From its early beginnings to the present day, insecure emails have consistently caused trouble for their senders and recipients in a variety of ways.
LtCol. Oliver North was nailed when an incriminating email that he thought was buried came back to haunt him. More recently in the U.K., former Government special advisor Jo Moore and the Prime Minister's wife Cherie Blair have both come under fire from 'private' email correspondence that ended up being plastered all over the papers. Most recently, a senior Scottish MP had to call in detectives after a computer hacker used her parliamentary email address to send porn and cheap loan offers over the internet.
Unprotected emails (which constitute the vast majority of all emails sent) are extremely easy to intercept, modify, spoof and turn to almost any criminal purpose possible. In many cases, cybercrimes such as these require no technical expertise whatsoever.
According to Diligence Information Security, over 70 percent of IT security breaches are committed by the staff of the company involved and may be as simple as sitting at someone else's desk and reading their emails. The hackers range from disaffected employees trying to damage their employers to cybercriminals operating covertly within a company as part of a calculated piece of corporate espionage.
There are thousands of these cases every year but few come to light because of the victims' embarrassment and willingness to hide their vulnerability. This is one of the reasons why the U.K. Government's digital crime fighting force, the National Hi-Tech Unit, recently said it is prepared to grant business victims full anonymity if they come forward, in an effort to jumpstart investigations into the growing cyber crimewave.
The more traditional external hack is only marginally harder to execute than sitting down at someone's desk and turning on their computer. All the tools needed in order to intercept and alter another person's emails are freely available to download from the internet, accompanied by simple step-by-step instructions of what to type.
To prove the point, the BBC's Today program recently demonstrated how a 12-year old boy could use these techniques to break into Tony Blair's inbox and 'spoof' emails from the British Prime Minister ordering other ministers to perform various tasks.
There are three main types of email security breach.
- Confidentiality: An email is anonymously read by an unauthorized person while in transit. Neither the sender nor the recipient is aware that this has happened.
- Integrity: The contents of an unprotected email are anonymously modified while in transit and then passed onto the recipient as if they were the original message, without either recipient or sender being any the wiser.
- Authenticity: Emails can be easily and anonymously forged so that messages appear to be from a certain person. These could then be sent to somebody without either the person whose name was forged, or the recipient, ever discovering that the message was not genuine. This form of hacking is known as spoofing.
Email may be easy to break into, but a wide variety of effective and affordable solutions are available to combat the threat. These are based on cryptographic technology, which scrambles data against unauthorized disclosure and ensures the integrity, authenticity and legitimacy of the electronic communication.
There are two essential parts to securing email: encryption and digital signatures.
Put simply, encryption is the electronic equivalent of putting a letter in an envelope. This protects confidentiality and confirms for the recipient that the message has arrived in its original state without having been seen by an unauthorized person. Good encryption software ensures that information is only decrypted when needed and deleted safely when no longer required, the equivalent of sending a sensitive letter through the shredding machine.
The digital signature is akin to signing and sealing a letter by hand. It maintains the integrity, authenticity and non-repudiation aspects of an email in much the same way as a personal hand-written signature is proof of authorship of a letter. In fact, digital signatures are an even greater guarantee of authenticity than their handwritten counterparts as they cannot be forged.
An email that has been digitally signed also ensures that the message cannot be repudiated or considered invalid (i.e. denied by the sender). This functionality is particularly useful when transactions are being ordered and authorized via email.
Costs vary, but effective products may be obtained at the sort of price tag that puts cryptography well in the range of small to medium sized enterprises as well as larger corporates.
The availability and affordability of cryptography, added to the frequency of email security breaches, makes it mystifying why so few companies currently take effective precautions. The answer to the low take-up so far of email security lies in misconceptions and corporate complacency.
There is a widely held belief that encrypted email messages negate other areas of security because they are able to by-pass anti-virus and content-checking software. This theory is fuelled by the fact that hacking and virus attacks are regularly combined, as evidenced by 2001's Code Red worm that debilitated 12,000 web servers worldwide. The other aspect of this theory is the notion that if emails are encrypted, IT staff won't be able to scan messages for viruses and inappropriate content.
