Many Means to Security End
Only a few weeks ago, a
targeted e-mail attack reached the in-box of a county employee in Arlington
County, Va. David Jordan, the county's chief information security and privacy
officer, recalled that a password dump program had been hidden within an e-mail
attachment. However, because the employee had received security awareness
training, she did not open it.
"The employee knew
better than to open the attached file," said Jordan. "She simply forwarded
the suspect e-mail to the technology services help desk."
The county uses Symantec
Client Security, and Jordan said the system likely
would have neutralized the malicious program even if the user had opened the
attachment. Nonetheless, he cited the incident as an example of the importance
of living in a constant state of vigilance from a security and employee
"One of my missions is
to make sure employees are educated and to empower them to be responsible and
accountable for safe computing practices," he said. "For instance, I
personally meet with every new hire during the training process to ensure
individuals are aware of online threats and the county's security policies,
which include Web and e-mail usage. Additionally, we conduct ongoing training
and awareness initiatives, such as publishing weekly newsletters and alerting
employees to the latest scams and e-mail threats via the county's SMS [Short
Message Service] text alert system."
Indeed, no technology can
protect an organization if users are not properly educated about the do's and
don'ts of Web security, said Kevin Hewitt, network administrator for Stevens
"Here at Stevens
Aviation, we alert all of our users on any new possible threats," Hewitt
said. "We do this to protect our network but also to help our users avoid
these issues at home. In the event we send out an e-mail within the company to
inform our users of new issues, we also include an FAQ section to review and
remind our users of ways to avoid being scammed, infected or exploited."
Stevens Aviation opted for a
software as a service approach to e-mail security with Webroot's E-mail
Security SAAS. The aviation company receives about 120,000 e-mail messages
daily, of which about 93 percent is spam, Hewitt said. The SAAS model, he
added, saves bandwidth and allowed the company to eliminate a server that had
been acting as the company's internal spam solution.
Read tips here on how to ease spam threats.
Hewitt offered several
e-mail security best practices, and he advises businesses
to choose enablement over blocking when it comes to Web mail, allowing users to
access Web-based accounts instead of their work e-mail for all personal
But letting employees access
Web mail doesn't come without risks-and not just in terms of employee
In MessageLabs' Intelligence
Report for February 2008, researchers noted that 4.6 percent of all spam
originates from Web mail-based services. The researchers also found that the
proportion of spam from Gmail increased twofold, from 1.3 percent in January to
2.6 percent in February. Yahoo Mail was the most abused Web mail service,
responsible for sending 88.7 percent of all Web mail-based spam.
"I think some companies
would just take the view, -We're not allowing Web mail because in theory it
could be a bullet hole in your security,'" said Sunner, the MessageLabs
security analyst. "If you think about it, if you've got a mail gateway,
you've probably got some form of content filtering, some level of anti-virus
protection. You'll be doing something almost certainly these days to protect
your corporate e-mail system. So, having done that, if you allow access to
Hotmail [for example], of course if someone then receives a virus in their
Hotmail account and they go and access it, they completely blind-sided all the
mechanisms you did put in place."