<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; viruses</title>
	<atom:link href="http://www.theemailadmin.com/tag/viruses/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Thu, 09 Feb 2012 14:00:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Secure Your Desktop &#8211; Protect Your Email</title>
		<link>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/</link>
		<comments>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:00:58 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email servers]]></category>
		<category><![CDATA[email storage]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=4410</guid>
		<description><![CDATA[So you have been tasked with securing your organization’s email services. There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework. So you have looked at your [...]<p><a href="http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/">Secure Your Desktop &#8211; Protect Your Email</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg"><img class="alignright size-full wp-image-4413" style="border-width: 0px; border-color: black; border-style: solid; margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2011/08/Desktop_security_splash.jpg" alt="Securing the desktop is a major part of email security" width="300" height="259" /></a>So you have been tasked with securing your organization’s email services.</p>
<p>There are quite a few guides available on the Internet and in different computer bookstores that can take you through the basics &#8211; and if you are ahead of the game you may have already done your homework.<span id="more-4410"></span></p>
<p>So you have looked at your email server, or servers, and taken the recommended steps of:</p>
<ul>
<li>Installing a commercial email security solution,</li>
<li>Updating the server’s operating system,</li>
<li>Patching all required software,</li>
<li>Turning off all unnecessary services,</li>
<li>Configuring your email server to sit behind the external firewall,</li>
<li>Encrypting your email storage,</li>
<li>Setting a back up schedule,</li>
<li>Testing the recovery portion of your back up,</li>
<li>Training your users on your company email policies.</li>
</ul>
<p>Confident that your email services are now secure, you can roll up your sleeves and attack the next item in the pile of projects that is sitting on your desk, right?</p>
<p>Not so fast. Unfortunately, there is still quite a bit of work to do.</p>
<h2>What am I missing?</h2>
<p>Like any other computer service, email requires many different users to share information with the email server or cluster of servers. Each user connects via a desktop computer, a laptop, tablet, or smart phone; as a result, there is two-way communication going on between them where data is exchanged. Can you see where we are going with this?</p>
<p>That’s right. Even if the servers that drive your company’s email are secured, there still remains that one variable that is often the root of so many security problems &#8211; the user.</p>
<p>If just one of those many users connects to the company’s email servers with an unsecured or infected device, it could mean disaster for your organization’s email. Consider the fact that email is still the preferred method of business communication, and you could have some serious problems on your hands.</p>
<h2>Securing the endpoint</h2>
<p>Your company can buy the top of the line security tools, train users until they can recite policies in their sleep and keep everything under a watchful eye, but all it takes is one zero-day vulnerability to be exploited on a device that a user connects to your network with and you can consider yourself compromised.</p>
<p>You see, attackers know that the weakest point in any organization is the user and his or her computer. Servers are often guarded with firewalls, intrusion detection and prevention devices, and diligent operators. The low hanging fruit is the user so that is where the attackers concentrate.</p>
<p>Training is always considered the best way to enforce security in an organization. The thought is that if people are aware of what the threats are and what they can do to stop them, then most attacks can be mitigated. We know that’s not the case. Training and education work, but only so much. Instead of being looked at as the solution, training should be considered part of a larger plan to stop threats against your email. Other elements of the overall strategy should include:</p>
<p><strong>Check your computers for malware</strong></p>
<p>No solution is going to stop 100 percent of all malicious software from infecting computers on your network. However, having a solution in place that constantly scans your network devices for malicious software is a crucial part of your overall security because, believe me, something is better than nothing. This means running anti-malware software that is automatically updated. Even better, make sure you can configure the solution so that users can’t opt to postpone the updates.</p>
<p><strong>Update the OS and all software</strong></p>
<p>After you have tested the updates and patches published for your computers’ operating systems and software, make sure that they are installed. Most patches are released to fix problems and plug up exploits found in the software code. Not updating your machines leaves them open to attack.</p>
