Email Best Practices

Recommended practices – Part 4:  Email use

This is a multi-part series on recommended practices for organizations and their end-users.  Additional parts will be included in upcoming newsletters.

Email is still the primary business application, although alternatives like texting and social media are gaining ground.  Most business people email to clients, prospects, vendors, stakeholders, etc. on a regular basis; they also accept emails from those in the outside world, occasionally with unforeseen consequence.

Organizations should consider email use in these areas:

  • Inbound – Email received by the organization’s end-users
  • Outbound – Email sent from end-users to others outside the organization
  • Etiquette – The appropriateness of the email’s message and content
  • Archiving – The ability to store and retrieve historic email

I’ll describe the specifics and offer IT solutions to manage each area.

Inbound email

End-users constantly receive email, usually without incident.  However, one misstep in responding can lead to a malware outbreak (or worse).  Plus, failing to block inappropriate email content, even unknowingly, can lead to legal repercussions.  (For example:  An employee could object to receiving an email with explicit pornography and decide to pursue legal recourse.)

Most email-based attacks occur via an attachment; the attachment holds malware designed to activate, usually without fanfare, when the attachment is opened.  Often the email message is enticing, in-disguise, or just plain compelling; the end-user believes that opening the attachment is the right thing to do.

Basic rules for opening an email:

  • Do not open email from an untrusted source; when in doubt, check it out
  • Do not click on an attachment before verifying its integrity
  • Always ask for help if uncertain

The best tool is an email-filtering service or device; a service sits outside your organization (Cloud-based) while a device typically sits inside (on-premise).

A Cloud-based, email-filtering service can improve Internet performance by reducing incoming traffic; all emails are captured by the service before they enter the organization’s Internet connection.  Some services (i.e.: McAfee SaaS Email Protection and Continuity™ or MEPC) also offer email continuity, which provides the ability to receive and respond to email even when your email server or email service is unavailable.  Most email-filtering services are billed monthly on a per-user basis, requiring little or no up-front expenditure.

An on-premise, email-filtering device requires upfront expenditure, but can provide a cost-advantage solution at organizations with many users.  To calculate the true cost per user, you would figure the annual cost of the device, add the annual maintenance fee and support costs, and divide by the total number of users.

Both offer advantages; pick one or use both.  (We offer McAfee Email Protection and Continuity and our Secure Network™ as service options, but also deploy, on-premise, Barracuda’s Spam Filter, Cisco’s IronPort, and WebSense.)

Outbound email

Outbound email should be secure; you don’t want to expose confidential details to an outsider.  However, email is typically sent via open-text format; the contents of the email are unencrypted and can be pieced together by others.

Email typically flows in this fashion:

  • Sender composes the email; this might be on a standalone application like Microsoft Outlook or on a web-based interface like Google Gmail.
  • Sender sends the email, which ships it to the sender’s email server/service.
  • The email server/service addresses the email according to the recipient’s email domain and then forwards it to the email server/service within the recipient’s email domain.
  • Email server/service within the recipient’s email domain receives the email, verifies that the recipient exists within this domain, and then forwards the email to the recipient.
  • Recipient receives the email.

Email within an organization’s email domain via an internal email server is usually secure; an external email service must be examined to ensure messages are encrypted between the sender, service, and recipient.

Security can be enforced through encryption, which offers levels of enforcement.  For example:  You can be forced to encrypt any email with the words “social security number”, but not encrypt other emails.  Likewise, you can encrypt all email from the Accounting team while not encrypting emails from the Marketing team.

Email encryption is available via external services (we recommend McAfee SaaS Email Encryption™) or through an on-premise device (Cisco IronPort or WebSense).

Email etiquette

You should consider what you are saying and how it might affect the recipient.  Even more important, for legal reasons, you should block inappropriate content and malware from being emailed by end-users within your organization.

Outbound policy enforcement and management is available as an external service through McAfee SaaS Email Protection and Continuity, which monitors outgoing email for inappropriate content and malware.  Both Cisco IronPort and Websense provide this capability on-premise.

