By Simon Heron
It has been a problem we have had for a while: how to make email more secure. It is definitely something that continues to be a discussion point and so it should be. The information that is sent across the Internet is increasingly of a sensitive nature.
Currently, people rely on obscurity to keep their data safe. But with progressively more intelligent search engines available (www.autonomy.com springs to mind) that can churn through vast amounts of data -- let alone email -- and make sense of it, it is something that needs to be addressed.
We are seeing encryption being provided already in client-side solutions like S/MIME and PGP, but these rely on individual users to manage it. As any IT manager will tell you, this is far from perfect. Some cloud producers like Mimecast and Webroot are now building this into their proprietary systems. This is great for their users and their correspondents, but requires the end user to decide what to encrypt.
However, another approach is to let the gateway device encrypt what it can. So by using STARTTLS, for instance, this is already possible and an increasing number of MTAs support this. Using opportunistic encryption, STARTTLS-enabled devices can make an encrypted connection if the remote end is set up to accept it.
The problem, as ever, is getting everybody to adopt it. Anecdotal data suggests that anywhere from 20% to 60% of email servers are capable of implementing this: so one-fifth of all email could be sent encrypted over the Internet if people chose to implement it.
So the question is, why don't we? I tend to believe that the reason is that we have gotten used to unencrypted email. It is the dead body in the room -- at first it was a concern, but we have gotten used to the smell now and we just naturally avoid it.
Really, STARTTLS is easy to implement, but how do you fit it into your day? If you have a managed service you can just delegate and get on with your real work; it is not so easy if you have to bone up on it and then deploy it yourself.
Once a certificate has been purchased, which requires a yearly subscription, it's pretty much free if you have the right software implementation, and if it is opportunistic then you only gain when a remote end is capable of it.
It should be mentioned that while the destination is effectively authenticated by the TLS certificate, the author is not.
So it is not a solution to spam, hoaxes or the like -- but just being able to know that your email is more secure across the Internet should be a huge motivator.
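The opportunistic decision described above, sketched as an added example (not code from the article or from any MTA): the sending gateway reads the peer's EHLO reply and upgrades only if STARTTLS is advertised. The sample replies, the `X-NOSTARTTLS` keyword and the `require_tls` switch are constructed assumptions for illustration.

```python
# Constructed EHLO replies for illustration (not captured from real servers).
TLS_PEER = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-starttls\r\n"            # keywords are case-insensitive
    "250 8BITMIME\r\n"
)
PLAIN_PEER = (
    "250-mx.example.org\r\n"
    "250-X-NOSTARTTLS\r\n"        # made-up keyword: a substring test would misfire
    "250 HELP\r\n"
)


def ehlo_extensions(reply):
    """Return the upper-cased extension keywords from a multi-line EHLO reply."""
    lines = reply.strip().splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = set()
    for index, line in enumerate(lines):
        # Continuation lines start "250-"; the final line starts "250 ".
        separator = " " if index == len(lines) - 1 else "-"
        if line[:4] != "250" + separator:
            raise ValueError("unexpected EHLO line: %r" % line)
        if index == 0:
            continue  # first line is the server's domain and greeting
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def choose_transport(reply, require_tls=False):
    """Pick 'starttls', 'plaintext' or 'defer' for one delivery attempt.

    require_tls is a hypothetical per-destination policy switch: False is the
    opportunistic behaviour from the article, True refuses to fall back.
    """
    if "STARTTLS" in ehlo_extensions(reply):
        return "starttls"
    return "defer" if require_tls else "plaintext"


if __name__ == "__main__":
    for name, reply in (("TLS_PEER", TLS_PEER), ("PLAIN_PEER", PLAIN_PEER)):
        print(name, sorted(ehlo_extensions(reply)), choose_transport(reply))
```

In opportunistic mode the fallback to plaintext is silent, so a gateway should log the transport chosen for each delivery if you want to measure how much mail actually goes out encrypted.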
Don't Block IM -- Control It
We've just released the latest in our 'securing social media' series of guides for IT managers, this time on how to secure instant messaging (IM) services. We are often asked by IT managers whether they should ban IM completely.
It's pretty hard to do that these days, given the number of businesses using platforms like Skype, which have built-in IM functions, or who use Facebook (also with built-in IM) or other chat services to contact customers or remote workers.
Securing IM is actually pretty simple, and doesn't have to cost the earth.
The biggest threat (as with so many things) is from employees clicking on malware-infected Web links, shared over IM.
The most important things IT managers can do to reduce the risk are:
- Control which IM platform employees can use and make sure they update it when new releases are available -- they often include security updates.
- Set user guidelines and educate employees about the risks, such as never clicking on links, controlling who's on your contact list, logging off at the end of a session and not sharing personal details.
- Keep security (anti-virus and firewalls) updated to protect against the inevitable times when an employee will inadvertently click on a bad link.
- Set your security to secure all outgoing communications, including IM, as well as incoming communications. If you just block an application, it will often find a way through a firewall -- either using 'tunneling' software, or by searching through all available ports until it finds one open. If you configure firewalls to block all outbound connections except those to secure proxies, this forces all Web access (including IM) through a gateway security system.
IM is too widely used for companies to ignore it these days. I hope that the guide will be useful -- we welcome feedback on it, and the others in the series.
Copyright © 2008 To Present - Information-Security-Resources.com
Simon Heron is an Internet security analyst with Network Box (UK) Ltd, a unified threat management company.