Mail Anyone? - SANS Internet Storm Center

Mail Anyone?
When you are doing a Business Impact Analysis or a Risk Assessment, you will often find that email, be it internal or external, is one of the systems that people think they cannot live without. They might even be right. Email systems are being used as communications tool, storage system, social calendar, gossip line, attack vector, etc. The expectation that an email has been received, read and is being acted on, within minutes of it being sent, is much higher than it was a few years ago. Woe if for some reason the message is delayed. Now there are lots of reasons why emails can be delayed, but I want to have a look at how people manage their email as the content management system is often the point where things go wrong and not necessarily because of technology. Typically organisations have something that filters all the inbound and often outbound email. Known viruses are blocked, SPAM is blocked and depending on a number of rules, emails are blocked based on content. What is blocked depends from organisation to organisation and that is probably there one of the main issues starts. What should you block inbound? Known viruses and SPAM are easy, but there is so much more around in PDF, excel, word, exe, scr, pif, cmd, com, bat, URLs, undesirable images, etc. So should all attachments be blocked, regardless of what they are? It probably depends on your risk profile. Certain organisations, as we’ve seen with the Tibetan issue, are more likely to receive targeted malicious content and they may need to implement something as strict as blocking every attachment. Dealing with blocked messages also varies from organisation to organisation. In some, the answer is just no, others allow users to release emails themselves and rely on the users’ integrity to not release emails that should not be sent or received. Some ask staff to contact the helpdesk or security group when a message needs to be released. Another choice is for the security group to regularly check blocked emails and release messages that are business related. Outbound messages are often allowed out without some sort of verification, however in quite a number of countries companies can be held responsible for the activities of their employees, so it an important control point. Outbound messages should be treated at least, if not more strenuously as inbound email. So if you have been tasked with reviewing your mail content management here are some of the things that you should be asking: Are rules applied in the order you are expecting them to be applied in? How often are the rules reviewed? Is there a process in place to test mail rules before they are accepted in production environments? How are exemptions requested and documented? Do users with exemptions have a carte blanche? Or are their activities subject to further scrutiny? E.g. exempt mail is archived and spot checked. Do exemptions expire? What is being blocked and for what reason? Do you have any visibility on the number and types of messages blocked and released? Do you apply your rules consistently? E.g. if you are blocking video or offensive language inbound, you should apply the same outbound. Who releases messages, what is the process? Are SPAM and AV filter/signatures regularly updated? How do you know? Do you have a process in place to allow users to report SPAM, viruses etc that managed to sneak past? Are users aware of how they should request exemptions, urgent release of messages? If personal emails are not permitted is access to webmail services allowed/controlled? Is the mail infrastructure you are looking at the only way in or out for email? Does the product you have allow you to implement the rules you need? Is all of the above backed up by policy? A few of the things to look out for. If you have additions, let me know. Cheers Mark - Shearwater	Mark 392 Posts ISC Handler Mar 30th 2008
Thread locked Subscribe	Mar 30th 2008 1 decade ago