With the specter of Valentine's Day looming, security managers should take note of the increased threat posed by electronic greeting cards sent to their employees.
Experts say e-cards pose several dangers to enterprises: a virus or worm can be disguised as a love token, and a greeting can link to a malicious URL that lets an attacker execute code on an unwary user's system.
Sixty-four percent of 58 SearchSecurity.com minipoll respondents said e-cards were a threat to their enterprise and more than half (51%) rated the threat as moderate.
We hear it every year, but still the threat persists. "If someone sends you a Valentine's e-card, at best they're an unromantic cheapskate; at worst, they're sending you a virus," Chris Wraight, then technical director of Sophos Inc., said in an interview two years ago.
Nothing has apparently changed.
"We advocate the old-fashioned approach -- flowers, chocolates or a romantic meal for two," he mused. "These gestures are much more seductive and don't carry any risk of infection."
Security professionals say it's sound advice and have frequently warned that malicious code can easily be transmitted through e-cards.
"It's a bit of a shame, but it's only a matter of time before really malicious code exploits e-cards; the problem is that they are HTML- and script-based," said Roger Thompson, VP of product development at PestPatrol Inc., a Carlisle, Pa.-based developer of security tools. "Other than keeping your antivirus software up to date, the only mitigations are to disable HTML in e-mail or to reactively block bad Web sites at your firewall as they are discovered."
The ePolicy Institute and Bellevue, Wash.-based Clearswift, which provides security software for electronic communications, published a list of "tips for corporate e-mail and instant messaging users -- and employers -- eager to keep their messages clean, compliant and as risk-free as possible."
First, clearly spell out in a security policy what type of language, images and other content is -- and isn't -- allowed in electronic messaging. Give employees explicit notice that they don't have a reasonable expectation of privacy, and educate employees about confidentiality and compliance concerns.
Also establish and enforce a written e-mail and IM retention and deletion strategy, making certain electronic business records are retained and archived while separating and purging nonessential, non-business record messages. And enforce e-mail and IM policy and training programs with policy-based content filtering software that works in concert with your written e-mail and IM policies.
Minipoll respondents were divided on the best form of mitigation: 41% said they would filter executable files; 30% would train users not to open them; and 28% would ban them by blocking the main e-card sites and creating filters.
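A mail-filter check along the lines the respondents describe, flagging executable attachments, scripted HTML bodies and embedded links, written here as an added example (not code from the article or any vendor it names); the sample message, the extension list and the example.invalid hostnames are constructed:

```python
# Added example: flag e-card style mail on the three criteria the article names.
import re
from email import message_from_string

# Constructed extension list; a real filter uses the organisation's own policy.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".hta")
SCRIPT_RE = re.compile(r"<script\b|javascript:", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def inspect_ecard(raw: str) -> dict:
    """Return what a content filter would act on for one RFC 822 message."""
    findings = {"exec_attachments": [], "html_script": False, "urls": []}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(EXEC_EXTS):
            findings["exec_attachments"].append(name)
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            findings["html_script"] = findings["html_script"] or bool(SCRIPT_RE.search(body))
            findings["urls"].extend(URL_RE.findall(body))
    return findings

def should_quarantine(findings: dict) -> bool:
    """An executable attachment or a scripted HTML body is enough to hold the message."""
    return bool(findings["exec_attachments"]) or findings["html_script"]

# Constructed sample: HTML greeting with a link, an image, a script tag and a .scr file.
SAMPLE = """\
Subject: You have a Valentine!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Someone loves you!</p>
<a href="http://ecard.example.invalid/view?id=1">Open your card</a>
<img src="http://ecard.example.invalid/heart.gif"><script>document.title="card";</script></body></html>
--b1
Content-Type: application/octet-stream; name="valentine.scr"
Content-Disposition: attachment; filename="valentine.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    print(inspect_ecard(SAMPLE), should_quarantine(inspect_ecard(SAMPLE)))
```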