<p><strong>Update the browser</strong></p>
<p>As email moves to the cloud, it is essential that the browser used in your organization is updated as regularly as any other software. This includes any plug-ins or extensions used by the browser. Even if you are still hosting mail services yourself, websites continue to grow as a method of delivering malware to computers; using a secured browser is essential to protect users from being infected by seemingly harmless sites that they visit.</p>
<p>Email security is not easy. As with any other portion of your infrastructure&#8217;s security, it takes diligence, knowledge and skill. However, email security cannot be avoided simply because it is too hard a task to complete. You can certainly look into solutions that help ease the workload and make up for any deficiencies when it comes to this job.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/08/secure-your-desktop-protect-your-email/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>10 Most Common Malicious Programs Sent By Email</title>
		<link>http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/</link>
		<comments>http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/#comments</comments>
		<pubDate>Tue, 19 Apr 2011 18:49:57 +0000</pubDate>
		<dc:creator>Jeff Orloff</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[ActiveSync]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=3894</guid>
		<description><![CDATA[According to Secure List malicious files were found in 3.18% of all emails sent during the month of February showing a rise in .43% when compared to January’s numbers of this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day so that equates to almost 10 [...]<p><a href="http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/">10 Most Common Malicious Programs Sent By Email</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<div id="attachment_3895" class="wp-caption alignright" style="width: 310px"><img class="size-medium wp-image-3895 " style="margin: 10px; border: 0px solid black;" src="http://www.theemailadmin.com/wp-content/uploads/2011/04/malware-300x248.jpg" alt="Malware" width="300" height="248" /><p class="wp-caption-text">Malware</p></div>
<p>According to Secure List, malicious files were found in 3.18% of all emails sent during the month of February, a rise of .43% when compared to January’s numbers of this year. While this may look insignificant, the Radicati Group estimates that 294 billion emails are sent every day, so that equates to almost 10 billion malicious emails sent on a daily basis.</p>
<p>While this doesn’t represent the numbers seen in the early days of commercial email when email messages were the primary methods used to spread malware, it does show that this trend is rising again. And if there is an increase over time then it can only mean that this method of spreading malware must be working on a significant enough level for attackers to use it in such numbers.</p>
<p><span id="more-3894"></span>As we know, malware can be sent to users as a malicious attachment that infects a computer when the file is opened or through a link that takes the user to a malicious web site when the link is followed. The ten most common malicious programs spread through email are as follows:</p>
<ol>
<li><strong>Trojan-Spy.HTML.Fraud.gen<br />
</strong>This malicious program uses spoofing to trick victims into visiting a fraudulent web page under the premise that the email is coming from a bank, store or financial institution. Once there, anyone who enters private account information will most likely fall victim to theft, whether it be identity or financial.</li>
<li><strong>Worm.Win32.Mydoom.m<br />
</strong>Mydoom, once the quickest spreading worm, falls into the number two spot and opens a backdoor that listens on TCP port 1034, which is used primarily by ActiveSync, and will send itself to email addresses it finds on the host using its own SMTP engine. This can be used in concert with other malware to further infect computers.</li>
<li><strong>Worm.Win32.Mabezat.b<br />
</strong>Mabezat was commonly spread through removable drives and network shares but can also be spread through email attachments. Its payload will single out files with certain extensions and encrypt them, then demand payment to have the files restored.</li>
<li><strong>Trojan-Banker.Win32.Banker.bgsd<br />
</strong>This is a new addition to the Banker family of Trojans that is used to steal financial information such as passwords, usernames and account information by scanning the keylog and sending information it finds back to the attacker.</li>
<li><strong>Worm.Win32.Agent.gnd<br />
</strong>According to Microsoft’s security portal, “Malicious files detected as variants of Win32/Agent can have virtually any purpose.” Commonly these are used to terminate security software and open a backdoor on the computer to allow future attacks.</li>
<li><strong>Worm.Win32.NetSky.q<br />
