End of spam, phishing threats not far off

By Eric B. Parizo, News Editor 09 Jan 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Viruses, spam and phishing may have been big messaging security threats in 2005, but this year expect secure archiving, risk management and layered threat prevention to take center stage.

That's the forecast from San Francisco-based Ferris Research, which last week unveiled its latest report, Top 10 Messaging & Collaboration Issues of 2006.

According to one of the report's authors, Ferris Lead Analyst Richi Jennings, traditionally vexing problems like spam and phishing still exist, but increasingly sophisticated antispam software and its ubiquitous use are mitigating those threats.

"Spam will continue, but people will no longer see it," Jennings said. "And if they can't see it, they can't buy things from spam ads. And if they can't buy, then the spammers don't get paid, since they work on commission. And if they don't get paid, there's no more incentive, and then presto, the spam problem implodes."

But that won't happen overnight. Jennings said it's likely to be another 18-24 months before the spam industry recedes. Phishing may take even longer, he said, but it's only a matter of time before it goes away as well, thanks to improved defenses and an increased willingness among companies exploited as phishing fronts -- eBay, PayPal and major banks, most notably -- to go after phishing outfits.

As a result, Ferris sees other security issues taking the fore. E-mail archiving and retention topped the overall list. Jennings sees it as a security issue because compliance with the Sarbanes-Oxley Act and other government regulations typically mandates secure retention and purging of messaging archives. He said most organizations will need add-on software products or new hosted services to complete these tasks.

The bottom line, Jennings said, is that organizations can no longer risk losing sensitive information that could in turn result in a regulatory violation. "Regulations like HIPAA have a great deal to say about the security and privacy of heath care information," he said, "so I think it should be very much top-of-mind."

Mobile messaging security is becoming more important as well, but many fail to realize that it's a two-fold issue. In addition to securing mobile data and the devices it resides upon -- "If someone comes across a lost BlackBerry and wants to extract the data," Jennings said, "it can be quite easy to do," -- it's necessary to constantly monitor and evaluate the risk management aspects of mobile messaging.

For instance, Jennings said, mobile messaging requires an organization to "punch through the firewall and expose a service using an additional protocol," but doing so creates another potential point of entry that attackers could exploit.

"It's a classic risk management argument, and it's something some people don't understand well," Jennings said. "They don't understand how to go about making risk management decisions and understanding the implications, particularly the small and medium-size organizations that choose to run all their IT themselves."

Zero-hour exploit control is also an increasingly urgent issue, Jennings said, because several incidents in 2005 proved that attackers can take advantage of vulnerabilities almost immediately with damaging consequences, most notably the Zotob attacks of last summer that caused network outages at CNN, ABC and The New York Times.

Despite the myriad of emerging messaging threats, Jennings said the best way to circumvent any number of them is through a layered defense strategy, such as using a perimeter security product from one vendor, a messaging-specific product from a second vendor and desktop security software from a third. That way, if one vendor's product fails to spot a problem, perhaps another will.

"It's tempting to go with one vendor whom you're familiar with and just buy an all-in-one product," Jennings said, "but for zero-hour exploits and variability among vendors, it's a good idea to have several security layers."

He also recommended always tracking state-of-the-art messaging security products, because better techniques are always emerging. "The bad guys aren't standing still," Jennings said, "so you shouldn't stand still either."

Tags: IM Security Issues, Risks and Tools,  Email Security Guidelines, Encryption and Appliances,  Email and Messaging Threats (spam, phishing, instant messaging),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT IM Security Issues, Risks and Tools What are effective ways to stop instant messaging (IM) spam? Secure messaging complications result in limited protection Is it possible to ban chat programs on an enterprise LAN? How to lock down instant messaging in the enterprise AOL closes AIM attack vector, but risks remain Researcher says AIM still vulnerable, AOL insists it's fixed Serious security flaw in AOL Instant Messenger Security flaws found in AOL, Yahoo IM programs Flaw found in MSN Messenger AOL, Yahoo, Trillian IM applications under threat Email Security Guidelines, Encryption and Appliances Information security book excerpts and reviews How to confirm the receipt of an email with security protocols Best Email Security Products Can an IP spoofing tool be used to spam SPF servers? WatchGuard acquires email and Web security vendor BorderWare McAfee to acquire email SaaS vendor MX Logic What does 'invoked by uid 78' mean? How to configure firewall ports for webmail system implementation Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Email and Messaging Threats (spam, phishing, instant messaging) Yahoo login credentials at risk to hijacking attack The world's top 5 riskiest domains How to secure a .pdf file Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greynet  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary