Defending the email infrastructure: Why email requires comprehensive protection
The increasing risk from email
It is impossible to imagine business without email.
According to analysts The Radicati Group, a typical employee spends 19 percent of their working day using email [1], while IDC Research estimates that 97 billion messages are sent worldwide each day [2].
As more of the world goes online, the popularity of email – and the business world’s almost complete reliance on it – will grow.
The proliferation and ease of use of email does, however, open it to abuse. Spammers bombard users with unsolicited messages daily or even more frequently, and organized criminal gangs systematically use email to disseminate malware and commit identity theft.
The barrage is relentless: in 2007 just 5 percent of all emails sent were legitimate, the other 95 percent of messages being spam or containing malicious links [3].
Organizations also need to ensure that their own employees use email systems appropriately.
The spread of dubious content and malware via email has the potential to cause offense and reflects negatively on an organization. Inadequate protection of the email infrastructure no longer just costs businesses in terms of time, but also leads to bad public relations, lost revenue, damaged share prices and financial penalties in the form of fines and lawsuits.
What is more, it is estimated that 80 percent of an organization’s operational records are stored within the email infrastructure, and so it is easy to see how business-critical data can fall into unauthorized hands.
As the continued growth in external threats is compounded by internal threats, an email security solution must serve a dual purpose:
Block spam, phishing and malware attacks
Ensure that organizations control their intellectual property and avoid costly compliance mishaps.
Overview of the email infrastructure
Email is a system constructed of multiple components that play differing roles. To ensure that each component delivers maximum performance, email security must also take a multi-layered approach. A basic email infrastructure is made up as follows.
Email gateway – also known as the email boundary or perimeter. This is the first line of email contact between your organization and the outside world. It is the point through which all inbound and outbound email travels.
Email server – in addition to all inbound and outbound mail, the email server handles all internal email, and acts as a storage depot for mail not yet downloaded by the email client.
Endpoint – the desktops, laptops and other devices, such as Blackberries and mobile phones, that run email clients.
The inbound threat
In terms of volume, the most significant threat to the email infrastructure comes from external spammers and cybercriminals. They have long used email to advertise their merchandise and breach security defenses, and are constantly adapting their tactics in an attempt to bypass current security measures.
Spam
Spammers use increasingly creative ways to obfuscate their sales slogans, hiding them inside pdf attachments, images or even mp3 files.
Such techniques all attempt to outmanoeuvre traditional email filters, providing spammers with an unobstructed path to user inboxes.
Spammers have also become very adept at using social engineering to disguise the true content of a message in order to trick recipients into opening it and clicking on any weblink contained inside.
While a user may think they are accessing a YouTube video, e-card or software upgrade, they might end up accessing a website selling male enhancement pills, counterfeit branded goods, or indeed anything.
“Pump-and-dump” campaigns are also increasing in popularity. This tactic sees spammers talk up a public company’s prospects in order to falsely inflate its share value, allowing them to sell their shares and realize a substantial capital gain.
Phishing, spear phishing and whaling
Phishing involves sending out emails that appear to come from reputable retailers, banks or credit card companies. These emails lure victims to fake websites that are almost exact replicas of the real thing. From here criminals capture usernames and passwords, bank account numbers and PINs. In October 2007, 31,560 phishing campaigns were reported to the Anti-Phishing Working Group (APWG), with 120 different brands hijacked [4].
Spear phishing is a phish attack launched at a specific organization. An email appearing to come from a trusted source, e.g. the CEO or IT administrator, tricks employees into providing network passwords, intellectual property and confidential data.
Whaling is a highly targeted phish attack directed at a high profile individual, such as a journalist, celebrity or business leader.
Malware and blended threats
In 2007, 1 in 909 emails contained malware, a sharp decline from 2005, when the figure stood at 1 in 446. While this might look like good news, in reality it only highlights that cybercriminals have adopted more sophisticated techniques with which to infiltrate corporate networks. A popular tactic is to spam out emails containing weblinks that point recipients towards websites hosting malicious code. These emails contain no malware themselves, and so are more likely to bypass perimeter defenses.
Directory harvesting
Hackers use directory harvesting to continually probe an organization’s email server, guessing at email names and formats in order to gather bona fide addresses, which they can either use or sell on to other cybercriminals. The sheer number of server requests – and subsequent non-delivery receipts – can, in extreme cases, cause the server to fail, leaving the organization without email.
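The probing described above leaves a characteristic trace in gateway logs: one client collecting many "unknown recipient" rejections for distinct addresses in a short time. The following detection logic is an added example, not code from the article or from Sophos; the log format, the sample lines and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MTA log lines in a simplified, hypothetical format (not any vendor's real output).
# 203.0.113.5 walks an alphabetical list of guessed mailbox names and collects rejections;
# 198.51.100.7 is an ordinary sender that mistypes one address.
SAMPLE_LOG = """\
2008-01-10T09:00:01 client=203.0.113.5 rcpt=<adam@example.com> status=550
2008-01-10T09:00:01 client=203.0.113.5 rcpt=<alan@example.com> status=550
2008-01-10T09:00:02 client=203.0.113.5 rcpt=<alice@example.com> status=250
2008-01-10T09:00:02 client=203.0.113.5 rcpt=<amy@example.com> status=550
2008-01-10T09:00:03 client=203.0.113.5 rcpt=<andy@example.com> status=550
2008-01-10T09:00:03 client=203.0.113.5 rcpt=<anna@example.com> status=550
2008-01-10T09:00:04 client=203.0.113.5 rcpt=<ben@example.com> status=550
2008-01-10T09:01:00 client=198.51.100.7 rcpt=<alice@example.com> status=250
2008-01-10T09:01:30 client=198.51.100.7 rcpt=<alcie@example.com> status=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})$"
)

def parse_log(text):
    """Yield (timestamp, client_ip, recipient, smtp_code) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], int(m["code"])

def detect_harvesters(text, window=timedelta(minutes=5), max_unknown=4):
    """Return {client_ip: peak} for clients whose distinct rejected recipients inside
    any window of the given length exceed max_unknown. Distinct addresses are counted,
    so retries of one mistyped address do not look like a harvest."""
    rejects = defaultdict(list)  # client_ip -> [(timestamp, recipient)] for 5xx RCPT results
    for ts, ip, rcpt, code in parse_log(text):
        if 500 <= code < 600:
            rejects[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in rejects.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):  # slide a window from each rejection
            distinct = {r for t, r in events[i:] if t - start <= window}
            peak = max(peak, len(distinct))
        if peak > max_unknown:
            flagged[ip] = peak
    return flagged
```

A gateway that flags a client this way can rate-limit or temporarily refuse its connections, which also keeps the flood of non-delivery receipts the article mentions from building up.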
Inappropriate content and PUAs
Most organizations accept the occasional use of their email systems for personal reasons. However, there is a risk that personal emails can harm the organization’s reputation if an employee is receiving pornographic or violent content. Incoming personal emails can also add extra strain to the network, especially if they contain large music, gaming or video files. Potentially unwanted applications (PUAs), such as remote access tools and automatic dialers, can also be difficult to manage and drain network resources.
The outbound threat
Email leaving networks is smaller in absolute volume than incoming messages, but it poses similar risks in terms of security and compliance.
Inappropriate content
Few organizations will allow pornography or other offensive content to be sent from their network, but the threat can come from a more innocent source.
Family photos and videos, links to non-business web sites and other personal content consume bandwidth and can negatively affect the image of the company if sent to unintended recipients.
Data leakage
According to IDC, email is the number one source of leaked business information [7], and these leaks are usually accidental. For example, many email clients use an auto-complete feature when typing names in the ‘To:’ field, to help reduce the amount of typing. However, this feature makes it easy to inadvertently add an unintended recipient.
Research shows that half of employees have sent an email containing embarrassing or sensitive information to people by mistake [8].
Why spam works
»» Millions of messages can be sent out in seconds through compromised computers.
»» Unlike physical mail, it costs virtually nothing to send spam.
»» Recipients respond to it. In February 2007, 5 percent of computer users admitted to buying goods sold via spam and by November 2007 this had risen to 11 percent [5].
Vulnerable information
»» Personally identifiable information (PII)
»» Financial statements
»» Trade secrets
»» Customer lists
»» Business plans
The Radicati Group also found that 77 percent of business users have, at times, forwarded business-related emails to their personal accounts [9]. This might help employees work more flexibly, but it represents a hole in the organization’s defenses and is particularly worrying for firms operating in highly regulated industries.
Botnets
Hijacked computers can become part of a botnet and, unknown to their owner, launch malware, spam or distributed denial of service (DDoS) attacks. Botnets degrade network performance and damage reputations, as offending messages will appear to come from a legitimate source. In extreme cases, an organization can find its domains and/or IP ranges blocked by service providers and other institutions.
The internal threat
Many of the outbound and inbound threats are also found in internal email. Data leakage between departments, the circulation of inappropriate content and the distribution of non-essential applications all put email infrastructures at unnecessary risk.
In addition, the rise of regulatory compliance governing the security, storage and retrieval of information also has a direct impact on email use. With email often acting as the “corporate memory”, businesses must adopt strategies that keep information safe and easy to locate. Under many countries’ laws, organizations are obliged to keep all recorded communications, including email. If they are later required in court, the absence of archived emails will be regarded as negligent.
A four-step approach to email defence
step one
Protect the gateway
The central pillar in the defense against email abuse is gateway protection, which should scan all inbound and outbound messages for spam. The Gartner Group recommends that 97 percent should be blocked or quarantined [11]. To achieve this the anti-spam engine must be able to detect new and emerging campaigns, using techniques such as reputation filtering, pattern matching, URL detection and image and attachment fingerprinting.
Multiple techniques are important as spammers use many tactics to evade spam filters.
In the same scan, emails identified as being part of a phishing attack, or containing viruses, spyware and unwanted attachments must also be blocked.
Organizations should also be able to choose how to handle encrypted, corrupt or suspicious messages. Gateway protection should guard against known and unknown (or zero-day) attacks by incorporating sophisticated Host Intrusion Prevention System (HIPS) technologies, in addition to rapid signature updates. HIPS technologies proactively scan messages and their attachments and analyze likely behavior before any code executes, reducing the risk of a breach. The best products will provide proactive protection against new threats, even before specific detection rules are announced.
Gateway protection should also scan mail for sensitive or confidential content. Powerful content filtering and monitoring will prevent data leakage, protect valuable assets and ensure compliance with legal and regulatory requirements. This includes the ability to search for keywords, regular expressions and file types, as well as enforcing lists of allowed senders.
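The outbound content checks described here (keywords, regular expressions, file types) and the mis-addressed recipient problem raised under Data leakage can be shown in one scan over a message. This is an added example, not code from the article or from Sophos: the message, the policy dictionary and the Luhn check that validates card-number matches are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed outbound message (not a real capture): one external recipient, a
# sensitive subject, a card number in the body and a spreadsheet attachment.
RAW_MESSAGE = """\
To: payroll@example.com, Bob Smith <bob.smith@example.org>
Subject: Q1 salary review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Proposed increases attached. Card on file for expenses: 4111 1111 1111 1111.
--b1
Content-Type: text/csv; name="salaries.csv"

name,increase
--b1--
"""

POLICY = {  # hypothetical policy (not a vendor's): domains, keywords, pattern, file types
    "internal_domains": {"example.com"}, "keywords": ["salary", "confidential"],
    "card_re": re.compile(r"\b(?:\d[ -]?){13,16}\b"), "restricted_extensions": (".csv", ".xls"),
}

def luhn_ok(digits):  # Luhn checksum keeps random digit runs from being reported as cards
    s = sum(int(c) * (2 if i % 2 else 1) - (9 if i % 2 and int(c) > 4 else 0)
            for i, c in enumerate(reversed(digits)))
    return s % 10 == 0

def scan_outbound(raw, policy=POLICY):
    """Return sorted policy findings for one outbound message (empty list = clean)."""
    msg = message_from_string(raw)
    findings = set()
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        if addr.rsplit("@", 1)[-1].lower() not in policy["internal_domains"]:
            findings.add(f"external recipient: {addr}")  # auto-complete slips land here
    for part in msg.walk():  # file-type rule: flag restricted attachments by name
        name = part.get_filename()
        if name and name.lower().endswith(policy["restricted_extensions"]):
            findings.add(f"restricted attachment: {name}")
    body = "\n".join([msg.get("Subject", "")] + [
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_type() == "text/plain"]).lower()
    findings.update(f"keyword: {k}" for k in policy["keywords"] if k in body)
    cards = {re.sub(r"\D", "", m.group()) for m in policy["card_re"].finditer(body)}
    findings.update(f"payment card number ending {d[-4:]}" for d in cards if luhn_ok(d))
    return sorted(findings)
```

A gateway would typically quarantine or hold for review any message with findings rather than silently dropping it, so the sender learns about the mis-addressing.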
Protection at the gateway will also identify and provide an alert if an organization’s email server or endpoint computers have become part of a botnet. By assessing outgoing mails for spam- and malware-like traits, a business can ensure its infrastructure is used only for legitimate purposes.
step two
Defend the email server
Protection at the email server brings two benefits:
Spam or malware for which protection might not have been available when it passed through the gateway can be captured here
Internal threats sent between departments and not through the gateway can be blocked.
Scanning interdepartmental emails for spam, malware, unwanted content and sensitive information is critical. An employee might, for example, unwittingly visit an infected website and share the link with colleagues via email, thereby placing more endpoint computers at risk of infection. Equally, while the HR department might need to share confidential information about staff members, such as salary increases for example, scanning of the mail server will ensure that this data is not shared across the organization.
This level of defense will also protect message stores, ensuring that an organization’s email archives and those messages not yet downloaded to the local client remain malware-free.
step three
Secure the endpoint
Endpoint protection should underpin an organization’s security strategy, as it is the end user, and his or her confidential information, that is the ultimate target of any attacks. Cybercriminals attack the endpoint via numerous vectors, including websites, email, instant messaging (IM), P2P networks and USB drives. Once infected, computers can be hijacked to spy on corporate networks, steal network resources and unleash attacks on others.
Any endpoint defense also needs to take into account the different operating systems that are in use. While the majority of computers use Windows, a significant number of users operate Mac and Linux computers, and these are equally at risk.
The first ever virus for the Mac OS X platform (which spread using IM) was discovered in 2006 and a year later a Mac-targeting Trojan – malware that poses as something more benign – was also discovered [12]. Both attacks relied on the behavior of the user, not just the vulnerability of the operating system. This is why endpoint security requires protection for all major operating systems.
step four
Control access to the network
Network access control (NAC) manages who and what connects to your system, protecting data and ensuring compliance with all regulatory requirements.
An effective NAC solution continuously assesses against defined policies the computers of guests, employees who work out of the office, and unknown users. It can verify, for example, that anti-malware and firewall applications are up to date, security patches are installed, and prohibited applications are not being used.
A preventive approach to NAC stops problems before they happen by combining pre- and post-connect assessment of computers with multiple remediation and enforcement options. NAC will allow you to quickly define endpoint security and acceptable use policies (AUPs) for all end-user scenarios so you can detect and fix managed endpoint vulnerabilities before infection, quarantine infected computers and block unauthorized computers.
Choosing the right solution
Every organization has a point at which enforcement and/or management adds so much expense or overhead that it offsets the benefit of security. Even for large organizations with dedicated IT security departments, the less time spent on day-to-day administration, the better.
An effective security solution should be assessed against a wide range of criteria:
High mail-processing capacity, able to handle millions of messages per day
A single scan that can identify spam, malware, data leakage, and all unnecessary applications
Small and rapid updates with minimal footprint
Directory services integration for simple and central enforcement of AUPs on an individual, workgroup or departmental basis
Powerful reports that deliver data on the integrity of the whole email system
A single consolidated view of all email traffic, even in multiple server environments
Performance monitoring that automatically alerts the administrator if corrective action is required
Managed appliances that can be remotely monitored and maintained by the vendor
A single vendor for streamlined deployment, management, maintenance and support.
Summary
Email threats continue to grow and can come from inside and outside an organization, while increasing regulatory compliance places additional demands on how email is managed and protected. Deploying defenses in depth – at the gateway, the email server and the endpoint – will close many security holes. Organizations should seek out solutions that, in addition to offering the best possible security, minimize the impact on network and IT department resources.
This article was provided by Sophos and is reproduced here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus and anti-malware software.