Many organizations spend a considerable amount of time, resources and dollars to secure the perimeter of their network. The fervor that came with ordering firewalls, intrusion detection and prevention systems, web application firewalls, penetration tests, endpoint security and even data encryption comes up short, however, when email security is concerned.
From the network security expert’s point of view, the mail servers exist behind the firewall or in the DMZ, so they are secured as much as they need to be. The operating systems are patched and the machines are running anti-virus software with the latest signature database, so what more could you ask for? Anti-spam filtering? No need for anything more than a list of words to filter and domains to block, right? After all, spam is dead.
It’s unfortunate, but true, that a majority of managers and executives understand security threats when they are glamorized or newsworthy. Anonymous launching a large-scale distributed denial of service attack against major credit card companies makes the mainstream news, so what do people look for? Ways to prevent DDoS attacks from taking down their business web site. Social networking accounts are compromised, so what is the immediate reaction? Two-factor authentication becomes the silver bullet.
But when you look at the root of most of the recent attacks, email is the source. Whether the attack tricked a user into giving up their login credentials or an attachment loaded malware onto the victim’s computer, odds are an email message was used to deliver the payload.
If you find that you are having trouble getting your bosses to understand the need for greater email security due to a lack of sensationalized news stories, try running these statistics by them to see if they still shrug it off as not important:
91 percent of Advanced Persistent Threat attacks start with a spear-phishing email
Just as we stated earlier, almost every serious breach can be traced back to an employee falling for a spear-phishing scam. Anti-spam filtering solutions that aren’t up to par are useless when it comes to identifying these carefully crafted malicious email messages that carry dangerous payloads. A simple content filter won’t do the trick if it is only looking for misspelled words, all caps and the names of common pharmaceuticals. Anti-spam filters have to be intelligent enough to analyze the message and compare it to common attack vectors in order to be effective.
63 percent of malware delivered to large enterprises came through email
Scanning USB drives and banning portable hard drives from the office helps, but it does not address the larger issue. Emails are delivering malicious software into your organization every day through attachments. Not included in this 63 percent is the number of emails that contain links to malicious web sites that infect visitors via drive-by downloads and other malicious scripts housed on the site. Unless these issues are addressed with solutions that can help identify malicious attachments and links, your organization will continue to be at serious risk of a breach.
76 percent of network intrusions exploited weak or stolen credentials
When your users are sent emails that look legitimate and take them to a site that looks legitimate, odds are they will offer up their username and password with no reservations. Many spear-phishing attacks are created to do just this. By carefully crafting their emails and login pages to look identical to those of your organization or its partners, criminals can easily dupe even the most savvy user into offering up their credentials if the right emotional triggers accompany the request.
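The gap between the simple content filter described earlier and actual message analysis, shown as an added example that is not part of the original article. It narrows the analysis to one check, a link whose visible text names one host while its destination is another; the sample message, its domains, the word list and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: clean wording, but the link text and destination differ.
SAMPLE = """\
From: IT Service Desk <helpdesk@example.com>
Subject: Password expiry notice
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Sign in at
<a href="https://login.example.net/sso">https://portal.example.com/sso</a>
to keep your account active.</p>
"""
SPAM_WORDS = {"viagra", "cialis", "pharmacy"}  # hypothetical word list

def keyword_filter(text):
    """Naive content filter: drug names or a mostly upper-case message."""
    words = re.findall(r"[A-Za-z]+", text)
    shouting = sum(w.isupper() for w in words) > len(words) / 2
    return shouting or any(w.lower() in SPAM_WORDS for w in words)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for each anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, self._text.strip()))
            self._href = None

def link_mismatches(raw):
    """Flags anchors whose visible URL names a different host than the href.
    Assumes a single-part HTML message; anchor text that is not itself a
    URL (for example "click here") is skipped."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw).get_payload())
    findings = []
    for href, text in parser.links:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown != real:
            findings.append(f"link shows {shown} but goes to {real}")
    return findings
```

On the sample, `keyword_filter` passes the message while `link_mismatches` reports the disagreement between the displayed and actual host.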
75 percent of all attacks were opportunistic
The targets of these attacks are not just the IT administrator with access to the servers or the Chief Financial Officer who can see all of the organization’s financial data. Victims are chosen at random from all levels in the organization because all the attacker is looking for is a way in to establish a foothold. Once inside, they can work their way through until they find what they are looking for, even if it takes months. That’s why they are called Advanced Persistent Threats.
The fact of the matter is that unless an organization treats email security as being as important as, if not more important than, securing assets that just aren’t viable targets anymore, that organization will always be at risk.