The IT industry will never eradicate security threats to email systems, and organisations should take a holistic approach to securing their communication systems to the level where they believe risk is manageable, according to panellists at the recent Inbox email conference in the US.
“Spam will be solved on the third Tuesday of when viruses will be solved,” joked John Thielens, CTO of Tumbleweed, an antispam and antivirus software vendor. “It will never be solved but there are a lot of products that are highly effective to the point of manageable risk,” he says.
At a panel session on email accreditation and reputation, Thielens told audience members that reputation services have taken off rapidly. These services profile the sender’s behaviour to determine the likelihood that a message is legitimate or spam. The sender’s reputation is determined based on multiple criteria, then assigned to categories or lists.
In most cases, reputation services look only for negative information. “There’s still no standard to do positive reputation,” says panellist George Schlossnagle of OmniTI Computer Consulting. “It’s exciting what [other vendors Habeas and Return Path] are doing. They’re not just identifying people who are bad, but identifying things that are good. That’s how you ensure those things pass through.”
Last month, Habeas said it would give ISPs and email security vendors free access to SenderIndex, its collection of information on more than 60 million IP addresses and domains, which also has details about good senders. SenderIndex is expected to be available at the end of June. Habeas hopes that other reputation services vendors will also share their information on the list as well.
Habeas marketing vice president JF Sullivan says it’s beneficial for organisations to deploy multiple reputation systems to ensure broad coverage. “The coverage I have versus other black lists is less than 6%. There are bad senders that other [reputation services] don’t see, so an aggregate of multiple systems is good for you,” he says.
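To make the aggregation point concrete, here is an added example of an inbound gateway that consults several reputation sources (two negative lists and one positive list) and shows why no single list covers everything. This is illustrative code written for this article, not software from Tumbleweed, Habeas, OmniTI or any other vendor mentioned; the source names, addresses and the sample batch of senders are constructed.

```python
"""Aggregate several sender-reputation sources into one inbound verdict.

Added example; the sources, sender addresses and sample batch are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed negative sources: IPs/domains each list has seen behaving badly.
NEGATIVE_SOURCES: Dict[str, dict] = {
    "blocklist-a": {"ips": ["203.0.113.0/24"], "domains": {"spam-example.test"}},
    "blocklist-b": {"ips": ["198.51.100.7/32"], "domains": set()},
}

# Constructed positive source (in the spirit of a 'good senders' index):
# domains with a track record and the networks they are expected to send from.
POSITIVE_SOURCE: Dict[str, List[str]] = {"goodsender.test": ["192.0.2.0/24"]}


@dataclass
class Verdict:
    category: str                                  # "blocked", "trusted" or "unknown"
    hits: List[str] = field(default_factory=list)  # which sources fired


def _ip_in(ip: str, nets: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def classify(sender_ip: str, sender_domain: str) -> Verdict:
    """Negative listings win over positive ones: a domain with a good history
    can still be relaying junk from a compromised host."""
    hits = [name for name, src in NEGATIVE_SOURCES.items()
            if _ip_in(sender_ip, src["ips"]) or sender_domain in src["domains"]]
    if hits:
        return Verdict("blocked", hits)
    nets = POSITIVE_SOURCE.get(sender_domain)
    if nets and _ip_in(sender_ip, nets):
        return Verdict("trusted", ["positive-list"])
    return Verdict("unknown")


# Constructed batch of inbound senders: (ip, domain).
BATCH: List[Tuple[str, str]] = [
    ("203.0.113.5", "newsletter.test"),      # only blocklist-a sees this
    ("198.51.100.7", "relay.test"),          # only blocklist-b sees this
    ("198.51.100.7", "spam-example.test"),   # both lists see this
    ("192.0.2.10", "goodsender.test"),       # positively listed
    ("192.0.2.200", "unknown.test"),         # nobody knows this sender
]


def coverage(batch: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count how many bad senders each source catches on its own, and how
    many the aggregate of all sources catches."""
    counts = {name: 0 for name in NEGATIVE_SOURCES}
    counts["aggregate"] = 0
    for ip, domain in batch:
        v = classify(ip, domain)
        for name in v.hits:
            if name in counts:
                counts[name] += 1
        if v.category == "blocked":
            counts["aggregate"] += 1
    return counts


if __name__ == "__main__":
    for ip, domain in BATCH:
        print(ip, domain, classify(ip, domain))
    print(coverage(BATCH))
```

On the constructed batch each blocklist alone catches two of the three bad senders, while the aggregate catches all three; that is the gap Sullivan's "less than 6%" remark describes. Checking a positive listing against the sending network, not just the domain, matters because the domain name in a message is trivially forgeable.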
At a panel discussing email encryption, Verizon director of product and platform services Kaushik Pillamarri described a Verizon desktop-to-desktop email service that encrypts sent email. The email remains encrypted as it sits on the recipient’s desktop waiting to be opened. If the recipient is not a subscriber to the Verizon service, the service prompts the sender to nominate a shared password that the recipient would know, such as the location of their last meeting. The recipient is asked for that password before he or she can open the email.
Chris Apgar, president and principal analyst of Apgar and Associates, which provides security consulting to healthcare organisations, says that when dealing with email messages with sensitive content, IT managers should ensure that the information is encrypted while the messages are in transit or sitting somewhere waiting to be opened. “[With] anything that is outward facing, you need to make sure that the server is hardened and the data is encrypted.”
Apgar says that even if organisations use tools to scan outgoing email messages to select sensitive content to encrypt — a method that may not catch all sensitive data — it is better to send an empty encrypted email than rely on users to remember to hit the ‘send as secure email’ button.
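The difference between "scan and encrypt what the scanner finds" and "encrypt everything outward-facing" is easiest to see with a small outbound policy engine run over a few messages. The following is an added example written for this article, not code from Apgar and Associates or any vendor; the scanner patterns, policy names and sample messages are constructed, and the medical record number format is deliberately one the scanner was never taught, to stand in for the data such tools miss.

```python
"""Outbound mail policy: content scanning versus encrypt-by-default.

Added example; patterns, policy names and messages are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed patterns the outbound scanner knows about. Any such list only
# recognises the formats someone thought to add, so its recall is never 100%.
SENSITIVE_PATTERNS: Dict[str, re.Pattern] = {
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card-number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "label": re.compile(r"\b(?:confidential|patient)\b", re.IGNORECASE),
}


def scan(body: str) -> List[str]:
    """Names of the patterns that match; an empty list means 'nothing found'."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]


def decide(body: str, outward_facing: bool, policy: str) -> Tuple[str, List[str]]:
    """Decide how a message leaves the organisation.

    policy == "scan"   : encrypt only when the scanner finds something.
    policy == "always" : encrypt every outward-facing message (even an empty
                         one), so a scanner miss or a user forgetting the
                         'send as secure email' button cannot leak cleartext.
    Returns (action, scanner_findings).
    """
    findings = scan(body)
    if not outward_facing:
        return "plaintext-internal", findings
    if policy == "always" or findings:
        return "encrypt", findings
    return "plaintext", findings


# Constructed outbound messages: (id, body, truly_sensitive). The third field
# is the ground truth a reviewer would assign, not something the scanner knows.
MESSAGES: List[Tuple[str, str, bool]] = [
    ("msg-1", "Please update the record for SSN 123-45-6789.", True),
    ("msg-2", "MRN 4471-9920 discharge summary attached.", True),   # scanner blind spot
    ("msg-3", "Lunch is at noon on Friday.", False),
    ("msg-4", "", False),                                            # empty body
]


def leaks(messages: List[Tuple[str, str, bool]], policy: str) -> List[str]:
    """IDs of truly sensitive messages that would leave in cleartext under the
    given policy, treating every message as outward-facing."""
    return [mid for mid, body, sensitive in messages
            if sensitive and decide(body, True, policy)[0] != "encrypt"]


if __name__ == "__main__":
    for policy in ("scan", "always"):
        print(policy, "leaks:", leaks(MESSAGES, policy))
```

Under the "scan" policy the message with the unfamiliar record-number format goes out unencrypted; under "always" nothing sensitive leaves in cleartext, at the cost of also encrypting the lunch invitation and the empty message, which is exactly the trade Apgar recommends making. The scanner still has value under the "always" policy as a source of findings for logging and review; it just no longer sits in the path that decides whether data is protected.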