
Defending the email infrastructure: Why email requires comprehensive protection

The increasing risk from email

It is impossible to imagine business without email.

According to analysts The Radicati Group, a typical employee spends 19 percent of their working day using email[1], while IDC Research estimates that 97 billion messages are sent worldwide each day[2].

As more of the world goes online, the popularity of email – and the business world’s almost complete reliance on it – will grow.

The proliferation and ease of use of email does, however, open it to abuse. Spammers bombard users with unsolicited messages every day, and organized criminal gangs systematically use email to disseminate malware and commit identity theft.

The barrage is relentless: in 2007 just 5 percent of all emails sent were legitimate, the other 95 percent of messages being spam or containing malicious links[3].

Organizations also need to ensure that their own employees use email systems appropriately.

The spread of dubious content and malware via email has the potential to cause offense and reflects negatively on an organization. Inadequate protection of the email infrastructure no longer just costs businesses in terms of time, but also leads to bad public relations, lost revenue, damaged share prices and financial penalties in the form of fines and lawsuits.

What is more, it is estimated that 80 percent of an organization’s operational records are stored within the email infrastructure, and so it is easy to see how business-critical data can fall into unauthorized hands.

As the continued growth in external threats is compounded by internal threats, an email security solution must serve a dual purpose:

»» Block spam, phishing and malware attacks

»» Ensure that organizations control their intellectual property and avoid costly compliance mishaps.


Overview of the email infrastructure

Email is a system constructed of multiple components that play differing roles. To ensure that each component delivers maximum performance, email security must also take a multi-layered approach. A basic email infrastructure is made up as follows.

Email gateway – also known as the email boundary or perimeter. This is the first line of email contact between your organization and the outside world. It is the point through which all inbound and outbound email travels.

Email server – in addition to all inbound and outbound mail, the email server handles all internal email, and acts as a storage depot for mail not yet downloaded by the email client.

Endpoint – the desktops and laptops and other devices, such as Blackberries and mobile phones, that run email clients.

The inbound threat

In terms of volume, the most significant threat to the email infrastructure comes from external spammers and cybercriminals. They have long used email to advertise their merchandise and breach security defenses, and are constantly adapting their tactics in an attempt to bypass current security measures.

Spam

Spammers use increasingly creative ways to obfuscate their sales slogans, hiding them inside pdf attachments, images or even mp3 files.

Such techniques all attempt to outmanoeuvre traditional email filters, providing spammers with an unobstructed path to user inboxes.

Spammers have also become very adept at using social engineering to disguise the true content of a message in order to trick recipients into opening it and clicking on any weblink contained inside.

While a user may think they are accessing a YouTube video, e-card or software upgrade, they might end up accessing a website selling male enhancement pills, counterfeit branded goods, or indeed anything.

“Pump-and-dump” campaigns are also increasing in popularity. This tactic sees spammers talk up a public company’s prospects in order to falsely inflate its share value, allowing them to sell their shares and realize a substantial capital gain.

Phishing, spear phishing and whaling

Phishing involves sending out emails that appear to come from reputable retailers, banks or credit card companies. These emails lure victims to fake websites that are almost exact replicas of the real thing. From here criminals capture usernames and passwords, bank account numbers and PINs. In October 2007, 31,560 phishing campaigns were reported to the Anti-Phishing Working Group (APWG), with 120 different brands hijacked[4].

Spear phishing is a phish attack launched at a specific organization. An email appearing to come from a trusted source, e.g. the CEO or IT administrator, tricks employees into providing network passwords, intellectual property and confidential data.


Whaling is a highly targeted phish attack directed at a high profile individual, such as a journalist, celebrity or business leader.

Malware and blended threats

In 2007, 1 in 909 emails contained malware, a sharp decline from 2005, when the figure stood at 1 in 446. While this figure might appear a positive move downwards, in reality, it only serves to highlight that cybercriminals have adopted more sophisticated techniques with which to infiltrate corporate networks. A popular tactic is to spam out emails containing weblinks that point recipients towards websites hosting malicious code. These emails contain no malware themselves, and so are more likely to bypass perimeter defenses.

Directory harvesting

Hackers use directory harvesting to continually probe an organization’s email server, guessing at email names and formats in order to gather bona fide addresses, which they can either use or sell on to other cybercriminals. The sheer number of server requests – and subsequent non-delivery receipts – can, in extreme cases, cause the server to fail, leaving the organization without email.
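The symptom the paragraph describes, a flood of recipient guesses that the server answers with "user unknown" rejections, is visible in the mail server's own logs. The following detection logic is an added example, not part of the original paper; it parses a constructed, simplified log format (not any real MTA's) and flags client IPs whose "user unknown" rejections for distinct addresses pile up within a short window, so a gateway can rate-limit or tarpit the source before the non-delivery load grows.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified, made-up format (not any real MTA's):
# <timestamp> client=<ip> rcpt=<address> status=<accepted|rejected> reason=<text>
SAMPLE_LOG = """\
2008-03-01T10:00:01 client=198.51.100.7 rcpt=alice@example.com status=rejected reason=user_unknown
2008-03-01T10:00:01 client=198.51.100.7 rcpt=alan@example.com status=rejected reason=user_unknown
2008-03-01T10:00:02 client=198.51.100.7 rcpt=albert@example.com status=rejected reason=user_unknown
2008-03-01T10:00:02 client=198.51.100.7 rcpt=amanda@example.com status=rejected reason=user_unknown
2008-03-01T10:00:03 client=198.51.100.7 rcpt=andrew@example.com status=accepted reason=ok
2008-03-01T10:00:03 client=198.51.100.7 rcpt=anna@example.com status=rejected reason=user_unknown
2008-03-01T10:00:04 client=198.51.100.7 rcpt=arthur@example.com status=rejected reason=user_unknown
2008-03-01T10:00:05 client=203.0.113.20 rcpt=sales@example.com status=accepted reason=ok
2008-03-01T10:00:06 client=203.0.113.20 rcpt=salse@example.com status=rejected reason=user_unknown
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=(?P<rcpt>\S+) "
                     r"status=(?P<status>\S+) reason=(?P<reason>\S+)$")

def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_harvesters(events, window=timedelta(minutes=1), min_unknown=5, min_ratio=0.6):
    """Flag client IPs that, within any sliding window, rack up many 'user unknown'
    rejections for distinct addresses (name guessing), unlike a sender with one typo."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            win = evs[start:end + 1]
            unknown = [e for e in win if e["status"] == "rejected" and e["reason"] == "user_unknown"]
            if len(unknown) >= min_unknown and len(unknown) / len(win) >= min_ratio:
                flagged[ip] = {"attempts": len(win), "unknown": len(unknown),
                               "distinct_unknown": len({e["rcpt"] for e in unknown})}
                break  # one hit is enough; a gateway would now rate-limit or tarpit this IP
    return flagged
```

The thresholds are assumptions to tune per site; the ratio test keeps a busy but legitimate partner server, whose rejections are a small share of its traffic, from being flagged.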

Inappropriate content and PUAs

Most organizations accept the occasional use of their email systems for personal reasons. However, there is a risk that personal emails can harm the organization’s reputation if an employee is receiving pornographic or violent content. Incoming personal emails can also add extra strain to the network, especially if they contain large music, gaming or video files. Potentially unwanted applications (PUAs) such as remote access tools and automatic dialers can also be difficult to manage and drain network resources.

The outbound threat

Email leaving networks is smaller in absolute volume than incoming messages, but it poses similar risks in terms of security and compliance.

Inappropriate content

Few organizations will allow pornography or other offensive content to be sent from their network, but the threat can come from a more innocent source.

Family photos and videos, links to non-business web sites and other personal content consume bandwidth and can negatively affect the image of the company if sent to unintended recipients.

Data leakage

According to IDC, email is the number one source of leaked business information[7], and these leaks are usually accidental. For example, many email clients use an auto-complete feature when typing names in the ‘To:’ field, to help reduce the amount of typing. However, this feature makes it easy to inadvertently add an unintended recipient.

Research shows that half of employees have sent an email containing embarrassing or sensitive information to people by mistake[8].

Why spam works

»» Millions of messages can be sent out in seconds through compromised computers.

»» Unlike physical mail, it costs virtually nothing to send spam.

»» Recipients respond to it. In February 2007, 5 percent of computer users admitted to buying goods sold via spam and by November 2007 this had risen to 11 percent[5].

Vulnerable information

»» Personally identifiable information (PII)

»» Financial statements

»» Trade secrets

»» Customer lists

»» Business plans


The Radicati Group also found that 77 percent of business users have, at times, forwarded business-related emails to their personal accounts[9]. This might help employees work more flexibly, but it represents a hole in the organization’s defenses and is particularly worrying for firms operating in highly regulated industries.

Botnets

Hijacked computers can become part of a botnet and, unknown to their owner, launch malware, spam or distributed denial of service (DDoS) attacks. Botnets degrade network processing speeds and damage reputations, as offending messages will appear to come from a legitimate source. In extreme cases, an organization can find its domains and/or IP ranges blocked by service providers and other institutions.

The internal threat

Many of the outbound and inbound threats are also found in internal email. Data leakage between departments, the circulation of inappropriate content and the distribution of non-essential applications all put email infrastructures at unnecessary risk.

In addition, the rise of regulatory compliance governing the security, storage and retrieval of information also has a direct impact on email use. With email often acting as the “corporate memory”,