August 29, 2008 • Vol.30 Issue 35
Page(s) 9 in print issue

Mixed Messages
Social Engineering & Unprotected Data Plague Enterprise Email
The threats to enterprise email are many. Social engineers use bogus emails to dupe employees into breaking security. Employees unwittingly send messages containing important information that they shouldn’t share. Email snoopers snap up unencrypted mail in transit. Employees forward email off the network to unsecured devices and consumer Web mail applications to work off-hours. And, finally, enterprises themselves implement corporate Web mail access without proper security measures.

However, by auditing the network carefully, adopting clever email policies, educating employees in street smarts and common sense around vulnerabilities, and countering with security technologies, SMEs will address most threats.

Email Traps & Hazards

Social engineering—a type of attack that leverages employee trust to break security—is an SME’s No. 1 email security vulnerability, according to Randy Abrams, director of technical education at ESET (www.eset.com), a leading anti-malware software vendor. Emails asking users to click links or log in to their banks are prime examples.

“By simply clicking a URL in an email, a user could infect their system without realizing anything has happened,” says Chad Loder, director of engineering at Rapid7 (www.rapid7.com), a network security software vendor. Email-based links entice users to log in to bogus representations of their banking sites, only to record their passwords, access their accounts, and steal their identities for profit.

Attackers have developed the latter form of social engineering, commonly called phishing, into spear phishing—emails that appear to come from trusted sources inside the employee’s enterprise. The attackers target these emails at stealing intellectual property or confidential data from the specific company, according to Gene Spafford, executive director of CERIAS (Center for Education and Research in Information Assurance and Security) at Purdue University (www.cerias.purdue.edu).

Data leakage, another serious vulnerability, happens when employees forward important data by email. People who aren’t authorized to do so or who simply don’t know the information is private may transmit important documents, account information, or passwords out of the network to parties who shouldn’t be privy to them, according to Spafford. Employees who want to work remotely forward email off the network to unsecured BlackBerrys or Web-based mail accounts such as Gmail, where it is susceptible to compromise, according to Loder.

Still another form of data leakage occurs when messages and traffic aren’t encrypted, exposing them to snoopers who listen in on connections and retrieve or change the emails’ contents. By changing key information and sending it on to its destination, snoopers cause companies to make pivotal decisions based on errant data, Spafford explains.

Corporate Web mail is a weakness in the email security chain, according to Loder. SMEs providing remote Web-based email access for their users often require only usernames and passwords for access, Loder explains. Users log in to these accounts from home computers, laptops, or public computers in cyber cafés or hotels, exposing their passwords to family members or strangers.

Protective Measures

One of the best ways for an SME to discover its vulnerabilities is through self-audit, according to Spafford. SMEs should audit their policies for rules that counter email vulnerabilities. If rules and means of enforcement don’t exist, the enterprise may be vulnerable.

Healthy policies address appropriate email usage and specify what employees should do with questionable messages. “Policies should specify that employees don’t open certain kinds of attachments and don’t click on embedded Web links,” Spafford explains.

Educate users about the dangers of email so they don’t succumb to social engineering or carelessly release confidential data, Spafford continues. Make sure they understand the technology behind the threats so they can apply common sense to their email usage, adds Stephan Mueller, lead evaluator at Atsec Information Security (www.atsec.com).

Consider data leak prevention tools that scan messages and attachments for confidential information and stop it before it leaves the organization. Encrypt emails and message traffic to stop snoopers who read, alter, or capitalize on messages sent in plain text, says Spafford.

Get a handle on outbound mail. Configure firewalls to block outbound connections to TCP port 25, which the SMTP protocol uses for outbound mail transfer, explains Loder. Then, permit a limited number of designated company mail servers to make outbound SMTP connections.

Monitor that outbound mail to see who is automatically forwarding mail off the network to handheld devices and Web mail accounts, which are not under the enterprise’s control. Sensitive emails that are forwarded this way are at the mercy of the protections, or lack thereof, of those devices and services, warns Loder.

Develop and enforce policy to stop or secure email-forwarding behavior. If SMEs don’t provide employees with what they need to do their jobs, they will find a way to circumvent policy to do it. If they are forwarding email in order to have 24/7 access for working anytime and anywhere, provide them with a secure solution that enables this, Loder suggests.
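
The outbound-mail monitoring step described above can be sketched as a small log review. This is an added example, not part of the original article: it assumes Postfix-style delivery log lines (where orig_to records the mailbox a message was originally addressed to before forwarding rewrote it), and the domain corp.example, the addresses and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the organization's own mail domains (hypothetical value).
INTERNAL_DOMAINS = {"corp.example"}

# Postfix-style delivery record. orig_to is present only when the recipient
# was rewritten (alias, .forward, virtual map), which is how server-side
# forwarding shows up in the log.
DELIVERY = re.compile(
    r"to=<(?P<to>[^>]+)>,\s+orig_to=<(?P<orig>[^>]+)>.*?status=(?P<status>\w+)"
)

def domain(addr):
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()

def external_forwards(log_lines, internal=INTERNAL_DOMAINS):
    """Count delivered messages per (internal mailbox, external destination)."""
    hits = Counter()
    for line in log_lines:
        m = DELIVERY.search(line)
        if not m or m["status"] != "sent":
            continue  # not a rewritten delivery, or it never left the server
        to, orig = m["to"].lower(), m["orig"].lower()
        # Flag only mail addressed to an internal mailbox that ended up outside.
        if domain(orig) in internal and domain(to) not in internal:
            hits[(orig, to)] += 1
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
Aug 29 09:01:12 mx1 postfix/smtp[2101]: 4A1B2C: to=<alice.home@webmail.example>, orig_to=<alice@corp.example>, relay=mx.webmail.example[203.0.113.10]:25, delay=1.2, status=sent (250 OK)
Aug 29 09:04:40 mx1 postfix/smtp[2101]: 4A1B2D: to=<alice.home@webmail.example>, orig_to=<alice@corp.example>, relay=mx.webmail.example[203.0.113.10]:25, delay=0.9, status=sent (250 OK)
Aug 29 09:05:02 mx1 postfix/local[2210]: 4A1B2E: to=<bob@corp.example>, relay=local, delay=0.1, status=sent (delivered to mailbox)
Aug 29 09:06:18 mx1 postfix/local[2210]: 4A1B2F: to=<carol@corp.example>, orig_to=<sales@corp.example>, relay=local, delay=0.1, status=sent (delivered to mailbox)
Aug 29 09:07:55 mx1 postfix/smtp[2101]: 4A1B30: to=<dave@handheld.example>, orig_to=<dave@corp.example>, relay=none, delay=30, status=deferred (connection timed out)
Aug 29 09:09:31 mx1 postfix/smtp[2101]: 4A1B31: to=<buyer@partner.example>, relay=mx.partner.example[198.51.100.7]:25, delay=1.0, status=sent (250 OK)
""".splitlines()

if __name__ == "__main__":
    for (mailbox, dest), count in external_forwards(SAMPLE_LOG).most_common():
        print(f"{mailbox} -> {dest}: {count} forwarded message(s)")
```

Internal aliases (sales to carol), ordinary outbound mail and deferred deliveries are not counted; only mail that arrived for an internal mailbox and was delivered to an outside address is reported.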

For SMEs that use a remote Web mail server, two-factor authentication is a good technology for securing that remote access, according to Loder. Add another factor of authentication to usernames and passwords, such as requiring the user to type in characters presented in an image file. This will prevent phishers who steal only passwords from gaining access. For BlackBerrys and other devices, add email encryption on-the-wire and on the device, Loder advises.

by David Geer


Top Vulnerability: Employee Email Behavior

Randy Abrams, director of technical education at ESET (www.eset.com), a leading anti-malware software vendor, believes that an employee who exercises naïve email behavior at home—opening attachments and clicking embedded links—will transfer that behavior to work, exposing the enterprise to the same kinds of threats.

“Security isn’t simple,” Abrams explains. As products evolve to address vulnerabilities, the bad guys will be working on ways to skirt them. Their methods will be rooted in social engineering.

“The only truly effective solution for social engineering is an educated and thinking employee,” Abrams concludes. “The enterprise can’t simply give users a checklist of ‘Dos and Don’ts’ and expect everything to be done right. They have to understand the concepts. When they understand the concepts, they can see variations on social engineering attacks.” Then, they can exercise good and intuitive judgment to avoid entrapment.





Copyright © by Sandhills Publishing Company 2010. All rights reserved.