ASD-Cyber-Security-Bulletin-2014-06
Watch that Webmail

Web-based email, or webmail, is a convenient way to communicate from anywhere, at any time. Webmail is email that is accessed through a web browser – such as Windows Live Mail, Gmail, Yahoo or email provided by Internet Service Providers. However, government agencies using webmail for business purposes should be aware of the security risks of this approach.

Government agencies have their own security measures for handling email and other sensitive communications. Employees using a webmail account for sensitive business information will not have these same protections for their communications. This increases the risk of unauthorised disclosure – and in some cases, this may even breach legislative requirements.

It is also important to note that agencies may not have full control over their data when using a webmail service. Service providers are subject to the laws and regulations of the country where they are based. This may involve a number of countries, depending on where the data is stored and processed and where it transits.

Foreign governments may have the right to lawfully access the data held by the webmail service without user knowledge. It may also be difficult to sanitise or clean up data spills in the case of a data leak.

ASD has seen malicious emails that have been sent to government agencies also forwarded onto users’ personal webmail accounts, which can lead to the compromise of the device used to access the webmail – such as a personal mobile phone or tablet. In some cases, the device may already be compromised (for example, if you are using a public terminal or a device running outdated and vulnerable software).

If you and your colleagues become accustomed to seeing webmail used for business, there is the danger that it will be more difficult to detect the commonly used intrusion technique of ‘spoofing’. This is where a webmail account is set up to appear as if it is a legitimate user, to trick the receiver into opening the email and clicking on a malicious link or attachment.
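The spoofing pattern described above (a public webmail account dressed up to look like a known colleague) is the kind of thing an agency mail gateway can flag before the message reaches a reader who has grown used to seeing webmail in their inbox. The following is an added illustration, not code from the bulletin or from ASD: it parses a handful of constructed sample messages and raises a finding when the display name matches a staff directory entry (or contains the agency's own domain) while the actual sender address is at a public webmail provider, or when Reply-To points somewhere other than the From domain. The staff directory, agency domain and webmail-domain list are all assumptions for the example.

```python
import email
from email.utils import parseaddr

# Assumed list of public webmail domains; a real gateway would maintain its own.
PUBLIC_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "live.com"}

# Hypothetical agency domain and staff directory (constructed for this example).
AGENCY_DOMAIN = "example.gov.au"
STAFF_DIRECTORY = {
    "jane citizen": "jane.citizen@example.gov.au",
    "john smith": "john.smith@example.gov.au",
}

# Constructed sample messages: an impersonation from webmail, a genuine
# internal message, and a lookalike that puts an agency address in the
# display name and redirects replies elsewhere.
SAMPLE_MESSAGES = [
    "From: Jane Citizen <jane.citizen1234@gmail.com>\n"
    "To: john.smith@example.gov.au\n"
    "Subject: Urgent: please review attached invoice\n\n"
    "Hi John, please open the attachment.\n",
    "From: Jane Citizen <jane.citizen@example.gov.au>\n"
    "To: john.smith@example.gov.au\n"
    "Subject: Minutes\n\n"
    "Minutes attached.\n",
    'From: "jane.citizen@example.gov.au" <j.c.mail@yahoo.com>\n'
    "Reply-To: contact@mailbox.example.net\n"
    "To: john.smith@example.gov.au\n"
    "Subject: Re: budget\n\n"
    "See link below.\n",
]


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def analyse_message(raw: str) -> dict:
    """Parse one RFC 822 message and return sender details plus a list of findings."""
    msg = email.message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(address)
    findings = []

    # Normalise the display name so "Jane  Citizen" and "jane citizen" compare equal.
    name_key = " ".join(display_name.split()).lower()

    if from_domain in PUBLIC_WEBMAIL_DOMAINS and name_key in STAFF_DIRECTORY:
        findings.append(
            "display name matches staff member but sender is a public webmail address"
        )
    if from_domain in PUBLIC_WEBMAIL_DOMAINS and AGENCY_DOMAIN in display_name.lower():
        findings.append("agency domain appears in display name of a public webmail sender")
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    return {"from": address, "display_name": display_name, "findings": findings}


def flag_messages(messages: list) -> list:
    """Return the analysis results for every message that produced at least one finding."""
    return [r for r in (analyse_message(m) for m in messages) if r["findings"]]


if __name__ == "__main__":
    for result in flag_messages(SAMPLE_MESSAGES):
        print(result["from"], "->", "; ".join(result["findings"]))
```

The check is deliberately conservative: it only fires when a trusted-looking name sits in front of an untrusted address, so ordinary personal webmail (the second bullet below recommends keeping those accounts separate anyway) is not flagged simply for being webmail.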
If your agency does allow webmail use, it is recommended that you:

• use your agency’s email service rather than webmail when accessing email from your work network
• maintain separate accounts for work and personal purposes
• send only publicly available, unclassified government information over webmail – never send sensitive or classified information
• ensure that your webmail software is up to date with anti-virus installed
• use a strong and unique password or multi-factor authentication to enhance the security of your account.

More information is available at the ASD website in the Protect publication Implications of Using Webmail for Government Business.
Issue #13 – June 2014 Page 4