Professional Documents
Culture Documents
THREATS:
HOW SAFE IS YOUR COMPANY?
PROTECT YOUR BUSINESS
PROTECT YOUR BUSINESS
AGAINST HARMFUL EMAIL
Introduction
The year ahead in email security will likely raise many of the same concerns
that presented themselves in years past but 2010 is sure to underscore the
importance of employing effective, integrated Web, email and data security.
Experts predict that email will once again be used as a top vector for
malicious attacks. Not only are more emails containing malicious
attachments, but researchers also have seen increasingly sophisticated
blended attacks that are difficult to close down.
blended attacks that are difficult to close down.
During 2010 more emails containing malicious data‐stealing attachments and
malicious URLs are expected. Therefore, in order to effectively secure email,
organizations need to have email security with integrated Web and data for
protection against these converged threats.
t ti i t th d th t
Modern business is reliant on email. All organisations using email need to
answer the following questions:
• How do we control spam volumes without the risk of trapping a
How do we control spam volumes without the risk of trapping a
business email?
• How do we stop leakage of confidential information?
• Can we detect and stop exploitation from phishing attacks?
• How do we prevent inappropriate content from being circulated?
Every company has to have security with the ability to carry on conducting
business freely. This short guide will discuss the current threats of internet
and email security and help you determine whether your business is safe.
Contents
Increase in Unpredictable Spam Volume 4
Start with Internet Security 5
Are you Sure That Email is Safe?
Are you Sure That Email is Safe? 6
It’s Only Becoming More Difficult 7
Robust Email Policies 9
Be Clear About the Dangers 10
A Viable Solution
A Viable Solution 11
Staying Current with SaaS Solutions 12
Time to Revisit your Options 13
About MXSweep 14
Increase in Unpredictable Spam Volumes
Spam levels are predicted to remain a concern unless rogue ISPs are
taken down.
These rogue ISP host servers control and send spam through robots on
infected computers. That could mean increased pressure on
infrastructures and could potentially require a higher investment on
additional hardware and the internal resources to manage it. The
unpredictability of the spam volume increases could make budget
d bl f h l ld k b d
planning difficult. Taking the problem off the infrastructure and finding
ways to economically manage the ever rising amount of spam will
continue to be a top priority for IT management this year. That is why
Security‐as‐a‐Service (SaaS), or solutions using platforms that are in the
y ( ) gp
cloud will continue to be increasingly popular.
Start with Internet Security
Blended threats have forged ahead and are dominating the security
landscape. 81 percent of all emails circulating during the same period
contained links to spam sites or malicious websites. These types of
attacks demonstrate why intelligent Web security is a critical component
of email security.
Users may not know that the websites they are directed to are
d
dangerous because often times, emails with links go to a legitimate site
b f l hl k l
that the user doesn’t know has been compromised.
Are You Sure That Email is Safe?
Criminal hackers keep hard at work to inject malware into legitimate
websites in links sent via spam emails. Long gone are the days when
users could expect to be safe while visiting sites of reputable brands or
organizations. Sadly, 2009 provided numerous exploits to choose from.
Spammers used brand names such as McDonald’s and Coca‐Cola to
infect users with malicious code sent in email attachments that
contained malicious files. In other cases, they continued to rely on the
d l fl h h d l h
trusted reputations of large and recognized organizations such as CNN
and duped users by leading them to websites through spam emails
claiming to be from the international news network.
Users were also targeted in a phishing scam that claimed to link to the
Federal Reserve Bank via email where users were asked to confirm,
update or verify account data by visiting the fake link that led them to a
spoof website resembling the real Federal Reserve Bank’s site.
The combination of these exploits and legitimate websites means that
the problems affect more people, go undetected longer, and maximize
the criminals’ return.
It’s Only Becoming MORE Difficult
The need for email protection is also crucial because hackers tap into
users’ perceptions. For instance, end‐users now expect spam to be
filtered in emails, so anything that gets through appears more legitimate
t th
to the end‐user. Hackers are aware of this behavior and have begun
d H k f thi b h i dh b
targeting social networking sites that have good reputations. They
launched a phishing campaign in 2009 to get their hands on username
and passwords. The scammers used Facebook’s email system, which
made them appear legitimate in their attacks.
As spammers continue to develop their sophistication of spam, their
veiled attacks put your defenses in jeopardy. That means email users can
no longer rely on apparently trustworthy emails to be safe.
Securing email is an increasingly important factor when it comes to
preventing data loss. Criminals are sending links via email to malicious
websites in addition to the traditional methods of concealing malicious
code within an attachment.
Most of these emails will be random spam and phishing attacks, but
some will be carefully crafted spear‐phishing attacks on individuals using
social engineering techniques and personal information to make them
more compelling. Companies need to ensure that their email protection
a so oo s at t e ebs tes be d t e e a
also looks at the websites behind the email in order to protect their
o de to p otect t e
intellectual property, confidential information and sensitive personal
data. A global study of 69,000 employees by the Intrepidus Group, found
that people were less cautious when clicking on active links in emails
than when they are asked to provide sensitive data.
