'Utegate' another reason for CIOs to check their e-mail
- 24 June, 2009 15:25
Security experts are warning that CIOs may need to revisit their e-mail security following the recent fracas around the “Utegate” affair.
The affair, which involved a faked e-mail used to discredit the prime minister, opposition leader and treasurer, has highlighted deficiencies in e-mail security, according to Andrew Gordon, senior manager enterprise and partner at MessageLabs.
Gordon says CIOs first need to remember that e-mail was not originally designed with security in mind and needs to have security actively applied to it.
“When e-mail, and simple mail transfer protocol (SMTP), were created a couple decades ago, it was to promote free communication between academics and within government; it was always ‘simple’ mail transfer, not ‘secure’ mail transfer protocol,” he says.
Eddie Sheehy, CEO at e-discovery software provider Nuix, says from a CIO’s perspective e-mail is a tool that is widely used, but also highly abused.
“When somebody writes an e-mail it is sent from one person, through an e-mail server, and then to another person,” he says. “That e-mail is located in three locations, and possibly more if there is an archiving environment involved. On virtually any one of those locations, the e-mail can be extracted, adapted, then on-sent. The receiver of the adapted e-mail has no reason to know that e-mail has been changed, and anyone can do this.”
Sheehy says CIOs also need to be mindful that once an e-mail has been deleted, it hasn’t ceased to exist -- it just means that the headers of the file have been removed; the contents of the file are still there.
James Turner, an advisor on security at research firm IBRS, says that the catch with e-mail is that it has become an accepted, and even essential, component of many work flows.
“For example, not long ago a medium sized Australian organisation got totally burnt by accepting an e-mail order from overseas [as] the payment was a series of credit cards which turned out to be all stolen,” he says. “For most business people, an order coming from an unknown source, via e-mail, for a sizable order should be raising alarm bells. E-mails are easy to fake -- but only to people who don’t know this.”
While many security technologies now exist to better manage e-mail -- Transport Layer Security (TLS), Secure/Multipurpose Internet Mail Extensions (S/MIME) and Sender Policy Framework (SPF) -- CIOs need to be mindful that faking an e-mail, at least in physical form, can be as easy as editing a Word document, MessageLabs’ Gordon says.
“It’s very simple -- all you need to do is cut and paste Internet header information into a Word document,” he says. “It’s a representation of an e-mail, but when it is printed out there is no real ability to forensically detect whether it is real or not.”
Back in the electronic domain, there is more CIOs can do, Gordon says. Firstly, CIOs need to be mindful of compliance mandates, such as Sarbanes-Oxley, which will dictate whether they need to encrypt or authenticate at the server level all e-mail sent outside the organisation.
Comments
Anonymous
Typically useless CIO article that doesn't address the real problem.
I sign all my emails with GPG. Anyone who receives an email from me can verify it actually came from me.