E-Mail Use Policy

By: Joe Narvaez


Overview

• The Policy
• The Threat of:
   - Information leaks
   - Malicious or offensive content
   - Virus attacks
   - Spam
• Prevention


The Policy (Offered by SANS)

Prohibited Use
• The Company's email system should not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs, political beliefs, or national origin.

Personal Use
• Non-work-related email should be saved in a separate folder from work-related mail. Sending chain letters or joke emails from a company email account is prohibited.


The Policy

Monitoring
• Company employees should have no expectation of privacy in anything they store, send, or receive on the company’s email system. The Company may monitor messages without prior notice.

Enforcement
• Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.


The Threat of... Information Leaks

• Organizations often fail to acknowledge that there is a greater risk of crucial data being stolen from within the company rather than from outside.
• Various studies have shown how employees use e-mail to send out confidential corporate information, be it because they are disgruntled, revengeful, or because they fail to realize the potentially harmful impact of such a practice.
   - 30% of 800 employees surveyed admitted that they had sent confidential information.
   - Ten percent admitted receiving e-mail containing confidential information.


The Threat of... Information Interception

• Unsecured e-mail can fall prey to malicious software tools such as sniffers, which automatically lie in wait for interesting information relayed through their system as e-mails are transferred from sender to recipient.
• Unknown to e-mail senders, sniffers are placed in the path of all e-mail messages going through a computer.
• When analyzing an e-mail message, we can get a lot of information about its sender, such as IP address, geographic location, time zone, language preferences, computer LAN name, and e-mail software used.
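To see how much of that list sits in plain headers, the following added example (not part of the original slides) reads one constructed message and pulls out the first-hop client name and IP, the sender's UTC offset, language and mail software. The sample message, the `sender_metadata` function and the `RECEIVED_RE` pattern are assumptions made for illustration; geographic location would need a separate IP-geolocation lookup and is left out.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message: every host, address and value is made up.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.9])
\tby mail.example.org with ESMTPS; Tue, 04 Mar 2025 09:15:03 +0000
Received: from FINANCE-PC07 (unknown [198.51.100.23])
\tby mx.example.net with ESMTPA; Tue, 04 Mar 2025 10:15:01 +0100
From: Jane Doe <jane@example.net>
To: bob@example.org
Subject: Quarterly numbers
Date: Tue, 04 Mar 2025 10:14:58 +0100
Content-Language: de-DE
X-Mailer: ExampleMail 7.2

Hello Bob
"""

# Matches the common "from NAME (rdns [IP])" shape of a Received line.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^\[\)]*\[([0-9a-fA-F.:]+)\]\)")


def sender_metadata(raw: str) -> dict:
    """Collect the sender details the headers of one message disclose."""
    msg = email.message_from_string(raw)
    info = {}
    # Each relay prepends its Received line, so the last one is the first hop.
    hops = msg.get_all("Received") or []
    if hops:
        m = RECEIVED_RE.search(" ".join(hops[-1].split()))
        if m:
            info["client_name"], info["client_ip"] = m.groups()
    try:
        info["utc_offset"] = parsedate_to_datetime(msg["Date"]).strftime("%z")
    except (TypeError, ValueError):
        pass  # Date header missing or malformed
    for key, names in (("language", ("Content-Language", "Accept-Language")),
                       ("mail_software", ("X-Mailer", "User-Agent"))):
        value = next((msg[n] for n in names if msg[n]), None)
        if value:
            info[key] = value.strip()
    return info


if __name__ == "__main__":
    print(sender_metadata(SAMPLE))
```

Running the same function over a message your own gateway has sent shows which of these fields leave the organization and could be stripped or rewritten at the outbound relay.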


The Threat of... Malicious or Offensive Content

• It is important for employees to recognize that oftentimes the e-mail they send makes a first impression on the receiver, representing their company.
• E-mails sent by staff containing racist, sexist or other offensive material could prove very troublesome, not to mention embarrassing – and expensive!
   - Antitrust case against Microsoft Corp.
   - Chevron had to pay $2.2 million to settle a lawsuit resulting from an e-mail message bearing sexist contents.
• Offensive e-mails can cause considerable damage to the work environment simply by generating an unpleasant, hostile or unprofessional atmosphere.


The Threat of... Viruses

• Viruses are a major e-mail security hazard that companies simply cannot afford to ignore. Over 15,000 different computer viruses exist to date and some 500 new ones are created each month.
• The extent of the problem is so great that today many companies have even begun to prohibit the use of e-mail attachments, as this is where viruses are often embedded.
• An infected PC may not crash immediately. The virus may first raid your email address book and email itself to everyone it can, and then destroy your data.


The Threat of... Spam

• A recent survey shows that about 90 per cent of e-mail users receive spam – or unsolicited commercial mail – at least once a week.
• As well as consuming bandwidth and slowing down e-mail systems, spam is a frustrating time-waster, forcing employees to sift through and delete mounds of junk mail (loss of productivity).
• Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unknowing organization.


Prevention

Information Leaks
• A content checking tool is a must to prevent users from sending out confidential or sensitive corporate information via email. This tool automatically scans the contents of each message being mailed.

Information Interception
• Use encryption to protect your email messages.
   - PGP and S/MIME encryption (used to encrypt message body only)
   - SSL encryption (encrypts email traffic as a whole)
• Use Network Intrusion Detection Software


Prevention

Malicious or Offensive Content
• Likewise, a content screening tool is necessary to prevent corporate users from sending or receiving malicious, offensive, or inappropriate emails.
• To reinforce this preventive approach, companies should invest in a tool that automatically adds a legal disclaimer to the end of every message sent out by the organization.


Prevention

Viruses
• Obtain a reliable virus scanner that screens all incoming and outbound messages and attachments for e-mail viruses and worms.
• Open attachments as well as emails with precaution. Look out for:
   - Email addresses you don't recognize
   - The subject contains hook lines like "Hi! Here's the document you wanted" or "Can you check this for me?"
   - The text body of the message is extremely short, but the message size is very large (between 100KB and 500KB)
   - Executable attachments (.exe, .com, .vob)
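The four warning signs above can be checked mechanically at a mail gateway. This is an added example, not part of the original slides: the extensions, hook lines and 100KB to 500KB range come from the checklist, while `triage`, `build_sample`, the `KNOWN_SENDERS` allow-list and the 200-character "extremely short" threshold are assumptions made for illustration.

```python
import email
from email.message import EmailMessage
from email.utils import parseaddr

# Values taken from the slide's checklist.
RISKY_EXTENSIONS = (".exe", ".com", ".vob")
HOOK_LINES = ("here's the document you wanted", "can you check this for me")
LARGE_MIN, LARGE_MAX = 100 * 1024, 500 * 1024
# Assumptions: a constructed allow-list and a cut-off for "extremely short".
KNOWN_SENDERS = {"alice@example.com"}
SHORT_BODY_CHARS = 200


def triage(raw: bytes, known_senders=KNOWN_SENDERS) -> list[str]:
    """Return the checklist items that a raw RFC 5322 message trips."""
    msg = email.message_from_bytes(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in known_senders:
        findings.append("unrecognized-sender")
    subject = (msg.get("Subject") or "").lower()
    if any(hook in subject for hook in HOOK_LINES):
        findings.append("hook-line-subject")
    body_chars = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable-attachment:{name}")
        elif not name and part.get_content_type() == "text/plain":
            body_chars += len(part.get_payload(decode=True) or b"")
    # Short text but a large message means the bulk is attachment data.
    if body_chars <= SHORT_BODY_CHARS and LARGE_MIN <= len(raw) <= LARGE_MAX:
        findings.append("short-body-large-message")
    return findings


def build_sample() -> bytes:
    """Constructed sample: a one-line note plus a 120,000-byte dummy file."""
    m = EmailMessage()
    m["From"] = "Stranger <someone@unknown.example>"
    m["To"] = "bob@example.com"
    m["Subject"] = "Hi! Here's the document you wanted"
    m.set_content("See attached.")
    m.add_attachment(b"\x00" * 120_000, maintype="application",
                     subtype="octet-stream", filename="Report.doc.exe")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Matching on the final extension also catches double extensions such as `Report.doc.exe`, which is how the sample attachment is named.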


Prevention

Spam
• Use an efficient anti-spam tool that will pick up words and phrases that usually appear in unsolicited commercial e-mails and block the unwanted message from entering the system.
• Also effective against spam is a quarantining feature that deters e-mail messages with “spammy” content from going through, storing the spam in a special location.