</strong>NetSky’s code originally had comments that insulted the authors of the Bagle and Mydoom worms. For those infected, NetSky will email itself as an attachment to email addresses it finds on the host computer and can be used to perform other actions. Most notably, NetSky was used to launch Denial of Service attacks against certain peer to peer file sharing websites.</li>
<li><strong>Trojan-Spy.Win32.SpyEyes.ffc<br />
</strong>SpyEyes is another Trojan that in addition to opening a backdoor will steal confidential information by capturing keystrokes and makes use of the form grabbing technique to steal user authentication information. This Trojan also uses a rootkit to help hide any malicious activity from the user.</li>
<li><strong>Worm.Win32.Bagle.qt<br />
</strong>Bagle is a mass-mailing worm that can also be spread through peer to peer networks. It will open a backdoor on the host computer, allowing the attacker access and control of the infected machine.</li>
<li><strong>Trojan-Ransom.Win32.PornoBlocker.efo<br />
</strong>Like Mabezat, PornoBlocker is another form of ransomware. This malicious program takes control over the victim’s computer and locks the screen to prevent access. The victim is told to send a text message via SMS to a premium number for the code to unlock the desktop.</li>
<li><strong>Trojan-Banker.Win32.Banker.bghb<br />
</strong>This is another variant of the Trojan-Banker family and performs the same actions as mentioned earlier under Trojan-Banker.Win32.Banker.bgsd.</li>
</ol>
<p>While these malicious programs are indicative of the ones most frequently spread over a certain period of time, they do provide us with three things of note:</p>
<ul>
<li>Email is still a viable method of transporting malware</li>
<li>Malware spread through email can be used to launch further attacks against an organization’s network through backdoors</li>
<li>Malware that is used for identity and financial theft can be applied to theft of confidential and proprietary information at a corporate level</li>
</ul>
<p>As mail administrators, we can expect to see these programs and their continued variants being sent to our addresses and it is up to us to work with our security teams to put effective tools in place to stop them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2011/04/10-most-common-malicious-programs-sent-by-email/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>6 Causes of Email Downtime</title>
		<link>http://www.theemailadmin.com/2010/06/6-causes-of-email-downtime/</link>
		<comments>http://www.theemailadmin.com/2010/06/6-causes-of-email-downtime/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 13:34:28 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email downtime]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2637</guid>
		<description><![CDATA[Every company attempts to minimize server downtime as any outages mean loss of productivity, potential loss of data and more importantly loss of revenue. It has been estimated that forty-two percent of businesses had experienced database corruption in the year 2007. The risks of database corruption is cause for great concern in the data center [...]<p><a href="http://www.theemailadmin.com/2010/06/6-causes-of-email-downtime/">6 Causes of Email Downtime</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>Every company attempts to minimize server downtime as any outages mean loss of productivity, potential loss of data and more importantly loss of revenue.</p>
<p>It has been estimated that forty-two percent of businesses had experienced database corruption in the year 2007. The risk of database corruption is cause for great concern in the data center, particularly for email administrators who are responsible for protection of email content and for providing near continuous availability of email communications.</p>
<p>Without email communications companies can experience the same loss of productivity, loss of data and loss of revenue that is associated with database server downtime. Near continuous operation of email servers and communications is a necessity in order to maintain any company’s reputation with their customers and also as a competitive edge in their respective marketplace.</p>
<p><span id="more-2637"></span></p>
<p>With these thoughts in mind here are some of the most common reasons for Email server downtime.</p>
<ol>
<li>
<h2>Server Patches</h2>
<p>A recommended practice is to install your patches and fixes on to test servers before going into production with a new patch. This way you can avoid the downtime caused by patches that have not yet been fully tested or which create incompatibilities with other existing code on the system. Sometimes it is the patches themselves that are corrupted as a result of a link to a corrupted library when the patch was created. Testing patches within a virtual environment is another way to avoid potential downtime.</li>
<li>
<h2>Dynamic Workloads</h2>
<p>Companies which run multiple environments within an enterprise class server can experience unexpected or unplanned-for changes in resource allocations, which can lead to hung or downed systems. Sometimes workload changes can be due to large file transfers between servers that, if left unattended, can result in a crashed system. Microsoft Windows servers have been known to issue messages such as, &#8220;Drive 0 not found: Serial ATA, SATA &#8211; 0&#8221; after crashing during large file transfers.</li>
