
I am working on an auditing process for my company's email system (Exchange 2010). From this process, we're hoping to expand it out to other systems and start to clean up the rampant security issues we have (my place of employment neglected security for years and it's catching up to them). Some of the issues we're experiencing are lack of baseline, privilege creep, poor/non-existent configuration, unnecessary ports, protocols, services, lack of timely patching... It goes on.

Anyhow, we are mostly concerned with the technical aspects. Below is what I've covered already:

  1. Reviewed installed software for necessity, contract support if necessary, EOL/outdated/unpatched software.
  2. CIS, DISA, and Microsoft SCM baseline audits for OS and other installed software (part of our work here is to establish a hierarchy of what industry best practices we'll use)
  3. Reviewed PPS for each machine to determine if PPS "makes sense" (one machine just happens to have firewall rules for all the Quake Arena ports).
  4. I'm in the process of determining the breadth of users (internal, external, 3rd party vendor, contractors, etc).
  5. Related policies like email retention/backup/storage and account management (SPOILERS: Slim to none).

I am reviewing NIST 800-53 and 800-137, Assess and Monitor documents, and just recently found NIST 800-45 that looks promising.

The ultimate goal is to assign a risk value to the system and the vulnerabilities, then use the process to branch out to other systems. Do you see any major holes in my approach?

arif
Tchotchke
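Item 3 of the list above (checking that the ports, protocols and services on each machine "make sense") is the kind of review that is easy to script against a baseline. The following is an added example, not code from the original post: it parses the output of `netstat -ano` from a Windows host and reports listeners that are not in an expected-port baseline, plus baseline ports with no listener. The baseline set and the netstat sample are constructed for illustration and are assumptions, not a vendor-published port list.

```python
"""Compare TCP listeners from `netstat -ano` output against a port baseline.

Added example (not from the original post). EXCHANGE_BASELINE is an assumed,
constructed baseline; derive the real one from the server's design documents.
"""
import re

# Assumed baseline of TCP ports this mail server is expected to listen on
# (constructed for this example).
EXCHANGE_BASELINE = {25, 80, 135, 443, 587}

# Constructed sample of `netstat -ano` output as produced on a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       4812
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:27960          0.0.0.0:0              LISTENING       3320
  TCP    10.0.0.5:443           10.0.0.77:51012        ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1104
  UDP    0.0.0.0:123            *:*                                    1260
"""

# Matches only TCP lines in the LISTENING state: local addr:port, foreign, PID.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listening_ports(netstat_output):
    """Return {port: pid} for every TCP listener found in netstat -ano output."""
    ports = {}
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = int(m.group(3))
    return ports


def unexpected_listeners(netstat_output, baseline):
    """Sorted (port, pid) pairs that are listening but are not in the baseline."""
    found = listening_ports(netstat_output)
    return sorted((p, pid) for p, pid in found.items() if p not in baseline)


def missing_baseline_ports(netstat_output, baseline):
    """Baseline ports with no listener: a service may be down or misconfigured."""
    return sorted(baseline - set(listening_ports(netstat_output)))


if __name__ == "__main__":
    for port, pid in unexpected_listeners(SAMPLE_NETSTAT, EXCHANGE_BASELINE):
        print(f"unexpected listener: tcp/{port} (PID {pid})")
    for port in missing_baseline_ports(SAMPLE_NETSTAT, EXCHANGE_BASELINE):
        print(f"baseline port not listening: tcp/{port}")
```

Each unexpected PID can then be mapped to its process and owning service to decide whether the rule, the service, or both should go.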

1 Answer


Before you start auditing the security controls around this email system, and recommending any changes that would enhance security, it would be helpful to take a step back and assess the risk through a risk assessment. Some questions to help guide you:

What is the "business value" of the data stored within this email system?

Take into consideration permitted data loss (RPO) and maximum allowable downtime (RTO).

What is the security classification / labeling of the data stored within this email system? Is it considered confidential / sensitive?

The more sensitive the application data is, the tighter you would want the controls surrounding the application to be. While it's important to consider threats and associated vulnerabilities that together constitute a risk broadly, in this instance I would suggest you focus on the security controls that mitigate risks to Confidentiality and Integrity.

Confidentiality should be a top priority as the email can contain sensitive data, such as upcoming business plans, or forecasts as well as personal information on customers / employees. The disclosure of this data to unauthorized parties can result in lost competitive advantage, legal fines etc.

Integrity is important, as in order for information to be trusted, you would want to ensure that the information was not modified from when it was sent to when it was received. Depending on the sensitivity classification of emails, you may also want to digitally sign the email so that the sender of the email can be traced, and any message tampering detected.

What can happen if the threats to this email system are realized? - Impact

If you have the data available, you can quantify your risk assessment in terms of numerical loss. If such data is not available, you can qualitatively state potential adverse outcomes, such as loss of confidential data leading to damaged reputation, legal fines, etc.

As to the specific set of procedures you listed, they are a good start but I would add the following to that list:

  1. Review safeguards against specific attack vectors that often exploit email such as phishing / spear phishing / whaling

  2. Review acceptable use policies concerning email and any in-place safeguards against data leakage, such as a DLP solution.

Email is one of the primary methods through which attacks that can result in data compromise such as the variants of phishing I listed are spread.

With regards to point 2, data exfiltration is a serious risk that can have severe impacts on your organization. For example, corporate email containing sensitive communications can be forwarded by an unwary employee to a personal email account, or be copied to a USB stick and carried outside the company, where company IT loses all control over how the emails may be used and / or distributed.

Anthony