Email Information Disclosure (Part 4): STRIDEing through Email Threats
This is part four in a series of articles looking at the STRIDE Threat Model to identify and mitigate the threats and risks posed to Email security.
In this article we look at Information Disclosure. If you missed Part 3, you can find the article here
Information Disclosure (the Threat)
Information Disclosure is the exposure of information to someone not authorised to see it. Information Disclosure is also referred to as information leakage. In Email terms, information disclosure fundamentally means that somebody not authorised to see the contents of an email (which may be confidential in nature) has read them, whether by intercepting the message in transit, reading it at rest on a mail server, or gaining access to a mailbox.
Confidentiality (the Property)
Email Confidentiality refers to protecting information from being accessed by unauthorised parties. In other words, only those parties authorised to do so, can gain access to sensitive or confidential data contained within email or an email system.
Countermeasures - Technical Controls
The primary technical control that can be implemented to enable Email confidentiality is Email Encryption. The fundamental issue with Email is that it is insecure by design and by default: SMTP carries messages in plain text unless both mail servers happen to negotiate STARTTLS, that negotiation is opportunistic and can be downgraded, and even where it succeeds the message sits unencrypted on every server along the path. Encryption of the message content itself (for example S/MIME or OpenPGP) is not enabled by default, and in many cases implementing it is not easy or straightforward and is often difficult for users to operate correctly.
A Secure Email Gateway that provides email encryption capabilities to safeguard the contents of email will help address this threat. Note that a gateway protects the message from the gateway outward; mail between your users and the gateway still depends on the controls around your internal network and mail server, and message headers such as the subject line generally remain readable by every relay on the path.
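To make the distinction between "encrypted in transit" and "encrypted content" concrete, here is an added example (written for this article, not code from the page or from any gateway product) of hybrid end-to-end encryption of an email body in Go: a fresh AES-256-GCM key per message, wrapped with RSA-OAEP for the recipient, which is the same shape of scheme that S/MIME and OpenPGP use. The addresses, subject and body are constructed sample data, and binding the From/To headers into the GCM tag is a design choice of this example rather than a requirement of any standard. The `WireView` output is what a relay or gateway on the path can read: routing headers and the Subject in full, the body as opaque base64.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"strings"
)

// EncryptedMessage is what leaves the sender. Headers stay in the clear so
// relays can route it; only the body is protected end to end.
type EncryptedMessage struct {
	Headers    map[string]string
	WrappedKey []byte // per-message AES key, encrypted to the recipient's RSA key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// routingAAD is the associated data bound into the GCM tag (an assumption of
// this example): a relay that re-addresses the message makes it undecryptable.
func routingAAD(h map[string]string) []byte {
	return []byte(h["From"] + "\n" + h["To"])
}

// EncryptBody encrypts body for the holder of pub: a fresh AES-256 key per
// message, wrapped with RSA-OAEP (a hybrid scheme, as S/MIME and OpenPGP use).
func EncryptBody(pub *rsa.PublicKey, headers map[string]string, body string) (*EncryptedMessage, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, []byte(body), routingAAD(headers))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedMessage{Headers: headers, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptBody reverses EncryptBody with the recipient's private key.
func DecryptBody(priv *rsa.PrivateKey, m *EncryptedMessage) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, m.WrappedKey, nil)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, m.Nonce, m.Ciphertext, routingAAD(m.Headers))
	if err != nil {
		return "", fmt.Errorf("body rejected (wrong key or tampered headers): %w", err)
	}
	return string(pt), nil
}

// WireView renders what every relay and gateway on the path can read:
// the routing headers and the Subject in full, the body as opaque base64.
func WireView(m *EncryptedMessage) string {
	var b strings.Builder
	for _, k := range []string{"From", "To", "Subject"} {
		fmt.Fprintf(&b, "%s: %s\n", k, m.Headers[k])
	}
	fmt.Fprintf(&b, "\n%s\n", base64.StdEncoding.EncodeToString(m.Ciphertext))
	return b.String()
}

func main() {
	// Recipient key pair, generated here only for the demo; in practice it
	// comes from the recipient's certificate or public key.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	headers := map[string]string{"From": "alice@example.com", "To": "bob@example.com", "Subject": "Q3 figures"}
	msg, err := EncryptBody(&priv.PublicKey, headers, "Revenue is down 12%. Do not forward.")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Print(WireView(msg))
	body, err := DecryptBody(priv, msg)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("recipient reads:", body)
}
```

Running it prints the headers and subject in plain text above an unreadable body, then the decrypted body on the recipient's side; the subject line leaking is exactly the residual disclosure that content encryption alone does not close.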
Countermeasures - Administrative Controls
Security Awareness Training - ensuring your users are trained and understand both the limitations around email security and best practices when sending emails to people outside of your organisation.
A Non-Disclosure Agreement (NDA) or including automatic confidentiality disclaimers in emails is a common way to protect information shared through email. Although this strategy is not foolproof (a disclaimer does nothing to stop a message being read by the wrong person), it will at least create awareness amongst the recipients of your email about the need for confidentiality.
Access Control - ensure mechanisms and policies are defined and in place around roles and privileges: who may read which mailboxes, who may be granted delegated or shared access, and who may export, forward or archive mail.
Monitoring and Auditing - reviewing audit logs and monitoring for signs that Email accounts may have been compromised is a useful detective control. Typical signs include logins from unexpected locations in quick succession, newly created rules that forward mail to external addresses, and sudden bursts of outbound mail from a single account.
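As an added example of the kind of detection that audit-log review can be turned into (written for this article, not code from the page or from any mail platform), the following Go program runs three checks over a handful of constructed audit log lines: two logins from different countries within an hour, a forwarding rule whose target is outside the organisation's domain, and more than five sends in ten minutes. The `key=value` log format, the field names, the organisation domain `example.com`, and the thresholds are all assumptions of this example; real mail platforms emit their own formats and the thresholds should be tuned to the organisation.

```go
package main

import (
	"fmt"
	"log"
	"sort"
	"strings"
	"time"
)

// Constructed sample audit log for this example; the key=value format and
// field names are an assumption, not any vendor's real format.
const sampleLog = `2024-03-04T08:12:01Z user=alice event=login ip=203.0.113.7 geo=GB
2024-03-04T08:40:15Z user=alice event=login ip=198.51.100.9 geo=NG
2024-03-04T08:41:02Z user=alice event=rule_created action=forward target=mail@example.net
2024-03-04T08:42:10Z user=alice event=send to=c1@example.org
2024-03-04T08:42:40Z user=alice event=send to=c2@example.org
2024-03-04T08:43:05Z user=alice event=send to=c3@example.org
2024-03-04T08:44:30Z user=alice event=send to=c4@example.org
2024-03-04T08:45:12Z user=alice event=send to=c5@example.org
2024-03-04T08:46:50Z user=alice event=send to=c6@example.org
2024-03-04T09:00:00Z user=bob event=login ip=192.0.2.5 geo=GB
2024-03-04T09:05:00Z user=bob event=send to=x@example.com`

type Event struct {
	Time   time.Time
	User   string
	Fields map[string]string
}

type Finding struct {
	User, Rule, Detail string
}

// Detection thresholds; assumptions for this example, tune per organisation.
const (
	travelWindow  = time.Hour         // two countries inside this window is suspicious
	sendWindow    = 10 * time.Minute  // sliding window for outbound bursts
	sendThreshold = 5                 // more sends than this inside sendWindow is a burst
)

// ParseLog parses "RFC3339 key=value key=value ..." lines into time-ordered events.
func ParseLog(logText string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			return nil, err
		}
		ev := Event{Time: ts, Fields: map[string]string{}}
		for _, kv := range parts[1:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("bad field %q in %q", kv, line)
			}
			ev.Fields[k] = v
		}
		ev.User = ev.Fields["user"]
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	return events, nil
}

// Analyse applies the three compromise indicators to the ordered events.
func Analyse(events []Event, orgDomain string) []Finding {
	var findings []Finding
	lastLogin := map[string]Event{}
	sends := map[string][]time.Time{}
	burstFlagged := map[string]bool{}
	for _, ev := range events {
		switch ev.Fields["event"] {
		case "login":
			if prev, ok := lastLogin[ev.User]; ok && prev.Fields["geo"] != ev.Fields["geo"] && ev.Time.Sub(prev.Time) <= travelWindow {
				findings = append(findings, Finding{ev.User, "impossible-travel",
					fmt.Sprintf("%s then %s within %s", prev.Fields["geo"], ev.Fields["geo"], ev.Time.Sub(prev.Time))})
			}
			lastLogin[ev.User] = ev
		case "rule_created":
			if target := ev.Fields["target"]; ev.Fields["action"] == "forward" && !strings.HasSuffix(target, "@"+orgDomain) {
				findings = append(findings, Finding{ev.User, "external-forwarding-rule", target})
			}
		case "send":
			// Drop sends that have fallen out of the sliding window, then add this one.
			kept := sends[ev.User][:0]
			for _, t := range sends[ev.User] {
				if ev.Time.Sub(t) <= sendWindow {
					kept = append(kept, t)
				}
			}
			kept = append(kept, ev.Time)
			sends[ev.User] = kept
			if len(kept) > sendThreshold && !burstFlagged[ev.User] {
				burstFlagged[ev.User] = true
				findings = append(findings, Finding{ev.User, "outbound-burst", fmt.Sprintf("%d sends within %s", len(kept), sendWindow)})
			}
		}
	}
	return findings
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range Analyse(events, "example.com") {
		fmt.Printf("%-6s %-25s %s\n", f.User, f.Rule, f.Detail)
	}
}
```

On the sample data this reports three findings, all for alice, and none for bob; in practice the same three checks are what you would express as alerts in whatever SIEM or mail platform audit tooling the organisation already runs.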
If you would like more information, or would like StarSwift Information Security to support you with the implementation of Email Encryption and Email Security, please do not hesitate to get in touch.