'Utegate' another reason for CIOs to check their e-mail

E-mail is a tool that’s widely used, but also highly abused -- and faking an e-mail message can be as easy as “editing a Word document”

Security experts are warning that CIOs may need to revisit their e-mail security following the recent fracas around the “Utegate” affair.

The affair, which involved a faked e-mail used to discredit the prime minister, opposition leader and treasurer, has highlighted deficiencies in e-mail security, according to Andrew Gordon, senior manager, enterprise and partner, at MessageLabs.

Gordon says CIOs need to first remember that e-mail was originally not written with security in mind and needs to have security actively applied to it.

“When e-mail, and simple mail transfer protocol (SMTP), were created a couple decades ago, it was to promote free communication between academics and within government; it was always ‘simple’ mail transfer, not ‘secure’ mail transfer protocol,” he says.

Eddie Sheehy, CEO at e-discovery software provider Nuix, says from a CIO’s perspective e-mail is a tool that is widely used, but also highly abused.

“When somebody writes an e-mail it is sent from one person, through an e-mail server, and then to another person,” he says. “That e-mail is located in three locations, and possibly more if there is an archiving environment involved. On virtually any one of those locations, the e-mail can be extracted, adapted, then on-sent. The receiver of the adapted e-mail has no reason to know that the e-mail has been changed, and anyone can do this.”

Sheehy says CIOs also need to be mindful that once an e-mail has been deleted, it hasn’t ceased to exist -- it just means that the headers of the file have been removed; the contents of the file are still there.

James Turner, an advisor on security at research firm IBRS, says that the catch with e-mail is that it has become an accepted, and even essential, component of many work flows.

“For example, not long ago a medium-sized Australian organisation got totally burnt by accepting an e-mail order from overseas [as] the payment was a series of credit cards which turned out to be all stolen,” he says. “For most business people, an order coming from an unknown source, via e-mail, for a sizable order should be raising alarm bells. E-mails are easy to fake -- but only to people who don’t know this.”

While many security technologies now exist to better manage e-mail -- transport layer security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME) and Sender Policy Framework (SPF) -- CIOs need to be mindful that faking an e-mail, at least in physical form, can be as easy as editing a Word document, MessageLabs’ Gordon says.

“It’s very simple -- all you need to do is cut and paste Internet header information into a Word document,” he says. “It’s a representation of an e-mail, but when it is printed out there is no real ability to forensically detect whether it is real or not.”

Back in the electronic domain, there is more CIOs can do, Gordon says. Firstly, CIOs need to be mindful of compliance mandates, such as Sarbanes-Oxley, which will dictate whether they need to encrypt or authenticate at the server level all e-mail sent outside the organisation.


Secondly, CIOs need to forget about trying to deliver encryption or authentication down to the desktop level, Gordon says.

“That’s the last thing a CIO wants to do as whether you have 10 or 10,000 machines, every time you have to touch the desktop, it is going to cost you money and IT resources,” he says.

“Educating end-users about the risks helps, but do they really know when to click that authentication or encryption button? You really need to have your IT infrastructure make that decision for them based on pre-defined set of rules.”

To avoid e-mails being sent under someone else’s credentials, CIOs should look to enforce strict lock-down rules for any time a user leaves the vicinity of their own PC, Gordon says. Regularly updating acceptable use policies every 6-12 months also helps.

“On the e-mail side, it’s hard to blame someone for an e-mail they have received, so it’s really when e-mails are sent within and outside the organisation that they should be monitored, especially for data leakage prevention,” he says.

“On the Web side, many organisations have opened up the Web to their users in the last year or so -- particularly for social media use -- but now we are seeing people wanting to lock that down again to reduce bandwidth costs used in streaming media and flash-based video.”

SIDEBAR: MessageLabs’ top 5 tips for protecting business from spoofed e-mail attacks

  1. Consider whether you need to encrypt all e-mail sent between your organisation and your business partners or you need to protect specific e-mails containing sensitive data including social security numbers, key words, or credit card numbers.

  2. Manage your organisation’s e-mail and Web liabilities with clearly written Acceptable Usage Policies supported by comprehensive and policy-based monitoring.

  3. Educate your staff about the risks.

  4. Deploy e-mail authentication technologies.

  5. Adopt a security solution to catch spoof e-mail threats like phishing attacks at the internet before they reach your corporate network.
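As an added illustration (not code from the article or from MessageLabs), the Python sketch below shows what one of the e-mail authentication technologies named earlier, SPF, actually tests when a receiving mail server applies tip 4: it looks up the sender domain's published policy and checks whether the connecting IP address is one the domain has authorised to send on its behalf. Every domain, IP address, SPF record and message here is constructed for the example, and the DNS lookup is replaced by an in-memory table; the evaluator handles only the ip4, ip6 and all mechanisms, so it is a teaching model, not a drop-in checker.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF TXT records standing in for DNS (all domains are hypothetical).
SAMPLE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "partner.example": "v=spf1 ip4:198.51.100.7 ~all",
    "nospf.example": None,  # domain that publishes no SPF record
}

# Map each SPF qualifier to the result it yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def evaluate_spf(domain, sending_ip, dns=SAMPLE_DNS_TXT):
    """Simplified SPF check: does `domain` authorise `sending_ip`?

    Only ip4, ip6 and all are implemented; include, a, mx and redirect
    (which require further DNS lookups) are skipped.
    """
    record = dns.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for qualifier, mechanism, arg in parse_spf(record):
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no trailing "all"


def check_message(raw_message, connecting_ip, dns=SAMPLE_DNS_TXT):
    """Run SPF for a received message and report whether the envelope sender
    domain (Return-Path) matches the From: domain the recipient sees."""
    msg = message_from_string(raw_message)
    envelope_from = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    header_domain = header_from.rpartition("@")[2].lower()
    return {
        "spf": evaluate_spf(envelope_domain, connecting_ip, dns),
        "envelope_domain": envelope_domain,
        "header_domain": header_domain,
        "domains_aligned": envelope_domain == header_domain,
    }


# Constructed sample message: envelope and header domains agree.
SAMPLE_MESSAGE = """Return-Path: <bounces@example.com>
From: "Accounts" <accounts@example.com>
To: cio@corp.example
Subject: Purchase order
Received: from mail.example.com (mail.example.com [192.0.2.25]) by mx.corp.example

Please find the order attached.
"""

# Constructed sample message: SPF passes for the envelope domain, but the
# From: header shows a different domain, which SPF alone does not detect.
MISALIGNED_MESSAGE = """Return-Path: <bounces@partner.example>
From: "Chief Executive" <ceo@corp.example>
To: cio@corp.example
Subject: Urgent payment

Please approve the attached invoice today.
"""

if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE, "192.0.2.25"))
    print(check_message(SAMPLE_MESSAGE, "203.0.113.9"))
    print(check_message(MISALIGNED_MESSAGE, "198.51.100.7"))
```

The `domains_aligned` field is the check a practitioner will want alongside the SPF result: SPF is evaluated against the envelope sender (the SMTP MAIL FROM, recorded as Return-Path), not against the From: header that a reader sees, so an SPF "pass" by itself does not vouch for the visible sender. Alignment between the two domains is the extra condition that DMARC layers on top of SPF.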