WHITE PAPER
Email security

This white paper provides useful background information on email security issues. It will help you examine the security threats facing your corporate email system and determine what kind of email security solution your company needs.




Corporate email: A mission-critical application

Email is well-established as a prime means of communication for business purposes that is quicker and cheaper than more traditional methods. Yet it brings with it the necessity to make one's corporate messaging system as secure as possible.

Email-related threats to network security

A variety of different elements weaken your corporate email system and while some are widely known - such as email viruses - others tend to be ignored. Emails carrying offensive messages or confidential corporate information can create immense inconvenience and expense for a company that has not equipped its mail server with the appropriate tools. The same goes for spammers who use the email system at work to send thousands of unsolicited email messages. And what about the vast damage and time-loss caused by email viruses, which seem are making ever more frequent appearances these days?

Some companies lull themselves into a false sense of security upon installing a firewall. This is a wise step to protect their intranet, but it is not enough: Firewalls prevent network access by unauthorized users. But they do not check the content of mail being sent and received by those authorized to use the system, for instance. More targeted measures are needed to counteract this and other security loopholes in a corporate network.

The threat of information leaks
Organizations often fail to acknowledge that there is a greater risk of crucial data being stolen from within the company rather than from outside.

Various studies have shown how employees use email to send out confidential corporate information. Be it because they are disgruntled and revengeful, or because they fail to realize the potentially harmful impact of such a practice, employees use email to share sensitive data that was officially intended to remain in-house.

FBI statistics, for example, reveal that among Fortune 500 companies, most data thefts in 1998 were by internal users. Again, research results carried in PC Week in March 1999 report that, out of 800 workers surveyed, 21-31% admitted to sending confidential information - like financial or product data - to recipients outside the company by email. Ten per cent of those surveyed disclosed that they had received email containing company-confidential information.

The threat of emails containing malicious or offensive content
Emails carrying sensitive information, or unsolicited mail messages sent out by corporate users are not the only problem a company has to tackle with regard to employees' email use. Emails sent by staff containing racist, sexist or other offensive material could prove equally troublesome, not to mention embarrassing - and expensive!

This factor hit the headlines during the much-publicized antitrust case against Microsoft Corp., when the US government presented as evidence the contents of emails written by top Microsoft executives describing plans to topple competitors. On a similar note, Chevron recently had to pay $2.2 million to settle a lawsuit resulting from an email message bearing sexist contents.

Under British law, employers are held responsible for emails written by employees in the course of their employment, whether or not the employer consented to the mail. The insurance company Norwich Union was asked to pay $450,000 in an out-of-court settlement as a result of emailed comments relating to competition.

Besides, offensive emails can cause considerable damage to the work environment simply by generating an unpleasant, hostile or unprofessional atmosphere.

The threat of viruses
Viruses are a major email security hazard that companies simply cannot afford to ignore. Over 11,000 different computer viruses exist to date and some 300 new ones are created each month. Their effects range from negligible to bothersome to destructive.

The extent of the problem is so great that today many companies have even begun to prohibit the use of email attachments, as this is where viruses are often embedded. Unless forewarned, users are generally unaware that they have received a virus until they open the infected attachment. By this time, it is too late: the virus is activated and starts to take over, completely infecting the hard drive and the messaging network.

The danger of viruses transmitted through macros, another common form of virus transmission, is that they allow the user to continue working and sharing documents. This way, the virus spreads faster, infecting more and more users. One such macro virus, known as Melissa, reared its ugly head on March 26, 1999. Melissa forced organizations the world over - among them Microsoft and Intel - to suspend all email transactions. This may well have been an effective response to the new viral onslaught, when timely action was taken - but it also signified incalculable productivity loss, despite stemming data loss. As a result, Melissa left a huge dent in corporate coffers: "It is responsible for millions of dollars worth of damage", an April 1999 issue of InfoWorld reported.

Other fiercely destructive viruses followed fast on Melissa's trail, such as the Chernobyl (CIH) virus and the Explore Worm, both of which wipe out files, resulting in data loss. Again, companies like Microsoft, Intel, Boeing and Forrester Research were reported in the press as having shut down their mail servers when hit by the Explore Worm outbreak in June 1999. And, as if all this were not enough, anti-virus researchers predict that more damaging email viruses are yet to come.

The threat of spam
About 90 per cent of email users receive spam - or unsolicited commercial mail - at least once a week, a survey conducted by the Gartner Group shows. The research results, issued in June 1999, revealed that almost half those surveyed were spammed six or more times a week. The study surveyed 13,000 email users.

Although the U.S. Congress and state legislatures are seeking to ban spam, and the Federal Trade Commission sues spammers whose junk mail deceives consumers, unwanted mail is on the increase.

As well as consuming bandwidth and slowing down email systems, spam is a frustrating time-waster, forcing employees to sift through and delete mounds of junk mail. It also proves irritating and offensive to recipients who feel their privacy has been invaded. However, there is a third aspect to spam: it constitutes a security hazard.

Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unwitting organization. Virgin Net recently underwent such an experience when one of its subscribers apparently used its network to send out 250,000 junk messages. As a result of this individual's actions, Virgin Net was put onto the Real-time Blackhole List (RBL), an undesirable listing which leads other ISPs to reject mail coming from that company.

