E-Mail Security: Filtering Garbage Out, Keeping Secrets In

By Baselinemag  |  Posted 2007-02-14

There's traditionally been a bunker mentality among the people who secure e-mail. It's us against them, an unseen enemy flinging viruses and spam—little digital grenades that could blow a hole in the CEO's inbox.

Companies still need to have shields to block those Net threats, which continue to evolve in devious ways. Spending in this area, in fact, is expected to zoom: The worldwide market for e-mail security products is estimated to grow from $3.5 billion in 2006 to more than $6 billion in 2010, says research firm The Radicati Group.

And the underlying problems aren't going away. The number of software vulnerabilities—flaws that could be used to compromise an organization's security measures—reported to the CERT Coordination Center was on pace to exceed 7,000 in 2006, compared with 5,990 in 2005.

But now, security managers are looking more closely at the flip side of the e-mail equation: how to minimize the risks of losing precious data, such as customer records, out the virtual front door.

Safeguard Outbound Records

These days, Brandon J. Meyers, manager of networking and communications for Cooper Industries, believes his five-member team has a pretty good strategy for holding down the fort against viruses and spam.

The Houston-based $4.7 billion manufacturer of electrical products and tools operates about 60 Microsoft Exchange e-mail servers around the globe to serve its 29,000 employees. Those have been consolidated into three regionalized server clusters reflecting global operations.

Each e-mail server cluster has a double layer of protection. In the network, Cooper Industries has two redundant appliances from IronPort Systems that scan for unwanted e-mail and quarantine likely viruses and spam.

On the e-mail servers themselves, the company runs the Antigen virus- and spam-filtering package from Microsoft's Sybari Software division. Cooper Industries has configured Antigen to scan for self-propagating e-mails, to eradicate them before they even get to someone's mailbox.

The two systems, according to Meyers, practically run themselves. "They've been hands-off to date," he says. "It's a huge weight off our shoulders from a security perspective."

So, he has turned his attention to a new security problem: making sure somebody isn't taking Cooper Industries' sensitive information and e-mailing it to an accomplice outside.

The problem of accidental—or intentional—breaches of what is supposed to be private data has exploded into public view in recent years. The most closely followed disclosures involve personal information: According to the nonprofit Privacy Rights Clearinghouse, businesses and government agencies have improperly exposed more than 98 million records on U.S. residents between February 2005 and December 2006.

The tricky part of this new technology: How does a piece of software know what constitutes "sensitive" data?

Cooper Industries conducted a test with Fidelis Security Systems, a Bethesda, Md.-based provider of "extrusion" (as opposed to intrusion) prevention software that scans outbound communications to identify certain patterns. Meyers and his team built some "intellectual property signatures" that were specific to Cooper Industries. For example, one such signature looked for certain kinds of computer-aided design (CAD) files, which would likely contain proprietary product plans.

"If there is a scenario where there will be legal action—where we see our proprietary information having leaked out—that's the case for any organization to do this type of scanning," Meyers explains.

Next page: Give Antivirus a Booster Shot Shot">

Give Antivirus a Booster Shot

Other organizations are still primarily focused on improving their defensive line. This basic blocking and tackling remains critical, because for most companies, e-mail is the number-one business application, says Eric Ogren, a security analyst for research firm Enterprise Strategy Group.

"Companies run their business on e-mail," says Ogren, who estimates that about 75% of all businesses exchange contracts via e-mail. "When the e-mail's down, people go home."

Uptime is a big deal for Jim Brady, senior e-mail administrator at Cedars-Sinai Medical Center in Los Angeles. He has the tall order of making sure the servers that store roughly 70 million messages—and counting—for the hospital's approximately 8,000 employees stay secure and continuously available.

Here's what it takes to deliver the e-mail at Cedars-Sinai: 75 Microsoft Exchange message "stores," individual repositories that handle about 200 mailboxes apiece. The message stores run on five separate clusters, each with four Intel-architecture servers. The clusters are configured to be fault-tolerant, meaning that if one server freezes up, another one takes over its duties. Every cluster has about 2.5 terabytes of high-speed disk storage.

