Information Security

Defending the digital infrastructure


Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

E-mail Security Guide for Managers

Staying on top of the latest e-mail threats.

Staying on top of the latest e-mail threats.

You are trekking through very rough terrain. Spammers and virus writers are blending mass-mailing spamming techniques to distribute malware, whose impact is more destructive than ever before. To combat this trend, we've compiled a comprehensive guide for managers grappling with these issues. We've out lined the e-mail security landscape and the latest threats, gathered solutions from users, and compiled a guide of the latest product offerings. What's more, we've given you practical tips on some of the most common and vexing problems to help you navigate the rocky e-mail security landscape.

Brett McKeachnie is fighting an uphill battle against e-mail-borne threats. He's deployed all the usual weapons--blacklists, antispam scanners and signature-based antivirus engines--but he still doesn't feel he is keeping pace with the bad guys.

"It's as bad as I've ever seen it," says McKeachnie, director of infrastructure operations at Utah Valley State College (UVSC). In early 2004, McKeachnie noticed that antivirus software makers were consistently starting to release two or three signature updates each day. "We thought that, if [AV vendors are] putting stuff out that quickly, there's got to be a lot of things that are getting by during the time when these companies identify a virus and publish the signatures."

Policy checklist for preventing
e-mail borne blended attacks
  • EDUCATE USERS to never click on any e-mail attachments, especially if they are unsolicited or from a stranger.

  • BLOCK E-MAIL ATTACHMENTS at the gateway through firewall rules. If a business absolutely must use e-mail attachments, set that department up with its own dedicated mailbox segregated from the main e-mail system.

  • USE SPAM FILTERS and educate users to delete any and all spam before reading it--spam should never be opened or responded to.

  • SET UP E-MAIL CLIENTS to only display plain text -- never HTML.

  • HAVE A POLICY in place to access (or to block access) personal e-mail accounts from the office.

  • Joel Dubin, CISSP, is the author of The Little Black Book of Computer Security and an independent computer security consultant based in Chicago, specializing in Web and application security.

McKeachnie opted for a technology that tests each attachment by running it in a virtual machine environment and blocking or quarantining anything that exhibits suspicious behavior. Avinti's iSolation Server gives UVSC a proactive layer of defense and relieves the necessity of blanket prohibitions on file attachments, which caused headaches particularly for computer science majors trying to file their homework.

McKeachnie isn't paranoid; he's typical of thousands of IT and security pros who try to counter escalating threats posed by e-mail.

Short-span and Blended Attacks
Research consistently shows that spam constitutes 70 percent or more of all e-mail communications. To make matters worse, the tactics used by virus writers and spammers are becoming more sophisticated. To avoid detection by antivirus software, malware writers are blending mass-mail spamming techniques to distribute viruses, worms and Trojans, and to lure users to malicious Web sites. These so-called short-span attacks leverage vast networks of infected computers to distribute viruses within hours by seeding malware to thousands of computers instantaneously.

A handful of these short-span virus attacks, including Goldun.BA and Beagle.BQ, were completed in less than seven hours, according to research compiled by antivirus software maker Comm-touch in June. Such attacks strain the ability of antivirus software makers to create and distribute anti-virus signatures fast enough to squash the outbreak. Another tactic: Virus writers use the serial variant, in which a new version of the worm or virus is released each day in an at-tempt to outrun the ability of anti- virus vendors to create signatures.

According to Symantec Corp.'s latest Internet Security Threat Report, this could explain why the number of virus variants targeting Windows reached 10,866 through June, up 142 percent over the first half of last year.

To compound the problem, virus writers and spammers are sharing each other's methods. More than half of the top 50 code samples submitted to Symantec through June provided a way for attackers to disseminate spam from infected systems. The security firm also reported the number of active zombie PCs--infected with bots used to control systems, launch denial-of-service attacks and disseminate millions of spam messages--increased 140 percent over the first half of 2004.

Aside from leveraging these zombie networks, spammers and phishers continuously update their messages by randomizing the text and pixels within attached images, says Dave Cole, director at Symantec Security Response.

Expert Advice
Joel M. Snyder, Ph.D.
Senior Partner, Opus One
Specialty: networking, security, messaging and VPNs

Q: Some recent attacks attacks have been within the body of the e-mail itself. Would content scanning help defend against these attacks?

Snyder: Yes, but your AV vendor or your antispam vendor should find those attacks. You need to pressure your AV and AS to catch these, if they are not already doing so.

