The Increasing Risks from Email

ABSTRACT

With organisations now facing a growing number of security threats and an increasingly regulated and compliance-driven business environment, ensuring security and compliance across their email infrastructure is paramount. The complexity of this challenge is ever changing and requires a comprehensive email gateway security solution that will provide outstanding protection against email security risks.

This white paper details the increasing risk from email and the threats both inbound and outbound. We will then examine how organisations go about protecting their email gateway and provide a list of questions organisations should ask when choosing the right solution.

INTRODUCTION

It is impossible to imagine business without email. According to analysts The Radicati Group, a typical employee spends 19 percent of their working day using email, while IDC Research estimates that 97 billion messages are sent worldwide each day [1]. As more of the world goes online, the popularity of email and the business world's almost complete reliance on it will continue to grow.

THREATS

The proliferation and ease of use of email does, however, open it to abuse. Spammers bombard users with unsolicited messages daily or even more frequently, and organised criminal gangs systematically use email to disseminate malware and commit identity theft.

The barrage is relentless: in 2007 just five percent of all emails sent were legitimate, the other 95 percent of messages being spam or containing malicious links [2]. In March 2010, the Messaging Anti-Abuse Working Group (MAAWG) released a report which showed that these spam levels have remained consistently between 88% and 92% in the previous 18 months. There are many other figures that cite spam levels being higher or lower; but whichever number you choose to believe, there's no doubt that spam is a huge problem and one which is not going to go away.

Although the Web has long eclipsed email as the primary vector for distributing malware, the problem of email-borne malware still presents a significant security risk. Indeed, according to the Sophos 2010 Security Threat Report, threats spread by email attachments and embedded links saw a resurgence in 2009.

Organisations also need to ensure that their own employees use email systems appropriately. The spread of dubious content and malware via email has the potential to cause offence and reflects negatively on an organisation.

Inadequate protection of an organisation's email infrastructure no longer just costs businesses in terms of time, but also leads to public relations disasters, lost revenue, damaged share prices and financial penalties in the form of fines and legal proceedings.

EMAIL PRESSURE

Email is a system constructed of multiple components that play differing roles. In terms of volume, the most significant threat to the email infrastructure comes from external spammers and cybercriminals. They have long used email to advertise their merchandise and breach security defences, and are constantly adapting their tactics in an attempt to bypass current security measures.

Spam

Spammers use increasingly creative ways to obscure their sales slogans, hiding them inside PDF attachments, images or even MP3 files. Such techniques all attempt to outmanoeuvre traditional email filters, providing spammers with an unobstructed path to users' inboxes.

Spammers have also become very adept at using social engineering to disguise the true content of a message in order to trick recipients into opening it and clicking on any Web link contained inside. While a user may think they are accessing a YouTube video, e-card or software upgrade, they might end up accessing a Website selling Viagra, counterfeit branded goods, or indeed anything.

Pump-and-dump campaigns are also increasing in popularity. This tactic sees spammers talk up a public company's prospects in order to falsely inflate its share value, allowing them to sell their shares and realise a substantial capital gain.

Phishing, spear phishing and whaling

Phishing involves sending out emails that appear to come from reputable retailers, banks or credit card companies. These emails lure victims to fake websites that are almost exact replicas of the real thing. From here criminals capture usernames and passwords, bank account numbers and PINs. In October 2007, 31,560 phishing campaigns were reported to the Anti-Phishing Working Group (APWG), with 120 different brands hijacked [3].

Spear phishing is a phish attack launched at a specific organisation. An email appearing to come from a trusted source, e.g. the CEO or IT administrator, tricks employees into providing network passwords, intellectual property and confidential data.

Whaling is a highly targeted phish attack directed at a high-profile individual, such as a journalist, celebrity or business leader.

Why spam works

- Millions of messages can be sent out in seconds through compromised computers.
- Unlike physical mail, it costs virtually nothing to send spam.
- Recipients respond to it. In February 2007, 5% of computer users admitted to buying goods sold via spam and by November 2007 this had risen to 11% [4].

Malware and blended threats

In 2007, 1 in 909 emails contained malware, a sharp decline from 2005, when the figure stood at 1 in 44 [5]. While this figure might appear a positive move downwards, in reality, it only serves to highlight that cybercriminals have adopted more sophisticated techniques with which to infiltrate corporate networks.

A popular tactic is to spam out emails containing Web links that point recipients towards websites hosting malicious code. These emails contain no malware themselves, and so are more likely to bypass perimeter defences.

Directory harvesting

Hackers use directory harvesting to continually probe an organisation's email server, guessing at email names and formats in order to gather bona fide addresses, which they can either use or sell on to other cybercriminals. The sheer number of server requests and subsequent non-delivery receipts can, in extreme cases, cause the server to fail, leaving the organisation without email.

Inappropriate content and PUAs

Most organisations accept the occasional use of their email systems for personal reasons. However, there is a risk that personal emails can harm the organisation's reputation if an employee is receiving pornographic or violent content. Incoming personal emails can also add extra strain to the network, especially if they contain large music, gaming or video files.

Potentially unwanted applications (PUAs) such as remote access tools and automatic diallers can also be difficult to manage and drain network resources.

THE OUTBOUND THREAT

Email leaving networks is smaller in absolute volume than incoming messages, but it poses similar risks in terms of security and compliance.

Inappropriate content

Few organisations will allow pornography or other offensive content to be sent from their network, but the threat can come from a more innocent source. Family photos and videos, links to non-business Web sites and other personal content consume bandwidth and can negatively affect the image of the company if sent to unintended recipients.

Data leakage

According to IDC, email is the number one source of leaked business information [6], and these leaks are usually accidental. For example, many email clients use an auto-complete feature when typing names in the To: field, to help reduce the amount of typing. However, this feature makes it easy to inadvertently add an unintended recipient.

Vulnerable Information

- Personally identifiable information (PII)
- Financial statements
- Trade secrets
- Customer lists
- Business plans

Research shows that half of employees have sent an email containing embarrassing or sensitive information to people by mistake [7]. The Radicati Group also found that 77% of business users have, at times, forwarded business-related emails to their personal accounts. This might help employees work more flexibly, but it represents a hole in the organisation's defences and is particularly worrying for firms operating in highly regulated industries.

Botnets

Hijacked computers can become part of a botnet and, unknown to their owner, launch malware, spam or distributed denial of service (DDoS) attacks. Botnets will impact on network processing speeds and damage reputations, as offending messages will appear to come from a legitimate source. In extreme cases, an organisation can find its domains and/or IP ranges are blocked by service providers and other institutions.

What is a botnet?

A botnet is a centrally controlled network of zombie computers that hackers have infiltrated to perpetrate malicious acts. Hackers use the combined processing power of multiple zombies to send out spam or phishing campaigns, email-borne malware or web links to malicious sites. A botnet can also be used to instigate distributed denial of service (DDoS) attacks against websites or email systems. Botnets can make huge sums of money. A recent botnet broken up in Quebec allegedly earned its controllers $44.6 million [8].

THE INTERNAL THREAT

Many of the outbound and inbound threats are also found in internal email. Data leakage between departments, the circulation of inappropriate content and the distribution of non-essential applications all put email infrastructures at unnecessary risk.

In addition, the rise of regulatory compliance governing the security, storage and retrieval of information also has a direct impact on email use. With email often acting as the corporate memory, businesses must adopt strategies that keep information safe and easy to locate. Under many countries' laws, organisations are obliged to keep all recorded communications, including email. If they are later required in court, the absence of archived emails will be regarded as negligent.

PROTECT THE GATEWAY

The central pillar in the defence against email abuse is gateway protection, which should scan all inbound and outbound messages for spam and malware and, in the case of outbound messages, should provide protection against data leakage.

The Gartner Group recommends that 97% should be blocked or quarantined. To achieve this, the anti-spam engine must be able to detect new and emerging campaigns, using techniques such as reputation filtering, pattern matching, URL detection and image and attachment fingerprinting. Multiple techniques are important as spammers use many tactics to evade spam filters.

Indeed, spam is such a fast-moving, dynamic problem that using multiple spam engines, which together deliver a broad range of multi-layered technologies to detect and block spam, is now emerging as offering better protection.

In the same scan, emails identified as being part of a phishing attack, or containing viruses, spyware and unwanted attachments, must also be blocked. Organisations should also be able to choose how to handle encrypted, corrupt or suspicious messages.

Gateway protection should guard against known and unknown (zero-day) attacks by incorporating sophisticated anti-virus technologies, in addition to rapid signature updates. Advanced AV technologies scan messages and their attachments and analyse likely behaviour before any code executes, reducing the risk of a breach. The best products will provide proactive protection against new threats, even before specific detection rules are announced.

Gateway protection should also scan mail for sensitive or confidential content. Powerful content filtering and monitoring will prevent data leakage, protect valuable assets and ensure compliance with legal and regulatory requirements. This includes the ability to search for keywords and file types, as well as enforcing lists of allowed senders.

Protection at the gateway will also identify and provide an alert if an organisation's email server has become part of a botnet. By assessing outgoing mails for spam- and malware-like traits, a business can ensure its infrastructure is used only for legitimate purposes.

CHOOSING THE RIGHT SOLUTION

An effective email gateway security solution should be assessed against a wide range of criteria. Some of the key questions to ask are:

- What level of throughput does the solution offer and will it match my organisation's typical email usage?
- What level of protection is provided against inbound and outbound threats?
- How many spam engines does the solution have and is the technology used comprehensive enough to block the wide range of spam types?
- How often are the spam engines updated?
- What are the typical levels of false positives?
- Does the solution offer a single scan that can identify spam, malware, data leakage, etc.?
- Does the solution provide comprehensive malware protection?
- How much ongoing management of the solution is required?
- Does the solution have directory services integration for simple and central enforcement of AUPs on an individual, workgroup or departmental basis?
- Are there powerful reports available that deliver data on the integrity of the whole email system?

SUMMARY

Email threats continue to grow and can come from inside and outside an organisation, while increasing regulatory compliance places additional demands on how email is managed and protected. Deploying defences in depth at the gateway, the email server and the endpoint will close many security holes. Organisations should seek out solutions that, in addition to offering the best possible security, minimise the impact on network and IT department resources.
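
The directory harvesting described earlier leaves a recognisable trace at the gateway: one client drawing rejections for many different unknown recipients in a short time. The sketch below is an added example, not part of the white paper or of any vendor's product; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed gateway log lines in a hypothetical simplified format:
# timestamp, client IP, RCPT TO address, SMTP reply code (550 = no such user).
SAMPLE_LOG = """\
2010-03-01T09:00:01 198.51.100.7 rcpt=<aadams@example.org> code=550
2010-03-01T09:00:02 198.51.100.7 rcpt=<abaker@example.org> code=550
2010-03-01T09:00:03 198.51.100.7 rcpt=<aclark@example.org> code=550
2010-03-01T09:00:04 198.51.100.7 rcpt=<adavis@example.org> code=250
2010-03-01T09:00:05 198.51.100.7 rcpt=<aevans@example.org> code=550
2010-03-01T09:00:06 198.51.100.7 rcpt=<afrank@example.org> code=550
2010-03-01T09:00:07 198.51.100.7 rcpt=<aghosh@example.org> code=550
2010-03-01T09:10:00 203.0.113.20 rcpt=<sales@example.org> code=250
2010-03-01T09:11:00 203.0.113.20 rcpt=<slaes@example.org> code=550
2010-03-01T09:13:00 203.0.113.20 rcpt=<info@example.org> code=250
2010-03-01T10:00:00 192.0.2.55 rcpt=<bob@example.org> code=550
2010-03-01T10:30:00 192.0.2.55 rcpt=<carol@example.org> code=550
2010-03-01T11:00:00 192.0.2.55 rcpt=<dave@example.org> code=550
2010-03-01T11:30:00 192.0.2.55 rcpt=<erin@example.org> code=550
2010-03-01T12:00:00 192.0.2.55 rcpt=<frank@example.org> code=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> code=(?P<code>\d{3})$")

def parse(lines):
    """Yield (time, ip, recipient, code); malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"],
                   m["rcpt"].lower(), int(m["code"]))

def find_harvesters(lines, window=timedelta(minutes=5),
                    min_unknown=5, min_reject_ratio=0.8):
    """Return {ip: peak count of distinct unknown recipients in one window}."""
    rejects, totals = defaultdict(list), Counter()
    for ts, ip, rcpt, code in parse(lines):
        totals[ip] += 1
        if code == 550:
            rejects[ip].append((ts, rcpt))
    flagged = {}
    for ip, events in rejects.items():
        # A legitimate sender with one mistyped address has a low reject ratio.
        if len(events) / totals[ip] < min_reject_ratio:
            continue
        events.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, rcpt in events:
            seen[rcpt] += 1
            # Slide the window: drop rejects older than `window`
            # (in-place Counter subtraction removes keys that reach zero).
            while ts - events[start][0] > window:
                seen -= Counter([events[start][1]])
                start += 1
            peak = max(peak, len(seen))
        if peak >= min_unknown:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(find_harvesters(SAMPLE_LOG.splitlines()))
```

With the default five-minute window only the burst from 198.51.100.7 is flagged; the slow probe from 192.0.2.55 appears only when the window is widened, which is why the window length needs tuning against real traffic.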

1. IDC Research, Worldwide Email Usage 2007-2011, March 2007. www.idc.com/getdoc.jsp?containerid=206038
2. SophosLabs worldwide research network. www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-report-08.pdf
3. www.antiphishing.org/reports/apwg_report_oct_2007.pdf
4. www.sophos.com/pressoffice/news/articles/2007/12/spam-buyers.html
5. www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-report-08.pdf
6. Securing the Enterprise through Network Access Control (NAC) and Data Loss Prevention (DLP), IDC Research web conference, December 20, 2007.
7. www.sophos.com/pressoffice/news/articles/2007/11/data-leakage-poll.html
8. www.theregister.co.uk/2008/02/21/canada_botnet_bust/

ABOUT BLOXX

Bloxx provides Web and E-mail filtering solutions to thousands of organisations around the globe. We have an in-depth understanding of the unique challenges faced by educational establishments. Bloxx uses unique patented Tru-View Technology (TVT) to analyse and accurately categorise webpages being requested in real-time. With unsurpassed flexibility in deployment, Bloxx Web filtering lets you quickly and effectively roll out 1-to-1 learning programmes and easily manage BYOD Web traffic.

Available as hardware and virtual appliances, Bloxx filtering easily scales to meet your current and future requirements and our dedicated web reporting appliances ensure you can store years of traffic logs. In addition, our unique approach to licensing lets you decide the most cost-effective approach for your deployment which means you don't end up paying for expensive licenses you don't actually need.

To find out more about Bloxx content filtering and security, email info@bloxx.com, visit www.bloxx.com, or chat to us on Twitter or Linkedin.

t. +44 (0)1506 426 976
e. info@bloxx.com
w. www.bloxx.com

Copyright 2015 Bloxx Ltd. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Bloxx. Specifications are subject to change without notice.