The e-mail servers that Brady manages function as the central nervous system for Cedars-Sinai, an 880-bed facility that generates $1.3 billion in annual revenue. Of more than 100 clinical and other information systems, which handle everything from patient management and X-ray images to accounting and payroll, nearly all pump information through the Microsoft Exchange e-mail servers.

For example, alerts and agendas for all medical staff meetings are sent through e-mail. Electronic forms, such as those for new patient information, are delivered via e-mail. And critical alerts for the surgical intensive-care unit are funneled through Exchange as well. "If the e-mail isn't working, everything in the hospital stops," Brady says.

For protection, Brady uses eight virus-scanning packages, including products from Symantec, Microsoft's Sybari, Sophos, Kaspersky Lab and two from CA. Not every e-mail is checked by all eight—a routing algorithm assigns messages to different antivirus engines—but every one is scanned at least twice.

"We felt it was necessary to get a layered approach," says Brady, who concedes, "we've overkilled on the virus protection."

Even with eight virus-scanners, however, Cedars-Sinai didn't eliminate mail security issues. The hospital had been hit by at least one zero-day attack, which exploits a vulnerability for which a patch hasn't yet been issued. That virus spread across the network using the Simple Message Transfer Protocol, or SMTP, the Internet standard for sending e-mail. In effect, a virus had installed tiny e-mail servers on unsuspecting employees' desktops and was sending out more viruses via e-mail.

"Occasionally we would find boxes that were spamming from the inside," Brady explains. To fix this, his team shut off the ability for any unauthorized SMTP server to advertise itself as an e-mail server.

Next page: Learn Spam's New Trickss New Tricks">

Learn Spam's New Tricks

One of the most persistent—and annoying—e-mail threats is unwanted commercial e-mail. Between 75% and 90% of a typical organization's incoming e-mail is spam, says Gartner analyst Peter Firstbrook.

Cedars-Sinai's Brady wasn't quite seeing spam rates quite that high: About half of the 90,000 e-mail messages the hospital receives per day are spam, he estimates.

The hospital brought in Symantec's Brightmail antispam software to help stem the tide. Brady hasn't turned up the settings to be very restrictive because he doesn't want to risk junking a legitimate e-mail: "We have a very low tolerance for false positives."

But spammers invent new tricks to bypass spam filters. A new strain has surfaced within the last year called image spam, which consists of text pasted into an e-mail message as a picture. That way, an antispam filter looking for, say, a text string of "hot stock tips" in the body of an e-mail message would potentially let through an e-mail with "hot stock tips" included as part of an image.

Another trend: "literary spam," which includes sections of classic novels like Pride and Prejudice in the attempt to fool an antispam filter with what is hoped to be natural-sounding text.

At Mary Kay Inc., the $2.2 billion cosmetics distributor in Addison, Texas, senior technical engineer for messaging technology Daryl Smith was seeing about 40 million spam messages per month, sent to "marykay.com" e-mail addresses. The company, which sells its cosmetics through individual resellers, has about 650,000 registered e-mail addresses for its affiliate members. "We were just getting hammered by spam sent to marykay.com e-mail addresses," Smith recalls.

Mary Kay installed two pairs of Proofpoint anti-spam appliances, which protect 4,000 e-mail boxes at corporate headquarters and the 650,000 affiliate e-mail addresses. The appliances have cut the spam load with a variety of techniques, including this one: They automatically detect whether more than 70% of e-mail is originating from a single Internet Protocol address, and then throttle back the bandwidth Mary Kay's e-mail servers will accept from that address.

Still, Mary Kay has seen spam blast back up to old levels—more than doubling in the last 12 months—because of image-based spam, Smith says: "They've found ways to slip past our filters."

Matt Anderson, an analyst with The Radicati Group, says vendors have just started to deliver products that combat this type of spam by examining embedded images in a message for telltale signs that it's been crafted by a spammer. The image filters work, but their catch rates are only 75%, whereas effective rates need to be 90% or higher, he says.

A new tactic spammers are using is to break up an image into 20 small ones that fit together like a puzzle. That gets around many of the image filters, which examine all 20 images independently instead of the overall pattern. As Anderson says: "It's an ongoing cat-and-mouse game."