Online Security and Threats to email

an article added by: Frank C. at 06032007



Points of exposure

Email

There is a gaping hole in every organisation that exposes it to untold risk: email. Indicii Salus reports on the dangers of unprotected email and reviews how best to safeguard its confidentiality, integrity and authenticity.

Email is one of the simplest and most effective communication tools available. It is quick, convenient and cheap, but unless used properly it is fundamentally insecure. A message is as public as a postcard, and it leaves a written record long after it has been erased: any skilled or knowledgeable person can recover a long-forgotten or buried email message from deep inside a networked system. There is no doubt that in a business environment the use of email and the Internet threatens a business’s ability to protect company intellectual property and other confidential information.

The Office for National Statistics’ Internet Access report (2002) showed that, for UK users, email was one of the Internet’s most widely used and valuable applications, with 71 per cent of users accessing email on a regular basis.1 The overwhelming majority of those users, however, fail to protect their email adequately against possible attacks. In an article published in May 1999 by BBC News Online, it was reported that the research group Information Data Services (IDS) had urged employers to draw up clear ‘cyberliability’ policies in the wake of several high-profile industrial tribunals on the use of electronic media at work. It is clear that the government needs to set out definite guidelines and regulations for the safe use of email.

The events of 11 September 2001 brought new challenges to the protection of privacy in the modern age and led governments worldwide to extend control over individuals through the law and technology. Email security is unquestionably the next big IT security issue, and that raises the following question: if a company’s most valuable asset apart from its workforce is its intellectual property, why are so many businesses failing to take the crucial steps towards protecting that property in its electronic form when it would be both simple and cost-effective for them to do so?

Given the strictly monitored methods that are applied to the treatment of hard-copy letters and other documents, it is illogical for electronically transmitted information to be treated in the haphazard and insecure fashion that typifies common business practice regarding the use of email. There is no truly viable reason why the majority of businesses are failing to take the crucial steps to protect their intellectual property, especially when it is considered that emails have now replaced letters as the most widely used form of business communication in the UK. Emails, which can be as legally binding as paper letters, need to be signed securely, subject to document controls, delivered safely, protected from interception or intrusion, and generally treated with the same respect as paper-based communications. To treat them in what amounts to an offhand fashion would be asking for trouble.

The main challenge to be met by IT security professionals is to overturn corporate Britain’s complacency in the face of clear but avoidable threats to the confidentiality of electronically transmitted information. Support for the IT industry has ultimately come from the government, with the Data Protection Act (1998), and from the British Standards Institution, with the BS 7799 standard; both have strong repercussions for anybody wishing to communicate using email.

IT security experts understand the issues surrounding the use of the Internet in greater depth than the average person in the street, but the need to extend this awareness to all Internet users is now critical. Letters have been used as a form of communication for thousands of years, so it is no wonder that people have learnt how to deal with them safely. For the Internet, and consequently email, there has been far less time for users to absorb the underlying principles and implications surrounding its use.

The main points of exposure within the process of sending unprotected email are:

1. Confidentiality. The information sent is vulnerable to being read anonymously by any unauthorised person while it is in transit. Standard SMTP carries a message as plain text from mail server to mail server, so anyone with access to a network segment or relay on its path (a colleague on the same office LAN, the administrator of an intermediate server, or an attacker who has compromised either) can read it without leaving a trace; attacks of this kind are easy to perform by almost anyone who has that access and the will to do so. A good analogy for this type of email hack is the postman who allows another person to read other people’s postcards before delivering them to the rightful recipients.

2. Integrity. The contents of an unprotected email can also be modified anonymously while they are in transit and then passed on to the recipient as if they were the original message, without either the recipient or the sender being any the wiser. Nothing in a plain email ties its contents to the sender, so the recipient has no way of telling that the text was changed; only a signature computed over the message by the sender lets such a change be detected. As an extension of the analogy given in point 1 above, an individual could forge alterations to the postcard before allowing it to be delivered by the postman.

3. Authenticity. Emails can be easily and anonymously forged so that messages appear to come from a particular person. These could then be sent to somebody without either the person whose name was forged or the recipient ever discovering that the message was not genuine. The From: header of a message is simply text chosen by whoever submits it, and the receiving server does not check it, so forging a sender requires no special skill. This form of attack is known as spoofing. In this case a forger would write and sign a postcard in somebody else’s name before sending it to the chosen victim.
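The following is an added example, not code from the original article or from Indicii Salus, showing what "signing an email securely" buys the recipient against points 2 and 3 above. It computes a tag over the From, To and Subject headers and a hash of the body, then checks a received message against it: a body altered in transit, a rewritten From: header and a message forged by someone without the key are all rejected, while a Received: header added by a relay is tolerated. HMAC-SHA256 under a key shared by sender and recipient stands in for the public-key signature that S/MIME, OpenPGP or DKIM would use (the Python standard library has no public-key cipher); the header name X-Example-Signature, the addresses, the key and the message text are all assumptions constructed for the example. It does nothing for point 1: the body still travels in clear, and only encryption hides it.

```python
# Added example (not part of the original article): a tag over the parts of an
# email that matter, so a recipient can detect modification and forgery.
# HMAC-SHA256 under a pre-shared key stands in for a public-key signature; the
# X-Example-Signature header, the addresses and the key are assumptions.
import hashlib
import hmac
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SIGNED_HEADERS = ("from", "to", "subject")   # headers the tag covers
TAG_HEADER = "X-Example-Signature"           # hypothetical header carrying the tag


def _canonical(msg: EmailMessage) -> bytes:
    """Return the bytes the tag is computed over.

    Only the headers in SIGNED_HEADERS and a hash of the text body are covered,
    so headers that relays legitimately add in transit (Received:, Return-Path:)
    do not invalidate the tag, while any change to sender, recipient, subject
    or body does.  Whitespace and line endings are normalised so that benign
    re-folding by a mail server does not look like tampering.
    """
    fields = []
    for name in SIGNED_HEADERS:
        value = msg.get(name, "")
        fields.append(f"{name}:{' '.join(str(value).split())}")
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    lines = text.splitlines()
    while lines and not lines[-1].strip():       # drop trailing blank lines
        lines.pop()
    body = ("\r\n".join(lines) + "\r\n").encode("utf-8")
    fields.append("body-sha256:" + hashlib.sha256(body).hexdigest())
    return "\r\n".join(fields).encode("utf-8")


def sign(msg: EmailMessage, key: bytes) -> EmailMessage:
    """Attach a tag over the covered headers and body; returns the same message."""
    del msg[TAG_HEADER]                          # never leave two tags behind
    msg[TAG_HEADER] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify(raw: bytes, key: bytes) -> bool:
    """Parse a received message from its wire bytes and check its tag."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    tag = msg.get(TAG_HEADER)
    if tag is None:                              # unsigned: nothing to trust
        return False
    expected = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(tag).strip())


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    return msg


def demo() -> dict:
    """Run the attack scenarios on a constructed message and return each
    verification result, so the outcome can be checked programmatically."""
    key = b"shared-secret-for-example-only"      # assumption: pre-shared key
    genuine = sign(build_message("alice@example.com", "bob@example.com",
                                 "Invoice 42",
                                 "Please pay invoice 42 to account A.\n"),
                   key).as_bytes()
    # A relay adds a Received: header on the way (normal and harmless).
    relayed = b"Received: from mx.example.com (constructed)\n" + genuine
    # Point 2: the body is altered in transit.
    tampered = genuine.replace(b"account A", b"account B")
    # Point 3: the From: header is rewritten to impersonate someone else.
    spoofed_header = genuine.replace(b"From: alice@example.com",
                                     b"From: ceo@example.com")
    # Point 3 again: a forger without the key writes and tags a message in Alice's name.
    forged = sign(build_message("alice@example.com", "bob@example.com", "Invoice 42",
                                "Please pay invoice 42 to account B.\n"),
                  b"attacker-guessed-key").as_bytes()
    unsigned = build_message("alice@example.com", "bob@example.com",
                             "Hi", "no tag at all\n").as_bytes()
    return {
        "genuine": verify(genuine, key),
        "relayed": verify(relayed, key),
        "tampered": verify(tampered, key),
        "spoofed_header": verify(spoofed_header, key),
        "forged": verify(forged, key),
        "unsigned": verify(unsigned, key),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:15s} {'verified' if ok else 'REJECTED'}")
```

The design point is which bytes the tag covers: sign the whole raw message and every hop that adds a Received: line breaks verification; sign only the body and the From: header can be rewritten freely. Covering a chosen header set plus a body hash, as DKIM does, is the usual compromise, and the recipient must still decide what to do with an unsigned message, which is why verify() treats a missing tag as a failure rather than as "nothing to check".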

Consequences

Cyber-criminals go about their business for a variety of reasons, and the majority of them operate covertly within their own company. Their motives range from an intention to gain a competitive edge (corporate espionage) to the desire to exact revenge or to further a political cause. It is painfully simple for an employee to read the emails of another employee, and it should come as no surprise that, according to current research,2 over 70 per cent of IT security breaches are committed by an organisation’s own staff, yet employers seldom take adequate steps to safeguard their confidential correspondence from internal spies. Whatever the case may be, the consequences are often severe, and the majority of victims whose email has been attacked try to cover up the situation for fear of the embarrassment (or other undesirable scenario) that might ensue if the vulnerability were to become publicly known.

There are well-documented cases in the media of what can happen when emails are left lurking unprotected for anybody to unearth: for example, the case of Jo Moore, whose confidential emails to Transport Secretary Stephen Byers were leaked in the wake of 11 September 2001, to the great embarrassment of both herself and the government. Another well-known case happened on 3 November 2000, when an anti-Israeli hacker attacked the website of one of Washington’s most powerful lobbying organisations, the American–Israeli Public Affairs Committee (Aipac). The attacker, the self-styled ‘Doctor Nuker, founder of the Pakistan Hackerz Club’, published critical emails downloaded from Aipac’s own databases, as well as credit card numbers and email addresses of Aipac members.

Reasons to address the threats

While horror stories abound, the average business or private user of email might feel they have nothing much to hide and are unlikely targets for hackers. Unfortunately, there is no room for naivety of this kind:

1. The Data Protection Act (1998) makes it clear that specific steps must be taken to secure certain types of information.

2. ‘The Act contains eight Data Protection Principles. These state that all data must be:
   - processed fairly and lawfully;
   - obtained and used only for specified and lawful purposes;
   - adequate, relevant and not excessive;
   - accurate and, where necessary, kept up to date;
   - kept for no longer than necessary;
   - processed in accordance with the individual’s rights (as defined);
   - kept secure;
   - transferred only to countries that offer adequate data protection’.3

3. Given that emails that have apparently been deleted can still be dredged from the hard drive of a user’s PC (and Oliver North would testify to this), it stands to reason that the safe-deletion function offered by email encryption solutions is the most practical method for ensuring that information relating to out-of-date records is properly disposed of.4

4. The basic right to privacy is something to which everybody is entitled, but basic rights can be taken for granted until such time as they are forcibly taken away. The ability of hackers to cause chaos is a real and present danger that should not be ignored by anyone, even if they consider their own emails to be totally innocuous. At some stage most Internet users send information by email that they would rather keep as private correspondence between themselves and their chosen recipient; so why would those users risk their credibility or reputation by sending an email in an unprotected format? Recent EU directives on data privacy urge companies to protect the data that they deal in as it makes its way across cyberspace.

5. BS 7799, first published in February 1995 (revised in May 1999), is a comprehensive set of controls comprising best practices in information security and is meant to serve as a single reference point for identifying the controls needed for most situations where IT systems are used in industry and commerce.

The international version of the standard is ISO/IEC 17799:2000. These standards constitute the benchmark against which companies will be measured, and it has been suggested that an organisation’s BS 7799 status should be included in its annual returns/annual report.5 To ignore or contravene the best practice guidelines laid out by BS 7799 and ISO/IEC 17799:2000 would leave a company open to various liabilities arising from other laws or from contractual obligations. For example, the unwitting disclosure (because of an unprotected email) of somebody else’s trade secret, or of material given under a non-disclosure agreement (NDA), could well be considered gross negligence.

Some people believe that the future of security enforcement lies with insurance and that companies will be liable for damage caused by faulty products or procedures, regardless of any broad disclaimer statements they might have made. Companies would then insure against such claims, and premiums would vary depending on the security features implemented. Enhanced security would therefore become not just a legal requirement but also a financial advantage (through lower insurance premiums).

It is clear that there is a widespread lack of awareness regarding secure emailing practices. In both the public and private sectors a security policy is the most basic discipline in information security, yet almost 75 per cent of businesses do not have any such clearly defined policy. Only 49 per cent have documented procedures to ensure compliance with the Data Protection Act (1998). As mentioned above, the recognised international standards for information security management are BS 7799 and the related ISO/IEC 17799:2000, but only 15 per cent of people responsible for IT security are aware of their content.

Notes

3 This excerpt is background information taken from the Data Protection Act Shop’s website at: www.data-protection-act.co.uk.

4 The overall security of email is likely to be of greater immediate concern to certain types of organisation, especially those in the public sector. The health service, for example, has an urgent need to guarantee the privacy of patient records during communications, and thus has a greater awareness of the Data Protection Act itself, the risks posed by insecurity, and the methods that can be used to achieve the required level of protection.

5 Information taken from the www.securityrisk.co.uk website, which provides advice on BS 7799 compliance.
