Scott Larsen has taken great pains to be able to sleep at night, confident that the e-mail systems at his workplace are being maintained and that the wall separating those systems from spam and phishing attacks still stands.
But, as at many organizations, the wall guarding the e-mail systems at Larsen’s company, travel agency Groople, is constantly under siege, with the attacks getting more brutal.
“As Groople has grown, I have seen the volume of e-mail-based attacks skyrocket,” said Larsen, the company’s manager of IS. “It soon overburdened our e-mail gateway, and I was forced to implement new systems and software to handle the huge increase.”
Vendors and enterprises alike are faced with a new e-mail threat landscape, where spam is increasingly laced with malware and targeted attacks have become more common. IT pros have a lot to consider, both in terms of technology and best practices, as they deal with the growing e-mail security challenge.
According to Larsen, Groople grapples with about 1 million e-mails each month, 76 percent of which are either blocked by Trend Micro’s Network Reputation Services or quarantined as spam. About 5 percent of spam messages get through to Groople in-boxes, he said.
To avoid this messaging traffic overburdening the network, the company went to a load-balanced e-mail gateway environment earlier this year. Larsen said he made sure security was woven into the gateway’s fabric.
“Our entire e-mail infrastructure is architected in conjunction with our security infrastructure … to maximize the use of multiple layers of protection,” Larsen said. “An attack must make it through several separate layers to get onto a user network. Any company that looks at e-mail as simply a business tool is blind. E-mail is a significant security threat to all businesses and should be addressed aggressively.”
The New Threat Landscape
According to researchers at Symantec, one in every 617 spam messages now contains malicious code.
“In the past, a message was either spam or a virus. … A single verdict was usually sufficient to catch it or remedy the situation,” said Angelos Kottas, senior manager of product marketing for Symantec Messaging Security. “But what we’re seeing as a trend is spam that also has malicious code embedded in it, so that a simplistic approach might not catch it.”
In MessageLabs’ monthly Intelligence Report for March, the company reported that one in every 169.2 e-mails contained a virus and one in every 228.7 e-mails contained a phishing attack.
The report goes on to say that some of these attacks were targeted, aimed at specific people in various organizations.
“We’ve been seeing a sharp increase in [targeted attacks]. On average, we will intercept about 30 targeted Trojans per day,” said Mark Sunner, chief security analyst at MessageLabs. “In December 2005, that average would have been about two per week.”
Spam is clearly increasingly being used as an attack mechanism, infecting machines so they can be used in botnets to send more spam, said Gartner analyst Peter Firstbrook. While only one in every 150 to 200 e-mails may contain a virus, a much higher percentage of e-mails include a link to a malware-infected site.
“Sharing threat intelligence is one reason to have a coordinated SMTP and Web gateway,” Firstbrook said, adding that, for many organizations, the lack of a secure Web gateway capable of filtering malware is a glaring hole in their defenses.
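As an added illustration of the layered gateway Larsen describes and the SMTP/Web intelligence sharing Firstbrook recommends (example code written for this article, not from any vendor or organization named in it): a Python filter that runs a constructed inbound message through three layers, a sender-reputation check, a risky-attachment check, and a URL check against a blocklist the Web gateway would share. The IP, domain and extension lists are assumed sample values.

```python
import re
from email import message_from_string

# Constructed, hypothetical threat intel the SMTP and Web gateways share
# (TEST-NET-3 address, reserved .example domain, common dropper extensions).
BAD_SENDER_IPS = {"203.0.113.45"}
BAD_URL_DOMAINS = {"malware.example"}
RISKY_ATTACHMENT_EXTS = (".exe", ".scr", ".pif")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed inbound message that trips all three layers.
SAMPLE = """\
Received: from mail.example.net ([203.0.113.45]) by mx.corp.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your invoice is ready at http://malware.example/invoice.php
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

--b1--
"""

def sending_ip(msg) -> str:
    """Client IP from the first Received: header (the gateway's own hop)."""
    for header in msg.get_all("Received") or []:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", header)
        if m:
            return m.group(1)
    return ""

def inspect_inbound(raw: str) -> list:
    """Run every layer and return each verdict tripped, for the gateway log."""
    msg = message_from_string(raw)
    verdicts = []
    if sending_ip(msg) in BAD_SENDER_IPS:  # layer 1: sender reputation
        verdicts.append("sender-reputation")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_ATTACHMENT_EXTS):  # layer 2
            verdicts.append("risky-attachment")
        if part.get_content_type() == "text/plain":  # layer 3: shared URL intel
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for host in URL_HOST_RE.findall(body):
                if host.lower() in BAD_URL_DOMAINS:
                    verdicts.append("blocklisted-url")
    return verdicts
```

Returning every verdict rather than stopping at the first lets the log show which layers would each have caught the message, which is what a multi-layer design is meant to give you.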
Many Means to Security End
Only a few weeks ago, a targeted e-mail attack reached the in-box of a county employee in Arlington County, Va. David Jordan, the county’s chief information security and privacy officer, recalled that a password dump program had been hidden within an e-mail attachment. However, because the employee had received security awareness training, she did not open it.
“The employee knew better than to open the attached file,” said Jordan. “She simply forwarded the suspect e-mail to the technology services help desk.”
The county uses Symantec Client Security, and Jordan said the system likely would have neutralized the malicious program even if the user had opened the attachment. Nonetheless, he cited the incident as an example of the importance of living in a constant state of vigilance from a security and employee education perspective.
“One of my missions is to make sure employees are educated and to empower them to be responsible and accountable for safe computing practices,” he said. “For instance, I personally meet with every new hire during the training process to ensure individuals are aware of online threats and the county’s security policies, which include Web and e-mail usage. Additionally, we conduct ongoing training and awareness initiatives, such as publishing weekly newsletters and alerting employees to the latest scams and e-mail threats via the county’s SMS [Short Message Service] text alert system.”
Indeed, no technology can protect an organization if users are not properly educated about the do’s and don’ts of Web security, said Kevin Hewitt, network administrator for Stevens Aviation.
“Here at Stevens Aviation, we alert all of our users on any new possible threats,” Hewitt said. “We do this to protect our network but also to help our users avoid these issues at home. In the event we send out an e-mail within the company to inform our users of new issues, we also include an FAQ section to review and remind our users of ways to avoid being scammed, infected or exploited.”
Stevens Aviation opted for a software as a service approach to e-mail security with Webroot’s E-mail Security SAAS. The aviation company receives about 120,000 e-mail messages daily, of which about 93 percent is spam, Hewitt said. The SAAS model, he added, saves bandwidth and allowed the company to eliminate a server that had been acting as the company’s internal spam solution.
Hewitt offered several e-mail security best practices, and he advises businesses to choose enablement over blocking when it comes to Web mail, allowing users to access Web-based accounts instead of their work e-mail for all personal transactions.
But letting employees access Web mail doesn’t come without risks, and not just in terms of employee productivity.
In MessageLabs’ Intelligence Report for February 2008, researchers noted that 4.6 percent of all spam originates from Web mail-based services. The researchers also found that the proportion of spam from Gmail increased twofold, from 1.3 percent in January to 2.6 percent in February. Yahoo Mail was the most abused Web mail service, responsible for sending 88.7 percent of all Web mail-based spam.
“I think some companies would just take the view, ‘We’re not allowing Web mail because in theory it could be a bullet hole in your security,’” said Sunner, the MessageLabs security analyst. “If you think about it, if you’ve got a mail gateway, you’ve probably got some form of content filtering, some level of anti-virus protection. You’ll be doing something almost certainly these days to protect your corporate e-mail system. So, having done that, if you allow access to Hotmail [for example], of course if someone then receives a virus in their Hotmail account and they go and access it, they’ve completely blind-sided all the mechanisms you did put in place.”
E-Mail Security or Content Security?
In an era of data breaches and insider leaks, a conversation about e-mail security is about more than just spam and malware; it is also about DLP (data leak prevention). In fact, the focus of enterprises has shifted more toward overall content security, said John Thielens, vice president of technology at Tumbleweed Communications.
“To [solve content security problems] today, you need to buy products from six or seven different vendors: a Web filter, an e-mail filter, a content analysis suite, a file transfer product, an endpoint protection suite,” Thielens said.
DLP products offer a more comprehensive approach, with their content monitoring, data classification and policy enforcement capabilities.
The DLP market saw a number of acquisitions last year, and the technology is making its way into the enterprise market. However, many companies have been slow to deploy the technology, which helps to prevent the loss of sensitive data by stopping, for example, an e-mail including a Social Security number from crossing the mail gateway.
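The Social Security number case above, as an added example (written for this article, not code from any DLP vendor it mentions): a Python gateway check that scans the text parts of an outbound message for SSN-shaped numbers, discards values the Social Security Administration never issues to cut false positives, and blocks only when the number appears alongside context words. The context-word list and the sample messages are assumed, constructed values.

```python
import re
from email import message_from_string

# SSN-shaped token: area-group-serial, separators optional.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Assumed context words for this example; a real policy is tuned to the
# organization's own forms and data.
CONTEXT_WORDS = ("ssn", "social security", "tax id")

# Constructed outbound messages (sample data, not real identifiers).
LEAK = "Subject: onboarding\n\nNew hire SSN: 219-09-9999, please enroll.\n"
PHONE = "Subject: callback\n\nReach me at 555-12-3456 tomorrow.\n"
CLEAN = "Subject: refs\n\nTicket ids 000-12-3456 and 666-01-0001.\n"

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 900-999; group 00;
    serial 0000) so phone-like numbers do not trip the policy by themselves."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"

def find_ssns(text: str) -> list:
    """Plausible SSNs in text, masked to the last four digits for the log."""
    return ["***-**-" + m.group(3) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]

def text_parts(raw_message: str) -> str:
    """Join every text/plain part of a (possibly multipart) message."""
    msg = message_from_string(raw_message)
    return "\n".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")

def dlp_verdict(raw_message: str) -> dict:
    """Block a plausible SSN seen with context words; hold SSN-shaped numbers
    without context for review; allow everything else."""
    text = text_parts(raw_message)
    matches = find_ssns(text)
    has_context = any(w in text.lower() for w in CONTEXT_WORDS)
    if matches and has_context:
        action = "block"
    elif matches:
        action = "quarantine-for-review"
    else:
        action = "allow"
    return {"action": action, "matches": matches}
```

The review path matters as much as the block path: a number-only match is exactly the kind of false positive that drives users toward the workarounds Thielens warns about.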
In the report “Extending Intellectual Property Protection Beyond the Firewall,” released last November, analysts from Enterprise Strategy Group found that only 17 percent of the 109 respondents were using network-based DLP appliances at their organizations.
The ability to block classified data before it leaks out via e-mail can be a key element in e-mail security. But before investing in DLP, companies should first understand what their sensitive data is and what their business needs are, according to analysts. The risk of focusing too much on a block-and-allow approach is that employees, ultimately the last line of defense in security, will simply circumvent whatever protections are put in place, Thielens said.
“Think of the content management problem as a bubble in a long balloon animal. If you squeeze the controls around that bubble, the air just moves to the left, to the right,” he said. “If you lock down e-mail, people start using files and Web and instant messaging. If you take this blocking mentality, you’re always in catch-up mode.
“Instead, think about enablement, and tell people, ‘We’re going to put some defensive controls that block the wrong ways of doing things in place, but we’re also going to give you ways where you know how to do business with your content.’”