Michael Osterman explains that, while social networks are on the rise, email remains king when it comes to security threats.
Twitter is growing by leaps and bounds among business users. Tens of millions of business users communicate on Facebook. LinkedIn users number in the multiple millions. Instant messaging clients - both consumer and enterprise-grade - are used widely. Text messaging/SMS has become the default mode for personal communications for many younger workers.
That said, email continues to be the dominant communications and file transport mechanism used in business today. The results of a recent Osterman Research study confirm this reality.
For example, email users spend an average of 152 minutes on a typical day working in their email client, or 28 percent of their nine-hour, nine-minute workday. Compare this with their use of the web at 138 minutes per day (23 percent), attending in-person meetings (13 percent) and talking on the phone (12 percent).
Further, email users spend only 13 percent of their time on a typical day not working on a computing platform of some kind, whether it's a desktop computer, laptop computer or smartphone. Slightly more than one-half of email users report that more than a quarter of the information they need to do their work can be found somewhere in their email system.
Spam under attack
It is important to note that the situation on the spam front is getting better in several ways. The takedown of McColo in November 2008 significantly reduced spam, albeit temporarily. Better spam-filtering tools are finding wider use. Reputation analysis systems are blocking spam more effectively than traditional capabilities have in the past.
On the downside, however, a large number of organizations report to us that spam is getting worse, both in volume and sophistication. Spammers continue to get more clever in the ways that they deliver their content. A difficult economy is driving spammers to develop newer, better and more ingenious ways of getting their content through spam filters. Timely subject lines focused on natural disasters or pandemics or financial problems continue to attract many. Further, malware continues to be delivered via email, although much of the focus for malware developers has shifted to the web, as discussed below.
Email threats are by no means a security problem unto themselves. We are seeing substantial growth in blended threats that use email as an invitation to web-based content. For example, many spam messages contain a link (sometimes a shortened URL) to one of the millions of unique URLs on hundreds of thousands of websites that automatically install malware on visitors' machines. Spam often is used to drive traffic to these sites simply for the purpose of installing malware for later use, such as building botnets that can deliver more spam, or phishing attempts.
Outbound email also represents a security threat. Sending an email without encryption is akin to writing and mailing a postcard with the content exposed to everyone handling the card during its journey to the recipient. Hackers and others with malicious intent can intercept email messages and read them simply by placing packet sniffers on the network. In spite of the risk, the vast majority of email messages are sent in clear text without any sort of encryption applied to protect the content of the message itself or the attachments it includes. This, despite the fact that a large proportion of email messages contain some sort of sensitive, confidential or regulated content that should be protected from access by unauthorized parties.
As businesses use email as a standard form of communication, clear text email messages can often contain information that businesses would not like to become public or fall into the wrong hands. But all too often this is exactly what happens. It is easy to rely on the auto-fill feature of many email clients that completes a recipient's name when the sender types the first few letters, but this could result in the email being sent to the wrong person. Also, it is easy to email attachments and other files that contain sensitive information to the wrong individual, or for other users to mistakenly forward such attachments to unauthorized recipients. Further, an email can be forwarded that might contain sensitive information far down in a discussion thread, often unbeknownst to the sender who might not have read the entire message.
The key then is to protect this information using some sort of data leakage protection, encryption or content filtering technology that will monitor outbound communications and maintain the security of sensitive information.
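An outbound content check of the kind described above, as an added example that is not from the original article: it scans the body, the quoted thread and text attachments of a message and flags it only when a recipient is outside the organization. The domain `corp.example`, the function names and the choice of payment card numbers as the sensitive pattern are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "corp.example"   # assumption: the organization's own mail domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, so arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cards(text):
    """Return the last four digits of each Luhn-valid 13-19 digit number in text."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            found.append(digits[-4:])
    return found

def outbound_decision(msg):
    """Scan body, quoted thread and text attachments; act only if mail leaves the org."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    external = sorted(addr for _, addr in getaddresses(headers)
                      if not addr.lower().endswith("@" + INTERNAL_DOMAIN))
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            where = part.get_filename() or "body"
            findings += [(where, last4) for last4 in find_cards(part.get_content())]
    action = "block_or_encrypt" if findings and external else "send"
    return action, external, findings

def sample_message(to):
    """Constructed message: a well-known test card number, deep in a quoted thread."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "alice@corp.example", to
    msg["Subject"] = "Fwd: Re: Re: account update"
    msg.set_content("FYI, see below.\n\n> Bob wrote:\n>> Card on file is 4111 1111 1111 1111.\n")
    msg.add_attachment("customer,card\nJ. Doe,4111-1111-1111-1111\n",
                       subtype="csv", filename="export.csv")
    return msg
```

Calling `outbound_decision(sample_message("partner@vendor.example"))` flags the message for both the quoted thread and the attachment, while the same content sent to an internal address is allowed through with the findings still recorded.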
What are the best practices that organizations should follow to maintain robust email security, as well as the security of their data and networks in general? There are a few key guidelines to consider.
It is vital to maintain very robust security defenses to protect against inbound threats sent via email. This includes not only appropriate defenses against the rising volumes of spam, but also capabilities that are updated continually to protect against malicious payloads in email, phishing attempts and the like.
Defenses should be integrated so that web threats can be managed as part of the entire security infrastructure. For example, a spam message that contains a link to a malicious website - one that might download a keystroke logger, say - should be quarantined because of the nature of the website to which the spam message points.
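The integrated check described above, sketched as an added example that is not from the original article: an inbound filter extracts the hosts a message links to and consults the same reputation data the web gateway uses. The reputation table, the shortener list and all hostnames are constructed placeholders, and the function names are assumptions.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Constructed data: placeholder hostnames, not real indicators.
WEB_REPUTATION = {"malware-drop.example": "malicious"}  # feed shared with the web gateway
SHORTENERS = {"short.example"}                          # links that hide the real target
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

def linked_hosts(msg):
    """Collect lower-cased hostnames from every text/plain and text/html part."""
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for url in URL_RE.findall(part.get_content()):
            try:
                host = urlsplit(url).hostname
            except ValueError:          # malformed URL, e.g. a broken IPv6 literal
                continue
            if host:
                hosts.add(host.lower().rstrip("."))
    return hosts

def verdict(raw_message):
    """Quarantine on a known-bad link, hold shortened links for resolution, else deliver."""
    hosts = linked_hosts(message_from_string(raw_message, policy=default))
    bad = sorted(h for h in hosts if WEB_REPUTATION.get(h) == "malicious")
    if bad:
        return ("quarantine", bad)
    hidden = sorted(hosts & SHORTENERS)
    if hidden:
        return ("hold", hidden)
    return ("deliver", [])

def sample(body):
    """Build a constructed test message around the given body text."""
    return ("From: news@sender.example\nTo: user@corp.example\n"
            "Subject: Storm relief update\n\n" + body + "\n")

if __name__ == "__main__":
    print(verdict(sample("Photos: http://Malware-Drop.example/view?id=1")))
    print(verdict(sample("Photos: http://short.example/a1b2")))
    print(verdict(sample("Minutes: https://intranet.corp.example/notes")))
```

The "hold" verdict covers the shortened-URL case: the filter cannot judge the destination from the link alone, so the message waits until the gateway has resolved and rated the target.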
An important consideration in any security infrastructure is protection against the growing number of threats that can be delivered through web 2.0 applications. For example, tools like Twitter and Facebook are finding use in a growing number of organizations. While many organizations simply block (or try to block) these tools, they do offer business value and should find use, where appropriate. Part of any organization's security infrastructure must be to manage use of web 2.0 applications in a way that is consistent with corporate policies, regulatory requirements and other obligations.
Outbound content must be managed as vigorously as inbound content. This will allow emails and other information transmitted beyond the firewall to be sent securely and in a way that will minimize the risk inherent in sending sensitive content to those on the outside.
Many organizations overlook mobile devices as an ingress point for malware. For example, few users have any sort of anti-malware software installed on their smartphones. However, given that many users employ smartphones as their primary or secondary email client and surf the Web from these devices, they can represent an entry point for malware. As a result, smartphones must be part of the overall security plan for protecting against malicious content.