Download Fraud Eliminator to Protect Yourself from Phishing Scams

E-mail Security Governance: E-mail Encryption and Authentication as a Business Enabler


CipherTrust

How to Easily Secure Your E-mail System and Comply with HIPAA, Sarbanes-Oxley, and GLBA Regulations

While recent government regulations vary in scope and purpose, the need to protect information and ensure its integrity is universal. Much of the information germane to business today is assembled and communicated over messaging platforms such as e-mail. As a result, the need for a comprehensive approach to the secure delivery of e-mail affects almost all organizations, regardless of industry or size. As with many management challenges, the unknown is the most significant cause for concern. In the case of e-mail and messaging security, the most ominous threat is often the inability to measure the information flowing in and out of the corporate e-mail network.

E-mail has traditionally been sent “in the clear,” meaning that e-mail headers and contents have been readily accessible to anyone able to monitor network traffic. Encryption technologies have historically been difficult enough to implement that, for an application as mission-critical as e-mail, many businesses chose to sacrifice security in the name of user-friendliness. For example, some encryption and authentication technologies require adoption by every party attempting to communicate, and few have ever agreed on which technologies are best or most efficient. Many businesses, committees and users have been attempting to standardize such use for well over a decade.

Over the last few years, however, regulations have been enacted that require the business and technology communities to generate and implement secure e-mail solutions. Easy-to-use encryption and authentication are now readily available. The new challenge for the enterprise is to determine where and how to implement these new solutions to ensure compliance with new regulations. Understanding how each regulation affects e-mail security and delivery is important to understanding the pressures all IT managers will be under in the months and years to come.

E-mail Security Issues for Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 took effect in June of 2004 and requires CEOs, CFOs, independent auditors and audit committees to certify the accuracy, confidentiality, privacy and integrity of financial statements -- and the effectiveness of internal controls and procedures for financial reporting and disclosures. The most relevant sections of Sarbanes-Oxley to e-mail security are sections 404 and 802.


  • Section 404 deals with internal controls, and requires organizations to implement controls over the release of information to individuals or organizations outside the company’s network.
  • Section 802 addresses records management, and how long and in what manner documents (including e-mail) should be retained.


Sarbanes-Oxley does not detail specific steps organizations should take to comply with these regulations. Rather, it requires that companies implement programs that ensure the secure flow of information, and that they be able to document the successes and deficiencies of those programs. Some programs are commonly used as a basis for implementation.

Corporations and business partners of companies affected by Sarbanes-Oxley are required to ensure that sensitive information remains secure. As with HIPAA solutions, “insider information” should not be accessible outside the perimeter of a company’s network. Encryption policies should be enforced whether or not a busy executive remembers to encrypt a message. Rogue employees should not be capable of transmitting sensitive financial information outside the network. Detailed reports should be available to auditors showing how the system has protected the network and archived relevant communications. All of this can be handled swiftly with an e-mail governance policy and a central implementation mechanism. Without such a mechanism in place, these requirements create a tangled web of complicated transactions and increased risk.

Unlike HIPAA, however, Sarbanes-Oxley often creates a need for organizations to prevent end-user encryption of information because encrypted information cannot be filtered for inappropriate content or trade secrets as it moves through the e-mail servers and onto the Internet. E-mails should be sent to the server as clear-text, and only once the content has been cleared for release should it be encrypted according to the organization’s policies.

The need to enforce centralized content policies, as well as the need to provide detailed reports to audit committees, requires server-level control and administration. The servers should be flexible in terms of encryption technology in order to maximize the utility of e-mail, while at the same time the network should be defended from external attacks.

E-mail Security Issues for HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 21, 2003. The act is designed to protect the confidentiality, integrity, and availability of individuals’ Protected Health Information (PHI). PHI is defined as any individually identifiable health information. Healthcare organizations that must comply with HIPAA regulations are known as Covered Entities (CEs). CEs include hospitals, insurance providers, employer health plans, physicians, business partners, and contractors working with healthcare providers.

The primary rule within HIPAA that affects e-mail is the Security Rule. Exposed PHI within e-mail is considered a risk that will surface during a HIPAA risk assessment. Covered Entities are required to perform a HIPAA risk assessment and then to adopt appropriate safeguards depending upon the outcome of the assessments they perform.

Healthcare organizations have reacted to the new rule in a variety of ways, and with varying degrees of effectiveness. The efficiency of e-mail offers an attractive means to transmit healthcare information from one organization to another; however, the need to secure each transmission of PHI has created complications, as secure e-mail solutions are new and not fully implemented at many sites that transmit and store PHI.

Many encryption technologies require the user to become familiar with plug-ins and other specialized “client-side” encryption software. Encryption keys must be securely exchanged between partners, patients, providers, and other network members. More employees are involved in transmitting PHI over the Internet now than ever before, and as their number grows, administrative costs grow with the need to train them in the proper use of encryption technologies.

As the complexity increases, so does the probability that not all e-mail containing PHI will be encrypted. Doctors, who are always pressed for time, may not take the extra few minutes required to encrypt an e-mail. The clerk handling outbound messages for a nurse may not understand which information requires encryption and which does not. Furthermore, many healthcare administration workers have not been trained on the identification of PHI and subsequent proper handling.

The uncertainties and potential liabilities have led some organizations to go so far as to outlaw all PHI in e-mail. Instead of solving the problem, however, these decisions generally force employees to find alternative, and usually insecure, methods of transmitting PHI via e-mail in order to accomplish their jobs. This leaves organizations vulnerable to lawsuits based, at best, on non-compliance with HIPAA and, at worst, exposed PHI. The liability is tremendous – leading many insurance providers to be extremely hesitant to provide coverage in the IT space unless sound security practices and compliance can be proven.

The same problems arise with client-based encryption technologies that require the user to be trained or to take extra time to accomplish his or her task. The effect is an increase in likelihood that PHI will be transmitted through an insecure channel as rushed or untrained employees break policies set up to protect information.

Another issue faced by organizations is a lack of technological standards. Some organizations may be employing technologies such as S/MIME or PGP encryption, while others utilize secure connection technologies such as TLS or HTTPS. The effect is that any two organizations, each complying with HIPAA regulations in their own way, may be unable to communicate electronically due to a lack of standardization within the industry.

The solution to each of these issues is to move the encryption responsibility from the individual user to a specialized server, and to utilize a system that can select from a number of encryption technologies depending on the recipient’s technological capabilities. The server should be capable of applying encryption policies based on heuristics determined by the security officer, administrator, or business rules. Individual users should be able to specify that a message be encrypted, but the encryption should automatically be applied where appropriate regardless of user involvement.
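An added example (not CipherTrust's or IronMail's code) of the server-side policy engine described here and in the Sarbanes-Oxley discussion above: clear-text mail is content-scanned at the gateway, mail that arrives already encrypted and so cannot be scanned is held, and the protection applied is chosen from what the recipient's domain supports. The capability directory, the content patterns and the "pickup" portal fallback are constructed assumptions.

```python
"""Toy gateway encryption policy: scan clear text, then protect per recipient capability."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed capability directory: what each partner domain can accept.
# A real gateway would learn this from key/certificate directories and TLS probes.
CAPABILITIES = {
    "clinic.example":  {"smime"},        # publishes S/MIME certificates
    "partner.example": {"pgp", "tls"},   # PGP keys on file, MX offers STARTTLS
    "bank.example":    {"tls"},          # transport encryption only
    "webmail.example": set(),            # no cryptographic capability
}

# Preference order: end-to-end first, then transport, then a secure web pickup
# portal as the assumed fallback for recipients with no capability at all.
PREFERENCE = ["smime", "pgp", "tls", "pickup"]

# Constructed content rules that force encryption regardless of the sender's choice.
SENSITIVE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[: ]\s*\d{6,}\b", re.I),
    "earnings": re.compile(r"\b(pre-release|non-public)\s+(earnings|financials)\b", re.I),
}

@dataclass
class Decision:
    action: str                         # "deliver" or "quarantine"
    method: Optional[str] = None        # protection applied when delivering
    reasons: List[str] = field(default_factory=list)

def classify(body: str) -> List[str]:
    """Return the names of the content rules that match the clear-text body."""
    return [name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(body)]

def decide(recipient: str, body: str, user_requested_encryption: bool = False) -> Decision:
    """Apply gateway policy to one outbound message."""
    # Client-encrypted mail cannot be filtered at the server, so it is held, not relayed.
    if "-----BEGIN PGP MESSAGE-----" in body or "application/pkcs7-mime" in body:
        return Decision("quarantine", reasons=["client-side encryption bypasses content filtering"])
    hits = classify(body)
    if not hits and not user_requested_encryption:
        return Decision("deliver", method="plain", reasons=["no sensitive content detected"])
    domain = recipient.rsplit("@", 1)[-1].lower()
    caps = CAPABILITIES.get(domain, set())
    # Strongest method the recipient supports; "pickup" always applies as a last resort.
    method = next(m for m in PREFERENCE if m in caps or m == "pickup")
    return Decision("deliver", method=method, reasons=hits or ["user requested encryption"])
```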

Beyond encryption issues, CEs need to maintain system integrity and the availability of information. At no time should the network be at risk of downtime due to hacking attempts, Denial of Service (DoS) attacks, spam attacks, phishing, social engineering, or viruses.

E-mail Security Issues for the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) was signed by Bill Clinton in 1999 and became fully effective on July 1, 2001. GLBA requires financial institutions, partners and contractors to protect consumers’ private financial information. It is similar in purpose to the HIPAA regulations governing the use and transmission of information in the healthcare industry, and it imposes many of the same challenges on the financial industry as those faced by the healthcare industry.

As with organizations affected by HIPAA and Sarbanes-Oxley regulations, financial institutions are faced with the need to protect confidential data, comply with regulations, keep the network operational and secure, and operate on a budget. A failure to perform in any of these areas could result in fines and the imprisonment of company officers. It could also have devastating effects on the business itself – potentially causing existing and potential customers to lose faith in the company’s ability to service their financial needs.

As with healthcare organizations and corporate entities, the need to establish centralized policy-based governance over the transmission, encryption, and archival of sensitive information requires a secure server-based solution. The solution should be capable of interfacing with all of an organization’s business partners regardless of the partner’s technological capabilities, and it should be transparent to the user in order to maximize the efficiency and utility of e-mail and encourage adoption of acceptable means of corporate communication.

Conclusion

The trend is clearly in the direction of more complex security regulations and increasing concern among consumers and investors over an organization’s ability to protect privileged information. Fortunately, this increasing awareness among the general public and government agencies has coincided with rapid development of the technologies required to meet these demands. CipherTrust has led the e-mail security industry in developing comprehensive solutions to e-mail-borne threats such as spam, hackers, phishing, DoS attacks and more.

CipherTrust’s IronMail provides the first true balance of security and usability that will enable businesses to protect the confidentiality and integrity of information as required while ensuring that employees can continue to use e-mail easily as a central communication medium. IronMail enables e-mail security governance with ease, solving a problem that has plagued the industry for 15 years.

Others merely claim it. IronMail does it. We invite you to try it. Click here to schedule a FREE online demonstration of IronMail.

CipherTrust manufactures the leading Enterprise E-mail Security appliance, IronMail. To learn more about how IronMail can help your organization filter spam, block attacks, and prevent fraud, download our white paper, "Controlling Spam: The IronMail Way."

Stay up to date on all E-mail security issues by signing up for the IronMail Insider Newsletter.


CipherTrust is the leader in anti-spam and email security. Learn more by downloading our free whitepaper, “Securing the E-mail Boundary: An overview of IronMail” or by visiting www.ciphertrust.com.



UK Based Phishing IQ Test
Some time ago I posted a link to an American Phishing test. I'm pleased to tell you that there is now a UK Phishing Test using UK examples that might make rather more sense to us than the American one. Phishing, for those who don't know, refers to fake emails that supposedly come from banks etc. and are designed to get us to give out personal details, which can then be used to get money out of accounts and so on. No-one would fall for them, surely? If you're sure you're too clever then try the test and see how well you do!

Gmail Takes the Phun Out of Phishing
Google isn’t allowing itself to be put in the same situation as other e-mail providers in regard to phishing attacks. In October of last year, they implemented Yahoo’s DomainKeys e-mail source verification (a month before Yahoo did, but that’s Google for you). Now they’re using a proprietary engine to tag suspicious messages coming in to Gmail accounts. When a Gmail user opens a suspected phishing message, the software displays a large red dialog box…

Netcraft: 5,600 Phishing Sites Since December
miller60 writes "Netcraft has tracked and blocked 5,600 known phishing sites since the December launch of its anti-phishing toolbar, which it has now updated with a risk rating feature that warns users about new sites with phishy characteristics, based on trends observed in known phishing scams. It has also started a service that makes the full list of phishing sites available as a continuously updated feed for service providers and companies to use in mail servers and web proxies." One bad sign: the phishing attacks I see are getting (on average) more professional in their phrasing -- it used to be easy to toss out the trawlers based on their spelling alone.

Netflix Fixes "Phishing" Security Threat
Christopher tipped me off to a Bugtraq mailing list thread about a possible Netflix security problem involving "phishing." This is the Wikipedia definition of phishing: In computing, phishing is the act of attempting to fraudulently acquire, through deception, sensitive personal information such as passwords and credit card details by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information. It is a form of social engineering attack. Here's a link to an example of a phishing e-mail. This is an example of phishing HTML code: https://www.netflix.com/redirect.jsp?target=http://dummy.site.com/ This was just a warning and...
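The redirect URL quoted above is the open-redirect pattern: a link on a trusted host whose `target` parameter forwards the visitor anywhere, which lets a phishing mail show a genuine-looking domain. The check below is an added example, not Netflix code; the allow-listed host names are constructed.

```python
"""Defender's check for an open-redirect parameter: only same-site targets pass."""
from urllib.parse import urlsplit, parse_qs
from typing import Tuple

ALLOWED_HOSTS = {"www.netflix.com", "netflix.com"}  # constructed allow-list

def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a local absolute path or an https URL on an allowed host."""
    if not target or any(c in target for c in "\r\n\t\\ "):
        return False  # whitespace, control chars and backslashes are parser-confusion tricks
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: accept '/path' but not scheme-relative '//host/path'
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme != "https":
        return False  # rejects http://, javascript:, data: and friends
    # .hostname lowercases and drops userinfo, so 'https://www.netflix.com@evil/' -> 'evil'
    return parts.hostname in allowed_hosts and parts.port in (None, 443)

def check_redirect_link(url: str) -> Tuple[str, bool]:
    """Pull the `target` query parameter out of a redirect link and judge it."""
    target = parse_qs(urlsplit(url).query).get("target", [""])[0]
    return target, is_safe_redirect(target)
```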

14,411 phishing attempts in April 2005
In April 2005, the number of phishing attempts rose to 14,411, says the Anti-Phishing Working Group. A drop in unique phishing e-mails was reported, down to 3,930 from 4,100 in March 2005. The number of phishing Web sites hosted in China increased to 2,854 active phishing sites reported in April 2005 (22% of the total). 26.3% of phishing [...]

Anti-Phishing Working Group Creates Phishing Scam Database for Members (2 June 2005)
In hopes of becoming a clearinghouse for phishing data, the Anti-Phishing Working Group has created a database of phishing scams that can be used to share information with other Anti-Phishing Working Group members; there is also an XML form that can be used to submit attack data…

Strange "Barclays" phishing attempt
When I get these things, I usually just delete them immediately, but this strange message from “Barclays” caught my eye and I began to play with it. At first, it just seems like an obvious phishing attempt. Dear Barclays Member, This email was sent by the Barclays server to verify your email address. You must complete this process by clicking on the link below and entering in the small window your Barclays Membership number, passcode and…

John Doe Lawsuits Filed Against Phishing Operators
Microsoft filed 117 “John Doe” lawsuits against phishing site operators in an effort to curtail the identity theft scams. “We must work together to stop these con artists from misusing the Internet as a tool for fraud. Microsoft provides consumers with the information and technology that will help protect all of us from this pervasive and destructive threat, and has filed legal action today against some of these individuals,” said Aaron Kornblum, Internet safety enforcement attorney…
