Go Ahead and Delete Your Email – See If You Can

Think about the process of sending a single email to one individual:

  1. You create and send an email and a copy of that email is placed into your Sent Items folder (copy 1).
  2. The recipient receives your email (copy 2).
  3. Your email admin makes a nightly backup of your email inbox (copy 3).
  4. The recipient’s admin does likewise (copy 4).
  5. Your company’s archiving system places a copy of your email into archival storage (copy 5).
  6. Ditto for the recipient’s company’s email archiving system (copy 6).
  7. The email you sent to recipient A gets forwarded to someone else (copy 7).
  8. That copy gets placed into a backup and archive (copies 8 and 9).
  9. You, your original recipient and the recipient of the forwarded copy access corporate email on a smartphone and a tablet (copies 10, 11, 12, 13, 14 and 15).

Now, let’s say you decide that you want to delete all of your old email because you’re afraid of incriminating evidence that might turn up in a lawsuit, a regulatory audit, or because you’re running for political office (ahem). Good luck with that. At best, you might be able to delete copy 1 and, if the recipient is nice, copy 2. Copies 3, 4 and 8 might disappear as admins reuse backup tapes over time or as the various mobile devices on which your email is stored delete older content. But that means that of the 15 or so copies of your email that exist, only about one-third to one-half will ever really disappear.

What should you do? First of all, disabuse yourself of the notion that you can ever completely delete your email. You can’t – it exists and may exist forever in some cases. Second, realize that email will stick around despite your best efforts to purge it, and so plan on it reappearing at some point. That means that if you have incriminating emails floating around your company, it’s best to archive them reliably and prevent their alteration so that at least you have the same evidence that the other side will almost certainly have in a lawsuit or a regulatory audit. While the ideal state is never to have incriminating emails, if you have more than zero employees in your company that’s unlikely to happen.

All of this sounds quite basic, but our work has demonstrated that some are still under the false impression that the process of deleting email actually deletes email. In reality, it does delete email, but only your copies of it – most are still out there somewhere, out of your control. The best you can do is ensure that you have copies of your email that you can reliably assume others will also have.

Dealing With Phishing and Next-Generation Malware (Part 2)

This is a continuation of my last post focused on ways that decision makers can address problems with phishing and next-generation malware:

Establish detailed and thorough policies: Most organizations have not yet established sufficiently detailed and thorough policies for the various types of email, Web and social media tools that their IT departments have deployed or that they allow to be used. Consequently, we recommend that an early step for any organization should be the development of detailed and thorough policies that are focused on all of the tools that are or probably will be used in the foreseeable future. These policies should focus on legal, regulatory and other obligations to:

  • Encrypt emails and other content if they contain sensitive or confidential data.
  • Monitor all communication sent to blogs, social media and other venues for malware.
  • Control the use of personally owned devices that access corporate resources.

Creating detailed and thorough policies will help decision makers not only to determine how and why each tool is being used and should be used, but also to determine which capabilities can or cannot be migrated to cloud-based security solutions and which should be retained in-house.

Implement best practices for user behavior: The next step is to implement a variety of best practices to address the security gaps that have been identified. For example:

  • Employees need to employ passwords that match the sensitivity and risk associated with their corporate data assets. These passwords should be changed on an enforced schedule, and should be managed by IT.
  • Employees should be strongly encouraged and continually reminded to keep software and operating systems up-to-date to minimize the chance that a known exploit infects a system with malware.
  • Employees should receive thorough training about phishing and other security risks in order to understand how to detect phishing attempts and to become more skeptical about suspicious emails and content. It is important to invest sufficiently in employee training so that the “human firewall” can provide the best possible initial line of defense against increasingly sophisticated phishing and other social engineering attacks.
  • Employees should be tested periodically to determine if their anti-phishing training has been effective.
  • Employees should be given training about best practices when connecting remotely, including the dangers of connecting to public Wi-Fi hot spots or other unprotected access points.
  • Employees need to be trained on why they should not release potentially suspicious content from spam quarantines, since that content might turn out to be phishing email.
  • Employees need to be given a list of acceptable and unacceptable tools to employ for file sync and share, social media and other capabilities as part of the overall acceptable use policies in place.
  • Employees must maintain robust anti-virus defenses on any personally managed platforms that will be used to access corporate content.
  • Employees should be reminded continually about the dangers of oversharing content on social media. The world will not be a better place if it knows that you had breakfast in Cancun this morning, but it could give cybercriminals a piece of information they need to craft a spearphishing email.

