The Silent Threat of Outbound E-mail

Author: Stephen Cobb
Status: First Published in Internet Security Advisor
You are probably familiar with the sounds that e-mail programs make when they fetch messages. These days, "You've Got Mail" is almost a cultural icon, reflecting the phenomenal popularity of e-mail, which still leads web surfing as the number one online activity. So it is ironic that sending messages is typically a silent operation, unheralded by digital bells and whistles. In this article we consider the risk that outgoing e-mail poses to your organization and look at some of the defensive measures you can take, thus complementing April's cover story on e-mail, in which Bill Simpson examined the threats posed by in-bound e-mail.

Consider the Evidence

Most companies have secrets. Stealing those secrets is one of the fastest ways for a competitor to gain a competitive advantage. But apart from being unethical, stealing a competitor's secrets is risky. Consider what happened in one of the largest industrial espionage incidents to come to light in the last ten years. In 1992 about twenty cases of confidential documents belonging to General Motors were physically shipped to Volkswagen headquarters in Wolfsburg (many of them allegedly transported aboard a Volkswagen corporate aircraft, via the Spanish residence of J. Ignacio Lopez de Arriortua, then Vice President at GM in charge of Worldwide Purchasing, later hired by VW). According to the court complaint filed by GM, Volkswagen equipped a facility at Wolfsburg with computers, copiers and a shredder, to enter the information into Volkswagen's systems and then shred the paper copies. To understand what this has to do with e-mail security, ask yourself what mechanisms your company has in place right now to prevent somebody like Lopez from e-mailing 90,000 pages of confidential data to a competitor. Using compressed file attachments and a corporate T1 connection it would not take long to move that amount of data through e-mail.
Today's corporate mole is spared the risks of paper cuts, hernias, and detection that come from photocopying and hauling mass quantities of documents. His accomplices on the outside have no data entry costs and no need for a shredder. The fact is, in most American companies today, large data transfers via e-mail still arouse little suspicion. Only a small percentage of outgoing e-mail is scanned to prevent the unauthorized transmission of valuable corporate secrets. But those secrets can be extremely valuable. In the Volkswagen case, GM forced VW to pay $100 million in damages, and buy $1 billion worth of GM parts. Secrets can also be very compact. Over ten years ago, American Airlines sued Northwest for the alleged theft of confidential data, mailed on a floppy disk to Northwest's head office in Minneapolis by an American Airlines employee, who went to work for Northwest shortly thereafter. According to American Airlines the value of the data was around $30 million.

The Ins and Outs of E-mail Threats

In this context, e-mail can be said to facilitate allowed path attacks. This term was coined by my colleague, David Brussin, to describe attacks which take advantage of the requirement, inherent in all networks, to allow some data to be communicated between nodes of the network. In other words, a network is not a network if some data is not communicated. An allowed path attack subverts the data which the network allows to pass through it. This is why Bill Simpson called e-mail "a gaping hole in your firewall." There are a number of ways to reduce the threat from incoming e-mail, including the store-and-forward relay technology which Bill Simpson described. However, the technological solutions to in-bound e-mail threats do not necessarily reduce the threats from out-bound e-mail. Additional measures may be needed, and non-technical steps may have to be taken before any technology you apply to the problem will yield meaningful results.

E-mail in Perspective

When we talk about defending against e-mail threats, it is important to understand the staggering dimensions of e-mail. For a start, people still use e-mail more than they surf the web. Among Americans who use the Internet at least once a month, 94 percent use it for e-mail, versus 89 percent who use it to surf the web (Cyberdialog). This situation is predicted to continue. In 2003, about 61 percent of the adult population will still be primarily e-mail users, versus 57.9 percent primarily web users (eMarketer). One reason is the amount of time the "average" American worker now spends reading, writing, and forwarding e-mails. The Gartner Group estimates this to be four hours per day, with some companies using e-mail for as much as 75 percent of their corporate communications. In the US, one research company estimates the number of users at 96.6 million, aged 14 and older, or 43.8 percent of the total population of adults and teens (Jupiter).
This is not far from the "best guesstimate" of Messaging Online, which put the number of e-mail users at 58 percent of the total US population at year-end 2000. The same organization put the total number of mailboxes in the world at 891.1 million, at the end of 2000, a 67 percent increase over the previous year. All of which means the worldwide volume of messages is huge, over 7 trillion in 1999, up from over 4 trillion in 1998 (Electronic Messaging Association). US message volume will reach 432 billion by 2003, up from 132 billion in 1999 (Jupiter). A lot of the growth will be from advertising and other forms of commercial e-mail. US companies are projected to spend $496 million on e-mail advertising by year-end 2000, a 177 percent increase from 1999 (Jupiter). Permission-based commercial e-mail message volume is forecast to increase 60 percent by year-end 2000 to 64 billion, accounting for 12 percent of total volume. By 2005, the volume of e-mail marketing messages per user is predicted to be forty times what it is today (Forrester).

Low Tech, High Yield

The first step in preventing valuable data from being e-mailed out of the company is for the company to put a value on the data. While it might strike you as obvious which data are valuable and which are not, the distinction needs to be formalized and made official. There are three steps to this process, some of which your company may have taken already. First, an information security policy needs to be in place which explicitly values company data. Second, a classification system must be established. Third, all company data must be classified. Although the popular meaning of "classified" is "secret," the proper meaning is simply "placed into a class." That class can be "Top Secret" or "Not for Public Distribution" but it can also be "For Public Distribution." Here is an example of a classification system from Fictional Bank, Inc., a fictional company:

1. FICTIONAL BANK PROPRIETARY
2. FICTIONAL BANK PROPRIETARY (RESTRICTED)
3. FICTIONAL BANK PROPRIETARY (REGISTERED)

Company policy requires all company documents to be labeled with one of these three classifications. This ensures that all company documents, however innocuous, are identified as belonging to the company. More sensitive documents are marked level 2, with level 3 being the most sensitive. Penalties for mishandling company documents are correspondingly more severe, the higher the level of classification. Companies that have not yet implemented a classification system such as this have a tendency to dismiss it as an information security fantasy, or a bureaucratic nightmare. It is neither. A system exactly like the one above has been in use at a Fortune 100 company for several years. As a result, that company is much better equipped to deal with several realities of the current business climate:

1. Regulation: recent and pending rules and legislation require many companies to classify a lot of their information, such as employee medical data (HIPAA) and customer financial data (GLB).
2. Layoffs: there is a strong tendency for employees to take company information with them when they leave, whether they planned the move or were forced to leave, either for misconduct or as part of a program of layoffs. Given the current economic climate, this factor represents an elevated threat.
3. Accidents: with so much information traveling across so many connections, mistakes can and do happen. If data is classified by default it automatically has a base level of protection, should it accidentally get into the wrong hands.

Of course, instituting a classification system takes time and resources, not least of which are training efforts directed at managers and employees. But the payoffs are significant, particularly when you start to implement security technology in your efforts to reduce the threats inherent in out-bound e-mail.
Applying the Technology

Let us assume that your company has information security policies in place that require classification and also spell out acceptable use policies for corporate e-mail. In other words, employees have been told what they can and cannot send out via e-mail. They have also been informed that company e-mail is monitored for compliance with policy. The company is now ready to implement content filtering for out-bound e-mail. There are several ways of doing this. For example, a product like Baltimore Technologies' MIMEsweeper can be installed between the company's Internet connection and the mail server (see diagram). MIMEsweeper is actually a family of products that work with different e-mail servers, such as MAILsweeper for SMTP, MIMEsweeper for Domino and MAILsweeper for Exchange. Once installed, MIMEsweeper is given a set of rules for what to allow and what to deny, with respect to both in-bound and out-bound e-mail (note that some companies already have a content filtering program like this installed, but are currently checking only incoming e-mail, looking to block viruses and executable attachments).

MIMEsweeper and other content filtering programs, such as Symantec Mail-Gear, do a lot more than look for viruses. You can have them scan and block messages based on address (to and from), subject, body content, and attachment content. For example, suppose your company is developing a new project, code-named "RX9." You can prevent people from sending out any messages that include "RX9." If someone does send a message that contains RX9 it will be intercepted and held by the content filtering application, which then alerts the system administrator. Optionally, the sender will get an automated response from the administrator stating that there was a problem with the message. This response can be customized and as specific or generic as you see fit.
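The RX9 rule described above, as an added illustration rather than code from the article or from any product it names: a small Python filter that scans the subject, body and attachments of mail leaving the company domain, opens zip attachments (the compressed-attachment route mentioned earlier), exempts a designated group of senders (the per-user distinction the conclusions raise), and holds anything else for administrator review with a log entry and a release step for false positives. The company domain, the addresses and the rx9-team allow list are assumed values.

```python
# Added example (not MIMEsweeper's or any vendor's code): an outbound filter for the RX9 rule above.
import email, io, re, zipfile
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses, parseaddr
COMPANY_DOMAIN = "fictional.com"                        # assumed internal domain
RULES = {"RX9": {"rx9-team@fictional.com"}}             # blocked term -> senders allowed to use it (assumed)
QUARANTINE, LOG = {}, []                                # held messages and the audit trail

def text_parts(msg):
    """Yield (location, text) for subject, body and attachments; zips are opened so compressing hides nothing."""
    yield "subject", str(msg.get("Subject", ""))
    for part in (p for p in msg.walk() if not p.is_multipart()):
        name, data = part.get_filename() or "body", part.get_payload(decode=True) or b""
        if part.get_content_type() != "application/zip":
            yield name, data.decode("utf-8", "replace")
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    yield f"{name}:{member}", zf.read(member).decode("utf-8", "replace")
        except (zipfile.BadZipFile, RuntimeError):      # corrupt or password-protected archive
            raise ValueError(f"unscannable attachment {name}")

def check_outbound(raw):
    """Return ('allow' | 'quarantine', reason); mail that stays inside the company is not checked."""
    msg = email.message_from_bytes(raw, policy=default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    if all(r.endswith("@" + COMPANY_DOMAIN) for r in rcpts):
        return "allow", "internal only"
    try:
        reason = next((f"'{term}' found in {where}" for where, text in text_parts(msg)
                       for term, allowed in RULES.items()
                       if sender not in allowed and re.search(rf"\b{re.escape(term)}\b", text, re.I)), None)
    except ValueError as err:                           # could not look inside an archive: hold it
        reason = str(err)
    if reason is None:
        return "allow", "clean"
    qid = f"q{len(LOG) + 1}"                            # held for administrator review
    QUARANTINE[qid] = msg
    LOG.append(f"{qid} held {sender} -> {', '.join(rcpts)}: {reason}")
    return "quarantine", f"{qid}: {reason}"
def release(qid):                                       # administrator releases a false positive (the RX7 typo)
    LOG.append(f"{qid} released")
    return QUARANTINE.pop(qid).as_bytes()
def build_sample(sender, to, subject, body, zip_text=None):   # constructed sample; zip_text ships in specs.zip
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to, subject
    m.set_content(body)
    if zip_text is not None:
        with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
            zf.writestr("specs.txt", zip_text)
        m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="specs.zip")
    return m.as_bytes()
```

An archive the filter cannot open (corrupt or password-protected) is held rather than passed, since an unscannable attachment is exactly where a determined sender would put the data.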
Once alerted to a blocked or quarantined message, the system administrator can review it and decide what action is needed. That action might range from reminding the user of the company policy on e-mail content, to referring the matter to the legal department. If it is determined that the message was blocked in error, it can be released from quarantine and sent (for example, if someone referred to their Mazda RX7 having a dead battery and causing them to be late to work, but typed RX9 by mistake).

Concerted Measures

As you might expect, content filtering programs include extensive logging capabilities. These are valuable tools in the effort to reduce e-mail abuse. Frequent offenders can be identified and documented. However, before acting upon violations it is important to understand some limitations of the technology. For example, how sure can you be that a message from jdoe@fictional.com was actually written by Jane Doe, the employee to whom that e-mail address is assigned? The answer will depend upon other elements of your information security program, such as the level of authentication required to access systems. To understand what this implies, consider two scenarios. In scenario A, a company uses the following technology:

1. Photo-bearing electronic employee ID badges with proximity readers to time stamp movement through the building.
2. Mandatory ID badges for visitors.
3. User names, passwords, and fingerprint readers to log on to the company network.
4. Token-based digital signatures to sign e-mail.

In this scenario it is going to be relatively hard for someone to impersonate Jane Doe and relatively easy to prove that Jane Doe really sent the message. Conversely, it is easier for an innocent Jane Doe to prove her innocence in the above scenario than in scenario B:

1. Open door policy for visitors, no sign-in required.
2. Non-electronic employee ID badges with no photographs.
3. Generic user names for network log on, with the same password on every workstation.
4. No digital signing of e-mail.

Companies that recognize themselves in scenario B are clearly running a huge risk. In addition to the potential for employees to divulge sensitive information via e-mail with impunity, the company risks huge losses from liability lawsuits. Consider what would happen if an employee sent a client a document that was infected with a virus, which proceeded to cause damage to the client's systems. Apart from the prospect of losing the client, there is the possibility that the client could sue to recover damages. The best defense in a case like this would be to show that all appropriate measures had been taken to prevent such an occurrence, something not possible when the reality is scenario B.

Conclusions

A content filtering application can be implemented on an existing e-mail server, or on a separate, dedicated box. Mirapoint's new Message Director is a standalone box, preconfigured with content filtering software. An alternative approach is to deploy content filtering at the ISP level. Both Mirapoint and Baltimore provide versions that ISPs can use to offer content filtering as an added value service to their clients. Like firewalls and other security products, content filtering needs to be properly configured and managed. Even then it should not be relied upon 100 percent. Like firewalls and virus scanners, content filtering is not foolproof. Someone who is determined to abuse the system may find a way to do so. That said, it should be noted that some of the U.S. government's most paranoid agencies have found content filtering to be a valuable tool in enforcing their information security policies. Unfortunately, you will find that successfully detecting an attempted violation of security policy seldom feels like a cause for celebration.
Whether you are an intelligence agency or a corporation, detecting an employee who is trying to disclose secrets or distribute pornography or malicious code often marks the beginning of a complex and unpleasant process. So be sure you have response mechanisms in place. These should involve not just system administrators and security people but also legal, HR, and upper management (some of the issues raised can be highly sensitive and mishandling can have serious negative impacts). And we should point out that the Fictional Bank illustration simplified many variables. For instance, in the RX9 example, the company might want to allow certain people to discuss RX9 but not others. The content filtering application should be able to handle that distinction, applying different rules to different users. You might be wondering, if RX9 is that sensitive, why not encrypt messages about it? That certainly makes sense, but how will the content filtering application handle encrypted content? Well, Baltimore Technologies has a module called SECRETsweeper that is designed to decrypt out-bound messages and check their content before allowing them to be sent.

Finally, all of this may sound rather draconian if you and your company have so far enjoyed a laid-back attitude to corporate e-mail. Indeed, employees may have developed an assumption of privacy with respect to their e-mail. However, the reality of business today is that companies cannot afford not to know what employees are sending out in e-mail. If you want to allow employees to use e-mail at work for personal use, consider allowing them to use separate web mail accounts such as Hotmail and Yahoo. But resist anything which commingles company mail with personal mail, and insist on the right to police the boundaries of your network and enforce policies put in place to protect your productivity, your reputation, and your digital assets.

Sidebar: What You Need

[Prerequisites to content filtering of out-bound e-mail]

1. Information security policies which declare company information to be of value and spell out the responsibility of employees to protect it.
2. Appropriate use policies for company e-mail which let employees know what they can and cannot send out in e-mail.
3. Documented penalties and procedures for dealing with violations of policy and a consistent program of enforcement.
4. Training and awareness programs which ensure that all employees are aware of items 1 through 4.
5. Access controls and authentication procedures to ensure you can match the electronic identity of a policy violator with the appropriate employee.
[Benefits of content filtering of out-bound e-mail]

1. Better protection of company secrets.
2. Defense against liability claims and other lawsuits.
3. Deterrence and prevention of e-mail abuse.
4. Detection and prosecution of e-mail abuse.

Companies and Products Mentioned

Baltimore Technologies Content Security Division (MIMEsweeper)
Mirapoint Message Director
Symantec Mail-Gear
Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).