
Defending the Email Infrastructure - Why Email Requires Comprehensive Protection


8/14/2019 Defending the Email Infrastructure - Why Email Requires Comprehensive Protection

http://slidepdf.com/reader/full/defending-the-email-infrastructure-why-email-requires-comprehensive-protection 1/6

Defending the email infrastructure:
Why email requires comprehensive protection

With organizations facing a growing number of threats and an increasingly regulated business environment, ensuring security and compliance across the email infrastructure is paramount. The complexity of this challenge requires a comprehensive solution. To block attacks and enforce acceptable use of email, organizations need to deploy integrated protection at the email gateway, on the email server and on all endpoint computers. This paper explores the threats facing email infrastructures, illustrating the need for multi-layered security.


The increasing risk from email

It is impossible to imagine business without email. According to analysts The Radicati Group, a typical employee spends 19 percent of their working day using email[1], while IDC Research estimates that 97 billion messages are sent worldwide each day[2]. As more of the world goes online, the popularity of email – and the business world's almost complete reliance on it – will grow.

The proliferation and ease of use of email does, however, open it to abuse. Spammers bombard users with unsolicited messages daily or even more frequently, and organized criminal gangs systematically use email to disseminate malware and commit identity theft. The barrage is relentless: in 2007 just 5 percent of all emails sent were legitimate, the other 95 percent of messages being spam or containing malicious links[3].

Organizations also need to ensure that their own employees use email systems appropriately.

The spread of dubious content and malware via email has the potential to cause offense and reflects negatively on an organization. Inadequate protection of the email infrastructure no longer just costs businesses in terms of time, but also leads to bad public relations, lost revenue, damaged share prices and financial penalties in the form of fines and lawsuits.

What is more, it is estimated that 80 percent of an organization's operational records are stored within the email infrastructure, and so it is easy to see how business-critical data can fall into unauthorized hands.

As the continued growth in external threats is compounded by internal threats, an email security solution must serve a dual purpose:

»» Block spam, phishing and malware attacks

»» Ensure that organizations control their intellectual property and avoid costly compliance mishaps.


Overview of the email infrastructure

Email is a system constructed of multiple components that play differing roles. To ensure that each component delivers maximum performance, email security must also take a multi-layered approach. A basic email infrastructure is made up as follows.

Email gateway – also known as the email boundary or perimeter. This is the first line of email contact between your organization and the outside world. It is the point through which all inbound and outbound email travels.

Email server – in addition to all inbound and outbound mail, the email server handles all internal email, and acts as a storage depot for mail not yet downloaded by the email client.

Endpoint – the desktops and laptops and other devices, such as Blackberries and mobile phones, that run email clients.

The inbound threat

In terms of volume, the most significant threat to the email infrastructure comes from external spammers and cybercriminals. They have long used email to advertise their merchandise and breach security defenses, and are constantly adapting their tactics in an attempt to bypass current security measures.

Spam

Spammers use increasingly creative ways to obfuscate their sales slogans, hiding them inside pdf attachments, images or even mp3 files.

Such techniques all attempt to outmanoeuvre traditional email filters, providing spammers with an unobstructed path to user inboxes. Spammers have also become very adept at using social engineering to disguise the true content of a message in order to trick recipients into opening it and clicking on any weblink contained inside. While a user may think they are accessing a YouTube video, e-card or software upgrade, they might end up accessing a website selling Viagra, counterfeit branded goods, or indeed anything.

“Pump-and-dump” campaigns are also increasing in popularity. This tactic sees spammers talk up a public company's prospects in order to falsely inflate its share value, allowing them to sell their shares and realize a substantial capital gain.

Phishing, spear phishing and whaling

Phishing involves sending out emails that appear to come from reputable retailers, banks or credit card companies. These emails lure victims to fake websites that are almost exact replicas of the real thing. From here criminals capture usernames and passwords, bank account numbers and PINs. In October 2007, 31,560 phishing campaigns were reported to the Anti-Phishing Working Group (APWG), with 120 different brands hijacked[4].

Spear phishing is a phish attack launched at a specific organization. An email appearing to come from a trusted source, e.g. the CEO or IT administrator, tricks employees into providing network passwords, intellectual property and confidential data.

Whaling is a highly targeted phish attack directed at a high profile individual, such as a journalist, celebrity or business leader.

Malware and blended threats

In 2007, 1 in 909 emails contained malware, a sharp decline from 2005, when the figure stood at 1 in 446. While this figure might appear a positive move downwards, in reality, it only serves to highlight that cybercriminals have adopted more sophisticated techniques with which to infiltrate corporate networks. A popular tactic is to spam out emails containing weblinks that point recipients towards websites hosting malicious code. These emails contain no malware themselves, and so are more likely to bypass perimeter defenses.

Directory harvesting

Hackers use directory harvesting to continually probe an organization's email server, guessing at email names and formats in order to gather bona fide addresses, which they can either use or sell on to other cybercriminals. The sheer number of server requests – and subsequent non-delivery receipts – can, in extreme cases, cause the server to fail, leaving the organization without email.
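The probing pattern described above leaves a recognisable trace in gateway logs: one client address producing a burst of rejections for recipients that do not exist. The following detector is an added example, not code from Sophos or from this paper; the log format, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified gateway log lines (not a real product's format).
# Format: "<ISO timestamp> client=<ip> rcpt=<address> status=<accepted|unknown_user>"
SAMPLE_LOG = """\
2019-08-14T09:00:01 client=203.0.113.7 rcpt=alice@example.com status=accepted
2019-08-14T09:00:02 client=198.51.100.9 rcpt=aaron@example.com status=unknown_user
2019-08-14T09:00:02 client=198.51.100.9 rcpt=abby@example.com status=unknown_user
2019-08-14T09:00:03 client=198.51.100.9 rcpt=adam@example.com status=unknown_user
2019-08-14T09:00:03 client=198.51.100.9 rcpt=alan@example.com status=unknown_user
2019-08-14T09:00:04 client=198.51.100.9 rcpt=alice@example.com status=accepted
2019-08-14T09:00:04 client=198.51.100.9 rcpt=amy@example.com status=unknown_user
2019-08-14T09:00:05 client=198.51.100.9 rcpt=andy@example.com status=unknown_user
2019-08-14T09:05:00 client=203.0.113.7 rcpt=bob@example.com status=unknown_user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) status=(?P<status>\S+)$"
)

def parse_log(text):
    """Yield (timestamp, client_ip, recipient, status) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["ip"], m["rcpt"], m["status"])

def detect_harvesting(text, window=timedelta(minutes=1), max_unknown=5, min_ratio=0.7):
    """Return {client_ip: peak unknown-recipient count} for clients whose rejections
    inside any sliding window reach max_unknown and make up at least min_ratio of
    that client's RCPT attempts. A single typo never trips it; a burst of guesses does.
    Thresholds are illustrative and should be tuned to the site's normal traffic."""
    events = defaultdict(list)  # client ip -> list of (timestamp, status)
    for ts, ip, _rcpt, status in parse_log(text):
        events[ip].append((ts, status))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            window_evs = evs[start:end + 1]
            unknown = sum(1 for _, s in window_evs if s == "unknown_user")
            if unknown >= max_unknown and unknown / len(window_evs) >= min_ratio:
                flagged[ip] = max(unknown, flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    print(detect_harvesting(SAMPLE_LOG))  # {'198.51.100.9': 6}
```

Rate-limiting or tempfailing a flagged client at the gateway also removes the flood of non-delivery receipts the paper warns about, since guesses are refused before a bounce is generated.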

Inappropriate content and PUAs

Most organizations accept the occasional use of their email systems for personal reasons. However, there is a risk that personal emails can harm the organization's reputation if an employee is receiving pornographic or violent content. Incoming personal emails can also add extra strain to the network, especially if they contain large music, gaming or video files. Potentially unwanted applications (PUAs), such as remote access tools and automatic dialers, can also be difficult to manage and drain network resources.

The outbound threat

Email leaving networks is smaller in absolute volume than incoming messages, but it poses similar risks in terms of security and compliance.

Inappropriate content

Few organizations will allow pornography or other offensive content to be sent from their network, but the threat can come from a more innocent source. Family photos and videos, links to non-business web sites and other personal content consume bandwidth and can negatively affect the image of the company if sent to unintended recipients.

Data leakage

According to IDC, email is the number one source of leaked business information[7], and these leaks are usually accidental. For example, many email clients use an auto-complete feature when typing names in the ‘To:’ field, to help reduce the amount of typing. However, this feature makes it easy to inadvertently add an unintended recipient. Research shows that half of employees have sent an email containing embarrassing or sensitive information to people by mistake[8].

Why spam works

»» Millions of messages can be sent out in seconds through compromised computers.

»» Unlike physical mail, it costs virtually nothing to send spam.

»» Recipients respond to it. In February 2007, 5 percent of computer users admitted to buying goods sold via spam and by November 2007 this had risen to 11 percent[5].

Vulnerable information

»» Personally identifiable information (PII)

»» Financial statements

»» Trade secrets

»» Customer lists

»» Business plans


The Radicati Group also found that 77 percent of business users have, at times, forwarded business-related emails to their personal accounts[9]. This might help employees work more flexibly, but it represents a hole in the organization's defenses and is particularly worrying for firms operating in highly regulated industries.

Botnets

Hijacked computers can become part of a botnet and, unknown to their owner, launch malware, spam or distributed denial of service (DDoS) attacks. Botnets will impact on network processing speeds and damage reputations, as offending messages will appear to come from a legitimate source. In extreme cases, an organization can find its domains and/or IP ranges are blocked by service providers and other institutions.


The internal threat

Many of the outbound and inbound threats are also found in internal email. Data leakage between departments, the circulation of inappropriate content and the distribution of non-essential applications all put email infrastructures at unnecessary risk.

In addition, the rise of regulatory compliance governing the security, storage and retrieval of information also has a direct impact on email use. With email often acting as the “corporate memory”, businesses must adopt strategies that keep information safe and easy to locate. Under many countries' laws, organizations are obliged to keep all recorded communications, including email. If they are later required in court, the absence of archived emails will be regarded as negligent.

A four-step approach to email defence

step one

Protect the gateway

The central pillar in the defense against email abuse is gateway protection, which should scan all inbound and outbound messages for spam. The Gartner Group recommends that 97 percent should be blocked or quarantined[11]. To achieve this the anti-spam engine must be able to detect new and emerging campaigns, using techniques such as reputation filtering, pattern matching, URL detection and image and attachment fingerprinting.

Multiple techniques are important as spammers use many tactics to evade spam filters. In the same scan, emails identified as being part of a phishing attack, or containing viruses, spyware and unwanted attachments, must also be blocked. Organizations should also be able to choose how to handle encrypted, corrupt or suspicious messages.

Gateway protection should guard against known and unknown (or zero day) attacks by incorporating sophisticated Host Intrusion Prevention System (HIPS) technologies, in addition to rapid signature updates. HIPS technologies proactively scan messages and their attachments and analyze likely behavior before any code executes, reducing the risk of a breach. The best products will provide proactive protection against new threats, even before specific detection rules are announced.

Gateway protection should also scan mail for sensitive or confidential content. Powerful content filtering and monitoring will prevent data leakage, protect valuable assets and ensure compliance with legal and regulatory requirements. This includes the ability to search for keywords, regular expressions and file types, as well as enforcing lists of allowed senders.
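The keyword, regular-expression, file-type and allowed-sender checks just listed can be seen working together in the small outbound scanner below. It is an added example, not Sophos's code or product logic; the policy lists, the "ACCT-" identifier format and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default

# Illustrative policy, constructed for this example (not a vendor rule set).
KEYWORDS = ("confidential", "internal only")
PATTERNS = {
    "account_id": re.compile(r"\bACCT-\d{8}\b"),            # constructed internal id format
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),  # 16-digit card-like number
}
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat")
ALLOWED_SENDER_DOMAINS = ("example.com",)

def scan_message(raw):
    """Scan one outbound RFC 5322 message. Returns (action, findings) where action
    is 'deliver', 'quarantine' (sensitive content, for review) or 'block'."""
    msg = message_from_string(raw, policy=default)
    findings = []
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if sender_domain not in ALLOWED_SENDER_DOMAINS:
        findings.append(f"sender domain not allowed: {sender_domain or '<none>'}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for kw in KEYWORDS:                       # keyword search
        if kw in text.lower():
            findings.append(f"keyword: {kw}")
    for name, pat in PATTERNS.items():        # regular-expression search
        if pat.search(text):
            findings.append(f"pattern: {name}")
    for part in msg.iter_attachments():       # file-type control
        fname = (part.get_filename() or "").lower()
        if fname.endswith(BLOCKED_EXTENSIONS):
            findings.append(f"blocked file type: {fname}")
    if any(f.startswith(("blocked file type", "sender domain")) for f in findings):
        return "block", findings
    if findings:
        return "quarantine", findings
    return "deliver", findings

def build_sample():
    """Constructed outbound message that trips three of the four checks."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "someone@example.net"
    msg["Subject"] = "Salary review"
    msg.set_content("Internal only: account ACCT-12345678 gets a raise.")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="tool.exe")
    return msg.as_string()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Running it on the sample returns "block" with findings for the keyword, the account-id pattern and the .exe attachment; a plain message from an allowed domain returns "deliver".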

Protection at the gateway will also identify and provide an alert if an organization’s email server orendpoint computers have become part of a botnet. By assessing outgoing mails for spam- andmalware-like traits, a business can ensure its infrastructure is used only for legitimate purposes.

step two

Defend the email server

Protection at the email server brings two benefits:

»» Spam or malware for which protection might not have been available when it passed through the gateway can be captured here

»» Internal threats sent between departments and not through the gateway can be blocked.


Scanning interdepartmental emails for spam, malware, unwanted content and sensitive information is critical. An employee might, for example, unwittingly visit an infected website and share the link with colleagues via email, thereby placing more endpoint computers at risk of infection. Equally, while the HR department might need to share confidential information about staff members, such as salary increases for example, scanning of the mail server will ensure that this data is not shared across the organization.

This level of defense will also protect message stores, ensuring that an organization's email archives and those messages not yet downloaded to the local client remain malware-free.

step three

Secure the endpoint

Endpoint protection should underpin an organization's security strategy, as it is the end user, and his or her confidential information, that is the ultimate target of any attacks. Cybercriminals attack the endpoint via numerous vectors, including websites, email, instant messaging (IM), P2P networks and USB drives. Once infected, computers can be hijacked to spy on corporate networks, steal network resources and unleash attacks on others.

Any endpoint defense also needs to take into account the different operating systems that are in use. While the majority of computers use Windows, a significant number of users operate Mac and Linux computers, and these are equally at risk. The first ever virus for the Mac OS X platform (which spread using IM) was discovered in 2006 and a year later a Mac-targeting Trojan – malware that poses as something more benign – was also discovered[12]. Both attacks relied on the behavior of the user, not just the vulnerability of the operating system. This is why endpoint security requires protection for all major operating systems.

step four

Control access to the network

Network access control (NAC) manages who and what connects to your system, protecting data and ensuring compliance with all regulatory requirements. An effective NAC solution continuously assesses against defined policies the computers of guests, employees who work out of the office, and unknown users. It can verify, for example, that anti-malware and firewall applications are up to date, security patches are installed, and prohibited applications are not being used.

A preventive approach to NAC stops problems before they happen by combining pre- and post-connect assessment of computers with multiple remediation and enforcement options. NAC will allow you to quickly define endpoint security and acceptable use policies (AUPs) for all end-user scenarios so you can detect and fix managed endpoint vulnerabilities before infection, quarantine infected computers and block unauthorized computers.

Choosing the right solution

Every organization has a point at which enforcement and/or management adds too much expense or overhead so as to offset the benefit of security. Even for large organizations with dedicated IT security departments, the less time spent on day-to-day administration, the better.

An effective security solution should be assessed against a wide-ranging set of criteria:

»» High mail processing volumes that can handle millions of messages per day

»» A single scan that can identify spam, malware, data leakage, and all unnecessary applications

»» Small and rapid updates with minimal footprint

»» Directory services integration for simple and central enforcement of AUPs on an individual, workgroup or departmental basis

»» Powerful reports that deliver data on the integrity of the whole email system

»» A single consolidated view of all email traffic, even in multiple server environments

»» Performance monitoring that automatically alerts the administrator if corrective action is required

»» Managed appliances that can be remotely monitored and maintained by the vendor

»» A single vendor for streamlined deployment, management, maintenance and support.

Summary

Email threats continue to grow and can come from inside and outside an organization, while increasing regulatory compliance places additional demands on how email is managed and protected. Deploying defenses in depth – at the gateway, the email server and the endpoint – will close many security holes. Organizations should seek out solutions that, in addition to offering the best possible security, minimize the impact on network and IT department resources.

This article was provided by Sophos and is published here with their full permission. Sophos provides full data protection services including: security software, encryption software, antivirus, and malware protection.