Last updated at Tue, 25 Jul 2017 18:44:20 GMT
Out of office replies are a blessing and a curse for organizations from an operational security perspective. Many of the out of office auto replies I receive contain too much information. Since many security professionals are at the RSA Conference this week I've had plenty hit my inbox. This is nothing compared to December around the holiday season. Like anything the information in the replies can be used for good and bad. Good people are trying to ensure that work continues while they are away from the office. It is typical to get cell phones, alternative contacts names/numbers, and other internal operational information. Here is an example of a typical out of office reply:
I have other examples but I'd have to redact much more, and this one makes the point. An attacker can send emails around certain times of the year with the sole intent of receiving out of office replies. Or you can just stalk people on Twitter or Facebook (see image below).
This risk can be mitigated in Microsoft Outlook on a technical level. On an operational level personnel should disseminate information, as we said in my military days, "on a need-to-know basis". Only give people the information what they need and nothing more. Does it help them knowing my cell? Does an outsider need to know our internal numbers? The answers vary according to roles, company, etc.
The following steps may vary depending on what version of Outlook you have, but it should be in the ballpark. Regardless of the software, organizations need to educate their users on how to limit the amount of information in their out of office replies.
Step 1 - Select Tools > Out of Office Assistant:
Step 2 - Select the Outside My Organization Tab
There a few things you can configure using the Out of Office Assistant that can reduce or eliminate the information disclosure risk:
- You can un-check "Auto-reply to people outside my organization".
- You can select the "My Contacts only" radio button.
- Type in a custom message that outsiders will see, think "need to know" here.
Let me know if you have any tips in the comments.