<li>
<h2>Database Corruption</h2>
<p>As already mentioned, database corruption can lead to server downtime. And if there are problems with the underlying storage devices this can also result in email server crashes. It could be problems with a drive controller or RAID array problems. This is one of the reasons why virtualization of storage has become an important consideration in the enterprise environment as uptime of data has become as important as uptime of servers. Sometimes the downed server could be caused by writes to error logs that are themselves corrupted within the database.</li>
<li>
<h2>Directory Problems</h2>
<p>Sometimes a server will crash due to problems with Active Directory. Worse yet, administrators can experience situations where not only are their email servers down but also all servers, due to a domain-side Active Directory failure. Reboots are the last resort for fixing such problems, but when everything else fails they can sometimes be the only solution. When something like this happens, only a concerted effort by all administrators involved will bring all systems back online, hopefully within your recovery time objectives. I have seen four-tiered environments take hours upon hours before fully coming back up enough for end users to be able to log back in again and resume normal business activities.</li>
<li>
<h2>Viruses</h2>
<p>Some viruses are written with the intended purpose of crashing as many systems and servers as possible. Some use denial of service strategies hidden in unopened email attachments, while other outages can surprisingly come from unintentional holes in the fabric of the enterprise that are exploited by malicious hackers on the internet. One such example is the denial of service vulnerability that exists in how the Microsoft Server Message Block (SMB) client interacts with custom SMB responses. Hackers are able to exploit this vulnerability without using authentication by sending a custom SMB response to a client-initiated SMB request. If successful, the result is that the server could be prevented from responding and would need a complete system restart to be able to resume normal business operations.</li>
<li>
<h2>Configuration Errors</h2>
<p>Sometimes changes are made to configuration settings that can lead to email servers experiencing unintended downtime. If the changes affect the WAN link settings, then this can cause WAN link failures with undesirable effects on the email servers. Those effects can include Exchange servers in different geographies becoming unavailable and beginning to report delivery errors. An error message might indicate that the recipients could not be reached and that, “A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients.  Contact your administrator.”</li>
</ol>
<p>This last problem is more perplexing because an administrator would expect a downed, crashed, or unavailable system to be unable to respond with error messages. The normal expectation would be that the unavailable system would simply queue the incoming messages and then resend them at a later time, when the server returned to normal operations or when the WAN link configuration settings had been corrected. Well, that just leaves more fun for the troubleshooters among us.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/06/6-causes-of-email-downtime/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links</title>
		<link>http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/</link>
		<comments>http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/#comments</comments>
		<pubDate>Mon, 14 Sep 2009 14:57:39 +0000</pubDate>
		<dc:creator>Lee Clemmer</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[trojans]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1505</guid>
		<description><![CDATA[Sometimes spam, viruses, and other malware filtering at your email gateway isn&#8217;t enough. It&#8217;s important to keep your host anti-virus signatures up to date, and if you don&#8217;t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it. Here&#8217;s why these items are critical. Some recent [...]<p><a href="http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/">Malware Threats from Unexpected Sources: Trojans Embedded in Streaming Video Links</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>Sometimes spam, viruses, and other malware filtering at your email gateway isn&#8217;t enough. It&#8217;s important to keep your host anti-virus signatures up to date, and if you don&#8217;t have anti-virus protection at your firewall or on your network at the Internet gateway you should seriously consider it.</p>
<p>Here&#8217;s why these items are critical. Some recent malware attacks have used malware embedded in video and audio streams as a transfer method. They can gain an initial foothold, so to speak, by managing to get a link to your users in a spam email. If your spam filter doesn&#8217;t block the message, a link in the email appears to be a video or audio link, but in fact the destination contains a trojan that is embedded in the content stream.</p>
