Describe the Advanced E-Security for Basic Communication Protocol.
In today's digital world, where the internet has become an integral part of individuals' lives, e-mail plays a vital role in providing an easy platform for communication. It can be described as the digital exchange of information. Most companies pay for advanced information security, yet they neglect the basic security of their communication. This negligence can lead to several security issues that affect data and information security and may result in security breaches. Intruders can take advantage of e-mail vulnerabilities to circumvent the organization's cyber-defense system and gain access to sensitive data and information about the organization's operational activities. According to the findings, about sixty percent of organizations have no plan for security awareness training for employees who use e-mail in their operational activities. This report presents research on e-mail security: it sets out the problems related to e-mail security together with measures that can help mitigate them. It also covers Pretty Good Privacy (PGP), which can help protect the traffic of information exchange against intrusion.
E-mail (electronic mail) can be defined as the exchange of stored messages over telecommunication systems; the messages are generally encoded as ASCII text. It also lets users share non-text files such as images, GIFs, and audio files as attachments, which are sent as binary streams (Petry et al., 2014). It was the very first use of the internet, and it has now become one of the most important tools for exchanging information and has replaced letters.
Advantages of E-mail
E-mail has many advantages, which can be listed as:
Speed: This is one of the fastest modes of exchanging information; a message typically takes seconds or minutes to travel from one address to another.
Convenience: It is much faster than making a call or being drawn into a conversation on a given topic, where the other person may raise arguments (Badran, Pluye & Grad, 2015). It can be a closed type of conversation for the users.
Attachments: This facility, available without any service charge, lets users exchange information or send text to one another. As stated earlier, it enables users to send and receive pictures, audio, and other files.
Record: Mail services allow users to keep a record of the conversations shared between them.
Accessibility: E-mails can be accessed and stored conveniently in an e-mail program, which helps in archiving, organizing, and searching them. Messages stored in the e-mail program can therefore be accessed and read anytime, anywhere, by connecting to the internet (Rueben & Jakobson, 2013).
No limit on space: It also provides unlimited space for writing and receiving new messages.
Acceptable-use policies are virtually universal today, yet companies neither explain these policies to their employees nor attempt to inform them of what the policies are. What matters is training employees on the e-mail policy and making them aware of how to apply it in real situations (O'Sullivan et al., 2017). For outbound e-mail, training and policy should cover broad topics, including what should and should not be treated as confidential information (Gu & Fang, 2012). Other topics are the information that is appropriate to include in outgoing e-mails and restrictions on personal use of e-mail. Regarding e-mail usage policies, companies are advised to develop an independent policy for encrypting files and text exchanged between two users. Access to these encrypted messages should be limited to a small set of users rather than granted to every employee. Pelland (2015) stated that “this can create a security risk. Auto forwarding means the email is sent to an account that isn’t under the control of the IT department”.
Basic Principles of E-Mail System
There are three basic principles of the e-mail system, which can be listed as:
Basic Communication Protocol
E-mail is transmitted by means of the basic protocols POP3 and SMTP, including their extensions. The structure model, commands, and interactive process of the SMTP protocol are defined by RFC0821 (Herath et al., 2014). The three interaction states of POP3 are also defined by RFC0821: the Authorization State, the Update State, and the Transaction State (Chhabra & Bajwa, 2015).
Syntax and Format Rules
The syntax and format rules for e-mail information comply with RFC1341 (MIME), RFC0882, and their extension protocols. RFC1341 (MIME) defines the content descriptor domain, the optional header fields, and the Message-ID (Pandove, Jindal & Kumar, 2013). RFC0882 defines the standard format for exchanging textual content, the details of the heading format, and the single body format.
This is described in detail in RFC1341 (MIME). The encoding in use is indicated by the content transfer encoding, of which there are five kinds: 7 bit, 8 bit, base 64, quoted-printable, and binary (Mohamed, 2014). The 8 bit, binary, and 7 bit encodings are distinct from one another, although in all three the data is transferred as plain text while mail is sent and received (Stine & Scholl, 2013). The main purpose of base 64 and quoted-printable encoding, on the other hand, is to send and receive mail content that is not plain text by representing it with ASCII characters.
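The following added example (not part of the original report) builds a constructed message with a quoted-printable body and a base 64 attachment, then recovers both with nothing but a standard parser, showing that transfer encodings change the representation on the wire but provide no confidentiality. The addresses, file name, and contents are constructed sample values.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_sample() -> bytes:
    """Constructed message: quoted-printable text body plus a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Q3 payroll"
    # Non-ASCII text is carried as quoted-printable (=C3=A9 and so on).
    msg.set_content("Salaire révisé: 4 200 €\n", cte="quoted-printable")
    # Binary attachments are carried as base64 by default.
    msg.add_attachment(
        b"account=12345678;pin=0000",
        maintype="application",
        subtype="octet-stream",
        filename="notes.bin",
    )
    return msg.as_bytes()


def recover_parts(raw: bytes) -> list:
    """Return (content type, declared transfer encoding, decoded bytes) per leaf part.

    No key or secret is involved: the Content-Transfer-Encoding header tells
    any reader of the traffic exactly how to reverse the encoding.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = part.get("Content-Transfer-Encoding", "7bit").lower()
        parts.append((part.get_content_type(), cte, part.get_payload(decode=True)))
    return parts


if __name__ == "__main__":
    wire = build_sample()
    print(wire.decode("ascii"))          # what an eavesdropper sees
    for ctype, cte, data in recover_parts(wire):
        print(ctype, cte, data)          # what the eavesdropper recovers
```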
Problems of E-mail Security
Besides its many advantages and wide use, e-mail has many disadvantages, the most significant of which are the security issues that arise in using the service. The term ‘spam’ is used for unwanted messages, including harassing e-mail, advertising e-mail, chain mail, reactionary e-mail, etc. (Ji, 2013). Spam has several effects: it occupies space on the internet server, slows transmission in the network, and increases the network load. The following security issues deserve particular attention:
Malicious Virus Attacks: This type of attack can give an unauthorized user access to personal and sensitive information about the organization's operational activities or about a user. Viruses spread by e-mail are generally written in VBScript, and in most cases they arrive as an attached file or folder (Kim & Ha, 2016). The process is automated: when the user opens the zip file or attachment, the virus is activated, goes through the address book, and starts spreading to software and to other systems on the network the system is connected to.
E-mail Security Issues: Information or files that have not been encrypted properly can be altered, manipulated, and misused by an intruder or unauthorized user (Durumeric et al., 2015). If messages are not digitally signed, the sender will not be able to know whether the message has been sent to the rightful person.
Spear Phishing: This is a trick that lets intruders collect individuals' personal access credentials, which can provide access to the network. An unauthorized user can use these credentials to enter the network and access the information and data stored in it (Gersch, Massey & Rose, 2017). This increases the security risk for individuals who use e-mail to exchange information.
Mail Bomb: This refers to sending a large number of e-mails to the same mailbox in a very short time (Al-Mashhadi & Alabiech, 2017). A mailbox has limited space and cannot hold that much mail, so it collapses as a result.
Social Engineering: Instead of hacking into the system, an intruder can use e-mail services as a medium to enter the network and access very sensitive information stored in the system (Pehlivano & Duru, 2015). E-mail spoofing is an example of a social engineering attack: the intruder, or a program, gains entry by pretending to be an authorized user of the network or system, falsifying the sender information shown in the e-mail in order to hide its true origin.
Unauthorized Access: This can happen intentionally or unintentionally, as some threats are not deliberate. Authorized users may inadvertently send sensitive or proprietary information by e-mail, which can expose the information and bring embarrassment or legal action upon the organization.
Contents with Malicious Coding: This is an intentional act that gives an unauthorized user access, or blocks users from accessing their own data and information saved in the system. Ransomware attacks are an example. One popular example is the ‘WannaCry’ ransomware attack, which started with a similar type of malicious injection via mail and had a global effect (Xu & Chen, 2017). Another possibility is that once the mail server is compromised, the intruder can retrieve users' passwords, which may grant access to other hosts on the organization's network.
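For the e-mail spoofing described under Social Engineering above, the following added example (not part of the original report) checks a received message for sender headers that disagree with each other. The two messages, their domains, and the finding labels are constructed for illustration, and a finding is an indicator for review, not a verdict, since mailing lists and bulk senders legitimately use a different Return-Path.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches an e-mail address embedded in free text and captures its domain.
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def spoof_indicators(raw: str) -> list:
    """Return the sender-header inconsistencies found in one message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. The display name itself contains an address from another domain.
    #    Many clients show only the display name, hiding the real address.
    shown = ADDR_RE.search(display)
    if shown and shown.group(1).lower() != from_dom:
        findings.append("display-name-address-mismatch")

    # 2. Return-Path holds the envelope sender recorded at delivery.
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if bounce and _domain(bounce) != from_dom:
        findings.append("return-path-domain-mismatch")

    # 3. Replies would go to a domain other than the visible sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("reply-to-domain-mismatch")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = (
    "Return-Path: <bounce@mailer.invalid>\n"
    'From: "IT Helpdesk <helpdesk@corp.example>" <x9@mailer.invalid>\n'
    "Reply-To: reset@collector.invalid\n"
    "To: staff@corp.example\n"
    "Subject: Password expiry\n\nbody\n"
)
LEGITIMATE = (
    "Return-Path: <helpdesk@corp.example>\n"
    'From: "IT Helpdesk" <helpdesk@corp.example>\n'
    "To: staff@corp.example\n"
    "Subject: Maintenance window\n\nbody\n"
)

if __name__ == "__main__":
    print(spoof_indicators(SPOOFED))
    print(spoof_indicators(LEGITIMATE))
```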
E-mail Security System
Classifying the security problems related to e-mail: As stated earlier, e-mail is one of the most popular ways to exchange information today. As technology evolves, the internet is replacing ‘pen and paper’ work, and e-mail has replaced many ordinary communication systems. E-mail is a decentralized system: mail is transferred by one MTA (Mail Transfer Agent) to another agent of the mail transport system (Hartman, 2016). These exchanges follow varied and critical routes, reaching the user's mailbox after various twists and turns. Traditionally, mail was not encrypted, which leads to security issues and related threats, since the contents can easily be exposed during the exchange. Today a great deal of sensitive and personal information is shared by mail, which makes it more important to secure the network in a more advanced way.
Some other security issues can be described as:
Message Replay: A message may be resent to the same recipient even after the information has been encrypted, which is a potential threat to the transmission system (Herath et al., 2014).
Information Disclosure: As stated earlier, a good programmer can easily decode the content and find out what information is being transferred or shared between the two parties.
Malicious paste: As also described earlier, an unauthorized user can make senders and receivers the prey of his techniques (Shingala & Patel, 2017).
Functions of PGP analysis
PGP, or Pretty Good Privacy, is a mail security standard currently used by the technical and academic communities to improve the security of the data and information exchanged on the server. It is characterized by public key technology and one-way hash algorithms, which are used to sign the contents of the mail and at the same time ensure that the contents of the letter cannot be altered or manipulated by an unauthorized user (Hassouna et al., 2015). It combines asymmetric and symmetric encryption technology to ensure the privacy, security, and confidentiality of the contents.
The main functions of the PGP software are as follows:
Digital signatures on e-mails or files: Recipients can use the signer's public key to verify authenticity.
Encryption of files stored on the computer: Encrypted files can be decrypted only by the user who holds the unique cryptographic key for that encryption.
Encrypting e-mails: This works in the same way as file encryption and enhances the security of the e-mail system (Wang, 2014).
The most significant features of PGP message exchange are the signature on the e-mail and encryption, both of which enhance the security of the e-mail system. The signature also helps the recipient know that the message has come from a known and trusted sender. “It can help user manage Key and it can generate public / private key pair” (Mateescu & Vladescu, 2013).
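The sign-then-encrypt structure described above is shown in the following added example, which is not part of the original report and is not PGP's own code. It assumes stand-in primitives so that it runs with the standard library alone: textbook unpadded RSA over well-known Mersenne primes and a SHA-256 counter keystream take the place of the real public key and symmetric algorithms, and all function names are hypothetical.

```python
import hashlib
import secrets


def toy_keypair(p_exp: int, q_exp: int, e: int = 65537):
    """Toy RSA key from two Mersenne primes 2**k - 1.

    The factors are public knowledge, so these keys only illustrate structure.
    Returns (public, private) as ((n, e), (n, d)).
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest_int(data: bytes) -> int:
    """One-way hash of the message, as an integer ready for signing."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def pgp_style_send(plaintext: bytes, sender_priv, recipient_pub) -> dict:
    n_s, d_s = sender_priv
    # 1. Sign: hash the contents, then apply the sender's private key.
    signature = pow(digest_int(plaintext), d_s, n_s)
    sig_len = (n_s.bit_length() + 7) // 8
    signed = signature.to_bytes(sig_len, "big") + plaintext
    # 2. Encrypt signature + contents with a fresh symmetric session key.
    session_key = secrets.token_bytes(32)
    body = keystream_xor(session_key, signed)
    # 3. Wrap the session key with the recipient's public key.
    n_r, e_r = recipient_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r)
    return {"wrapped_key": wrapped, "body": body}


def pgp_style_receive(packet: dict, recipient_priv, sender_pub):
    """Return (plaintext, signature_valid)."""
    n_r, d_r = recipient_priv
    session_key = pow(packet["wrapped_key"], d_r, n_r).to_bytes(32, "big")
    signed = keystream_xor(session_key, packet["body"])
    n_s, e_s = sender_pub
    sig_len = (n_s.bit_length() + 7) // 8
    signature = int.from_bytes(signed[:sig_len], "big")
    plaintext = signed[sig_len:]
    # The signer's public key recovers the digest the sender signed.
    valid = pow(signature, e_s, n_s) == digest_int(plaintext)
    return plaintext, valid


if __name__ == "__main__":
    sender_pub, sender_priv = toy_keypair(521, 607)
    recipient_pub, recipient_priv = toy_keypair(1279, 2203)
    packet = pgp_style_send(b"Quarterly figures attached.", sender_priv, recipient_pub)
    print(pgp_style_receive(packet, recipient_priv, sender_pub))
```

Flipping a single bit of the encrypted body changes the recovered contents, so the digest no longer matches the signature and verification fails.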
To ensure the integrity, availability, and confidentiality of sensitive and personal information shared by e-mail, it is necessary to emphasize operational, technical, and management safeguards (Jang-Jaccard & Nepal, 2014). The following preventive measures can help ensure the security of the e-mail system:
Implementation of management controls
This covers management security controls, which include configuration management, security policies, risk management, contingency plans, and change control. These processes help manage the maintenance and effective operation of the e-mail security system and support the network infrastructure (Ifinedo, 2014). In addition, the organization should implement training and education programs as part of the whole system, so that each individual and stakeholder is well acquainted with the security issues and preventive measures. This should be done on a regular basis; it will reduce the rate of threats to the security of e-mail and of the computers that store personal and sensitive information.
The management or the IT team should implement the system very carefully. The most critical aspect of successfully deploying a secure e-mail system is careful and strategic planning before its installation, configuration, and deployment (Schumacher et al., 2013). The security of data and information should be the first priority before any system is implemented, and risks and issues should be identified during the planning stage of the project or during the development life cycle. This helps ensure the security of the e-mail system and minimizes the cost incurred once risks affect the organization.
Securing the Mail Client
On the client side, e-mail poses many risks to the security of the server through which the mail is handled. Providing a proper level of security means addressing numerous issues and considering those risks carefully. Upgrading and patching the mail client application is the most critical part of the secure installation, configuration, and use of mail client applications (Kumar, 2014). Other aspects of e-mail security include enabling antivirus; configuring the mail client's security features, such as disabling automatic opening of messages and enabling anti-phishing and anti-spam features; configuring mailbox access and authentication; and securing the client's host operating system.
Securing the Transmission
By default, most standard e-mail protocols send messages, data, attachments, and user authentication data without encryption (Aziz, Tarapiah & Atalla, 2016). This is a gift to intruders and unauthorized users, because such data can easily be compromised, giving them the opportunity to read the files and gain access to them. Organizations are advised at least to encrypt the session used for user authentication, even if the message data itself is not encrypted (Rowney, 2016).
Another approach to the integrity and confidentiality of messages is to deploy a secure e-mail solution such as PKI technology, which encrypts the data and signs the message to establish the sender's address. Data leakage prevention systems and digital rights management are further approaches that help against exfiltration and accidental leakage of private and sensitive information.
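One way to apply the recommendation above to encrypt at least the authentication session is sketched in the following added example, which is not part of the original report. It refuses to send SMTP credentials until the session has been upgraded with STARTTLS; the host names, the sample server replies, and the function names are constructed assumptions, and port 587 is assumed as the submission port.

```python
import smtplib
import ssl


def ehlo_extensions(reply: str) -> dict:
    """Parse the text of a multi-line 250 EHLO reply into {KEYWORD: parameters}."""
    extensions = {}
    for line in reply.splitlines()[1:]:          # the first line is the greeting
        if len(line) > 4 and line[:3] == "250":
            keyword, _, params = line[4:].strip().partition(" ")
            extensions[keyword.upper()] = params.upper()
    return extensions


def auth_decision(reply: str, tls_active: bool) -> str:
    """Decide what a client may do next, given the server's advertised features."""
    ext = ehlo_extensions(reply)
    if tls_active:
        return "authenticate" if "AUTH" in ext else "no-auth-offered"
    if "STARTTLS" in ext:
        return "starttls-first"                  # upgrade before any credentials
    # No way to encrypt the session: AUTH PLAIN/LOGIN would cross the network
    # as base64 only, which anyone on the path can decode.
    return "abort"


def submit(host: str, user: str, password: str, message, port: int = 587) -> None:
    """Send one message, authenticating only inside a verified TLS session."""
    context = ssl.create_default_context()       # verifies certificate and host name
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered; credentials not sent")
        smtp.starttls(context=context)
        smtp.ehlo()                              # re-read capabilities after TLS
        smtp.login(user, password)
        smtp.send_message(message)


# Constructed EHLO replies (not captured from a real server).
BEFORE_TLS = "250-mail.example.com\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"
AFTER_TLS = "250-mail.example.com\n250-SIZE 35882577\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
NO_STARTTLS = "250-mail.example.com\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    print(auth_decision(BEFORE_TLS, tls_active=False))
    print(auth_decision(AFTER_TLS, tls_active=True))
    print(auth_decision(NO_STARTTLS, tls_active=False))
```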
Securing the Supporting Operational Environment
Mail clients and mail servers are the most important components of the e-mail system. However, the supporting network infrastructure cannot be neglected, as it is also crucial to the secure operation and exchange of mail (Silberschatz, Galvin & Gagne, 2014). In most instances the network infrastructure includes routers, firewalls, intrusion detection systems, and intrusion prevention systems, which provide the first layer of network protection against untrusted users or programs.
Maintaining a Secure Mail System
Maintaining the security of an e-mail system is an ongoing process that requires resources, vigilance, and constant effort, among other things; these are described in the following paragraphs:
Protect, Analyze, and Configure Log Files
Log files are the only record of suspicious activity in the organization. Implementing a logging mechanism therefore allows the organization to collect data on attempted intrusions and breaches, whether successful or failed (Ryan, 2014). It also helps ensure notification of any attempted intrusion when an intruder or hacker tries to enter the system through the e-mail server, so that the intruder can be blocked from accessing other personal and sensitive information of the organization or individual. Both tools and procedures are essential for the organization to analyze and process the log files and to review alerts of data breaches.
Back up Data Frequently
Maintaining the integrity of data is another crucial function of the mail server administrator. It is important because mail servers can be among the most exposed and vital servers on the organization's network. The mail administrator should back up the mail server on a regular basis to support compliance with regulations on archiving and backing up information and data. This also helps reduce downtime in the event of an e-mail service outage (Boss et al., 2015).
Protect Against Malware
Cyber attacks have become the greatest concern of the digital world, so it is very important to be protected against attacks that may affect data and information about the organization's operational activities. An organization should install proper, up-to-date anti-malware and anti-virus software to protect against such malicious attacks. The software should be capable of spam filtering and malware scanning at both the mail system level and the mail client. Awareness and training programs are among the most effective measures against such intrusions and data breaches (Perlman, Kaufman & Speciner, 2016). They help employees understand which activities may affect the privacy and security of the data and information travelling through the e-mail server network.
Technology evolves and develops every day, and the internet is becoming an integral part of human life. E-mail is used by nearly every user connected to the internet. Based on the above report, it can be concluded that e-mail was one of the earliest applications of the internet and has now become integral to how all organizations exchange information. It has become one of the most popular technologies for easily exchanging files, including text, images, audio, and other files. Despite all these advantages, there are certain security issues in the use of e-mail services, and these can be more damaging than any other fault in the system. The above report presents thorough research on e-mail security and is helpful in managing a high level of security for the network used to exchange information by e-mail. Encrypting the data before sending it to the receiver is recommended as the best approach for achieving maximum security in the mail system.
Al-Mashhadi, H. M., & Alabiech, M. H. (2017). A Survey of Email Service; Attacks, Security Methods and Protocols. International Journal of Computer Applications, 162(11).
Aziz, K., Tarapiah, S., & Atalla, S. (2016, September). SIMSSP: Secure Instant Messaging System for Smart Phones. In Proceedings of SAI Intelligent Systems Conference (pp. 647-657). Springer, Cham.
Badran, H., Pluye, P., & Grad, R. (2015). Advantages and disadvantages of educational email alerts for family physicians. Journal of medical Internet research, 17(2).
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors.
Chhabra, G. S., & Bajwa, D. S. (2015). Review of E-mail System, Security Protocols and Email Forensics. International Journal of Computer Science & Communication Networks, 5(3), 201-211.
Durumeric, Z., Adrian, D., Mirian, A., Kasten, J., Bursztein, E., Lidzborski, N., ... & Halderman, J. A. (2015, October). Neither snow nor rain nor MITM...: An empirical analysis of email delivery security. In Proceedings of the 2015 ACM Conference on Internet Measurement Conference (pp. 27-39). ACM.
Gersch, J., Massey, D., & Rose, S. (2017, January). DANE Trusted Email for Supply Chain Management. In Proceedings of the 50th Hawaii International Conference on System Sciences.
Gu, C. Y., & Fang, R. Y. (2012). Email Security and PGP Technical Analysis. In Advanced Materials Research (Vol. 546, pp. 1075-1079). Trans Tech Publications.
Hartman, R. (2016). U.S. Patent Application No. 15/165,000.
Hassouna, M., Barry, B., Bashier, E., & Mohamed, N. (2015). An end-to-end secure mail system based on certificateless cryptography in the standard security model.
Herath, T., Chen, R., Wang, J., Banjara, K., Wilbur, J., & Rao, H. R. (2014). Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service. Information systems journal, 24(1), 61-84.
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.
Jang-Jaccard, J., & Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973-993.
Ji, H. (2013). Research on Email Security Policy based on Network Technology. In Applied Mechanics and Materials (Vol. 339, pp. 292-296). Trans Tech Publications.
Kim, S. M., & Ha, Y. G. (2016). A Method of Detecting Careless Email Use that May Cause Security Problems Based on Analysis of Enterprise Email Big Data. International Journal of Software Engineering and Its Applications, 10(10), 31-42.
Kumar, A. (2014). Email Borne Virus & Worms.
Mateescu, G., & Vladescu, M. (2013, September). A hybrid approach of system security for small and medium enterprises: Combining different cryptography techniques. In Computer Science and Information Systems (FedCSIS), 2013 Federated Conference on (pp. 659-662). IEEE.
Mohamed, G. (2014). J, M. Mohammed Mohideen, Mrs. Shahira Banu. N,“E-Mail Phishing-An Open Threat to Everyone”. International Journal of Scientific and Research Publications, 4(2).
O'sullivan, P. J., Harpur, L., Willner, B. E., & Stern, E. H. (2017). U.S. Patent No. 9,742,778. Washington, DC: U.S. Patent and Trademark Office.
Pandove, K., Jindal, A., & Kumar, R. (2013). Email spoofing. International Journal of Computer Applications, 5(1), 27-30.
Pehlivano, M. K., & Duru, N. (2015). Email Encryption using RC4 Algorithm. International Journal of Computer Applications, 130(14).
Pelland, D. (2015). Email security risks hiding in plain sight. Financial Executive, 31(1), 38-44.
Perlman, R., Kaufman, C., & Speciner, M. (2016). Network security: private communication in a public world. Pearson Education India.
Petry, S. M., Akamine, S., Lund, P. K., Cox, F., & Oswall, M. J. (2014). U.S. Patent No. 8,725,889. Washington, DC: U.S. Patent and Trademark Office.
Rowney, K. T. (2016). U.S. Patent No. 9,515,998. Washington, DC: U.S. Patent and Trademark Office.
Rueben, S. L., & Jakobson, G. (2013). U.S. Patent No. 8,510,664. Washington, DC: U.S. Patent and Trademark Office.
Ryan, M. D. (2014, February). Enhanced Certificate Transparency and End-to-End Encrypted Mail. In NDSS.
Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., & Sommerlad, P. (2013). Security Patterns: Integrating security and systems engineering. John Wiley & Sons.
Shingala, K., & Patel, J. (2017). Automatic Home Appliances and Security of Smart Home with RFID, SMS, Email and Real Time Algorithm Based on IOT.
Silberschatz, A., Galvin, P. B., & Gagne, G. (2014). Operating system concepts essentials. John Wiley & Sons, Inc.
Stine, K., & Scholl, M. (2013). E-mail security. An overview of threats and safeguards. Journal of AHIMA, 81(4), 28-30.
Wang, S. (2014). PGP Encryption Software.
Xu, G. F., & Chen, Y. (2017). Investigation of the Email Notice Issue in Aleph. International Journal of Librarianship, 2(2).