As
messaging technology overlaps and more employees communicate
using a variety of tools, IT shops will have to respond with new
user policies to lock down corporate data.
"Enterprises increasingly need outbound content monitoring and encryption for compliance and risk management." Arabella Hallawell, vice president, Gartner Inc.
Gartner analyst Arabella Hallawell delivered that message during
a presentation at the Gartner IT Security Summit Tuesday. She noted
that messaging technologies are converging, with people using
instant messaging (IM), Web mail and blogs to communicate. On the
Voice over Internet Protocol (VoIP) side alone, Skype, IM,
videoconferencing and chat programs are being used in combination,
she said, adding that companies need to make sure proprietary
information isn't being sent through these channels.
"Blogs are an example of how proprietary information can be sent
out," Hallawell said. "Corporate blog use policies will probably
become necessary at some point, and companies need to be thinking
about what should be in those policies."
Attackers can also take advantage of the technology convergence,
finding holes to gain access to sensitive information.
Don Ulsch, technology risk management director in the Boston
office of Jefferson Wells International, delivered a similar
warning on blogging threats during a
luncheon presentation to a group of IT security professionals
last month.
He noted at the time that there are approximately 100 million
blogs across cyberspace and some of them are used by organised
criminal outfits to push gambling and pornography. When an employee
does personal blogging on a company machine and corporate email
account, blog databases are able to suck in a wealth of email data.
Hackers can use sophisticated data mining software to scan the
blogs for proprietary information that may be sitting in some of
those stored messages, Ulsch said.
Hallawell said IT shops will also have to consider what kinds of
controls they want in place to deal with the convergence.
One of the biggest messaging-related problems is spam, and
Hallawell sees no end to it. Image spam in particular is on the
rise. That trend is illustrated in a warning the Bethesda,
Md.-based
SANS Internet Storm Center issued Monday about a
new round of malicious spam that has been circulating of late,
attempting to trick users with such bogus subject lines as "Re:
U.S. violent crime up again, more murders, robberies," and "Man
Awakens From 19-Year Coma."
"Enterprises increasingly need outbound content monitoring and
encryption for compliance and risk management," Hallawell said.
"Most companies don't want to buy new tools to deal with [messaging
threats] and they are looking to their email security vendors for
help. But many are not up to the challenge."
She offered some figures to illustrate the scope of the problem.
Image spam is up 30-40%, she said, and botnets are the main source
of 80% of the spam flooding inboxes today.
Meanwhile, there's a flip side to messaging security -- messages
from legitimate companies are getting blacklisted. To minimise the
problem, Hallawell said companies need to ask their vendors how
they decide what to block, what their geographical reach is and
how often their data is refreshed. It's also important to ask what
kind of reporting capabilities exist to see who is being blocked
and how much.
To stay off the blacklists, she recommended IT pros get an
inventory of sending domains from their marketing departments,
including a list of who sends emails on the company's behalf. She
also suggested companies be careful not to overuse a single
domain.
Companies also have to be careful about the lists they choose to
buy.
"Buying a bad list gets you on blacklists," she said.