Page 937 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Internet-based email is insecure unless you take steps to secure it. To
secure email, you should provide for nonrepudiation, restrict access to
authorized users, make sure integrity is maintained, authenticate the
message source, verify delivery, and even classify sensitive content.
These issues must be addressed in a security policy before they can be
implemented in a solution. They often take the form of acceptable use
policies, access controls, privacy declarations, email management
procedures, and backup and retention policies.
Email is a common delivery mechanism for malicious code. Filtering
attachments, using antivirus software, and educating users are
effective countermeasures against that kind of attack. Email
spamming or flooding is a form of denial of service that can be
deterred through filters and IDSs. Email security can be improved
using S/MIME, MOSS, PEM, and PGP.
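The "filtering attachments" countermeasure above is usually described only at policy level. As an added example (not code from the study guide), the following Python script shows what such a filter actually checks on an inbound message: a deny list of executable extensions, a filename disguise (the Unicode right-to-left override), and a comparison of the sender-declared Content-Type against the attachment's real file signature. It uses only the standard library; the deny list, the magic-byte table and the sample message are constructed assumptions, not a complete policy.

```python
"""Attachment filtering for inbound mail: extension deny-list, filename
disguise detection, and declared-type vs. actual-content comparison.
Added example using only the Python standard library; the deny list and
the magic-byte table are assumptions, not a complete filtering policy."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed deny list: extensions that Windows or common mail clients execute.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs",
                      ".js", ".jse", ".wsf", ".hta", ".ps1", ".jar"}

# Assumed subset of file signatures for executable formats.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

RTL_OVERRIDE = "\u202e"  # makes "invoice\u202efdp.exe" render as "invoiceexe.pdf"


def inspect_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment: filename, declared type, reasons to block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []

        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension " + ext)

        if RTL_OVERRIDE in name:
            reasons.append("right-to-left override in filename")

        # Trust the bytes, not the Content-Type header the sender chose.
        for magic, description in EXECUTABLE_MAGIC.items():
            if payload.startswith(magic):
                reasons.append(f"content is a {description} but declared {declared}")

        findings.append({"filename": name, "declared_type": declared,
                         "size": len(payload), "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Policy decision: quarantine the message if any attachment has a reason."""
    return any(f["reasons"] for f in inspect_attachments(raw_message))


def build_sample_message() -> bytes:
    """Constructed sample: one benign attachment and three suspicious ones."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice 4711"
    msg.set_content("Please find the invoice attached.")
    pe_stub = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56  # fake DOS header only
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(pe_stub, maintype="application", subtype="pdf",
                       filename="invoice_copy.pdf")          # declared type lies
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream",
                       filename="invoice" + RTL_OVERRIDE + "fdp.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message()
    for finding in inspect_attachments(sample):
        print(finding)
    print("quarantine:", should_quarantine(sample))
```

The design point is the third check: a gateway that only looks at the extension is defeated by a sender who names the payload `invoice_copy.pdf` and declares it `application/pdf`, so the filter reads the first bytes of the decoded payload and compares them with the declared type. In production this table would be replaced by a full file-type library and the script would sit in front of, not instead of, the antivirus scanning the page also recommends.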
Fax and voice security can be improved by using encryption to protect
the transmission of documents and prevent eavesdropping. Training
users effectively is a useful countermeasure against social engineering
attacks.
A security boundary can be the division between one secured area and
another secured area, or it can be the division between a secured area
and an unsecured area. Both must be addressed in a security policy.
Communication systems are vulnerable to many attacks, including
distributed denial of service (DDoS), eavesdropping, impersonation,
replay, modification, spoofing, and ARP and DNS attacks. Fortunately,
effective countermeasures exist for each of these. PBX fraud and abuse
and phone phreaking are problems that must also be addressed.

