Last week the New York Times revealed that former US Secretary of State Hillary Clinton used a private email account instead of an official email address for communications while serving at the State Department. It is reported that Clinton used a private email server, not the likes of Gmail or Yahoo, but her own email server at the domain Clintonemail.com, hosted at her home.
As a security professional, I won't be talking about the potential violation of federal government rules. Instead, I would be worried about the security of the server and the emails on it. In the age of cyber espionage, countries around the world are on the lookout for important information assets, and Mrs. Clinton's email is nothing less than a very high-value asset. A private server, without the security protections of a federal system or corporate controls, would be an easy victim of attacks from spy agencies and hackers.
In 2009-2010, one of the banks in the Gulf region hired a new CEO. Though the bank had its own email server with the best security available at the time, the CEO decided to host another email domain for his communications. With the help of a 3rd-party service provider, he hosted a domain *team.* and issued email addresses to his inner-circle team. The inner circle used this email for all critical communications, including M&A, internal appraisals, financial reports, etc. The inner circle had people from the bank, 3rd-party advisors and even the 3rd-party advisors' secretaries.
We were contracted to perform a security assessment of this mail server. It was no surprise that we were able to extract confidential emails from the server. The key findings of our assessment were:
- Vulnerable operating system
- Never patched after installation
- No perimeter protection
- Weak passwords
- No security controls such as a firewall / IPS
- Lack of encryption
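The findings above are the kind a defender can check for before an assessor does. The script below is an added example, not part of the original post or of any real assessment: it maps each finding to a small check (STARTTLS and clear-text AUTH from an SMTP EHLO response, non-mail ports exposed at the perimeter, patch age, and a minimal password-strength rule). The EHLO response, open-port list, patch date and sample password are constructed, hypothetical inputs so the script runs offline.

```python
"""Minimal hygiene check for a self-hosted mail server, mapped to the
assessment findings above. Added example; every input below is constructed."""
import re
from datetime import date

# Constructed EHLO response from a hypothetical server that offers no STARTTLS
# but does advertise AUTH, i.e. it would accept credentials in clear text.
SAMPLE_EHLO = b"""250-mail.example.test Hello client
250-SIZE 52428800
250-8BITMIME
250-AUTH PLAIN LOGIN
250 HELP
"""

# Constructed result of a port scan of the server from the public internet.
SAMPLE_OPEN_PORTS = {22, 25, 110, 143, 3306}

# Ports a mail server may legitimately expose; anything else is a perimeter gap.
MAIL_PORTS = {25, 465, 587, 110, 143, 993, 995}

# Constructed dates and credential used by run_sample().
SAMPLE_LAST_PATCH = date(2009, 6, 1)
SAMPLE_TODAY = date(2010, 3, 1)
SAMPLE_PASSWORD = "summer2010"


def parse_ehlo(raw):
    """Return the set of EHLO extension keywords advertised by the server.

    The first line carries the server's hostname, not an extension, so it is skipped.
    """
    caps = set()
    for line in raw.decode("ascii", errors="replace").splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def check_encryption(caps):
    """Finding: lack of encryption (no STARTTLS, and AUTH offered without it)."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("Lack of encryption: STARTTLS not offered")
    if "AUTH" in caps and "STARTTLS" not in caps:
        findings.append("Clear-text credentials: AUTH advertised without STARTTLS")
    return findings


def check_perimeter(open_ports):
    """Finding: no perimeter protection (non-mail services reachable from the internet)."""
    extra = sorted(open_ports - MAIL_PORTS)
    if extra:
        return ["No perimeter protection: non-mail ports exposed to the internet %s" % extra]
    return []


def check_patching(last_patch, today, max_age_days=30):
    """Finding: never patched after installation (update older than max_age_days)."""
    age = (today - last_patch).days
    if age > max_age_days:
        return ["Unpatched system: last update %d days ago" % age]
    return []


def check_password_policy(password, min_length=12):
    """Finding: weak passwords (too short, or fewer than three character classes)."""
    classes = [re.search(p, password) is not None
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")]
    if len(password) < min_length or sum(classes) < 3:
        return ["Weak password: shorter than %d chars or fewer than 3 character classes"
                % min_length]
    return []


def assess(raw_ehlo, open_ports, last_patch, today, password):
    """Run every check and return the combined list of findings."""
    caps = parse_ehlo(raw_ehlo)
    return (check_encryption(caps) + check_perimeter(open_ports)
            + check_patching(last_patch, today) + check_password_policy(password))


def run_sample():
    """Assess the constructed sample server; returns five findings."""
    return assess(SAMPLE_EHLO, SAMPLE_OPEN_PORTS, SAMPLE_LAST_PATCH,
                  SAMPLE_TODAY, SAMPLE_PASSWORD)


if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

The script never touches the network: in a real review you would feed `parse_ehlo` the bytes returned by the server's EHLO reply and `check_perimeter` the result of an external port scan of your own host, while the patch-age and password checks are driven from the server's own records. The checks are deliberately simple thresholds; the point is that each of the listed findings is cheap to detect in advance.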
The CEO and his banking advisers had always assumed it was safe to run an email server on the internet. With the information we provided, they took steps to improve its security and eventually moved to Google Apps.