What is email security and what are the different mechanisms to ensure email security?
Securing email communications effectively is an important part of an organizational information security program. To secure email communications, an organization should have an email security policy in place that has senior management support and approval. Topics an email security policy may cover include an acceptable use policy (AUP), email management, email backup and retention, access control, privacy regulation, and similar issues. Furthermore, the policy should be shared with personnel as part of initial and continuing security training. Such policies help organizations deal with common cyberattacks such as phishing, spam, and other social engineering attacks.
Some techniques that organizations can employ to strengthen their email communications include the following:
- Deploy, run and update antimalware and endpoint security solutions
- Deploy filters to minimize spam and mailbombing problems
- Employ encryption to prevent eavesdropping attacks and protect the confidentiality of email messages
- Block malicious attachments and potentially risky filename extensions
- Enforce all incoming email communications to pass through antimalware scanning solutions
- Use digital signatures to combat masquerading attempts and tampering threats
- Conduct security awareness training for all personnel
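The attachment-blocking item above is easy to state and easy to get wrong: a deny-list on the last extension alone misses nothing, but a gateway also wants to flag names such as `invoice.pdf.exe` that present a decoy extension. The following is an added example (not code from the original page) showing how such a policy can be applied to a parsed MIME message with Python's standard `email` package; the deny-list, the decoy list and the sample message are constructed for illustration.

```python
"""Added example (not from the original page): scan a MIME message for
attachments whose filename matches a deny-list of risky extensions or
uses a misleading double extension. The lists and the sample message are
constructed for illustration, not taken from any real gateway policy."""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from typing import Optional

# Constructed deny-list of extensions commonly blocked at mail gateways.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta",
                    ".ps1", ".jar", ".iso", ".lnk"}
# Constructed list of "document-looking" extensions used as decoys in
# double-extension names such as report.pdf.exe.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_message() -> bytes:
    """Construct a sample multipart message with three attachments: one
    benign PDF, one double-extension executable and one script file.
    The attachment bodies are placeholder bytes, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"placeholder script", maintype="application",
                       subtype="octet-stream", filename="notes.vbs")
    return msg.as_bytes()


def classify_filename(name: str) -> Optional[str]:
    """Return a reason string if the filename violates the policy, else None.
    The check is case-insensitive and looks at the final extension first,
    then at whether the preceding extension is a decoy."""
    lowered = name.strip().lower()
    pieces = lowered.split(".")
    if len(pieces) < 2:
        return None  # no extension at all
    ext = "." + pieces[-1]
    if ext not in RISKY_EXTENSIONS:
        return None
    if len(pieces) >= 3 and "." + pieces[-2] in DECOY_EXTENSIONS:
        return f"double extension disguised as .{pieces[-2]}: {name}"
    return f"risky extension {ext}: {name}"


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return one finding per attachment
    that violates the filename policy (an empty list means no findings)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue  # unnamed parts are left to content-type inspection
        reason = classify_filename(name)
        if reason:
            findings.append(reason)
    return findings


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print("BLOCK:", finding)
```

A filename check is only the first layer: a gateway should still pass every attachment through antimalware scanning and consider the declared and detected content type, since a renamed executable does not change its bytes.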
Essential email security goals include the following:
- Authenticate and verify the source of messages
- Maintain message integrity
- Restrict access to messages to their intended recipients (confidentiality)
- Provide nonrepudiation services
- Verify the delivery of messages to intended recipients
- Access control
- Privacy
Some solutions that organizations can employ to address email communication security may include the following:
- Secure Multipurpose Internet Mail Extensions (S/MIME): A de facto email security standard that employs public key cryptography and digital signatures to provide authentication and confidentiality for email messages. X.509 digital certificates are used in email systems to provide authentication services. Two types of messages can be formed using the S/MIME standard, namely signed messages and enveloped messages. Signed messages provide integrity, sender authentication, and nonrepudiation of the sender, whereas enveloped messages provide integrity, sender authentication, and confidentiality of the message.
- Pretty Good Privacy (PGP): A peer-to-peer, public key cryptography based email system that employs various encryption algorithms to encrypt files and email messages between communicating parties. PGP uses RSA, the International Data Encryption Algorithm (IDEA), and other cryptographic algorithms. PGP encryption can also be employed to protect files and other digital assets in addition to email.
- Sender Policy Framework (SPF): An organization can configure its SMTP servers for SPF to protect itself against spam and email spoofing attacks.
- DomainKeys Identified Mail (DKIM): A means to assert that valid mail is sent by an organization, through verification of domain names. DKIM adds a layer of authentication and nonrepudiation that is particularly helpful in identifying and filtering out spoofed email addresses, using public keys and digital signing mechanisms.
- MIME Object Security Services (MOSS): An email security standard that provides authentication, confidentiality, integrity, and nonrepudiation services for email messages. It employs the MD2 and MD5 hashing algorithms, RSA public key cryptography, and DES to provide authentication and encryption (confidentiality) services.
- Privacy Enhanced Mail (PEM): An email encryption technique that provides authentication, integrity, confidentiality, and nonrepudiation services. PEM uses RSA, DES, and X.509 to secure emails.
- Forced Encryption: Requiring TLS for email transport so that messages are encrypted in transit.
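The SPF and DKIM items above describe what the two mechanisms assert but not what a receiving server actually computes. The following is an added example (not code from the original page) of the two receiver-side checks: walking an SPF record to decide whether a sending IP is authorized, and recomputing the DKIM `bh=` body hash with "relaxed" canonicalization so that a body edited in transit is detected. DNS answers come from a constructed in-memory table rather than live lookups, the domains are hypothetical, and only the body-hash step of DKIM is shown; the `b=` signature over the headers would still need the selector's public key and an RSA library.

```python
"""Added example (not part of the original page): two receiver-side checks
behind SPF and DKIM. evaluate_spf() walks an SPF record for a sending IP;
verify_body_hash() recomputes the DKIM bh= body hash with 'relaxed'
canonicalization. DNS answers come from a constructed in-memory table."""
from __future__ import annotations

import base64
import hashlib
import hmac
import ipaddress
import re

# Constructed TXT records standing in for live DNS (hypothetical domains).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return an SPF result (pass/fail/softfail/neutral/none/permerror) for
    sender_ip against the domain's record. Only ip4, ip6, include and all
    are modelled; a, mx, exists and redirect= yield permerror here."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per evaluation
        return "permerror"
    record = FAKE_DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            try:  # an IPv4 address never matches an IPv6 network, and vice versa
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qual]
            except ValueError:
                return "permerror"
        elif mech == "include":
            if evaluate_spf(arg, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"  # no term matched and no 'all' present


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs
    of SP/HTAB to one SP, drop trailing whitespace on each line, drop empty
    lines at the end, and terminate a non-empty body with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ")
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8") if lines else b""


def compute_body_hash(body: str) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs (folding removed)."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """Check only the bh= step of DKIM verification. The b= signature over
    the headers still has to be checked with the selector's public key."""
    tags = parse_dkim_tags(dkim_header)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "relaxed" or not tags.get("a", "").endswith("sha256"):
        raise NotImplementedError("only relaxed body canonicalization with SHA-256 is modelled")
    return hmac.compare_digest(tags.get("bh", ""), compute_body_hash(body))


SAMPLE_BODY = "Hello Alice,\n\nYour  invoice is attached.\n\n\n"  # constructed


def build_sample_dkim_header(body: str) -> str:
    """Constructed signer-side header: real bh=, placeholder b= signature."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\n"
            f"\th=from:to:subject; bh={compute_body_hash(body)};\n"
            f"\tb=PLACEHOLDER_SIGNATURE_NOT_COMPUTED")


if __name__ == "__main__":
    print("SPF 192.0.2.7:", evaluate_spf("example.com", "192.0.2.7"))
    print("SPF 203.0.113.5:", evaluate_spf("example.com", "203.0.113.5"))
    header = build_sample_dkim_header(SAMPLE_BODY)
    print("bh matches original body:", verify_body_hash(header, SAMPLE_BODY))
    print("bh matches edited body:",
          verify_body_hash(header, "Hello Alice,\n\nYour invoice is cancelled.\n"))
```

Two points the code makes that the prose does not: an SPF `include:` only contributes a match when the included record itself yields `pass`, so a `~all` in the provider's record does not soften the organization's own `-all`; and relaxed canonicalization deliberately tolerates whitespace rewrapping by intermediate mail servers while still catching any change to the words of the message.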