Electronic mail, or Email, is the most pervasive means of communication today for businesses and private citizens, yet it was not designed with security in mind. Email applications are built into almost all smart devices, from phones and computers to gaming and sensor devices. However, the Email messages that these devices send and receive are transmitted in plain text in almost all cases. With ever-increasing cybercrime, sending plain-text messages that may contain sensitive data is a risky undertaking. This security weakness has made Email the primary attack vector for criminals, who use it as the simplest and cheapest method to ship malicious payloads to their targets.
The three core principles of information security, Confidentiality, Integrity and Availability (CIA), hold true in Email security as well. However, there is one more principle to consider in Email security: non-repudiation, meaning that the sender of an Email cannot later deny their intent to create or transmit the information or data contained in it.
Email is by far the most useful form of communication today, both for business and for social networking or personal communication. It will therefore remain the main medium for fast, easy and cheap information exchange in operations management and in daily business transactions. The information transmitted via Email often contains sensitive data that can be lucrative to anyone preying on network traffic. Secure Email means:
- There is a guarantee that the message sent will be delivered to the addressed recipient
- There is no interference, change or disclosure while in transit
- The recipient is assured that the sender is indeed the person who he claims to be
- No one else has viewed the content or added malicious payload while in transit.
The main consideration a firm should analyze in relation to Email security is the level of sensitivity of the messages being transmitted via Email. If business-to-business, business-to-customer or employee-to-employee Email communications do not contain sensitive data, the firm can save a lot on Email security spending. However, compliance with some regulations may require organizations to employ a certain level of security to meet the privacy protection requirements that apply to their customers' data.
One of the most common challenges in Email security is content filtering: unwanted and malicious content such as viruses, spam, and phishing attachments or messages should be filtered out before users open it and get hacked. The other challenge is to secure the messages that flow from the sending client to the sender's mail server, then to the receiver's mail server, and finally to the receiving client. Basically, securing Email requires securing the messages being transmitted. The transmission media, including the devices used to access Email clients, the servers that store and/or transmit Email messages, and the networks over which this transmission occurs, all need different levels of security to make the system safe for message transmission.
The main protocol used to send information from the sender's client to the sender's Email server, and then to forward these messages from the sender's Email server to the receiver's Email server, is the Simple Mail Transfer Protocol (SMTP). SMTP has no inbuilt capability to secure the Email message being transmitted, and it has many shortcomings when it comes to meeting security requirements. There is no inbuilt encryption function in SMTP. It stores information about sending clients, and if the SMTP server is compromised, Email can be read or copied with no further effort to decrypt, since the message is in plain text and the sender information can be easily accessed. In addition, SMTP does not have any inbuilt way of authenticating the identity of the sender; hence it is prone to repudiation and phishing. Many organizations take backups of Emails from SMTP servers and retain them for a long time. Even if the messages are deleted, a backup copy remains on the backup server for a long time, which increases the risk of losing sensitive data if the servers were to be compromised.
The POP3 and IMAP protocols, used for pulling Email from the receiver's Email server to the receiver's client, are a security risk in that they transfer the credentials used to authenticate to the mail server in plain text. That is the reason why the latest corporate Exchange servers disable these protocols by default and establish client access using the MAPI/RPC protocols. To overcome all these shortcomings of the protocols used to transmit messages via Email, modern Email systems implement additional security features through add-on security protocols. When properly implemented and configured, these add-on Email security protocols provide varying security features such as symmetric/asymmetric encryption, digital signatures and IP address verification. These capabilities significantly reduce the aforementioned issues with repudiation and phishing.
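Added example, not part of the original article: an audit routine that reads a mail protocol session log and reports credential commands sent before the connection was encrypted, which is the weakness described above for POP3 and IMAP and, with AUTH, for SMTP. The log format (direction, text) is an assumption of this example, STARTTLS/STLS are the standard upgrade commands rather than names taken from the article, and all sessions are constructed.

```python
import re

# Client commands that carry credentials, and commands that request a TLS upgrade.
CRED = {"smtp": r"^(AUTH)\s+(?:PLAIN|LOGIN)\b", "pop3": r"^(USER|PASS)\s+\S",
        "imap": r"^\S+\s+(LOGIN)\s+\S"}
UPGRADE = {"smtp": r"^STARTTLS\s*$", "pop3": r"^STLS\s*$", "imap": r"^\S+\s+STARTTLS\s*$"}
# Server replies that mean "go ahead, start TLS now".
ACCEPT = {"smtp": r"^220[ -]", "pop3": r"^\+OK\b", "imap": r"^\S+\s+OK\b"}

def audit_session(protocol, lines, implicit_tls=False):
    """Return [(line_number, verb)] for credential commands sent while unencrypted.

    lines is a list of (direction, text): "C" = client, "S" = server.
    implicit_tls=True means the whole session ran inside TLS from the first byte.
    Only the command verb is reported, never the credential itself.
    """
    encrypted, awaiting_reply, findings = implicit_tls, False, []
    for number, (direction, text) in enumerate(lines, start=1):
        if direction == "S":
            if awaiting_reply:  # the server's answer decides whether TLS starts
                encrypted = encrypted or bool(re.match(ACCEPT[protocol], text, re.I))
                awaiting_reply = False
            continue
        if re.match(UPGRADE[protocol], text, re.I):
            awaiting_reply = True
            continue
        cred = re.match(CRED[protocol], text, re.I)
        if cred and not encrypted:
            findings.append((number, cred.group(1).upper()))
    return findings

# Constructed sample sessions (hosts, users and credentials are made up).
SMTP_NO_TLS = [("S", "220 mail.example.test ESMTP"), ("C", "EHLO pc.example.test"),
               ("S", "250 AUTH PLAIN LOGIN"), ("C", "AUTH PLAIN AGFsaWNlAGNvbnN0cnVjdGVk")]
POP3_UPGRADED = [("S", "+OK ready"), ("C", "STLS"), ("S", "+OK begin TLS"),
                 ("C", "USER alice"), ("C", "PASS constructed")]
IMAP_REFUSED = [("S", "* OK ready"), ("C", "a1 STARTTLS"), ("S", "a1 BAD not available"),
                ("C", "a2 LOGIN alice constructed")]

if __name__ == "__main__":
    for proto, session in (("smtp", SMTP_NO_TLS), ("pop3", POP3_UPGRADED),
                           ("imap", IMAP_REFUSED)):
        print(proto, audit_session(proto, session))
```

The IMAP session shows the failure mode worth alerting on: the upgrade was requested, the server refused it, and the client logged in anyway.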
For content filtering, implement malicious-program scanning and spam filtering tools at the mail client and at the server or system level, to keep malicious programs from reaching end users and causing damage. User training should also be part of the Email security strategy: experts conduct awareness training that gives users the skills and tools they need to identify malicious mail content and attachments, and to send any suspicious Email to the information security department so it can investigate the origin and contents of those Emails.
To secure the Email message itself, avoiding the transmission of clear-text messages is the first big step. To that end, a combination of cryptography and transport layer security protocols can be implemented at different points in the Email transmission system. Encrypting the message keeps it safe if it is intercepted in transit or if, due to a system issue or a human mistake during sending, it goes to the wrong inbox or recipient. To achieve this goal, the most commonly used solutions, such as Pretty Good Privacy (PGP), GNU Privacy Guard (GPG), public key infrastructure (PKI) and digital signatures, provide the mechanisms and algorithms needed to secure Email messages in transit.
Pretty Good Privacy (PGP) is an open source application layer cryptography tool. It secures Email by enabling authentication and by helping to send messages confidentially. It uses private-public key cryptography to provide secure Email message transmission. PGP encryption uses a fast encryption algorithm. When using this tool, the sender of an Email encrypts the message with the public key of the receiver, and upon arrival the receiver decrypts the message using their private key.
GNU Privacy Guard (GPG) is implemented in a similar fashion to PGP and hence uses public-key cryptography. GPG, also commonly known as GnuPG, uses a key pair: a private key, which only its creator holds, and a public key, which is shared with others or stored on a key server so that others can use it to encrypt messages addressed to the owner of the key. In addition to the primary keypair, GnuPG uses subordinate keypairs to simplify key management. The cryptographic algorithm used is based on PGP, with some modifications or additional features.
Public key infrastructure (PKI), on the other hand, is a set of roles or processes used to facilitate public key management. In Email security, it provides the foundation for binding public keys to identities or entities. It allows the distribution and use of public keys in a way that gives different applications an out-of-the-box solution for implementing cryptography.
Digital signatures are used to sign Email messages so that the creator or sender of the message can be authenticated. Although a digital signature uses key pairs to authenticate the sender of the message and to time-stamp the message or document, it works differently from PGP or GnuPG encryption: the private key is used to sign the message, and the public key is used to authenticate the identity or originality of the signed message. A message signed with one's digital signature carries the same validity and authenticity as one signed with one's own signature.
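Added example, not from the original article: the two key directions described above, encryption with the receiver's public key (PGP/GnuPG) and signing with the sender's private key (digital signatures), shown with textbook RSA using only the Python standard library. The keys are built from fixed Mersenne primes and carry no padding, so this illustrates key direction only; the names Alice and Bob and the message are constructed.

```python
import hashlib

# Toy key generation from two known primes. Real keys use random primes, and real
# tools add padding and hybrid (session key) encryption. Illustration only.
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # private exponent (Python 3.8+)
    return (n, e), (n, d)            # (public key, private key)

def encrypt(message: bytes, recipient_public):
    n, e = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext: int, recipient_private) -> bytes:
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, sender_private) -> int:
    n, d = sender_private            # only the sender can produce this value
    return pow(_digest(message, n), d, n)

def verify(message: bytes, signature: int, sender_public) -> bool:
    n, e = sender_public             # anyone holding the public key can check it
    return pow(signature, e, n) == _digest(message, n)

# Constructed keys: Alice is the sender, Bob the receiver.
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)
MESSAGE = b"Quarterly figures attached (constructed sample)"

if __name__ == "__main__":
    ciphertext = encrypt(MESSAGE, BOB_PUB)        # confidentiality: Bob's public key
    signature = sign(MESSAGE, ALICE_PRIV)         # authenticity: Alice's private key
    print("Bob decrypts:", decrypt(ciphertext, BOB_PRIV))
    print("signature valid:", verify(MESSAGE, signature, ALICE_PUB))
    print("tampered valid:", verify(MESSAGE + b"!", signature, ALICE_PUB))
    print("wrong key valid:", verify(MESSAGE, signature, BOB_PUB))
```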
To conclude, Email security is achieved when Email content is secure, Email messages are read and accessed by the intended recipient only, and the devices that transmit, store and facilitate the reading and creation of Email messages are secure. For optimum security, an Email message should be encrypted from the moment its creator hits the send button on the client, all the way through the system until it reaches the receiver's client, and it should remain encrypted until the receiver opens it for reading, at which point it should be decrypted automatically. The recommendation is to use a mix of end-to-end encryption solutions such as PGP and GnuPG, together with digital signatures and smart cards to digitally sign Emails.
Email servers store copies of Emails even after they are deleted. The software products used on client devices such as laptops, desktops and smartphones to compose and access Emails can be accessed if the devices are not well secured. The network devices used to transmit Email messages should be secure as well. The recommendation is to have standard network and server security procedures, such as identity management, firewall configuration and the use of intrusion detection and prevention systems, and to implement them strictly to make the Email system secure.