<p>This method of attack isn&#8217;t exactly new. For example, the ZLOB Trojan began making rounds in 2005, and began gaining traction in 2006. Some attacks with it simply involved downloading other viruses or malware. Using a video link, however, for users that have their ActiveX controls set to download codecs automatically means that those users with poor virus protection would automatically download the virus and become infected.</p>
<p><span id="more-1505"></span>Now, most of us won&#8217;t have this problem, right? Surely you and your users would, at a minimum:</p>
<ol>
<li>Have host-based as well as network/perimeter-based anti-virus protection.</li>
<li>Keep your anti-virus signatures up-to-date for all your systems.</li>
<li><em>Not</em> have your browsers set to automatically download and install ActiveX controls or codecs.</li>
<li>Have users trained, understanding not to install random codecs or ActiveX controls themselves.</li>
<li>Have in place strong anti-spam protection that may block messages from domains likely to send these messages.</li>
<li>Have perimeter security measures in place that detect and block or intercept malicious content as it appears.</li>
<li>Have users trained well on the risks of clicking unknown links, or going in search of suspicious content.</li>
<li>Have a proxy or firewall with content filtering in place, with a policy that prohibits visiting or traffic from certain domains known to be sources of malware.</li>
<li>Keep your systems patched with the latest security patches from your OS vendor and from your application vendors.</li>
<li>Frequently review your security protections and rules in place, and carefully consider before making changes allowing more permissive use and access to and from protected resources.</li>
</ol>
<p>The most security conscious of us and those that keep current with security risks and trends in security technology may think that all of this is old news, that of course they won&#8217;t have any problems&#8211;and they may be right. I hope so. However, new small businesses and new business Internet users are appearing all the time. As these businesses grow and expand, they may have transition periods where their deployed technology changes and of course upgrades will happen sometime. At those times, extra vigilance is required. If you are brought on board during a transition period as an email administrator, network administrator or security administrator, be aware that such risks are heightened.</p>
<p><img class="size-full wp-image-1514 alignleft" style="margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2009/09/hacker-white-screen-small.jpg" alt="hacker-white-screen-small" width="176" height="147" />While the attempt to execute malicious code via a codec installation may seem to be old hat, consider that new vulnerabilities appear frequently. Consider that Windows Media Player can play streaming content, and couple that with the recent vulnerability MS09-047, Microsoft Windows Media Playback Memory Corruption Vulnerability. This vulnerability can permit remote code execution, exactly the sort of vector needed by the sender of the spam we started this discussion with: a maliciously crafted Windows Media Format file pointed to by a link in a spam email. Granted, this vulnerability and others like it have been patched, and if you are up-to-date on your patches it isn&#8217;t actually a threat.</p>
<p>Where this can become a problem (and as far as I know it isn&#8217;t with this vulnerability) is when the patches interfere or conflict with mission critical applications and can&#8217;t be applied, and when system updates (unfortunately including some antivirus and security patches) that may require reboots can&#8217;t be done as soon as they are received. Testing and verification may be required in your business (and is a good idea if it&#8217;s not part of your routine) before applying new patches and updates. During this window of time, when the attacks are launched on &#8220;zero day&#8221;, till your patches are applied, your systems may be vulnerable. During this (hopefully brief) time period the sort of attack described at the beginning of this post could actually penetrate your security and wreak havoc. Follow the ten tips listed above, and minimize your vulnerability.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/malware-threats-from-unexpected-sources-trojans-embedded-in-streaming-video-links/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google&#8217;s claim on Chrome security is nonsense</title>
		<link>http://www.theemailadmin.com/2009/07/googles-claim-on-chrome-security-is-nonsense/</link>
		<comments>http://www.theemailadmin.com/2009/07/googles-claim-on-chrome-security-is-nonsense/#comments</comments>
		<pubDate>Wed, 15 Jul 2009 13:22:23 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Chrome OS]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1260</guid>
		<description><![CDATA[Last week, Google announced its new Chrome operating system amidst fanfare and excitement throughout the blogosphere. The new operating system is an open-source, Linux-based OS initially targeted at netbooks. I&#8217;ve not looked at the Chrome OS up close, but I have no reason to doubt the veracity of their claims of elegance and simplicity, but [...]
