Security and privacy are often interwoven concerns, complementing and conflicting simultaneously.
Scanning encrypted e-mail messages for viruses poses such a quandary for the enterprise. Strong person-to-person encryption is great for privacy, but hampers virus-scanning efforts. Conversely, aggressive antivirus scanning at the gateway means that a potentially sensitive message is decrypted somewhere before it reaches its intended recipient.
Scanning encrypted e-mail can be tricky but it can be done without sacrificing security for privacy or vice versa.
Encrypted e-mail, by its nature, cannot be scanned directly because the message content is scrambled. "We literally can't see it," said Chris Wraight, a technology consultant with Sophos.
So the easy answer would be to scan e-mail messages for viruses when they are decrypted. However, what if the message is decrypted on a person's desktop? That person will need to make sure their antivirus software scans all messages. Of course, such software will need to be properly updated.
Such a scenario actually flies in the face of the trend towards scanning for viruses as far from the desktop as possible. Server-based antivirus scanning is what a lot of companies are relying on. Such set-ups make updating virus definitions easier as only a few servers need updating, rather than hundreds or thousands of desktops.
"The theory is to catch viruses as high in the food chain as possible," said David Perry, Trend Micro's global director of education. Beyond ensuring that updates are made, such an approach also removes much of the social engineering that virus writers use to trick people into opening their creations. Also, gateway scanning allows a company to stop infected e-mail before it hits users' boxes.
Ultimately, ISPs and communications providers may offer an even higher level of antivirus protection at their end, Wraight said.
Yet organizations can't think of security as a single line of defense but should take a more layered approach, said Dee Liebenstein, a product manager for Symantec Security Response. Protection at the gateway is very important but "it's not a silver bullet," she said.
Companies face threats past the gateway, Liebenstein said. For example, "blended threats" such as Nimda spread both by e-mail and by traveling internally through network file shares. "(Gateway-based antivirus software) won't help you against them. You need it at the desktop," she said.
Now, one may question whether users will put up with desktop antivirus software. Some disable it as it eats up system resources. Others fall behind on updating the antivirus definitions. Moreover, users will need to make sure all e-mail they decrypt is scanned. In other words, there is a level of responsibility on the end user's part.
Allowing users to use person-to-person encrypted e-mail requires trust in itself, Perry said. Literally, users would be able to send anything without the company knowing about it because it's encrypted.
Companies should also consider what specifically they want to send and receive encrypted, Perry said. If they only want to encrypt messages, then a text-only system would remove the risk of viruses.
For companies that need full encryption, an alternative would be having a centralized server with all the encryption keys that can also scan e-mails for viruses. Such an approach relieves end users of some responsibility, but it also means others could possibly see the message. Companies would need a lot of trust in their system administrators, as they would have access to all the encryption keys, Perry said.
While encrypted e-mail does pose a challenge for antivirus software, such e-mails are much less likely to contain viruses, said Steven Davis, CEO of IT GlobalSecure, a computer security consulting firm. Such messages have to be consciously encrypted. A document-based macro virus is perhaps the most likely one to get in.
People are using encrypted e-mail, but so far there is no standard, Davis said. In other words, there is nothing analogous to Secure Sockets Layer (SSL) for the Web. "Say we want to send encrypted messages back and forth. We both decide on a product that works for both of us," Davis said.