E-Mail, Viruses, and The Security Perimeter

February 6, 2012

As technology moves on, E-mail subsystems have become key communication methods that provide not only simple E-mail but also a form of “Work Flow” solution. This can be seen in Lotus Notes, Microsoft Exchange and Novell’s GroupWise, to name but a few. These solutions are commonly known as “GroupWare”.

The objective of GroupWare solutions is to provide Communication, Collaboration and Co-ordination. It is extremely important that the strategy for these solutions is well implemented and fully understood; otherwise, the very nature of such communication abilities effectively enables the distribution of malicious software across the whole enterprise. This unintentional extension and breakdown of security perimeters, and the subsequent compromise of data confidentiality, is an issue that should be most carefully assessed.

Most organisations are currently looking at, or certainly should be looking at, their existing E-mail subsystems. Generally, we have found that even the largest corporations are still utilising small Workgroup-based E-mail Solutions, designed primarily for PC use, typically Microsoft Mail, Lotus CC:Mail, and so on.

These small Workgroup E-mail subsystems are becoming increasingly difficult to monitor and control. Tools do not yet exist that can effectively analyse these proprietary E-mail databases, in terms of their storage, forwarding, and data exchange capabilities between themselves and other E-mail systems or client applications.

Though e-mail is almost universal, keep communicating in person with bosses and clients. Critical attributes, like sincerity and confidence, can be conveyed only through body language and tone. So rely on e-mail for brief memos on non-negotiable topics. For example, if you’re seeking a promotion, use e-mail only to schedule a one-on-one meeting with your boss. Note: e-mail can also be a valuable tool in documenting vital correspondence.

The Threats

E-mail/GroupWare is an inherently complex environment that combines client/server technology, mobile users, heterogeneous networking, and electronic messaging between disparate messaging subsystems, all across LANs/WANs and the Internet. The impact of a virus in a corporate environment is damaging enough, but the impact of a virus or other malicious object sent from our system to one of our customers could obviously be quite devastating.

The threat of virus and malicious software compromises in small Workgroup E-mail subsystems is largely ignored until such time as an incident actually occurs. If the issue has been addressed at all, then generally the detection mechanism is installed only at the receiving desktop, which is somewhat akin to an “after the horse has bolted” approach. By that point, potentially, the whole organisation has already been compromised.

Needless to say, an attack can take many forms, from E-mail containing Trojan Horses to E-mail with infected file attachments, executables, or documents with macro viruses or embedded malicious objects. The exact nature of the threat should always be identified before a solution is specified.

E-mail / Groupware Security Strategies

To address the complex tasks involved in protecting E-mail/Groupware environments, we must first define the E-mail business requirements, ascertain the risks, threats and vulnerabilities, and build an appropriate security policy. We should then design an E-mail data flow that ensures all aspects of security are catered for: confidentiality, integrity and availability, terms which of course encompass the detection and countering of threats not only at the data centre, but also at the electronic front door. This ensures not only a reduction in security incidents but, just as importantly, containment of such incidents, thus enabling effective and rapid response and recovery.

In policy terms, the simplest form of prevention would be to not allow the use, or the means of introduction, of a virus threat in the first place. Obviously this is a somewhat idealistic approach, but as a strategy statement it should stand, and from such principles a useful and plausible policy could be assembled. With a sound and well thought out design for data flow, and the use of Anti-Virus techniques at the gateway, we could ensure not only significant risk reduction, but could also prevent such vulnerabilities from compromising LAN security in the first place.
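As an added illustration, not code from the original post, of placing detection at the gateway rather than at the receiving desktop, the following Python sketch inspects the leading bytes of every attachment before a message is delivered, so that a renamed executable is caught regardless of its filename or declared type. The signature table, the verdict rule and the constructed sample message are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Magic-byte signatures for two carriers the post names: PE executables and
# OLE2 compound documents (legacy Office files that can hold macros).
# This table is an assumption for the example, not an exhaustive list.
SIGNATURES = {
    b"MZ": "pe-executable",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-compound-document",
}

def classify(data: bytes) -> str:
    """Classify content by its leading bytes, never by filename or MIME type."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return "other"

def gateway_verdict(raw: bytes) -> dict:
    """Inspect every attachment of one message at the gateway and decide
    whether it may pass to the desktop. Returns per-attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": part.get_filename(),
            "declared": part.get_content_type(),  # what the sender claims
            "actual": classify(payload),          # what the bytes say
        })
    # Assumed policy: any executable or macro-capable document is quarantined.
    block = any(f["actual"] != "other" for f in findings)
    return {"action": "quarantine" if block else "deliver", "attachments": findings}

def build_sample() -> bytes:
    """Constructed sample: an executable renamed as a PDF plus a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment("just text\n", filename="notes.txt")
    return bytes(msg)
```

Run `gateway_verdict(build_sample())` to see the mismatch between the declared `application/pdf` type and the actual `pe-executable` content, which is exactly what a desktop-only scanner would see too late.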

One definition of security could be to close the door on the threat, preventing it altogether. Another, possibly more realistic, definition would be to ensure that if security has been breached, then at least the damage is immediately detected and summarily contained. This follows the formal procedures of Security Perimeter Establishment and Incident Containment.

With any security definition we must first recognise every entry point into our system. Once this has been achieved we can define security perimeters, after which incident containment can be achieved. The analysis of data flow is key to understanding how to contain an incident and where to strategically place security tools, be they for prevention, detection or eradication.

Provision and Recommendations

The way forward would be to conduct a formal site survey and risk analysis of the existing E-mail Infrastructure, including all Internal Post Offices (PO), external LAN/WAN PO replications, PO proprietary gateways, remote user connections and external Internet connections.

Such analysis would identify existing security perimeters and identify all risks and vulnerabilities, thus enabling us to document pertinent sections of existing Security Policy documentation, and design a more effective hierarchical security perimeter.

Once the security perimeters and the data flow are in a workable and manageable format, it will be possible to design the E-mail/IP gateway detection, prevention and eradication strategies, and to place these tools tactically within the E-mail infrastructure.

As a final note, such a site survey and organisation-wide risk analysis would require full support from all departments and individuals involved in the control, management and purchase of our parochial E-mail systems, not to mention support from audit and higher management. But perhaps most significantly, it would also require a recognition of the need to address E-mail security in the first place, and a “champion” or appointed security officer, vested with sufficient authority to present and follow through the initiative internally.