Home page logo

basics logo Security Basics mailing list archives

Re: Risk of Redirecting Email.
From: Meenal Mukadam <meenal.mukadam () gmail com>
Date: Wed, 8 Apr 2009 12:16:51 +0530

Hello Munyaradzi,

I agree with your concern. But according to me, the real problem is
not "Personals requesting  to redirect their mails", but is actually
"having no proper controls in place to terminate the account" when a
person leaves the organization.

If there were proper controls implemented like:
1) Having a comprehensive and apt policy and procedures in place (to
guide the actions to be taken when any employee leaves the company)
2) Termination of account and access rights
3) Backup of the critical business information from the account
4) Not sharing default access credentials
5) Verifying if no backdoors are opened (having forwarding mails in
place can be considered as a type of backdoor)
6) Cleansing the system after employee leaves (many employee tend to
implant malicious codes to have a perpetual source of
information....so any organization has to guard against it....best
way, but not the easiest, is to take info backup and reinstall the
O.S. and applications again)

According to me if these controls were in place, even if  the
personals requested for redirecting their mail, it wouldn't be
possible to do so. Cause if an account was PROPERLY terminated, then
from where would they get the mails?

Risk faced were nicely covered by many. But I will add in a few:
1) Risks due to loss of confidential info (new product/service info)
2) Risks due to loss of mission critical or competitive info
(tender/contracts, R&D info)
3) Risks due to Internal secrets being leaked out
4) Risks due to Sales info being sold or used by competitors
5) Risk due to availability of info, etc

Hope this answers your question :)


Meenal A. Mukadam

On Tue, Mar 31, 2009 at 9:24 PM, M.D.Mufambisi <mufambisi () gmail com> wrote:
Hi people.

I have seen on some clients of mine, that when an employee leaves the
organisation, they request IT to redirect their emails to a particular
email address....personal.
What are the risks of this? I can only think of company information
being directed to this individual....which could be bad if he/she has
gone to work for a competitor. What other risks or security issues
could this give rise to?


Munyaradzi Dumisani Mufambisi

This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing 
courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total 
hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT.


Meenal A. Mukadam

Far away there in the sunshine
are my highest aspirations.
I may/maynot reach them,
but I can look up and see their beauty,
believe in them and try to follow
where they lead

This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most 
concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain 
a laser like insight into what is covered on the exam, with zero fluff!


  By Date           By Thread  

Current thread:
  • Re: Risk of Redirecting Email. Meenal Mukadam (Apr 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]