Electronic Mail - E-mail
Electronic Mail - an electronically transmitted message which arrives as a computer file on your PC or organisation's server. Originally conceived as a simple means of sending short messages from one computer to another, the Simple Mail Transfer Protocol (SMTP) was introduced without security in mind.
Whilst standards have been agreed for the attachment of files to e-mail messages, be aware that such files can contain malicious code such as a virus. Use extreme caution when opening an e-mail message with an attachment, even if the e-mail is from someone you know; it is better to leave it unopened and enquire whether the e-mail is bona fide. If in doubt, destroy the e-mail and advise the sender that you have been unable to verify the authenticity of the attachment, and ask them to advise its contents. If it's genuinely important, they will either make contact again or you have the option to send them an explanatory e-mail.
Why is e-mail insecure?
- An e-mail message can purport to have been sent from a specific individual, but the message could have come from someone else entirely. Anyone can set up an e-mail address with anyone else's name as the sender, e.g. a Mr. Bill Clinton could easily set up an e-mail address as George_Bush@hotmail.com. However, where e-mail comes from a company or organisation, the user name is likely to have been set up centrally, making misrepresentation less likely.
- Even where you have your own organisation's domain name, e.g. firstname.lastname@example.org, this too can be modified, such that the e-mail is sent with a false sender in the "From" field; all designed to deceive the recipient.
- An e-mail message can be opened by anyone, not only the intended recipient. There is no authentication to ensure that only the intended recipients are able to read the mail. Like a postcard, an e-mail may be read by anyone who comes across it, either legitimately or otherwise.
- The safe transmission of e-mail to its destination is not guaranteed. Whilst the use of a "Read-Receipt" can be useful, especially when using e-mail on Local Area Networks where network traffic is within known boundaries, e-mail sent across the Internet will pass through multiple computer nodes as it "hops" and "bounces" towards its destination address. Even if it reaches its destination mail server, delivery to the recipient may be delayed or may not occur at all. Therefore, when e-mail is sent, even using a Digital Certificate, certified delivery to the recipient(s) is lacking. Best Practice is to request confirmation of safe receipt from the recipient(s).
- It does not carry any legal validity. Unless sent using a Digital Signature, an e-mail does not carry the legal validity enjoyed by hard copy or signed fax transmission. However, even an e-mail sent using a Digital Signature cannot necessarily be relied upon legally, as it was only in 2000 that the US and UK accepted that such e-mails could be used as legally binding documents.
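
The first two points above say that the sender shown in the "From" field is only text chosen by whoever sent the message. As an added example (not part of the original glossary), the Python code below compares the From domain with the Return-Path and Reply-To headers of two constructed sample messages; the messages, the `.invalid` domains and the function names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). SPOOFED shows one organisation
# in From while Return-Path and Reply-To point somewhere else.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
From: "Accounts Dept" <accounts@example.org>
Reply-To: payments@lookalike.invalid
To: user@example.org
Subject: Invoice attached

Please see attached.
"""
GENUINE = """\
Return-Path: <accounts@example.org>
From: "Accounts Dept" <accounts@example.org>
To: user@example.org
Subject: Minutes

See you Tuesday.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def sender_warnings(raw):
    """List reasons to doubt the sender claimed by a raw message."""
    msg = message_from_string(raw)
    from_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    warnings = []
    if not from_dom:
        warnings.append("From has no usable address")
    # Return-Path records the envelope sender; Reply-To is where answers go.
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            warnings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    # A display name that looks like an address can mask the real one.
    if "@" in from_name and domain_of(from_name) != from_dom:
        warnings.append("display name shows a different e-mail address")
    return warnings

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, sender_warnings(raw))
```

An empty result proves nothing, because all three headers are text the sender can choose; the check only catches forgeries where the headers disagree. Mailing lists and bulk-mail services also produce legitimate mismatches, so treat a warning as a prompt to verify with the sender rather than as proof.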
*** The Information Security Glossary ***