ISSeG - Integrated Site Security for Grids
Training and Dissemination web site
A project co-funded by EU FP6 programme
Recommendation

Improve user awareness and security for e-mail communications

ID: R22

What: Users should be aware of the risks involved in using electronic messaging, and of the security measures that can be used to mitigate these risks.
Why: Unsolicited e-mail messages, also known as spam, are one of the main vectors for introducing malicious software into an organization. In addition, information transferred through e-mail is subject to breaches of confidentiality and integrity.
How:

Users should be aware of the basic rules:

  • Never reply to unsolicited messages, and never ask to be removed from their mailing lists (this trick is commonly used by spammers to validate e-mail addresses, which can subsequently be sold to other spammers).
  • Never click on links contained in e-mail messages, or open attachments, if you are unsure of the origin of the message (malicious code in attachments is not always detected by your antivirus).

Information transferred through electronic messaging is also subject to interception (breach of confidentiality) and modification (breach of integrity). E-mail messages may be encrypted to ensure confidentiality, and/or electronically signed to protect their integrity. This can be done using S/MIME (see links below), which requires users to have personal certificates. Alternatively, cryptographic software packages such as PGP or GnuPG (see R39) may be used. Once installed, these techniques are fairly straightforward to use and can be integrated with several types of e-mail client.
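The integrity protection described above, shown with the OpenSSL command line rather than a mail client. This is an added example, not material from the ISSeG page: it assumes `openssl` is installed, uses a throwaway self-signed certificate in place of a real personal certificate, and signs a constructed message, then shows that a copy altered in transit no longer verifies.

```shell
#!/bin/sh
# Added example (not from the ISSeG recommendation): S/MIME signing and verification
# with the OpenSSL CLI. Assumes `openssl` is on PATH. The certificate below is a
# constructed self-signed stand-in for a user's personal certificate.

WORK=$(mktemp -d)

# Create a throwaway identity (constructed; a real personal certificate would be
# issued by the site's or a public certification authority).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alice@example.org" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1
}

# Sign a plain-text message; the default output is a clear-text multipart/signed
# S/MIME message, so the body stays readable by clients without S/MIME support.
sign_message() {
    openssl smime -sign -in "$1" -out "$2" -text \
        -signer "$WORK/alice.crt" -inkey "$WORK/alice.key" 2>/dev/null
}

# Verify a signed message against the sender's certificate. Returns non-zero if
# the signature does not match the content (or the certificate is not trusted).
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$WORK/alice.crt" -out "$2" >/dev/null 2>&1
}

# Returns 0 only when the intact message verifies AND a modified copy is rejected.
demo() {
    printf 'Please approve the transfer to account 1234.\n' > "$WORK/msg.txt"  # constructed
    make_identity || return 1
    sign_message "$WORK/msg.txt" "$WORK/signed.eml" || return 1
    verify_message "$WORK/signed.eml" "$WORK/ok.txt" || return 1   # intact copy must verify
    # Simulate modification in transit: change the account number inside the signed body.
    sed 's/1234/9999/' "$WORK/signed.eml" > "$WORK/tampered.eml"
    if verify_message "$WORK/tampered.eml" "$WORK/bad.txt"; then
        return 1   # a modified message verified, which must not happen
    fi
    return 0
}

if demo; then
    echo "intact message verified; tampered copy rejected"
else
    echo "check failed"
fi
```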

The following links respectively contain e-mail background information and best practices (Windows environments):

For further guidance on e-mail policies and best practices, refer to the SANS Institute policy templates (Automatically Forwarded Email Policy, Email Policy, Email Retention) at http://www.sans.org/resources/policies/.

For further information on e-mail security (signing and encrypting mail, securing e-mail clients, securing and managing e-mail servers, etc.), refer to:

Relevant recommendations:

R3, R4, R6, R8

Relevant threats:

T7, T8, T12, T13, T19, T30, T31, T33

Relevant ISS audit questions: Q51, Q68, Q69, Q105
Keywords:

Antivirus, Desktop, Spam, Training, User, Virus, Worm

Recommendation Category: Technical [ ]  Administrative [X]  Educational [ ]
Copyright (c) Members of the ISSeG Collaboration, 2008
Website version 5.2