, make sure that they are installed. Most patches are released to fix problems and plug up exploits found in the software code. Not updating your machines leaves them open to attack.</p>
<p><strong>Update the browser</strong></p>
<p>As email moves to the cloud, it is essential that the browser used in your organization is updated as regularly as any other software. This includes any plug-ins or extensions used by the browser. Even if you are still hosting mail services yourself, websites continue to grow as a method of delivering malware to computers; using a secured browser is essential to protect users from being infected by seemingly harmless sites that they visit.</p>
<p>Email security is not easy. As with any other portion of your infrastructure&#8217;s security, it takes diligence, knowledge and skill. However, email security cannot be avoided simply because it is too hard a task to complete. You can certainly look into solutions that help ease the workload and make up for any deficiencies when it comes to this job.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>Misconceptions About Email Security</title>
		<link>http://www.theemailadmin.com/2011/07/misconceptions-about-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/07/misconceptions-about-email-security/#comments</comments>
		<pubDate>Mon, 25 Jul 2011 16:13:19 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Consultants]]></category>
		<category><![CDATA[E-mail attachment]]></category>
		<category><![CDATA[E-mail encryption]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[General and Freelance]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4378</guid>
		<description><![CDATA[When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="size-medium wp-image-4393 alignright" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" title="email security" src="http://www.theemailadmin.com/wp-content/uploads/2011/07/email-security-300x300.jpg" alt="" width="300" height="300" />When you don’t understand something that your job requires you to know, the most logical thing to do is research the topic and learn as much as you can about it. For many people who find security as part of their job description, learning as you go is the only option available. Yet despite the fact that there is so much information readily available to us, misconceptions regarding email security still confuse many professionals tasked with maintaining the confidentiality, integrity and availability of email services.<span id="more-4378"></span></p>
<p><strong>Blocking executable files will stop malware from being spread among users</strong></p>
<p>Filtering all attachments that include .exe or .msi was once a common way to keep users from sending infected files to one another through email. This is still considered by many to be a best practice for securing email systems; however, as more tech-savvy workers entered the workforce, they found ways around this. Generally, people will simply change the extension on a file and send it in an email attachment to a co-worker, friend, or family member. The recipient simply downloads the file and changes it back to the correct file extension. If that file has malware attached to it, the recipient will become infected when the file is opened and that could spread to other machines on your network.</p>
<p>Another scenario that dates this method of securing email, and is much more common, is when a user receives an email with a link in it. This link takes the user to a seemingly harmless website that is hosting drive-by downloads that install malware onto a computer when the person visits the site. No action on the part of the user is necessary other than clicking on the link.</p>
<p>Email security solutions need to address both of these scenarios in order to truly offer protection.</p>
<p><strong>Attackers target large companies because that is where the rewards are greater</strong></p>
<p>We often hear about how large financial institutions are hit by attackers where the number of users whose confidential information is stolen runs into the millions; or maybe it’s an attack against a huge government organization like the <a target="_blank" href="../../../../../2011/04/what-we-can-learn-from-the-oak-ridge-attack/">Oak Ridge National Lab attack</a> that makes the headlines. At the same time, we almost never hear of a mom-and-pop store where the same thing happens. That’s because it’s not sensational. A small business being breached doesn’t warrant enough interest from the major networks, but that doesn’t mean it never happens. It actually happens more frequently to small and medium-sized enterprises than it does to the big corporations.</p>
<p>Large companies often have the budget to better secure email systems against attack, whereas smaller companies often rely on security by obscurity as their solution, and attackers know this. Whether they are looking for the lower-hanging fruit or simply trying to hone their skills, attackers frequently target SMBs with email security attacks.</p>
<p>Finding security products that are geared towards SMBs is essential not only because they are affordable, but because they are tailored to the needs of these organizations.</p>
<p><strong>Email encryption is only for healthcare and financial institutions</strong></p>
<p>It is true that these two industries are required by certain regulations to encrypt email messages. While other industries have nothing that says encryption is necessary, it is still good practice to make sure your emails aren’t sent in plain text across the Internet.</p>
<p>There are many reasons why a smaller company would want to protect information sent via email. You could be sending confidential information about employees, details about an investigation, sensitive company financial data, strategies for growing your business&#8230; the list is endless. But no matter what the reason for keeping a lid on the contents of your message, if it is not encrypted then anyone with the know-how can capture and read these emails.</p>
<p><strong>Email stored behind your firewall is more secure than email stored in the cloud</strong></p>
<p>Cloud security is one of the most hotly debated topics when it comes to email security. Moving email services to the cloud will certainly take security and control out of your hands and put that responsibility on your cloud provider. But that doesn’t always have to be a bad thing.</p>