For McKeachnie, the virtual-machine approach has helped ease his e-mail headaches. The system runs more smoothly, despite the fact that 70 percent of the 50,000 to 100,000 e-mails destined for the college each day are spam, viruses or other unwanted messages. And, except for the occasional valid e-mail that inadvertently gets blocked, spam and viruses no longer pose a problem on campus.

While the blockage of legitimate e-mail is annoying, it's a small price to pay considering the number of threats launched against e-mail from spammers, fraudsters and virus writers. Coupled with the increasingly stringent state and federal regulations aimed at protecting the availability, confidentiality, privacy and security of protected financial and health information, security managers are paying more attention to e-mail security than ever.

Although anti-virus and antispam technologies thwart the majority of e-mail-borne threats, inboxes need higher levels of protection to block new and rapidly replicating threats such as mass-mailing worms like Zotob.C, which struck in August.

Reputation Filters
Security managers need the equivalent of a security "panic button" when e-mail threats break out, says John Pescatore, a Gartner security analyst.

"That way enterprises can start quarantining all incoming e-mail with attachments until signatures are available."

Mark Pfefferman is one of those managers. As more spam and viruses managed to evade his filters, Pfefferman sought a better defense.

"We knew our first layer of defense was no longer sufficient," he says. As director of distributed computing services, he's responsible for protecting Western & Southern Financial Group, a $2 billion provider of insurance and financial services. For years, he protected the company's 4,200 PCs from viruses and spam with a layered security defense that included blocking proscribed types e-mail attachments and utilizing "hundreds and hundreds of firewall rules."

Expert Advice
Q: Does standard Outlook/Exchange e-mail going out over the Internet get encrypted, or do we need to do something ourselves to encrypt it? Is the default S/MIME a type of encryption?

Snyder: Standard Outlook can be encrypted, digitally signed or both. But it won't be secure unless you take active steps using the S/MIME features built into Outlook.

In October 2004, Western & Southern deployed IronPort's C60 e-mail security appliance, providing reputation and antivirus filters to identify and block spam and viruses. These appliances analyze the sender of the e-mail and quarantine or block e-mails from sources known to spam or transmit viruses.

For Pfefferman, IronPort's Virus Outbreak filters offer an early line of defense by intelligently quarantining suspicious e-mail during the earliest stages of a virus outbreak--before the company's Sophos antivirus signatures have been updated.

Within four months of deployment, the IronPort appliance blocked about 15 million spam e-mails and 3,400 viruses.

"You can watch [the spammers] shoot their 'spam cannons,' with hundreds of thousands of spam messages flying out over the weekend," says Pfefferman. IronPort's advanced virus warning system is also a welcomed pre-emptive defense. "We're alerted several times a month to possible virus outbreaks. Suspicious e-mails are quarantined until virus updates are pushed out."

IronPort's early warning filters can notify companies to quarantine or block certain messages 10 to 12 hours in advance of antivirus signatures, according to Joel Snyder, senior partner at Tucson, Ariz.-based networking and security consulting firm Opus One. These filters could prove helpful at stopping future techniques that spammers will undoubtedly employ to mass-mail their scourge, he adds.

Highly Targeted Phishing Attacks
Another trend security managers and analysts say they're witnessing is the growing number of highly targeted attacks aimed at specific companies, regional financial services firms and banks.

"We're seeing more spoofed e-mails that appear to be coming from internal employees, but are really phishing attacks attempting to grab passwords or lure users to malicious Web sites," says Gene Fredriksen, vice president of information security at Raymond James and Associates.

By shooting a few dozen highly targeted e-mails, rather than spamming out thousands, fraudsters are often able to sidestep antispam filters.

Expert Advice
Q: What is the value of using multiple antivirus engines on SMTP or Exchange front ends? Is this a recommended practice rather than relying on a product with a single engine at the edge?

Snyder: Multiple AV engines are always a good idea. My personal preference is to have one at the edge and one at the desktop. This guards against failures on the edge or messages that don't go through the edge. But there are many ways to accomplish this. Where and how you do it is largely an architectural choice.

"Typical white lists and e-mail throttling filters aren't effective against these [specific] types of attacks," says Gartner's Pescatore. But filters like Microsoft's anticipated antiphishing toolbar, bundled with Internet Explorer 7, is heralded to block users from accessing known phishing Web sites, and to spot suspicious URLs embedded within e-mails.

That's good news to Fredrikson. "Phishing attacks can be devastating to a corporation's brand. Any technology that will help increase security outside of the corporate perimeter is welcome," he says.