Beyond the basics listed above, email etiquette extends to these areas:

  • Sending – Always verify grammar, spelling, courtesy, and content
  • Formatting – Don’t type all CAPS; use a white background for readability
  • Forwarding – Don’t forward emails unless relevant and desired by recipient
  • Attachments – Zip large attachments and virus check before sending
  • Privacy – Hide recipients email address when sending to a group

My favorite rules (which I sometimes break):

  • Don’t say things in an email that you would not say verbally to the recipient.
  • If your email is emotionally tinged, sleep on it overnight before sending.

For tips on email etiquette, please visit http://www.101emailetiquettetips.com/.

Email archiving

Archiving is all about reliable storage and quick retrieval; you never know what you might need to bring back to life or when it will be needed.  Saving tens or hundreds of thousands of emails can be challenging; finding the right email can be virtually impossible, but might be required at a moment’s notice.

Archiving can reduce management and storage costs while satisfying e-discovery and compliance requirements.  Archiving can also simplify requests for email histories during litigation.

We recommend these archiving options:

 

Bryley Basics:  Print from your mobile phone

CNet has a video demonstrating how to setup printing from your Android phone at http://www.cnet.com/how-to/print-from-your-android-to-any-printer-cloud-print/ using Google Cloud Print; we tried it and it works!

Turns out there are also options for iPhone users.

wikiHow offers these three methods to print from your iPhone:

  • Use AirPrint with an AirPrint-supported printer
  • Find a third-party printing application via the iTunes apps store
  • Send document to an alternate device (ie: Windows-based PC) and print

View the article at http://www.wikihow.com/Print-from-Your-iPhone.  Or, visit

http://www.cnet.com/how-to/how-to-print-wirelessly-from-your-iphone-ipad-or-ipod-touch/ for CNet’s video on setting up the first method listed above.

3 Simple Steps To Secure Your Mobile Device

Three simple steps to keep your mobile device secure:

  • Turn off the Wi-Fi capability when not using it
  • Turn off GeoLocator when not needed
  • Logout and lock when finished

See Ray Ramon’s article at http://www.smallbiztechnology.com/archive/2014/02/3-simple-ways-to-be-secure-no-wifi-no-geolocation-logout.html/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Smallbiztechnologycom-SmbNewsAndInsight+%28Smallbiztechnology.com+-+small+biz+tech+news+and+insight%29 for more information.

Bryley Basics: Encrypt your iPhone

iPhones, versions 3GS and later, offer hardware encryption; it is activated through the data-protection feature by enabling a passcode:

  • Tap Settings > General > Passcode.
  • Follow the prompts to create a passcode.
  • After the passcode is set, scroll down to the bottom of the screen and verify that “Data protection is enabled” is visible.

Note: Your encryption protection is only as good as the passcode; try to make this difficult to guess and keep it hidden.

You should also encrypt your backup for added security.  Check the “encrypt local backup” in iTunes if you back up to your computer.  If you back up to iCloud it is automatically encrypted, but be sure you have a really good iCloud passcode.

Maintaining your dynamic website

Guest writers: Al Morel, Carlos Ramos, and Dan Rouse of www.CommAreUs.com

Your car, house, and most things in life, take some amount of maintenance. Add to that list your website. A website can be comprised of thousands of files working with all kinds of tools and underlying code.

The days of ‘static’ websites, i.e. built with just HTML, is essentially over for most organizations. This article will speak to the steps to take when using a Content Management System, CMS, such as WordPress.

Your essential strategy is: BackupandUpdate.

Backup

This is your ‘get out of jail free’ option. Even if your website gets totally hacked, you forget to pay your hosting bill, the data center in Utah gets hit by a meteor, you should still be able to roll back and get your website back up.

With a dynamic site, it’s a little trickier because you have the site files such as the HTML and images, graphics, etc. And then there’s the database files, which in the WordPress scenario, starts at several thousand files.

