The State of E-Mail (In)Security

Avinti's CEO discusses the most successful and unscrupulous members of the online underworld.

October 3, 2005


The New E-mail Battleground

Simple arrogance (or denial) leads many to believe that they have the e-mail problem completely covered, and that e-mail virus outbreaks and attacks are issues that only other companies face. The prevailing feeling at many of these organizations is, "So far we have been lucky not to be the first one hit by a virus, and as long as we keep our anti-virus signatures updated, we'll be just fine."

The irony is that, while the e-mail security challenges companies face today have evolved from a decade ago, or even a year ago, the e-mail security technology entrusted to protect businesses and consumers has failed to keep pace with the changing threat landscape. Legal and regulatory mandates, as well as business survival, now give organizations pause to re-evaluate their approach to e-mail security in the face of three new e-mail attacks.

Fast-moving attacks exploit the window of vulnerability that exists between the time a new virus breaks out, the time its signature can be developed, and the deployment of that signature to security products.

In order for antivirus software companies to develop new virus signatures, they must first contain and analyze potential threats. After antivirus companies validate a new virus or worm, researchers must create a new signature, which must then be added to the existing database of known viruses in order to trap the new virus the next time it hits. Some of the fastest-moving viruses, such as the Bagle or Sober virus, can account for as much as 75 percent of all Internet traffic in a matter of hours. These viruses have the ability to quickly mutate, with dozens of different strains of the same virus infecting system after system.

Virus writers have also added new tricks to their trade that enable their attacks to be swift and effective. Blended attacks combine characteristics of multiple threat classes, such as both viruses and worms. An attacker using a blended approach might send a virus via an e-mail attachment, along with a Trojan embedded in an HTML file that will cause damage to the recipient's computer. The Nimda and CodeRed viruses were examples of blended threats.

E-mail's value comes from its ability to quickly exchange data and information. Anything that restricts this rapid information exchange will create a noticeable and sometimes severe impact on business operations. In an attempt to reduce the impact of fast-moving threats that can halt communications, some companies have adopted the policy of manually quarantining or delaying the delivery of messages that "might" be malicious.

E-mail can be held for up to 48 hours while messages are scanned with the latest signature files prior to delivery. Sometimes the messages are even opened in an attempt to observe any unusual activity directly. These practices open businesses to significant risk under data privacy regulations, and can have potentially long-term effects on business relationships if time-sensitive materials fail to reach their destination when required.

Even though anti-virus companies employ teams that work around the clock to catch, identify, and develop definitions for new outbreak viruses, in the best case this process is usually measured in days, during which a new virus can run wild, infecting hundreds, if not thousands, of companies before protection is available.

Unlike traditional e-mail attacks that indiscriminately target hundreds of thousands of e-mail accounts in an effort to infect a relatively small number of machines, there is a growing trend towards the use of e-mail to execute attacks that specifically target an organization. These isolated targeted attacks may involve the sending of only a few e-mails to a select group of people.

These cunningly crafted messages have a much higher quality than rampant spam, which can often be easily spotted. Why is organized crime turning to a more one-to-one attack method? We can look towards the criminal justice system for the answer to that question.

Motive and opportunity are the key drivers behind isolated, targeted attacks. Given the assumption that there are intelligent and trained individuals around the world who derive value from the acquisition of information at select companies, someone can start to build the framework for an isolated targeted attack. In particular:

Motive: Organizations that have valuable electronic assets, or exchange sensitive data with third party organizations, are prime candidates for isolated targeted attacks. Cyber thieves are motivated by the growing value of personal and confidential information that is often held for business purposes.

Opportunity: Organizations that provide relatively free accessibility using inter-networked resources are the model candidate for isolated targeted attacks. Where e-mail is a key business mechanism, significant opportunity for success exists. Without completely stating the obvious, accessibility provides the key to liability.

History has demonstrated that e-mail is most often the primary avenue for network penetration. Skilled spammers can spoof a message that appears to come from a legitimate internal contact, and that can deliver a malicious payload without ever being detected. Custom keylogger applications can be created to capture password information from an internal IT staff member, or a remotely controlled bot network can be designed to capture and stream personal or financial information from the desktop of an internal payroll clerk. These isolated targeted attacks have the ability to exist for months, if not years, without detection.

Here again the nature of pattern-based e-mail protection falls short. Both traditional virus protection and modern spyware scan-and-remove applications are only capable of stopping malware for which a pattern exists. In the case of isolated targeted attacks, there may be no prior evidence from which to generate a signature.

If the Internet Era has taught companies anything, it's the lesson that just because you don't know about it, doesn't mean it's not possible or not out there. With billions of users of all motives and skill levels online every day, the probability that there is a threat out there which has yet to be discovered by security guardians is relatively high. Where necessity is the mother of invention, paranoia is the father of protection. Wise organizations will analyze and re-analyze their e-mail defenses based upon emerging evidence of evolving threats.

E-Mail Security, As Evolved

Over the first half of 2005, the world has witnessed a rapid rise in the disclosure of data breaches affecting some of the most well-known and respected companies. Does this mean that all of a sudden businesses have somehow become less secure? Hardly. Rather, businesses that fail to protect personal information are now being forced to disclose their data breaches to those who may have been affected. Many states are taking their lead from California, where Senate Bill 1386 set the precedent for protecting the rights of consumers. SB 1386 not only requires companies in California to disclose data breaches, but also extends to those companies merely doing business in California.

New York and Pennsylvania have followed suit, and several other states are preparing to send bills to the floor for a vote. Add to these disclosure requirements the increasingly strict information protection guidelines outlined by Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA), and it's clear that e-mail security is in need of an overhaul.

The existing anti-virus and anti-spam technologies used today are capable of stopping a good portion of the malicious e-mail targeting a business. Unfortunately, the risks a company takes on by deploying "good enough" e-mail security are too great to ignore. An emerging class of e-mail outbreak and isolated targeted threat protection technologies is gaining popularity for solving the signature dilemma.

These solutions forgo the reactive practice of signature matching in favor of the more proactive approach of observing the intended behavior of e-mail messages in a secure "virtual" replica of the target desktop. This use of virtual machines to test e-mail messages in a secure, controlled environment before delivery ensures that malicious e-mails can be captured, whether or not they are "known" viruses.
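To make the signature "window of vulnerability" and the value of a signature-independent layer concrete, here is an added example in Python. It is not Avinti's code and not part of the original article: a toy mail-gateway filter with a reactive layer (a digest database of known-bad attachments) and a second layer that inspects attachment content regardless of whether a pattern exists. The signature database, the sample attachments, the addresses and the filenames are all constructed; the content check is a deliberately simplified stand-in for the virtual-machine layer the article describes, which a real product implements by executing the attachment in isolation and watching what it does.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed "signature database": SHA-256 digests of attachments already analyzed
# and confirmed malicious. A digest list is the simplest possible signature form.
KNOWN_BAD_DIGESTS = set()

# Constructed sample payloads. A real Windows executable starts with the bytes "MZ";
# these toy payloads only borrow that marker so the content check has something to see.
KNOWN_WORM = b"MZ" + b"constructed-worm-body-v1"
MUTATED_WORM = b"MZ" + b"constructed-worm-body-v2"   # next strain: one byte changed
HARMLESS_DOC = b"Quarterly report, nothing executable here."

# Only the first strain has been analyzed; the mutated one is still in the window.
KNOWN_BAD_DIGESTS.add(hashlib.sha256(KNOWN_WORM).hexdigest())


def build_message(sender, subject, filename, payload, mime_type):
    """Assemble a multipart message with one attachment (constructed test input)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "payroll@example.com"          # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    maintype, subtype = mime_type.split("/", 1)
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def signature_layer(attachment_bytes):
    """Reactive layer: matches only attachments whose digest is already known."""
    return hashlib.sha256(attachment_bytes).hexdigest() in KNOWN_BAD_DIGESTS


def content_layer(filename, attachment_bytes):
    """Signature-independent layer: flags executable content no matter what the
    attachment claims to be. Stand-in for the sandbox/virtual-machine layer."""
    reasons = []
    if attachment_bytes[:2] == b"MZ":
        reasons.append("attachment carries a Windows executable header")
    lowered = filename.lower()
    if lowered.endswith((".exe", ".scr", ".pif", ".bat", ".cmd")):
        reasons.append("executable file extension")
    stem = lowered.rsplit(".", 1)[0]
    if "." in stem and stem.rsplit(".", 1)[1] in ("pdf", "doc", "txt", "jpg"):
        reasons.append("double extension disguising an executable")
    return reasons


def inspect(raw_message, use_content_layer=True):
    """Return (verdict, reasons) for one raw RFC 822 message.

    With use_content_layer=False the gateway behaves like a signature-only product,
    which is what lets an unanalyzed strain through during the window of vulnerability.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)
        name = part.get_filename() or "(unnamed)"
        if signature_layer(data):
            reasons.append(f"{name}: matches known-bad signature")
        if use_content_layer:
            reasons.extend(f"{name}: {r}" for r in content_layer(name, data))
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    samples = {
        "known strain":   build_message("hr@example.com", "Invoice", "invoice.exe",
                                        KNOWN_WORM, "application/octet-stream"),
        "mutated strain": build_message("hr@example.com", "Report", "report.pdf.scr",
                                        MUTATED_WORM, "application/octet-stream"),
        "harmless":       build_message("hr@example.com", "Report", "report.txt",
                                        HARMLESS_DOC, "text/plain"),
    }
    for label, raw in samples.items():
        print(f"{label:15} signature-only: {inspect(raw, False)[0]:10} "
              f"layered: {inspect(raw)[0]}")
```

Run as a script, the mutated strain is delivered by the signature-only path and quarantined by the layered path; the harmless document passes both. The point of the design is that the second layer never consults the signature database, so it does not inherit the database's delay.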

The most effective e-mail defense involves the deployment of multiple layers of protection, including traditional anti-virus and anti-spam security at the network gateway and on individual computers, as well as a virtual machine-based threat protection layer to stop fast-moving, targeted or completely unknown attacks.

New Motivations, Methods

The most successful and unscrupulous of the online underworld are not motivated by fame or recognition. Cyber crime has become big business. Online fraud has grown at exponential rates as cyber thieves dupe Internet users in an effort to steal thousands and even millions of digital identities leading to millions if not billions of dollars worth of stolen assets.

Personal and sensitive information, often unprotected inside of corporate networks, has become a favorite target of organized crime syndicates. Industrial espionage no longer resembles a scene from a James Bond movie. More likely, it's nothing more than two inconspicuous people in a foreign country using the Internet to steal the company goods.

Terry Dickson is CEO of Avinti. The Avinti iSolation server provides early virus outbreak protection by running suspicious files in an offline virtual machine environment.
