SMBs face a plethora of challenges in securing email, most of which go unrecognized by management. VARs and consultants involved with SMBs are faced with solving these security issues, while educating management as to the need for the solutions supplied.
 |
| Email Security Project Guide |
| Find more tips and strategies for securing your customer's email systems in our Email Security Project Guide, designed specifically for channel professionals. |
|
|
|
|
The problem originates with management's lack of knowledge about the true threat model that must be applied to email. They may see spam showing up in their employee's inboxes and consider that to be the only problem. The threats, both internal and external, may well be unrecognized. Let's identify the basic threat taxonomy, which you can then use when selling email security projects.
External threats include spam, spoofing/phishing and man-in-the-middle (MITM) attacks. Spam can be dealt with by denial of delivery (quaranting messages on a local server) until verified. The verification process usually involves comparing the derived signature of the email against a blacklist, which may be supplied by a trusted third party. An email appliance/firewall can perform this sort of service, including the local quarantine.
Spoofing may not be as simple to eliminate. Spoofing a sender (also done in MITM) may be detected if the sender uses DomainKeys Identified Mail, which has an encrypted header before the message. But not all domains use this feature. Spoofing is usually teamed with a phishing effort that redirects a link in a message to an attacking site. While a security hygiene regimen might include checking all outbound links for consistency, this is less likely to happen in an SMB. Consultants might wish to implement the automatic checking of outbound http requests from within an email, so that at the very least a log of the true target may be obtained.
MITM can be similar to a phishing effort, but usually does not include a simple re-direct link. In MITM, all of the content – including headers -- of the email can be bogus (though somewhat based on the original sender's message). The reply-to header may be a mis-direct, for example, so that the attacker gets the replies. Again, header analysis may be a consultant's choice here as a method of mitigation.
Internal threats can be as damaging as any external one. Consultants must analyze how a customer conducts business in order to identify its unique internal threats. Weak email passwords that can be easily broken or parsed may be one such threat. Passwords should be strong and changed regularly, and the method for informing end-users of those changes be carefully constructed so as not to be compromised.
One threat that must always be considered is the subversion of an IT employee. Especially in SMBs, IT staff members may be underpaid and overworked; and thus amenable to monetary lures from competitors. Who better to send copies of a company's emails to a competitor than an IT person? The solution a consultant may consider to this problem is end-to-end encryption for sensitive documents, sent through a VPN. That way, should a sensitive email be intercepted and resent—by anyone in the transit chain—it won't provide any useful information. This kind of approach is best suited to management level employees who routinely discuss sensitive business matters.
Email is not just text transmissions any more. It is the flow of information that supports and makes a business possible. A VAR or consultant has to appreciate this reality, and make sure their customers do, too.
About the author
Larry Loeb has been online since the world revolved around {!decvax}. He's been in many of last century's dead tree magazines about computers, having been a Consulting Editor to the late, lamented BYTE magazine, among other things. You can reach him at larryloeb@larryloeb.com.