]]></description>
			<content:encoded><![CDATA[
<p>Last week, Google announced its new <a target="_blank" href="http://googleblog.blogspot.com/2009/07/introducing-google-chrome-os.html">Chrome operating system</a> amidst fanfare and excitement throughout the blogosphere. The new operating system is an open-source, Linux-based OS initially targeted at netbooks. I&#8217;ve not looked at the Chrome OS up close, but I have no reason to doubt the veracity of their claims of elegance and simplicity, but there&#8217;s one claim that Google is making that deserves a response. According to Google&#8217;s announcement, they are &#8220;completely redesigning the underlying security architecture of the OS so that users don&#8217;t have to deal with viruses, malware and security updates.&#8221;</p>
<p>Absolute nonsense. The announcement was written by Google&#8217;s Engineering Director, but it sounds more like it was written by their Marketing Director. No security expert in his or her right mind would claim that any operating system, open source or otherwise, is completely bullet-proof and immune to malware. It&#8217;s just not gonna happen. We&#8217;ve heard the same claim from Apple for years, but the fact is, the Mac is not immune to malware any more than a Chrome system, or for that matter, a Windows system. There are fewer Mac intrusions, but it is certainly possible to penetrate one and it is certainly possible for a hacker to create a Mac virus. There are more Windows machines, so opportunistic hackers simply realize that there is more economic incentive to attack those instead. The same principle applies to Chrome. How many people, in reality, will roll out the Chrome OS over the next few months? In the big picture, it&#8217;s likely to be a fraction of a percent of all PC users. As a result, the greatest protection afforded users of Chrome OS will be security through obscurity. Hackers just won&#8217;t be paying attention to it.</p>
<p>Beyond that, it&#8217;s simply impossible to create a foolproof operating system that is immune to all viruses. It is possible to make an OS more secure, and it&#8217;s done all the time. Some hardware firewall devices run on &#8220;hardened&#8221; OS platforms that are exceedingly difficult to penetrate. But to make one that is absolutely secure? Foolproof, and user-friendly to boot? Impossible. For one thing, malware writers are constantly at work, constantly innovating, and constantly looking for new vulnerabilities that weren&#8217;t considered by the OS&#8217;s engineers. That&#8217;s why patches and security updates are a good thing&#8211;because it&#8217;s not possible to consider absolutely every possible vulnerability at the get-go. For Chrome to say that users &#8220;won&#8217;t have to deal with&#8221; security updates frankly is a frightening thought. Nuisance though they may be, security updates are what keep us a step ahead of the bad guys.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/07/googles-claim-on-chrome-security-is-nonsense/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>FBI cyber guy says Conficker media attention is &#8220;distracting&#8221;</title>
		<link>http://www.theemailadmin.com/2009/04/fbi-cyber-guy-says-conficker-media-attention-is-distracting/</link>
		<comments>http://www.theemailadmin.com/2009/04/fbi-cyber-guy-says-conficker-media-attention-is-distracting/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 13:29:45 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[viruses]]></category>
		<category><![CDATA[worms]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=874</guid>
		<description><![CDATA[The FBI&#8217;s head of cyber security, Shawn Henry said last week that Conficker media hype is distracting people from other threats. Henry is only half right in his comments, which he made at a speech at the RSA security conference in San Francisco. Henry correctly pointed out that there are many other cyber threats out [...]
]]></description>
			<content:encoded><![CDATA[
<p>The FBI&#8217;s head of cyber security, Shawn Henry, said last week that Conficker media hype is distracting people from other threats. Henry is only half right in his comments, which he made in a speech at the RSA security conference in San Francisco.</p>
<p>Henry correctly pointed out that there are many other cyber threats out there that also deserve attention, and some of the threats may be bigger than Conficker. Henry praised the idea of public awareness, but said he wanted to see more coverage of the &#8220;entire threat vector.&#8221;</p>
<p>Conficker became big news for several reasons: it was the biggest botnet to come along in years, and it ran differently than other botnets. Much of the media attention also came from the April 1 deadline, which was supposed to be the &#8220;launch date.&#8221; Nothing much happened on April 1 (except for a few April Fools jokes), and so what&#8217;s happening now is that we&#8217;re seeing a sort of &#8220;anti-hype&#8221; in some circles that is now downplaying Conficker. This is a dangerous thing. The April 1 deadline was obviously either a ruse, or the perpetrators decided to delay the launch date because of the media attention. Conficker is still with us, and reports are out that it is now coming to life, fulfilling its promise to transform millions of victims&#8217; PCs into spam-spewing robots.</p>
<p>Was Conficker a &#8220;false alarm&#8221;? Obviously not. The worst is yet to come&#8211;and the media attention served the purpose of getting more people to update their systems and install relevant patches. And there&#8217;s very little doubt that Conficker has had a monetary impact already. According to the Cyber Secure Institute, it has already consumed &#8220;an extraordinary amount of time and energy.&#8221; A Cyber Secure Institute blog entry noted that because there was no major event on April 1, &#8220;numerous commentators are now downplaying the significance of the worm. This view is misguided.&#8221;</p>
<p>Cyber Secure Institute also discusses the overall financial impact of the worm in terms of wasted resources and time&#8211;and extrapolating from their previous studies about the average costs of other attacks, the agency estimates the total economic cost of Conficker to be as high as $9.1 billion.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/04/fbi-cyber-guy-says-conficker-media-attention-is-distracting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Avoiding Conficker/Downadup worm</title>
		<link>http://www.theemailadmin.com/2009/01/avoiding-confickerdownadup-worm/</link>
		<comments>http://www.theemailadmin.com/2009/01/avoiding-confickerdownadup-worm/#comments</comments>
		<pubDate>Wed, 21 Jan 2009 14:40:05 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=280</guid>
		<description><![CDATA[The Downadup worm, referred to in some reports as &#8220;Conficker&#8221;, at last report from the SANS Institute, has infected over a million PCs within a 24-hour period, for a total to date of 3.5 million infections. The worm takes advantage of a flaw in the Windows Server service used by all versions of Windows, which [...]
