No Best Practices Here

For the two decades that I have worked in email security as an IT analyst, system administrator, solutions consultant, and sales engineer, I have always felt like I was fighting a losing battle. Email security issues are only addressed after they have negatively impacted an organization. Why wouldn’t an organization want to spend money proactively on a solution instead of wasting money fighting fires after the problems have already occurred? It has always been a matter of action and reaction rather than planning ahead and implementing. I really shouldn’t be complaining, because all these security issues have kept me gainfully employed for many years, but complain I must. I wanted to rant because there are so many common-sense things that can be done to improve email deployments that are simply not being adopted as best practices.

If a company were to deploy reputation filtering, it could eliminate 80-90% of all inbound traffic at the connection level with no false positives. Why would any gateway accept email from known spamming networks in the first place? Most gateways could deny all email from DHCP addresses if they had the IP ranges available. ISPs could block all outbound port 25 traffic from dynamic clients if they chose to do so; many ISPs have already done this to prevent botnet attacks from being initiated from their networks. Rather than putting the responsibility on the receiving gateways, we should push outbound spam blocking back to the ISPs and to the countries that are responsible for sending the spam in the first place.
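The two connection-time policies described above, a DNS-based reputation (DNSBL) lookup and a deny list of dynamic address ranges, as an added example that is not code from the original post. The DNSBL zone name and the dynamic ranges are placeholders constructed for this example; a real gateway substitutes its reputation provider's zone and the ranges it has sourced from its ISPs. The resolver is injectable so the decision logic can be exercised offline.

```python
"""Connection-level reputation check for an SMTP gateway (added example).

Models the two connection-time policies the post describes: rejecting
clients listed on a DNS-based reputation list (DNSBL) and rejecting clients
in known dynamic (DHCP/dial-up) ranges, before any message data is accepted.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Placeholder zone; a production gateway uses its reputation provider's zone.
DNSBL_ZONE = "dnsbl.example.test"

# Constructed sample of dynamic-client ranges (documentation prefixes, not real
# assignments).
DYNAMIC_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

Resolver = Callable[[str], Optional[str]]


def dnsbl_query_name(client_ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the zone."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 listings only")
    reversed_octets = ".".join(reversed(client_ip.split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; a listed client resolves to a 127.0.0.x answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_dynamic(client_ip: str, ranges: Iterable[ipaddress.IPv4Network] = DYNAMIC_RANGES) -> bool:
    """True if the client falls inside one of the known dynamic ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ranges)


def connection_policy(client_ip: str, resolver: Resolver = system_resolver) -> str:
    """Decide at connect time: 'accept', or the 554 rejection line to send.

    The cheap local range check runs before the DNS query so listed-range
    clients never cost a lookup.
    """
    if is_dynamic(client_ip):
        return "554 5.7.1 Mail from dynamic address space is not accepted"
    answer = resolver(dnsbl_query_name(client_ip))
    # DNSBLs answer with an address in 127.0.0.0/8 for listed clients; any
    # other answer is treated as "not listed" rather than as a rejection.
    if answer is not None and ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return f"554 5.7.1 Client {client_ip} is listed on {DNSBL_ZONE}"
    return "accept"


if __name__ == "__main__":
    # Constructed stub resolver so the example runs offline: one listed client.
    listed = {dnsbl_query_name("192.0.2.7"): "127.0.0.2"}
    stub = lambda name: listed.get(name)
    for ip in ("192.0.2.7", "198.51.100.20", "192.0.2.8"):
        print(ip, "->", connection_policy(ip, stub))
```

Rejecting at connect time is what makes the savings the post describes possible: the gateway never reads the message, so no content scanner runs and no queue entry is created.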

If the spam networks could be disabled, then ISPs would be held accountable. Assuming only 10-20% of the email volume remains after reputation filtering, why then do email gateways scan email addressed to people who don’t exist? It’s because no directory integration has ever been installed to drop email to illegitimate recipients. Some of the largest companies in the world receive hundreds of millions of inbound emails daily. They complain about spam and performance, but do nothing about it. The problem is simple enough to solve, yet companies dare not integrate with a directory service because they may lack the directory expertise to unify their email addresses and aliases under a common meta-directory. Some employees use twenty different email nicknames (aliases), and their employers don’t want to mandate only one or two primary email addresses for fear of a missed email. I have seen many companies unify their email address schemes before, and all it took was a top-down executive decision to simplify their email addresses. Within a few months every employee was using their new email address, with only a few legacy addresses left for backwards compatibility with email applications that may already be in place.
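Recipient validation against a directory, as an added example that is not code from the original post. The in-memory directory is constructed sample data standing in for the LDAP or meta-directory the post describes, with one primary address and any number of aliases per mailbox. It also covers the limitation a deployment has to plan for when unknown recipients are refused at SMTP time: a remote client can learn which addresses exist from the 550 replies, so the gateway counts invalid recipients per client and stops answering that client once it crosses a threshold.

```python
"""RCPT-time recipient validation with directory-harvest protection
(added example).
"""
from collections import defaultdict
from typing import Dict, Optional, Set

# Constructed directory: primary address -> set of aliases.
DIRECTORY: Dict[str, Set[str]] = {
    "jane.doe@example.com": {"jdoe@example.com", "jane@example.com"},
    "ops@example.com": set(),
}

# Invalid RCPT TO commands tolerated per client before it is deferred.
MAX_INVALID_PER_CLIENT = 3


def normalize(address: str) -> str:
    """Lower-case and strip surrounding whitespace and angle brackets.

    The local part is case-sensitive by RFC, but this directory stores
    addresses case-insensitively, which matches common deployments.
    """
    return address.strip().strip("<>").lower()


def resolve_recipient(address: str, directory: Dict[str, Set[str]] = DIRECTORY) -> Optional[str]:
    """Return the primary mailbox for an address or alias, or None if unknown."""
    addr = normalize(address)
    if addr in directory:
        return addr
    for primary, aliases in directory.items():
        if addr in aliases:
            return primary
    return None


class RecipientPolicy:
    """Per-gateway state: counts invalid recipients per client IP."""

    def __init__(self, directory=DIRECTORY, max_invalid=MAX_INVALID_PER_CLIENT):
        self.directory = directory
        self.max_invalid = max_invalid
        self.invalid_count = defaultdict(int)

    def rcpt_to(self, client_ip: str, address: str) -> str:
        """Return the SMTP reply for one RCPT TO from this client."""
        if self.invalid_count[client_ip] >= self.max_invalid:
            # Temporary failure: a legitimate sender retries, a harvester stalls.
            return "421 4.7.0 Too many invalid recipients; try again later"
        primary = resolve_recipient(address, self.directory)
        if primary is None:
            self.invalid_count[client_ip] += 1
            return "550 5.1.1 Recipient address rejected: user unknown"
        return f"250 2.1.5 OK (delivering to {primary})"


if __name__ == "__main__":
    policy = RecipientPolicy()
    for rcpt in ("JDoe@Example.com", "guess1@example.com", "guess2@example.com",
                 "guess3@example.com", "jane@example.com"):
        print(rcpt, "->", policy.rcpt_to("192.0.2.9", rcpt))
```

Mapping aliases back to one primary mailbox is also what lets the directory clean-up the post describes happen gradually: legacy aliases keep working while the count of addresses to maintain shrinks.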

Data Leak Prevention (DLP) is the latest issue getting all the attention. Companies are setting aside tremendous amounts of money to set up entirely new infrastructures. This also requires training and a dedicated staff for the sole purpose of preventing sensitive data from leaking out of an organization. If I have learned one thing over the years, it is that DLP technology is just another application that will become part of the core messaging infrastructure. All the money in the world doesn’t stop someone from maliciously taking data, losing a laptop, sending data from their home networks, or infecting their PCs with malicious spyware and key loggers.

I remember a time when computer viruses were one of the top reasons for downtime and data loss. One simple email with a tiny executable attachment, and entire networks were brought down in the blink of an eye. Companies responded to these virus threats by deploying antivirus software on their servers and desktops. This response created a new issue: email administrators realized that virus scanning software was putting a heavy burden on their servers. As the email volume continued to rise, servers became slower and slower. Soon thereafter the first standalone antivirus email gateway appliance was born. Gateway-based appliances solved many different problems, as viruses, spam, phishing and other malicious attacks were removed at the network edge. In parallel, outbound appliances that offered solutions for archiving, encryption, and web filtering were added to the mix. Over time most of these independent solutions merged into multi-purpose bi-directional appliances used for everything from inbound threats to outbound compliance. With all these apparent solutions, why then are there still problems? Answer the following questions about your messaging architecture:

  1. Are inbound connections managed with reputation services? If not, why are you allowing spammers to continually saturate your email gateways with absurd amounts of spam?
  2. Can recipient checks be performed against directories? If so, what vulnerabilities or limitations were created when this feature was implemented?
  3. Was inbound/outbound scalability and geographical redundancy part of the initial design? If not, are you prepared for long term growth and network failures?
  4. Has an email assessment been performed? If so, were the recommendations followed?

Even when the correct solutions are deployed, many times important features are not being leveraged or properly configured. Answer the following questions about your existing solution(s):

  1. Are you meeting regulatory compliance guidelines with regard to logging, auditing, reporting, encryption, signing, and archival requirements? Are you liable or personally responsible if sensitive data is leaked through email?
  2. Is your organization doing any mass mailing? If so, is outbound email signed using DomainKeys Identified Mail (DKIM)? How do you manage legitimate NDRs and backscatter?
  3. Can you verify that an external recipient has received their email? Are there any legal requirements that mandate message tracking?
  4. Since most information enters and exits via email, is data leakage prevention (DLP) technology integrated into your email solution? If so, does this require a completely separate infrastructure and what is the plan for long term maintenance?
  5. How do your instant messaging, web proxy, and email solutions work in unison to stop data leakage? Do your appliances support the Internet Content Adaptation Protocol (ICAP)? How much extra manpower is required to maintain separate products?
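Question 2 above asks how legitimate NDRs are told apart from backscatter. One standard answer is Bounce Address Tag Validation (BATV): the gateway signs the envelope sender of outbound mail, so a bounce addressed to an unsigned or badly signed return path can be refused because this gateway never sent mail with that return path. The following is an added example, not code from the original post or any vendor product. The tag layout (prvs=KDDDHHHHHH=local@domain) follows the BATV draft; the secret key, key id, HMAC-SHA256 truncation, seven-day validity and sample addresses are this example's own choices.

```python
"""Bounce Address Tag Validation (BATV) for separating legitimate NDRs
from backscatter (added example).
"""
import hashlib
import hmac
import re
from datetime import date
from typing import Dict, Tuple

# Constructed secret; a deployment keeps this in the gateway's key store and
# rotates it by changing the key id.
KEYS: Dict[int, bytes] = {0: b"example-batv-secret-key-rotate-me"}
VALIDITY_DAYS = 7
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)
EXAMPLE_TODAY = date(2024, 1, 15)  # fixed date so the demo is reproducible


def _days_since_epoch(today: date) -> int:
    return (today - date(1970, 1, 1)).days


def _tag_hash(key: bytes, expiry_day: int, address: str) -> str:
    """Six hex digits of HMAC-SHA256 over the expiry day and the address."""
    msg = f"{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def sign_sender(address: str, today: date, key_id: int = 0) -> str:
    """Rewrite an envelope sender (MAIL FROM) to its prvs-tagged form."""
    local, domain = address.rsplit("@", 1)
    # Expiry is a 3-digit day counter that wraps every 1000 days.
    expiry_day = (_days_since_epoch(today) + VALIDITY_DAYS) % 1000
    tag = _tag_hash(KEYS[key_id], expiry_day, address)
    return f"prvs={key_id}{expiry_day:03d}{tag}={local}@{domain}"


def verify_bounce_recipient(recipient: str, today: date) -> Tuple[bool, str]:
    """Check the RCPT TO of a null-sender (bounce) message.

    Returns (accept, original_address) on success, (False, reason) otherwise.
    """
    m = PRVS_RE.match(recipient)
    if not m:
        return False, "unsigned return path: this gateway never sent it (backscatter)"
    key_id, expiry, tag, original = int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4)
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown key id"
    if not hmac.compare_digest(tag, _tag_hash(key, expiry, original)):
        return False, "bad signature"
    now = _days_since_epoch(today) % 1000
    if (expiry - now) % 1000 > VALIDITY_DAYS:
        return False, "tag expired"
    return True, original


def demo(today: date = EXAMPLE_TODAY) -> dict:
    """Sign one sender and check four kinds of bounce against it."""
    signed = sign_sender("Jane.Doe@example.com", today)
    later = date.fromordinal(today.toordinal() + 3)
    expired = date.fromordinal(today.toordinal() + VALIDITY_DAYS + 1)
    tampered = signed.replace("Jane.Doe", "Mallory")  # forged local part
    return {
        "signed": signed,
        "valid": verify_bounce_recipient(signed, later),
        "expired": verify_bounce_recipient(signed, expired),
        "unsigned": verify_bounce_recipient("jane.doe@example.com", today),
        "tampered": verify_bounce_recipient(tampered, today),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The gateway applies the rewrite only to mail it relays outbound and strips the tag on inbound bounces before delivery, so users never see the prvs form. Mass mailings in particular benefit, since one campaign to a stale list can otherwise produce thousands of bounces that are indistinguishable from forged ones.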

Have you ever called technical support and found out that your maintenance has expired? Don’t forget that the technology needs to be kept up to date to be able to combat threats; when maintenance expires, chances are the updates stop too. Keep your software up to date with the latest release, and certainly don’t blame the vendor if your software is several versions out of date and you experience problems. The power of a solution is only as good as the people and practices that go into the deployment. Don’t deploy something halfway because it’s good enough for now; take the time to engage the experts in email security and do it right the first time.

This entry was posted in David Maislin, Uncategorized.