The security battle today has two main fronts: the software vendors, who create the tools to protect our systems and infrastructure against ever-evolving threats, and the end-users, who need to be educated to avoid common mistakes that expose them to unecessary risk. Someone seems to have forgotten the admins in this equation. It is quite common today for admins to install and use advanced security tools, yet unfortunately to set up the infrastructure improperly, and render it vulnerable to the very threats they are trying to protect against.
In our years toiling in the email security trenches, we have come across far too many systems that are improperly configured. It makes for very simple cases to solve for the support team, but it does not increase the overall security on the Net. This has nothing to do with the actual software or tool that the admin chooses to use for protection, it has to do mostly with improper setup of simple features and functions like SPF, Open Relay, Reverse DNS and others.
Email Security Grader (ESG) is a new tool that we developed to help educate admins on how simple it can be to improve the security of their email infrastructure. It started as a skunkworks in our R&D team, and kind of took off from there. Developers were eager to find some extra time here and there to work on it. As it advanced, we gave the go-ahead to work on it full time for a few weeks and get it production-ready. I would still consider it beta, and it will stay beta for the foreseeable future. A positive side-effect has been that the developers are just dying to get back at it and further improve it.
An early goal for ESG was for it to be tool-agnostic: quite simply, what email security software you use should have little or nothing to do with how well you score! Our company is an email security vendor, and it is abundantly clear that customers of ours, who use exactly the same software, can score very differently based on their setup. An ESG test can be a first step towards further securing their mail infrastructure.
You will see Email Security Grader evolve over the next few months. I anticipate at first some heated discussions on the Forum over the algorithm used to compute the score. Let’s be honest, we are hard-working geeks, we all want to score well. I hope to see discussions on additional tests to be added to the Grader, as well as other discussions where more experienced admins are helping others secure their systems. Someone will no doubt bring up the security concerns inherent in exposing the information that such a tool can access. We are looking forward to all of it.
So, give ESG a try and find out if your system makes the grade. And be sure to look through the ESG Forum to hear what others have to say about email security.