At first look, a failure rate of 10.5 percent doesn’t sound like a lot, at least until you realize that that’s the percentage of emails that online security systems apparently miss when they’re looking for spam, malware and phishing. Then when you consider that most organizations of any size receive thousands of emails per day, the numbers add up.
In that 10.5 percent average false negative rate researchers at Cyren, Ltd., a provider of Software as a Service internet security company, found, that .33 percent contained malware and phishing emails. The remainder was spam.
Of the 11.7 million emails that Cyren tested recently, that means approximately 34,000 emails contained phishing scams and 5,000 contained malware after they had passed through an email security appliance or other security software.
The numbers were derived from Cyren’s Email Security Gap Analysis project which examined emails forwarded from email security systems at companies that wanted to test their email security systems. The test took place in September and October, 2017. The numbers are averages since the names of the actual companies aren’t being revealed.
Much of the problem has developed because email security had become a commodity, according to John Callon, senior director of product marketing at Cyren. As a result there wasn’t a lot of new research and development going on, he said.
“But there’s a lot going on in threats over time,” Callon said, which caused the people at Cyren to wonder, “Has email security been keeping up with the threats?”
Callon said that the problem of phishing and malware has grown to the point that it’s become an industry in itself. “A whole service economy has developed around delivering and developing threats,” Callon said. “Now there’s malware as a service.”
Callon said that the barriers to entry used to be higher because would-be hackers had to develop their own malware and delivery mechanisms. That’s changed, he said. “I can rent services that will give me exploit kits that will deliver botnets.”
The problem is getting worse and there’s less time than ever to respond to a threat before it does damage.
Georgia Weidman says that while general security awareness has gotten better, preventing an attack has become more difficult. “If you want to get to a specific person, it’s not very difficult.” Weidman, who is CTO and founder of Shevirah, a security firm in Ashburn, Va., said that spending some time doing research will generally enable a hacker to create a convincing phishing email that most people, not to mention automated systems, will miss.
Weidman’s company specializes in penetration testing. She noted that while it’s still possible to spot fake emails and the imposters that create them, it pays to have training.
“A lot of companies aren’t doing that,” Weidman said. “They aren’t taking that threat seriously.”
Weidman said that one important method of training employees in email security is to send out fake phishing emails. She said that anyone can create such emails for training by using the company’s Dagah software, and she said that a limited version is available for free.
The training can be crucial, because without it, malware and phishing attempts can penetrate a company in surprisingly little time. According to Callon, a new phishing campaign can expect a delay of only 2.5 minutes before the first email is opened and only 4 minutes before the first click. This means that any automated systems must respond almost immediately to be effective.
Adding to the complexity of catching such email attacks, Callon said that everything about them is dynamic, with phishing URLs changing in minutes. This means that many of the automated email screening packages can’t react in time if they’re keying on a phishing URL.
“Within the first hour, 80 percent of the recipients of a phishing campaign have already clicked,” Callon said stressing that security needs to work on that time scale. Cyren sells a cloud-based product that Callon said can react fast enough, but he said that training also helps keep malware and phishing at bay.
But Callon said that there’s a lot more that email security can do to ferret out problem emails than many appliances and filtering systems are doing. Those methods include pattern recognition and metadata examination. “There’s a rethinking of email security going on,” he said.
The problem, as Weidman said, is that organizations need to take email security seriously. And they should. Weidman pointed out that virtually all of the recent breaches have a phishing component that was delivered by email and in many cases the phishing email was also used to deliver malware.
But as employees become more security aware, the threat has begun to morph. “We are seeing phishing move to text messages, Twitter, Facebook and even quick response codes that people can scan,” Weidman said. She noted that mobility makes it worse because it’s harder to identify the threats when they arrive.
The stakes are getting higher, so the need to deal with email, and by extension social media, attacks is becoming more important. A gap in email security can lead to a major data breach including the theft of money or other assets bringing embarrassment for the organization when it has to confess that it was penetrated by hackers. Email security may be boring, but it’s critical to the organization if it’s going to stay secure.