The traditional method of backing up a site involves the lengthy process of manually backing up all your site’s files, exporting your database, and finally moving everything somewhere safe. There are software additions (called ‘plugins’ in the WordPress world) that will simplify this process and even automate it for you.

We add a plugin with all of our builds that lets you quickly backup, restore, and migrate a site – often times with only a single click. Most backup plugins will offer two different types of backups: full and database. Full covers all site files and the database, the database option only includes the database. The full backup is the safest bet and is generally the recommended option, however the database only backup might be more appropriate if you’re simply experimenting with settings on a plugin, or some other activity that only involves the database.

One key feature and advantage over manual backups, is that using a backup plugin allows you to set up an automatic backup schedule. For example, we recommend our clients schedule a weekly backup of the database and a monthly full backup. Manual backups can also be performed whenever needed.

In addition, most plugins have the capability to back up the site to your hosting server and to another source as well. So you can have redundant backups to a third party service such as Amazon S3.

 

Update

It is critical to schedule regular updates of your website as well. In WordPress, there are regular updates to the core code and also plugins. Your administrative interface or ‘dashboard’ will tell you when to update.

It goes without saying that no update (WordPress or Plugin) should be done before a full backup has been made.  Your dashboard will go to great lengths to tell you to backup first, so don’t ignore them! Although we haven’t seen many updates go wrong, it can happen.

Generally, we recommend to our clients that updates be applied as soon as they are available for security and stability reasons.

Once you have your backup completed, proceed to the Updates screen in the WordPress Dashboard. From here you can update WordPress, plugins and your themes. If you have an update to WordPress and plugins waiting, perform the WordPress update first, then proceed to update your plugins.

It’s worth noting that in recent WordPress releases (security and maintenance related) are installed automatically to promote better security.

 

Google’s ChromeBook – A realistic alternative to a Windows Ultrabook?

Google introduced its Chromebook in 2009; sales have increased and it can be considered a low-cost alternative to the pricier, Microsoft Windows-based Ultrabook, but Chromebooks have significant limitations.  Some also say that a Chromebook can replace a tablet, but comparison1 suggests otherwise.

Chromebooks run Chrome OS, Google’s Linux-based operating system integrated with Google’s Chrome web browser.  (Chrome was recently ranked the number one Internet browser used in the US with 31.8% of sampled traffic, followed closely by Microsoft’s Internet Explorer at 30.9%; reported by ADI, a marketing research branch of Adobe Systems.2)  As such, they are designed to be used primarily when connected to the Internet and are closely linked to Google’s Cloud-based services like Google Drive, Google Apps, etc.

Reasons to buy3 include:

  • User interface – Intuitive; easy to use and simple to navigate
  • Offline – Works best online, but supports some offline activity
  • Platform agnostic – Can access all Cloud-based data
  • Fast boot-up – Access the Internet within 8 seconds
  • Security – Google Rewards for bug notification
  • Apps – Growing application options
  • Price – Starts at just under $200

Primary disadvantages of a Chromebook:

  • Thin client that gets its best features only via an Internet connection
  • Offline mode requires setup and has severely reduced functionality
  • Fewer compatible apps and games than Windows-based devices
  • Limited connections to printers, scanners, and mobile devices
  • Low-end processor not built for intensive use

My take:  A Chromebook is a good, low-cost option under these circumstances:

  • You do not use processor-intensive applications (i.e.: games),
  • You use Google Apps for content creation and review,
  • Your data is completely based in the Cloud,
  • You do not connect to other devices, and
  • You always have access to the Internet.

Note:  Google dominates the search industry and makes its money through Google AdWords and other advertising programs.  The core emphasis of all of their efforts is to drive consumers to their advertisers.

Visit http://www.eweek.com/pc-hardware/slideshows/chrome-os-features-to-look-for-in-current-chromebook-crop.html?kc=EWKNLEDP06112014A&dni=132495452&rni=25374491 for an informative overview by Don Reisinger of eWeek.  And, visit Microsoft’s take on Chromebooks at http://www.scroogled.com.

