
To nullify targeted attacks, limit out-of-office message security risk

Expert Michael Cobb explains how to reduce the security risk of out-of-office messages, and with it the risk of targeted attacks, by limiting the personal information they give away.

I'm concerned about my coworkers' use of out-of-office (OOO) notifications, particularly during the holidays, and how they may be used to carry out targeted or phishing attacks against the company. Do you have any advice for lowering out-of-office message security risk? Is there a template for the information that should be provided in an out-of-office notification? Or are out-of-office notifications worth the risk?


An out-of-office message reassures clients and colleagues that their email or voice message is not being ignored, and it can provide an alternative point of contact who can address their query or problem. However, the amount of detail that some OOO notifications contain, such as the date or time of return, the reason for absence, the email signature and alternative contact details, is a goldmine of information for attackers and criminals, and it can be leveraged in social engineering and targeted attacks. An automatic email reply also proves that a particular address is genuine and actively read, which marks it for harvesting into verified spam lists. Auto-replies cause backscatter problems too: spam sent with a forged sender address triggers an out-of-office reply to the innocent party whose address was forged, and a mail server that generates enough of these replies can find itself on block lists.

Users should certainly limit the information they include in OOO notifications. Location, duration and reason for absence, job title, contact information and detailed alternative contact information are all unnecessary. Information revealing physical absence should never be given; thieves and attackers can time a break-in or an attack knowing that an individual will not be around. Vague wording, such as "currently unable to reply" or "unavailable at the moment," leaves a potential attacker uncertain and is more than adequate for the message's intended purpose. Instead of naming a specific individual to contact, the message can say to contact "my department." For voicemail, users should say something equally noncommittal, such as "I am unable to take your call. Call our main switchboard if you need further help." Alternatively, incoming email and voice messages can simply be forwarded to a colleague, provided that colleague is fully briefed on the absence and knows not to give out sensitive details about it.

Network administrators can configure the email server in various ways to make OOO messages safer: block certain users from setting OOO messages, disable notifications to external domains, or limit them to senders already in the user's address book. Better still, set one notification for people within the organization and a separate one for those outside it; OOO messages sent to external email addresses should never carry a signature. High-value personnel should never reveal their comings and goings at all; inquiries to them should be routed through a well-trained, security-aware assistant.
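The following is an added example, not part of the original column, showing how the per-user wording advice and the server-side controls above map onto a Microsoft Exchange deployment (on-premises or Exchange Online). It assumes an Exchange PowerShell session is already connected and uses a hypothetical mailbox alias, jsmith; the cmdlets and parameter names are the standard Exchange ones.

```powershell
# Added example (not from the original article). Assumes an Exchange Management
# Shell or Exchange Online PowerShell session and a hypothetical mailbox "jsmith".

# 1. Organisation-wide: decide whether auto-replies may leave the organisation.
#    AllowedOOFType on the default remote domain (i.e. the whole Internet) can be
#    External, ExternalLegacy, InternalLegacy or None. "External" sends only the
#    external-facing text outside; "None" (or AutoReplyEnabled $false) stops
#    out-of-office replies to outside addresses entirely.
Set-RemoteDomain -Identity Default -AllowedOOFType External
# Strictest option, if the business accepts that outside senders get no auto-reply:
# Set-RemoteDomain -Identity Default -AutoReplyEnabled $false

# 2. Per mailbox: one message for colleagues, a terser one for outsiders, and the
#    external audience limited to senders already in the user's Contacts ("Known")
#    rather than everyone ("All"). Neither text carries dates, a reason, or a signature.
$internal = @"
I am out of the office and will reply when I return.
For anything urgent, please contact my department's shared mailbox.
"@
$external = @"
Thank you for your message. I am currently unable to reply.
For assistance, please contact our main switchboard.
"@

Set-MailboxAutoReplyConfiguration -Identity jsmith `
    -AutoReplyState Enabled `
    -ExternalAudience Known `
    -InternalMessage $internal `
    -ExternalMessage $external

# 3. Verify the effective external-facing configuration for that mailbox.
Get-MailboxAutoReplyConfiguration -Identity jsmith |
    Select-Object AutoReplyState, ExternalAudience, ExternalMessage

# 4. Audit: list every mailbox whose external auto-reply is live and whose text
#    looks like it leaks a return date or a reason for absence. ExternalMessage is
#    stored as HTML, so match on the text loosely; the pattern is illustrative.
$leakPattern = '\b(back on|returning on|until|vacation|holiday|conference|travel)\b|\b\d{1,2}/\d{1,2}\b'
Get-Mailbox -ResultSize Unlimited |
    Get-MailboxAutoReplyConfiguration |
    Where-Object {
        $_.AutoReplyState -ne 'Disabled' -and
        $_.ExternalAudience -ne 'None' -and
        $_.ExternalMessage -match $leakPattern
    } |
    Select-Object Identity, ExternalAudience, ExternalMessage
```

Step 4 is the control that makes the policy stick: the wording guidance in the previous paragraph only works if someone periodically checks what users actually typed, and the audit query gives the security team a concrete list to follow up on before the holiday period starts.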

Users should be made aware of the risk of information leakage in OOO notifications, as well as in social media profiles, where employees often post their whereabouts. Personal data that could assist in a targeted attack, such as locations and diary events, should never be posted online. OOO notifications are useful because they stop clients and colleagues from wondering what has happened to their inquiry, but they should be kept brief to limit the security risk. The less said, the better.

This was first published in April 2013
