In response to the Australian National Audit Office report 'The Protection and Security of Electronic Information Held by Australian Government Agencies' many government agencies are talking about blocking access to web based email. Here’s the recommendation that has been lighting up the Twitterverse
"emails using public Web-based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."
Some people around our office and others have been relating this to the Defense Signal Directorate's (DSD) Information Security Manual (ISM), that says:
Agencies should not allow personnel to send and receive emails using public web-based email services.
Now keep in mind that all agencies have not been doing so to date because the ISM provides this as a ‘should’ line rather than a ‘must’ line. But now, agencies may make this a ‘must’ in-house.
The concern is that information can be leaked, and viruses / trojans can be brought into the organisation through these types of systems. This is true, but it is not a technology problem. If we were to take this stance, then effectively ALL internet access should be blocked. In fact while email is a popular transmission or insertion mechanism for these things, banner ads, trojaned downloads and other mechanisms are more popular than email for delivering these kinds of things.
So what about data exposure, WikiLeaks style? This is a real threat as well, but to be honest it’s no greater a threat than someone printing something off and leaving it in a public place or leaving a DVD in the drive at the Qantas Club. In fact more data is leaked through lost / stolen laptops and information being left in public places than being exposed through hacked or trojaned email accounts. In fact, Email, Malware and Accidental Web exposure combined don’t add up to as much data that is lost through Improper equipment disposal or fraud. http://www.microsoft.com/security/sir/keyfindings/default.aspx#section_2_3
We are putting too much attention on this topic, and not enough on training people to avoid Social Engineering, and teaching them how to properly dispose of documentation and equipment.
Will blocking email work? Absolutely not. Blocking web based email will only stop about 3% of the infections and information leaks that occur. Even if you blocked ALL internet access, including agency based email, you’ll only stop about 15% of the infections and data leaks.
If the government is serious about stopping data leaks, they need to implement some form of Rights Management System that prevents the unauthorised copying, printing, emailing, sharing, etc of protected or classified documents. Either that or remove people from the equation, which isn’t very practical.
We are spending our money in the wrong places. We are aiming at the wrong targets. This is just going to aggravate people, not fix the problem. To have a truly effective solution, we need to get past the knee-jerk reactions, and look at the real problems.