<p>If you research cloud providers and find one that takes security seriously and is open to answering questions about your email and data, then odds are their staff will be better able to handle security than a small IT department where the staff wears many different hats.</p>
<p>Cloud providers also have multiple data centers to handle back-up and recovery, as well as multiple layers of security.</p>
<p>Getting the right information when it comes to security can be rather difficult. There are many supposed “experts” who make a great deal of money selling snake oil to companies whether it is in the form of a security solution or education. The key is to read as much as you can and always look for the counterpoints when it comes to finding the best solution. If you spend enough time doing your homework up front, you will spend less time in the future dealing with mistakes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/07/misconceptions-about-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>5 Essential Tips for SMB Email Security</title>
		<link>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/</link>
		<comments>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/#comments</comments>
		<pubDate>Fri, 15 Jul 2011 14:30:09 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[email archiving]]></category>
		<category><![CDATA[email compliance]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4286</guid>
		<description><![CDATA[When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them. [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-4291" style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/07/prospecting-via-email-300x212.jpg" alt="prospecting-via-email" width="300" height="212" />When looking at solutions on securing email, many people don’t take into consideration the type of business environment they work in. All too often, after spending a great amount of time and money, small to medium-sized enterprises find out that what works for a company the size of Bank of America doesn’t quite work for them.</p>
<p>To better help SMBs find solutions scaled to their needs when it comes to email security, I have compiled a list of 5 tips that address the risks and restraints that they face.<span id="more-4286"></span></p>
<p><strong>Get the right solution</strong></p>
<p>Email security can come in any number of packages. Security solutions can be software based, deployed through an appliance or even in a hosted environment. Each type has a variety of advantages, but there may be some disadvantages based on your company size or industry so it is important that you weigh your options carefully.</p>
<p>It is also important to look to solutions that can provide the protection your company needs at a cost that works. Too many times people are under the impression that security appliances are seriously out of reach for most small to medium sized businesses. This isn’t the case. There are many solutions that organizations find affordable and feature rich.</p>
<p><strong>Make content filtering a standard practice</strong></p>
<p>Content filtering needs to be a two-way street. Of course, you want to filter out inappropriate content before it is received by employees, and certain types of attachments need to be blocked to prevent the spread of malware and the exposure of vulnerabilities. However, how often do you consider filtering what leaves your business via email?</p>
<p>Many industries nowadays are highly regulated and sending sensitive, or even financial, information out through email can not only bring compliance issues to your business, but it may also give competitors an edge. Filtering what users send out can be just as important as filtering what they receive when it comes to securing your company’s email.</p>
<p><strong>Practice recovery as well as backup and archiving</strong></p>
<p>Do you brush just half of your teeth? Then why would you only test half of your backup <em>and recovery</em> solution? Many companies find out, only when it is too late, that their backup and recovery solution was not configured properly or that there is some sort of problem.</p>
<p>This can be alleviated by regularly testing the recovery portion of your backup. By simply setting up a server (or virtual server) on which you can replicate your email system, you can frequently test the validity of your backups in a way that will not disrupt your current email process.</p>
<p><strong>Create fair policies that management will enforce</strong></p>
<p>One of the biggest mistakes that SMBs make when it comes to email security is to take an overly aggressive approach. Without the manpower and resources to fine tune security policies, it becomes easier to just restrict anything that could be a perceived threat. This becomes especially true in small IT departments because they are tasked with so many other responsibilities.</p>
<p>When creating policies, it is important to bring other departments to the table so that these policies do not restrict anyone from getting their work done efficiently and effectively. Involving others at the management level also helps them better understand the reasons behind email policies and the ramifications for not following them. Gaining this support will help when it comes time to enforce these policies and discipline those who violate them.</p>
<p><strong>Educate your staff</strong></p>
<p>When it comes to security, it is a common misconception that bigger, state of the art, expensive solutions provide the best protection. Even though this isn’t true, SMBs often feel that they are at a disadvantage when it comes to email security because they cannot afford to deploy such solutions.</p>
<p>What many SMBs don’t see is that they have a distinct advantage over their larger counterparts when it comes to educating end users. When you have a smaller number of employees to train you have the advantage of being able to spend more time with them to make sure they understand the material you are delivering. You also have the opportunity to be readily available to answer questions or address any concerns or issues that your users may have.</p>
<p>Developing a solid training series for email security can also help free up time for IT departments that find themselves tasked with too many responsibilities because users who are informed and educated require less oversight and less attention.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/07/5-essential-tips-for-smb-email-security/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

