Email management as good as your email security

By Nathan Statz

January/February Edition, 2008: When it comes to securing the inbox the biggest threats are the human ones – from a careless mistake that innocently leaks sensitive data, to revealing compromising details on social networks and dealing with employees who will believe anything with their name on it

2008 has already seen almost every organisation connected to the internet inundated with more sophisticated threats than ever before, but that’s true of every year because as the security organisations stamp out one malicious piece of software, several more spring up in its place. This year the real difference, particularly in the Asia-Pacific region, is the rising threat of data leakage.

Do you really want to push send?

One of the classic ways data escapes the corporate network is through an incorrectly addressed email. Shortcuts like auto-complete make emailing simpler, but they carry costly consequences when the CEO’s email address sits right below that of a journalist and the sender discloses revealing information simply by addressing an email to the wrong person.

This type of data leakage is preventable, but often overlooked in email security. When these mistakes occur and data spills it’s more often than not an innocent mistake, yet one that can cause irreversible damage to an organisation.

“From what I’ve seen, data leakage is the fastest growing vulnerability and if you look at the average cost of losing just one personal record, then suddenly you’re looking at hundreds of millions of dollars when you look at the cases where they’ve lost thousands,” says Bjorn Eng Engelhardt, senior director, Symantec.

Personal records can easily be compromised through email attachments or from being pasted into the email itself, not to mention through non-email means. Yet according to Engelhardt these risks are not enough to bring the problem to the attention of chief information officers and other senior executives.

“It’s less about which product to choose and more about understanding what the risks are - we spend a lot of time educating the market on what data leakage prevention is,” says Engelhardt. “You can’t buy a solution off a shelf, click a wizard and say now we're protected, you need a policy assessment and then you need to line that up against risk and liability.”

The damage from data leakage is persistent and extremely hard to counter; a simple mistake hurts the reputation of an organisation, leaving customers and partners questioning the reliability of doing business with it in the future.

Threat detected!

Keeping an ear to the ground is hard to do in the world of email security, because there is a constant earthquake and when that settles down the earth’s so changed you barely have enough time to get your bearings before the next one hits. Despite this, there’s still a lot to be gained from evaluating the current armada of threats.

Adam Biviano, premium services manager at Trend Micro, says most organisations have good email security solutions and policies; in particular, document files that can be easily transported are severely locked down. “People are aware of the threat of an email attachment, but now we are seeing emails being used as a vector to send you to a malicious web site,” says Biviano.

“An example of how this can happen was during the Christmas period where it was common practice for people to send each other e-cards,” says Biviano. “But that’s opening up users to being sent to websites that are malicious in intent and putting their companies at risk.”

Other email threats include the rise of targeted attacks, which see the use of individual and corporate data to fool users into thinking email was legitimately sent by someone within the organisation. If they hit reply, the email compromises the system.

Philip Routley, product marketing manager at MessageLabs, says it’s these targeted attacks that are currently dominating their radars. “There were two major outbreaks last year; one was from a recruitment organisation that was highly targeted with the name of the company in the subject field. It was going after managers with a top-down approach,” says Routley. The attack was based on the idea that if the email regarding a job role hit the CEO, he/she would forward it on to the HR manager, who might act on it immediately.

“I don’t think there's much awareness out there. It’s still very limited in the number of attacks, but they're actually getting the email addresses right and making sure it’s very accurate. They're putting bait on the hook basically,” says Routley.

These dangers could affect almost any industry, but certain segments provide a bigger jackpot for the bad guys. So far, Routley believes the attacks are coming from the same group, though this is expected to soon change as a horde of online illegal toolkits are putting the skills in just about anyone’s hands.

Preventing these attacks requires technical know-how as well as an educated workforce who understand the risks. The best option is to block targeted spam, a different approach from the more common ‘accept then block’ software, where traffic is let in and can potentially wreak its havoc before it’s blocked.

“Because of the pure volume of spam, we've found organisations becoming a lot tighter about what they let through in terms of using their policies to restrict more,” says Phil Vasic, General Manager Australia/New Zealand, Websense.

The emerging security threats are numerous but what should not be forgotten is that these are coupled with the usual array of problems. It’s necessary to prepare for all that’s new in the world of security, but just as necessary to never forget the barrage of existing security challenges.

Surfing the social networks

Despite the hype around social networks and their role in the business, allowing employees to freely surf social networks like Facebook and Myspace is risky due to the vast quantity of private data they contain.

“It’s still a traditional joke that if a bunch of lads go to the pub and are chatting to the nice looking girl at the end of the bar, at the end of the night one of them will ask for her phone number, and most ladies might be reluctant to dish it out at the pub,” says Paul Ducklin, head of technology at Sophos.

“Yet on a social networking site that same lady would be willing to give out her phone number and a great deal more without any such reluctance.”

To test the vulnerability of social networks, Sophos created a fake account of a 28-year-old single male living in London. Using a picture of a plastic frog as its identifying picture, the counterfeit profile asked 200 random people to be its friends.

“Over 40% said yes and at least a quarter of those gave us their personal phone number straight away. Of those 200 people, 1 of them even went so far as to allow us to access her mother’s maiden name on her profile information,” says Ducklin.

The risk arises when third parties with malicious intent view this often publicly accessible information and use it to infiltrate the company through subterfuge and targeted attacks.

“In 1907 the scammers had to go face to face to get old ladies to sign over their inheritance and sell people the Eiffel Tower, they can now do it remotely and keep hundreds on the hook at the same time,” says Ducklin.