A CIO's guide to email security

An interview with Alec Peterson, CTO of messaging software company Message Systems.

TEP: Email fraud and phishing continue to be a huge problem. What do CIOs need to know about how to avoid such problems?

Peterson: In any business, reputation is far more easily lost than gained, and in the age of the Internet that never forgets anything, that is truer now than ever. Just look at Target for example. That data breach happened almost a year ago and they've made significant changes in their management and practices since then, but I still know people who specifically avoid Target because they're afraid of their data being breached.

Of course, email is different from payment credentials, but the average consumer doesn't draw a distinction. Email marketing (or actually, all email for a corporation, be it marketing, transactional or corporate) needs to be DMARC aligned (DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an industry standard for authentication).

TEP: What other security policies do you recommend?

Peterson: Separately, it's not uncommon for a company to register different email domains for different product lines (or even for different marketing campaigns). DMARC policy does not automatically move from one domain to another, so it's essential that CIOs have a central system for procuring new domains and ensuring that authentication is configured on all of them.

TEP: Are the biggest email-based security threats more sophisticated technological attacks, or are they human-based?

Peterson: Mailbox providers and email client vendors have done a fairly good job of protecting end users from threats that require no interaction (anti-virus software, largely). These days, the biggest threat is absolutely data leakage due to human action. Various anti-abuse measures that mailbox providers utilize do a reasonable job of weeding out a lot of these messages (between reputation, heuristic and content filters); however, some of this always gets through.

Mass phishing attacks still find their way through, but by far the most dangerous attacks are what are referred to as 'spear phishing' or highly targeted messages directed at specific individuals. These are insidious because the filtering technologies I mentioned earlier rely on a critical mass of messages to determine what a bad one looks like. If an attacker is only going after a handful (a dozen or so) targets, those technologies are not effective. This is because such an attack would look no different than if I were sending an email message to a few friends asking them to sign up for Fantasy Football.

We're always looking at ways to do better against even those sorts of highly targeted attacks, but the best solution is to educate users. Always ensure that any website you're entering information into is encrypted, has a valid certificate and is exactly the domain you expect.

TEP: How have phishing and email fraud gained in sophistication over the years? How must security practices evolve to deal with them?

Peterson: Phishing has evolved with technology. The early phishing attacks were focused on AOL in the late 90s and early 2000s for obvious reasons, because that is where a lot of the users were. Furthermore, one of the big advancements of AOL around that time was enabling access to the greater Internet for all of its users. While this opened up the 'walled garden' that had existed previously, it illustrated a key oversight. Specifically, that all of the users were accustomed to the protection afforded by that walled garden. That isn't completely fair as the greater Internet hadn't really had to deal with large scale fraud up to that point either, but AOL in particular catered to a less technically savvy brand of user, which made them more likely to fall for a scam.

This pattern is what phishing and email fraud in general have followed since then. As one group of users (or one specific type of attack) becomes easier to spot, the criminals move on to another one. AOL phishing gave way to Nigerian 419 scams. Then 419 scams gave way to the early financial institution phishing, and so on. With each new revelation, not only did technology have to change, but user education had to change as well, because that's ultimately the weakest link. Technology security measures are generally reactive, but thankfully we're getting to the point that the general principles of smart user behavior transcend different attack vectors, so that last layer of security is becoming more generally useful in stopping email attacks.
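Peterson's point about DMARC earlier in the interview (a policy published on one domain does nothing for the other domains a company registers, so every one of them needs authentication configured) can be turned into a routine audit. The following is an added example, not code from the interview or from Message Systems: it parses DMARC TXT records and flags domains in a portfolio that have no record, an unparseable one, a monitoring-only policy, or a policy that is only partially enforced. The domain names and DNS answers are constructed for the example; a real audit would resolve `_dmarc.<domain>` over DNS instead of reading the dictionary.

```python
"""Audit a portfolio of sending domains for DMARC coverage.

Added example, not part of the interview. The DNS answers below are
constructed so the audit runs offline; a real audit would resolve the
TXT record at _dmarc.<domain> for each domain in the inventory.
"""
from dataclasses import dataclass, field

# Constructed sample of what a TXT lookup of _dmarc.<domain> might return.
# None models "no record", i.e. a domain that was registered for a campaign
# but never had authentication configured.
SAMPLE_DNS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "promo-example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example-launch.com": None,
    "shop.example.com": "v=DMARC1; p=quarantine; pct=50; sp=none",
    "broken.example.com": "v=DMARC1; p=maybe",
}


@dataclass
class DmarcRecord:
    policy: str            # p=  : none | quarantine | reject
    subdomain_policy: str  # sp= : defaults to p=
    pct: int               # pct=: share of failing mail the policy applies to
    adkim: str             # adkim=: DKIM alignment, r (relaxed) or s (strict)
    aspf: str              # aspf= : SPF alignment, r or s
    rua: list = field(default_factory=list)  # aggregate report addresses


def parse_dmarc(txt: str) -> DmarcRecord:
    """Parse a DMARC TXT record (RFC 7489 tag=value list, ';' separated)."""
    pairs = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    # RFC 7489 requires v=DMARC1 to be the first tag.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    tags = dict(pairs)
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid p= value {policy!r}")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    return DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy),
        pct=pct,
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def audit_domain(domain: str, txt) -> list:
    """Return the findings for one domain; an empty list means it is covered."""
    if txt is None:
        return ["no DMARC record published"]
    try:
        rec = parse_dmarc(txt)
    except ValueError as exc:
        return [f"unparseable DMARC record: {exc}"]
    findings = []
    if rec.policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if rec.pct < 100:
        findings.append(f"pct={rec.pct}: policy applied to only {rec.pct}% of failing mail")
    if rec.subdomain_policy == "none" and rec.policy != "none":
        findings.append("sp=none: subdomains unprotected although the organizational domain is")
    if not rec.rua:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def audit(dns: dict) -> dict:
    """Audit every domain in the inventory and map it to its findings."""
    return {domain: audit_domain(domain, txt) for domain, txt in dns.items()}


if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_DNS).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{domain:22} {status}")
```

Run against the constructed inventory, `example.com` comes back clean, `example-launch.com` is reported as having no record at all, `promo-example.com` is flagged for `p=none`, and `shop.example.com` gets three findings (partial `pct`, `sp=none`, no reporting address). The `audit` function is the piece to wire into whatever central domain-procurement system Peterson describes, so that a newly registered domain shows up as a finding the day it is registered rather than the day it is spoofed.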

Alec Peterson is the CTO at Message Systems, the global leader in email infrastructure software. In this role, he is charged with leading the overall strategic direction of technology development for the company. Alec leverages more than 15 years of network engineering and design experience to advance the Message Systems technology vision. Under his guidance, the company develops and deploys integrated, high-performance messaging that enables businesses to effectively reach their customers. Alec has responsibility over technical support, client solution engineering and core engineering, and he also plays a critical role in understanding the evolving needs of the Message Systems client base. Prior to joining Message Systems, Alec was the co-founder and CTO of Catbird Networks, and was the co-founder and director of network engineering at UltraDNS Corporation. Alec began his career at Erols Internet/RCN Corporation, where he was instrumental in the firm's expansion of its national network.

Minda Zetlin is a business technology writer and columnist for Inc.com. She is co-author of "The Geek Gap: Why Business and Technology Professionals Don't Understand Each Other and Why They Need Each Other to Survive," as well as several other books. She lives in Snohomish, Washington.