Computers & Security, 18 (1999) 409-418

Internet E-mail Risks and Concerns
Chris Nelms

This paper outlines the risks an organization may be exposed to purely by virtue of granting its staff access to Internet E-mail from the PCs on their desks. It suggests possible countermeasures for each risk that should be put in place before implementation, and an E-mail use policy for the organization.

Keywords: Internet, E-mail, spoofing, flaming, firewall, viruses, policy.
It is rapidly becoming the norm for organizations to grant their users access to the Internet from the PCs on their desks. While the risks of granting access to the Web are well known, even restricting users’ Internet access just to E-mail leaves organizations vulnerable to a surprising number of significant risks. The benefits of Internet E-mail are so obvious that granting access is a matter of course. However, Internet E-mail also greatly increases an organization’s exposure to sources of security breaches, in the form of tens of millions of unknown, uncontrolled users and systems worldwide, including the world’s best attackers of IT security, with almost unlimited resources, often deployed indiscriminately. Even small risks become significant when multiplied by such numbers. Hence access security is crucial. Many other risks that probably already exist are increased by the ease of use of Internet E-mail compared with other media, the ease of making large mistakes at the press of a button, and the worldwide reach of E-mail. On the positive side, the implementation of controls over Internet E-mail reduces some of those same risks.

As well as the damage that third parties may cause, Internet E-mail enables users within the organization to cause damage to third parties, some of which may rebound on the organization in the form of damaged trading relationships, legal liabilities, and bad publicity. Even if there is no legal liability, a security breach could cause embarrassment, if security weaknesses or poor practices were thereby exposed to the outside world. The organization will, for example, be clearly shown as the source of all E-mail messages originating within it. There is thus great potential for cost, and for embarrassment of the user, his department, the IT department, management, and the organization as a whole, if there is a serious security breach. It is therefore essential to have reasonable assurance that all risks have been reduced to an acceptable level before implementing Internet E-mail.

The risks may be classified as follows:
1. Hacking
2. Viruses, Trojan Horse software
3. Unauthorized software
4. Offensive text or pictures
5. Excessive message volumes
6. Junk mail
7. Unauthorized disclosure of sensitive information
8. Forged messages (‘spoofing’)
9. Legal liabilities
10. Other

© 1999 Elsevier Science Ltd. All rights reserved.
Internet E-mail Risks and Concerns/Chris Nelms

The main countermeasures are:
1. Set up a firewall to control traffic between the organization’s systems and the Internet.
2. Configure the link so as to keep the organization’s systems invisible to other Internet users.
3. Use software tools to block messages with software and other selected file types (e.g. video files) attached.
4. Scan incoming and outgoing messages for viruses, obscenities etc.
5. Define a clear user policy that specifies what users may and may not do. (See Appendix for a specimen policy.)

The risks of Internet E-mail are discussed in detail below.

Hacking
This can take three different forms.

Penetration of the organization’s systems from outside
It is not enough to rely on the organization having no known enemies. Such targeting is not necessarily deliberate. Some software does the equivalent of walking along the street trying doors until it finds one that is not locked. Possible countermeasures include:
a. Setting up a firewall.
b. Configuring the router linking the organization’s systems to the Internet so that the organization’s network is invisible to the outside world.
However, if there is a physical link to the Internet, it is never certain to keep out the expert and determined hackers that use it. The only way to be completely safe is to have no link at all.

Penetration of E-mail by other users
Enabling them to read messages intended for others, and send messages in other users’ names. Possible countermeasures include:
a. Network address translation, which makes it more difficult for users outside the organization’s internal network to log on as if they were internal users.
b. To counter the threat from within the organization, the usual password access controls should be applied to E-mail; i.e., users should have individual passwords, at least 6 characters long, changed automatically every 30 days, with re-use of previous passwords prevented. User accounts should be locked after three failed login attempts.
c. The E-mail use policy should provide for secure password procedures.
d. If there is a requirement for highly secure communication, encryption and authentication systems exist which give assurance of a message’s origin, and that it has not been read or altered en route. However, this does have to be separately set up with each business partner or location, so it is only likely to be feasible for certain routes that are known to require regular, secure, communications.

Penetration of third parties’ systems by the organization’s users
This would require technical expertise. Possible countermeasures include:
a. Configure the router linking the organization’s systems to the Internet so that third parties’ systems are invisible to the organization’s users.
b. Forbid hacking in the E-mail use policy.
c. Exercise tight control over software loaded by users, to prevent the loading of illicit hacking and communications software. This can be done by implementing security software that detects and prevents the loading or running of unauthorized software. A less sophisticated and less effective alternative is to run audit software regularly to check for unauthorized software.
However, as with hacking by third parties, there is probably no absolute guarantee against an expert and determined internal user hacking third parties’ systems.
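The password access controls listed above under ‘Penetration of E-mail by other users’ (individual passwords of at least 6 characters, changed every 30 days, previous passwords not re-usable, account locked after three failed logins), expressed as a small account model. This is an added example, not code from the paper; the hashing scheme, the history depth and all names are assumptions.

```python
"""Added example, not code from the paper: the E-mail password controls listed
above under 'Penetration of E-mail by other users' (individual passwords of at
least 6 characters, changed every 30 days, previous passwords not re-usable,
account locked after three failed logins) as a small account model. The
hashing scheme, the history depth and all names are assumptions."""
import hashlib
import os
from dataclasses import dataclass, field

MIN_LENGTH = 6            # paper: at least 6 characters
MAX_AGE_DAYS = 30         # paper: changed every 30 days
MAX_FAILED_LOGINS = 3     # paper: lock after three failed login attempts
HISTORY_DEPTH = 5         # assumption: how many previous passwords are remembered


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so that re-use can be checked without storing the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    user: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""                            # hash of the current password
    history: list = field(default_factory=list)     # hashes of previous passwords
    changed_on_day: int = 0                         # day number of the last change
    failed: int = 0
    locked: bool = False

    def set_password(self, new: str, today: int) -> str:
        """Apply the length and re-use rules; return 'ok' or the reason for refusal."""
        if len(new) < MIN_LENGTH:
            return "too short"
        candidate = _hash(new, self.salt)
        if candidate == self.current or candidate in self.history:
            return "re-use of a previous password"
        if self.current:
            self.history = (self.history + [self.current])[-HISTORY_DEPTH:]
        self.current, self.changed_on_day = candidate, today
        return "ok"

    def login(self, attempt: str, today: int) -> str:
        """Return 'ok', 'password expired', 'bad password' or 'locked'."""
        if self.locked:
            return "locked"                         # only an administrator can reset
        if _hash(attempt, self.salt) != self.current:
            self.failed += 1
            if self.failed >= MAX_FAILED_LOGINS:
                self.locked = True
                return "locked"
            return "bad password"
        self.failed = 0                             # a good login clears the counter
        if today - self.changed_on_day >= MAX_AGE_DAYS:
            return "password expired"               # correct, but a change is now forced
        return "ok"
```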
Viruses, Trojan Horse Software etc.

Receipt of viruses, Trojan Horse software
This can take the form of:
a. Virus infection from files attached to messages. Infection can of course come from either an executable file, or from a document or spreadsheet infected with a macro virus. The latter are particularly likely, since this is one of the commonest uses of E-mail messages.
b. Mail bombs (messages that explode into many copies when opened).
c. Messages that execute automatically when opened. These can contain viruses, or Trojan software that corrupts or deletes files.
The possible countermeasures include:
a. Use E-mail security software to scan all incoming E-mail messages, and the files attached to them, for known viruses etc. A good package will not be fooled by simple tricks like renaming executable files to look like documents, or compressing a file. The software should be configured to put suspect files into a ‘quarantine’ area for checking before release. Where virus scanning relies on a database of known viruses, it is of course important to keep the database up to date by applying the regular updates available from the supplier. Obviously, the system will always be vulnerable to the latest viruses that have not yet been added to the database.
b. It is possible to receive unsafe HTML and Java applets via E-mail. (These are executables normally associated with files downloaded from the Web.) Good E-mail security software can be configured to block unsafe HTML and Java applets.
c. It would be possible to block E-mails with any attachments at all, at least from certain users, or from all but specific trusted users. However, since the facility to attach files to messages is one of the main benefits of E-mail, and following such rules imposes an ongoing administrative overhead, this is unlikely to be an acceptable control.

Transmission of viruses, Trojan Horse software
Apart from the damage to the organization’s reputation, and its relations with the recipient, it is possible that in future recipients may sue for damages for negligent transmission of viruses. The possible countermeasures are the same as for incoming messages, as good E-mail security software can be configured to scan both outgoing and incoming messages and their attachments in the same way.
Unauthorized Software

Import of unauthorized software
This could consist of pirated software, software not approved by the IT department, animated pornographic pictures, or hacking tools. Under the UK Copyright, Designs, and Patents Act 1988 section 107, the penalties for breach of copyright are up to two years’ imprisonment. Under section 110, where committed with the consent or connivance of an officer of the company, the officer is liable to the same penalty. The possible countermeasures include using good E-mail security software to block messages with executable files attached being received by any except authorized IT department users. There is still a risk that IT department users will abuse this facility, but the risk is little greater than the existing risk of importing unauthorized software on disk. A less effective alternative would be to forbid the import of software in the E-mail use policy.

Export of unauthorized software
Apart from the legal penalties the organization may face for breach of copyright, it could seriously embarrass the organization if it were found to be the source of pirated or pornographic software. This can be countered in the same ways as the import of unauthorized software, by blocking messages with executables attached, unless they have been sent by authorized users in the IT department.
Offensive Text or Pictures
This covers a wide range of possibilities, as people may be offended in a large number of ways: pornography, racism, obscenities, insults, extreme political or religious views, libel, gossip, threats, and violence, to name but a few.

Receipt of offensive text or pictures
In the UK, under the Race Relations Act 1976 and the Sex Discrimination Act 1975, an employer can be liable for statements amounting to racial or sexual harassment unless it can show that it took all reasonably practicable steps to prevent it. Under the Protection from Harassment Act 1997, the employer may be liable for any harassment carried out by E-mail. In the US in 1996, two black employees brought a $60m racial discrimination lawsuit against Morgan Stanley over racist E-mails. In the US, a number of lawsuits have been filed alleging racial discrimination, sexual discrimination, etc. on the basis of E-mail messages. Of course, this risk already exists to a degree if the organization has an internal E-mail system. There seems to be no easy answer to this. As described above, E-mail security software can be configured to stop all incoming messages with executables attached, except for users who need to receive it, e.g. the IT department. This would block offensive moving pictures, but not still pictures or text. It is also possible to use E-mail security software to block messages with images attached, from all or selected users. (How many users have a business requirement to receive images?) This could also prevent excessive use of disk space in storing images. As regards offensive text, it is possible to scan the content of incoming text using good E-mail security software. Lexical analysis can be used to screen out messages containing more than certain numbers of suspect words, e.g. obscenities, terms of abuse/familiarity/intimacy, certain parts of the body, bodily functions, and other words unlikely to be used in a normal business context. This is unlikely to be 100% effective, and it would take resources to compile and maintain the word list, and check and release all quarantined messages. There is also some chance of holding up innocuous messages.

Sending offensive text or pictures
Apart from the possible legal liabilities, it would embarrass the organization if it were identified as the source of such material. The possible automatic countermeasures are the same as above. In addition, the E-mail use policy should forbid the sending of offensive text or pictures.
Excessive Message Volumes

Receipt of high volumes of messages
This could result in clogging up all E-mail. This may include ‘flaming’ (the deliberate sending of messages by individuals acting in concert). The messages may be generated by a piece of malicious software, possibly the payload of a virus. Or it may be caused by a hardware or software malfunction. Whatever the cause, the effect is the same: the E-mail system is clogged up, causing a good deal of time to be wasted in getting rid of unwanted messages. There is not a great deal that can be done until after the event, so it is necessary to be ready to act quickly to put in place one or more of the following countermeasures:
a. Block the addresses the messages come from (if they come from a small number of addresses).
b. Use E-mail security software to filter out the repetitive messages by scanning all messages for text unique to the repetitive messages.
c. As a last resort, short of severing the Internet connection, change the organization’s Internet address, amend all stationery that contains it, and inform all business partners.
None of the above totally removes the threat, but it is unlikely to be an ongoing problem for most organizations.
Sending out too many messages
This may be caused by:
a. The deliberate action of users, e.g. in response to junk mail or irritating messages, thereby exacerbating the traffic volume problem.
b. Users accidentally causing excessive cc-ing of messages.
c. A hardware or software malfunction.
The E-mail use policy should forbid the sending of excessive messages by users.

Junk Mail

Attracting excessive junk mail
This could clog the system and waste users’ time, by getting on too many mailing lists. A recent survey found that three quarters of E-mail users received up to five junk messages per day, with a significant minority receiving far more than this. While junk mail is a threat normally associated with the Web, where sites may request the user’s details without revealing that they are to be added to a mailing list, E-mail users can also get on mailing lists unaware of the consequences. The possible countermeasures include:
a. Set the router that connects the system to the Internet, or the E-mail security software, to block messages from known sources of junk mail.
b. Warn users of mailing lists in the E-mail use policy, and advise them how to get messages from them blocked by the IT department if they become a nuisance.
c. In selecting an Internet Service Provider, inquire whether subscribing generates junk mail from other subscribers.
d. Use E-mail security software to scan incoming messages for words or phrases characteristic of junk mail, like “unbeatable offer”, and quarantine them. Again, this implies using resources to check quarantined messages.
e. [While irrelevant to E-mail, one way of avoiding junk mail from Web sites that request the user’s details before allowing access, is to set up a corporate dummy user to enroll on such sites.]

Sending excessive junk mail
This could cause irritation to business contacts. The E-mail use policy should forbid this, unless it is company policy to send junk mail.
Disclosure of Sensitive Information
Internet E-mail offers a number of ways of disclosing sensitive information, which could cause either financial loss or embarrassment to the organization.

Deliberate export of sensitive data files
The ability to attach files to E-mail messages makes it even easier to send sensitive information out of the organization than smuggling it out on a diskette. It also means that as well as the odd document or spreadsheet, it is possible to export a small database that would fill whole boxes of diskettes. Naturally the E-mail use policy should forbid this, if only to enable offenders to be disciplined. The automatic controls available include:
a. Blocking messages with attached files over a certain size (e.g. 20Mb) which could indicate the wholesale export of data.
b. Use E-mail security software to scan messages for words and phrases that suggest the disclosure of confidential data. As mentioned before, it would be laborious to define the word list and check all quarantined messages.

Interception of outgoing messages, or access on receipt by someone other than the intended recipient
The organization cannot rely on access controls such as controls over passwords and unattended PCs at the addressee’s end, and messages sent over the Internet may be intercepted and read in transit. The E-mail use policy should point out the lack of security, and the need for caution in sending sensitive data. As mentioned previously, it may be practical to set up encrypted links with selected business partners. This does require the other party to use the same encryption software, and would therefore not be quick or cheap to implement.
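The automatic controls the paper describes under ‘Viruses’, ‘Offensive Text or Pictures’ and ‘Disclosure of Sensitive Information’ share one screening step, shown here as a single function: executable attachments are blocked for everyone except authorized IT users (including executables renamed to look like documents), images are blocked for users with no business need, attachments over 20Mb are blocked as a possible wholesale export, and lexical analysis quarantines a message once it contains more than a threshold of suspect words. This is an added example, not the paper’s or any product’s code; the word lists, the address allow-lists, the threshold and all names are assumptions, while the 20Mb figure is the paper’s own.

```python
"""Added example, not code from the paper: one screening function for the
automatic controls the paper describes under 'Viruses', 'Offensive Text or
Pictures' and 'Disclosure of Sensitive Information'. Word lists, address
allow-lists, the suspect-word threshold and all names are assumptions; the 20Mb
attachment limit is the paper's own example figure."""
import re
from dataclasses import dataclass, field

MAX_ATTACHMENT_BYTES = 20 * 1024 * 1024   # paper: block attachments over e.g. 20Mb
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".vbs"}
IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".bmp")
AUTHORIZED_IT = {"it-support@example.org"}      # assumption: may receive executables
IMAGE_RECIPIENTS = {"marketing@example.org"}    # assumption: business need for images
SUSPECT_WORDS = {"idiot", "moron", "damn", "sod"}   # constructed, deliberately tame list
CONFIDENTIAL_WORDS = {"confidential", "payroll", "salary", "merger"}   # constructed
JUNK_PHRASES = ("unbeatable offer", "act now", "free money")   # first one is the paper's
SUSPECT_THRESHOLD = 2   # assumption: quarantine when more than this many suspect words


@dataclass
class Attachment:
    name: str
    data: bytes


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    outgoing: bool = False   # True when leaving the organization for the Internet


def _looks_executable(att: Attachment) -> bool:
    """Extension check plus the DOS/Windows 'MZ' header, so renaming prog.exe
    to prog.doc (the trick the paper mentions) does not evade the rule."""
    ext = ("." + att.name.rsplit(".", 1)[-1].lower()) if "." in att.name else ""
    return ext in EXECUTABLE_EXTENSIONS or att.data[:2] == b"MZ"


def _is_compressed(att: Attachment) -> bool:
    return att.data[:4] == b"PK\x03\x04"   # ZIP signature: unpack and scan before release


def _count_words(text: str, words: set) -> int:
    """Lexical analysis: how many whole-word hits from the given list."""
    return sum(1 for t in re.findall(r"[a-z']+", text.lower()) if t in words)


def screen(msg: Message):
    """Return (verdict, reasons); verdict is 'deliver', 'quarantine' or 'block'."""
    rank = {"deliver": 0, "quarantine": 1, "block": 2}
    verdict, reasons = "deliver", []

    def escalate(level: str, why: str) -> None:
        nonlocal verdict
        reasons.append(why)
        if rank[level] > rank[verdict]:
            verdict = level

    # Wholesale export check: total attached size, regardless of file type.
    if sum(len(a.data) for a in msg.attachments) > MAX_ATTACHMENT_BYTES:
        escalate("block", "attachments exceed 20Mb: possible wholesale data export")
    for att in msg.attachments:
        if _looks_executable(att) and msg.recipient not in AUTHORIZED_IT:
            escalate("block", "executable %s sent to a user outside the IT department" % att.name)
        elif _is_compressed(att):
            escalate("quarantine", "compressed attachment %s must be unpacked and scanned" % att.name)
        elif att.name.lower().endswith(IMAGE_EXTENSIONS) and msg.recipient not in IMAGE_RECIPIENTS:
            escalate("block", "image %s sent to a user with no business need for images" % att.name)

    # Text screening of subject and body.
    text = msg.subject + " " + msg.body
    if _count_words(text, SUSPECT_WORDS) > SUSPECT_THRESHOLD:
        escalate("quarantine", "more than %d suspect words" % SUSPECT_THRESHOLD)
    if any(p in text.lower() for p in JUNK_PHRASES):
        escalate("quarantine", "phrase characteristic of junk mail")
    if msg.outgoing and _count_words(text, CONFIDENTIAL_WORDS):
        escalate("quarantine", "outgoing text suggests disclosure of confidential data")
    return verdict, reasons
```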
Misdirection of messages
It is fatally easy to click on the wrong user name or group name. Every E-mail user has tales of the messages he has received that were meant for someone else. While it is essential to urge caution in addressing messages in the E-mail use policy, the only real control is message encryption.

Forged Messages (‘Spoofing’)

Sending messages purporting to come from someone else
As mentioned under ‘Hacking’ above, weak password access controls can enable internal users to log in and send messages in the names of other users. The E-mail use policy should warn users to keep their passwords secret and hard to guess, and remind them that they will be held responsible for misuse of their user IDs.

Receiving messages purporting to come from someone other than the actual sender
There is no assurance that third parties have secure password access controls. It is also possible to use technical means to falsify the source of a message. Spoofing could lead to the repudiation of messages that were acted on in good faith. Possible countermeasures include:
a. The E-mail use policy should remind users not to take messages at face value, and to seek appropriate confirmation.
b. Good E-mail security software can be configured to look for signs of spoofing, and add a warning to messages that look as if they may have been spoofed.
c. Where there is an ongoing requirement for assurance that messages from a particular source or sources are genuine without further confirmation, it may be worth using an authentication system to give assurance of a message’s origin, and that it has not been altered en route.

Being made to appear to be the source of a message
It is possible to be made to appear to be the source of a message that is only being relayed, either as an attempt to discredit one’s organization, or to give a message a false appearance of respectability or authenticity. Good E-mail security software can be configured to prohibit mail relay.
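Two of the gateway-side controls just described, as an added example that is not the paper’s or any product’s code: refusing to relay mail that is neither addressed to the organization nor sent by one of its own users (so the gateway cannot lend a third party’s message a false appearance of authenticity), and tagging messages that show signs of spoofing with a warning rather than delivering them silently. The domains, the internal network range and the warning header name are assumptions.

```python
"""Added example, not code from the paper: the relay prohibition and the
spoof-warning behaviour described under 'Forged Messages'. The local domains,
the internal network range and the warning header name are assumptions."""
import ipaddress
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.org"}                        # assumption: the organization's domains
INTERNAL_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # assumption: the internal LAN
WARNING_HEADER = "X-Spoof-Warning"                     # assumption: name of the added warning


@dataclass
class Envelope:
    peer_ip: str          # address the SMTP connection came from
    mail_from: str        # envelope sender (MAIL FROM)
    rcpt_to: str          # envelope recipient (RCPT TO)
    header_from: str      # the 'From:' header the user will see
    headers: dict = field(default_factory=dict)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def _is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NETWORK


def relay_decision(env: Envelope) -> str:
    """'inbound' or 'outbound' when the gateway may carry the message, else 'relay denied'."""
    if _domain(env.rcpt_to) in LOCAL_DOMAINS:
        return "inbound"             # addressed to us: accept for local delivery
    if _is_internal(env.peer_ip):
        return "outbound"            # from our own users: we are the legitimate origin
    return "relay denied"            # third party to third party: we would be a relay


def spoof_warnings(env: Envelope) -> list:
    """Signs of spoofing the gateway can detect without cryptography."""
    warnings = []
    if _domain(env.header_from) in LOCAL_DOMAINS and not _is_internal(env.peer_ip):
        warnings.append("claims to be from %s but arrived from the Internet" % _domain(env.header_from))
    if _domain(env.header_from) != _domain(env.mail_from):
        warnings.append("From: header domain differs from envelope sender domain")
    return warnings


def process(env: Envelope) -> dict:
    """Combined gateway decision: the action taken plus any headers added to the message."""
    action = relay_decision(env)
    headers = dict(env.headers)
    if action != "relay denied":
        warnings = spoof_warnings(env)
        if warnings:
            headers[WARNING_HEADER] = "; ".join(warnings)   # paper: warn, do not silently deliver
    return {"action": action, "headers": headers}
```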
Legal Liabilities
Because of the friendly, conversational nature of E-mail, users tend to treat it like a conversation. They tend to forget that it is a written communication sent in the name of the organization, and that they should not write anything that they would not write in a letter. In fact the law of vicarious liability is clear: a company can be liable for the acts of an employee which are done in the course of employment, even if the act is unauthorized and contrary to company policy. The possible legal liabilities fall into a number of groups.

Because of the nature of E-mail, there is an increased risk that users will provide inaccurate data, have their messages forwarded to unintended readers, disclose personal data, seem to state an official company position, issue what amounts to inaccurate advertising material, or otherwise commit the company. It is even possible to enter into contracts or send significant messages by accident or on impulse. A company may be bound by obligations entered into by an employee at the click of a button, even if that employee is not actually authorized to act on its behalf. It can happen in various ways: the user clicks on ‘send’ accidentally before the message is ready; or on impulse without having thought through the implications; or clicks on ‘reply to all’ or an incorrect name or user group and the message goes to the wrong recipient, who acts on it. It is far easier to make mistakes of this kind with E-mail than with paper letters, and letters can be retrieved from the mail tray.

In the UK, in July 1997, Norwich Union paid £450 000 in costs and damages to Western Provident Association in an out of court settlement, after admitting that staff had used E-mail to libel the rival insurer simply by spreading rumours, in many cases merely by clicking on messages to forward them. In 1996, Asda was successfully sued for E-mail libel. Now, under the Defamation Act 1996, the company is not liable if it was not the author, editor or publisher of the E-mail, or took reasonable care. The Norwich Union case related to internal E-mail, but could be applied to Internet E-mail.

There is also a tendency to use poor spelling and grammar in E-mail to save time. Like dress-down Fridays, while acceptable within the organization, it may not be the image that the organization wishes to present to the outside world - and it could be dangerously unclear. As a minimum, the E-mail use policy should point out that E-mail must adhere to high professional standards. E-mail software may be used to attach a standard legal disclaimer to each message. A common form of wording is: “This E-mail contains information which is confidential. It is intended solely for the addressee. Access to this Internet E-mail by anyone else is unauthorized. If you are not the intended recipient of this E-mail, any disclosure, copying, distribution, or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful”. This facility may also be used to append company details. In the UK, companies are required to state certain details such as their addresses on all communications on company stationery. However, there appears as yet to be no definitive statement of how this should be applied to E-mail messages.

The only real control is for the E-mail use policy to warn users to apply professional standards to E-mail messages.

Breach of confidentiality
The unauthorized disclosure of confidential information sent by E-mail may give rise to the employer being liable for breach of confidentiality and damages. The UK Data Protection Act 1998 will enable data subjects to claim for damage caused by disclosure of their personal data. Again, the only control is to warn users to take care in sending E-mail messages.

Disclosure of ‘private’ E-mails
Supposedly ‘off the record’ comments in E-mails may be forwarded to a wide audience, or may have to be produced in court by Court order. In the Norwich Union case in 1997 (see above) Western Provident obtained a court order for the preservation and delivery of hard copies of all the allegedly defamatory E-mails. In the US, the court required production of Microsoft’s self-incriminating E-mails, in its anti-trust battle with the US Justice Department over Windows 98. Obviously deletion of the E-mail is no protection, as it may still exist on a backup tape. The E-mail use policy should point out that no E-mail, internal or external, is totally private.

Breach of the UK Data Protection Act
An organization may only obtain, process, and disclose personal data in accordance with the Data Protection Principles and in the manner described in its entry on the Data Protection Register. Its registration must cover all likely new disclosures and processing of personal data. There are severe penalties for breach, both to the organization and its officers. In implementing E-mail, the register entry should be checked, and updated if necessary to cover E-mail.

Breach of software copyright
This is dealt with above.

Harassment
This is dealt with above.
Other

Denial of service through failure of hardware or software
Once E-mail has been in use for some time, the organization is liable to become dependent upon it. The normal provision should be made for system resilience and backup facilities, e.g. duplication of critical system components, and the Internet Service Provider should guarantee a certain percentage of uptime. Users should also be reminded to ensure that they have the phone numbers, fax numbers, and addresses of all contacts.

Denial of service through exceeding capacity
As well as monitoring traffic volumes and disk space utilization, it may be possible to configure the E-mail security software to ‘park’ messages over a certain size, say 10Mb, for transmission outside working hours.

Waste of time and resources using the facility for personal purposes
While the E-mail use policy should state that the organization’s IT facilities should only be used for business use, this rule is likely to be honoured more often in the breach than in the observance. The automatic attachment of a legal disclaimer and company details may discourage private use, just as users are more likely to use plain photocopier paper than company letterhead for their private correspondence. As with phones, some personal use is probably inevitable. In theory, it might be possible to scan the words used in messages to detect private use, but it is unlikely that the resources saved would recoup the cost of preventing personal use.

Conclusion
By now the message of this paper should be clear. While the benefits of Internet E-mail are immense, an organization should not allow these to seduce it into implementing it before appropriate controls, including a user policy, have been put in place.

Appendix: E-Mail Use Policy
General Comments
1. Users can only be expected to follow good practice if there are written rules. These should be distributed to all users when Internet E-mail is implemented, and if possible put on a shared area of the systems for reference. The other side of the coin is that the organization has a better justification for disciplinary action if misconduct is in breach of a written policy.
2. A policy is key to reducing the organization’s potential legal liabilities, and to compliance with BS7799, the Information Security standard. In order for it to be effective in these, the organization must be able to demonstrate that:
a. It is well-publicised. As well as keeping it on a shared area of the systems, management may wish to make each staff member sign and return a copy before granting access to E-mail.
b. Staff are aware that the policy forms part of their employment contracts, and that breaking the policy is a disciplinary offence, and why. Staff actions giving rise to any claim are therefore contrary to company policy.
3. Since Internet E-mail is likely to be closely integrated with the internal E-mail system, the policy has been worded to cover both.
4. For the policy to be effective, senior management must own and issue the policy, and be seen to do so.
This policy applies to both Internet and internal E-mail, except where stated. Breach of these rules is a disciplinary offence (and in some cases illegal).
1. Please note that messages may be read by unintended persons in a number of ways, even after deletion. They may even have to be produced in Court. Bear this in mind in deciding whether to use E-mail for sensitive information, or private or personal data or messages. Consider the use of code words in place of names.
2. If you see a message that is not meant for you, treat it as confidential.
3. Since [organization name] has no control over the security of third parties’ Internet connections, or the Internet itself, you cannot be sure that messages you receive come from the purported sender, and have not been amended in transit. They should therefore not be accepted as legally binding, or acted upon, without appropriate confirmation.
4. You should use Internet E-mail for business purposes only.
5. You must not send confidential information by Internet E-mail without authorization.
6. To prevent others sending or receiving messages in your name:
a. Keep your E-mail password secret.
b. Do not use easily-guessed passwords such as family names.
c. Do not leave a logged-in PC unattended for more than a few minutes. Use a password-protected screen saver.
7. Do not try to access systems or data which you are not authorized to use. This includes other systems connected to the Internet.
8. Do not fill large amounts of disk space with unnecessary data (including saved E-mail messages) or graphics.
9. Change your E-mail password regularly. You may use the same password for more than one system.
10. [organization name] may be legally liable for what you do or say using Internet E-mail, just as it is for letters. Despite the informal, conversational writing style common in E-mail, you should apply the same professional standards to an Internet E-mail message that you would apply to a letter on [organization name] letterhead, particularly if the subject matter is of significance to [organization name]. In both cases you are writing to third parties in the name of [organization name]. Specifically:
a. Do not make statements that could be interpreted as the official [organization name] position, or committing [organization name], unless you are authorized and intending to do so.
b. Obtain the same authorization to send an E-mail as you would for a letter.
c. Ensure information provided is accurate.
d. Do not use poor spelling and grammar in messages to other organizations.
e. Avoid defamatory statements, rumours, and gossip, about individuals or companies.
f. Only disclose personal data if the organization’s Data Protection Registration permits.
g. Get clearance from Corporate Communications Department before issuing what amounts to advertising material or press releases.
11. Beware of giving your E-mail address if it could be used to send you junk E-mail. The resultant network traffic could inconvenience other users as well as yourself. If you find yourself unable to stop junk mail, ask the Help Desk to block it.
12. Do not send out junk mail, chain messages, or pyramid messages.
13. Beware of causing irritation by excessive copying-in of extra persons on messages.
14. Do not respond to irritating mail or junk mail just to retaliate. Responding to junk mail confirms your address for future junk mail.
15. Do not send or keep offensive text or pictures (e.g. pornography, racism, sexism, obscenities, insults, sarcasm, profanity, extreme political or religious views, confrontational statements, incitement to unlawful activity etc).
16. Observe the etiquette of Internet E-mail. E.g., WRITING IN CAPITAL LETTERS (“SHOUTING”) is bad manners.
17. Do not send messages that could be seen as harassment (racial, sexual, or otherwise).
18. Do not rely on Internet E-mail for uninterrupted service. Note the postal addresses, phone and fax numbers of all contacts, in case E-mail goes down.
19. Take care in entering addresses to ensure mail goes to the right person. Take particular care when using any facility to suggest possible names based on what you have typed, or selecting names from lists.
20. Report significant breaches of any of the above rules, from either within or outside the organization, to [individual/department name]. It may be possible for IT to take remedial action, or prevent a recurrence. All E-mail messages you send are tagged with both your name and that of [organization name], and you will be held responsible for any misuse of your ID that affects the organization. It is therefore in your interests to control the use that is made of your E-mail ID. If you are unsure whether any use of E-mail you currently make, or plan to make, follows these rules, contact [individual/department name].

Optional addition: I hereby agree to abide by the points as listed above.
Signed .................................................................... Dated ......... / ...... / .........
Print name ............................................................
Chris Nelms M.Sc, B.Sc(Econ), FCA, CISA is the Computer Audit Manager of MEPC plc, a leading UK property company. He has 15 years’ experience in computer audit, and has been a regular contributor to a number of computer audit and security journals. The views expressed in this article are not necessarily those of MEPC plc.