Is your Exchange environment the weakest link in your information system? All the compliance requirements and vendor marketing babble being pushed on us lately might make you think so.
"You have to encrypt Exchange email in transit" many experts claim. If you don't, they say that you're out of compliance and your business is at risk.
When you read through the breaches catalogued by an online clearinghouse of information on electronic security breaches, you won't find much about rogue insiders or external hackers gaining access to sensitive email in transit. The reports almost always involve email exposed at the host level. Sensitive messages are usually compromised when passwords are cracked, missing patches are exploited, or mail is recovered from a lost or stolen mobile device. You'll also see breach stories about unprotected email that was sent to the wrong people by accident, exposing everything in the message.
The question remains: Do you automatically encrypt every Exchange email -- just in case? That's a hard sell. It's also hard to do if any of the email is sent to more than a handful of third parties. Encrypting everything internally is one thing; implementing the technologies to encrypt email to and from third parties is another beast altogether.
Those writing security and privacy laws and regulations would disagree. The mantra is that everything is at risk. Those law writers often state that sensitive information protected by encryption is exempt from any compliance requirements, but fail to talk about the real risks. Based on what I've seen, the real information risks have little to do with data in transit. But that doesn't mean that email in transit is not at risk.
Anyone can download the free Cain & Abel password cracker and network analyzer and, within minutes, capture email passwords on the local network: the tool uses ARP poisoning to sit between clients and the server and then reads any POP3, IMAP or SMTP logon that isn't wrapped in TLS. The same can be done when Exchange users communicate over an unsecured wireless network, where no ARP trickery is even needed.
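As an added example (not from the column), here is a check for the exposure just described: a Python script that reads an SMTP server's EHLO capability list and flags cleartext AUTH mechanisms that are offered without, or before, STARTTLS, which is exactly what a LAN sniffer harvests. The sample EHLO replies and the host name mail.example.test are constructed; live_check() runs the same test against a real server.

```python
"""Check an SMTP endpoint for credentials that can be sniffed in transit.

Added example, not from the original column. parse_ehlo()/assess() work
on a captured or constructed EHLO reply; live_check() performs the same
test against a real host with smtplib. The sample replies below are
constructed, not captured from any real server.
"""
import smtplib
import ssl
from typing import Dict, List

# Constructed EHLO replies, as a client sees them after the 220 greeting.
SAMPLE_EHLO_OK = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)
SAMPLE_EHLO_MIXED = (            # STARTTLS offered, but cleartext AUTH too
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 OK\r\n"
)
SAMPLE_EHLO_WEAK = (             # no TLS at all; legacy AUTH= form included
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 10485760\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-AUTH=LOGIN\r\n"
    "250 OK\r\n"
)

# LOGIN and PLAIN send the password base64-encoded, i.e. effectively in
# the clear, unless the session is already inside TLS.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map each advertised extension to its parameters (uppercased)."""
    caps: Dict[str, List[str]] = {}
    for line in reply.splitlines()[1:]:        # line 0 is the greeting
        if not line.startswith("250"):
            continue
        parts = line[4:].split()                # drop "250-" / "250 "
        if not parts:
            continue
        keyword, params = parts[0].upper(), [p.upper() for p in parts[1:]]
        if keyword.startswith("AUTH="):         # pre-RFC 2554 form
            keyword, params = "AUTH", [keyword.split("=", 1)[1]] + params
        caps.setdefault(keyword, []).extend(params)
    return caps


def assess(caps: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing sniffable."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: every session, credentials included, "
                        "crosses the wire in cleartext")
    weak = set(caps.get("AUTH", [])) & CLEARTEXT_MECHS
    if weak:
        findings.append("cleartext AUTH mechanisms offered before TLS: "
                        + ", ".join(sorted(weak)))
    return findings


def live_check(host: str, port: int = 25, timeout: float = 10) -> List[str]:
    """Run assess() against a real server; needs network access."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        # smtplib keeps lowercase keys; "auth" accumulates every advertised mech
        caps = {k.upper(): v.upper().split() for k, v in smtp.esmtp_features.items()}
        findings = assess(caps)
        if smtp.has_extn("starttls"):
            # Validate the certificate, as a strict partner would; a
            # self-signed connector certificate fails right here.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()              # capabilities must be re-read after the upgrade
        return findings


if __name__ == "__main__":
    for name, reply in (("ok", SAMPLE_EHLO_OK), ("mixed", SAMPLE_EHLO_MIXED),
                        ("weak", SAMPLE_EHLO_WEAK)):
        print(name, assess(parse_ehlo(reply)) or ["clean"])
```

The "mixed" case is the one that bites in practice: the server does offer STARTTLS, but a client that never upgrades (or is downgraded by an attacker stripping the STARTTLS line) can still log on with LOGIN or PLAIN and hand its password to anyone on the wire.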
The fact is, information at rest is much more vulnerable than information in transit. Rather than capturing a snapshot in time of a relatively small number of email communication sessions, the real payoff for attackers is to go after email as it lies dormant -- typically behind a weak password, a Windows or Exchange server with a missing patch or on a mobile device such as a laptop or BlackBerry with no real security controls.
Instead of focusing solely on encrypting every email message that enters or leaves the building, take a look at the bigger picture. Tackle the highest-payoff tasks first: the most urgent weaknesses on your most important systems. Make sure you pay attention to the security basics that are often taken for granted. You'll likely find that weak access controls, patch management, content filtering, data retention, contingency planning and mobile security are much higher priorities than encrypting email in transit.
Once you have the basics covered and your Exchange environment continually comes up clean in vulnerability assessments and audits, it may then make sense to take things to the next level with encryption. That is, if you can find a way to get your business partners on board without breaking your business processes and ticking off your users.
If you look at the information you have and how it's processed, you may end up learning that only a handful of messages sent on any given day are at a higher risk than others. If that's the case, consider encrypting those server-to-server SMTP sessions with TLS in Exchange. Keep in mind that opportunistic TLS only helps when the partner's server also offers it; if it doesn't, the session silently falls back to cleartext, so require TLS (and verify the partner's certificate) for the domains that matter. You may also consider a third-party gateway such as those offered by vendors like PGP or MessageLabs. These products let you create rules that automatically encrypt outbound messages when certain content or recipients are detected.
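As an added example (not from the column, and not any vendor's product code), the following Python shows the kind of rule such a gateway applies to outbound mail: encrypt when a recipient domain is on a partner list, or when the subject or body carries something that looks like a US Social Security number or a Luhn-valid payment-card number. The domains corp.example, partner.example and bank.example and all sample messages are constructed.

```python
"""Content- and recipient-based rule for deciding what to encrypt.

Added example, not from the column or from any vendor product. It models
a gateway rule: encrypt when a recipient is on a partner list or when the
content carries a US SSN or a payment-card number (Luhn-checked to cut
false positives). Domains and messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

INTERNAL_DOMAIN = "corp.example"                       # hypothetical own domain
PARTNER_DOMAINS = {"partner.example", "bank.example"}  # hypothetical always-encrypt list

# US SSN with structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or hyphens; Luhn-filtered below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs that look like PANs and pass Luhn (separators stripped)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Decision:
    encrypt: bool
    reasons: List[str]


def classify(recipients: List[str], subject: str, body: str) -> Decision:
    """Decide whether an outbound message must take the encryption path."""
    domains = {r.rpartition("@")[2].lower() for r in recipients}
    if domains <= {INTERNAL_DOMAIN}:
        # Internal-only mail never reaches the gateway; other controls apply there.
        return Decision(False, ["all recipients internal; gateway rule not applied"])
    reasons = []
    for d in sorted(domains & PARTNER_DOMAINS):
        reasons.append(f"recipient domain {d} is on the always-encrypt list")
    text = f"{subject}\n{body}"
    if SSN_RE.search(text):
        reasons.append("SSN pattern found in subject or body")
    cards = find_card_numbers(text)
    if cards:
        reasons.append(f"{len(cards)} Luhn-valid card number(s) found")
    return Decision(bool(reasons), reasons)


if __name__ == "__main__":
    # Constructed sample: a partner recipient plus a test card number.
    print(classify(["bob@partner.example"], "Refund",
                   "Card 4111 1111 1111 1111 on file, please process"))
```

The Luhn filter is what keeps a rule like this from encrypting every invoice and purchase-order number; the recipient-domain list is what lets the business side answer the question the IT director in the next paragraph could not get answered, namely which partners always get encrypted mail regardless of content.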
I recently came across a situation in which an IT director was chomping at the bit to implement this type of security control in the Exchange environment, but couldn't get the business managers to outline the specific business rules and criteria. Nothing was done about it, even though a risk was uncovered. Be sure to get all the right people, especially executive management, on board when trying to implement new security controls and measures.
If you decide to encrypt Exchange email, focus on information security and business risks, rather than just approaching it from a compliance perspective. People often get those priorities mixed up. Make it clear to management that encryption doesn't equal 100% security. Sure, it beefs things up, but there's almost always a hacking tool, an inexperienced user or weak business process waiting to negate its benefits.
ABOUT THE AUTHOR: Kevin Beaver is an information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, he specializes in performing independent security assessments and helping IT professionals enhance their careers. Kevin has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and Security on Wheels blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.