Email Security: How Much is Enough?

Corporate networks are under attack from email threats and viruses. To protect the network, we layer security, but how many layers are enough? How much is too little?
Although we have long since known about the virility of email threats and viruses, this year continues to supply heavily evolved and critically destructive email attacks.

According to Symantec's semi-annual Internet Security Threat Report, which was released this past September, between January 1 and June 30 of this year, a record-breaking 1,862 new vulnerabilities were documented -- 97 percent of them weighing in at moderate to high severity.

Adding to our problems, the time between vendor vulnerability disclosure and the release of an exploit decreased from 6.4 days to 6.0. On average, 54 days passed between a vulnerabilitys appearance and the release of a patch to fix it.

Doing the math, that means approximately 48 days went idly by between the exploitation of a vulnerability and the means with which to fix it.

It's not surprising that hackers are quickly devising exploits although the large window of vulnerability makes it much easier for them. With all that extra time, they're creating myriad versions of attacks and experimenting with speed and voracity.

It's difficult to get ahead when ''known'' vulnerabilities mean that they're known to the bad guys, as well. Common knowledge gives the hackers a map to more attack points, while the IT department gets the burden of prioritizing multiple top-tier crises.

The concept of layered security is academic by now. We routinely utilize an army of solutions working in concert to protect our communication networks, such as intrusion detection and prevention, spam filters, anti-spyware tools, authentication, anti-virus, company rules, regulations and user education. Despite the fortress we've built, we've failed to adequately fill the gaps and the attacks keep seeping in.

''Some parts of our system have three layers of protection,'' says Brett McKeachnie, director of Infrastructure Operations for Utah Valley State College (UVSC) in Orem, Utah. ''Even then, we've found that there are things that can get by all three layers. The threats that are out there are so diverse that it's beyond the capability of one vendor and one solution to protect us,''

UVSC has 3,000 faculty and staff email users, with an average daily email volume of 50,000 to 100,000 messages. The IT department needed a way to reduce the slowdowns caused by virus storms, where servers are inundated by virus-laden emails. UVSC chose to deploy Lindon, Utah-based Avinti Inc.'s iSolation Server to augment their existing anti-virus solution.

''If you're concerned about security, you have to have multiple layers,'' McKeachnie explains. ''When we started using Avinti iSolation Server, we didn't know how many viruses were getting through. It was a wake-up call. When school is in full session, we see anywhere between 1,000 viruses on slow days to 17,000 one particular day, getting caught up in our email protection.''

Developed as an augmentative tool, the iSolation Server is best implemented as part of a layered email security strategy that integrates anti-virus, anti-spam and anti-spyware solutions from other security vendors. UVSC uses Novell GroupWise for its faculty and staff email system, SpamAssassin's anti-spam technology and the iSolation Server to augment Guinevere, a GroupWare-specific anti-virus solution.

Adding to the Layers?

As an industry, we may have accepted that layered protection is the best course of action, but when the layers are legacy solutions that the attacks have long since outsmarted, it becomes a question of how much more we should add. IT administrators at some large companies say nothing else is necessary when their existing anti-virus solution is catching all the known attacks on the network.

In terms of security, a reactive response is rarely the most advantageous approach to a problem. As a short-term solution, many top-tier organizations are patching what they've already got. This would be perfect if we knew every pattern and signature yet to be created, but the reality is that security and attacks are both evolutionary and fluid.

''While the email security challenges companies face today have evolved from a decade ago, or even a year ago, the email security technology entrusted to protect businesses and consumers has failed to keep pace with the threats,'' says Terry Dickson, CEO of Avinti, a provider of email outbreak protection.

In June and July of 2005, The UK government's National Infrastructure Security Co-ordination Centre noted a series of attacks identified as targeted Trojans that were infiltrating companies via email. The built-from-scratch malware has a much higher chance of defeating anti-virus products and remaining under the radar long enough to create extensive security breaches. The malicious nature of the Trojans is such that even if you report the malware to anti-virus suppliers and receive updates, the attacker already may have compromised other systems, and subsequent detection of the original malware will no longer be of help.

''The issue of whether or not to augment existing security is something the market has grappled with since the advent of virus protection,'' says Curtis Tirrell, a vice president at Avinti. ''The number one line of defense in protecting email communications is to know what you have. AV does that by examining known patterns and specific elements of incoming malware and stops it in your environment. The reality is, sometimes malware gets missed because of its sophistication and its placement in the window of vulnerability.''

Prepared for Increased Attacks?

This year's 10th Annual CSI/FBI Computer Crime and Security Survey found that for the 690 participating companies, unauthorized access to the networks has greatly increased and the loss from theft of proprietary data per head has doubled .

Ironically, at the June, 2005 CSO Interchange in Chicago nearly 100 percent of the participant CSOs said they were well-prepared to handle spam, worms, viruses, DoS attacks, and hacker attacks.

''Large enterprises have a specific investment in security systems and they're doing whatever they can to tweak what they've got. I think most companies will say, 'What we've got now is not perfect, but it's working, stable, and we're going to stick with it,'' says Peter Firstbrook, program director for Gartner, Inc., an industry analyst firm based in Stamford, Conn. ''I certainly wouldn't tell people to wholesale replace their solutions, but augmenting with new technologies that don't detract from what they have is definitely a good idea.

''Let me put it this way, if your email security vendor is not evolving with the threatscape, then you definitely should be looking at alternatives and installing new hardware,'' says Firstbrook.

We have come to accept that enterprise security is a formula based on budgets and acceptable levels of risk but if history teaches us anything, we know that we'll never be able to call the race 'won'. The biggest threat we face is our own complacency and the idea that our current levels of protection are likely good enough.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.