RE: email content monitoring / effectiveness
From: Krul Thomas <Thomas.Krul () OCIPEP GC CA>
Date: Thu, 13 Feb 2003 12:47:52 -0500
Besides not being able to monitor encrypted emails and other forms of
information dissemination, monitoring email content doesn't do much good due
to the fact that by the time you catch an offence the damage has already
been done. Content monitoring could only act as a deterrent and
policy-enforcer - in which case just informing the employees that you're
monitoring the content of their email is a good first step.
Your next step could be something draconian, such as keylogging or installing
"micromanagers(tm)" in every office. If you're really concerned about this
(and let's be honest, employees make mistakes - it's quite possible that
they're not even being malicious), it's possible that you could keyword
filter email before it's actually left the building. That would require
manual intervention and maybe during a sensitive IPO period, that might not
be too bad a thing.
From: Douglas K. Fischer [mailto:fischerdk () purefm net]
Sent: Wednesday, February 12, 2003 3:15 PM
To: security-basics () securityfocus com
Subject: Re: email content monitoring / effectiveness
At 12:50 AM 2/12/2003, laurence field wrote:
I would like to get feedback on the quality/usefulness
of email content monitoring tools available on the
Our problem: We need to identify users and monitor
email content (scary) as some staff are sending
"gossip" to the press about our public internet system reliability,
pending IPO gossip / info etc. which then escalates to professional
bodies / governments who in turn start formal investigations - all
over an email!!! (we are a financial company).
There are some key issues here apart from how well e-mail content
monitoring works that deal with the effectiveness of this solution to
address the stated problem(s).
You are assuming the employees are using your corporate e-mail system to
send these messages. They could be sending the e-mail from home, using an
external mail system from the office (e.g. web-based mailer like Yahoo),
using a chat client, message board, newsgroup, etc. For that matter they
could be using non-electronic means as well, including direct contact. Or,
they could be encrypting the contents of the messages even if they are
indeed using the corporate mail system. If any of these are being used, no
e-mail content filtering on your corporate mail system is going to provide
I'm sure you and others have already considered this and are not looking
for a long diatribe about the general issues or the merits of content
filtering in general. I mention these issues, however, because I have in the
past been in a similar situation and have had to address these issues. Such
filtering may provide management with a warm and fuzzy feeling, and it may
catch or scare some people, but the bottom line is if personnel are going
to leak info, plugging up one hole out of 100 isn't going to make all that
Make sure you have a policy in place regarding dissemination of
confidential information and the consequences of breaching this policy.
Harsh penalties for disclosure and enforcement by management are good
deterrents for casual information leakers. Of course it is also important
to limit who has access to this information to begin with - obviously the
fewer people who know the fewer people there are to consider as information
leaks when the information appears in the press.
Just a few thoughts.