General discussion

  • #2297027

    How do you guarantee e-mail security?


    by debate ·

    Do you agree with Jonathan Yarden that the only way to guarantee e-mail security is to not use e-mail at all? How does your organization approach e-mail security? What protection does it use? Share your comments about guaranteeing e-mail security, as discussed in the Dec. 8 Internet Security Focus e-newsletter.


All Comments

    • #2686502

      E-mail insecurity

      by pinger2k ·

      In reply to How do you guarantee e-mail security?

      I think we all agree that SMTP protocol is inherently insecure. 😉

      But just because email security is not guaranteed doesn’t mean we shouldn’t use it.
      What it means is we shouldn’t use email to communicate sensitive or confidential information.

      If confidentiality of information is important, PGP should be used as Jon suggested.

      However, if the organization is handling confidential information most of the time, it should consider an enterprise version of PGP.

      Just my 0.02 cents.

      • #2686498

        Post card

        by mansonc ·

        In reply to E-mail insecurity

        Email is really as open as using a postcard.
        Would you send confidential business information on one?

        At least the postcard is anonymous and cannot be tracked & intercepted in the postal system, well, not as easily as email can be on the internet.

        • #2686462

          Agreed, the story was VERY appropriate, tho

          by zadok0552 ·

          In reply to Post card

          I am using this story to educate my customers. I can talk and talk, but when it shows up in print, well…

          I believe the author intended for us “security pros” to, once again, inform users that email is not secure. I especially like your post card metaphor. Mind if I use it when describing the problem to my customers?

        • #2684925

          Acceptable Risk

          by govzgeek ·

          In reply to Agreed, the story was VERY appropriate, tho

          After having reviewed the comments up to the time of this message, I believe this is nothing more or less than another case of acceptable risk. Nothing is 100% secure, whether it’s an email, a network, or my ‘ex’ getting ready to go out to dinner. What is the risk you or your customer is willing to take based on resources involved and expected outcome? How many government or corporate networks have NO physical connection to the outside? How many of these are housed within ‘dampened’ rooms? -Can’t really say, but I’ve seen a few. On the other hand, how many systems are ‘plugged-in’ via ADSL or cable modem without ANY firewall or basic security patches in place? -Too many – we’ve all seen our firewall logs and the thousands of hits we take 24/7.

          The driving question is simple: What level of risk is acceptable to you or your users. We all know ANY transmission can eventually be decrypted. We’ve read the horror stories of ‘leaked’ email, subpoenaed email, and stolen data.

          Just like the physician telling you not to eat that Philly cheese steak pizza, smoke that cigarette, or inhale that spray paint; we should inform our customers of the issues; showing how the process of sending, relaying, and receiving email (not too in-depth tho). The better you can explain the situation to people with varying levels of understanding, the better your chances of success.

          Having gone through the technology ‘hierarchy’, I’ve been fortunate to experience it from different levels: -as the young technician warning people of the issues (otherwise known as beating my head against the wall), -as the sage (biting-my-tongue), well-paid consultant coming in (AFTER the fact) to ‘fix’ the disaster (without being able to fix the underlying problem), and finally, -as the director who sets policy based on input from what? -Best Practices of other leading government technology organizations, my peers, and finally (possibly the most important source), -That young technician who thinks they’re beating their head against the wall.

          Great article! I would like to add that ANY email policy should include some aspect of education so the users can understand the rationale. Otherwise, it will continue to be abused/ignored until someone gets caught or security is breached. There’s NOTHING like learning the hard way… remember Melissa.W? I think December 14th, 1999 will be etched in my mind forever (that’s the day my most computer savvy user infected the White House Chief of Staff’s system) and everyone but our legal department called to ask why all their Word documents had been reset to 0 bytes (our legal office insisted on WordPerfect -of course they were safe because Corel wasn’t a target).

          Sorry for the feckless meandering -I guess my adderall wore off. Once again, thanks for all the great inputs! I’ve enjoyed reading them all.

    • #2686495


      by remrose45 ·

      In reply to How do you guarantee e-mail security?

      It is impossible… just to avoid viruses is the same as not using the internet at all.

      • #2684874

        Impossible — I agree

        by anniemae46 ·

        In reply to impossible

        Always have a backup — very simple; sure, that does not solve the problem of data falling into the wrong hands, but it can minimize the damage.
        I agree, we must encourage common sense (how long has WORM.KLEZ been on the top list?!) and effort in keeping systems secure, but we should not back away from efficient communication. If you become a target for someone with time and money they will find a way to access confidential information regardless. What about laws? Could those help to protect us?

    • #2686492

      Confusion on security?

      by dave howe ·

      In reply to How do you guarantee e-mail security?

      The author seems to confuse traffic analysis (and physical security at the endpoints) with message content security.

      On the whole, as a business email user I don’t care if someone knows that company A (a customer) sends me email, or that Company B (a supplier) does the same. The *content* of that message is obviously of high importance, but the traffic is not.

      As a private person, I care a little more about traffic analysis – what business is it of some random observer who I talk to? But for this there are ways and means. I can conceal as much as I need to – for instance, by subscribing to a privacy-protective email service such as Hushmail, or by use of the anonymous remailer network, or simply by (ab)using an open proxy server to relay my TLS mail connection directly to the recipient’s ISP.

      PGP (and indeed, even such lowly packages as the 7-zip compression program) can effectively and cheaply protect content at ridiculous levels of strength – and while it is true that traces may remain at the endpoints if myself or my correspondent are careless, it is *more* likely that one or both of us would insecurely dispose of a paper missive than that the automated (and free!) swap and freespace erasers would fail in such a way as to not remove all trace of deleted mail once the machine is rebooted.

    • #2686480

      E-mail Reality

      by rmcintire ·

      In reply to How do you guarantee e-mail security?

      Although I agree with most of what John Yarden has to say regarding e-mail security, there is one sticking point in his argument – the conclusion.
      To propose a “Don’t use e-mail” approach as a solution to security seems a bit extreme, and in many cases not viable.
      We all know that e-mail is clear text and not very secure. And I’m sure that many are aware of e-mail server log entries and the vulnerability to sniffing anywhere between e-mail point A and point B. And, in an absolute sense, John’s position is correct – if you can’t risk detection of e-mail correspondence, the safe route is to find an alternate means of communication. But, before we go all cloak-and-dagger, let us consider the reality of the situation. Many companies have gone to great lengths and expense to drag their users into the modern world of office communication. It is a world wherein the paper-based memo typed by a secretary has been replaced by an e-mail typed by the manager. It is an enabling paradigm that improves productivity in the workplace. Users have embraced this form of communication and made it their own. And now we say to them, “your communication is not secure”? Now that we have our users on-board, we sink the ship? It appears that we, as IT professionals, are contradicting ourselves, which does little for our credibility.
      If we preach too much security to our users, won’t they hesitate to use e-mail at all? Rather than that, shouldn’t we work toward a more universally secure e-mail transport? Why not just implement currently available e-mail security solutions?

      Although I believe you can never be too vigilant with security, in this case I believe it’s all about the approach. And shouldn’t it be incumbent upon us as IT professionals to provide secure solutions to our users, so that they need not concern themselves with the security of their e-mail communications?

      Robert McIntire

      • #2686449

        Re: Email Reality

        by zadok0552 ·

        In reply to E-mail Reality

        I agree – “…it’s all about the approach.”

        I have agonized about installing encryption in email clients for customers who are “upper level managers.” It is they (managers) who supposedly would have the most sensitive information that could show up in their email. Frankly, I just don’t believe that they are able to handle the change to “secure solutions.” I know of 1 manager out of 5 who would even agree to discuss any changes to his/her email procedure (Yes, one has to be trained on PGP before one can effectively use the encryption.) There is VERY little chance that I could convince one of these busy managers to deploy PGP unless I frightened them by using this story. Even after reading the story, they (the managers) will place encryption so low on the priority list that it will never happen.

        So, I will frighten them on a quarterly basis and hope that, as a result, they will take care to screen their email content before they push the “send” button.

    • #2686469

      Other side of the fence

      by todd ·

      In reply to How do you guarantee e-mail security?

      I can relate to the Article. What John is saying is… we all need to use more common sense when sending e-mails.

      I like the postcard theory… would you be telling your mistress how much you love her if you know the card could easily be read by her husband.. 🙂

      One member suggested using encryption was enough because they did care if one person knew about him talking to other vendors competitors etc…
      Yet I can say I know of “literally” a million dollar deal that was cancelled because it was discovered that a supplier was going to become a vendor also, putting the distribution company in direct competition with their customers. It was an e-mail from a manufacturer left lying around that “let the cat out”.

      I had arguments with superiors, because they print out all emails and file them away. When I asked why they did this, they said it was to cover their backsides. I pointed out that without the email data from the server, it wouldn’t ‘prove’ anything. Anyone could forge a printed e-mail.

      I can say, I even know of lawyers who use public, unsecured internet fax services to transmit contracts and other confidential information to each other.
      (Even after they were warned that said information could be viewed by unauthorized people.)

      While I understand what Jon was saying, I would tell Jon he’s wasting his time. Until someone gets caught using information obtained from the internet and people are shown the potential problems that exist, no one is going to care. They figure their privacy is protected when it’s not.

      • #2686448

        Re: Other side of the fence

        by zadok0552 ·

        In reply to Other side of the fence

        Todd, I think that you have the most realistic (no, not Radio Shack :-)) view of this situation, so far. People just do not want to be bothered with us “geeks” who may appear as though we are just trying to justify new toys and procedures to safe-guard our jobs. I hate to say that, but it seems that is one of the hurdles that we face. I like the fact that the gov’t is now threatening to legislate if the private sector can’t get a handle on security. I’ll wave that in their (managers’) faces and see if I can break through the glaze that goes over their eyes when they have to talk to me about security and maybe spend a couple of bucks.

    • #2686428


      by oz_media ·

      In reply to How do you guarantee e-mail security?

      Yeah I know I rant and rave about GW all the time but that’s because it is awesome!

      I have configured two GW PO’s with 128 bit encryption AND PKI in a python script for select corporate users. In five years, they have not had a single virus (knock on wood), SPAM is VERY minimal and a third party reading mail is made MUCH more difficult through PKI services on a 486 running Python.

      Cost to secure was VERY minimal, software is a little more expensive than Exchange but requires hundreds less maintenance and patch hours each year. Almost a fire and forget.

      As for NOT using email at all, that’s just paranoia. A friend of mine runs a business scanning executive cars and offices for bugs. He gets called to parking lots at all hours to scan a car that’s been parked for a few hours, just to make sure bugs aren’t travelling with the owner. When they get home from a two week excursion, they then have him check their house, phone, fax, internet cabling, electrical system and property for bugs and tracers.

      In 9 years he has actually found less than fifteen bugs, but it is some form of paranoia or peace of mind that keeps them calling for his services. Hey, for less than a $6,000.00 investment in equipment, it sure is a neat niche business.

      Securing email should be done based on the importance of the information secured. If someone hacks MY email and gets my band BS and promo songs, I don’t care, usage is completely copyrighted anyway. If someone retrieves my TR login information or my SHAW login information, I may have a few additional things on my Shaw bill but nothing that will not be rectified with a quick call and certainly not something that will cost me money.

      If someone retrieves MY business information (keeping in mind, I’d never send credit card info or SIN#’s etc by email.) I don’t care, if they are a competitor then they can see that I’m gaining their business, so what?

      In a banking situation, everything is PKI secured anyhow. In military transmission, the military has its own encryption format and authentication system. Plus anything THAT important wouldn’t be sent by email.

      In closing I feel that if you are dumb enough to transmit sensitive information via email, you deserve what you get. Many companies I’ve seen go way overboard in security, who cares how many drapes your company cleaned last week. I think people flatter themselves by adding ridiculous security to email when it is completely not needed and the information isn’t even wanted by anyone anyway.

      Security is relative, the White House has many guards outside, it needs it. How many guards are in front of YOUR property guarding YOUR house? You don’t need guards do you, having the Secret Service monitoring your lawn looks cool and sounds cool but that’s about it, perhaps even a new reason for someone to try and breach you and see WHY you need such security.

    • #2684991

      Good question

      by jimhm ·

      In reply to How do you guarantee e-mail security?

      Well – we have a very strongly supported email policy – we also have content filtering software, where outbound messages are encrypted if need be and sent, or if there are healthcare issues or financial issues.

      Then we dump it into Tumbleweed…

    • #2684924

      You can’t guarantee email security

      by av . ·

      In reply to How do you guarantee e-mail security?

      I am a Net Admin at a law firm. We have an e-mail policy in place that confidential communications should not be done via e-mail. This is especially true for a law firm because of Attorney/Client confidentiality. Faxing is risky too.

      But policies only go so far. There is the element of human error to consider. It’s so easy to click the send button or fax something to the wrong number. I’ve seen it happen many times. Everyone has received misdirected email or faxes.

      The preferred methods for handling confidential or sensitive documents are in-person meeting, by courier, FedEx or plain old certified mail.

      • #2684910

        Policy that matters!

        by silveries ·

        In reply to You can’t guarantee email security

        I agree with John and most of you. But all of us are talking about the drawbacks of the email system/SMTP protocol. But nobody has provided any suggestions for its improvement.

        My suggestion is, with PGP and encryption in place, at most an intruder can only know the FROM:, TO: and SUBJECT: fields. So, if we can do something to hide this information, a few of the security issues will be addressed. These days most email servers support Secure-SMTP. But forcing the email server to use only Secure-SMTP is nearly impossible in the current situation. Still, we can force SSL-enabled communication for the domains which we need. By doing this at least we are sure that the particular email which we wanted to be secure is “SECURED”.

        After all it’s the security policy which matters. Just a thought!
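The per-domain enforcement the post describes (transport encryption required for selected peer domains, opportunistic elsewhere) is easy to get wrong in the failure case: if the remote server does not offer STARTTLS, a "may" policy falls back to clear text while an "encrypt" policy must refuse delivery rather than leak. The block below is an added illustration, not code from the poster or from any mail server; the policy map, the domain names and the `deliver` helper are constructed for the example. The pure decision logic is separated from the network call so it can be checked offline.

```python
import smtplib
import ssl
from email.message import EmailMessage

# Hypothetical outbound TLS policy map keyed by recipient domain (constructed for this example).
#   "encrypt": refuse delivery unless the peer offers STARTTLS and its certificate verifies.
#   "may":     use STARTTLS opportunistically; fall back to clear text if it is not offered.
TLS_POLICY = {
    "partner.example": "encrypt",
    "bank.example": "encrypt",
}
DEFAULT_POLICY = "may"


def policy_for(recipient):
    """Look up the policy for the recipient's domain (case-insensitive)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return TLS_POLICY.get(domain, DEFAULT_POLICY)


def tls_decision(policy, starttls_offered):
    """Decide what to do once EHLO has told us whether STARTTLS is available.

    Returns "tls" (upgrade and verify), "clear" (permitted plaintext fallback)
    or "refuse" (policy demands encryption but the peer cannot provide it).
    """
    if starttls_offered:
        return "tls"
    return "refuse" if policy == "encrypt" else "clear"


def deliver(msg, mx_host, port=25):
    """Deliver one message to the given MX host, enforcing the domain policy.

    The TLS context created by ssl.create_default_context() verifies the
    certificate chain and the hostname, so a man-in-the-middle presenting a
    wrong certificate fails here instead of silently downgrading.
    """
    policy = policy_for(msg["To"])
    with smtplib.SMTP(mx_host, port, timeout=30) as smtp:
        smtp.ehlo()
        action = tls_decision(policy, smtp.has_extn("starttls"))
        if action == "refuse":
            raise RuntimeError(
                f"{mx_host}: policy 'encrypt' for {msg['To']} but STARTTLS not offered"
            )
        if action == "tls":
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # capabilities must be re-read after the TLS upgrade
        smtp.send_message(msg)
        return action


if __name__ == "__main__":
    # Constructed sample message; the MX host below is a placeholder, not a real server.
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "alice@partner.example"
    m["Subject"] = "Quarterly figures"
    m.set_content("(body)")
    print(policy_for(m["To"]), tls_decision(policy_for(m["To"]), starttls_offered=False))
```

The design choice worth noting is that `tls_decision` never lets an "encrypt" domain degrade to clear text; a production MTA expresses the same thing with a policy table (Postfix's `smtp_tls_policy_maps`, for instance), and the "refuse" branch is what stops a stripped STARTTLS advertisement from turning into silent plaintext delivery.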


      • #2684847

        Use “Pull” technology to get confidential Email

        by jimhm ·

        In reply to You can’t guarantee email security

        HIPAA accepts the “Pull” technology for Healthcare and financial information on Email.

        Pull technology (like used in Tumbleweed) – when a confidential message – sends a clear text message to the receiver – that they have a message and provides an obscure http link. The user clicks on that link – logs in with User-ID and password. The link is secured via SSL – the user can print but can not forward or send that message to another email address.

        If the user wishes to send a message back to the sender – they click a secured mail button – the message is created under SSL security – and the same process – is done there as well.

        With Pull technology – there is no need to keep certifications – push plug-ins – or modify an end user’s workstation. There are other Pull technologies out there other than Tumbleweed.

        It works and is government approved – as a method. PGP and other Push – that require certification – once you reach a few thousand will require a larger and larger staff to support. Pull, doesn’t require that staffing – and the ROI is higher…

        Take a long …
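The pull model above has two security properties worth seeing in code: the clear-text notification that travels over SMTP carries nothing but an opaque link, and the confidential body is released only after the recipient authenticates over the portal (HTTPS in practice). The block below is an added toy implementation of that flow, not Tumbleweed's code or anything from the poster; the `PullMailbox` class, the portal URL, the token lifetime and the sample users are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000  # assumption for the example; tune for the deployment


class PullMailbox:
    """Server-side store for a 'pull' secure-messaging portal (hypothetical).

    deposit() keeps the body on the server and returns the clear-text notification
    that the SMTP hop may carry; retrieve() releases the body only for the intended
    recipient, with a valid password, through an unexpired link.
    """

    def __init__(self, base_url, token_ttl=7 * 24 * 3600):
        self.base_url = base_url
        self.token_ttl = token_ttl
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._messages = {}  # opaque token -> message record

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def _check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            # Do the same work for unknown users so timing does not reveal valid names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(cand, digest)

    def deposit(self, sender, recipient, body, now=None):
        """Store the body; return (token, notification). Only the notification is emailed."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy: unguessable, not derived from content
        self._messages[token] = {
            "sender": sender, "recipient": recipient, "body": body, "created": now,
        }
        # The whole clear-text notification: no original subject, no body, no sender name.
        notification = (
            f"To: {recipient}\n"
            f"Subject: You have a secure message\n\n"
            f"A secure message is waiting for you. Sign in to read it:\n"
            f"{self.base_url}/m/{token}\n"
        )
        return token, notification

    def retrieve(self, token, username, password, now=None):
        """Release the body only to the authenticated, intended recipient via a live link."""
        now = time.time() if now is None else now
        rec = self._messages.get(token)
        if rec is None or now - rec["created"] > self.token_ttl:
            raise PermissionError("unknown or expired link")
        # Evaluate both conditions so a wrong recipient cannot be told apart from a wrong password.
        authed = self._check_password(username, password)
        is_recipient = hmac.compare_digest(username.encode(), rec["recipient"].encode())
        if not (authed and is_recipient):
            raise PermissionError("authentication failed")
        return rec["body"]


if __name__ == "__main__":
    # Constructed sample: a clinic deposits a result for a patient who has a portal account.
    box = PullMailbox("https://portal.example")
    box.register("alice@example.org", "correct horse battery")
    token, note = box.deposit("doc@clinic.example", "alice@example.org", "Lab results: normal")
    print(note)
    print(box.retrieve(token, "alice@example.org", "correct horse battery"))
```

What the toy makes visible is the trade the post describes: nothing about the message content crosses SMTP, and no certificate has to be provisioned on the recipient's workstation, but the portal now holds the data and its authentication and link expiry become the controls that matter.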

    • #2684734

      If not E-Mail, then what?

      by gerra ·

      In reply to How do you guarantee e-mail security?

      I thoroughly enjoyed Mr. Yarden’s article on E-Mail Security (or the lack of it), but it brings to mind a question.

      As a person who has not had the opportunity to work on many of the security issues of which he speaks, I wonder what alternatives Mr. Yarden has in mind when suggesting that we stop using E-Mail. I know that that was not the true substance of his article, but I would welcome his views on alternatives in a follow-up article on the subject.



    • #2670630

      Best way to secure email

      by j-jireh ·

      In reply to How do you guarantee e-mail security?

      03004302 82FF6D11 13G01621 G002B396
      31C60D03 G0030200 01208600 140F6E00
      3C6B25G0 024FG002 2A0F6E00 3B6B2500
      34CC6D00 C2FC2586 01A07700 140F6E00
      3C6B25G0 024FG002 2A0F6E00 3B6B2500
      34CC6D00 C2FC2586 4F553D43 4F52502F
      4F3D4252 554E5357 49434B43 4E3D4269
      6C6C2041 76657279 2F4F553D 434F5250
      2F4F3D42 52554E53 5749434B 42560400
      312E3000 42430100 03424101 0030424C
      02007602 4E4E4F00 1B4B11A0 BC2EE3B0
      75C89B99 C0C6F2B4 8AD2D577 8E01D9B0
      23248785 84F7BD65 1286698D 5BD7A896
      A43FC35F 7F64A3BF F1459795 CF054896
      52E618D4 84619AE2 410FD230 64D18B69
      81B2DF0C 1B893345 4E030001 00014D41
      08008CCE 5C9C3877 75077E00 50555253
      4146628B 1AC45507 7A316419 A400ED74
      7065E0E1 3285A9A5 3F1A3CA8 4B23D5B6
      09BDA504 B1D72454 C2B93532 2B06BCE2
      EF890823 791F52D9 39A528A3 F046D136
      4D996325 93B09967 7D8C6920 F557727F
      27425604 00312E30 00424301 00034241
      01003042 4C02G001 024E4E40 00931302
      81D59F1B 85395002 EF6AF9C5 BECBBE5D
      70310092 CF82A4E0 0CB6B296 A0EF8D19
      EF1DCBA5 308B0C7D C175D94E CDB3AA37
      834F5006 38C37739 74C24D48 BA454E03
      00010001 4D410800 9D9QADD5 9427F4A2
      6F005055 52554146 0C1F6E6A 2ABF4623
      A863776D 324ABCBE F291FCB5 BAD11352
      F4BC5539 8DC446ED 2226344D E542E208
      145EB3FC 36D72ADD 216C2600 C9C1CCB6
      E61B2550 8244B79C 31BFD3A2 EBFA5615
      AD23FF94 4D85094

    • #2672821

      Overlooking the obvious

      by saint714 ·

      In reply to How do you guarantee e-mail security?

      … the best way to guarantee e-mail security is to not use e-mail.

      How curious that the simplest solutions always seem to elude us.
