How Real Are Email Threats?
Written by Jeff Orloff on March 7, 2013
If the only real email threat was spam, not much would be done on a business level to stop it. We all know that dealing with spam drains time away that could be spent on more productive things, but honestly receiving junk advertising messages isn’t always the biggest concern for your average business.
Spam isn’t the only threat facing the email administrator, but it is the one that most people are familiar with, so it has become the de facto poster child for email-related risks. As a result, many organizations put their resources into anti-spam solutions that block emails using keywords and blacklists and then divert the remaining security budget towards network-based security solutions. Cyber criminals are well aware of this fact. They know full well that many organizations leave email full of vulnerabilities, and they take advantage of this.
Of course, if you are aware of the many other threats that face your email assets, and can relate these to management, you stand a better chance at thwarting any attacks launched at them. But first, you have to know what the threats are…
A little story
If you have been reading up about the recent Mandiant report on Advanced Persistent Threats then you are truly ahead of the game here. If you’re scratching your head and wondering what report I’m talking about then allow me to explain how a cyber criminal can use email to compromise a system with this little story.
Alice works for XYZ Industries, a company that sells widgets over the Internet. She is an executive with access to just about every resource the company has. Bob works in shipping and has limited access to things like databases and customer information.
Mallory wants the credit card numbers and verification codes that Alice and Bob’s company has, so she crafts an email with a malicious attachment that is actually a keystroke logger and sends it out to everyone at XYZ Industries. While Alice ignores the email, Bob downloads the file and infects his computer. It is only a matter of time before Bob’s user credentials are compromised by Mallory. Using these stolen credentials, she is able to access the XYZ network and gather more information to successfully compromise Alice, giving Mallory access to all of the credit card data and customer data that she was originally after.
Just don’t download, right?
Most people might think that if downloads were blocked by the email filter then this would never be a problem. What they fail to realize is that the threats are so advanced now that simply blocking against known vulnerabilities will not work.
Attackers might use a link to a malicious website instead of an attachment. When the victim clicks the link and visits the site, their computer is infected. Sometimes, they wait a few days to upload malware to the site in question, a technique called waterholing. Other emails simply use URLs that point to a forged site in order to capture usernames and passwords. The victims, thinking they are logging into their account, are actually visiting a website that has been crafted to look exactly like the original. Only the forged site was built to steal their login information.
Seeing things like this might make you question whether or not email is even worth it. After all, if blocking emails that contain certain words, come from certain senders or contain attachments is not protection enough then what is a business to do?
The only answer is to take email threats seriously enough to look for a solution that encompasses more than just your traditional whitelist/blacklist technology. Email security solutions need to be able to protect against all known threats and defend against zero-day threats. By looking at patterns and learning from user input, these advanced solutions can do more than just stop an email whose subject line contains the words “lower your mortgage.” Tell your boss this story; maybe you want to switch out credit card numbers for blueprints or schematics. Maybe the attacker is after email conversations about a merger. Whatever the target, it can fit into this scenario because if it’s worth protecting, then the bad guys are after it. And they will use email to get it.




March 7th, 2013 at 8:02 pm
I think email threats are not taken in earnest partially because very often victims are not aware of what happened. For instance, if Mallory gets access to the data Alice has access to, Alice will hardly know it – when data is stolen, it’s just copied and the original remains, so Alice will have no clue that an uninvited pair of eyes got hold of credit card numbers. As far as Alice is concerned, she will continue to say that such things as data theft never happen in her company because she simply doesn’t know about it.
March 25th, 2013 at 4:33 am
Opting for zero threats seems to be a tall order for e-mail solutions. Even if they are the most sophisticated, they wouldn’t be able to trap all spam and malware because these things evolve as well. They are mindful of the changes in security and change their modus operandi almost immediately. Nevertheless, we can always hope for a much higher percentage, say, 80 to 90 percent. The 10 percent should be spent on education, letting the users know that spam is real and can be very dangerous. They should also be taught how to spot them and other kinds of threats.
March 29th, 2013 at 10:44 am
E-mail threats are as real as they get. For example, just yesterday I found out that my e-mail was hacked AGAIN. This is the second time in less than a year. Am I bothered? Yes. What makes this attack different from the previous one is that I never accessed my mail in public, not even on my own mobile device. Yet someone was still able to get hold of my new passwords. My assumption is this: the possible culprit is one of the e-mails I received, especially those that pretend to be from friends.
April 2nd, 2013 at 12:17 pm
David is right. A lot of email users are not really aware that their mails and personal information are already compromised. This is one of the biggest stumbling blocks of blocking email threats. In order to strengthen the fight against spam and spammers, we need to go down to the basics and find a way for people like Bob to know the difference between a legitimate mail and a destructive one. It’s evident that a clear definition of what to do and what to avoid is needed. Education, information and training can take time, but they can work wonders.