
E-mail Insecurity - CXO Magazine

E-mail Insecurity – New Threats Facing Global Businesses

Terry Dickson, Chief Executive Officer
Avinti, Inc.

There isn't a CEO today who would deny the paradigm shift that e-mail created around the world. E-mail changed the very nature of the way businesses operate. It enabled new processes that drove costs out of operations, created a collaborative dialogue with customers and partners, and increased the speed at which a company's message could reach its intended audience.

Now e-mail, and the security risks it poses, has CEOs running for cover and fearing for their jobs. Who could have imagined the day when something as seemingly insignificant as an e-mail virus or e-mail spam could place an executive's job at risk? But that is where we are today. E-mail has become the most widely used method for breaking into corporate networks, stealing identities, crippling IT systems and committing a whole laundry list of online crimes. What has CEOs so scared? They can now be held personally liable for certain types of information security breach in which sensitive or confidential information about people or organizations is compromised.

The New E-mail Battleground

Simple arrogance (or denial) leads many to believe that they have the e-mail problem completely covered, and that e-mail virus outbreaks and attacks are problems only other companies face. The prevailing feeling at many of these organizations is, "So far we have been lucky enough not to be the first one hit by a new virus, and as long as we keep our anti-virus signatures updated, we'll be just fine."

The irony is that while the e-mail security challenges companies face have evolved since a decade ago, or even a year ago, the e-mail security technology entrusted to protect businesses and consumers has failed to keep pace with the changing threat landscape. Legal and regulatory mandates, as well as plain business survival, now give organizations reason to re-evaluate their approach to e-mail security in the face of three new kinds of e-mail attack.

Threat #1 – The Fast-Moving E-mail Attack

Fast-moving attacks exploit the window of vulnerability between the appearance of a new virus and the deployment of a signature for it to security products. Before an antivirus vendor can write a signature, it must first capture and analyze a sample of the threat. Once the vendor has confirmed a new virus or worm, researchers must create a signature and add it to the database of known viruses so that the scanner will trap the virus the next time it appears. Some of the fastest-moving viruses, such as Bagle or Sober, have accounted for as much as 75 percent of all Internet traffic within a matter of hours. These viruses also mutate quickly, with dozens of strains of the same virus infecting system after system, and each strain may need a signature of its own.

Virus writers have also added new tricks to their trade that make attacks swift and effective. Blended attacks combine the characteristics of multiple threat classes, such as viruses and worms. An attacker using a blended approach might send a virus as an e-mail attachment alongside a Trojan embedded in an HTML body that damages the recipient's computer. Nimda and Code Red, along with similar exploits, were examples of blended threats.

E-mail's value comes from the ability to exchange data and information quickly. Anything that restricts this rapid exchange will have a noticeable, and sometimes severe, impact on business operations. In an attempt to reduce the impact of fast-moving threats that can halt communications, some companies have adopted a policy of manually quarantining or delaying the delivery of messages that "might" be malicious. Mail can be held for up to 48 hours while it is rescanned with the latest signature files prior to delivery. Sometimes quarantined messages are even opened by hand in an attempt to observe any unusual activity. These practices expose businesses to significant risk under data privacy regulations, and can have long-term effects on business relationships if time-sensitive material fails to reach its destination when required.

Even though anti-virus companies employ teams that work around the clock to capture, identify and develop definitions for new outbreak viruses, in the best case this process is measured in days, during which time a new virus can run wild, infecting hundreds if not thousands of companies before protection is available.
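To make the signature window concrete, here is an added example (not Avinti's product code, and not code from the article). It wraps a constructed, inert attachment in a MIME message, checks it against two constructed signature styles, and shows how a padded strain slips past a whole-file hash signature and an XOR-encoded strain slips past a fixed byte pattern, while a structural check that needs no prior sample still flags all three. The payload, signature sets, addresses and filename are all made up for the example.

```python
"""Signature matching versus trivially mutated strains of one attachment.

Added example, not Avinti's code. The "malware" is a constructed, inert byte
blob; the signature sets, addresses and filename are made up for the demo.
"""
import email
import email.policy
import hashlib
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Constructed stand-in for a malicious executable: a fake "MZ" header plus a
# marker string that an analyst might have turned into a byte-pattern signature.
SAMPLE_PAYLOAD = b"MZ" + b"\x00" * 62 + b"FAKE_WORM_STUB: constructed, inert test blob"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two signature styles, both derived from the captured sample (constructed here):
# a whole-file hash and a fixed byte pattern. Neither exists until analysts have
# seen the sample; that delay is the window the article describes.
HASH_SIGNATURES = {sha256(SAMPLE_PAYLOAD)}
PATTERN_SIGNATURES = [b"FAKE_WORM_STUB"]


def scan_signatures(data: bytes) -> Optional[str]:
    """Return which signature type matched ("hash" or "pattern"), or None."""
    if sha256(data) in HASH_SIGNATURES:
        return "hash"
    if any(pattern in data for pattern in PATTERN_SIGNATURES):
        return "pattern"
    return None


def variant_padded(data: bytes) -> bytes:
    """Strain 1: same code with junk appended. Changes the hash, keeps the pattern."""
    return data + b"\x90" * 16


def variant_encoded(data: bytes, key: int = 0x5A) -> bytes:
    """Strain 2: body XOR-encoded behind the header (a real packer would also
    ship a decoder stub). Changes the hash and hides the byte pattern."""
    return data[:2] + bytes(b ^ key for b in data[2:])


def looks_executable(data: bytes) -> bool:
    """Structural check that needs no prior sample: Windows executables start "MZ"."""
    return data[:2] == b"MZ"


def build_message(filename: str, payload: bytes) -> bytes:
    """Wrap a payload in a MIME message the way an e-mail worm would (constructed)."""
    msg = EmailMessage()
    msg["From"] = "partner@example.net"
    msg["To"] = "clerk@corp.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def triage(raw: bytes) -> List[Tuple[str, Optional[str], bool]]:
    """For each attachment: (filename, signature hit or None, looks executable)."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        results.append((part.get_filename() or "", scan_signatures(data),
                        looks_executable(data)))
    return results


if __name__ == "__main__":
    for label, payload in [("original", SAMPLE_PAYLOAD),
                           ("padded", variant_padded(SAMPLE_PAYLOAD)),
                           ("encoded", variant_encoded(SAMPLE_PAYLOAD))]:
        print(label, triage(build_message("invoice.exe", payload)))
```

The original sample is caught by its hash, the padded strain only by the byte pattern, and the encoded strain by neither; only the check that does not depend on having seen a sample beforehand holds up across all three. That gap between the first strain appearing and a new signature shipping is what the fast-moving attack exploits.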

Threat #2 – Isolated Targeted Attacks

Unlike traditional e-mail attacks, which indiscriminately target hundreds of thousands of e-mail accounts in order to infect a relatively small number of machines, there is a growing trend towards using e-mail to execute attacks that specifically target one organization. These isolated targeted attacks may involve sending only a few e-mails to a select group of people. The messages are cunningly crafted and of far higher quality than rampant spam, which can often be spotted easily. Why is organized crime turning to a more one-to-one attack method? We can look to the criminal justice system for the answer.

Motive and opportunity are the key drivers behind isolated targeted attacks. Given that there are intelligent, trained individuals around the world who derive value from acquiring information held by select companies, you can start to build the framework for an isolated targeted attack:

Motive - organizations that hold valuable electronic assets, or exchange sensitive data with third-party organizations, are prime candidates for isolated targeted attacks. Cyber thieves are motivated by the growing value of the personal and confidential information that businesses hold.

Opportunity – organizations that provide relatively free access to inter-networked resources are the model candidates for isolated targeted attacks. Where e-mail is a key business mechanism, significant opportunity for success exists. Without completely stating the obvious, 'accessibility' is the key to liability.

History has shown that e-mail is most often the primary avenue for network penetration. A skilled attacker can spoof a message so that it appears to come from a legitimate internal contact, delivering a malicious payload without ever being detected. A custom keylogger can be built to capture passwords from an internal IT staff member, or a remotely controlled bot can be designed to capture and stream personal or financial information from the desktop of a payroll clerk. Because the tools are built for one target, these isolated targeted attacks can persist for months, if not years, without detection.
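As an added example (not Avinti's code and not from the article), here is the kind of sender check a mail gateway can apply to a message that claims to come from an internal contact: it compares the header From domain with where the connection actually came from, the envelope sender with the header From, the display name against a staff directory, and Reply-To against From. The domains, address ranges, directory and all three messages are constructed for the example; in a real deployment the connecting IP and envelope sender would be taken from the SMTP session, which an attacker cannot forge as freely as the message headers.

```python
"""Gateway checks for mail that claims to come from an internal contact.

Added example, not Avinti's code. Domains, IP ranges, the directory and the
messages are constructed for the demonstration.
"""
import email
import email.policy
import ipaddress
from email.utils import parseaddr
from typing import List

# Assumption: the company's own mail domain(s).
INTERNAL_DOMAINS = {"corp.example"}
# Assumption: networks from which the company's own mail servers connect.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
# Assumption: a directory mapping lower-cased display names to the real address.
DIRECTORY = {"dana hale": "dana.hale@corp.example"}


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_internal_ip(ip: str) -> bool:
    address = ipaddress.ip_address(ip)
    return any(address in net for net in INTERNAL_NETWORKS)


def check_sender(raw: bytes, connecting_ip: str, envelope_from: str) -> List[str]:
    """Return spoofing indicators for one message; an empty list means none.

    connecting_ip and envelope_from come from the SMTP session (the TCP peer
    and MAIL FROM), not from the message headers the sender fully controls.
    """
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings: List[str] = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. Header From is one of our domains, but the mail arrived from outside.
    if from_domain in INTERNAL_DOMAINS and not is_internal_ip(connecting_ip):
        findings.append(f"From claims {from_domain} but connection is from "
                        f"external host {connecting_ip}")

    # 2. Envelope sender (MAIL FROM) and header From disagree.
    if domain_of(envelope_from) != from_domain:
        findings.append(f"envelope sender domain {domain_of(envelope_from)} "
                        f"differs from header From domain {from_domain}")

    # 3. Display name matches a real employee, but the address does not.
    canonical = DIRECTORY.get(name.strip().lower())
    if canonical and canonical != addr.lower():
        findings.append(f"display name '{name}' belongs to {canonical}, not {addr}")

    # 4. Replies are steered to a different domain than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                        f"From domain {from_domain}")
    return findings


# Constructed messages for the demonstration.
SPOOFED_INTERNAL = b"""From: Dana Hale <dana.hale@corp.example>
To: payroll@corp.example
Subject: Updated direct-deposit form
Reply-To: dana.hale@webmail-free.example

Please open the attached form and confirm the account numbers today.
"""

DISPLAY_NAME_ONLY = b"""From: Dana Hale <d.hale@freemail.example>
To: payroll@corp.example
Subject: Quick favour

Are you at your desk? I need a payroll export sent over.
"""

GENUINE = b"""From: Dana Hale <dana.hale@corp.example>
To: payroll@corp.example
Subject: Updated direct-deposit form

Form attached as discussed.
"""

if __name__ == "__main__":
    print(check_sender(SPOOFED_INTERNAL, "203.0.113.7", "bounce@webmail-free.example"))
    print(check_sender(DISPLAY_NAME_ONLY, "203.0.113.7", "d.hale@freemail.example"))
    print(check_sender(GENUINE, "10.1.2.3", "dana.hale@corp.example"))
```

None of these checks needs a sample of the payload, which is the point for a targeted attack: the message may be unique, but a forged internal sender arriving from an outside host, or a familiar name on an unfamiliar address, is visible at the gateway before any attachment is opened.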

Again, pattern-based e-mail protection falls short. Both traditional virus protection and modern spyware scan-and-remove applications can only stop malware for which a pattern already exists. In the case of an isolated targeted attack there may be no prior sample from which to generate a signature, because the malware was written for that one victim.

Threat #3 – The Unknown

If the Internet era has taught companies anything, it is that not knowing about a threat does not mean it is not possible or not already out there. With a billion or so users of every motive and skill level online every day, the probability that there is a threat which has yet to be discovered by security guardians is high. Where necessity is the mother of invention, paranoia is the father of protection. Wise organizations will analyze and re-analyze their e-mail defenses as evidence of evolving threats emerges.

E-mail Security Evolved

Over the first half of 2005, the world has witnessed a rapid rise in the disclosure of data breaches affecting some of the best-known and most respected companies. Does this mean that businesses have suddenly become less secure? Hardly. Rather, businesses that fail to protect personal information are now being forced to disclose their breaches to those who may have been affected. Many states are taking their lead from California, where Senate Bill 1386 (SB 1386) set the precedent for protecting the rights of consumers. SB 1386 not only requires companies based in California to disclose data breaches, but also extends to any company merely doing business in California. New York and Pennsylvania have followed suit, and several other states are preparing to send bills to the floor for a vote. Add to these disclosure requirements the increasingly strict information protection obligations of Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), and it is clear that e-mail security is in need of an overhaul.

The anti-virus and anti-spam technologies in use today are capable of stopping a good portion of the malicious e-mail targeting a business. Unfortunately, the risk to a company of deploying "good enough" e-mail security is too great to ignore. An emerging class of e-mail outbreak and isolated targeted threat protection technologies is gaining popularity for solving the signature dilemma. These solutions forgo the reactive practice of signature matching in favor of the more proactive approach of observing the actual behavior of an e-mail message in a secure "virtual" replica of the target desktop. Using virtual machines to open e-mail messages in a secure, controlled environment before delivery means malicious e-mails can be caught whether or not they carry "known" viruses. A behavioral layer adds delivery latency of its own and only sees what the message does during the observation window, so it complements rather than replaces the signature layers. The most effective e-mail defense therefore deploys multiple layers of protection: traditional anti-virus and anti-spam security at the network gateway and on individual computers, plus a virtual machine-based threat protection layer to stop fast-moving, targeted or completely unknown attacks.

New Motivations, Methods

The most successful and unscrupulous members of the online underworld are not motivated by fame or recognition. Cyber crime has become big business. Online fraud has grown at exponential rates as cyber thieves dupe Internet users in order to steal thousands and even millions of digital identities, leading to millions if not billions of dollars in stolen assets. Personal and sensitive information, often unprotected inside corporate networks, has become a favorite target of organized crime syndicates. Industrial espionage no longer resembles a scene from a James Bond movie. More likely, it is nothing more than two inconspicuous people in a foreign country using the Internet to steal the company's goods.

©2003-2008 Avinti, Inc.