REFERENCES

1Please see http://blog.laptopmag.com/chromebook-vs-tablet for the article “Chromebook vs. Tablet:  Which should you buy?” by Cherlynn Low of LAPTOP.

2Visit http://redmondmag.com/articles/2014/06/06/chrome-surpasses-ie.aspx for details on browser rankings from Kurt Mackie of Redmond Magazine.

3Visit http://blog.laptopmag.com/chromebook-buying-advice to review the article “Should I buy a Chromebook?” by Dann Berg of LAPTOP.

5 Facts About Malware

One of our folk compiled this brief list on malware issues:

  • Vulnerabilities in Java are the #1 exploited vulnerability.  (Java is a popular, computer-programming language used in web-based applications.)
  • One of the main causes of malware is “Drive-By Downloads” where all you have to do is browse a website or click on a website from a search engine (Google, Yahoo, Bing, etc.) and you are downloading an infection.
  • Sales, R&D, HR, and other, multi-user email-boxes are targeted by malware distributors since these recipients are the most customer-facing employees; they typically have busy mailboxes and are accustomed to receiving a lot of email and opening it.  They are also accustomed, as part of their jobs, to regularly downloading attachments (resumes, pdfs, etc.).
  • 88% of attacks are on non-government (private) entities.
  • Small businesses with less than 250 users are the most-targeted group.

Are you curious about how to avoid any of these common vulnerabilities?  A member of our staff would be more than happy to discuss the steps you can take to secure your data.

Beware CryptoLocker

We have seen a rise in CryptoLocker virus attacks; these attacks can cripple the data files on your computer and on your computer network.

CryptoLocker is a destructive, ransomware virus; once downloaded, it locates and encrypts data files, which renders them inaccessible.  CryptoLocker does not announce its presence until all data files (Microsoft Office files, PDF files, etc.) are encrypted; it then asks for payment (ransom) to unencrypt these files.  (This type of ransomware is called “cryptoviral extortion”.)

The usual virus-delivery method is via email; the email looks legitimate and includes an attachment.  Once the attachment is clicked, the virus starts and then continues until all data files are encrypted or until the computer is powered-down.

You will not be able to unencrypt these files.  There is no cure.  There is no fix.

If the infected computer is connected to a computer network, data files on other computers and/or on the server(s) may also be encrypted and made inoperable.

Although payment is demanded to unencrypt the files, it should not be sent since any type of response to these criminals could open your computer network to future attacks.  The only recommended recovery method is to restore the encrypted data files from the latest backup.

Please visit http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information for more information on CryptoLocker.

Mike Morel, Engineer at Bryley Systems, suggests adopting these practices to reduce the risk of activating the CryptoLocker virus on your computer:

  • Do not open attachments within emails from sources that look legitimate, but are unexpected.
  • If you are expecting an attachment from someone, save the attachment first (without opening it) and then scan the attachment with your malware and anti-virus scanners before opening it.
  • Backup all data files regularly.

If you discover this virus, please immediately power-down the offending computer; if it is connected to a computer server, shutdown the computer network.  Then, call Bryley Systems at 978.562.6077 and select option one for technical support.

For additional information, see our lead article “Cybercrime targets smaller organizations” from the September 2012 edition of Bryley Tips and Information at

https://www.bryley.com/news/newsletter/bryley-tips-and-information-september-2012/.

Bryley Basics: Getting you informed in 100 words or less

Tips on email attachments

Most folk send attachments with their emails; it is a quick, easy way to share a file with the email recipient.  However, attachments can have a negative impact on your computer-network infrastructure:

  • Emails saved with attachments consume storage.
  • Large attachments slow performance and may be rejected by the provider.
  • Attachments copied to a distribution list (a group of email users) are copied multiple times, once for each user, which can impact network bandwidth.

In addition, emails received with attachments should be treated cautiously, since attachments may become sources of infection.  Basic suggestions when receiving:

  • Do not open if the sender is unknown or suspect.
  • Limit total attachments to under one Gb; zip files greater than one Gb.