Deploy alternatives to solutions that employees use today: Decision makers should seriously consider implementing tools that will replace many of the employee-managed solutions in place today, but that will provide users with the same convenience and ease of use. For example, IT may want to deploy an enterprise-grade file sync and share alternative to the consumer version of Dropbox that is so widely used today. They may want to implement a business continuity solution that will enable corporate email to be used during outages instead of users falling back on their personal Webmail accounts. They may want to consider deploying an enterprise-grade file-sharing system that accommodates very large files if the corporate email system does not allow these files to be sent.

Implement robust and layered security solutions based on good threat intelligence: It almost goes without saying that it is essential to implement a layered security infrastructure that is based on good threat intelligence. Doing so will minimize the likelihood that malware, hacking attempts, phishing attempts and the like will be able to penetrate corporate defenses.

An essential element of good security is starting with the human component. As we discussed above, users are the initial line of defense in any security system because they can thwart some potential incursions like phishing attempts before technology-based solutions have detected them. Consequently, we cannot overemphasize the importance of good and frequent user training to bolster this initial line of defense, the goal of which is to heighten users’ sensitivity to phishing and related threats, and to help users to be less gullible. By no means are we suggesting that users can be the only line of defense, but they should be incorporated into the overall security mix.

Determine if and how the cloud should be used: A critical issue for decision makers to address is whether or not internal management of security, as well as of other parts of the IT infrastructure, is a core competency that is central to the success of the organization. Key questions that decision makers must answer are these:

  • Will our security improve if solutions remain on-premises?
  • Will security managed on-premises by in-house IT staff contribute more to the bottom line than using a cloud-based provider?
  • Should a hybrid security approach with both on-premises and cloud-based solutions be used? If so, for which systems?

An important requirement in accurately evaluating the use of cloud-based security solutions is for decision makers to understand the complete total cost of ownership for managing the current, on-premises infrastructure. Osterman Research has found consistently that many decision makers do not fully count all of these costs and are not confident in their estimates. If decision makers do not understand accurately what it costs their organization to provide a particular service to their users, this leads to poorly informed decision-making, as well as an inability to determine the potential cost savings and the return on investment from competing security solutions.

If you’d like to download our recently published white paper that explores these issues, you’re welcome to do so here.

Dealing With Phishing and Next-Generation Malware (Part 1)

To address the risks associated with phishing and next-generation malware, Osterman Research recommends a variety of actions that any organization should undertake:

Understand the risk that your organization faces: The critical first step in developing a best practices approach to security is to understand, at least at a high level, the risks that an organization faces. Many decision makers do not sufficiently appreciate these risks because they are too busy, they don’t have enough budget, or they have not focused enough on the growing number of risks they face. Consequently, Osterman Research recommends that security decision makers study the growing variety of security risks in detail and realize that they represent a serious threat to their organization. While this sounds simplistic, too many decision makers take a reactive approach, waiting until bad things happen before they take action, when they should be much more proactive in order to prevent them to the greatest extent possible.

As just one example, organizations must continually reassess the risk levels associated with their data assets, corporate systems and other tools that users may employ, in response to regulatory requirements, advice from legal counsel, recent data breaches, cybercriminal activity and other factors. For example, a database might contain non-sensitive data that can safely be accessed using only a username and password. However, a change in an organization’s offerings or a new industry regulation may mean that sensitive data will be added to the database, thereby increasing the risk of inappropriate access to that content store.

Understand the breadth of tools that might be used (and maybe shouldn’t be): There are a number of capabilities that employees use that can create significant risks. For example:

  • Personal Webmail accounts that users employ when the corporate email system is down or when they need to send files that are too large to be sent by the corporate email system.
  • Consumer-focused file sync and share tools that give users access to all of their files from any platform, but that typically do not scan content for malware or other threats.
  • File-transfer tools that are designed to send very large files independently of the corporate email system, and so do not get scanned for malware.
  • Personally owned smartphones or tablets that can be the target of mobile malware.
  • Social media tools that can be used to send corporate content or that can allow malicious content to enter an organization via short URLs or malvertising links.
  • Employees’ home computers, which often are shared by family members who download non-secure content, and for which anti-virus defenses are often out-of-date.
  • The growing variety of mobile apps, cloud-based applications and other tools that can subject corporate data to infiltration by malware or expose sensitive data to exfiltration by cybercriminals.

Conduct a complete internal audit: Organizations need to conduct a thorough audit to understand where all of their data is located, who has access to this data, the specific legal and regulatory obligations to which this data is subject, the identity of the data stakeholders, and other relevant information. This is essential in order to build a map of sorts that will help decision makers to understand the security risks they face and how to prioritize their resources in closing the security gaps that exist.

The next blog post will offer some additional recommendations. If you’d like to download our recently published white paper that explores these issues, you’re welcome to do so here.

