Like all organizations, we've been fighting spam for a long time. We have filtering technology in place, and we've even given intensive email security awareness training to our employees -- including phishing and social engineering testing -- but spam keeps getting through and employees keep clicking on malicious links (like with the RSA SecurID attack, we had a user actually remove a malicious message from a spam folder and open it!). Is there anything else you'd recommend we do?
As you are finding out, there are limits to the effectiveness of information security awareness training. Security awareness matters when technical measures fail, but it should not be the only information security control in use. Your question doesn't mention what types of security awareness training or filtering technologies are in place, but you may want to re-evaluate the effectiveness of your security controls for preventing infections from spam if users are not following the recommendations or the technology is consistently failing. You should determine exactly what is failing and ensure the control is working as expected, including your host-based security controls. For instance, if users are being infected by malware in spam messages retrieved from a spam folder, it's worthwhile not only to re-evaluate information security awareness training to ensure users understand the dangers of clicking on links in spam messages, but also to examine host-based malware detection systems to determine why the malware was allowed to execute. You could also notify users of messages held in the spam folder, but require that an administrator, rather than the user, retrieve a spam message on the user's behalf.
While blocking email at the network perimeter is probably not a reasonable option in most cases, there are additional protections that could be used. You could strip all attachments, allow only plain-text email, run your email client in a virtual machine, or use an alternative email client. None of these may be reasonable in your environment, but it may be worth testing one or more of them to see whether it significantly reduces infections relative to the effort needed to deploy the change. An easier change may be to add an additional check in the SMTP stream, by an appliance or service, that uses a different detection method than the one currently in use. This adds some complexity, but it also adds protection if the different method complements your current detections.
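The "strip all attachments, only allow plain text email" option above is easy to reason about but rarely shown concretely. The following is an added example, not code from the original answer or from any product it mentions: a small Python sanitizer that could sit behind an MTA as an extra content-policy step in the inbound mail path. It rebuilds each message as a single text/plain part, drops every attachment, records what it dropped in a hypothetical `X-Sanitizer-Removed` header (an assumed name), and handles the edge case of an HTML-only message by rendering its visible text rather than delivering the HTML. Both sample messages are constructed for the example.

```python
"""Inbound mail sanitizer: keep only a text/plain body, strip everything else.

Added example (not part of the original answer). Uses only the standard library.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample: multipart/mixed with a text+HTML alternative and a PDF attachment.
SAMPLE_MIXED = """From: sender@example.com
To: user@example.org
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/alternative; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--b2
Content-Type: text/html; charset="utf-8"

<p>Please see the <a href="http://example.com/x">attached invoice</a>.</p>
--b2--
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MK
--b1--
"""

# Constructed sample: HTML-only message with no text/plain alternative (the edge case).
SAMPLE_HTML_ONLY = """From: sender@example.com
To: user@example.org
Subject: Account notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account needs <b>attention</b>.</p></body></html>
"""


class _TextExtractor(HTMLParser):
    """Collects the visible text of an HTML document, discarding tags and attributes."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def html_to_text(html: str) -> str:
    """Render HTML to plain text: tags, links and scripts vanish, whitespace collapses."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())


def sanitize(raw: str):
    """Return (clean_message, removed_labels).

    The clean message carries only the original routing headers and a single
    text/plain body. Attachments are dropped and listed by filename (or content
    type when unnamed). An HTML part is never delivered: it is used only as a
    fallback source of text when the sender supplied no text/plain part.
    """
    msg = message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))

    removed = []
    for part in msg.walk():
        if part.is_multipart() or part is plain or part is html:
            continue
        removed.append(part.get_filename() or part.get_content_type())

    if plain is not None:
        body = plain.get_content()
    elif html is not None:
        body = html_to_text(html.get_content())
    else:
        body = ""

    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if name in msg:
            clean[name] = str(msg[name])
    # Assumed header name; lets the helpdesk see what a user's message lost.
    clean["X-Sanitizer-Removed"] = ", ".join(removed) if removed else "none"
    clean.set_content(body)
    return clean, removed


if __name__ == "__main__":
    for sample in (SAMPLE_MIXED, SAMPLE_HTML_ONLY):
        clean, removed = sanitize(sample)
        print(f"--- removed={removed}\n{clean.as_string()}")
```

The `X-Sanitizer-Removed` header is what makes this policy livable in practice: when a user reports that an expected file never arrived, the helpdesk can see from the delivered message that it was stripped rather than lost, and can arrange release through an administrator as the answer suggests.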
This was first published in January 2012