
Don't let email be your Achilles' heel

An email policy expert offers advice on how to limit messaging system vulnerabilities without breaking the bank.

CHICAGO -- Throwing money at a problem doesn't guarantee that it will go away. Sometimes the answer is to throw around a little common sense.

At the recent Enterprise Messaging Decisions 2004 conference, Kevin Beaver, founder and principal at Kennesaw, Ga.-based Principle Logic LLC, offered some plain-spoken advice to IT professionals on how to protect against messaging-system vulnerabilities without busting their budgets.

Beaver discussed common mistakes that IT managers make when protecting messaging systems, why such systems are insecure and how attacks are typically carried out.

"Many businesses haven't realized the level of confidential information that flows through these [e-mail] systems," Beaver said. "And they believe that malware protection and encryption are all that's needed."

If only things were that simple.

In reality, there are many reasons why holes in messaging systems need to be filled. For one, some protocols, such as SMTP, were created more than 20 years ago, when security wasn't a big deal. And, of course, virus signatures and engines are out of date. Beaver suggested checking for e-mail header disclosures, enforcing SMTP authentication and closing open relays.
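One way to run the header-disclosure check Beaver mentions, shown as an added example that is not from the article or the speaker: it scans a message's headers for RFC 1918 addresses and product version strings that an outside recipient can read. The sample message, the choice of headers to scan and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample headers for illustration; none of this comes from the article.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.10])
\tby mx.example.net with ESMTP id abc123; Mon, 1 Mar 2004 10:00:02 -0500
Received: from WKSTN-042 (unknown [10.1.4.37])
\tby mail.example.com (Microsoft SMTPSVC 5.0.2195.6713) with ESMTP;
\tMon, 1 Mar 2004 10:00:00 -0500
X-Mailer: Lotus Notes Release 6.0.2
X-Originating-IP: [192.168.7.20]
From: alice@example.com
To: bob@example.net
Subject: quarterly numbers

body
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
# Headers where servers and mail clients commonly announce product versions.
VERSION_HEADERS = {"received", "x-mailer", "user-agent", "x-mimeole"}

def is_internal(text):
    """True if text is a valid IPv4 address inside an RFC 1918 range."""
    try:
        addr = ip_address(text)
    except ValueError:  # e.g. 999.1.1.1
        return False
    return any(addr in net for net in RFC1918)

def find_disclosures(raw_message):
    """Return sorted (header, kind, value) tuples for details an outsider can read."""
    findings = set()
    for name, value in message_from_string(raw_message).items():
        value = " ".join(value.split())  # unfold continuation lines
        for ip in IP_RE.findall(value):
            if is_internal(ip):
                findings.add((name, "internal-ip", ip))
        if name.lower() in VERSION_HEADERS:
            # Drop IP addresses first so they are not mistaken for versions.
            for version in VERSION_RE.findall(IP_RE.sub(" ", value)):
                findings.add((name, "software-version", version))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE):
        print(*finding, sep="\t")
```

Run it against a message your own system delivered to an external mailbox; each finding is a candidate for header rewriting or removal at the outbound gateway.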


"This brought some things to the fore," said Kelly Dickeson, who runs the e-mail systems for 12,000 users at Toronto-based cable company Rogers Communications Inc. "E-mail firewalls are intriguing. SMTP protocols are old, so it makes sense that there would be more to offer with firewalls now."

Spam is another big vulnerability, on many levels. "Spam has great potential for malware attachments, and it increases the chance of your own systems being blacklisted," Beaver said. Not to mention the bandwidth and storage space it takes up. "You don't want to divert security resources for more important issues," he added.

The quick solution? Use a mix of filtering methods and filter mostly at the server perimeter. Protection must be in place not only at the desktop but at the server level too. This saves time and resources.

For Alvita Moss, a network engineer for the 36th District Court in Detroit, Beaver's session was an eye-opener. "Spam has become a huge issue for us," Moss said. "We have a large user environment. I don't have time to run around to 500 clients, so server-based solutions make sense. Management just wants to send mail. They don't want to be bothered with the details."

But attention to detail is what can make or break an e-mail system. Too often, Beaver said, companies have hosts that are more vulnerable than they should be. These hosts must allow inbound and outbound traffic, but firewalls offer limited protection. "Other applications running on new hosts can open new holes and create stability issues," Beaver said.

The solution to such a problem is to use dedicated servers, such as Web servers for Web access. An administrator can also make the e-mail server the most hardened server in the shop, and they should never rely solely on e-mail firewalls for security. Host security is still a necessity.

Another detail that is often overlooked is a weak administration process. Miscommunication among human resources managers, IT managers and security is a common problem when an employee leaves a company. The result is that e-mail accounts of former employees are left enabled, which can easily compromise an entire e-mail system.

"Who's watching the watcher?" Beaver said. "Implement a policy for adding and removing users, and separate e-mail, network and security duties so that there is no breakdown in communication."

In general, the most common-sense solution to protecting your company from e-mail vulnerabilities is to make sure messaging systems remain on your security shortlist. Perform regular testing as you would on Web servers, file servers and operating systems, and don't let e-mail be your organization's Achilles' heel.

TechTarget is the organizer of Enterprise Messaging Decisions 2004 and owner of the family of Web sites that includes SearchDomino.com.
