sending e-mail across the Internet or other suspect networks uncovers a system’s security risks, even if the system is protected by a firewall.
We must understand these risks to ensure that our security policy describes how to minimize these risks.
Email is like any other form of communication. It is important to exercise judgment before emailing any confidential information. Because the email goes through many systems before it arrives, it is very likely that someone will intercept and read your email. Therefore, you may want to use security measures to protect the confidentiality of your email.
Common Email Security Risks
Here are some of the risks associated with using email:
A flood (a denial of service attack) occurs when a system becomes overloaded with multiple email messages. An attacker could easily create a simple program that sends millions of email messages (including empty messages) to a single email server in an attempt to flood that server. Without proper security, the target server could suffer a denial of service attack as its storage disk is filled with useless messages. The system may also stop responding because all system resources are involved in processing mail from the attack source.
Spam (spam email) is another common type of email attack. As the volume of e-commerce services offered over the Internet has grown, we have received a flood of unwanted or unsolicited business emails. This is spam, which is sent to e-mail users on a broad distribution list, filling everyone’s e-mail box.
Confidentiality is a risk when sending email to another person over the Internet. This email goes through many systems before it reaches the intended recipient. If messages are not encrypted, hackers can intercept and read your emails anywhere in the transmission path.
Email Security Options
To prevent the risk of flooding and spam, the email server must be properly configured. Most server apps give procedures for dealing with these types of cyber attacks. It is also possible to work with an Internet Service Provider (ISP) to ensure that the ISP provides some additional protection from these attacks.
The additional security measures required depend on the level of confidentiality required and the security features provided by the email application. For example, is it sufficient to keep the content of email messages confidential? Or do you want to keep all information associated with emails (such as source and destination IP addresses) sufficiently confidential?
Some applications have integrated security features that give you the protection you need. For example, Lotus Notes® Domino® provides some integrated security features, including encryption of entire documents or individual fields of documents.
To encrypt mail, Lotus Notes Domino creates unique public and private keys for each user. A message can be encrypted with a private key so that it is readable only by those who have the public key. The public key must be sent to intended message recipients so that they can use the public key to decrypt encrypted messages. If someone else sends you encrypted mail, Lotus Notes Domino will decrypt the message for you using the sender’s public key.
Information on using these Notes® encryption features can be found in the program’s online help file.
If you wish to provide greater confidentiality for e-mail or other information flowing between branch offices, remote clients, or business partners, you have several options.
If the e-mail server application supports Secure Sockets Layer (SSL), it can be used to create a secure communication session between the server and the e-mail client. SSL also provides support for optional client authentication when writing client applications to use SSL. Since the entire session is encrypted, SSL also ensures data integrity during data transmission.
Another option available is to configure a virtual private network (VPN) connection. Various VPN connections can be configured with the system, including connections between remote clients and the system. When using a VPN, all traffic flowing between communication endpoints is encrypted, which ensures data confidentiality and data integrity.