This article can also be found in the Premium Editorial Download "Information Security magazine: Comparing five of the top network-based inline IPS appliances."
To compound the problem, virus writers and spammers are sharing each other's methods. More than half of the top 50 code samples submitted to Symantec through June provided a way for attackers to disseminate spam from infected systems. The security firm also reported the number of active zombie PCs--infected with bots used to control systems, launch denial-of-service attacks and disseminate millions of spam messages--increased 140 percent over the first half of 2004.
Aside from leveraging these zombie networks, spammers and phishers continuously update their messages by randomizing the text and pixels within attached images, says Dave Cole, director at Symantec Security Response.
Joel M. Snyder, Ph.D.
Senior Partner, Opus One
Specialty: networking, security, messaging and VPNs
Q: Some recent attacks have been within the body of the e-mail itself. Would content scanning help defend against these attacks?
Snyder: Yes, but your AV vendor or your antispam vendor should find those attacks. You need to pressure your AV and AS to catch these, if they are not already doing so.
While blocking legitimate e-mail is annoying, it's a small price to pay considering the number of threats launched against e-mail by spammers, fraudsters and virus writers. Add the increasingly stringent state and federal regulations aimed at protecting the availability, confidentiality, privacy and security of protected financial and health information, and security managers are paying more attention to e-mail security than ever.
Although anti-virus and antispam technologies thwart the majority of e-mail-borne threats, inboxes need higher levels of protection to block new and rapidly replicating threats such as mass-mailing worms like Zotob.C, which struck in August.
Security managers need the equivalent of a security "panic button" when e-mail threats break out, says John Pescatore, a Gartner security analyst.
"That way enterprises can start quarantining all incoming e-mail with attachments until signatures are available."
Mark Pfefferman is one of those managers. As more spam and viruses managed to evade his filters, Pfefferman sought a better defense.
"We knew our first layer of defense was no longer sufficient," he says. As director of distributed computing services, he's responsible for protecting Western & Southern Financial Group, a $2 billion provider of insurance and financial services. For years, he protected the company's 4,200 PCs from viruses and spam with a layered security defense that included blocking proscribed types of e-mail attachments and utilizing "hundreds and hundreds of firewall rules."
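The two controls just described, a standing block on proscribed attachment types and Pescatore's "panic button" that holds every message with an attachment until signatures catch up, can be expressed as a small gateway policy. The following is an added example written for this article, not code from the magazine, from IronPort or from Western & Southern; the blocked-extension list, the executable MIME types and the sample messages are all constructed assumptions. It uses only the Python standard library's email package, and it covers the tricks a filter like this is usually tested against: double extensions ("invoice.pdf.exe"), whitespace padding that hides the real extension from a casual glance, and executables whose filename carries no extension at all but whose content type gives them away.

```python
"""Attachment policy with an outbreak-mode hold.

Added example, not from the article or any vendor. ALWAYS_BLOCK,
EXECUTABLE_TYPES and the messages built by sample() are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment types a gateway refuses outright (constructed list, an assumption).
ALWAYS_BLOCK = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta", "cpl", "lnk"}
# MIME types that identify an executable even when the filename is missing or misleading.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                    "application/x-executable"}


def attachments(msg):
    """Yield (filename, content_type) for each leaf part that is an attachment."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # decodes RFC 2047 / RFC 2231 encoded names
        if name is None and part.get_content_disposition() != "attachment":
            continue  # inline body text, not an attachment
        yield name or "", part.get_content_type()


def extension_chain(name):
    """Lower-cased extensions with all whitespace removed.

    'Invoice.pdf .EXE' -> ['pdf', 'exe'], so padding such as
    'report.exe        .txt' cannot hide the executable extension.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    compact = "".join(base.split()).lower().rstrip(".")
    return compact.split(".")[1:]


def classify(raw, outbreak=False):
    """Return ('deliver' | 'quarantine', reason) for a raw RFC 822 message.

    Normal mode quarantines only proscribed types. In outbreak mode every
    message carrying an attachment is held, the 'panic button' Pescatore
    describes, until signatures are available and the queue is released.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name, ctype in attachments(msg):
        exts = extension_chain(name)
        if any(ext in ALWAYS_BLOCK for ext in exts):
            return "quarantine", f"blocked attachment type: {name!r}"
        if ctype in EXECUTABLE_TYPES:
            return "quarantine", f"executable content type {ctype} for {name!r}"
        if outbreak:
            return "quarantine", f"outbreak mode: holding {name or ctype!r} until signatures update"
    return "deliver", "no attachment policy match"


def sample(filename, maintype="application", subtype="octet-stream"):
    """Build a constructed test message with one attachment (none if filename is None)."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "user@example.com"
    m["Subject"] = "Your invoice"
    m.set_content("Please see the attached file.")
    if filename is not None:
        m.add_attachment(b"MZ\x90\x00 constructed payload",
                         maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    cases = [
        (sample("report.pdf", subtype="pdf"), False),
        (sample("invoice.pdf.exe"), False),
        (sample("report.exe      .txt"), False),
        (sample("setup", subtype="x-msdownload"), False),
        (sample("report.pdf", subtype="pdf"), True),
        (sample(None), True),
    ]
    for raw, outbreak in cases:
        print("outbreak" if outbreak else "normal  ", classify(raw, outbreak=outbreak))
```

Two design choices are worth noting. The executable check runs before the outbreak check so that a held message is tagged with the reason it was held; when the outbreak flag is cleared, only messages with the "outbreak mode" reason should be released, while the others stay quarantined. And a blocked extension anywhere in the chain is treated as a match, so a renamed "setup.exe.txt" is held too, which is the conservative choice a gateway usually makes at the cost of an occasional false positive.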
Q: Does standard Outlook/Exchange e-mail going out over the Internet get encrypted, or do we need to do something ourselves to encrypt it? Is the default S/MIME a type of encryption?
Snyder: Standard Outlook can be encrypted, digitally signed or both. But it won't be secure unless you take active steps using the S/MIME features built into Outlook.
For Pfefferman, IronPort's Virus Outbreak filters offer an early line of defense by intelligently quarantining suspicious e-mail during the earliest stages of a virus outbreak--before the company's Sophos antivirus signatures have been updated.
Within four months of deployment, the IronPort appliance blocked about 15 million spam e-mails and 3,400 viruses.
"You can watch [the spammers] shoot their 'spam cannons,' with hundreds of thousands of spam messages flying out over the weekend," says Pfefferman. IronPort's advanced virus warning system is also a welcomed pre-emptive defense. "We're alerted several times a month to possible virus outbreaks. Suspicious e-mails are quarantined until virus updates are pushed out."
IronPort's early warning filters can notify companies to quarantine or block certain messages 10 to 12 hours in advance of antivirus signatures, according to Joel Snyder, senior partner at Tucson, Ariz.-based networking and security consulting firm Opus One. These filters could prove helpful at stopping future techniques that spammers will undoubtedly employ to mass-mail their scourge, he adds.
This was first published in October 2005