Q&A: E-mail Security Threats and Countermeasures
by Mirko Zorz - Monday, 9 June 2008.
David Vella is the Director of Product Management at GFI with experience in quality assurance, network administration and software development. In this Q&A he provides insight into e-mail security threats.

What are the most significant e-mail security threats and how do you deal with them?

E-mail security threats can be classified into two categories: inbound and outbound. Inbound threats come in the shape of viruses and malware, spyware, attachment spam, spam e-mails that redirect users to phony websites, phishing scams, e-mail exploits and so on. To deal with these threats, companies need to take the following steps:
  • Install anti-spam and anti-phishing software. An effective product will use various technologies to deal with spam and its derivatives such as image spam, MP3 spam, Excel spam and NDR spam, for example.
  • Install anti-virus software at server level and implement strict content filtering policies across the organization. The use of multiple anti-virus engines is recommended.
  • Educate employees on the use of e-mail and how to treat suspicious e-mails. The basic message should be: if you don't know who sent the e-mail and you were not expecting any attachments, don't open it. Getting this message across will reduce the risk that an employee will open a link or divulge information he or she should not give out.
  • Employees should be told not to use their work e-mail address for personal business, to open accounts on social networking sites etc. By restricting the use of work e-mail addresses to business communications, you can lower the risk that corporate e-mail addresses will find their way onto spam lists.
Outbound threats are the result of e-mail being used intentionally or through error to distribute documents and other information that is not intended for public release due to its confidential nature or commercial value.

Companies should not ignore the threat posed by insiders. Data leakage of important and confidential information can occur if an employee mistakenly sends an e-mail to the wrong person, or intentionally e-mails the material to third parties for personal gain or with malicious intent. This threat can be greatly reduced if companies implement content filtering policies that restrict what can be sent out by e-mail.

In your opinion, should we encrypt all business e-mail?

Encryption is but one tool to protect business e-mail. While it will protect the contents of an e-mail from prying eyes and those who are not authorized to review that content, it will not protect the company from insiders sending out confidential material without permission (unless steps to prevent this are already in place). Encryption alone is not the solution.

Besides encryption, what are the essential steps anyone should take in order to make sure their e-mail communication is safe?

Content filtering is a must for companies that want to ensure that all outbound messages do not contain information within the e-mail body or as an attachment that should not be divulged. Companies should install a software product that provides content filtering on two levels.

a) Attachment checking: Attachment checking rules enable administrators to quarantine attachments based on user and file type. For example, all executable attachments can be quarantined for administrator review before they are distributed to the user. It also allows administrators to allow only one department to send out a particular file type. For example, databases can only be e-mailed out by Finance and Management. Any other person sending out a db file will be flagged by the system and the administrator can take appropriate action.
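
The attachment-checking rules described in the answer above, sketched as an added Python example (not part of the interview and not GFI product code). The extension lists, department names and addresses are constructed assumptions.

```python
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumed policy: these extensions, departments and addresses are constructed.
QUARANTINE_ALWAYS = {".exe", ".scr", ".bat", ".com"}   # held for administrator review
RESTRICTED = {".db": {"finance", "management"}}         # file type -> allowed departments
DIRECTORY = {"alice@example.com": "finance", "bob@example.com": "sales"}

def final_extension(filename):
    """Lower-cased last extension, so 'invoice.pdf.exe' and 'LEDGER.DB.' still match."""
    cleaned = (filename or "").strip().rstrip(". ")
    return PurePosixPath(cleaned).suffix.lower()

def check_attachments(msg):
    """Return (filename, action) for every attachment that breaks a rule."""
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    dept = DIRECTORY.get(sender)  # unknown senders have no department
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = final_extension(name)
        if ext in QUARANTINE_ALWAYS:
            # Rule 1: executable types are quarantined whoever sent them.
            findings.append((name, "quarantine"))
        elif ext in RESTRICTED and dept not in RESTRICTED[ext]:
            # Rule 2: restricted types may only leave from the listed departments.
            findings.append((name, "flag"))
    return findings

def build(sender, *filenames):
    """Construct a sample message with dummy attachments (constructed test data)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "partner@example.net"
    msg.set_content("See attached.")
    for fn in filenames:
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg

if __name__ == "__main__":
    for sender, files in [("alice@example.com", ["ledger.db"]),
                          ("Bob <bob@example.com>", ["LEDGER.DB"]),
                          ("alice@example.com", ["invoice.pdf.exe", "notes.txt"])]:
        print(sender, files, "->", check_attachments(build(sender, *files)))
```

Matching on the final extension only is the simplest form of the rule; a file renamed to an allowed extension would pass it, so extension checks are normally paired with content-type inspection.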

