Should spam be treated as a security threat?


We all hate spam. No great revelation there, but spam is in the process of crossing that threshold from a personal nuisance to a threat to your business. According to a recent report from Nucleus Research, businesses lose an average of $874 per employee, per year, due to lost productivity related to handling spam.

Nucleus found that the average employee receives about 13 spam e-mails per day, which translates into six and a half minutes lost each and every day. While that may not sound like much, that time adds up and when you multiply those costs to account for a large enterprise, the damage done by spam is staggering: For every 72 employees, a company loses the equivalent of at least one employee's services to spam for the year.

With numbers like these in mind, the way enterprises treat spam needs to change. Regarding spam as an annoyance is no longer accurate. Unlike other forms of direct marketing, such as junk mail or telemarketing, spam should be considered a threat. A threat, you ask? Isn't that a tad extreme? Not when you consider that spam, like viruses and denial of service attacks, directly affects your bottom line.

Moreover, consider this: Spammers are increasingly employing tactics from the hacker community. Addresses have been harvested from Trojan horse programs and, when taken together, the massive volume of spam often acts like a de facto denial-of-service attack. Moreover, as corporations attempt to assess the damage done by spam, they are beginning to realize that $874 per employee is low, accounting only for lost productivity. When you factor in wasted bandwidth and the need for additional infrastructures like mail servers and storage appliances, the total cost of spam skyrockets.

A quick fix to the spam problem has emerged: Legislation. President Bush just signed the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), which went into effect on January 1, 2004. Like most quick fixes, however, this one is flawed. Market research firm Gartner believes that if spammers feel threatened by U.S. laws, they'll simply start using overseas ISPs--the law acting as little more than a speed bump.

In the early days of the Internet, security was simple and straightforward: If you had a firewall and virus protection, you were fairly secure. Today, with more and more sophisticated attacks emerging every day, security professionals have adopted a policy of layering security. Firewalls and antivirus programs are now just the foundation. Today, in order to be truly secure you must add layers of security on top of that foundation, incorporating such things as URL filtering, intrusion prevention, application security, and forensic tools.

To deal with spam effectively, a similar methodology is needed. Spam is currently being dealt with in a manner similar to the early attempts to deal with viruses: Basic desktop programs. As any network manager knows, depending on individual desktop users to maintain and manage a critical component of your company's security posture is a losing battle. Desktop spam filtering is fine--but only when it is the last layer of defense, not the first.

Effective spam filtering starts with the Internet itself. Your first layer of spam defense should assess what is known about spammers, compiling sample spams and the URLs of common spammers into a database that can then be used to craft both white and black lists, while also filtering out the most obvious types of spam. This layer should constantly monitor the activity of spammers to keep this piece of protection as current as possible.

Next, for those e-mails that get through this first layer, you need tools that reside in the network, not on the desktop, to analyze each and every e-mail. Keyword searches are not enough, since spammers quickly shift their terminology or use intentional typos like Via$gra or h-o-t t*eens to circumvent keyword filters. What is also needed to supplement keyword searches is a tool to analyze the text itself, one that can assess the total content to judge whether or not a message is spam.

The most common form of text analysis is called scoring, where, for instance, a phrase like "spring break" receives a positive score, while other non-spamming words receive a negative score. If the total score stays under a certain threshold, then the e-mail is allowed through. Of course, spammers are aware of these scoring methods, so they employ tactics such as embedding white text on a white background to lower the score. The hidden text is read by the filter, not the recipient, so it throws off the filter without detracting from the sales pitch.

One way to fine-tune scoring is to focus on a fairly simple element of nearly all spam: a URL link. While this isn't foolproof, since legitimate e-mails can include URL links, it is an easy way to flag messages for further analysis, after which a more sophisticated content analysis method can be employed--one that looks not just at the text, but also at the whole e-mail. A granular content analysis filter assesses such common e-mail elements as URLs, images, attachments and text to come up with a more accurate understanding of the message and its intent.
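
The scoring, hidden-text and URL-flagging steps described above, as an added example (not from the article or any vendor's product). The weights, threshold, verdict names and sample message are constructed, and the hidden-text check assumes a white page background.

```python
import re
from html.parser import HTMLParser

# Constructed weights (assumption): positive = spam-like, negative = ordinary words.
WEIGHTS = {"viagra": 5.0, "hot teens": 5.0, "spring break": 2.0,
           "meeting": -1.5, "invoice": -1.5, "quarterly": -1.5}
THRESHOLD = 4.0  # constructed cut-off: totals at or above this are blocked
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
HIDDEN_RE = re.compile(
    r"(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b|display\s*:\s*none", re.I)
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags with no closing tag

class VisibleText(HTMLParser):
    """Separate text the recipient sees from text styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.stack, self.visible, self.hidden = [], [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        white_font = (a.get("color") or "").lower() in ("white", "#fff", "#ffffff")
        self.stack.append(white_font or bool(HIDDEN_RE.search(a.get("style") or "")))
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        (self.hidden if any(self.stack) else self.visible).append(data)

def score(text):
    # Drop everything but letters so "Via$gra" and "h-o-t t*eens" match plain keywords.
    norm = " ".join(re.sub(r"[^a-z\s]", "", text.lower()).split())
    return sum(w * len(re.findall(rf"\b{re.escape(k)}\b", norm))
               for k, w in WEIGHTS.items())

def analyze(html):
    p = VisibleText()
    p.feed(html)
    p.close()
    visible = score(" ".join(p.visible))            # what the reader sees
    naive = score(" ".join(p.visible + p.hidden))   # what a tag-blind filter scores
    urls = URL_RE.findall(html)
    # Below threshold, a link only flags the message for deeper content analysis.
    verdict = "block" if visible >= THRESHOLD else ("review" if urls else "deliver")
    return {"visible": visible, "naive": naive, "urls": urls, "verdict": verdict}

# Constructed sample: obfuscated pitch plus white-on-white padding.
SAMPLE = ('<p>Cheap Via$gra and h-o-t t*eens! <a href="http://example.test/buy">Order</a></p>'
          '<span style="color:#ffffff">meeting invoice quarterly meeting invoice quarterly</span>')
```

Running `analyze(SAMPLE)` shows the gap the article describes: the tag-blind score falls below the threshold because of the hidden padding, while the visible-text score stays above it.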

Finally, after all of these network-level layers of spam detection occur, there is still the chance that legitimate e-mail may be blocked, which is known as a false positive. For certain corporate groups like a sales department, the fear of false positives often undercuts their desire to filter out spam. This final layer of spam protection, protecting against lost e-mails you actually want, is critical, and it has to be handled by each end user on that individual's end device. In essence, you need to save every one of those blocked e-mails until your end users have had a chance to review them.

At first glance, this may seem like it defeats the whole process, but it doesn't have to. Sophisticated anti-spam products are hitting the market that save blocked messages for a time, but which only pass along a summary report of what is blocked. As opposed to manually combing through your in-box to find spam, these reports can typically be scanned in seconds, vastly reducing the productivity drain. Moreover, if this filter stores suspect messages outside of the enterprise, with the service delivered by an ISP, it then protects corporations from bandwidth drain as well. Service providers can benefit by sending reports during non-peak traffic times.

Taken together, all these layers (spam and URL databases, white and black lists, holistic content and image filtering, and false-positive protection) protect your employees' productivity, your limited bandwidth, and your underlying network infrastructure. While spam will never go away, by adopting a layered approach to spam, you can manage its impact, minimizing its ability to undermine your bottom line.

Rene Seeber is chief technology officer for Cobion AG (Burlington, MA)

www.cobion.com
COPYRIGHT 2004 West World Productions, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2004, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Security
Author:Seeber, Rene
Publication:Computer Technology Review
Geographic Code:1USA
Date:Mar 1, 2004
Words:1145