Protecting against security breaches

Corporate security policy
The security menaces are many, but effective solutions do exist. The first step to enhance security recommended by cyber-security consultants is the formulation of a corporate email policy document. This is used to inform all members of the organization which messaging practices are deemed unacceptable.

Without being overly restrictive, such documents should provide guidelines and procedures to be followed by employees in their use of email at the workplace. Examples of the kinds of email messages that could prove detrimental to the organization should be supplied. The overriding point to be emphasized is that by adopting this policy, the company and its staff stand to gain by benefiting from messaging security that is as watertight as possible.

Next, the organization must acquire new security tools to help enforce these regulations, informing all users that this measure is being taken.

Security software
Corporations may choose from a selection of email security packages. Some solutions are created to tackle a particular menace alone while others contain a convenient bundle of tools to deal with the various hazards. It is up to each organization to select the software that best suits their needs.

As always, price is bound to be one of the determining factors in making the right choice. Another essential characteristic to seek is a product that is as transparent to the user as possible. A package that installs on the existing corporate email system and is easy to use means that a company can enjoy the security benefits offered immediately upon installation. This section examines the different email security features available on the market, either separately or as part of a solution.

Preventing information leaks
A content checking tool is a must to prevent users from sending out confidential or sensitive corporate information via email. This tool automatically scans the contents of each message being mailed.

To be effectual, this tool should link to a quarantining feature that isolates emails with suspect content and prevents them from being sent unless an authorized person within the organization has approved the message.

Content checking
Likewise, a content screening tool is necessary to prevent corporate users from sending or receiving malicious, offensive, or inappropriate emails. This should be coupled with a tried and tested quarantining feature that bars emails with suspect content from being sent or received unless an authorized person within the organization has approved the message first. (For more information, please see Protecting your network against email threats: How to block email viruses and attacks.)

Combating viruses
A reliable virus scanner screens all incoming and outbound messages and attachments for email viruses and worms.

Of course, it is not enough for a package to detect a virus. A good security tool must be able to block the infected documents or clean them before the email reaches the addressee. Additionally, the anti-virus solution should notify the recipient and/or network administrator of the email-borne virus. This way, viruses are stopped in their tracks before they do any harm and senders can be alerted that their systems are infected.

Eliminating spam
An efficient anti-spam tool will pick up words and phrases that usually appear in unsolicited commercial emails and block the unwanted message from entering the system. While preventing inconvenience to recipients, this saves the corporation time that employees would otherwise have wasted reading and deleting junk mail - paid work time that could be better applied.

Advanced anti-spam features include the detection of incorrect 'From' headers and addresses in the email body, typical spam practices, as well as the facility to be programmed to block emails containing any phrases the company chooses. Another essential ingredient is the ability to prevent spammers from using the corporate system to send out vast quantities of mail, a practice known as mail relaying.

Also effective against spam is a quarantining feature that deters email messages with dubious content from going through. This feature acts as a kind of clearinghouse, allowing an authorized person to approve the filtered messages before they are sent or received.

A powerful solution that arms your Exchange Server 2000

GFI MailSecurity for Exchange/SMTP
Your only true defence is to install a comprehensive email security solution to safeguard your mail server and network. GFI MailSecurity for Exchange/SMTP provides email content checking, exploit detection and anti-virus for Exchange/SMTP. it can be deployed at the gateway level, or at information store level (based on the Exchange 2000 VS API).

Key features include: Multiple virus engines - Don't depend on 1 only; Email content & attachment checking - Quarantine dangerous emails; Exploit shield - Email intrusion detection & defence; Email threats engine - Analyses & defuses HTML scripts, .exe files & more. Other features include:

  • Automatic removal of HTML scripts
  • Automatic quarantining of Microsoft Word documents with macros
  • Detects attachment extension hiding
  • Rules-based configuration
  • Apply rules to AD users or groups
  • Approve/reject quarantined mail using the moderator client/email client/public folders
  • Lexical analysis
  • Seamless integration with Exchange Server 2000 through VS API
  • Anti-spam (gateway version)
  • Great value

An evaluation version can be downloaded from: http://www.gfi.com/mesindex.htm

About GFI

GFI has six offices in the US, UK, Germany, France, Australia and Malta, and has a worldwide network of distributors. GFI is the developer of FAXmaker, Mail essentials, GFI MailSecurity and LANguard, and has supplied applications to clients such as Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion 2000 (GEM) Packaged Application Partner of the Year award.

For more information
Please email sales@gfi.com or contact one of the GFI offices.


© 2002 GFI Software Ltd. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. FAXmaker, Mail essentials, GFI MailSecurity and LANguard and the FAXmaker, Mail essentials, GFI MailSecurity and LANguard logos and the GFI logo are either registered trademarks or trademarks of GFI Software Ltd. in the United States and/or other countries. Microsoft, Exchange Server, VS API, Word, and Windows NT/2000/XP are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product or company names mentioned herein may be the trademarks of their respective owners. GFI. http://www.gfi.com info@gfi.com 1-888-2GFIFAX / +44 (0) 870 770 5370

back to top