Friday, 27 December 2024

The ISO 17799: The Definitive Guide for Security Geeks
In this part of the ISO series we discuss the eighth section of the standard, Communications and Operations Management, focusing on corporate email.

Email has come a long way to become the second most used human communication method after the telephone. Control 8.7.4 deals with email security and its associated risks.

To cut a long story short, the standard lists the following as the main risks that should be addressed by any given organization:

1) Vulnerability of messages to unauthorized access or modification or denial of service.

2) Vulnerability to error, e.g. incorrect addressing or misdirection, and the general reliability and availability of the service.

3) Impact of a change of communication media on business processes, e.g. the effect of increased speed of dispatch or the effect of sending formal messages from person to person rather than company to company.

4) Legal considerations, such as the potential need for proof of origin, dispatch, delivery and acceptance.

5) Implications of publishing externally accessible staff lists.

6) Controlling remote user access to electronic mail accounts.

Let’s tackle them one by one. For the first and fourth points there is always a valid risk that the email content or the originating address is tampered with. Several encryption and message signing techniques can be used to address those issues.
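As an added illustration that is not part of the original article, the Go program below shows how a detached signature over the origin headers and the body lets a recipient detect both a modified body and a swapped sender address, the two tampering risks named above. The Message type, the canonical form and the in-memory key pair are assumptions of this example, not something the standard prescribes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Message is a minimal mail: the headers we sign plus the body.
// (Constructed for this example; real mail carries many more headers.)
type Message struct {
	From, To, Subject, Body string
}

// canonical builds the exact bytes that get signed: origin and routing
// headers followed by the body, so a change to any of them (including a
// swapped From address) invalidates the signature. Header values are
// trimmed so harmless whitespace added in transit does not break checks.
func canonical(m Message) []byte {
	return []byte(strings.Join([]string{
		"from:" + strings.TrimSpace(m.From),
		"to:" + strings.TrimSpace(m.To),
		"subject:" + strings.TrimSpace(m.Subject),
		"", m.Body}, "\n"))
}

// Sign produces a detached signature over the canonical form of m.
func Sign(priv ed25519.PrivateKey, m Message) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// Verify reports whether sig was produced over m by the holder of pub,
// which is the proof of origin and integrity the article asks for.
func Verify(pub ed25519.PublicKey, m Message, sig []byte) bool {
	return ed25519.Verify(pub, canonical(m), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // ephemeral demo key
	orig := Message{From: "alice@example.com", To: "bob@example.com",
		Subject: "Q4 invoice", Body: "Please pay EUR 1,000 to account A."}
	sig := Sign(priv, orig)
	fmt.Println("original verifies:      ", Verify(pub, orig, sig))
	tampered := orig
	tampered.Body = "Please pay EUR 1,000 to account B."
	fmt.Println("altered body verifies:  ", Verify(pub, tampered, sig))
	spoofed := orig
	spoofed.From = "ceo@example.com"
	fmt.Println("spoofed sender verifies:", Verify(pub, spoofed, sig))
}
```

In practice the recipient must obtain the sender's public key through a trusted channel (a certificate or key directory) for the verification to say anything about who really sent the message.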

For the second and third points, an email disclaimer stating the organization’s legal position on incorrect addressing and on the use of the corporate email address for personal communication should be enough. Disclaimers are automatically added as a footer in most business emails.

As for the fifth point, most organizations cleverly opt not to publish staff lists or directories because of the huge risks associated with such an action, for instance social engineering and targeted spam. Others with highly populated and diverse office locations, like IT giant IBM, allow publishing the staff directory, but as a visitor you are only allowed to query a limited number of contacts per day.

The sixth and final point will, in my opinion, be the talk of the next couple of years.

The main reason is “staff mobility”. From what I have seen in the past couple of years this phrase has been the magic key for sweet-talking management into approving several IT budget areas, and it is here to stay. I totally agree that it is a value-adding feature to allow instant access to business email anywhere, any time, but what about the associated risks?

By allowing and encouraging remote access we have given regular staff the right and the technical means to fully access the company or “government” mail infrastructure from their homes, cyber cafés, BlackBerrys, PDAs and now any regular cell phone.

For the home and cyber café end users all the familiar internet risks apply (e.g. keyloggers, backdoors, etc.). As for the wireless access methods, a whole new world of risks has been unleashed.
Handhelds are certainly more prone to theft due to their small and light form factor, and users can always simply forget the device in a coffee shop and leave.

So what about the information (emails, contacts, attachments, company calendars) stored on these devices?

By design all of those machines have a company user name and password stored on the device, making the device the smallest ever LAN-connected machine and bypassing all the security systems, because it is a trusted device used by a trusted, legitimate user who is already logged on. If a hacker gets his hands on such a device, then “voilà”, he is in.

By design, some of the “popular” methods, like Microsoft Windows Mobile powered devices, store the information (mails, contacts, etc.) in plain, unencrypted data formats.

Also by design, several business-class wireless OTA (“Over The Air”) technologies, like Motorola’s Good Technology (www.good.com) and the globally addictive RIM BlackBerry, use the operator’s (third-party) servers to pass on the emails. Several experts say that it is very insecure to trust a third party with a copy of all your company emails and contacts. Recent news supports those claims: for instance, it was recently published that the French government wants to ban BlackBerry email devices because of worries about eavesdropping by U.S. intelligence.


Posted by ROOT Technologies