IT administrators take huge e-mail security gambles everyday, according to e-mail security expert Rand Wacker....
Yet, most don't know they're putting their systems at risk.
In working with many businesses, Wacker has seen IT managers make the same e-mail security mistakes time and time again. Wacker is senior consultant at Emeryville, Calif.-based Sendmail, Inc., an e-mail administration software vendor. To help history stop repeating itself, he outlined businesses' 10 most common e-mail security faux pas and suggested ways to avoid them.
1: Leaving your MTA open as a promiscuous relay
Relay is the default configuration on many mailers. Your relay service should only be available to mail destined to your domain(s) and users, or hosts, who need to send mail through it. Because senders and recipient addresses can be spoofed, it's wise to also subscribe to a domain or IP address "blacklisting" service such as MAPS, ORBS or an equivalent RBL service.
An "Open Relay" is an e-mail message transfer agent (MTA) that will deliver any mail for any sender. Spammers seek out these servers as a free ride for their spam messages. Servers are overloaded, especially when their mail queues fill with undeliverable mail and bounces. The result is often an overloaded mail server that stops serving the user it intended.
2: Using insecure e-mail clients that execute code as part of displaying a message
3: Running old versions of software
Running old versions of software with known security issues, such as buffer overrun exploits, can be a cause of e-mail security mismanagement. A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold. Often, forgetting to update software after an exploit is published is an issue. Buffer overflows easily crash systems and are clever spots in which to hide executable programs.
4: Not keeping passwords in check
Another big e-mail security faux pas is passwords that are never changed and/or have crackable strings. Using one's birthday, spouse's name, or social security number is easy to for hackers to figure out. Sending passwords via non-secure e-mail is also a frequent goof. If you can guess a user's password in 100 tries, you need to re-educate them.
5: Not using encryption
Not using encryption (SSL) or strong authentication, such as Authenticated POP (APOP) methods on your POP/IMAP server can cause serious problems. APOP encrypts your password before it travels over the Internet. By default, e-mail clients submit passwords in clear text. It is unthinkably easy to sniff for user and password information, then reconfigure any e-mail client to impersonate that user.
6: Relying on public e-mail
Public e-mail is the snail-mail equivalent to postcards. Users should regularly be made aware that all non-encrypted transmissions (either SSL or S/MIME) can, and are, being collected and read. Relying on public e-mail as a means of relaying sensitive business information without secured relay or VPN access for dialups will expose your system.
7: Ignoring warnings about security exploits
The CERT Coordination Center, SecurityFocus and SlashDot.com, for example, are three of the top places to find security-and vulnerability-related information. Similarly to number eight above, your dedicated e-mail management staff member must understand that hackers read SlashDot.com, SecurityFocus and CERT. So, he should, too.
8: Not having a staff member dedicated to e-mail management.
A big mistake companies make is not having someone on staff whose duties specifically include making sure new patches are applied enterprise-wide. Once security vulnerabilities are public, the attack recipe is written. Attacks are often trial-and-error-based. Trials can easily find unpatched security holes.
9: Misusing mail server configuration options
Some MTAs support hundreds of features, including many that lock down read/write permissions on files, subdirectories and executables. These features, and this recommendation, are born from countless everyday cases when software was blamed for administrators carelessly "leaving the keys in the lock" to mail server. If you don't want this to happen, don't ignore file, directory, and executable access permissions without understanding the consequences.
10: Providing information that allow servers to be profiled
Internet-exposed servers are regularly probed by hackers for vulnerabilities. If you don't want your company to be vulnerable, don't configure a server to offer information about itself in welcome messages or capability lists.
FOR MORE INFORMATION