Insecure messaging comes with a host of dangers, including data loss, theft and leakage, compromised systems, downtime and loss of productivity. Unfortunately, secure messaging is no longer as straightforward as keeping the latest virus from entering an organization via e-mail. At Information Security Magazine's Security Decisions conference, Jim Reavis, president of Reavis Consulting Group, outlined ten steps for a holistic secure messaging strategy. Here are the highlights.
- Enforceable policies that users understand. Policies should clearly communicate acceptable and appropriate usage, with clear definitions and examples. Users should know what is good behavior and what is bad behavior, Reavis said.
- Build your messaging architecture to allow for granular rules control. "We need agility in our networks and messaging systems," said Reavis. By compartmentalizing you can improve incident response and provide limited service during an incident.
- Develop a formalized computer emergency response team (CERT) and incident response plan specific to messaging incidents. A specialized messaging response team should focus on containment, disinfection, remediation and rebuilding systems.
- Create an awareness program to strengthen your last line of defense – your users. Include courseware such as PowerPoints or Flash to reinforce policy and educate about threats and safe practices. Tell users what to do in case of an incident and where to go for help. Make it easy for users to report incidents via the company intranet. If the reporting procedure is difficult or makes users feel dumb, they won't report.
- Maintain a baseline and continuous measurement system of your network. "If you don't understand how your network operates, you don't understand your business," Reavis said. This includes network traffic analysis, e-mail and IM logging and trend analysis.
- Increase your organization's use of encryption. While encryption is virtually unbreakable, most organizations only encrypt 1% of all messages, Reavis said.
- Proxy all connections, including peer-to-peer applications such as instant messaging. You can also do e-mail encryption by proxy, Reavis said. An encryption proxy sits on the network between the e-mail server and the Internet. The proxy manages keys, encrypts messages and gives the recipient the option of a secured SMTP message or Webmail.
- Deploy multiple layers of virus/spam protection. There are five possible antivirus scanning points: e-mail client, e-mail server, antivirus gateway, network layer antivirus appliance and a managed security service provider. Reavis recommended using three of these five points and using two different vendors.
- Deploy best-of-breed solutions. "This is where the industry is right now. Integrated suites are very immature and don't provide adequate security," Reavis said.
- Finally, take an integrated team approach to securing your organization's messaging systems.
This was first published in October 2003