]]></description>
			<content:encoded><![CDATA[
<p>The Downadup worm, referred to in some reports as &#8220;Conficker&#8221;, at last report from the SANS Institute, has infected over a million PCs within a 24-hour period, for a total to date of 3.5 million infections. The worm takes advantage of a flaw in the Windows Server service used by all versions of Windows, which was corrected in a patch released last October&#8211;so the good news is, if you keep up with patches like you&#8217;re supposed to, you don&#8217;t have anything to worry about. And the latest version of Microsoft&#8217;s Malicious Software Removal Tool was released on January 13, and this one will detect the worm and remove it. Unfortunately, according to reports, nearly a third of all Windows systems are unpatched, and this has led to the incredibly high number of infections. This is why I enable the auto-update feature, because I know that if it were left up to me to manually install patches, I, like most people, wouldn&#8217;t do it. Manual patch updates would get put into the same &#8220;around-to-it&#8221; bucket as organizing my desk, cleaning out the garage, and patching up all those little nail holes in the plaster.</p>
<p>The worm reportedly uses a brute force command to get Admin passwords on local networks, and it infects removable devices and network shares.</p>
<p><span id="more-280"></span></p>
<p>The SANS report further noted that the autorun contained &#8220;a lot of garbage&#8221; in the form of random binary data, which was inserted on purpose to fool some AV programs. The autorun file created by the worm also contains a sort of social engineering ruse. The first two keywords, Action and Icon, result in an AutoPlay window popping up (under Vista), generating a standard folder icon. The user may be tricked into clicking on it and allowing it, under the belief that they are simply opening a USB stick. However, the AutoPlay launches the worm instead. And so, here&#8217;s lesson number two: Besides using the auto-update and keeping up with patches, pay attention to all those little &#8220;allow&#8221; windows that Vista puts in front of you! It&#8217;s tempting to click on them to make them go away, but they are there for a reason, and can prevent a dangerous infection.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/01/avoiding-confickerdownadup-worm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Polymorphic Companion Viruses Back in Vogue</title>
		<link>http://www.theemailadmin.com/2008/12/polymorphic-companion-viruses-back-in-vogue/</link>
		<comments>http://www.theemailadmin.com/2008/12/polymorphic-companion-viruses-back-in-vogue/#comments</comments>
		<pubDate>Wed, 10 Dec 2008 09:40:17 +0000</pubDate>
		<dc:creator>Mike Rede</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=202</guid>
		<description><![CDATA[Polymorphic Companion Viruses appear to be making a comeback. Last November it was announced that a polymorphic companion virus was making the rounds on Windows CE/Mobile phones. The virus is interesting because it employs two different attack methods: encryption and a companion attack. What makes it polymorphic is its ability to re-write itself in order [...]
