Brian Dejno, Systems Security Professional
Since its inception many years ago, email usage has continued to grow and evolve far beyond what was originally envisioned by its creators. It is now common for even the smallest business to host its own email system. As with all areas of business, there are underlying risks involved in using email and in hosting that system internally.
When examining risk from a security perspective, there are three areas that must be addressed: Confidentiality, Integrity, and Availability (or C, I, A). Confidentiality refers to protecting information from being revealed to unauthorized parties. Integrity deals with keeping data accurate and preventing unauthorized modification. Finally, Availability refers to the ability to access data without obstruction or delay. Each risk can affect one or more of these areas. The following sections identify the key areas of risk in email usage, highlight which of the three areas each risk affects, and provide methods to mitigate or reduce the risk level.
Mail Server Varieties
- POP3/IMAP Servers (MDaemon and Exchange) – POP3 and IMAP servers are very versatile servers that are intended to be operated in a trusted environment. These types of servers generally maintain their own account database (excluding Exchange), and thus user accounts and passwords are valid only on the email system itself. The primary vulnerability associated with these server types is that, by default, the authentication process takes place in clear text, i.e., in an unencrypted state. A potential attacker listening on the internal network could sniff the mailbox authentication sessions and capture usernames and passwords, resulting in Account Compromise. This risk can be mitigated by encrypting the entire communications session via Secure Sockets Layer (SSL), similar to the type of secure connection available on the web via HTTPS. It should be noted that once the communications channel is encrypted, the antivirus plug-in will no longer be able to scan incoming emails. Ultimately it is a choice of the lesser of two evils, i.e., which method reduces risk to an acceptable and manageable level.
- RPC (Exchange) – The typical Microsoft Exchange implementation is configured to allow email clients to communicate only via Remote Procedure Call (RPC). RPC communication is a Microsoft proprietary communications session that secures both the authentication and the communications session between the client and the server.
- Web Email (MDaemon, Exchange, Yahoo, etc.) – Web email allows greater flexibility in where you can access mailboxes and send and receive emails. In its generic, non-business form, web email is generally offered as a free service (e.g., Yahoo, Hotmail, Gmail). Allowing access to these email applications can present some level of risk to the organization, as it opens an avenue for non-public or sensitive information to be transmitted outside the organization. Typically this risk can be managed simply through security awareness training, but it could be further mitigated by blocking access to these web sites from inside the network. The second type of web email provides access to an employee's company mailbox. This access could be either internal or external, and in either case it should be protected by an HTTPS session.
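The clear-text POP3/IMAP authentication problem described above can be checked for on your own network by looking at captured mailbox sessions for USER/PASS and LOGIN commands sent before any STLS/STARTTLS upgrade. The following detector is an added example, not code from the original article or from any mail product named here. The one-line-per-segment capture format ("src -> dst:port C|S payload") and the sample log are constructed for the example; a real deployment would feed it from a packet capture or an IDS. Sessions on the TLS-only ports (993/995) and everything after a successful STLS/STARTTLS are skipped, because those bytes are ciphertext and a reading of them would be meaningless.

```python
"""Detect clear-text mailbox logins in a captured POP3/IMAP session log.

Added example, not code from the original article. The input is a
hypothetical, constructed capture summary with one line per segment:
    "<src> -> <dst>:<dport> <C|S> <payload>"
where C is client-to-server and S is server-to-client.
"""
import re
from dataclasses import dataclass
from typing import Optional

CLEARTEXT_PORTS = {110: "POP3", 143: "IMAP"}   # plain unless STLS/STARTTLS is used
RECORD_RE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<dir>[CS]) (?P<payload>.*)$")


@dataclass
class Session:
    proto: str
    username: Optional[str] = None     # POP3: USER seen, PASS not yet
    pending_tls: Optional[str] = None  # POP3: "STLS"; IMAP: tag of the STARTTLS command
    tls_started: bool = False


@dataclass
class Finding:
    proto: str
    src: str
    dst: str
    username: str   # the captured password is deliberately not recorded


def parse_record(line):
    """Return (src, dst, dport, direction, payload) or None for a malformed line."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return (m["src"], m["dst"], int(m["dport"]), m["dir"], m["payload"])


def find_cleartext_logins(lines):
    """Walk the capture and report every login whose credentials crossed the wire in clear."""
    sessions = {}
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src, dst, dport, direction, payload = rec
        if dport not in CLEARTEXT_PORTS:
            continue  # 993/995 are TLS from the first byte; other ports are not mailbox traffic
        sess = sessions.setdefault((src, dst, dport), Session(CLEARTEXT_PORTS[dport]))
        if sess.tls_started:
            continue  # everything after a successful STLS/STARTTLS is ciphertext
        words = payload.split()
        if not words:
            continue
        if sess.proto == "POP3":
            if direction == "C":
                verb = words[0].upper()
                if verb == "USER" and len(words) > 1:
                    sess.username = words[1]
                elif verb == "PASS" and len(words) > 1:
                    findings.append(Finding("POP3", src, dst, sess.username or "?"))
                elif verb == "STLS":
                    sess.pending_tls = "STLS"
            elif sess.pending_tls:          # server reply to STLS: +OK means TLS begins
                sess.tls_started = words[0] == "+OK"
                sess.pending_tls = None
        else:  # IMAP: every client command carries a tag, e.g. "a001 LOGIN user pass"
            if direction == "C" and len(words) >= 2:
                tag, verb = words[0], words[1].upper()
                if verb == "LOGIN" and len(words) >= 4:
                    findings.append(Finding("IMAP", src, dst, words[2]))
                elif verb == "STARTTLS":
                    sess.pending_tls = tag
            elif direction == "S" and sess.pending_tls and len(words) >= 2:
                if words[0] == sess.pending_tls:   # tagged reply; "* ..." untagged lines are ignored
                    sess.tls_started = words[1].upper() == "OK"
                    sess.pending_tls = None
    return findings


SAMPLE_LOG = [  # constructed capture summary; addresses and names are illustrative
    "10.0.0.5 -> 10.0.0.10:110 C USER alice",
    "10.0.0.5 -> 10.0.0.10:110 S +OK",
    "10.0.0.5 -> 10.0.0.10:110 C PASS hunter2",
    "10.0.0.5 -> 10.0.0.10:110 S +OK Logged in",
    "10.0.0.6 -> 10.0.0.10:143 S * OK IMAP4rev1 ready",
    "10.0.0.6 -> 10.0.0.10:143 C a001 STARTTLS",
    "10.0.0.6 -> 10.0.0.10:143 S a001 OK Begin TLS negotiation now",
    "10.0.0.6 -> 10.0.0.10:143 C 16 03 03 00 c8 01 00 00 c4",   # TLS handshake bytes, unreadable
    "10.0.0.7 -> 10.0.0.10:143 C a001 LOGIN bob s3cret",
    "10.0.0.7 -> 10.0.0.10:143 S a001 OK Logged in",
    "10.0.0.8 -> 10.0.0.10:993 C 16 03 03 00 c8 01 00 00 c4",   # IMAPS: encrypted, skipped
]

if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE_LOG):
        print(f"{f.proto} login for '{f.username}' from {f.src} to {f.dst} was sent in clear text")
```

Run against the constructed log, the detector reports alice's POP3 login and bob's IMAP login; the client that upgraded with STARTTLS and the IMAPS client produce nothing. The script only understands USER/PASS and LOGIN; IMAP AUTHENTICATE and POP3 AUTH mechanisms would need their own parsing before a zero-finding result could be read as "no clear-text logins".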
- Malware Entry Point (C, I, A) – The types of malware have changed a lot over the previous years. Today the term encompasses any and all types of malicious software (viruses, worms, Trojans, adware, spyware, etc.), and a messaging system creates an entry point for such software to infiltrate an organization. To control the threat of malware entering an organization, it is recommended that, at a minimum, an organization implement an antivirus solution at the perimeter of the network as well as on the email clients' desktops.
- Server Compromise (C, I, A) – All hosts on the Internet are constantly being scanned and probed for available services and vulnerabilities. To reduce the risk of server compromise, it is recommended that an organization proactively maintain system patch levels and maintain a software assurance program with the software provider to ensure availability of the latest software release.
- Confidential Information Leakage (C) – The risk of information leakage is best managed through an effective employee training program; however, in some cases training is not enough. Most organizations do not have the visibility to know what information is leaving the network. Some organizations may even require confidential information to be exchanged with business partners. In these cases, egress (outbound) content filtering and encryption are the most effective controls to further mitigate this risk.
- Account Compromise (C, I) – Keeping a user's account information confidential is one of the primary concerns with the email authentication process, and understanding this process for the various email systems helps in understanding how to control or mitigate its vulnerabilities. If a user's account is compromised, an attacker could gain access to customer information stored in the mailbox and could possibly spoof emails from the compromised account.
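The egress content filtering control mentioned under Confidential Information Leakage can be made concrete with a small policy hook of the kind a mail gateway would run on every outbound message. The following is an added example, not the article's code and not any gateway product's API. The internal domain (corp.example), the partner domain list (partner.example), the sensitivity rules (Luhn-valid card numbers and a "confidential" marker) and the sample messages are all constructed for illustration. Messages to internal recipients pass; sensitive content addressed only to approved partners is routed for encryption, which is the article's "exchange between business partners" case; sensitive content to any other external recipient is blocked.

```python
"""Outbound (egress) content filter for a mail gateway.

Added example, not code from the original article or any vendor.
Domains, policy rules and messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"            # constructed
PARTNER_DOMAINS = {"partner.example"}       # constructed: may receive sensitive data, encrypted
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits with optional separators
CONFIDENTIAL_RE = re.compile(r"\bconfidential\b", re.IGNORECASE)


def luhn_ok(number):
    """Luhn checksum; filters out phone numbers and other digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return masked card numbers (last four digits kept) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def external_recipients(msg):
    """All To/Cc/Bcc addresses outside the organization's own domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers)
            if addr and domain_of(addr) != INTERNAL_DOMAIN]


def body_text(msg):
    """Concatenate the text/plain parts (attachments would need their own extractors)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def classify_outbound(raw_message):
    """Decide allow / encrypt / block for one outbound message and say why."""
    msg = message_from_string(raw_message)
    external = external_recipients(msg)
    if not external:
        return {"verdict": "allow", "reasons": ["internal recipients only"]}
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append("card numbers: " + ", ".join(cards))
    if CONFIDENTIAL_RE.search(text):
        reasons.append("confidential marker")
    if not reasons:
        return {"verdict": "allow", "reasons": ["no sensitive content found"]}
    if all(domain_of(a) in PARTNER_DOMAINS for a in external):
        return {"verdict": "encrypt", "reasons": reasons}   # hand to the encryption gateway
    return {"verdict": "block", "reasons": reasons}


# Constructed sample messages (RFC 5322 text); 4111 1111 1111 1111 is a well-known test number.
MSG_PARTNER = ("From: alice@corp.example\nTo: bob@partner.example\nSubject: Q3 settlement\n"
               "Content-Type: text/plain; charset=utf-8\n\nCard on file: 4111 1111 1111 1111\n")
MSG_LEAK = ("From: alice@corp.example\nTo: friend@webmail.example\nSubject: fyi\n"
            "Content-Type: text/plain; charset=utf-8\n\nCONFIDENTIAL: merger terms attached.\n")
MSG_INTERNAL = ("From: alice@corp.example\nTo: carol@corp.example\nSubject: refund\n"
                "Content-Type: text/plain; charset=utf-8\n\nCard: 4111 1111 1111 1111\n")
MSG_CLEAN = ("From: alice@corp.example\nTo: vendor@other.example\nSubject: lunch\n"
             "Content-Type: text/plain; charset=utf-8\n\nNoon works, call me on 555-0100.\n")

if __name__ == "__main__":
    for name, raw in [("partner", MSG_PARTNER), ("leak", MSG_LEAK),
                      ("internal", MSG_INTERNAL), ("clean", MSG_CLEAN)]:
        print(name, classify_outbound(raw))
```

The filter inspects only text/plain parts; a production gateway also has to extract text from attachments and archives, which is where most real leakage hides. The Luhn check matters for false positives: the 555-0100 phone number in the clean message never reaches it because the regex requires at least 13 digits, and a 16-digit run that fails the checksum is reported as nothing.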
Email has infiltrated our daily lives and will continue to expand into new areas, making it more accessible and more critical to daily operations. Evaluating your current email system and understanding the risks associated with the technology are the first critical steps in assessing threats and vulnerabilities. Once the risks are identified, policies that govern email usage, perpetual employee awareness training, and additional technical controls can be put in place to mitigate these risks to an acceptable level.