And not just corporate image is at risk. The spike in phishing attacks--combined with rising identity-theft fears--is quickly eroding trust in e-commerce. In a report earlier this year, Gartner estimated that the loss of trust could squeeze e-commerce growth by 3 percent and cost corporations billions in lost revenue.

Dan Lissek, information technology director for international law firm Holme Roberts & Owen, already knew the perils of insecure inboxes. Lissek estimates that during 2003, 30 percent of e-mail sent to the firm was spam and phishing attacks; the figure reached roughly 70 percent by early 2004. To make matters worse, the firm's 215-plus attorneys were spending at least 30 minutes a day sifting through junk e-mail--too much time for a business that relies on billable hours. Meanwhile, Lissek's IT staff had to respond to spam inquires from employees and sort through lengthy spam filter reports.

"We had to do something," says Lissek, "to stop our IT department from having to manage an internal filtering system that was pretty much unsuccessful and very labor intensive."

In 2003, the firm's defensive measures included MX Logic's managed E-mail Defense Service. According to Lissek, when he cranked the filters up to their highest levels, "all of a sudden my Exchange administrator, my technical support manager and their staff weren't spending time on [sorting through junk e-mail], and our attorneys got a good portion of their day back."

Buyers Guide
Click here for a comprehensive list of e-mail security solutions available today (PDF).

Richard Smith, director of information technology for R.W. Smith & Associates, a facilitator of trades between securities dealers and dealer banks, saves all of his spam. While e-mail worms and viruses aren't a problem, complying with stringent regulations certainly is. The Kirkland, Wash., firm receives 33,000 to 68,000 e-mails each month. To keep those messages clean of spam and viruses, it relies on two open-source tools--SpamAssassin and ClamAV.

"[These products] get a lot, but not everything," Smith says. "There's still a substantial amount of spam that gets through." Smith's greatest concern is making sure that the firm is ready with a communications report at a moment's notice should regulators arrive.

That's why R.W. Smith & Associates deployed Captaris Inc.'s Exchange Archive Link to capture and archive all of the company's inbound and outbound e-mail. According to Smith, the software makes it possible for the firm to transparently create a copy of and index each e-mail.

Expert Advice
Q: Norton Antivirus scans all incoming e-mails on my system, and I have XP with Service Pack installed. Why am I still open to viruses?

A: You need a gateway AV scanner. Norton isn't going to catch every virus. Your updates could be out-of-date, or Norton could be behind with a virus type. You've got discretionary control over your AV scanner; you could disable it, your kids could, a worm could. You don't have control over a gateway AV scanner; it's controlled by the network manager. Two lines of defense are always better than one.

According to SEC regulations, many financial organizations have to ensure that covered e-mails are captured, stored, indexed and searchable. "But they don't necessarily tell you which e-mails you can omit and which you can't," Smith says. So he saves everything.

Should regulators ask Smith to produce copies of e-mails, the Captaris application gives him the ability to search, view and sort each e-mail, and deliver it to the auditors on various storage media, such as recordable DVDs. The system's archival e-mail system, including hardware, software and training, costs about $13,000.

"The ROI was quick, about three months," says Smith.

The real ROI, though, came quickly after the installation. Not only did the firm undergo its required annual third-party compliance audit, but it also got a visit from regulatory bodies.

"When [the auditors] request a drop (a period of time), they're not interested in what the software might have flagged as spam and what it didn't. They want to see everything, and there are no exceptions," says Smith. Fortunately, Smith was able to provide copies of all the communications the auditors requested within the requested timeframe. "Without Captaris, we simply wouldn't have been able to produce the report in time."

While no one expects the heat from regulations to let up any time soon, neither will the threats of viruses and worms targeting inboxes. With security researchers predicting that virus writers will increasingly devise methods to sidestep antivirus applications, and spammers getting all too creative in blasting their sludge e-mails, the original killer application will continue to be in the IT security flashpoint.

Security researchers and industry analysts predict that increasingly popular targets for virus writers will be smart phones and PDAs. Security vendor McAfee last year identified five malicious applications that target mobile phones; that number reached 50 during the first quarter of this year.

For Your Inbox
Click here to arm yourself against attacks with practical advice from e-mail security experts (PDF).
Although neither e-mail viruses nor spam are now a problem for the mobile devices at Holme Roberts & Owen, Lissek is on the lookout for such threats.

"I'd never say that we're 100 percent safe," he says. "We're always leery of what's going on, and staying on top of the next threats to come."

That's probably the proper stance for anyone with an inbox.

Article 4 of 15

Dig Deeper on Email and Messaging Threats-Information Security Threats

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All