]]></description>
			<content:encoded><![CDATA[
<p>Polymorphic Companion Viruses appear to be making a comeback. Last November it was announced that a polymorphic companion virus was making the rounds on Windows CE/Mobile phones.</p>
<p>The virus is interesting because it employs two different attack methods: encryption and a companion attack. What makes it polymorphic is its ability to re-write itself in order to avoid detection.</p>
<p>When a virus spreads using the companion attack method, what it does is disguise itself as a normal executable file already existing on your platform. The virus executes when invoked as a normal program by an unsuspecting user, script or other program. This malevolent approach has been around since the DOS days. As an encrypted virus the malevolent piece of software can go undetected by many anti-virus programs.</p>
<p><span id="more-202"></span></p>
<p>If your company authorizes the use of mobile phones for your employees, then attention must be given to these new devices. Company-wide security policies need to be updated to address these new threats; threats that, if left unaddressed, can and will hinder company communications, which can also have negative financial impacts.</p>
<p>Now that mobile phones are becoming more sophisticated, with some even being viewed as miniature PCs, they are increasingly becoming targets of hackers, malware and viruses. The Georgia Tech Information Security Center (GTISC) recently predicted, in their Emerging Cyber Threats report for 2009, that mobile threats will be one of the top risks to end-users in 2009. They went on to warn against the coming wave of botnets that will spread to handhelds.</p>
<p>One of the reasons given for the forecasted threat to mobile phones is that the battery of a mobile phone is not sufficient both to power normal use of the phone and to run the anti-virus software necessary to prevent a virus attack.</p>
<p>Mobile phones are like sitting ducks to the cyber criminal community. For that matter, an attack made on a mobile phone network might easily be a tactic used by terrorists as part of an overall plan of attack. Disabling communications has often been used as a wartime tactic. Electronic mail and voice communications are essential to your company’s day-to-day operations. So protecting those communications is equivalent to protecting your business. So ask your CIO, at what price are day-to-day operations not essential?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/12/polymorphic-companion-viruses-back-in-vogue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mine&#8217;s a Mac; Mine&#8217;s a PC &#8211; both need anti virus</title>
		<link>http://www.theemailadmin.com/2008/12/mines-a-mac-mines-a-pc-both-need-anti-virus/</link>
		<comments>http://www.theemailadmin.com/2008/12/mines-a-mac-mines-a-pc-both-need-anti-virus/#comments</comments>
		<pubDate>Fri, 05 Dec 2008 13:44:33 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[viruses]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=195</guid>
		<description><![CDATA[Let me make one thing clear. There is a perception that the Apple Mac cannot have malware. This is incorrect. Apple Computer posted a note on its support site late last month, and removed it this week, which encouraged people to use anti-virus software. The presence of the note has caused much consternation among the [...]
]]></description>
			<content:encoded><![CDATA[
<p><a href="http://www.theemailadmin.com/wp-content/uploads/2008/12/macbookair.jpg"><img class="alignleft alignnone size-medium wp-image-196" style="float: left;" src="http://www.theemailadmin.com/wp-content/uploads/2008/12/macbookair.jpg" alt="Even Macs need anti virus software" width="224" height="100" /></a>Let me make one thing clear. There is a perception that the Apple Mac cannot have malware. This is incorrect.</p>
<p>Apple Computer posted a note on its support site late last month, and removed it this week, which encouraged people to use anti-virus software. The presence of the note has caused much consternation among the media, the blogosphere and the Apple faithful, the latter of whom have long proclaimed that Apple does not need anti-virus software. The notice read, &#8220;Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.&#8221;</p>
<p><span id="more-195"></span></p>
<p>In fact, Apple should be praised (initially at least) for issuing such a common-sense notice, but spanked for taking it down. No security expert in his or her right mind would recommend going without anti-virus software, regardless of platform. Those who have drunk the Apple Kool-Aid and believe that their machines are impenetrable are making a big mistake. An unprotected Apple is a disaster waiting to happen&#8211;sooner or later, an attacker will take a bite out of it.</p>
<p>It&#8217;s true that there have been very few viruses targeted at the Apple OS, although that is largely because of market share, and not technical superiority. Attackers want to cast the widest net possible, so they write Windows viruses, because there are more Windows machines. Cute television commercials aside, that&#8217;s really all there is to it. And besides traditional viruses, there is a greater shift among cybercrooks to Web-based attacks designed to steal passwords and other data.</p>
<p>It&#8217;s very curious that the message disappeared shortly after it was put up&#8211;more than likely because it conflicts with Apple&#8217;s ad campaign that implies that only Windows PCs need antivirus software. Ultimately though, the threat is very real, and will only become more serious as time goes by. Viruses and other malware threats cannot be ignored, and if Mac gains more market share&#8211;which is presumably the company&#8217;s goal&#8211;there will be viruses. You can count on it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2008/12/mines-a-mac-mines-a-pc-both-need-anti-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

