What’s the weakest link in your email security? Your firewall? Your anti-virus software? The operating systems on your users’ computers? How about the users themselves?

Over the last decade great strides have been made in securing systems against attacks by cyber miscreants. We’ve gone from the Golden Age of Hacking–where few computers had firewalls, multiple operating system services were turned on and patching was haphazard at best–to an era where firewalls are turned on by default, services are kept to a minimum, memory locations are protected and patching procedures have been standardized.

At the turn of the century, if you took a computer out of the box and connected it to the Internet, it would be compromised in a matter of hours. Take a computer running Windows 7 out of the box today, marry it with cyberspace and that computer may never be hacked. That’s because, according to Lance Spitzner, director of the SANS Institute‘s Securing the Human Program, “by default, the firewall is on, it is running few if any services, and it is using a variety of new and enhanced memory protection mechanisms.”

“In addition,” he added, “Microsoft has invested tremendously in a robust Security Development Life Cycle (SDLC).

According to Microsoft, SDLC “encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft’s software development process.”

“These activities and deliverables include the development of threat models during software design, the use of static analysis code-scanning tools during implementation, and the conduct of code reviews and security testing during a focused ‘security push,’” it explained.

“Before software subject to the SDL can be released, it must undergo a Final Security Review by a team independent from its development group,” it added, “When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities.”

Despite that progress, however, nary a day passes without news of some new malware infection spreading through organizations everywhere or some new botware enslaving millions of computers to perform malicious mischief on its behalf. Why is that so? According to Spitzner, an internationally recognized leader in the field of cyber threat research, training and awareness, it’s because we expose computers to the weakest link in the security chain–people.

“Once people start interacting with a computer, its risk exposure is exponentially increased,” Spitzner asserted.  “Humans read email, click on links, download files and open file attachments. People, not technology, are the weakest link–and attackers know it.”

He cited one study by a security firm that found that 90 percent of today’s malware requires some form of human interaction to work.

The chief way to strengthen the human link in your security chain is to make employees more aware of the security risks they pose to a computing environment. Spitzner, writing for SearchSecurity.com, offered these tips for designing an effective awareness program for an organization.

1. Design your program for your audience. A program designed for full-time employees may not be suitable for other types of workers who have access to your system–for instance, part-time employees, telecommuters and contractors–or even your customers, if they have access to your system for ordering and account management. “It is often these non-employee resources that have employee-like access that can be the greatest risk,” Spitzner wrote. In addition, it sometimes makes sense to further tailor an awareness program to specific groups within your organization, such as management people or IT staff.
2. Sell your program. Sure, participation in a program can be mandated, but just because an employee’s butt is in a seat doesn’t mean his or her mind is in the room. “Nothing is more boring to employees than having to sit through hours of training, and being told what they can and cannot do for the benefit of the company,” Spitzner wrote. “The key to success is not to focus on the organization, but to focus on how employees benefit.”
   “About 70 percent to 80 percent of any security awareness program not only applies to the organization, but applies to an employee’s personal life,” he added. “Most of the same technologies, such as email, instant messaging, mobile phones and laptops, are used in both environments.”
3. Make your program digestible. “Have your security team go through the risks in your environment and identify what you feel are the greatest, and prioritize those,” Spitzner recommended. “By focusing on no more then 10-12 topics, you will have a far more effective awareness program.”

3 tips for building an effective email security awareness program

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

There’s a very interesting report on CNet about how the FBI used spyware to nab a variety of cybercriminals who committed crimes via email. Here’s an excerpt:

One suspect used Microsoft’s Hotmail to send bomb and anthrax threats to an undercover government investigator; another demanded a payment of $10,000 a month to stop cutting cables; a third was an alleged European hitman who was soliciting for business from a Hushmail.com account.

The FBI spyware, called CIPAV, came to light in July 2007 through court documents that showed how the bureau used it to nab a teenager who was emailing bomb threats to a high school near Olympia, Wash. (CIPAV stands for Computer and Internet Protocol Address Verifier.)

An affadavit written by FBI Special Agent Norman Sanders at the time said that CIPAV is able to send “network-level messages” containing the target computer’s IP address, Ethernet MAC address, environment variables, the last-visited Web site, and other registry-type information including the name of the registered owner of the computer and the operating system’s serial number. 

The report points out that although anti-virus programs should conceivably detect such spyware, not one of the major companies that make such software would admit to helping the FBI in getting their spyware through such filters. Pretty interesting. While it appears to be used only for good at the present time you do have to wonder what might happen if CIPAV were to fall into the wrong hands. It just goes to show that our emails and presence on the net aren’t nearly as anonymous as we’d like them to be.

FBI Used Spyware to Nab Cybercriminals

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators

The Georgia Tech Information Security Center (GTISC) released its “Emerging Cyber Threats Report for 2009″, which reported on the top five information security threats for the coming year. The results were notably different from last year’s top five, which were: Web 2.0 and client-side attacks, targeted messaging attacks, botnets, threats targeting mobile convergence, and threats to RFID systems. According to the report, the biggest threats for next year are: malware, botnets, cyber warfare, threats to VoIP and mobile devices, and the evolving cyber crime economy. The report notes that all emerging threats and attacks are data-driven.

In describing the growth of malware, the report notes that the cyber criminals have gone beyond mass distribution and are now focusing more on localized and personalized attacks, which appear to be more realistic and give them a better chance of penetration. Expect targeted attacks (such as spear-phishing) to increase. Related to malware is the botnet threat, and the report expects for botnets to grow worse next year. Last year’s report held that ten percent of all online computers were part of botnets, and this year’s report predicts that number will rise to 15 percent. In discussing the cyber crime economy, the report sugests that attacks will become increasingly profit-driven.

The report notes that technological solutions from the security industry are an essential part of the solution, but only a part–and this must be balanced with education and increased regulation. The report suggests following the model of road and airline safety. For example, car insurance is mandated by the government, and one of the analysts suggested a similar mandate for security protection. Of course, many such mandates are already in place, although it stops short of a universal regulation, or at least, a mandate that applies to all entities that are part of the country’s critical infrastructure.

Cyber threats in 2009

Free ebook download: Top 10 Most Popular Troubleshooting Posts for Email Administrators