Monday, August 31, 2009

A Lapse in Policy

We have all been on the phone with someone we may not know all that well when, at the end of the conversation, they say "Sounds good, go ahead and shoot me an email about this." If you are like me, you think, "Why did we just talk about it, then?" However, that email actually serves quite a few purposes. The most obvious is that it will be used as a reminder; people often use their inbox as a to-do list. The next is that it serves as a record of your request; most companies have strict change-management policies under which every change must have a request associated with it. The final purpose is authentication: with growing awareness of social engineering over the phone, email has come into use as a form of authentication.

The lapse in policy comes from the last two purposes the email serves. It rests on the assumption that only the person who controls an email account can send a message from that address. Unfortunately email, like most Internet protocols, was designed before security was taken into account. It is actually considered quite trivial to send an email that appears to come from any name and address you please: plain SMTP accepts whatever From header the sender writes and never checks it against the account that submitted the message.

Fortunately there is a simple fix: reply to every request email with a confirmation request. So if person A asks person B to perform some task on the company's file server, then before performing the task, B should send a confirmation email to A asking A to confirm the task. The request and the confirmation should then be stored for record keeping, and we can be sure, to the extent that A's email account is secure, that the request was authentic. One caveat: the confirmation must go to A's known address from the company directory, not to a Reply-To address taken from the request itself, since whoever forged the request controls that header too.
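As an added example (not code from the original post), the Python sketch below models both halves of the argument. `spoofed_request` builds a message with an arbitrary From header, which is all the forgery takes, and `ConfirmationPolicy` implements the confirmation reply: the confirmation carries a random token, goes only to the directory address, and the task is treated as authorized only when that token comes back. The `DIRECTORY` mapping, the example.com addresses and the in-memory `outbox` are constructed for illustration; a real deployment would hand the confirmation to SMTP and look the requester up in the company directory.

```python
import re
import secrets
from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed directory of known requester addresses (an assumption standing
# in for the company's LDAP/AD lookup).
DIRECTORY = {"alice": "alice@example.com"}


def spoofed_request(claimed_from: str, to_addr: str, body: str,
                    reply_to: Optional[str] = None) -> EmailMessage:
    """Build a request that claims to be from `claimed_from`.

    Plain SMTP never checks that the submitting account matches the From
    header, so on the receiving side this message looks like a real one.
    Reply-To is where a forger would try to steer any reply.
    """
    msg = EmailMessage()
    msg["From"] = claimed_from
    msg["To"] = to_addr
    msg["Subject"] = "Please grant write access on the file server"
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg


def make_reply(from_addr: str, subject: str) -> EmailMessage:
    """Helper for the examples: a bare reply with the given From and Subject."""
    reply = EmailMessage()
    reply["From"] = from_addr
    reply["Subject"] = subject
    reply.set_content("Confirmed.")
    return reply


@dataclass
class Record:
    requester: str          # directory address the confirmation was sent to
    request: EmailMessage   # kept with the confirmation for change records
    confirmed: bool = False


class ConfirmationPolicy:
    """Confirm-before-acting: each request gets a confirmation email carrying
    a random token, sent only to the directory address.  Whoever returns the
    token demonstrably reads that inbox, which is the strongest assurance
    email itself can give."""

    _TOKEN_RE = re.compile(r"\[([A-Za-z0-9_-]+)\]")

    def __init__(self, approver: str, directory: Dict[str, str]):
        self.approver = approver
        self.directory = directory
        self.records: Dict[str, Record] = {}      # token -> record
        self.outbox: List[EmailMessage] = []      # stands in for SMTP delivery

    def receive_request(self, msg: EmailMessage) -> str:
        _, claimed = parseaddr(msg["From"])
        canonical = self.directory.get(claimed.split("@", 1)[0])
        if canonical is None:
            raise ValueError(f"no directory entry for {claimed!r}")
        token = secrets.token_urlsafe(16)
        confirm = EmailMessage()
        confirm["From"] = self.approver
        # Deliberately ignore Reply-To and the From header itself: the
        # confirmation goes to the address we already know for this person.
        confirm["To"] = canonical
        confirm["Subject"] = f"Confirm request [{token}]"
        confirm.set_content("Reply to confirm this request:\n\n" + msg.get_content())
        self.outbox.append(confirm)
        self.records[token] = Record(canonical, msg)
        return token

    def receive_confirmation(self, reply: EmailMessage) -> bool:
        """Return True (and mark the record confirmed) if `reply` carries a
        live token.  The reply's From header is not consulted: it can be
        forged as easily as the original.  Possession of the token is the proof,
        and each token is accepted once, so a captured reply cannot be replayed."""
        m = self._TOKEN_RE.search(reply.get("Subject", ""))
        rec = self.records.get(m.group(1)) if m else None
        if rec is None or rec.confirmed:
            return False
        rec.confirmed = True
        return True


if __name__ == "__main__":
    policy = ConfirmationPolicy("bob@example.com", DIRECTORY)
    req = spoofed_request("alice@example.com", "bob@example.com",
                          "Give mallory write access to \\\\fileserver\\finance",
                          reply_to="mallory@evil.example")
    policy.receive_request(req)
    print("confirmation sent to:", policy.outbox[-1]["To"])
```

The point the code makes is that the From header on either message proves nothing; what the requester actually demonstrates is the ability to read the confirmation that was sent to their known address. Anything that weakens that (sending to Reply-To, putting the token in a predictable place, or accepting the same token twice) reopens the gap.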