Why Using Exchange for Archiving Email is Wrong and an Email Archiving Solution is Essential

Many people are using Microsoft Exchange for archiving email and some people do not archive email at all. Both are big mistakes. To find out why, it is important to know what true email archiving actually is.

What is email archiving?

Email archiving means more than just clearing your inbox. An email archive is a technical term used to describe a permanent and unalterable record of email data.

An email archive is essential for businesses, and where a business is located and the industry in which it operates determine just how important that archive is.

An email archive is required in case of litigation, and government audits will require emails to be retrieved from an archive.

It is important to make a distinction between an email archive and an email backup because the two terms are frequently confused. Both are important, but they are used in different situations.

An email backup is a store of emails that can be recovered in case of emergency. If email data is lost, corrupted, or accidentally deleted, a copy can be recovered from a backup. Email backups will restore email accounts to the state they were in when the backup was made. Backups therefore need to be performed daily, but also weekly and monthly. Each time a backup is made, it will usually overwrite a previous copy. Email backups are not permanent.

An email archive is different. It is a permanent store of email data. An archive is searchable, and individual emails can be retrieved as necessary.
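To make the distinction concrete, here is an added example (not code from the original article or from any archiving product) contrasting the two behaviours described above: a backup that overwrites its previous snapshot, and an append-only archive whose entries are hash-chained so that any later edit or deletion is detectable. The mailbox contents and the chain layout are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first archive entry


class Backup:
    """Point-in-time copy of a mailbox. Each run overwrites the previous snapshot,
    so a message deleted before the next run is gone from the backup too."""

    def __init__(self):
        self.snapshot = None

    def run(self, mailbox):
        self.snapshot = dict(mailbox)

    def restore(self):
        return dict(self.snapshot) if self.snapshot is not None else {}


class Archive:
    """Append-only store. Every entry carries the digest of the entry before it,
    so altering or removing an old message breaks the chain and verify() fails."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def ingest(self, msg_id, message):
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"id": msg_id, "message": message, "prev": prev}
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self):
        prev = GENESIS
        for rec in self.entries:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

    def search(self, term):
        term = term.lower()
        return [r["id"] for r in self.entries if term in r["message"].lower()]


def demo():
    # Constructed mailbox contents; not real messages.
    mailbox = {"m1": "Invoice 4471 approved", "m2": "Lunch on Friday?"}
    backup, archive = Backup(), Archive()
    backup.run(mailbox)
    for mid, text in mailbox.items():
        archive.ingest(mid, text)

    del mailbox["m1"]        # a user deletes the invoice thread
    backup.run(mailbox)      # the nightly backup overwrites the earlier snapshot
    result = {
        "backup_has_m1": "m1" in backup.restore(),
        "archive_finds_m1": archive.search("invoice"),
        "chain_intact": archive.verify(),
    }
    archive.entries[0]["message"] = "Invoice 4471 rejected"  # attempt to rewrite history
    result["chain_intact_after_edit"] = archive.verify()
    return result


if __name__ == "__main__":
    print(demo())
```

The backup loses the deleted message as soon as it is overwritten, while the archive still finds it by search; and because each digest covers the previous digest, the edited entry fails verification, which is the "unalterable record" property an eDiscovery reviewer relies on.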

Why is it important to have an email archive?

One of the main benefits of an email archive is to reduce the storage space required for individual mailboxes. Smaller mailboxes are faster to search and retrieve information. The mailbox should only contain a working copy of email from the last few days or weeks. The remaining emails should be moved to an archive where they can be retrieved as and when necessary.

Email archiving is a legal requirement in many countries around the world. It is necessary to maintain an email archive to comply with specific industry regulations, as well as country and state laws. An archive is also required for eDiscovery. If legal action is taken against a business, it must be possible for emails, and documents sent via email, to be retrieved. These must be provided during litigation.

eDiscovery can prove extremely expensive if an email archiving solution is not used. If documents or emails are requested they can be obtained from an archive. If they need to be obtained from individual computers, the time required to locate the emails would be considerable. You may even need to search every computer in your organization. If you run a small business and have 20 computers and email accounts, this would take quite a while. If you run a business with 10,000 computers and email accounts, you could be in real trouble if you don’t have an email archive.

eDiscovery requirements mean an email archive must be searchable, and therefore the organization of the archive is critical. How so? Well, that is best illustrated with an example. An executive criminal case involving Nortel Networks resulted in 23 million pages of electronic email records being delivered by the prosecution. That is a lot of data. Unfortunately, the data was in a bit of a mess because it had not been well organized. So much of a mess that Ontario Superior Court Justice Cary Boswell ordered the prosecution to re-present it to the defense in a comprehensible format. It was described as an “unsearchable morass.”

Organizing 23 million pages of email takes a considerable amount of time. It is therefore important to get the structure of the archive correct from the outset.

Can I use Microsoft Exchange for archiving email?

Is it possible to use Microsoft Exchange for archiving email? Since the 2007 version was released, Microsoft has included the option to use Exchange for archiving email through its journaling and personal archive functions.

However, there is a problem with using Exchange for archiving email. The journaling function does not work as a true email archive. Using Exchange for archiving email can cause many problems.

Reasons why Exchange for archiving email can cause problems for businesses

  • MS Exchange does not allow email in its archive to be effectively indexed and searched
  • Individual email account holders can create personal PSTs and store email on their computers
  • Individual PSTs may not meet the requirements of eDiscovery
  • There are no data retention configuration settings in journaling

The journaling function doesn’t really satisfy the requirements of businesses, but what about the Personal Archive? Can that be used? Unfortunately, while it does offer some enhanced email archiving functionality, using the Personal Archive of Exchange for archiving email will also cause problems.

Let us take a look at the functionality of the personal email archive in the 2010 release. Exchange 2010 is better for email archiving than the 2007 release, but there are still some major issues.

In Exchange 2010, it is possible to create a mailbox archive for each email account. The purpose of the archive is to free up space in the mailbox; it is a workaround for restrictive mailbox quotas. The archive is intended to be used as a medium-term store for additional emails that the user does not want to delete, but does not need in the mailbox for day-to-day operations. These are not really email archives but secondary mailboxes, and they lack the functionality of a true email archive.

Exchange users have two options for their personal archive, regardless of whether it is located in the production database or in the cloud. The archive can be configured to move messages automatically after a set period of time (based on retention tags) or the task can be performed manually as and when required.

There are two main drawbacks to using an Exchange personal archive. For many organizations the main disadvantage is the cost: It is necessary to purchase an enterprise client access license or CAL, or to purchase Office 2010 Professional Plus if Outlook is required.

Even Microsoft points out that it may not be wise to use personal archives in Exchange for archiving email, stating they “may not meet your archiving needs.” Does that seem an odd statement to make? That is because it is not a true email archive. It is a personal one.

Users are able to choose what information is loaded into the personal archive. They can also delete emails from the archive. That is no good for regulatory compliance and eDiscovery. There is a workaround, though. It is possible to meet certain eDiscovery and regulatory compliance requirements when using Exchange for archiving email: users can be given Discovery Management roles and can perform indexing and multiple mailbox searches. Unfortunately, the Control Panel in Exchange 2010 is difficult to use, especially for eDiscovery purposes.

Some of these issues have been addressed in Exchange 2013, but there are still eDiscovery issues. Users have far too much control over their personal archives and mailboxes. They have the ability to create their own policies and apply personal settings to their mailboxes and archives. They can potentially bypass corporate email storage policies. Unfortunately, unless Litigation Hold or In-Place Hold is applied to each and every mailbox, the administrator is incapable of overriding settings that have been applied by each user.

Is it possible to use Microsoft Exchange for archiving email if SharePoint 2013 is used?

The issue of eDiscovery has been tackled by Microsoft. It is possible to use SharePoint 2013 to perform searches of all mailboxes, but there are even problems with this added eDiscovery feature.

For a start, it is necessary to buy SharePoint 2013 and that has a cost implication. It is also necessary to use cloud storage and keep the data on an Exchange server, otherwise the In-Place Discovery tools of Exchange will not work.

There is another issue. That is the storage space you will require. Every email that has ever been sent or received through MS Exchange will need to be stored. Over time your email “archive” will become immense. Over 90% of the emails stored in that archive will never need to be accessed. It will involve paying an unnecessary cost and searching through all those emails will take a long time. Recovering emails will be particularly slow.

A true archive will remove a significant proportion of the 90% of emails that you will never need to access, and search and recovery time can be greatly reduced.

You cannot consider the archiving function of MS Exchange to be a true email archive that will meet all compliance and eDiscovery needs.

The ArcTitan approach to email archiving

ArcTitan is a true email archiving solution that has been custom designed to meet compliance and eDiscovery requirements, as well as meeting data storage needs.

Key Features of ArcTitan Email Archiving


Network Security Checklist for SMBs


Our network security checklist for SMBs acknowledges the fact that many small-to-medium sized businesses do not have the resources to dedicate to their network security. However, network security is essential. Without protection against hackers and malware, an SMB’s survival could be under threat.

Consequently, our network security checklist for SMBs contains common sense approaches to network security that can be implemented for little or no cost. Indeed, it is in an SMB’s best interest to adopt these best practices before even considering a “comprehensive security solution” software package – which would be ineffective without first taking the steps below.

Start by conducting a risk assessment

The first item on our network security checklist for SMBs is to assess your risk levels and the consequences of an attack on your network. In order to do this, you will need to know:

  • What information is stored
  • How it is stored
  • Who has access to the information
  • How the information is protected
  • What the consequences of a successful cyber-attack on your business would be

Develop an acceptable usage policy

Most hackers use the weakest link in your network security to launch attacks – your employees. Consequently, it is essential that you develop an acceptable usage policy to advise your employees how they should use systems and resources while at work. Some factors you may want to consider when compiling an acceptable usage policy include social media use and the use of private devices (including USB drives) in the workplace.

The policy should be accompanied by appropriate employee training. This will help you to assess whether your employees understand acceptable usage and can identify security risks. The U.S. Chamber of Commerce has an excellent online “Test Your Internet Security IQ” quiz that can be printed off and distributed among your employees. The results are likely to surprise you.

Change your passwords regularly – all of them!

Most business owners will be aware of the necessity to change user passwords regularly, but how often is regularly? Once a year? Once a quarter? In order to develop solid network security, you should be changing passwords at least once a month – and not just those of your user accounts.

Servers, routers and switches all have passwords (or should have). When was the last time you changed your Wi-Fi password? Also remember that many devices have default passwords. You should change them immediately after installation and then change them regularly thereafter.

Identify your vulnerabilities

There are plenty of free online tools that offer network security checks, but you have to be careful to use a reputable one to ensure you are not infecting your system with hidden malware. Metasploit is one of the best resources for network security testing we have identified. For identifying vulnerabilities on individual operating systems and devices, we recommend choosing from the list provided by StaySafeOnline.

Protect your network against malware

Having just mentioned malware, this seems a good time to include the subject in our network security checklist for SMBs.

You can protect your network against malware by using some existing tools in your system – for example in browser settings. You should strengthen your protection by adjusting the content filters, pop-up blockers, cookie and certificate settings. This not only needs to be done on all your company’s hardware, but on personal mobile devices if they connect to the company’s Wi-Fi.

One wise investment is an email filter. Spammers often use emails as a means to con employees into exposing network vulnerabilities, but if the emails do not arrive in employee inboxes, the risk is eliminated. An email filter is not necessarily an expensive investment, and it can be deployed in various ways to filter out the potentially catastrophic consequences of an employee clicking on a link which allows a hacker to install malware on your network.

Avoid data loss and data lock with backups

According to research conducted by Kroll Ontrack, 40 percent of data loss is attributable to human error – either due to inadvertently deleting a file or folder, or by spilling a drink on a piece of IT hardware. Regular backups ensure that the data can be recovered with minimal disruption.

Regular backups also prevent your company being held to ransom if ransomware is installed on your network. Ransomware encrypts all your data with a key that only the person demanding the ransom has access to. The threat of your company being held to ransom can be eliminated if you are able to restore data from a recent backup.

There is a variety of backup options available for SMBs – file or volume syncing, cloud backup, traditional backup software, and replication. The most appropriate option will depend on the volume of data your company produces.

Control software installations

Controlling the installation of software on the server or on any device is especially important because software is increasingly open-source and could introduce new vulnerabilities. For example, it may be convenient to install remote access software on your server, but this provides potential attackers with another gateway to penetrate your network. Software installations should be decisions you make with the same considerations as with other business decisions – weighing up the benefits against the risks.

Similarly, the use of personal devices or software-as-a-service (SaaS) applications can also introduce risks to the network’s security. The use of personal devices and SaaS applications should have the same controls as would be applied to on-site company resources to avoid data loss, the installation of malware on the network and attacks from hackers.

Don’t ignore software updates

The final box to tick on our network security checklist for SMBs is not to ignore software updates. Software updates are released for a purpose – usually to patch vulnerabilities that have been discovered since the software’s installation.

From a security perspective, it is essential to apply software updates as soon as they are released. This applies to operating system software (Windows, Mac OS, Linux), security software such as antivirus software and standard programs. Some network security solutions have automatic software updates, and you should choose these whenever such an option is available.

Benefits of Teaching Hacking Techniques

This article explores the benefits of teaching hacking techniques. Why on earth would I want to do that you may ask? Isn’t that the same as telling someone how to rob a bank? Well, it is, but teaching hacking techniques does have a lot of benefits. For a start, it is essential if you want to be able to defend a network from an attack by a skilled black hat. You must be able to think like a hacker in order to protect a network from one, but you need a real hacker to tell you if your network has been properly secured.

Teaching hacking techniques is like training a new army of hackers!

Let’s take a look at the three “types of hacker”. First there is the black hat hacker (boo, hiss). This rather nasty individual is intent on causing havoc with their malicious ways. They want to destroy, disrupt, and rob.

According to Robert Moore (2005), a black hat hacker is someone who “violates computer security for little reason beyond maliciousness or for personal gain.”

Then there is the white hat hacker. A white hat hacker uses his or her skills for good (hooray!). They are computer security experts who want to protect computer systems from attack.

Then there is the gray hat hacker. This individual is somewhere between the black and white. They are often called ethical hackers, and these are the individuals that perform penetration testing (pentesting). These individuals behave exactly like a black hat would, minus the maliciousness. Their goal is to find vulnerabilities and exploit them to show whether it can be done. They must gain access and be able to cause havoc. To do that they must be as good as a black hat hacker.

There is not much difference between an ethical hacker and a black hat hacker. In fact, on black hat forums you will not only find articles aimed at improving the skills of black hat hackers, but also articles aimed at gray hats and white hats. For example, two articles below have recently been posted on a black hat hacking website:

  1. “Harnessing GP²Us – Building Better Browser Based Botnets”
  2. “Hybrid Defense: How to Protect Yourself From Polymorphic 0-days”

The benefits of teaching hacking techniques

You can’t become a hacker from reading a few articles on the internet. Sure you can learn a thing or two, but before you can call yourself a hacker you must be able to demonstrate that you can actually put your knowledge into practice. The best hackers, of all colors, are those who have spent countless hours poking around inside computer systems and studying networks and network devices first hand.

In fact, if you want to be an ethical hacker you must have the skills of a black hat hacker. You will need to be taught, you will need to study, and you will need to practice. Teaching hacking techniques will actually help to build up an army of hackers that can use their skills for good.

If you want to get into pentesting you will need to work hard. Typically, you will need to have passed A+ certification, Network+, Security+, and obtained CCNA, CISSP or TICSA certification. You will need to have worked in tech support and information security. You will need hands on experience. Then, and only then, will you be able to become a Certified Ethical Hacker (CEH).

Of course, it is important that you then only ever use your skills for good, even though you would be capable of using those skills for nefarious financial gain or to cause malicious harm.

The danger of teaching hacking techniques

Teaching hacking techniques has potential to create a whole army of hackers that could cause considerable harm, yet without people who have the same abilities as black hat hackers, how would it be possible to properly conduct penetration testing?

According to a recent Bloomberg article, gray hats “break into computer networks and digital devices to find holes before the bad guys do”. They are heroes. Take Barnaby Jack for example. He showed how it is possible to hack ATM machines and get them to churn out cash. His insights resulted in banks enhancing their security measures to make sure that criminals could not take advantage of the same security flaws.

Sure it is important to learn defensive strategies to protect systems from attack, but if you really want to beat bad guys at their game, teaching the hacking techniques used by the bad guys is essential. It is vital that gray hats are taught hacking from an offensive perspective as well as a defensive one!

DNS and Network Security: The Dreaded DDoS Attack

DNS, network security and the feared DDoS attack!

The purpose of the DNS – or the Domain Name System to give it its full title – is to map the domain names that are easy for humans to use and remember to the IP addresses that network servers require. DNS is what allows you to use “Google.com” instead of having to type in or remember “http://173.194.39.78/”. You can consider DNS to be the main directory service of the Internet or the Internet’s phone book.

The Domain Name System (DNS) in Action

When you use a web browser to visit a website, the first thing that must happen is the web browser must contact your current DNS server. It must find out the IP address of the website you are trying to access by using its name. You may run your own DNS server or it can be run by your Internet Service Provider. If you use a router, your router may forward DNS requests to your ISP. A DNS request is not made every time you visit a website. Once a request has been made, your computer will cache the response and will remember the IP address for a limited period of time.

DNS is very useful, but it is also problematic as it can be attacked. A DNS DDoS attack can cause a great deal of damage.

DNS Cyberattacks

Because DNS servers serve as a phone book, they must be available to anyone with Internet access. This means that hackers can access DNS servers. They can also attack them.

Viruses and malware can change your default DNS server and replace it with a malicious one which would direct a visitor to another site. For example, a copy of a site such as Twitter or a bank website could be located at a different IP address. A visitor would believe that they are on the legitimate site because that is what their browser address bar tells them. This may throw up a certificate error message, so it is important to pay attention to any invalid certificate messages. This is an indication that the site is not legitimate.

What are DNS DDoS attacks?

Distributed Denial of Service (DDoS) attacks are a frequently used part of a hacker’s arsenal. DDoS attacks can cause a lot of damage. They can cause damage so severe that hardware may need to be replaced.

DDoS attacks on DNS servers will start with the hacker attempting to locate a DNS responder. Once the target’s DNS responder has been located, the hacker can launch a Distributed Denial of Service (DDoS) attack. That DDoS attack can be conducted on the resolver, or it is possible to conduct an attack on other systems. In a DDoS attack, the target will receive millions of replies from numerous IP addresses around the world. Some of those will be real, some will be spoofed IP addresses.

Oftentimes, the purpose of a DDoS attack is to bring down a website and stop anyone from visiting it. In a DDoS attack, traffic is sent from multiple sources and overwhelms a site. A denial-of-service attack from a single source is relatively easy to block, as the IP addresses being used can be throttled. A distributed DoS attack is different, because the traffic comes from all over the world. In many cases, IP addresses are spoofed. An attacker would not want his or her real IP addresses to be shown.

DDoS attacks are conducted using a botnet, which is a network of zombie PCs that have been infected by a hacker. They are used to send traffic to the target. The botnet controls those machines, and the botnet is controlled by the attacker.

Hackers can conduct their DDoS attacks not with the aim of killing a site or web service, but to hide other activity. A DDoS attack requires an IT department’s immediate attention and resources. Staff must prevent software and hardware damage and try to keep the website available. While they fight the DDoS attack, other hackers in the group get to work on other parts of the network. This is why it is vital after suffering a DDoS attack to conduct a full system security check and audit the network. You must determine whether hackers have gained access to your network while you were fighting fires.

The Spamhaus DDoS Attack

A DDoS attack, especially one which sends enormous volumes of traffic, is usually short-lived. However, during the time that the attack takes place it can cause permanent damage. Sometimes extremely large attacks are conducted that can bring down even the best defended systems. Take Spamhaus for example. Unsurprisingly, this anti-spam service is something of a target, what with it being a 34-hour anti-spam operation. It serves billions of DNS requests and has robust defenses, but it is not immune to attack.

In March 2013, Spamhaus suffered an enormous DNS DDoS attack. After receiving one DNS request from a spoofed IP address, a packet was sent and more servers started participating in the attack, then more. Then more. According to the Spamhaus report on the attack, 30,000 DNS resolvers took part.

It is possible to block certain IP addresses to counter an attack. When an attack involves so many different IP addresses, it is impossible to block them all. Because the range of IP addresses used was so large, it was not possible to throttle packets from specific IP addresses being used in the attack.

Is It Possible to Prevent a DNS Attack?

To prevent DNS attacks, you must be able to identify malicious web traffic. Traffic using port 53, for example, is often just zone transfers syncing slave servers with masters, but the port can be used by attackers. It is therefore essential to block port 53 zone transfers from any unauthorized slave name server.

If you want to prevent a DNS attack it is important that you do not have an open responder that will respond to requests from any Internet address.

  • Stop your DNS server from being an open responder. Restrict in-house recursive servers and only allow your own company’s IP subnets. It is essential to keep your resolver private
  • You can use DNS response rate limiting when you configure your authoritative DNS servers. Set response rates and limit source addresses in a given time period. It may be possible to shut down an attack before the full force is felt by your server
  • Throttle DNS traffic by packet type
  • Monitor IP addresses to see which are using the most bandwidth. Your ISP can help you with this
  • Add variability to outgoing requests. This will make it harder for an attacker to get a response accepted
  • Overprovision your server – make sure you have sufficient bandwidth to absorb an attack. Since some attacks can exceed 100 Gbps this may not be possible in all cases, but not all attackers have that kind of capacity
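The first, second and fourth items above can be checked against a resolver’s own query log. The following is an added example (not code from the original article or from any DNS server project) that runs over a handful of constructed query-log lines and reports three things: recursive queries arriving from outside the subnets allowed to use the resolver (an open-responder symptom), sources that exceed a per-second response budget (the logic behind a response-rate-limiting policy), and sources sending ANY queries, the record type most associated with amplification. The log format, the allowed subnets, the budget of five responses per second and the sample addresses are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed log format: timestamp, client, qname, qtype, flags. A leading
# '+' in the flags means the client requested recursion, '-' means it did not.
LOG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)$"
)

# Assumed policy: subnets permitted to use the recursive resolver, and the
# per-source response budget per second that a rate-limiting policy would enforce.
ALLOWED_RECURSION = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RESPONSES_PER_SECOND = 5

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
12:00:01.001 client 10.0.0.7#5353: query: intranet.example IN A +E
12:00:01.004 client 198.51.100.9#40001: query: isc.org IN ANY +E
12:00:01.120 client 198.51.100.9#40002: query: ripe.net IN ANY +E
12:00:02.010 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:02.011 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:02.012 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:02.013 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:02.014 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:02.015 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:02.016 client 203.0.113.77#1111: query: example.com IN ANY -E
12:00:03.500 client 192.168.4.2#6000: query: mail.example.com IN MX +E
""".splitlines()


def analyse(lines):
    """Return per-source counters for the three conditions worth watching."""
    findings = {
        "open_resolver_abuse": Counter(),  # external clients asking for recursion
        "rate_limited": Counter(),         # responses a per-second budget would drop
        "any_queries": Counter(),          # ANY is the classic amplification qtype
    }
    per_second = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip = ipaddress.ip_address(m["ip"])
        wants_recursion = m["flags"].startswith("+")
        if wants_recursion and not any(ip in net for net in ALLOWED_RECURSION):
            findings["open_resolver_abuse"][str(ip)] += 1
        if m["qtype"] == "ANY":
            findings["any_queries"][str(ip)] += 1
        # Responses are budgeted per (source, wall-clock second); anything over
        # the budget is what a rate-limiting policy would drop or truncate.
        key = (str(ip), m["ts"])
        per_second[key] += 1
        if per_second[key] > RESPONSES_PER_SECOND:
            findings["rate_limited"][str(ip)] += 1
    return findings


if __name__ == "__main__":
    for name, counter in analyse(SAMPLE_LOG).items():
        print(name, dict(counter))
```

On the sample data the two internal clients are never flagged, the external client asking for recursion is reported twice, and the burst of seven ANY queries in one second from a single source produces two over-budget responses. In production the same three counters would be fed from the server’s real query log and compared against the bandwidth figures your ISP can supply.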

SMBs Can Minimize Cybersecurity Risk with Good Risk Management Strategies

All companies must make efforts to minimize cybersecurity risk, but for small to medium sized businesses it is critical. The very survival of the business may well depend on it.

Small to medium-sized businesses must minimize cybersecurity risk

The same types of data are stored by SMBs as multi-national corporations; it is just the volume of data that differs. Just because a smaller volume of data is stored, it doesn’t mean that SMBs are not targeted by cybercriminals. In fact, many hackers choose to attack SMBs because the security defenses employed are not nearly so robust.

Large corporations can invest millions in cybersecurity defenses. SMBs do not have nearly so much cash to devote to protecting their networks from attack. They also do not have very much capital to cover the cost of a data breach when it occurs. A large corporation can easily absorb the cost of a data breach. Take Anthem Inc., for example. The health insurance company suffered the largest healthcare data breach ever reported. The breach had started many months previously but was discovered in February of this year.

78.8 million records were obtained by the hackers responsible for the attack. The cost of dealing with that data breach has been estimated to be somewhere in the region of $100 million to $1 billion. No small business could survive such a breach. Of course, Anthem was covered by an insurance policy which should cover the first $100 million. The company also made $17.02 billion profit in 2014. Even if the cost of resolution is $1 billion it will barely be felt.

In 2010, a study conducted by the Gartner Group indicated that major data breaches resulted in the immediate collapse of 43% of small to medium-sized businesses. Some managed to soldier on for up to 2 years before folding. Only 49% of companies lasted for more than 2 years.

Cyberattacks on SMBs are increasing

There are a number of reasons why SMBs are now being targeted. It is not only a lack of effort made to minimize cybersecurity risk.

  • SMBs can’t afford to investigate attacks and find out the identities of the attackers
  • They don’t have the budgets to prosecute hackers if they do find them
  • Cybersecurity defenses lack the sophistication necessary to thwart many attacks
  • Staff training does not tend to be so extensive
  • SMBs can’t afford to employ the very best IT security professionals
  • SMBs often work as suppliers to large corporations and their networks can serve as a launch pad for an attack on those corporations

The cybersecurity attack on Target is a good example of the latter. An HVAC vendor was attacked with the purpose of gaining access to Target’s network.

It is not all bad news

Most SMBs have the fundamentals right. They have good cybersecurity defenses in place. They just need a little improvement. Fortunately, it does not take much more effort or resources to raise the standard and significantly improve defenses against cyberattacks.

Adopting some simple “best practices” is all that is required to reduce the probability of a cyberattack being successful in many cases. It is possible to minimize cybersecurity risk to the point that the majority of online criminals will give up and search for easier targets.

Best practices to adopt to minimize cybersecurity risk

Listed below are some easy to implement best practices that can help minimize cybersecurity risk and keep networks and sensitive data protected from malicious insiders and outsiders.

Separation of duties

You would not give a cashier a copy of the safe key, or give a purchaser the ability to sign off orders and write checks for suppliers. If you give one individual access to everything, you are exposing your company to an unnecessary amount of risk. That individual may be 100% trustworthy, but if that person is targeted by a spear phishing campaign, and they have access to all computer systems, should that attack prove successful everything could be lost.

Administrative privileges should be limited. Split passwords so an IT support worker enters half of a password, with the remaining half entered by his or her manager.

The rule of least privilege

Access to systems and data should be restricted to the minimum necessary information to allow a job to be performed. Rather than give full control to one person, separate duties between staff members and you will minimize network and cybersecurity risk.

Do not allow multiple staff members to have access to systems that they don’t really need access to. If you operate two shifts, restrict access to data systems to two members of staff, one for each shift. One or two supervisors can also be given access on the same basis.

Due Diligence and Due Care

A minimum level of protection should be maintained at all times, and the level of due care must meet industry regulations. A program of maintenance must exist to ensure that due care is supported. This is referred to as due diligence. You must ensure that a system exists to monitor for any abuse of privileges or data access rights, and the opportunity for individuals to commit fraud or steal data must be kept to a minimum level.

Implement physical controls to protect equipment used to store data

All equipment used to store sensitive data must be kept under lock and key. Data backups must be secured, and since they are stored offsite, they should be encrypted.

Perform background checks on all members of staff

Any organization that fails to conduct a background check on a new member of staff before providing access to sensitive data could be considered negligent. You can’t tell from looking and asking whether a new recruit has a criminal record.

Rotate responsibilities

Cross-train staff so they are capable of performing a number of different duties. This will allow you to provide cover in the event of absence from work. If you then rotate duties, it is easier to identify employee theft and insider attacks. Employees can then audit the work of each other.

Maintain access logs

If you do not monitor data access attempts, you will not be able to tell if a member of staff is trying to steal data. Make sure a data trail is left to allow you to determine when employees are accessing data. Make sure the logs are checked frequently and always follow up on any discrepancies discovered.
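As an added example (not code from the original article), the following audit routine applies the shift-based access rule from the least-privilege section together with the log-checking advice above. It reads constructed access-log lines and reports accounts that are not in the policy, access to systems an account is not authorised for, access outside the account’s shift, and unusually high daily volumes against one system. The policy table, the shift hours, the three-access daily threshold and the log format are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime

# Assumed access policy: each account is tied to one shift and a set of systems.
# "day" covers 08:00-19:59 and "night" covers 20:00-07:59 (hypothetical values).
POLICY = {
    "alice": {"shift": "day", "systems": {"customer_db"}},
    "bob": {"shift": "night", "systems": {"customer_db"}},
    "carol": {"shift": "day", "systems": {"hr_files"}},
}
BULK_THRESHOLD = 3  # accesses to one system by one user in a day that warrant a look

# Constructed access-log lines: timestamp, user, action, system.
SAMPLE_LOG = """\
2015-03-02T09:15:00 alice read customer_db
2015-03-02T22:40:00 alice read customer_db
2015-03-02T23:05:00 bob read customer_db
2015-03-02T10:00:00 carol read customer_db
2015-03-02T14:00:00 dave read customer_db
2015-03-03T09:01:00 alice export customer_db
2015-03-03T09:02:00 alice export customer_db
2015-03-03T09:03:00 alice export customer_db
2015-03-03T09:04:00 alice export customer_db
""".splitlines()


def in_shift(shift, when):
    """True if the timestamp falls inside the named shift."""
    if shift == "day":
        return 8 <= when.hour < 20
    return when.hour >= 20 or when.hour < 8


def audit(lines):
    """Return (timestamp_or_day, user, reason) tuples for every discrepancy found."""
    findings = []
    volume = Counter()
    for line in lines:
        ts, user, action, system = line.split()
        when = datetime.fromisoformat(ts)
        entry = POLICY.get(user)
        if entry is None:
            findings.append((ts, user, "unknown account"))
            continue
        if system not in entry["systems"]:
            findings.append((ts, user, f"not authorised for {system}"))
        elif not in_shift(entry["shift"], when):
            findings.append((ts, user, f"access outside {entry['shift']} shift"))
        volume[(user, system, when.date().isoformat())] += 1
    # Volume check: a burst of accesses by one person to one system in a day
    # is the pattern that a bulk copy of data would leave in the log.
    for (user, system, day), n in volume.items():
        if n > BULK_THRESHOLD:
            findings.append((day, user, f"{n} accesses to {system} in one day"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

On the sample data the routine reports alice’s late-evening access outside her day shift, carol reading a system she is not authorised for, an account (dave) that the policy does not know about, and alice’s four exports in one morning; bob’s night-shift access is legitimate and is not reported. Each finding is the "discrepancy" the paragraph above says must be followed up.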

If you follow these best practices, you should be able to minimize cybersecurity risk effectively. You may not be able to prevent all cyberattacks, but if one does occur, you will at least be able to identify it rapidly and minimize the damage caused.