Hot Topic
E-mail Security: Are You Safe?
by Philip Houle
In today's wired
environment, people are becoming more and more dependent on the Internet and e-mail
for doing business and staying in touch. At the same time, the issue of security
has become more important. Threats to the secure use of e-mail include identity
hoaxes, compromised messages, lost messages and malicious content.
Dangerous Messages
Most of us likely receive e-mail and give little thought to challenging the validity
of its apparent source. In fact, it is relatively easy for anyone to send e-mail
and use a bogus identity. This technique is used extensively by people sending
out unwanted e-mail (SPAM) to avoid revealing their true identity. And the technique
could also be used to send messages that appear authentic, but in fact are hoaxes.
Without special precautions, e-mail messages travel over the Internet as text
messages that can be viewed, and potentially altered, by anyone intercepting them.
In addition, the Internet operates on a "capacity available" basis,
which means some messages may encounter substantial delays or, perhaps, may not
ever arrive at their intended destination. Since, in our experience, almost
all messages seem to arrive quickly and reliably, it is easy to
forget that there may be times when things are different.
Finally, modern software provides for what is commonly called active content.
This means that the e-mail message contains a payload involving the execution
of code that causes things to happen on the recipient's computer. Examples of
this are messages that contain animation, etc. The obvious problem with accepting
active content is that some active content may be destructive or malicious —
a virus. Active content may be present even when no attachments exist on the message.
Active content risks are typically recognized as virus problems and most organizations
use various techniques to protect themselves from these threats.
Fraud Protection
So, what can be done about protecting yourself from bogus or altered e-mail? The
solution is to use secure e-mail. To do this, you must have a Digital Identification
(ID). A Digital ID involves the use of a certificate authority that will vouch
for your identity and your ownership of encryption keys, one private and one public.
In the world of the public Internet, you can try a certification authority, such
as VeriSign, that markets digital certificates.
A digital certificate can be used as a Digital ID card. Within the enterprise,
an authentication server can be set up to issue Digital ID cards
for use within the organization. For example, a trusted authority, such
as the human resources department, can load an employee's identity into the server.
This enables the employee to use secure e-mail. When secure e-mail is used, the
receiver of the secure e-mail can expect the message to have the same legal standing
as a signed document. Further, the content of the message will have been encrypted
to prevent alteration. The receiver will know that the content has not been altered
by anyone.
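
The signing half of secure e-mail, as an added example that is not part of the original article: the `openssl smime` commands below sign a message with a Digital ID and show that the receiver's check fails once the text is altered. The self-signed certificate stands in for one issued by a certification authority, and the name, address and message are constructed.

```shell
#!/usr/bin/env bash
# Added example: S/MIME signing with a Digital ID, and what the receiver sees
# when the message is altered in transit. Names and addresses are constructed.

# Receiver-side check: prints "valid" or "rejected" for message $1,
# trusting only the issuer certificate in $2.
verify_mail() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
  then echo valid
  else echo rejected
  fi
}

smime_demo() {
  local dir orig tampered
  dir=$(mktemp -d) || return 2

  # Stand-in for the Digital ID: a self-signed certificate and private key.
  # A real ID would be issued by a certification authority or enterprise server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.com" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 2

  printf 'Please pay invoice 1001 for $100.\n' > "$dir/msg.txt"

  # Sender: sign with the private key; the certificate travels with the message.
  openssl smime -sign -text -in "$dir/msg.txt" \
    -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/signed.eml" 2>/dev/null || return 2

  # Simulate alteration in transit: the clear-text amount is changed,
  # the attached signature is left as it was.
  sed 's/\$100/$900/' "$dir/signed.eml" > "$dir/tampered.eml"

  orig=$(verify_mail "$dir/signed.eml" "$dir/cert.pem")
  tampered=$(verify_mail "$dir/tampered.eml" "$dir/cert.pem")

  rm -rf "$dir"
  echo "original=$orig tampered=$tampered"
}

smime_demo
```
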
Although most popular e-mail clients and systems support secure e-mail services,
it appears that most organizations and most users of e-mail do not use the capability.
They seem to feel that any security threat is minor and that anyone interested
in creating mischief would not target them. However, many experts believe that
problems are more common than reported because organizations that have experienced
attacks do not report or publicize the incidents because of the negative image
it creates.
As e-mail becomes more and more a part of our individual identities, problems
of identity and security will become more important. Complex issues of privacy
and identity theft will become even more complex. The future should be most interesting.
Philip Houle is associate professor of information systems in the College of
Business and Public Administration