An email review using CAATS - PowerPoint PPT Presentation

1
An e-mail review using CAATS
  • Graeme Peddle CA(SA)

2
The purpose of this presentation
  • Why audit e-mail?
  • Microsoft Exchange Message Tracking Logs
  • Using CAATs to determine what type of e-mail is
    entering and leaving the organization
  • Produce value adding audit reports
  • FAQ

3
Why audit e-mail?
  • ISACA Guideline 33
  • E-mail presents risks such as:
      • the casual use of email may cause problems not
        envisaged by the writer
      • intellectual property may be transferred easily
        outside of the company
      • pornographic, racist, and sexist remarks, jokes
        or innuendoes may leave a company open to charges
        of discriminatory behaviour
      • excessive personal use of email
      • email with inappropriate content
      • unsolicited email (spam) wastes resources
      • all email is potential evidence and may be used
        in a court of law
  • It is the responsibility of the internal auditor
    to provide independent assurance that acceptable
    and effective email governance processes are in
    place.

4
A typical electronic communications policy (in a
nutshell)
  • The e-mail and computer system is owned by the
    company, provided for business purposes only, and
    may be monitored when the employer deems it
    necessary
  • employees should not expect that any messages
    they exchange via company computers, documents
    they maintain thereon or usage of the Internet,
    is in any way private or confidential
  • the e-mail system may not be used for any illegal
    or improper purpose and
  • failure to follow the policy will result in
    discipline, and possibly, discharge.

5
Use CAATs
  • To audit compliance with the e-mail policy
      • Non-business use is controlled
      • Spam is controlled
      • Confidential information is not sent via e-mail
      • Message size limits enforced
  • To obtain information about the usage of e-mail
      • the top domains sent to and received from
      • usage of e-mail etc.
  • Obtain the data for the CAATs analysis from
    Microsoft Exchange Message Tracking Logs

6
Message Tracking Logs: What they are NOT
  • Are not switched on by default
  • Do not record the e-mail subject by default
  • Are not stored indefinitely
  • Are not adequately protected by default

7
Message Tracking Logs: What they are
  • Track the progress of each message sent or
    received by the Exchange server
  • Stored in a folder on the Exchange server with
    the following share: <Servername>.log
  • The daily log file name follows the format of
    <YYYYMMDD>.log
  • 5 or 6 tab-delimited records for each specific
    e-mail message
  • Can be VERY large files

8
Message Tracking Logs: What they look like inside

9
Message Tracking Logs: What they contain
  • Date
  • Time
  • client-ip
  • Client-hostname
  • Partner-Name
  • Server-hostname
  • server-IP
  • Recipient-Address
  • Event-ID
  • MSGID
  • Priority
  • Recipient-Report-Status
  • total-bytes
  • Number-Recipients
  • Origination-Time
  • Encryption
  • service-Version
  • Linked-MSGID
  • Message-Subject
  • Sender-Address

10
Message Tracking Logs: Three messages in Excel

11
The Analysis: Establishing the population
  • Determine which day(s) and/or servers to analyse
  • Select the necessary fields (not all the fields
    are necessary)
  • Not all the records are necessary either - filter
    the logs on two event IDs
      • 1028 (received)
      • 1031 (sent)

12
The Analysis: Example of a filtered e-mail message
  • Date: 25/07/2006
  • Time: 10:19:34 GMT
  • Server-hostname: EXCHSRV
  • Recipient-Address: example_at_hotmail.com
  • Event-ID: 1031
  • Total-bytes: 3179
  • Number-Recipients: 1
  • Message-Subject: FW: BILL GATES's rules
  • Sender-Address: auser_at_example.com

13
The Analysis: Making the data available
  • Use your favourite data analysis tool (not Excel:
    too few rows)
  • Import the log files
  • Filter the rows and remove the unnecessary
    columns
  • Create an index number for each record in the
    data set
  • Look at the data

14
The Analysis: The population
  • Once filtered, the e-mail population can be
    analysed for
      • Message size limits
      • Top domains sent to and received from
      • Number of e-mails
          • Sent to external
          • Received from external
          • Sent and received internally
  • Scan the population to help with the sample size
    calculation
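
The filtering and population steps above can be scripted. This is an added example, not part of the original presentation: it assumes the columns appear in the order of the field list on the "What they contain" slide, that `example.com` is the organisation's only internal domain, and a 10,000,000-byte size limit; the log lines are constructed.

```python
import csv, io
from collections import Counter
# Column order as listed on the "What they contain" slide (assumed to match the file).
FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP "
          "Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes "
          "Number-Recipients Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address").split()
KEEP_EVENTS = {"1028", "1031"}   # the two event IDs the slides filter on
INTERNAL = {"example.com"}       # assumption: the organisation's own mail domains

def domain(addr):
    return addr.rpartition("@")[2].strip().lower()

def load_population(text):
    """Keep only 1028/1031 rows and give each an index number, starting at 1."""
    pop = []
    for row in csv.reader(io.StringIO(text, newline=""), delimiter="\t", quoting=csv.QUOTE_NONE):
        rec = dict(zip(FIELDS, row))
        if len(row) == len(FIELDS) and rec.get("Event-ID") in KEEP_EVENTS:
            pop.append({**rec, "Index": len(pop) + 1})
    return pop

def summarise(pop, size_limit):
    """Return direction counts, external domains sent to, and indexes over the size limit."""
    counts, sent_to, oversize = Counter(), Counter(), []
    for rec in pop:
        s, r = domain(rec["Sender-Address"]), domain(rec["Recipient-Address"])
        if s in INTERNAL and r in INTERNAL:
            counts["internal"] += 1
        elif s in INTERNAL:
            counts["sent_external"] += 1
            sent_to[r] += 1
        elif r in INTERNAL:
            counts["received_external"] += 1
        if rec["total-bytes"].isdigit() and int(rec["total-bytes"]) > size_limit:
            oversize.append(rec["Index"])
    return counts, sent_to.most_common(), oversize

def line(event, sender, rcpt, size):  # one constructed log line; unused columns are "-"
    rec = {**dict.fromkeys(FIELDS, "-"), "Event-ID": event, "Sender-Address": sender,
           "Recipient-Address": rcpt, "total-bytes": str(size)}
    return "\t".join(rec.values())
SAMPLE_LOG = "\n".join([  # constructed sample, not real log data
    line("1031", "auser@example.com", "example@hotmail.com", 3179),
    line("1028", "news@vendor.test", "buser@example.com", 12000000),
    line("1031", "auser@example.com", "buser@example.com", 900),
    line("1020", "auser@example.com", "example@hotmail.com", 3179),  # other event: dropped
    line("1031", "cuser@example.com", "friend@hotmail.com", 500)])
```

Classifying direction by sender and recipient domain is a choice made for this example; the slides themselves only distinguish event 1028 (received) from 1031 (sent).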

15
The Analysis: Selecting the sample
  • Use random sampling
  • Calculate an appropriate sample size
  • Use Excel to draw the random numbers
  • Extract a sample database (e.g. Access or Excel)
    from the population

16
The Analysis: Calculating sample size
  • PS (Population Size): ??
  • SE (Sampling Error): 2.0
  • CL (Confidence Level): 95
  • EER (Expected Error Rate): ?? (20)
  • Z score values (confidence level: Z score value)
      • 80: 1.28
      • 85: 1.44
      • 90: 1.65
      • 95: 1.96
      • 99: 2.58
  • The formula used is as follows
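
The slide's own formula is not present in this transcript. As an added example (not the presenter's code), the sketch below uses the standard sample-size formula for a proportion with finite-population correction, which is an assumption about what the slide showed, reads SE, CL and EER as percentages, and then draws the record index numbers with a recorded seed so the selection can be reproduced.

```python
import math
import random

# Z-score values from the slide, keyed by confidence level (read here as percent).
Z_SCORES = {80: 1.28, 85: 1.44, 90: 1.65, 95: 1.96, 99: 2.58}

def sample_size(population, error_pct=2.0, confidence=95, expected_error_pct=20.0):
    """Proportion sample size with finite-population correction (assumed formula)."""
    z = Z_SCORES[confidence]
    p, e = expected_error_pct / 100, error_pct / 100
    n0 = z * z * p * (1 - p) / (e * e)       # size for an unlimited population
    n = n0 / (1 + (n0 - 1) / population)     # shrink for a finite population
    return min(population, math.ceil(n))

def draw_sample(population, n, seed):
    """Pick n distinct record index numbers in 1..population; the seed makes it repeatable."""
    return sorted(random.Random(seed).sample(range(1, population + 1), n))
```

Keeping the seed with the working papers lets a reviewer regenerate exactly the same sample from the same indexed population.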

17
The Analysis: Classifying the sample
  • Use a simple log analysis front-end in Microsoft
    Access to classify the e-mails as either
      • Business
      • Spam
      • Non-business
      • System (i.e. e-mail messages generated by
        Exchange or by tools)
      • Undetermined
      • Fax
      • Read Receipt messages

18
(No Transcript)

19
The Analysis: Extrapolating from the sample

20
The Analysis: Extrapolating from the sample

21
Frequently Asked Questions
  • Is this legal?
  • Surely messages sent internally will be included
    in the population more than once?
  • Do the statistics add up?
  • Does this work in an environment with multiple
    Exchange servers?
  • Which Microsoft Exchange Server Versions (e.g.
    will this work with 2007)?

22
Useful references
  • ISACA Guideline 33 - General Considerations on
    the Use of the Internet
      • Available: http://www.isaca.org
  • Professional Issues Bulletin - Email abuse and
    internal auditing (IIA UK)
      • Available: http://www.iia.org.uk/cms/IIA/uploads/38170217-f0a0a52cef--7e24/Emailabuseandinternalauditing.doc
  • Microsoft Technet
      • Available: http://www.microsoft.com/technet/prodtechnol/exchange/default.mspx
  • A Practical Guide to Sampling (UK National Audit
    Office)
      • Available: http://www.nao.org.uk/publications/Samplingguide.pdf
  • Regulation Of Interception Of Communications And
    Provision Of Communication-related Information
    Act
      • Available: http://www.internet.org.za/amended_ricpci.html
  • Additionally, a set of files can be downloaded
    from the following site
      • http://itaudit.co.za/isaca2006 - User: ISACA,
        Password: 3733t

23
Questions?