Stop Viruses, Can Spam
Eliminating virus threats from e-mail is a two-fold process. First, you must prevent viruses from entering your e-mail infrastructure by using software or hardware. Then, you must ensure your solution is updating its virus-definition files--year-old definition files are useless. And it's not sufficient to simply deploy protection that scans incoming e-mail for viruses; you must prevent users from spreading the infection among internal e-mail servers as well as to computers outside your IT networks. Second, each desktop computer must have virus-scanning software that searches e-mail attachments to remove the threat of infection.
McAfee, Symantec, Trend Micro and other security vendors all offer add-on software that downloads regular updates to ensure you have the latest signatures for current viruses. You also can replace your inbound gateway e-mail servers with an appliance capable of removing virus content from e-mail. IronPort, Sonicwall and Symantec offer e-mail security in hardware devices that do more than virus scanning; these appliances also find potential malicious content.
As we mentioned last November, legislation such as the CAN-SPAM Act of 2003 has not led to a decrease in the amount of spam a typical end user receives (see "Spam Filters: Still Sick of Spam"). Content-filtering software, however, can reduce the number of spam and phishing messages that make their way to e-mail in-boxes. Our Network Computing Barracuda spam filter tagged 86.7 percent of all our mail as spam earlier this year--that's 7,348,391 messages. That ratio was relatively unchanged from testing we did in October 2005 and May 2004. (Barracuda won Network Computing's 2005 Well-Connected Award in the Antispam Tool category.)
Most spam is now blocked at the boundary, before it reaches the messaging server, by devices such as Tumbleweed's MailGate Email Firewall, which uses the company's DAS (Dynamic Anti-Spam) technology, and IronPort's C600 appliance with Symantec Brightmail Anti-Spam. You can also buy software that runs on a corporate mail platform to protect gateway server devices.
Today, the greater threat comes from spyware and phishing attacks rather than conventional spam. In extreme cases, instances of spyware, especially key loggers, can compromise a company's intellectual property. Besides the increased risk of losing data when spyware is installed, it can be difficult and time-consuming to remove. And, productivity can suffer when employees spend company time fixing credit reports harmed during a phishing attack. So filtering only for spam is clearly not a wise choice.
One area of content filtering that doesn't get enough attention is that of intellectual property in outbound e-mail. Nearly 50 percent of network security attacks come from within the so-called secure boundary of the corporate network, according to Deloitte's 2006 Global Security Survey (see "Data Drain"). People have different incentives for accumulating corporate information illegally. They might be paid handsomely for stealing data, or they might simply take data because they can. We've all come across the end user who, knowing he'll be leaving the company soon, decides to forward all e-mail in his in-box to his personal e-mail account. We're also familiar with the more damaging scenario of the employee who takes all of her contacts--including valuable sales leads--with her to her next job. Creating an effective e-mail security policy that includes scanning outbound e-mail for sensitive content can help protect your corporate secrets and keep information from getting to where it shouldn't. But content scanning is still not as accurate as virus scanning. False positives, mistuned policies and e-mail mistakenly held up as "potential" threats on outbound servers will cause business delays.
Policing Your Setup
Combating viruses, spyware and phishing attacks does not stop with the selection and implementation of one of these technologies. Your security policy must be clearly defined to match the sensitivity of your data, and it must be enforced; it must convey who owns e-mail and how it is used. Undesirable e-mail security scenarios can be avoided through awareness campaigns and personnel training. Make sure your end users log out of their Windows sessions when leaving their workstation to prevent unwanted browsing of their in-boxes. Work with HR to ensure that employees are aware that all corporate e-mail is the express property of the company, not the employee. Take measures to make sure passwords aren't written down and placed on monitors or under keyboards. These sound like common-sense measures, but we all know how often these guidelines are ignored. Finally, be wary of visitors to your offices, and make sure they are chaperoned when appropriate. Based on these concepts, create e-mail education seminars for your users. Training your end users will allow them to police themselves.
One of the more deadly delusions in the IT world is that the systems administrator or security officer can somehow maintain control over the network and all the information in it. The fact is, though IT professionals create and enforce policy, end users' actions ultimately dictate how technology is used in the enterprise.
