Email Security. Secure Email Encryption: Protect Communication with Personal Certificates. An IceWarp White Paper. October 2008. www.icewarp.com



Background

Email has become the preferred method of communication in many sectors. While it constitutes an easy and cost-efficient messaging solution, businesses must take care to protect the data they transmit, both in the body of the message and in any attachment it carries. Many businesses believe that deploying effective antispam and antivirus solutions offers sufficient protection; however, there are threats to data security that extend well beyond malware. A message can be read at any of the following points:

A compromised client machine
- the sender's machine
- the recipient's machine

The email server (either the primary server or an ISP relay server)
- via a malicious administrator (secure machine, compromised person)
- via a hacker (compromised machine or compromised person)
- via a malicious third-party relay used by the recipient
- via a hosted email service

Interception on a LAN, MAN or WAN
- Local Area Network (office): traffic exposed to co-workers' machines
- Metropolitan Area Network (ISP): a compromised employee at the company's ISP, or someone working with the ISP (for example a foreign malicious government organization)
- Wide Area Network: non-secure public locations such as kiosks, hotels, or a connection made from a customer's business location
- Wireless: Wi-Fi (public or private), broadband wireless (WiMAX)

Sensitive content includes:
- Trade secrets
- Client lists
- Marketing plans
- Personnel records
- Proprietary business information
- Production processes
- Confidential memorandums
- Confidential financial data
- Confidential consumer information, including credit card numbers, social security numbers, etc.
- Intellectual property

Email Hijacking

On September 17, 2008, the email account of vice-presidential candidate Sarah Palin was compromised by a hacker who was able to reset her password after answering some basic security questions. Other security measures should have been in place to prevent the account takeover itself, but the hacker would not have been able to read the stored messages had they been encrypted to a private key that the attacker did not obtain along with the account: a password reset hands an attacker the mailbox, not the key.

Corporate Espionage

As stakes get higher in global business, many corporations use unscrupulous, even illegal, methods of gaining the upper hand on the competition. The Society of Competitive Intelligence Professionals (SCIP) found that corporations spent an estimated $2 billion in 2004 alone spying on and acquiring information from the competition. These hardball practitioners frequently enlist the services of ex-military personnel and government agents trained in spying. These mercenaries are not dumpster divers, but highly skilled experts in information technology. The cost to companies is steep; it is estimated that in 1999 alone, companies lost more than $45 billion to the theft of trade secrets and other valuable corporate data. Experts are uncertain how that figure might vary today, but it is generally conceded that the number has gone up, not down.

Accidental Exposure

Some information leaks are inadvertent. It is entirely possible that the careless slip of a finger can lead to the exposure of enormous trade secrets and cost a company billions of dollars. In January 2008, a Philadelphia attorney mistakenly emailed confidential information to the New York Times reporter Alex Berenson instead of to co-counsel Bradford Berenson. The email discussed drug manufacturer Eli Lilly & Company's confidential settlement talks with the government, which involved $1 billion. Upon receipt of the missive, the Times reporter felt compelled to go public with the information rather than withhold it. Though the sender of the email made a simple, understandable and all too common mistake, considerable damage was done. Had the email been encrypted to the intended recipient's certificate, the reporter would never have known what he was looking at; in fact, a client set to encrypt would have held no certificate for the wrong address and would have stopped with a warning before the message left.

Statistics

According to a 2007 study conducted by Forrester Consulting, nearly one in five outgoing email messages (18.9%) contains content that poses a legal, financial or regulatory risk. Survey respondents indicated that a large share of those messages contain confidential or proprietary business information. In 2008, Forrester Consulting found the following:
- 44% of surveyed US companies investigated a suspected email leak of confidential or proprietary information in the course of 12 months
- 23% of surveyed US companies said that their business was impacted by the exposure of sensitive or embarrassing information in the course of 12 months
- 26% of surveyed US companies terminated an employee for violating email policies in the course of 12 months

- 57% of surveyed US companies said that it is important or very important to reduce the legal and financial risks associated with outbound email in 2009
- 26% of surveyed US companies stated that confidential or proprietary business information is the most common form of inappropriate content in non-compliant email

Regulatory Compliance

In recent years the United States government has enacted a number of laws that require corporations to take substantial measures to assure the security and privacy of email correspondence.

The Sarbanes-Oxley Act

In response to a series of corporate scandals, the United States government enacted the Sarbanes-Oxley Act of 2002, which requires businesses to maintain strong internal controls over financial reporting and over the business records, including email, that support it. Sarbanes-Oxley does not detail the specific steps a business should take to ensure message security and privacy, but the kind of encryption detailed in this paper constitutes a very pronounced step towards compliance.

HIPAA (Health Insurance Portability and Accountability Act)

HIPAA was enacted in 1996; its Privacy Rule took effect in 2003 and its Security Rule in 2005. Together they establish standards for the electronic exchange of individually identifiable health information, with the purpose of protecting the confidentiality and security of healthcare data. At the time of writing, civil penalties for noncompliance could reach $25,000 per year for each violated requirement, and criminal penalties could include imprisonment for up to ten years.

GLBA (Gramm-Leach-Bliley Act)

GLBA mandates that financial institutions develop, implement and maintain administrative and technical safeguards to protect the security of customer information. Penalties for noncompliance can reach $100,000 per violation.

Moving Forward with Secure Email Encryption

It is clear that businesses depend on email security. The cost in fines, litigation, damaged reputation and lost revenue is high, yet most companies still pay little to no attention to it. IceWarp's goal is to make its customers more conscious of security, and to show them how to better safeguard their system using IceWarp Server.

Many people do not realize that their email messages can remain stored on multiple servers. A message's path from the sender to the recipient often involves numerous servers, routers and firewalls, and a copy can be retained at each point for days, weeks or even years.

This increases the likelihood that the contents of the message, or its attachment, will be compromised without the knowledge of either the sender or the recipient. The administrators of a given relay point may have no ill intent; however, should their system be compromised by a hacker, stored message data can easily be mined. Encrypted messages, by contrast, remain protected even if an unauthorized party gets hold of them.

Security with Webmail or a Mail Client

Those who wish to stay as safe as possible while communicating via email must use secure email certificates (S/MIME personal certificates). Such a certificate works much like an SSL server certificate, but it identifies a person and an email address, and it is applied to the message itself rather than to the connection: the sender signs with their own private key and encrypts with the recipient's public key, so the message can be decrypted only by the holder of the recipient's private key. With secure email certificates, one can encrypt all correspondence to and from designated recipients. It remains possible to send unencrypted email to addresses for which no certificate is held.

There are many benefits to sending secure email:
- Senders no longer have to worry about unauthorized people gaining access to private messages
- Attachments are protected as well, since they are part of the encrypted body
- Personal information in an email is shielded from any hacker who gains access to a server on the path; note that only the body and attachments are encrypted, while the headers (sender, recipient, subject, date) stay readable, so nothing sensitive belongs in the subject line

Most email clients support S/MIME certificates, and those that do not are not widely used.

IceWarp Server additionally protects the connections in and out of the server: users can assign all IceWarp services to SSL ports (upon installation, services default to the industry-standard ports). Transport encryption of this kind protects a message only on the wire between client and server; it does not protect the copies stored on the server or on relays, which is why it complements rather than replaces message encryption.

Setting Up and Sending Secure Email

First, the user must register with a Certificate Authority (CA) and receive a personal certificate. This example uses www.comodo.com. The user must follow the instructions to register at www.comodo.com, complete the necessary steps to generate the certificate, and import it into the browser, the email client and webmail. Fill out the Comodo registration page (figure 1). Once the user has filled out all fields and accepted the Subscriber Agreement, the application will be processed and a confirmation email will be sent to the specified account (figure 2). The key pair is generated by the browser during enrollment, so the private key never leaves the user's machine; the CA only signs the public key together with the email address.

At that point, the user will receive a message containing the certificate, which will then automatically import into the preferred browser. The user may also choose to download the certificate from the email and manually import it into the browser. See figure 3.

Once the certificate is installed in the browser, the user will need to export it along with the private key. The following example uses Internet Explorer 7. The user must open Internet Explorer, go to [Tools, Internet Options, Content] and click the [Certificates] button. See figure 4.

Then the user should select the newly installed certificate (the one issued by UTN-USERFirst is the Comodo certificate) and choose to export the certificate with its private key. See figure 5.

As shown in figure 6, the user will then be prompted to save the certificate as a PFX file (Personal Information Exchange, the PKCS #12 format), making sure to include all certificates in the certification path and all extended properties. The user will then be prompted to create a password for this file (figure 7). They must record the password, as it will be needed later whenever the file is imported into a mail client or converted with OpenSSL. Because the PFX contains the private key and the password is its only protection, it should be stored only where the user controls access and removed from shared locations once imported.

The user must choose a file name and a path to store the file. At this point, the exported PFX file can be imported into most modern email clients that support message encryption (figure 8).

Importing to IceWarp WebMail

In order to send encrypted and signed messages using IceWarp WebMail, the user will need to take the PFX file and export its contents to a .pem file, which must then be pasted into the webmail security section. The user must download and install OpenSSL from http://www.slproweb.com/products/win32openssl.html. Once installed, the user must go to the OpenSSL\bin folder and open the openssl.exe program (figure 9).

The user must move the PFX file into the OpenSSL\bin folder and then, at the OpenSSL prompt, run the following command (the leading dashes are part of the option names):

pkcs12 -in cert.pfx -out newcert.pem -nodes

They will then be prompted for the password previously established (figure 10). The -nodes option writes the private key into the .pem file without a passphrase, so that file is as sensitive as the PFX and should be deleted once its contents have been pasted. After supplying the password, they will see the .pem file just exported (figure 11). The user must open the .pem file and copy its contents, including the BEGIN and END lines of both the private key and the certificate. They must go to webmail, click [Tools, Options, Security, Certificate], and paste the contents of the .pem file there. Once pasted, webmail parses the certificate and displays its details, as illustrated in figure 12.

Note that after this step the private key resides on the mail server. Encryption then protects the message on its way across the internet and on foreign relays, but not against whoever controls the IceWarp server or the webmail account itself. Where protection from the server administrator is required, keep the private key only in a desktop client, as in the Outlook setup below.

Once this is completed, users will need the certificate (its public part only) of each party with whom secure correspondence is desired; it is normally obtained from a signed message sent by that party. Upon receipt of the certificate, the user must add the contact to the WebMail address book, if it is not already entered. Once added, the user must click on it, open the Properties window, navigate to the [Other] tab, and paste the certificate there (figure 13). Once completed, messages exchanged between this account and its certified contacts can be encrypted.

With the certificate installed, you can choose to send signed and encrypted messages by default by going to [Tools, Options, Default] and checking the boxes for [Sign] and [Encrypt] (figure 14). Webmail also provides the ability to sign and encrypt only certain messages. Users do this by composing a new message, going to the [Options] tab in the message, and checking the [Sign] and [Encrypt] boxes to apply those actions to that specific message only (figure 15).

Secure Email Setup for Outlook

These instructions are specific to Outlook 2007. In order to send and receive signed and encrypted mail with Outlook, the user will need to do many of the same steps indicated above: the account's own certificate (with its private key) and each contact's certificate must be imported. These steps outline the process.

The user must open Outlook and navigate to [Tools, Trust Center, E-mail Security]. Here they can enable the client to encrypt and sign all outgoing mail. If this is not selected as the default, the user will need to select signing or encryption each time a message is sent (figure 16). The user must now click on [Import/Export], as shown in figure 17, and choose to import the PFX file exported above. The password assigned to this file must be specified, and a name for the Digital ID must be entered, for example John Doe.

The user's certificate can now be sent to anyone. This is done by composing a message and signing it with the Digital ID; a signed message already carries the signer's certificate, so attaching the certificate separately is optional (figure 17). Whether signing was enabled as the default or chosen for the individual message, Outlook signs it with the Digital ID; it cannot encrypt to the recipient until it holds the recipient's certificate, which usually arrives in the recipient's signed reply.

Figure 18

Once the user receives a signed message, they will see a new header showing the signer's name, and a red ribbon icon at the far right of the message (figure 19). By clicking on it and going to [Details], they will see [Message Security Properties] (figure 20). The user should click on [Signer] and then [View Details]. When the new window opens, they should click on [Certificate]; the View Certificate window will appear (figure 21).

The user should click on [Details] and then choose [Copy to File]. This starts the Certificate Export Wizard (figure 22), which presents a list of export formats. The user should export the certificate as DER encoded. If problems occur when importing it, they should go back and export the certificate as Base-64 encoded instead. Either format contains only the public certificate, never the other party's private key, so the file can be passed on freely.

Upon receipt of the recipient's certificate, it must be imported. This is done by adding the sender as a contact in the Outlook address book, if not already present (figure 23). Once the contact entry is open, the user should go to [Certificates] as shown in figure 23, click [Import], and point to the path of the .cer file just exported for this contact. Outlook will indicate if there is anything wrong with the certificate. If not, it will attach it to the contact. Hereafter, all communication with this contact can be encrypted. Because the private key stays in the user's Outlook profile, not even the administrator of the mail server can read a protected email or its attachments.

Figure 24 shows a message that is not encrypted:

Figure 24

Figure 25 shows an encrypted message:

Figure 25

Nothing outside the headers is readable: the sender, recipient, subject and date remain visible, as does the S/MIME [Content-Type] header, as on any encrypted message, while the body and attachments are an opaque encrypted block.
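The flow the WebMail and Outlook sections describe (export a PFX, convert it to PEM with OpenSSL, obtain the other party's certificate, then sign and encrypt) can be driven end to end from the OpenSSL command line. The script below is an added example and is not part of the IceWarp paper or of IceWarp Server; it uses a POSIX shell and the openssl binary instead of the Windows OpenSSL.exe prompt. The users alice and bob at example.com, the PFX passwords, the message text and the self-signed certificates (standing in for the CA-issued personal certificates) are all constructed for the demonstration. It also shows the point made under figure 25: after encryption the From, To and Subject headers of the message are still readable, the body is not.

```shell
#!/bin/sh
# Added example, not part of the IceWarp paper: the PFX -> PEM conversion the
# paper runs in OpenSSL.exe, followed by the S/MIME sign / encrypt / decrypt /
# verify round trip that WebMail and Outlook perform behind their dialogs,
# all driven from a POSIX shell with the OpenSSL command line.
# Assumptions: the users alice and bob at example.com, the PFX passwords, the
# message text and the self-signed certificates (standing in for CA-issued
# personal certificates) are all constructed for this demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_identity NAME PFXPASS
# Creates a key pair and a self-signed certificate whose subject carries the
# e-mail address (mail clients match certificates to addresses this way), then
# packs both into a password-protected PFX (PKCS#12), the format the browser's
# export wizard writes. The loose key file is removed: the PFX is the only copy.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1/emailAddress=$1@example.com" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.crt" \
    -out "$WORK/$1.pfx" -passout "pass:$2"
  rm -f "$WORK/$1.key"
}

# pfx_to_pem NAME PFXPASS
# The paper's command with its option dashes restored:
#   pkcs12 -in cert.pfx -out newcert.pem -nodes
# -nodes writes the private key UNENCRYPTED, so the .pem is as sensitive as
# the PFX. Prints the number of PEM objects written (2: key and certificate).
pfx_to_pem() {
  openssl pkcs12 -in "$WORK/$1.pfx" -out "$WORK/$1.pem" -nodes -passin "pass:$2"
  grep -c -- '-----BEGIN' "$WORK/$1.pem"
}

# send_secure SENDER RECIPIENT MSGFILE OUTFILE
# Sign with the sender's own key (the .pem holds key and certificate), then
# encrypt the signed message to the recipient's certificate, i.e. the public
# .cer that the recipient's signed mail delivered. Only the body is encrypted;
# the From/To/Subject headers written here stay in the clear.
send_secure() {
  openssl smime -sign -text -in "$3" -signer "$WORK/$1.pem" \
    -inkey "$WORK/$1.pem" -out "$WORK/$1.signed"
  openssl smime -encrypt -aes256 -in "$WORK/$1.signed" -out "$4" \
    -from "$1@example.com" -to "$2@example.com" -subject "Project Falcon update" \
    "$WORK/$2.crt"
}

# receive_secure RECIPIENT SENDER ENCFILE OUTFILE
# Decrypt with the recipient's private key, then verify the signature against
# the sender's certificate. Because the demo certificates are self-signed, the
# sender's certificate is the trust anchor here; with CA-issued certificates
# -CAfile would hold the CA chain instead.
receive_secure() {
  openssl smime -decrypt -in "$3" -recip "$WORK/$1.pem" \
    -inkey "$WORK/$1.pem" -out "$WORK/$1.inbound"
  openssl smime -verify -text -in "$WORK/$1.inbound" -CAfile "$WORK/$2.crt" \
    -out "$4" 2>/dev/null
}

# run_demo
# Runs the whole flow and prints "ok" when Bob recovers Alice's text and the
# plaintext never appears in the message that crossed the wire.
run_demo() {
  make_identity alice alice-pfx-pw
  make_identity bob   bob-pfx-pw
  pfx_to_pem alice alice-pfx-pw >/dev/null
  pfx_to_pem bob   bob-pfx-pw   >/dev/null
  printf 'Falcon settlement: offer is 1.0 billion, do not forward.\n' > "$WORK/msg.txt"
  send_secure alice bob "$WORK/msg.txt" "$WORK/to_bob.eml"
  receive_secure bob alice "$WORK/to_bob.eml" "$WORK/received.txt"
  if grep -q 'settlement' "$WORK/to_bob.eml"; then echo leak; return 1; fi
  grep -q 'Falcon settlement: offer is 1.0 billion' "$WORK/received.txt" && echo ok
}

run_demo
```

Run it with sh; it prints ok. Inspecting the intermediate files is instructive: to_bob.eml shows the readable Subject line above a base64 application/x-pkcs7-mime body, and alice.pem shows why the paper's pasted .pem must be handled as a secret, since the private key sits in it unprotected.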

Afterword

Those who take these precautions close off the threats posed to unencrypted mail: hackers reading stored or intercepted messages, identity thieves, or even a disgruntled employee with access to a server are of no concern once messages are encrypted and the private key is kept out of their reach. Encryption does not, of course, stop spam or replace antivirus; it protects the content of the messages it is applied to. On average, these certificates have a life span of 5 to 10 years, though many CAs issue shorter terms, so note the expiry date, renew before it, and keep the old certificate and key so that archived encrypted mail can still be opened. The time it takes to set up will ensure years of security.