Ready to Start Your Career?

CISSP Study Guide: Email Security

Cybrary's profile image

By: Cybrary

December 15, 2022

Securing Emails

E-mail is one of the most commonly used Internet services. Its infrastructure is a system of e-mail servers that use the Simple Mail Transfer Protocol (SMTP) to acquire messages from clients and to send those messages to other email servers, and e-mail clients that use Post Office Protocol version 3 (POP3) or Internet Message Access Protocol (IMAP) to transmit and retrieve e-mail to and from the e-mail server. These protocols give us the efficiency we’ve become used to when sending and receiving email, however, they’re not secure and don’t have the adequate mechanisms to ensure confidentiality, integrity, and availability.

There are methods to incorporate secure email messaging. A security policy is a critical measure to sustain email security. The e-mail security policy must define acceptable use policies for e-mail, specifying the activities that can and cannot be performed over the organization’s email infrastructure. This permits the transmission of work-focused messaging but curtails transmission of personal email. As well, illegal, immoral, or offensive content can be prohibited, and can include personal business email.

Access control over email will ensure that users have access to only their inbox and email archive databases. The mechanisms and processes used to control the organizations’ email infrastructure should be clarified. End users don’t necessarily have to know the mechanics of email management, but they need to be informed of the policies that define what is considered private communication. End users also should be informed as to whether email should be saved and stored in archives for future reference; and if email is subject to review for violations by an auditor.

Email Security Issues

POP3, IMAP and SMTP are the protocols that support e-mail. These protocols don’t provide security nor do they provide encryption, source verification, or integrity checking. Because encryption methods aren’t provided for transmitted e-mail, the interception and access to e-mail is a real risk.

E-mail protocols don’t offer confirmation of a valid sender or source of a message. Thus email address spoofing is a process that can be readily learned. E-mail headers can be altered at their source and during transmission. It is also possible to deliver email directly to a user’s inbox on an e-mail server by directly connecting to the email server’s SMTP port. Integrity checks aren’t incorporated in email messaging to ensure that a message was not altered during transmission.

Additionally, email itself can be used as an attack method. Culprits most commonly use attachments to send malicious code, such as viruses, worms, and Trojan horses. Mailbombing is another method. DoS or denial of service attacks dispatch large quantities of email messages to a user’s inbox or through a STMP server, flooding the system with messages and can result in storage capacity consumption or processing capability utilization.

Lastly, SPAM mail is perhaps the most mild version of email attack but creates a headache for the recipient and is an abuse of system resources both locally and over the Internet. Though there are SPAM blockers it’s difficult to completely eliminate spam as the source of the messages is usually spoofed.

Email Security Solutions

There are several protocols, services, and remedies that can be implemented to add security to an existing email infrastructure including: S/MIME, MOSS, PEM, and PGP.

Secure Multipurpose Internet Mail Extensions (S/MIME): implements email authentication through X.509 digital certificates and privacy through Public Key Cryptography Standard (PKCS) encryption. Two types of messages can be created using S/MIME: signed messages and enveloped messages. A signed message offers integrity and sender authentication. An enveloped message offers integrity, sender authentication, and confidentiality. All major email vendors support S/MIME.

MIME Object Security Services (MOSS): utilized for authenticity, confidentiality, integrity, and non-repudiation for e-mail messages. It uses Message Digest 2 (MD2) and MD5 algorithms; Rivest, Shamir, and Addleman (RSA) public key; and Data Encryption Standard (DES) to support authentication and encryption services. Privacy Enhanced Mail (PEM): an e-mail encryption mechanism that is used to allow authentication, integrity, and confidentiality. It uses RSA, DES, and X.509.

Pretty Good Privacy (PGP): an asymmetric public-private key system that uses the IDEA algorithm to encrypt, decrypt, and digitally sign files and e-mail messages. It is not standard but is widely supported on the Internet. Benefits of PGP:

  • PGP creates your key pair, which is your public and private key.
  • PGP allows you to store other users’ public keys on a local key ring.
  • The sender uses the recipient’s public key to encrypt messages.
  • The recipient uses his or her own private key (or secret key) to decrypt those messages.

Electronic Monitoring for Privacy

Another area relating to privacy practices is keystroke monitoring, e-mail monitoring, and the use of surveillance cameras, badges and magnetic entry cards. Important issues in electronic monitoring are that the monitoring process is conducted in a lawful manner and is implemented in a consistent fashion.

Organizations that monitor employee e-mail should inform them that email is being monitored. This can be done by the use of a pronounced logon banner or some other applied notification. Additionally, the organization should make certain their monitoring process is applied uniformly with explicit terms defining acceptable usage of the e-mail system, as well as back up procedures for email archiving, and should not provide a guarantee of e-mail privacy. These should be outlined in the organization’s email usage policy.

Schedule Demo

Let's build your cybersecurity career together

Accelerate in your role, prepare for certifications, and develop cutting edge skills with the most in-demand training in the industry.

2,000+learning activities led by highly experienced cybersecurity professionals