How do you scan encrypted e-mails for viruses or malicious
content? This is a dilemma facing many IT directors as the need for
confidentiality clashes with the need to protect the business from
attack and potential lawsuits.
Should security be compromised for the sake of functionality? And
what should we choose, encryption or virus scanning?
Clearly, there are requirements for encrypting e-mail. In 2001,
Euro MPs encouraged businesses to encrypt their e-mails to prevent
the Echelon program reading their messages. Sophos warned of the
dangers of this at the time, reminding users that encryption
prevents e-mails from being virus scanned. Most organisations have
the capability to provide encryption services to users today, but
often it is not without a cost.
It is not just virus scanning that proves difficult when e-mails
are encrypted; content scanning and e-mail retention will also create
problems for security managers in the future. There is a growing
requirement to monitor or spot-check e-mails for racist comments,
profanities, obscenity or any comment that might land the sender's
organisation in trouble.
Changing laws surrounding e-mail retention could also create
problems because the encryption keys may need to be retained with the
e-mail, rendering it less than secure.
Barriers to compliance
The nature of an encrypted e-mail means a third-party product,
compliance officer or security manager cannot look inside, examine
the contents, identify any harmful content and remove or disable
it.
I first encountered this problem in 1998 when working as head of
security for an investment bank in the City. Key staff needed to
send encrypted e-mail, but the security team were keen to ensure
that all outgoing mail was thoroughly virus-scanned by at least two
different anti-virus products, one on the user's desktop and one on
the mail gateway.
The encrypted messages could not be scanned on the gateway, so we
had to let them go through and risk infecting another bank with a
virus - that was our compromise.
Virus scanning e-mail at the desktop after a mail has been
decrypted is not always sufficient. Many companies have two or more
points at which they may scan e-mails (Exchange server, mail
gateway and desktop). That mixed-supplier solutions are becoming
common demonstrates just how seriously viruses are taken
in today's businesses.
With each new major virus outbreak we see one of the leading five
anti-virus suppliers release an antidote. It can be hours before
the others catch up and offer the same, so it makes perfect sense
to reduce your risk by betting on two or more suppliers.
You can have encrypted e-mail without eliminating one or more of
your anti-virus checkpoints, but many organisations seem to be
avoiding the issue by not encrypting e-mail. This could be the real
reason why PKI (public key infrastructure) appeared to stall and
encrypted/signed e-mails are not as common as we expected them to
become.
Being unable to easily scan encrypted mails has been a problem
since encrypted e-mail first appeared. So why has this only just
become a major issue?
Virus infection via e-mail has increased dramatically in the past
two years, so much so that few users can survive without anti-virus
software. Three years ago it was rare to receive a virus via
e-mail, now they arrive daily - sometimes several in one day.
It is unfortunate that at the time encrypted e-mail became
accessible to everyone, viruses and Trojans via e-mail rose to
epidemic levels.
Encrypted e-mail was once something for only the technically
blessed. Using PGP (Pretty Good Privacy) in its early form - from
the Unix command line to create encrypted data and then include
that in an e-mail - was not done in the click of a mouse. The
dialogue with the intended recipient to exchange keys was also
"clunky" to say the least. With the introduction of digital
certificates (X.509), it was suddenly possible to conduct otherwise
complex tasks such as encryption or digital signing of data in
seconds.
Difficult choice
As a security manager, I would certainly not be expected to choose
between weakening my defences and stopping a user securing data for
transit over the internet, but that is what many businesses are
faced with.
There are solutions to the problem, but on the surface they appear
to be highly complex. In simple terms, one solution is to take a
copy of an outgoing message, decrypt it and examine the contents.
If the message is free from a virus or inappropriate content, then
the original encrypted message can be sent out.
For a solution like this to work, both copies of the message must
have been encrypted to an additional decryption key (ADK) as well as
to the recipient; ADKs are often used for compliance or data recovery
purposes. The ADK would be used by the system processing outgoing
mail, but that system would have no capability to re-encrypt mail, as
this would generate trust issues.
One copy of the e-mail is decrypted and scanned; if it is clean,
the other copy is sent without being decrypted. This method would
still allow full end-to-end encryption.
For incoming messages the same process would apply, but a copy of
the recipient's key would either have to reside on the mail server
or the sender would have to encrypt messages with a key that the
mail server has.
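To make the ADK flow concrete, here is an added example (not the author's or any vendor's code) modelling it in Python: a toy hybrid envelope stands in for the PGP or S/MIME message format, symmetric key wrapping stands in for public-key encryption of the session key, the gateway is a recipient named "adk", and the scanner simply looks for the EICAR anti-virus test string; all of these are assumptions of the example, not details from the article.

```python
import hmac, hashlib, os

# Toy hybrid-encryption model of an e-mail envelope (not PGP's real format):
# one random session key encrypts the body, and that session key is wrapped
# once per recipient key. Adding the gateway's ADK as a recipient is what
# lets the gateway decrypt its copy without holding the user's private key.
def _prf(key, label, n):
    """Deterministic keystream: HMAC-SHA256 in counter mode, n bytes."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(body, recipients):
    """recipients: {name: 32-byte key}. Returns an envelope dict."""
    session = os.urandom(32)
    nonce = os.urandom(16)
    ct = _xor(body, _prf(session, b"body" + nonce, len(body)))
    tag = hmac.new(session, nonce + ct, hashlib.sha256).digest()
    wrapped = {n: _xor(session, _prf(k, b"wrap" + nonce, 32)) for n, k in recipients.items()}
    return {"nonce": nonce, "ct": ct, "tag": tag, "wrapped": wrapped}

def decrypt(env, name, key):
    """Unwrap the session key for `name`; KeyError if not a recipient, ValueError if tampered."""
    session = _xor(env["wrapped"][name], _prf(key, b"wrap" + env["nonce"], 32))
    expect = hmac.new(session, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, env["tag"]):
        raise ValueError("integrity check failed")
    return _xor(env["ct"], _prf(session, b"body" + env["nonce"], len(env["ct"])))

# Benign, industry-standard anti-virus test pattern used as the only "signature".
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def scan(body):
    """Stand-in for the gateway's anti-virus engine."""
    return "clean" if EICAR not in body else "infected"

def gateway(env, adk_key):
    """Decrypt the gateway's copy with the ADK, scan it, and forward the ORIGINAL envelope untouched."""
    try:
        body = decrypt(env, "adk", adk_key)
    except KeyError:
        return ("reject", "not encrypted to the ADK; policy requires it")
    except ValueError:
        return ("reject", "ciphertext failed integrity check")
    verdict = scan(body)
    if verdict != "clean":
        return ("quarantine", verdict)
    return ("forward", env)  # same bytes as received: the gateway never re-encrypts
```

A message that was not encrypted to the ADK is rejected rather than passed through unscanned, which is the policy decision the article's 1998 compromise had to forgo.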
Encryption at the gateway
Another solution would be to lose the end-to-end encryption
capabilities and move the responsibility for encryption to a key
system such as a mail gateway. This allows the encryption to take
place after all scans and content monitoring have occurred.
Unfortunately, this approach means that messages are in clear text
from the user's desktop and across the corporate LAN.
Symantec-owned PGP offers an enterprise solution to scan and
encrypt/decrypt messages within one software solution. Most other
anti-virus companies will offer some interoperability with one of
the solutions outlined earlier.
The final option is to use one of the many outsourced solutions
that are becoming available to decrypt, scan and process the
messages. There are some benefits to such a solution. Many are
web-based and have added bonuses such as spam filtering, but
outsourcing such a critical part of your operations can introduce
risk management issues.
I am certain that more and more businesses will face this challenge
over the coming months and I hope that they address it head on and
do not compromise their security either way.
Phil Cracknell is chief technical officer at IT security
company netSurity