“You can never be too cautious these days,” says Cherveny-Keough, director of academic computing at New York Institute of Technology (NYIT) in Old Westbury, N.Y. “Even if you implement the latest security solutions, you still need to educate everyone about current and emerging risks.”
NYIT, a college with more than 15,000 students, faculty and staff, must continually combat digital threats. In mid-2005, a virus targeted several NYIT student accounts, attempting to deliver email falsely claiming that Michael Jackson had tried to commit suicide. The email, which was widely circulated across the web on June 10, contained trojan code that deletes antivirus and security services from target computers.
NYIT’s defensive measures — including Symantec Corp. antivirus software on its servers and Barracuda Networks Inc. spam firewalls — stopped the attack in its tracks.
“We’ve got the spam filtering set up so that it is not so aggressive as to kill any real messages,” says Brian Maroldo, technical director at NYIT. “We’ve seen dramatic reduction in unwanted messages and viruses” because of the Symantec and Barracuda solutions.Still, as email threats continue to evolve, so too must today’s defensive strategies. Just ask Roland Voyages, former CIO of Commerzbank AG, a German bank with 33,000 employees — 7,400 of whom work outside Germany.
“You’ve also got to worry about spam filtering, identity protection and global compliance regulations,” says Voyages, who recently took a sabbatical from the bank. “Without the proper tools in place, it’s not unusual for each employee in a major company to receive one megabyte of spam per day. Suddenly, your email system is causing compliance, archiving and storage concerns among top management.”
Best defenses for 2006
Rather than resting on their laurels, progressive companies are taking a proactive approach to email security. Today’s strategies must:• block spam, viruses, worms and trojans
• encrypt messages
• educate users about phishing threats
• maintain compliance with Sarbanes-Oxley, HIPAA and other regulatory requirements.
Email compliance, in particular, has become a major distraction for senior IT executives.
“Compliance mandates like Sarbanes-Oxley have thrown a wrench into many email security strategies,” says Ed Golod, president of Revenue Accelerators Inc., an executive consulting firm in New York. “It’s fine to wipe out worms and viruses. But that’s not enough. If your email system leaks confidential financial information, or if you can’t retrieve old emails when regulators knock on your door, your executives can wind up in legal trouble.”
That’s why businesses are spending heavily to safeguard their email systems. Indeed, worldwide sales of email security solutions will reach $5.5 billion in 2010, up from $3.7 billion in 2005, predicts Ferris Research, a San Francisco-based market research firm. Moreover, half of all large companies now use email archiving and retrieval services to meet regulatory compliance requirements, according to The Radicati Group Inc., a research firm in Palo Alto, Calif.
Plugging in appliances
While traditional antivirus and anti-spam software remains popular, many organizations are deploying specialized security appliances from such companies as CipherTrust Inc., IronPort Systems Inc. and Mirapoint Inc.
These single-purpose devices typically include “hardened” operating systems that are stripped of all non-essential services. Secure email appliances are particularly popular with service providers, which manage millions of messages per day. Many service providers — from British Telecom to Research in Motion — have embraced Mirapoint’s MessageServer and/or RazorGate security appliance.
RazorGate secures Microsoft Exchange, Lotus Notes and Novell GroupWise environments, while Mirapoint MessageServer is a full-blown email system that includes integrated antivirus and anti-spam technology running atop a customized version of the FreeBSD operating system.
“MessageServer is the only cost-effective solution we’ve found that blocks viruses and spam, and offers five-nines [99.999 percent] reliability,” asserts Brian Johnson, a network administrator at Dickey Rural Networks, a telecommunications service provider in North Dakota. So-called “five-nines” availability is less than 5.26 minutes of unplanned downtime per year.
Generally speaking, that reliability also comes at an aggressive price point. Indeed, the three-year total cost of ownership (TCO) for a traditional email system like Exchange Server is about $320 per user, compared to about $88 per user for Mirapoint’s appliance, estimates The Radicati Group.
Even with the right mix in place, effective email security now requires related storage management solutions.
“The email and storage markets are converging in the age of compliance,” says Golod. “If you can’t backup and recover your email messages quickly, you can’t meet information retrieval deadlines from regulators or prosecutors.”
That line of reasoning drove Symantec to acquire Veritas Corp. for about $13.5 billion in July 2005. The deal paved the way for Symantec to integrate its security solutions with Veritas Enterprise Vault, an automated, policy-controlled email archiving and recovery system.Faced with compliance concerns, nearly half of all large companies now have email archiving and recovery solutions in place, up from 25 percent in 2004, according to The Radicati Group. Still, many companies believe archiving solutions require too much time to manage.
Moreover, backup email systems can be too expensive to design and deploy.
“In most cases, it’s too costly to build an exact replica of your existing email infrastructure,” says Samy Aboel-Nil, vice president of product technology at MessageOne Inc. of Austin, Texas.
Instead, MessageOne offers Emergency Mail System (EMS), a hosted email service that keeps electronic communications flowing when a company’s primary email system fails or suffers from a security incident. The emergency system costs about $1 per user per month, and requires little to no user training since users can continue to use their traditional email inboxes even as backend services switch to the hosted EMS system during an emergency.
Meanwhile, companies that grapple with email security must also wrestle with instant-messaging security concerns. Over the past year, the use of IM has risen 19 percent within U.S. businesses, according to America Online Inc. Yet popular IM systems from AOL, Microsoft Corp. and Yahoo Inc. lack comprehensive security and archiving capabilities. Moreover, only 18 percent of companies archive their IM traffic, estimates The Radicati Group.
Many users believe IM is a safe “back channel” or “hidden doorway” for moving information between departments or companies. However, IM systems are subject to the same compliance mandates that email systems must meet.
Notes Jay Chaudhry, CEO, chairman and founder of CipherTrust, which now offers IM security appliances that complement the company’s email security appliances: “The real-time, interactive nature of instant messaging makes it a valuable tool for collaborative efforts with business partners, customers and fellow employees, but at the same time it is a significant liability when not properly secured and managed.”
“Today’s college graduates take IM in the office for granted,” adds Golod. “If you protect your email systems but ignore IM, it’s like locking the doors but leaving your windows open. Your security initiatives have to blanket both IM and email.”
Security administrators would be wise to heed that message.
Joseph C. Panettieri is a freelance writer based in New York, who previously held senior editorial positions at CMP Media and Ziff Davis Media. He can be reached at email@example.com.
IM safety tips: Avoiding headaches
Financial institutions, in particular, should consider the following practices regarding Instant Messaging as part of an effective information security program:
1. Establish a policy to restrict public IM usage and require employees to sign an acknowledgement of receipt of the policy.
2. Consider implementing an intrusion detection system to identify IM traffic. Assess the need for other IM security products.
3. Create rules to block IM delivery and file sharing.
4. Consider blocking specific IM vendors.
5. Ensure a strong virus protection program.
6. Ensure a strong patch (software update) management program.
7. Include the vulnerabilities of public IM in information security awareness training.
Tech prep: 7 steps to email security
1. Create an email security policy that is communicated electronically at least quarterly, and printed in employee handbooks.
2. Educate employees about phishing, spam, spim (spam over instant messaging) and social engineering.
3. Enforce the email policy through monitoring, system checks and other random inspections. Be sure the written policy discloses these steps.
4. Tell employees to be wary of unsolicited email attachments, even from people they know.
5. Save and scan any attachments before opening them.
6. Turn off the email option to automatically download attachments.
7. Even if it is beyond your current budget, chart a long-term direction to a secure email system that offers strong end-to-end encryption, mutual authentication, auditing and enterprise control.
Source: SC Magazine Archives