Countermeasures to Prevent Hacks on E-Mail Servers
The following countermeasures help keep e-mail messages as secure as possible and deter hacking. Who doesn’t use e-mail these days? It’s important to protect those messages and any sensitive information that might be contained in them.
The right software can neutralize many threats:
Use malware-protection software on the e-mail server — better, the e-mail gateway — to prevent malware from reaching e-mail clients. Using malware protection on your clients is a given.
Apply the latest operating system and e-mail application security patches consistently and after any security alerts are released.
Encrypt (where it’s reasonable). You can use S/MIME or PGP to encrypt sensitive messages, or use e-mail encryption at the desktop level, the server, or the e-mail gateway. You can also use SSL/TLS via the POP3S, IMAPS, and SMTPS protocols. A better option may be to use an e-mail security appliance or cloud service that supports the sending and receiving of encrypted e-mails via a web browser over HTTPS.
Don’t depend on your users to encrypt messages. Use an enterprise solution to encrypt messages automatically instead.
Make sure that encrypted files and e-mails can be protected against malware.
Encryption doesn’t keep malware out of files or e-mails. You just have encrypted malware within the files or e-mails.
Encryption keeps your server or gateway antivirus from detecting the malware until it reaches the desktop.
Make it policy for users not to open unsolicited e-mails or any attachments, especially those from unknown senders, and create ongoing awareness sessions and other reminders.
Plan for users who ignore or forget about the policy of leaving unsolicited e-mails and attachments unopened. It will happen!
Some simple operating rules can keep your walls high and the attackers out of your e-mail systems:
Put your e-mail server behind a firewall on a different network segment from the Internet and from your internal LAN — ideally in a demilitarized zone (DMZ).
Harden by disabling unused protocols and services on your e-mail server.
Run your e-mail server and malware scanning on dedicated servers if possible (potentially even separating inbound and outbound messages). Doing so can keep malicious attacks out of other servers and information in the event the e-mail server is hacked.
Log all transactions with the server in case you need to investigate malicious use. Be sure to monitor these logs as well! If you cannot justify monitoring, consider outsourcing this function to a managed security services provider.
If your server doesn’t need certain e-mail services running (SMTP, POP3, and IMAP), disable them — immediately.
For web-based e-mail, such as Microsoft’s Outlook Web Access (OWA), properly test and secure your web server application and operating system by using testing techniques and hardening resources.
Require strong passwords. Be it standalone accounts or domain-level Exchange or similar accounts, any password weaknesses on the network will trickle over to e-mail and surely be exploited by someone via Outlook Web Access or POP3.
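One way to act on the logging and strong-password advice above is to scan authentication logs for a source address that accumulates failed logins across mail services. The following is an added example, not code from the original article; the log format, the sample lines, and the function name flag_sources are constructed for illustration, so adapt the pattern to your server's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical format:
# "<ISO timestamp> <service> auth <failed|ok> user=<name> ip=<address>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 pop3 auth failed user=alice ip=203.0.113.5
2024-05-01T09:00:04 pop3 auth failed user=bob ip=203.0.113.5
2024-05-01T09:00:09 pop3 auth failed user=carol ip=203.0.113.5
2024-05-01T09:00:15 owa auth failed user=dave ip=203.0.113.5
2024-05-01T09:00:21 pop3 auth failed user=erin ip=203.0.113.5
2024-05-01T09:03:00 imap auth failed user=alice ip=198.51.100.7
2024-05-01T09:03:30 imap auth ok user=alice ip=198.51.100.7
2024-05-01T09:10:00 smtp auth failed user=frank ip=192.0.2.44
2024-05-01T11:45:00 smtp auth failed user=frank ip=192.0.2.44
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+) auth (?P<result>failed|ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def flag_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted users it failed against} for each source address
    with at least `threshold` failed logins inside any sliding `window`."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "failed":
            continue  # skip successes and lines that do not parse
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # unparseable timestamp: ignore rather than crash
        failures[m["ip"]].append((ts, m["user"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged
```

Counting per source address rather than per account also catches one address trying a few passwords against many different users, which a per-account lockout counter would miss.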