What Threats Should You Be Concerned About? (Part 2)

Last week, I enumerated a list of things that decision makers should be concerned about with regard to potential security holes, focused both on malicious content that might make its way into your organization, as well as for valuable data assets that might make their way out. We continue that list of issues here:

Employee errors: Employees will sometimes inadvertently install malware or compromised code on their computers. This can occur when they download a codec, install ActiveX controls, install various applications that are intended to address some perceived need (such as a capability that IT does not support or that a user feels they must have), or when they respond to scareware/fake anti-virus (rogue AV or fake AV) software. Scareware is a particularly dangerous form of malware because it preys on users who are attempting to do the right thing – to protect their platforms from viruses and other malware. Even users who are quite experienced can be fooled by a well-crafted scareware message.

Malvertising: Malicious Internet advertising is intended to distribute malware through advertising impressions on Web sites. An Online Trust Alliance brief discussed how a single malvertising campaign can generate 100,000 impressions, with approximately 10 billion malvertising impressions occurring in 2013 via more than 200,000 malvertising incidents. Underscoring just how serious the malvertising problem has become, a study by RiskIQ for the period January to September 2013 found that 42% of malvertising is carried out by drive-by exploits that did not require interaction by end users (58% of malvertising involves users clicking on malicious advertisements).

Mobile malware: The growing use of smartphones and tablets, particularly personally owned devices, is increasingly being exploited by cyber criminals. For example, Alcatel-Lucent found that 16 million mobile devices were infected with malware during 2014, an increase of 25% from 2013. This represents an infection rate of 0.68%, meaning that in an organization of 1,000 employees, each of whom has an average of 1.5 mobile devices, there will be a total of 102 infected mobile platforms at any given time. The vast majority of infections impact Android devices – the Alcatel-Lucent research suggests that under 1% of iPhone and BlackBerry devices are infected with malware.

Mobile copycat applications: Many developers distribute their mobile apps through vendor and third party stores that offer varying levels of security, much of it inadequate. Some app stores are highly secure operations and require that developers satisfy rigorous standards before their apps can be offered. Others’ standards, however, are less stringent and create the opportunity for serious security risks. The result is that many third-party app stores are susceptible to a number of security and related problems like the distribution of copycat apps and malware distribution.

Compromised search engine queries: Valid search engine queries can be hijacked by cybercriminals to distribute malware. This form of attack relies on poisoning search queries, resulting in the display of malware-laden sites during Web searches. Search engine poisoning is particularly effective for highly popular search terms, such as information on celebrities, airline crashes, natural disasters and other “newsy” items.

Botnets: Botnets are the cause of a large number of successful hacking and phishing attacks against many high-profile targets. For example, Sony, Citigroup, the US Senate, Lockheed Martin, the International Monetary Fund, Northrop Grumman, and RSA have all been victimized by botnet attacks. The result has been that millions of records have been exposed, resulting not only in the disclosure of personal and sensitive information, but also in lawsuits and other expensive remediation efforts.

Hacking: This is a form of specialized cyberattack in which cybercriminals use a number of techniques in an attempt to breach corporate defenses. An example of a successful hacking attack is the recent incursion against Sony Pictures that may have been carried out by an operation of the North Korean government.

Gullible users: Users can represent a major security threat because of a combination of their specific personality types and inadequate training. For example, 100 students from an undergraduate psychology course at the Polytechnic Institute of New York were sampled. These students a) completed a survey focused on their beliefs and habits with regard to online behavior; b) were asked how likely they thought they were to be the victim of online crime, such as password theft; and c) completed a personality assessment survey. After completing these activities, these students were then sent obvious phishing emails.

One out of six of those tested – most of whom were engineering or science majors – fell for the scam emails. Ignoring the gender differences of those who were most likely to fall for the phishing emails in this study, the researchers found that those with the most “open” personalities – i.e., those who are most extroverted – were more likely to fall for phishing scams. The findings strongly suggest that people who overshare on Facebook or Twitter, for example, are more likely to become victims of phishing scams and other online fraud than those who are more introverted, share less or who don’t have social media accounts. Another study found that younger students (aged 18-25) were more likely to fall for phishing scams than their older counterparts.

Ransomware: One of the more common recent examples of ransomware is the CryptoLocker malware that encrypts victims’ files and then demands a ransom to decrypt them. Victims who choose not to pay the ransom within a short period of time will have their files remain encrypted permanently. CryptoLocker typically extorts a few hundred dollars per incident and is normally delivered through email with a PDF or .zip file disguised as a shipping invoice or some other business document.

We have just published a white paper focused on addressing these issues – you can download it here.