How Costly Can Configuration Mistakes Be?

An article in Computerworld UK caught my attention because its subtitle read “Phishing attacks previously caught in the spam filter are now getting through to employee inboxes.”

The post, which appeared in a section titled Security Manager’s Journal, was written by someone who takes on email security issues on a daily basis. It was evident from the article that the author was giving a firsthand account of their company’s failure to keep spam from sneaking past the filters and winding up in users’ inboxes.

Unfortunately, the emails that made it through contained malicious attachments that installed malware on the computers of those who opened the files. The author was lucky in the sense that the command and control server that this malware reported to was shut down so the damage was contained without a major breach.

Tracing the issue back, the article goes on to explain that during a migration from one anti-spam solution to another, certain security functions were never enabled, so the malicious email was able to make it past the filter.

The part of this story that really concerned me was that the organization where this happened seemed to take security seriously and the author appeared to be knowledgeable about his or her work. Reading further, the author states that his or her team would be tasked with analyzing the problem. This incident happened despite several people working together to prevent something just like this.

Now, if this could happen in an environment where you have a dedicated team of people working to prevent it, how is a smaller organization expected to keep up with the vast landscape of email-related security threats out there?

Hope for the little guy

In this instance it is easy to fault the security team, but if that is the case, then how is an IT department made up of only a few people supposed to get by? Worse still, what if the company has no one on staff who specializes in email security? While the team in this example should have done a better job of making sure that the necessary security functions were turned on, their security solution could have done a much better job of making configuration and management easier.

For those worried about their organization’s security, there is a hopeful takeaway from this: not all email security solutions leave you hanging out to dry. Nowadays, security appliances are not all reliant on specialized languages, and not everything needs to be configured using the command line or terminal. Solutions that rely on such are capable of protecting assets, but they are so highly customizable that their effect is often lost on the average-sized organization, as is their price tag.

Small to medium-sized organizations can easily provide the same level of protection for their less complicated email structure by researching solutions that fit the needs of their unique situations. By looking into the products that are on the market, they can find a solution that offers:

  • Security against multiple types of attacks
  • Ease of configuration
  • Simple management tasks
  • A way for users to help increase the effectiveness of the solution

Emerging threats

Spam littered with keywords and misspellings, signature-based malware and mass mailings are a thing of the past when it comes to identifying the threats out there. Too many companies, regardless of their size, are still relying on solutions that identify threats based on the attack vectors of ten years ago.

As recent reports have shown, cyber criminals are well funded and thus have found ways to circumvent many of the blockades we had in place just a few years ago. To prevent these more sophisticated attacks from compromising your data and other assets you will need to re-evaluate the tools you have in place to protect them. If what you have doesn’t address the current threat landscape and doesn’t make security something that is manageable and affordable then you need to look to another solution that will meet these criteria. Until you do, your organization remains at risk.

Written by Jeff Orloff

4 Comments

  1. David Black · March 14, 2013

    This story proves a very basic truth – one small misstep and you are in trouble. Congrats to the author for admitting what happened – in such situations many teams will just keep the truth under wraps and pretend nothing has happened. You can never be sure you won’t become a victim – even with the best software and the most skillful email security pros, breaches can happen.

  2. Kenny Marcus · March 17, 2013

    Most office communication nowadays is coursed through email, so keeping it secure should be one of a company’s top priorities. Small businesses need to invest in security – email security, to be exact. If their security system is constantly updated, they won’t have to scramble every time something unfamiliar happens. It is also important to educate all employees, not just the technical guys, about spam. And it should be a continuous learning process, not just a one-time thing. As you mentioned, many still have not moved on and are not aware that there are now more complicated forms of spam/malware.

  3. Freddy · March 20, 2013

    I think any kind of IT mistake is bound to have costs. In fact, all mistakes do. It’s just a matter of knowing how much, which usually depends on the severity of the problem. You’ve raised some great pointers, though. If these errors can happen in huge companies, then it leaves the small ones with a very high vulnerability. The good thing is we’ve got websites such as this to provide the right set of education. That’s a good start. Then you provide people with limited knowledge some recommendations, so they can better protect themselves while they’re still creating their security plans.

  4. Chuck · March 23, 2013

    Yes, David, you are absolutely right. I don’t know where I read it, but the article spoke about how a team decided to hide an error in their administration. However, because such a mistake bore consequences, it didn’t take long before it became more emphasized, and the whole thing basically unraveled itself. It definitely is such a pity since, by the time it was discovered, the company had already lost a lot because of that one hidden mistake. Nevertheless, to admit a mistake is extremely hard, especially if you’re supposed to be learned and thus should have prevented it from happening.
