Security Basics mailing list archives

RE: email content monitoring / effectiveness


From: Krul Thomas <Thomas.Krul () OCIPEP GC CA>
Date: Thu, 13 Feb 2003 12:47:52 -0500

Besides not being able to monitor encrypted emails and other forms of
information dissemination, monitoring email content doesn't do much good due
to the fact that by the time you catch an offence the damage has already
been done. Content monitoring could only act as a deterrent and
policy-enforcer - in which case just informing the employees that you're
monitoring the content of their email is a good first step.

Your next step could be something draconian, such as keylogging or installing
"micromanagers(tm)" in every office. If you're really concerned about this
(and let's be honest, employees make mistakes - it's quite possible that
they're not even being malicious), it's possible that you could keyword
filter email before it's actually left the building. That would require
manual intervention and maybe during a sensitive IPO period, that might not
be too bad a thing.

-----Original Message-----
From: Douglas K. Fischer [mailto:fischerdk () purefm net] 
Sent: Wednesday, February 12, 2003 3:15 PM
To: security-basics () securityfocus com
Subject: Re: email content monitoring / effectiveness

At 12:50 AM 2/12/2003, laurence field wrote:
I would like to get feedback on the quality/usefulness
of email content monitoring tools available on the
market.

Our problem: We need to identify users and monitor
email content (scary) as some staff are sending
"gossip" to the press about our public internet system reliability, 
pending IPO gossip / info etc. which then escalates to professional 
bodies / governments who in turn start formal investigations - all
over an email!!! (we are a financial company).

There are some key issues here apart from how well e-mail content 
monitoring works that deal with the effectiveness of this solution to
address the stated problem(s).

You are assuming the employees are using your corporate e-mail system to 
send these messages. They could be sending the e-mail from home, using an 
external mail system from the office (e.g. web-based mailer like Yahoo), 
using a chat client, message board, newsgroup, etc. For that matter they 
could be using non-electronic means as well, including direct contact. Or, 
they could be encrypting the contents of the messages even if they are 
indeed using the corporate mail system. If any of these are being used, no 
e-mail content filtering on your corporate mail system is going to provide 
any relief.

I'm sure you and others have already considered this and are not looking 
for a long diatribe about the general issues or the merits of content 
filtering in general. I mention these issues, however, because I have in the
past been in a similar situation and have had to address these issues. Such 
filtering may provide management with a warm and fuzzy feeling, and it may 
catch or scare some people, but the bottom line is if personnel are going 
to leak info, plugging up one hole out of 100 isn't going to make all that 
much difference.

Make sure you have a policy in place regarding dissemination of 
confidential information and the consequences of breaching this policy. 
Harsh penalties for disclosure and enforcement by management are good 
deterrents for casual information leakers. Of course it is also important 
to limit who has access to this information to begin with - obviously the 
fewer people who know the fewer people there are to consider as information
leaks when the information appears in the press.

Just a few thoughts.

Doug 