Security experts are warning that CIOs may need to revisit their e-mail security following the recent fracas around the “Utegate” affair.
The affair, which involved a faked e-mail used to discredit the prime minister, opposition leader and treasurer, has highlighted deficiencies in e-mail security, according to Andrew Gordon, senior manager, enterprise and partner, at MessageLabs.
Gordon says CIOs need to first remember that e-mail was originally not written with security in mind and needs to have security actively applied to it.
“When e-mail, and simple mail transfer protocol (SMTP), were created a couple decades ago, it was to promote free communication between academics and within government; it was always ‘simple’ mail transfer, not ‘secure’ mail transfer protocol,” he says.
Eddie Sheehy, CEO at e-discovery software provider Nuix, says from a CIO’s perspective e-mail is a tool that is widely used, but also highly abused.
“When somebody writes an e-mail it is sent from one person, through an e-mail server, and then to another person,” he says. “That e-mail is located in three locations, and possibly more if there is an archiving environment involved. On virtually any one of those locations, the e-mail can be extracted, adapted, then on-sent. The receiver of the adapted e-mail has no reason to know that the e-mail has been changed, and anyone can do this.”
Sheehy says CIOs also need to be mindful that once an e-mail has been deleted, it hasn’t ceased to exist -- it just means that the headers of the file have been removed; the contents of the file are still there.
James Turner, an advisor on security at research firm IBRS, says that the catch with e-mail is that it has become an accepted, and even essential, component of many work flows.
“For example, not long ago a medium sized Australian organisation got totally burnt by accepting an e-mail order from overseas [as] the payment was a series of credit cards which turned out to be all stolen,” he says. “For most business people, an order coming from an unknown source, via e-mail, for a sizable order should be raising alarm bells. E-mails are easy to fake -- but only to people who don’t know this.”
While many security technologies now exist to better manage e-mail -- Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME) and Sender Policy Framework (SPF) -- CIOs need to be mindful that faking an e-mail, at least in physical form, can be as easy as editing a Word document, MessageLabs’ Gordon says.
“It’s very simple -- all you need to do is cut and paste Internet header information into a word document,” he says. “It’s a representation of an e-mail, but when it is printed out there is no real ability to forensically detect whether it is real or not.”
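To make the SPF check mentioned above concrete from the receiving side, here is an added example (not code from the article or from any vendor quoted in it) that evaluates a domain’s published SPF policy against the IP address that actually delivered the message. The DNS TXT records are constructed stand-ins for a real lookup, and only the ip4, ip6 and all mechanisms are handled; include, a and mx would require further DNS resolution.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption:
# production code would query the sending domain's TXT record instead).
CONSTRUCTED_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.org": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all mechanisms of an SPF record against the
    connecting IP. Returns 'pass', 'fail', 'softfail', 'neutral', 'none'
    or 'permerror'. Simplified: include/a/mx/redirect are not resolved."""
    if not record.lower().startswith("v=spf1"):
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"  # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]  # catch-all mechanism always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed policy: treat as an error
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        # other mechanisms (include, a, mx, exists) are skipped here
    return "neutral"  # no mechanism matched and no 'all' term present


def check_sender(domain: str, sender_ip: str) -> str:
    """Look up the domain's (constructed) policy and evaluate it."""
    record = CONSTRUCTED_DNS.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF policy
    return evaluate_spf(record, sender_ip)


if __name__ == "__main__":
    print(check_sender("example.com", "192.0.2.77"))    # pass
    print(check_sender("example.com", "203.0.113.5"))   # fail
```

A 'fail' or 'softfail' result is a signal for the receiving gateway to quarantine or flag, not proof of forgery on its own; SPF says nothing about the message body, which is where S/MIME signing adds integrity.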
Back in the electronic domain, there is more CIOs can do, Gordon says. Firstly, CIOs need to be mindful of compliance mandates, such as Sarbanes-Oxley, which will dictate whether they need to encrypt or authenticate at the server level all e-mail sent outside the organisation.