the security of sending emails

gib88

Hello,

Our project manager has asked us to answer some security questions for a few prospective clients. One of the questions is: If the client provides data via email, what security considerations should be made?

Consider the 'data' to be an attachment.

The main question on my mind is: is it possible for third parties to 'spy' on emails in transit? So if I send an email with an attachment, under what conditions would it be possible for a third party to see that email, and the attachment, and can they copy the attachment for themselves?

Are there any other security issues to be considered when sending emails with attachments?
 
Most email servers use 'opportunistic' encryption, meaning that if the servers on both the sending and receiving end support encryption, it'll be used. But if not, the email gets transmitted in plain text. In such cases the email and any attachments could be seen by third parties on the internet.

Generally emails are also stored on servers (users' mailboxes) in unencrypted format. So if that server is compromised, the emails can be seen by others.

That's why email isn't really considered a secure form of communication. There are methods of sending secured email such as PGP, but that's complicated. For some added security, you could add your attachments to password-protected zip files and then send those. 7-Zip will encrypt a zip file and require a password.
 
That's what I was going to say, Crazyman..... just add the attachment into a zip file and add a password. :)
 
If overly concerned about security, download and install AxCrypt (1.7!! I would stay away from the 2.0 update). Encrypt the file and ask the client to download and install the old version too. Whatever you encrypt the file with, send the key via some other means, e.g. text message, fax, snail mail.
 
hmmm... this is for your work.
Get a consultant in, a proper company that is accredited to set up secure systems...

I often find (as I work in IT) that when a company starts talking about "security", what comes soon after is a tightening of that (i.e. enforcing that security or failing to transmit), auditing that security, testing that security, updating that security etc...

When you talk about emails, what starts as mails with password protection quickly escalates to secure/encrypted, with offsite backups and non-repudiation software in place.

To know if the server you have even supports encryption, you will want to know what the name and version of your email server is (or what service you have, and what tier of service you have).
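The two server-side points raised in this thread (opportunistic TLS falling back to plain text, and checking whether your own mail server even advertises encryption) can both be checked from data you already have. The added example below is not from any poster; it parses the `Received:` headers of a delivered message to report which hop used TLS, and parses a raw SMTP `EHLO` reply to see whether the server offers `STARTTLS`. Both inputs are constructed samples with RFC 5737 documentation addresses, and the hostnames are assumptions.

```python
"""Audit mail delivery hops and an SMTP EHLO reply for TLS (added example)."""
import re
from email import message_from_string

# Constructed sample message: the latest hop (top header) used TLS, the
# first hop (laptop -> mx.example.net) did not. Hostnames are made up.
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123
\t(version=TLS1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
\tMon, 1 Jan 2024 10:00:00 +0000
Received: from laptop.example.com (unknown [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tMon, 1 Jan 2024 09:59:58 +0000
From: alice@example.com
To: bob@example.org
Subject: Report attached

See attachment.
"""

# Constructed EHLO replies: one server advertises STARTTLS, the other does not.
SAMPLE_EHLO_WITH_TLS = "250-mail.example.org Hello client\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP\r\n"
SAMPLE_EHLO_NO_TLS = "250-mx.example.net Hello client\r\n250-SIZE 10240000\r\n250 HELP\r\n"


def audit_received(raw_message):
    """Return one dict per delivery hop, in delivery order (oldest first).

    Caveat: only the hops added by servers you control are trustworthy;
    earlier Received headers are written by the sender's side and can be
    fabricated, so treat them as hints, not evidence.
    """
    msg = message_from_string(raw_message)
    hops = []
    # Received headers are prepended as mail travels, so top = latest hop.
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())  # unfold continuation lines
        src = re.search(r"\bfrom\s+(\S+)", flat)
        dst = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+(\S+)", flat)
        version = re.search(r"version=([A-Za-z0-9._-]+)", flat)
        proto_name = proto.group(1).upper() if proto else ""
        # ESMTPS / ESMTPSA / SMTPS / UTF8SMTPS all signal a TLS session;
        # an explicit version=TLS... clause is an independent confirmation.
        used_tls = "SMTPS" in proto_name or bool(version and version.group(1).upper().startswith("TLS"))
        hops.append({
            "from": src.group(1) if src else "?",
            "by": dst.group(1) if dst else "?",
            "protocol": proto_name,
            "tls_version": version.group(1) if version else None,
            "tls": used_tls,
        })
    return hops


def plaintext_hops(raw_message):
    """Names of receiving servers that accepted the message without TLS."""
    return [hop["by"] for hop in audit_received(raw_message) if not hop["tls"]]


def ehlo_extensions(reply):
    """Extract the extension keywords from a raw multi-line 250 EHLO reply."""
    exts = []
    for index, line in enumerate(reply.splitlines()):
        if not line.startswith("250"):
            continue  # not part of the success reply
        if index == 0:
            continue  # first line is the server greeting, not an extension
        body = line[4:].strip()  # drop "250-" or "250 " prefix
        if body:
            exts.append(body.split()[0].upper())
    return exts


def offers_starttls(reply):
    """True if the server advertises STARTTLS, i.e. can receive over TLS."""
    return "STARTTLS" in ehlo_extensions(reply)


if __name__ == "__main__":
    for hop in audit_received(SAMPLE_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}: {hop['protocol']} TLS={hop['tls']}")
    print("Plaintext hops:", plaintext_hops(SAMPLE_MESSAGE))
    print("mail.example.org offers STARTTLS:", offers_starttls(SAMPLE_EHLO_WITH_TLS))
    print("mx.example.net offers STARTTLS:", offers_starttls(SAMPLE_EHLO_NO_TLS))
```

Run it against a message saved as raw source from your own mailbox to see which server on the path accepted it in the clear; to get a real `EHLO` reply, connect to port 25 or 587 of your own server with `openssl s_client -starttls smtp` or a plain `telnet` session and paste the 250 lines into `ehlo_extensions`.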
 
Having a password protected zip is a good start, but I'd personally shy away from sending confidential data over email, and use a secure FTP server of some kind with controlled access.

If you must use email, it's better if each sender has their own unique certificate. This goes some way to ensure not that the data is secure, but at least you can be confident in the recipient and the sender (i.e., you're not being sent false data by somebody pretending to be someone else).
 