Is spam a threat and how can I block it?
Does the panel have any advice on how
to reduce the amount of unsolicited e-mail and spam entering
corporate systems. Also, is spam just a pain or does it pose a real
security threat to my business?
Danger lies in the naivety of the end-user
Yag Kanani, Partner in charge of security
services, Deloitte & Touche
Spam is currently the biggest consumer of unnecessary bandwidth on
the internet. There is a risk that users receiving huge numbers of
unsolicited e-mail a day may become even more complacent than they
are at the moment. Social engineers thrive on end-user complacency
and a number of worm outbreaks, such as I Love You and Anna
Kournikova, have been successful because recipients were tricked
into launching a program, which devastated their systems and those
of others.
Spam or any other unsolicited message could be used to convince an
end-user to reveal sensitive information about themselves or
internal computer systems, a message posing as an online survey
could ask recipients for their password. The survey could also ask
for other information which may allow an attacker targeting a
specific organisation to gain valuable intelligence prior to
launching another type of attack.
The worst thing a user can do when they received spam is reply
asking for their name to be removed from the list. Unfortunately
spammers do not adhere to or respect the Data Protection Act and to
them a reply proves that an address is in use making it even more
valuable. Spam should be discarded, preferably not opened.
Train employees to ignore spam e-mail
Roger Marshall, Elite
From being a minor annoyance just months ago, spam is fast becoming
one of the top issues for corporate IT. The costs are largely
hidden but are real nonetheless. They consist mainly of the time
employees spend pressing the delete button as they go through the
entries in their in-boxes. Some will spend time actually reading
the stuff. If staff could be dissuaded from opening these e-mails,
the spam industry would die a natural death, eventually.
The only effective solution on the horizon is international action
to outlaw the practice entirely. The problem with that is the time
it takes to get countries to act. What we can do is point out to
our government the actual cost of spam to our businesses, to raise
it on its agenda.
Finally, the Sobig virus is now being spread by spammers, so the
answer must be yes. At least with viruses, unlike spam, the
protection is effective if properly applied. One thing that you
need in both cases, and for effective IT security generally, is
good end-user education and firm corporate policies.
Spam wastes valuable business resources
Robin Laidlaw, President, CW500 Club
This it is becoming more of a problem and only in the last year or
so have tools become available to try to tackle the issues.
From a business point of view the issues are:
- Wasted user productivity with rubbish clogging up mail boxes
- Wasted server space having to store and manage them until deleted.
From a security point of view the issues are the increased
potential threat of virus infections and Trojans, if a user opens
up an malicious e-mail or clicks on a link within the e-mail. These
days however, malicious e-mails are more likely to come from known
contacts so would not be blocked by spam filters anyway, especially
worms that propagate by copying and e-mailing an infected PC's
address book.
Get end-users to think before they click
Ollie Ross, Corporate IT Forum Tif
All e-mail receipt and internet access undertaken without
appropriate anti-virus and firewall protection exposes your systems
to potential intrusion.
Spam is a popular means of virus propagation and is a serious
security threat. Tif members have seen spam levels double over the
past year, and predict that "virus spam" will increase at the same
rate, so ensure you have desktop and perimeter protection in place,
and that your mail servers are configured to reduce your exposure
to unauthorised access and usage.
There is a wealth of sound advice and effective coping technologies
available. But one answer does not fit all, so enlist the
professional help of an expert. Whether you build and manage
in-house, or outsource your systems will depend on the extent of
your problem, your definition of and vulnerability towards spam and
the resources you have at your disposal.
Organisations using unconventional e-mail address formats and
functions as opposed to individuals' names on corporate websites
appear to be less afflicted than others.
Tif member discussions have concluded that your key tools are
education and user buy-in. A company policy on messaging is
imperative and must be communicated, understood, signed up to,
current and enforced to be effective. A long list of rules is
easily forgotten; your aim is to make users "think before they
click". Generate a real awareness of responsibility and
consequence.
Likewise, any spam reduction process you deploy will require user
involvement and active participation, especially if you intend to
base your solution on heuristics or white list creation. Ensure
your helpdesk has a "top tips" or "what to do" list and keep
everyone informed of what you are doing.
It is easy to forget the issue of "internal" spam, but don't ignore
the unnecessary traffic generated by interdepartmental
communications. Discourage the use of "cc" and e-mail broadcasts in
favour of a regular summary of links into the company
intranet.
Don't undertake any solution provision in isolation. Key spam
control decisions involve blocking, quarantining, retention,
notification and deletion. And while the process may belong to IT,
the decision-making must rest with the business.
The next big threat >>
