What is the price of e-mail security? The word "price" (or a close variation) was in the message area in e-mail messages produced by the latest major virus, which made the rounds of the Internet last week. This variant of the ever-present Bagle worm serves as another reminder of the fragile nature of an e-mail system on which many of us depend. As Microsoft releases its Windows XP Service Pack 2 security-oriented update, which includes a range of security patches and a more visible look at the security status of individual computers, its a good time to assess the state of the technology infrastructure.
At a security summit eWEEK held in May, former White House counterterrorism chief Richard Clarke provided a pessimistic assessment of the current and projected status of the technology infrastructure. "Things are not getting better; they are getting worse" in the information security world, Clarke said at the summit. He listed the growing number of vulnerabilities and exploits, the increasing speed with which those exploits circle the globe, and the growing sophistication of cyber-criminals as evidence of the worsening state of computer security.
Id say Clarke has been correct so far in his forecast. For example, in the race between the spammers and the spam blockers, the spammers are ahead. While there are a lot of good technologies out there to slow spam (our own West Coast technical director, Cameron Sturdevant, has done a great job keeping up with these new products), the spam wave shows few signs of subsiding.
While the technologies are in place to slow spam, the business processes to implement those technologies are lacking. Those processes wont be put in place until companies realize how much the spam wave is hurting their business. In addition, if you ask an IT manager about spam, he or she will tell you about the millions of messages blocked, but dealing with one wave when a bigger wave is headed your way is not the way to solve the problem.
There is no one solution to the spam problem that will block all unwanted mail and allow mail only from trusted parties, but approaches that involve private mail networks are gaining ground. I fully expect to see corporate technology departments set up virtual private e-mail networks that allow communications only among trusted suppliers, vendors and customers.
The time wasted on spam is increasing because of spam delivered on cell phones, as well as spim (spam instant messages). We are losing ground in the spam race.
While spam gets the most attention, phishing (where techno-criminals produce fake sites to gain banking and other personal information from unwary consumers) poses the biggest threat to slowing the growth of the Internet-based economy. Phishing is quickly evolving from crude reproductions of legitimate sites to far more sophisticated attacks. These deceptive attacks include precise reproductions and URLs that almost exactly match authentic sites.
The combination of skillful phishers, rapid theft and identity distribution presents a powerful threat not just to the online economy but also to traditional companies expanding online operations. Combating phishing effectively will require setting up trusted private networks that allow authentication, monitoring and limited access. The wide-open Web is increasingly becoming a place where business cannot be conducted safely.
Next month, we will hold another security conference, and Clarke will again be a keynote speaker. At that event, well examine the technologies and services aimed at stopping spam, spim, phishing and identity theft.
While the odds of stopping those digital attacks and thefts are small, the ability to confine them to noncritical parts of a companys computing infrastructure is a worthy goal. The creation of broad integrated applications and operating systems in the infrastructure without adequate digital walls and restrictions helped create the current mess. We must pick up the pace of this technology race or risk losing many gains in Internet-based commerce and business.
Editor in Chief Eric Lundquist can be reached at firstname.lastname@example.org.