The reality, however, is that anti-virus software and cryptography are fully compatible. Anti-virus software can be hampered by encryption when it is installed on a network server. When the installation is made at the desktop level, the two sets of software are completely complimentary. By adding a firewall to the mix, users can have complete protection against whatever the internet can throw at them.
The issue of corporate complacency is harder to answer. It is generally accepted that, aside from its people, a company's most valuable asset is its intellectual property. On that basis, the failure to secure the emails carrying that IP is even more baffling.
What is clearer is the legal position from national and international governments. According to both the U.K. Data Protection Act and ISO/IEC 17799 (BS7799), the recognized international standard for information security, protecting the confidentiality of electronic information is essential. Despite this legislation, only 49 percent of businesses in the U.K. have the procedures in place to comply with the Data Protection Act and only 15 percent of people responsible for IT security are aware of the requirements of BS7799.
The answer to the complacency issue can be found in the findings of the Confederation of British Industry (CBI)'s 2001 cybercrime survey. While 73 percent of companies acknowledged that cybercrime was rising, only 42 percent felt it would increase in their own business.
In layman's terms, the take-up of email security is being blighted by a widespread outbreak of 'it won't happen to me' syndrome. It took several high-profile virus outbreaks before companies adopted anti-virus software en masse. The same may well be true with email security, though forward-thinking companies may choose to plan ahead before disaster strikes. The truth is that sending emails unprotected prevents a company's security policy from being fully effective. Insecure emails are a gaping hole and a problem waiting to happen that no amount of anti-virus software or firewalls is able to fix.
The legal position on email security as far as the U.K. is concerned is as follows.
The Data Protection Act (1998) makes clear that specific steps must be taken to secure certain types of information: "The Act contains eight Data Protection Principles. These state that all data must be: Processed fairly and lawfully; Obtained and used only for specified and lawful purposes; Adequate, relevant and not excessive; Accurate, and where necessary, kept up to date; Kept for no longer than necessary; Processed in accordance with the individuals rights (as defined); Kept secure; Transferred only to countries that offer adequate data protection."
Given that emails which have apparently been deleted can still be dredged from the hard drive of a user's PC (à la Oliver North), the safe-deletion function offered by email encryption provides the most practical method for ensuring that information relating to out-of-date records is properly disposed of.
If it is also taken for granted that unprotected emails are inherently insecure, it therefore follows that any information contained within email is insecure.
BS7799 (first published in 1995; revised in 1999) is a comprehensive set of controls outlining best practices in information security. It serves as a single reference point for identifying the controls needed for most situations where IT systems are used in industry and commerce. The international version of the directive is ISO/IEC 17799:2000.
To ignore or contravene these best practice guidelines would leave a company open to liabilities under law or from contractual obligations. For example, the unwitting disclosure (because of an unprotected email) of somebody else's trade secret or material given under a non-disclosure agreement would be considered gross negligence.
Many experts believe the take-up of email security will be driven by insurance and damages claims against companies failing to secure emails. Enhanced security would become not only a legal requirement but also a financial advantage (lower insurance premiums).
More emails are now sent each day than letters. According to the U.K. Office for National Statistics, 9.7 billion emails were sent in the U.K. during the last year. Only a tiny fraction of these were protected from hacking attacks.
Despite the current state of unprotection, there are signs that awareness of the need to secure emails is rising. Most encouragingly, Microsoft, the world's largest email service provider, and so often the target for hackers, has started to market email security to U.K. businesses via its bCentral web site.
According to industry analysts IDC, the IT security market in Western Europe will grow from $1.9bn today to $5.9bn in 2006. With firewall and anti-virus protection now in place in most companies, there is reason to believe that email security could, at last, be one of the primary recipients of this spend.
Vanessa Chandrasekaran is executive vice president of the internet security specialist company Indicii Salus (www.indiciisalus.com).
Indicii Salus Ltd is exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk