CHICAGO -- Throwing money at a problem doesn't guarantee that it will go away. Sometimes the answer is to throw around a little common sense.
At the recent Enterprise Messaging Decisions 2004 conference, Kevin Beaver, founder and principal at Kennesaw, Ga.-based Principle Logic LLC, offered some plain-spoken advice to IT professionals on how to protect against messaging-system vulnerabilities without busting their budgets.
Beaver discussed common mistakes that IT managers make when protecting messaging systems, why such systems are insecure and how attacks are typically carried out.
"Many businesses haven't realized the level of confidential information that flows through these [e-mail] systems," Beaver said. "And they believe that malware protection and encryption are all that's needed."
If only things were that simple.
In reality, there are many reasons why holes in messaging systems need to be filled. For one, some protocols, such as SMTP, were created more than 20 years ago, when security wasn't a big deal. And, of course, virus signatures and engines are out of date. Beaver suggested checking for e-mail header disclosures, enforcing SMTP authentication and closing open relays.
"This brought some things to the fore," said Kelly Dickeson, who runs the e-mail systems for 12,000 users at Toronto-based cable company Rogers Communications Inc. "E-mail firewalls are intriguing. SMTP protocols are old, so it makes sense that there would be more to offer with firewalls now."
Spam is another big vulnerability, on many levels. "Spam has great potential for malware attachments, and it increases the chance of your own systems being blacklisted," Beaver said. Not to mention the bandwidth and storage space it takes up. "You don't want to divert security resources for more important issues," he added.
The quick solution? Use a mix of filtering methods and filter mostly at the server perimeter. Protection must not only be at the desktop, but at the server level too. This saves time and resources.
For Alvita Moss, a network engineer for the 36th District Court in Detroit, Beaver's session was an eye-opener. "Spam has become a huge issue for us," Moss said. "We have a large user environment. I don't have time to run around to 500 clients, so server-based solutions make sense. Management just wants to send mail. They don't want to be bothered with the details."
But attention to detail is what can make or break an e-mail system. Too often, Beaver said, companies have hosts that are more vulnerable than they should be. They must allow inbound and outbound traffic, but firewalls offer limited protection. "Other applications running on new hosts can open new holes and create stability issues," Beaver said.
The solution to such a problem is to use dedicated servers, such as Web servers for Web access. An administrator can also make the e-mail server the most hardened server in the shop, and they should never rely solely on e-mail firewalls for security. Host security is still a necessity.
Another detail that is often overlooked is a weak administration process. Miscommunication among human resources managers, IT managers and security is a common problem when an employee leaves a company. The result is that e-mail accounts of former employees are left enabled, which can easily compromise an entire e-mail system.
"Who's watching the watcher?" Beaver said. "Implement a policy for adding and removing users, and separate e-mail, network and security duties so that there is no breakdown in communication."
In general, the most common-sense solution to protecting your company from e-mail vulnerabilities is to make sure messaging systems remain on your security shortlist. Perform regular testing as you would on Web servers, file servers and operating systems, and don't let e-mail be your organization's Achilles' heel.
TechTarget is the organizer of Enterprise Messaging Decisions 2004 and owner of the family of Web sites that includes SearchDomino.com.