Friday, September 20, 2024

Email Security: How Much is Enough?


Although we have long since known about the virulence of email-borne threats and viruses, this year continues to supply heavily evolved and critically destructive email attacks.

According to Symantec’s semi-annual Internet Security Threat Report, which was released this past September, between January 1 and June 30 of this year a record-breaking 1,862 new vulnerabilities were documented, 97 percent of them rated moderate to high severity.

Adding to our problems, the average time between a vendor’s vulnerability disclosure and the release of an exploit decreased from 6.4 days to 6.0. On average, 54 days passed between a vulnerability’s appearance and the release of a patch to fix it.

Doing the math, that leaves roughly 48 days between the appearance of a working exploit for a vulnerability and the means with which to fix it.

It’s not surprising that hackers are quickly devising exploits, and the large window of vulnerability makes it much easier for them. With all that extra time, they’re creating myriad versions of attacks and experimenting with speed and scale.

It’s difficult to get ahead when ”known” vulnerabilities are known to the bad guys as well. Common knowledge gives the hackers a map to more attack points, while the IT department gets the burden of prioritizing multiple top-tier crises.

The concept of layered security is academic by now. We routinely utilize an army of solutions working in concert to protect our communication networks, such as intrusion detection and prevention, spam filters, anti-spyware tools, authentication, anti-virus, company rules, regulations and user education. Despite the fortress we’ve built, we’ve failed to adequately fill the gaps and the attacks keep seeping in.

”Some parts of our system have three layers of protection,” says Brett McKeachnie, director of Infrastructure Operations for Utah Valley State College (UVSC) in Orem, Utah. ”Even then, we’ve found that there are things that can get by all three layers. The threats that are out there are so diverse that it’s beyond the capability of one vendor and one solution to protect us.”

UVSC has 3,000 faculty and staff email users, with an average daily email volume of 50,000 to 100,000 messages. The IT department needed a way to reduce the slowdowns caused by virus storms, where servers are inundated by virus-laden emails. UVSC chose to deploy Lindon, Utah-based Avinti Inc.’s iSolation Server to augment their existing anti-virus solution.

”If you’re concerned about security, you have to have multiple layers,” McKeachnie explains. ”When we started using Avinti iSolation Server, we didn’t know how many viruses were getting through. It was a wake-up call. When school is in full session, we see anywhere between 1,000 viruses on slow days to 17,000 one particular day, getting caught up in our email protection.”

Developed as an augmentative tool, the iSolation Server is best implemented as part of a layered email security strategy that integrates anti-virus, anti-spam and anti-spyware solutions from other security vendors. UVSC uses Novell GroupWise for its faculty and staff email system, SpamAssassin’s anti-spam technology, and the iSolation Server to augment Guinevere, a GroupWise-specific anti-virus solution.

Adding to the Layers?

As an industry, we may have accepted that layered protection is the best course of action, but when the layers are legacy solutions that the attacks have long since outsmarted, it becomes a question of how much more we should add. IT administrators at some large companies say nothing else is necessary when their existing anti-virus solution is catching all the known attacks on the network.

In terms of security, a reactive response is rarely the most advantageous approach to a problem. As a short-term solution, many top-tier organizations are patching what they’ve already got. This would be perfect if we knew every pattern and signature yet to be created, but the reality is that security and attacks are both evolutionary and fluid.

”While the email security challenges companies face today have evolved from a decade ago, or even a year ago, the email security technology entrusted to protect businesses and consumers has failed to keep pace with the threats,” says Terry Dickson, CEO of Avinti, a provider of email outbreak protection.

In June and July of 2005, the UK government’s National Infrastructure Security Co-ordination Centre noted a series of attacks, identified as targeted Trojans, that were infiltrating companies via email. Built-from-scratch malware has a much higher chance of defeating anti-virus products and remaining under the radar long enough to create extensive security breaches. The malicious nature of the Trojans is such that even if you report the malware to anti-virus suppliers and receive signature updates, the attacker may already have compromised other systems, and subsequent detection of the original malware will no longer be of help.

”The issue of whether or not to augment existing security is something the market has grappled with since the advent of virus protection,” says Curtis Tirrell, a vice president at Avinti. ”The number one line of defense in protecting email communications is to know what you have. AV does that by examining known patterns and specific elements of incoming malware and stops it in your environment. The reality is, sometimes malware gets missed because of its sophistication and its placement in the window of vulnerability.”
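The layered approach described above, and the limitation Tirrell and the NISCC report point to, can be made concrete in a few dozen lines. The following is an added example, not code from the article or from any vendor named in it: a toy two-layer attachment filter in which layer one is a signature check (file hash and byte pattern, the way classic anti-virus recognizes known malware) and layer two is a content policy that needs no prior knowledge of the sample. The mail messages, the ”malware” bytes, the hash list, the byte pattern and the file names are all constructed for illustration; a one-byte change to the known sample is enough to defeat layer one, while the policy layer still blocks it.

```python
"""Added example, not code from the Datamation article or from any vendor named in it.

Layer 1: signature detection (hash + byte pattern) -- recognizes only known samples.
Layer 2: content policy (executable magic bytes, executable extensions) -- needs no
prior knowledge of the sample. All samples, mails and names are constructed.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import Optional

# --- Layer 1: signature-based detection (known patterns only) ----------------
# Constructed "known" sample: a fake PE header followed by a marker string.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"EVIL-PAYLOAD-MARKER" + b"\x00" * 8
KNOWN_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}
KNOWN_BYTE_PATTERNS = [b"EVIL-PAYLOAD-MARKER"]


def signature_verdict(data: bytes) -> Optional[str]:
    """Return why the bytes match a known signature, or None if they do not."""
    if hashlib.sha256(data).hexdigest() in KNOWN_HASHES:
        return "known-hash"
    for pattern in KNOWN_BYTE_PATTERNS:
        if pattern in data:
            return "known-pattern"
    return None


# --- Layer 2: content policy independent of any signature --------------------
# Block anything whose bytes start like a Windows executable, and block executable
# file extensions regardless of the declared MIME type (attackers lie about both).
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def policy_verdict(filename: str, data: bytes) -> Optional[str]:
    """Return why the attachment violates policy, or None if it is allowed."""
    if data[:2] == b"MZ":
        return "pe-magic"
    if filename.lower().endswith(EXEC_EXTENSIONS):
        return "exec-extension"
    return None


def scan_message(raw: bytes) -> list:
    """Run every attachment through both layers; one verdict record per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        sig, pol = signature_verdict(data), policy_verdict(name, data)
        results.append({"filename": name, "signature": sig, "policy": pol,
                        "blocked": sig is not None or pol is not None})
    return results


def build_message(filename: str, data: bytes) -> bytes:
    """Constructed test mail carrying one binary attachment (base64 by default)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "staff@example.invalid"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached file.")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed inputs: the known sample; a one-byte variant of it (same structure,
# new hash, broken byte pattern) disguised as a PDF; a script; a harmless PDF.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"PAYLOAD", b"PAYL0AD")
SCRIPT_SAMPLE = b'Set sh = CreateObject("WScript.Shell")\r\n'
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def demo() -> dict:
    """Scan the four constructed mails and return one verdict record per case."""
    cases = {
        "known":   ("invoice.exe", KNOWN_SAMPLE),    # caught by both layers
        "variant": ("invoice.pdf", VARIANT_SAMPLE),  # signatures miss, policy catches
        "script":  ("update.vbs", SCRIPT_SAMPLE),    # no signature, extension policy
        "benign":  ("report.pdf", BENIGN_PDF),       # passes both layers
    }
    return {case: scan_message(build_message(name, data))[0]
            for case, (name, data) in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:8s} {verdict}")
```

The point of the example is the ”variant” case: changing a single byte of a sample the signature layer already knows gives it a new hash and breaks the byte pattern, so layer one returns nothing, exactly the situation a freshly built targeted Trojan creates. A second layer that judges the attachment on what it is rather than on whether it has been seen before still stops it, while the harmless PDF passes both layers untouched.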

Prepared for Increased Attacks?

This year’s 10th Annual CSI/FBI Computer Crime and Security Survey found that among the 690 participating organizations, unauthorized access to networks has greatly increased and the average loss from theft of proprietary data per respondent has doubled.

Ironically, at the June 2005 CSO Interchange in Chicago, nearly 100 percent of the participating CSOs said they were well-prepared to handle spam, worms, viruses, DoS attacks, and hacker attacks.

”Large enterprises have a specific investment in security systems and they’re doing whatever they can to tweak what they’ve got. I think most companies will say, ‘What we’ve got now is not perfect, but it’s working, stable, and we’re going to stick with it,’” says Peter Firstbrook, program director for Gartner, Inc., an industry analyst firm based in Stamford, Conn. ”I certainly wouldn’t tell people to wholesale replace their solutions, but augmenting with new technologies that don’t detract from what they have is definitely a good idea.

”Let me put it this way, if your email security vendor is not evolving with the threatscape, then you definitely should be looking at alternatives and installing new hardware,” says Firstbrook.

We have come to accept that enterprise security is a formula based on budgets and acceptable levels of risk, but if history teaches us anything, we know that we’ll never be able to call the race ‘won’. The biggest threat we face is our own complacency and the idea that our current levels of protection are likely good enough.