But the danger doesn’t always lie in a link. The widespread use of
broadband Internet connections means that people can send and
receive very large emails, sometimes running into tens of megabytes.
Malicious employees can send copies of confidential information such as
customer databases to new employers or competitors. Even a well‐
intentioned but absent‐minded employee could send a confidential
email to the wrong recipient. Email auto‐complete features can be, in
this context a real menace In fact according to Gartner 80 percent of
this context, a real menace. In fact, according to Gartner, 80 percent of
sensitive information leaks are due to accidents and ignorance.
Historically, identity management and access control were the main
ways to secure data. Now, companies need an extra line of defense in
ways to secure data. Now, companies need an extra line of defense in
their email infrastructure to oversee the flow of information and
prevent data loss.
Robust Email Policies
Servers don’t send email, people do. That’s why it is important that
everyone in your organisation understands exactly what is acceptable
when using email.
There is an inverse correlation between how much time a company
spends developing and promoting its email policy and how much money
they spend chasing the problems created by poorly managed email.
A good policy looks like this:
• Clear – easy to understand, with minimal room for
interpretation
• Realistic – based on the involvement of all parts of the business
to reflect the way you work
• Granular – recognising that different users, departments and
locations use email differently (while sharing common ground)
• Flexible –
Flexible the ability to change as your business changes
the ability to change as your business changes
• Up to date – covering all new threats and reflecting continuous
feedback from the business
• Visible – an effective policy is seen on induction, on bulletin
boards in cafeterias company newsletters
boards, in cafeterias, company newsletters…
Don’t just tell all staff about the policy: tell them that is enforced using
filtering technology. The deterrent effect alone will prevent breaches
from occurring.
Be Clear About the Dangers
If your organisation’s email security strategy doesn’t cover every one of
these threats, you’re inviting trouble:
• Viruses
• Trojans and bots
• Spam and phishing attacks
• Spyware
• Denial
Denial‐of‐service
of service (DoS) attacks
(DoS) attacks
• Confidential data leaks
• Hate mail and pornography
• Illegal material and stolen files
• Regulatory breaches
Regulatory breaches
A Viable Solution
An email security strategy that over‐burdens the IT department and
email administrators will ultimately fail – not to mention wasting talent
that can be better employed elsewhere.
A sustainable approach is:
• Technology‐enabled – supported by robust traffic‐filtering and ‐
analysis tools
• Integrated – handling all threats in one solution from a single
interface
• Web‐managed – giving administrators access from any browser,
anywhere
• Shared sensibly – with users managing their own quarantine
lists and authorised departments helping with relevant policy
breaches
• Automatically updated – minimising manual patches and
updates to profiles software and operating systems
updates to profiles, software and operating systems.
• Easy to deploy, monitor and manage – with comprehensive
reporting to keep things on track
Take a look at your current defences. If any one of the above is not true,
Take a look at your current defences If any one of the above is not true
both efficiency and security could be compromised.
Staying Current with SaaS Solutions
The threats targeting your enterprise are always changing. You don’t
want to invest in technologies that will be out of date when the next
piece of bad news crops up. That’s why timely and easy upgrade paths
are essential.
One solution is Security‐as‐a‐Service (SaaS) or solutions whose
platforms are “in the cloud”. Not only are they usually more economical,
according to Osterman
d Research, but they are also more secure and
h b h l d
easier to manage. Security solutions using SaaS are a rapidly growing
segment of the overall market. Email security is rarely strategic to a
business, and turning to a SaaS provider can free up IT staff for more
important work. SaaS
p offers contractual service level agreements (SLAs)
g ( )
to specific performance metrics.
Time to Revisit your Options
Email is critical to doing business today. As email threats continue to
evolve and grow, organizations cannot be complacent about their
security. “Organizations that do not adequately address email security
problems face legal liabilities, financial risks, the potential for not being
in compliance with statutory and legal requirements and other risks,”
according to a recent white paper by Osterman Research.
Perhaps it’s time to reexamine your email security options to ensure
h ’ l
they can adapt to and address today’s dynamic email threats. If you are
curious to see what you can do to reduce costs, workload, and still
operate safely and free from modern IT threats, ask your existing email
security vendor how they deal with modern security threats —
y y y
specifically emails containing links redirecting you to malicious content
hosted on newly compromised, legitimate websites. It could be the most
important question you ask this year.
About MXSweep
MXSweep's SaaS security services platform delivers world class and cost
effective email security alongside disaster recovery and corporate
compliance services designed for the corporate and public sector
markets.
MXSweep protects organizations from all email‐borne cyber threats, loss
of confidential data and provides important compliance, reporting and
email back up functionality via the partner portal Our email security
email back up functionality via the partner portal. Our email security
services allow organizations minimize productivity loss from cyber
threats or loss of critical email data and focus on core business. Founded
in 2006, MXSweep is a privately held company based in Dublin, Ireland
with hundreds of established partners in UK/Ireland, Scandinavia,
Benelux, Germany, France and the US.
For more information please contact MXSweep:
www.mxsweep.com
sales@mxsweep.com