Many Means to Security End

By Brian Prince  |  Posted 2008-04-18 Print this article Print

Many Means to Security End

Only a few weeks ago, a targeted e-mail attack reached the in-box of a county employee in Arlington County, Va. David Jordan, the county's chief information security and privacy officer, recalled that a password dump program had been hidden within an e-mail attachment. However, because the employee had received security awareness training, she did not open it.

"The employee knew better than to open the attached file," said Jordan. "She simply forwarded the suspect e-mail to the technology services help desk."

The county uses Symantec Client Security, and Jordan said the system likely would have neutralized the malicious program even if the user had opened the attachment. Nonetheless, he cited the incident as an example of the importance of living in a constant state of vigilance from a security and employee education perspective.

"One of my missions is to make sure employees are educated and to empower them to be responsible and accountable for safe computing practices," he said. "For instance, I personally meet with every new hire during the training process to ensure individuals are aware of online threats and the county's security policies, which include Web and e-mail usage. Additionally, we conduct ongoing training and awareness initiatives, such as publishing weekly newsletters and alerting employees to the latest scams and e-mail threats via the county's SMS [Short Message Service] text alert system."

Indeed, no technology can protect an organization if users are not properly educated about the do's and don'ts of Web security, said Kevin Hewitt, network administrator for Stevens Aviation.

"Here at Stevens Aviation, we alert all of our users on any new possible threats," Hewitt said. "We do this to protect our network but also to help our users avoid these issues at home. In the event we send out an e-mail within the company to inform our users of new issues, we also include an FAQ section to review and remind our users of ways to avoid being scammed, infected or exploited."

Stevens Aviation opted for a software as a service approach to e-mail security with Webroot's E-mail Security SAAS. The aviation company receives about 120,000 e-mail messages daily, of which about 93 percent is spam, Hewitt said. The SAAS model, he added, saves bandwidth and allowed the company to eliminate a server that had been acting as the company's internal spam solution.

Read tips here on how to ease spam threats. 

Hewitt offered several e-mail security best practices, and he advises businesses to choose enablement over blocking when it comes to Web mail, allowing users to access Web-based accounts instead of their work e-mail for all personal transactions.

But letting employees access Web mail doesn't come without risks-and not just in terms of employee productivity.

In MessageLabs' Intelligence Report for February 2008, researchers noted that 4.6 percent of all spam originates from Web mail-based services. The researchers also found that the proportion of spam from Gmail increased twofold, from 1.3 percent in January to 2.6 percent in February. Yahoo Mail was the most abused Web mail service, responsible for sending 88.7 percent of all Web mail-based spam.

"I think some companies would just take the view, -We're not allowing Web mail because in theory it could be a bullet hole in your security,'" said Sunner, the MessageLabs security analyst. "If you think about it, if you've got a mail gateway, you've probably got some form of content filtering, some level of anti-virus protection. You'll be doing something almost certainly these days to protect your corporate e-mail system. So, having done that, if you allow access to Hotmail [for example], of course if someone then receives a virus in their Hotmail account and they go and access it, they completely blind-sided all the mechanisms you did put in place."


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel