Bug Watch: The hidden danger in email

Bug Watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Graham Cluley, senior technology consultant at UK-based antivirus company Sophos.

Email is becoming the most popular form of communication in business. Discretion, however, is not one of its advantages.

To counter this lack of privacy, many companies are turning towards public key infrastructure and so-called desktop-to-desktop encryption.

Sending encrypted email is like using an armoured car to deliver valuable goods. You are safe in the knowledge that only authorised people have access to the goods, and while it is being transported no one can interfere with it.

It is an attractive idea to treat your email in the same way. If you can disguise your email and protect it with encryption while it is being transported, there is less chance of anyone being able to read or tamper with it.

However, there is a drawback: as no one can open the package during transit, no one can check it until it has arrived at its destination. This is also the case with encrypted email. Until it arrives at the destination computer, it cannot be scanned or checked. This is great for privacy, but rather less great for security. Just as the package might turn out to be a bomb and not a bundle of cash, so too the email might harbour a virus rather than a sales report.

The relevance of this for IT security is that the demand for encryption clashes with the increasing demand for internet-level virus scanning. Attractive as it might be to stop viruses before they reach the desktop, this will not be possible in the case of encrypted files.

The only way around this would be to leave a back door somewhere in the encryption process to allow virus scanning. This does, however, compromise the whole point of encryption in the first place. Do you really want to give a third party access to your private emails and confidential data?

This is not to say that internet-level scanning is a waste of time per se, but despite their expertise, you can't leave all the hard work to the security guards delivering the package. Companies need to make sure that their IT security strategies are co-ordinated. If they plan to introduce desktop-to-desktop encryption, then they should be aware that the onus on virus protection will lie with the end users themselves.

While antivirus vendors recognise the advantages of scanning at the internet level, real virus protection can only come from the education of computer users coupled with effective virus scanning at the desktop. Unfortunately, as nice as it would be, you cannot place your trust entirely in the messenger.

Next edition: 20 October