Email threats: Educating your SMB customers

SMBs face a plethora of challenges in securing email, most of which go unrecognized by management. VARs and consultants involved with SMBs are faced with solving these security issues, while educating management as to the need for the solutions supplied.

The problem originates with management's lack of knowledge about the true threat model that must be applied to email. They may see spam showing up in their employees' inboxes and consider that to be the only problem. The threats, both internal and external, may well be unrecognized. Let's identify the basic threat taxonomy, which you can then use when selling email security projects.

External threats include spam, spoofing/phishing and man-in-the-middle (MITM) attacks. Spam can be dealt with by denial of delivery (quarantining messages on a local server) until verified. The verification process usually involves comparing the derived signature of the email against a blacklist, which may be supplied by a trusted third party. An email appliance/firewall can perform this sort of service, including the local quarantine.

Spoofing may not be as simple to eliminate. Spoofing a sender (also done in MITM) may be detected if the sender uses DomainKeys Identified Mail (DKIM), which has an encrypted header before the message. But not all domains use this feature. Spoofing is usually teamed with a phishing effort that redirects a link in a message to an attacking site. While a security hygiene regimen might include checking all outbound links for consistency, this is less likely to happen in an SMB. Consultants might wish to implement the automatic checking of outbound HTTP requests from within an email, so that at the very least a log of the true target may be obtained.

MITM can be similar to a phishing effort, but usually does not include a simple redirect link. In MITM, all of the content of the email, including headers, can be bogus (though somewhat based on the original sender's message). The Reply-To header may be a misdirect, for example, so that the attacker gets the replies. Again, header analysis may be a consultant's choice here as a method of mitigation.
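One way to automate the header analysis and true-target logging described in the two paragraphs above, as an added example that is not code from the original article. The sample message, all addresses and all domains are constructed placeholders, and the DKIM step only compares the signing domain (d=) with the From domain; it does not verify the signature.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not real traffic); every domain is a placeholder.
SAMPLE = """\
From: "Accounts Payable" <ap@example.com>
Reply-To: ap@example-billing.test
To: user@smb.example
Subject: Updated invoice
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.test; s=sel1; bh=xx; b=yy
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please review at <a href="http://login.attacker.test/pay">https://www.example.com/pay</a>
or see <a href="https://www.example.com/help">our help page</a>.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or ''."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", from_dom, reply_dom))
    sig = msg["DKIM-Signature"]
    if sig is None:
        findings.append(("no-dkim-signature", from_dom, ""))
    else:
        m = re.search(r"\bd=([^;\s]+)", sig)
        d = m.group(1).lower() if m else ""
        # Exact or subdomain match only; the signature itself is NOT verified here.
        if not (from_dom == d or from_dom.endswith("." + d)):
            findings.append(("dkim-domain-unaligned", from_dom, d))
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        shown = urlparse(text.strip()).hostname  # None unless the link text is a URL
        target = urlparse(href).hostname or ""
        if shown and shown.lower() != target.lower():
            findings.append(("link-target-mismatch", shown, target))
    return findings
```

Each finding is a tuple of (rule, expected value, observed value), which can be written to a log or used as a quarantine signal at the mail gateway.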

Internal threats can be as damaging as any external one. Consultants must analyze how a customer conducts business in order to identify its unique internal threats. Weak email passwords that can be easily broken or parsed may be one such threat. Passwords should be strong and changed regularly, and the method for informing end-users of those changes should be carefully constructed so as not to be compromised.

One threat that must always be considered is the subversion of an IT employee. Especially in SMBs, IT staff members may be underpaid and overworked, and thus amenable to monetary lures from competitors. Who better to send copies of a company's emails to a competitor than an IT person? The solution a consultant may consider to this problem is end-to-end encryption for sensitive documents, sent through a VPN. That way, should a sensitive email be intercepted and resent by anyone in the transit chain, it won't provide any useful information. This kind of approach is best suited to management-level employees who routinely discuss sensitive business matters.

Email is not just text transmissions any more. It is the flow of information that supports and makes a business possible. A VAR or consultant has to appreciate this reality, and make sure their customers do, too.

About the author
Larry Loeb has been online since the world revolved around {!decvax}. He's been in many of last century's dead tree magazines about computers, having been a Consulting Editor to the late, lamented BYTE magazine, among other things. You can reach him at larryloeb@larryloeb.com.


This was first published in November 2006
