Backing Up on Autoforward

It's a useful feature that carries a lot of risk. And it's painful to find that out the hard way.

By Mathias Thurman

December 17, 2007 12:00 PM ET

Computerworld - Trouble Ticket

Issue: Outlooks autoforward feature emerges as a security risk.

Action plan: Disable it for employees who cant demonstrate a valid business use. And find out who those people are.

The other day, our CIO wanted to know why an executive vice president had been able to receive an e-mail containing a spreadsheet with sales forecasts. That didnt sound too alarming to me. An executive vice president is a likely person to be given clearance for that sort of data. Then the other shoe dropped.

It turned out that this particular executive resigned two months ago and is now working for a competitor. We have a couple of problems.

The first is that our employee termination process is broken. Ideally, we would have an identity management tool tied into our various enterprise systems. When an employee left the company, all access to our infrastructure and applications would be quickly removed.

Unfortunately, we have neither the budgetary nor the human resources to do that. What we do have is single sign-on and SecurID two-factor authentication for remote access. Single sign-on ensures that when a user is removed from one location, access across the board will be denied to that user. The benefit of SecurID in this regard is that departing employees must turn in their tokens to their managers prior to picking up their final paychecks.

The second problem is that autoforward to the Internet is enabled.

Microsoft Outlook is very flexible. Among its many bells and whistles is the ability to autoforward mail, which is useful if you ever need to read e-mail from some other mail account or if you need someone else to receive a copy of some of your e-mails. This feature has been incorporated into some of our business processes. For example, résumés are autoforwarded to our external hiring agency. But while its valid to allow autoforward for such business-related functions, I decided that the risk is too great to allow all employees to configure their email accounts so that they can forward mail outside the company.

Not So Fast

Disabling autoforward is a simple check-box operation. But just checking the box and saying, There, thats all set, could lead to business disruptions. We had to run this like a miniproject so that we could discover, as best as possible, all accounts with autoforward enabled. We did this by sending a global e-mail message and using Proofpoint to detect instances of it being forwarded to outside e-mail addresses.

We mainly use this tool, from Proofpoint Inc., to guard against spam, but it can also be used to conduct keyword searches on e-mail leaving the company. With it, weve been able to detect intellectual property and other confidential information being sent to unauthorized destinations.

Comments ()

What is Tech Briefcase?

TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more

Bookmark content

Speed up your research efforts with content across the web.

Search and Store

Find the white papers you need. Create folders for any topic.

View Anywhere

Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.

Don't have an account yet?

Additional Resources

WHITE PAPER

Enter the Security KnowledgeVault

Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

WHITE PAPER

Cut Communications Costs Once and for All

New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Top Stories

Free Insider Guide

Excel 2010 Cheat Sheet: Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.

Security White Papers

Driving Secure Enterprise File Sharing and Syncing in the Enterprise: GroupLogic's new activEcho is the industry's only secure Enterprise File Sharing and Synching solution that balances the need for simplicity for the end...
The Enterprise File Sharing Option: Enterprises and IT departments need to address several critical security issues when considering file sharing and syncing products. Many of today's solutions do...
Security Strategies to Virtualizing Internet-Facing Applications: The IT organization at Intel has set a goal to transition their enterprise to a private cloud for their Office and Enterprise applications....
Cloud Security Planning Guide: Cloud security considerations span protecting hardware and platform technologies in the data center to enabling regulatory compliance and defending cloud access through different...
Cloud Security Vendor Round Table: This vendor round table guide will help you to evaluate different cloud technology vendors and service providers based on a series of questions...

Security Webcasts

Live Webcast Data Privacy and Protection in Production Environments: New Research from Ponemon Institute: Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT

In a recent study conducted by Ponemon Institute, fifty-five percent of respondents...
Data Privacy and Protection in Production Environments: New Research from Ponemon Institute: Date: Wednesday, June 13, 2012, 1:00 PM EDT / 10:00 AM PDT

In a recent study conducted by Ponemon Institute, fifty-five percent of respondents...
Security Certifications 101 - BlackBerry and all those acronyms what do they mean and why they matter?: FIPS, Common Criteria, CAPS, AISEP, NFC, NIST, Fraunhofer SIT, CESG, DSD - these are just some of the government and industry certifications which...
BlackBerry PlayBook OS 2.0 Security Overview: The presentation provides an overview of BlackBerry PlayBook OS 2.0 security capabilities and features, including: BlackBerry® Balance™ technology, BlackBerry® Bridge, data-at-rest protection, and...
BlackBerry NFC Security Overview: The presentation on NFC security will provide an overview of the security protections built into the BlackBerry platform to protect users, application developers...
Playing Defense: Staying on Top of Your Disaster Recovery Game: When it comes to disaster recovery, rapidly growing data volumes, distributed computing models, and new technologies all combine to present an ever-changing playing...