Security Manager's Journal: Spam makes a comeback
Out of the blue, phishing attacks previously caught in the spam filter are getting through to employee inboxes.
Computerworld - How could spam be an issue for a security manager in 2013? It's been years now since we all started subscribing to services that do a phenomenal job of filtering out advertisements for prescription medications and exotic vacations and dumping them into spam folders, where they usually accumulate and never bother anyone.
Until this past week, I likely hadn't spent five minutes in 10 years thinking about spam -- a testament to the effectiveness of spam filters. After all, about 98% of our incoming email is spam. If we didn't have effective spam-filtering engines, every employee would receive an extra 40 to 50 emails per day. That would hit productivity.
Probably because real spam has long been out of sight and out of mind for our employees, our general counsel was dismayed when he recently started regularly receiving emails that he deemed to be spam. He forwarded some of them to me, wondering what was going on. The emails purport to be from organizations such as ADP, FedEx and eFax, and at first glance they look legitimate. Only an inspection of the email headers would tell you otherwise.
Some of the emails contain links to questionable sites in places like China and Russia. Some include attachments that are supposedly required certificates or e-fax documents but in reality are zip files containing an .exe file. In short, these are not ordinary spam -- which is annoying and clogs networks but is generally benign. No, these are phishing attacks.
Soon, others in the company began to complain about an increase in spam. Why, I wanted to know, weren't these phishing attacks being intercepted and shuttled away from employees' inboxes?
I was aware that we have been migrating users to a managed Microsoft email service and that there had been talk of saving money by dropping our current spam provider in favor of Microsoft's spam prevention system, which is bundled with the mail service. I figured that was likely the root of the problem, and sure enough, my suspicions were right.
We previously had not only inspected attachments, but also restricted the types of attachments that could be delivered. We also had Sender Policy Framework (SPF) checking enabled, which verifies that the server sending a message is authorized to send mail for the domain it claims to come from. When the email team migrated our email, they neglected to enable these critical security functions, and thus spam has become an issue of concern for me in 2013. Now, employees potentially could click attachments or links and execute malicious programs.
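To make the two dropped controls concrete, here is an added example (not code from the author or his organization) of the gateway-side check they describe: it reads the SPF verdict the receiving mail server recorded in the Authentication-Results header and refuses executable attachments, including an .exe wrapped inside a zip as in the eFax lures. The sample message, the domain names and the blocked-extension list are constructed for illustration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# File types the gateway refuses outright (constructed list, not the author's actual policy).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".js"}

def extension(name: str) -> str:
    """Lower-cased extension including the dot, or '' when there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""

def spf_result(msg) -> str:
    """SPF verdict the receiving MTA recorded in Authentication-Results ('none' if absent)."""
    hits = [re.search(r"\bspf=(\w+)", str(h)) for h in msg.get_all("Authentication-Results", [])]
    return next((m.group(1).lower() for m in hits if m), "none")

def assess_message(raw: bytes) -> list:
    """Apply the two dropped controls: require an SPF pass and refuse executables, even inside zips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    verdict = spf_result(msg)
    if verdict != "pass":
        findings.append(f"spf:{verdict}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if extension(name) in BLOCKED_EXTENSIONS:
            findings.append(f"blocked_attachment:{name}")
        elif extension(name) == ".zip":
            payload = io.BytesIO(part.get_payload(decode=True))
            members = zipfile.ZipFile(payload).namelist() if zipfile.is_zipfile(payload) else []
            for member in members:
                if extension(member) in BLOCKED_EXTENSIONS:
                    findings.append(f"executable_in_archive:{name}/{member}")
    return findings

def build_sample() -> bytes:
    """Constructed lookalike of the column's eFax lure: SPF failed, zip wrapping an .exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("efax_document.exe", b"MZ placeholder, not a real program")
    m = EmailMessage()
    m["From"] = "noreply@efax.example"
    m["Subject"] = "You have a new fax"
    m["Authentication-Results"] = "mx.corp.example; spf=fail smtp.mailfrom=efax.example"
    m.set_content("Your fax is attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="efax_document.zip")
    return bytes(m)
```

A message with no Authentication-Results header is treated as an SPF failure here, which is the safe default when the upstream MTA has not recorded a verdict.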
Luckily our endpoint protection software prevented most of the attachments from causing harm, but there wasn't 100% detection. As a result, I'm having my security team analyze the suspicious email attachments and links that have been identified and build rules in our security incident and event management tool to look for evidence that employees have clicked on any of them or downloaded nefarious software.
We have also recently enabled a really cool feature within our Palo Alto Networks firewalls called WildFire, which redirects executable files to a secured sandbox, where each program is run and evaluated to determine whether it is malicious. Unfortunately, since this is new functionality, we're simply monitoring the events and haven't yet enabled blocking.
We've had to take action a couple of times, but we've been lucky so far. For example, one attachment that was executed by several employees proved upon evaluation to be programmed to reach out to a server in China to download additional software. Luckily, the server in China had been taken down.
Now, we have to continue to monitor for suspicious activity, and I need to ensure that our current email architecture is deployed in a secure manner.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at email@example.com.