Security Manager's Journal: Move to hosted email opens new vulnerabilities

I took somebody's word for something, and I didn't subsequently check it out to my own satisfaction. Result: big trouble. Lesson: always verify.

Trouble Ticket

At issue: It turns out that corporate email can be forwarded to external accounts.

Action plan: That's not supposed to be allowed, so audit the email system to see if anything else has changed.

I learned that lesson last week, when one of my security analysts notified me that our data loss prevention (DLP) tool had detected an incident involving some source code leakage. When we initially set up our DLP rule for such events, we got a lot of false positives, so we partnered with engineering, which provided us with strings of characters (commented out in the code) that would indicate the leakage of our most sensitive source code -- the algorithmic portions of the code that set our products apart.

The trigger for this particular event was a senior software engineer in India sending a snippet of code from his corporate Microsoft Exchange email account to his personal Gmail account. When confronted, the engineer told us that he had set up a rule to auto-forward all of his corporate email to his personal account. He did this, he said, because he hadn't been issued a corporate laptop and he wanted to work from home.

There were other options, but he didn't know about them. He was unaware, for example, that he could access his corporate email from home via Outlook Web Access (OWA), or that he could access some applications via the corporate clientless SSL VPN portal.

Tip of the Iceberg?

This was all interesting, but it raised a question: Why was it even possible to auto-forward to an external account?

And now to my failure to verify. We recently migrated from an on-premises Microsoft Exchange environment to Microsoft's Office 365 hosted Exchange. During the architecture review, I was assured that all of our security settings, including the one preventing auto-forwarding, would migrate to the hosted environment. So much for assurances. Now I was worried. Email is probably our No. 1 repository of sensitive data, including sales forecasts, customer and personnel data, prerelease financial information and, of course, source code.

To rectify the oversight, I initiated an audit of the Office 365 deployment, and we uncovered several other configuration differences from the previous Exchange deployment. For one thing, the deployment was supporting POP and IMAP, enabling employees to use third-party email clients and apps that could give them email access from mobile devices while bypassing Microsoft ActiveSync and the security policy that we apply to mobile devices to enforce the use of device passwords, enable device timeout and support remote wiping.
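The audit described above can be scripted rather than clicked through. The following PowerShell is an added example, not the column author's or Microsoft's own tooling. It assumes an already-established remote PowerShell session to Exchange Online (Office 365) and a constructed list of internal domains; it uses the standard Exchange cmdlets Get-RemoteDomain, Get-Mailbox, Get-InboxRule and Get-CASMailbox, reports on both kinds of configuration drift the column found, and leaves the remediation lines commented out so nothing changes until the findings have been reviewed.

```powershell
# Added example: audit an Exchange Online tenant for the two settings that had
# drifted during the migration (external auto-forwarding and POP/IMAP access).
# Assumes an existing remote PowerShell session to Exchange Online; read-only
# until the commented-out remediation lines at the end are enabled.

# Constructed list of domains that count as internal; anything else is external.
$internalDomains = @('example.com', 'corp.example.com')

function Test-ExternalTarget {
    # Returns $true when a forwarding target resolves to a non-internal domain.
    # Targets arrive in several shapes ("smtp:user@x", '"Name" [SMTP:user@x]',
    # or a plain address), so extract the first e-mail address with a regex.
    param([string]$Target)
    $m = [regex]::Match([string]$Target, '[\w.+-]+@([\w.-]+)')
    if (-not $m.Success) { return $false }
    return ($internalDomains -notcontains $m.Groups[1].Value.ToLower())
}

# 1. Tenant-wide switch: the default remote domain controls whether Exchange
#    honours automatic forwards to outside addresses at all.
$remote = Get-RemoteDomain Default
$tenantAllowsAutoForward = $remote.AutoForwardEnabled

# 2. Mailbox-level forwarding (ForwardingSmtpAddress / ForwardingAddress),
#    the kind an admin sets with Set-Mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwards = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $target = if ($_.ForwardingSmtpAddress) { $_.ForwardingSmtpAddress } else { $_.ForwardingAddress }
        [pscustomobject]@{
            Mailbox  = $_.PrimarySmtpAddress
            Target   = $target
            KeepCopy = $_.DeliverToMailboxAndForward
            External = Test-ExternalTarget $target
        }
    }

# 3. User-created inbox rules that forward or redirect: the case in the column.
$ruleForwards = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                External = [bool]($targets | Where-Object { Test-ExternalTarget $_ })
            }
        }
}

# 4. Client protocols that bypass the ActiveSync device policy.
$legacyProtocols = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Name, PopEnabled, ImapEnabled, ActiveSyncEnabled, OWAEnabled

# Summary report for the email team.
"Default remote domain allows auto-forward: $tenantAllowsAutoForward"
"Mailboxes with forwarding set: $(@($mailboxForwards).Count) (external: $(@($mailboxForwards | Where-Object External).Count))"
"Inbox rules that forward/redirect: $(@($ruleForwards).Count) (external: $(@($ruleForwards | Where-Object External).Count))"
"Mailboxes with POP or IMAP enabled: $(@($legacyProtocols).Count)"
$ruleForwards | Where-Object External | Format-Table -AutoSize
$legacyProtocols | Format-Table -AutoSize

# Remediation, deliberately commented out until the findings are reviewed:
# Set-RemoteDomain Default -AutoForwardEnabled $false
# $ruleForwards | Where-Object External | ForEach-Object { Disable-InboxRule -Mailbox $_.Mailbox -Identity $_.Rule -Confirm:$false }
# $legacyProtocols | ForEach-Object { Set-CASMailbox -Identity $_.Name -PopEnabled $false -ImapEnabled $false }
```

Checking the remote domain setting first matters because it is the single switch that would have caught the engineer's rule regardless of how many mailboxes have rules; the per-mailbox and per-rule passes then show who was already forwarding before the switch is flipped, so those users can be pointed at OWA or the SSL VPN portal instead of simply losing access.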

Another discovery was that employees could use the Microsoft Outlook application on any PC, on or off the corporate network. When Exchange was on-premises, the only way a remote user could access corporate email was via VPN. This increase in availability is bad, because once email is pulled down to a client, it remains there, even after the user exits Outlook. Using OWA is preferable, since it's browser-based; once the browser is closed, all email is removed (as long as the user clears the cache and any temp files).

What will help? Mobile device management might, and we hope to deploy that next year. Then there's the use of machine certificates, which can be issued to corporate PCs for validating authorization to access the Outlook client. We could do that while still providing some flexibility related to OWA and mobile devices, via ActiveSync. We've also spoken to Microsoft about this, and we'll be investigating our options with Office 365 a bit further.

One thing's certain: The email team's never-ending list of action items just got a good deal longer.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
