Top 5 E-mail Security Threats

Executive Summary

Are worries about spam and virus attacks to your enterprise email system keeping you up at night? The bad news is that they're not the only email security threats you should be worried about. Let's take a closer look at the top five email-borne security threats, including ones originating from inside your network that you may not have considered before.
1. Viruses
2. Spam
3. Directory harvest attacks (DHAs)
4. Denial-of-service (DoS) attacks
5. Internal policy violations

Threat #1: Viruses
Viruses have been around for years, but that doesn't make them any less dangerous or easy to eradicate. New, more destructive viruses and worms are being unleashed at an alarming rate. Reports indicate that 50 percent more virus attacks were launched in 2003 than the prior year. The January - March 2004 Mydoom virus outbreaks were the biggest the Internet has encountered to date.

Threat #2: Spam
Spam is expected to increase to 80 to 90 percent of total email. Moreover, the boundary between spam and viruses is blurring. New viruses turn desktop PCs into spam-spewing "zombies." There is also a new type of spamming technique called "phishing," used to dupe recipients into providing confidential personal identity information. You can expect the occurrence of these spam-virus hybrids to increase and develop into even more dangerous and damaging threats. The January 2004 CAN-SPAM Act has so far had no effect on spam, primarily because Internet technology allows spammers to hide their identities, and some spammers merely move their operations offshore where U.S. laws cannot touch them. It is also clear from the rise of virus attacks that the threat of vigorous enforcement with severe penalties has not deterred virus writers either.

Threat #3: Directory Harvest Attacks (DHAs)
Also called "dictionary attacks," this technique steals proprietary information from corporate directories. During a DHA, spammers attempt to deliver messages to multiple addresses, such as [email protected], [email protected], and [email protected]. Addresses that are not rejected by the receiving mail server are determined to be valid. A successful DHA can net a spammer thousands of corporate email addresses in just a few minutes. These addresses are compiled and sold to other spammers worldwide; companies who have had their email addresses harvested are vulnerable to an ever-growing amount of junk mail. Unwittingly, a company's own mail servers can compound the network traffic problem by generating thousands of bounce messages in response to invalid email addresses. The increase in activity creates traffic spikes that are essentially self-inflicted denial-of-service attacks that can completely shut down mail servers. By the time log analysis identifies a suspect IP address barraging an email server with invalid delivery attempts, the valid addresses have long been harvested. The sobering reality is that on average, 10 percent or less of SMTP connections handled by corporate mail servers are legitimate email. An estimated 30 to 40 percent of inbound SMTP connections through the corporate mail gateway can be traced to DoS and DHA attacks. These threats can overwhelm mail transfer agents (email servers) to the point of shutdown.

Threat #4: Denial-of-Service (DoS) Attacks
DoS attacks are designed to disable a company's network by flooding it with useless traffic, disrupting network connections between machines, or disrupting services to network machines or users. They consume resources, destroy or alter configuration information, and even physically harm or alter network components. As in the virus scenario, hackers can turn unsuspecting computers into "attack droids" by using automated self propagating programs to scavenge for computers on the Internet that are poorly secured, or that have out-of-date or non-existent anti-virus software protection. They then install programs that can remotely carry out the attack. Self propagation enables large attack networks to be built very quickly. A by-product of the network-building phase is yet another DoS attack, because searching for other vulnerable computers creates significant traffic as well. Both DoS and DHA attacks exploit vulnerabilities in SMTP connections. These connection-level threats are difficult to detect and drain server and bandwidth. Unfortunately, first generation desktop and gateway/server solutions are not well equipped to detect these rapid-fire, multi-source SMTP connection-level attacks because they run behind the firewall and therefore can see only a narrow piece of the Internet.

Threat #5: Internal Policy Violations
An often overlooked class of email security threats concerns email that may violate corporate HR, legal or IT policies or industry regulations. For example, companies establish internal policies to enforce HR rules against the inappropriate use of language and content, such as profanity or sexually explicit terms, in internal or external company communications. These policies protect employees from a hostile work environment and protect the company from the risk of employee lawsuits. The universality and ease of use of email make it a threat to intellectual property, so email policies are established to enforce rules against the disclosure of confidential company information or enforce compliance with industry security, privacy, and ethical practice regulations. Since email can also carry fun but time wasting content like MP3 and JPG files, companies may also establish policies to monitor email attachments for appropriateness to business activities.