Are you ready for the next attack?

ESPs are under attack and being tested. But I’m not sure much progress in handling and responding to the attacks has been made since the Return Path warning or the Epsilon compromise.
Last week a number of email marketers became aware that attacks against ESPs and senders were ongoing. The shock and surprise many people exhibited prompted my Spear Phishing post on Friday.
The first round of phishing went out on Wednesday, by Friday they were coming from a different ESP. Whether this was a compromised ESP customer or employee it doesn’t matter. ESPs should have reaction plans in place to deal with these threats.
It’s been months since the first attacks. This is more than enough time to have implemented some response to reports of attacks. Yet, many people I talked to last week had no idea what they should or could be doing to protect themselves and their customers.
Last time the attacks were publicly discussed I was frustrated with many of the “how to respond” posts because few of them seemed to address the real issue. People seemed to be pushing agendas that had nothing to do with actually fixing the security holes. There were lots of recommendations to sign all mail with DKIM, implement 2 factor authentication, deploy validation certificates on web properties, or adhere to sender’s best practices.
None of those recommendations actually addressed the gaping security hole: Humans.

Criminals aren’t just hacking networks. They’re hacking us, the employees.
“The security gap is end users,” says Kevin Mandia, chief executive of security firm Mandiant Corp. The majority of corporate security breaches his firm is currently investigating involve hackers who gained access to company networks by exploiting well-intentioned employees. Geoffrey Fowler, WSJ

An effective response to attacks must include improving employee and customer security. We cannot fix compromises by simply improving authentication, or buying access to pretty colored browser bars. We must teach users to think about security first when they get an unexpected email.
An effective response to attacks must include technical solutions that scan incoming mail for potential viruses. We cannot rely solely on the ability of users to not click on links, no matter how well trained and security thinking they are.
An effective response to attacks must include technical solutions that scan outgoing mail for potential viruses. We must minimize the ability of attackers to use our systems to attack others if our systems do get compromised.
An effective response to attacks must include virus resistant software and programs to read email and deal with hostile traffic. We must acknowledge that attackers will find any hole in an operating system or software program. More secure software is one way to protect our systems from attack.
An effective response to attacks must include clear response channels inside an organization. Employees who think they get a phishing or virus email must know who to inform. Once the attack is verified, specific responses should be activated, everyone notified and outgoing traffic monitored.
An effective response to attacks means security must be drilled into every employee. Employees should never consider using cloud storage or webmail in order to bypass filters or get access prohibited by firewalls.
An effective response to attacks doesn’t mean the end to compromise attempts. It does mean fewer attempts succeed.

Related Posts

New security focused services

Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if a there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.

Read More

The weak link in security

Terry Zink posts about the biggest problem with security: human errors. Everyone who is looking at security needs to think about the human factor. And how people can deliberately or accidentally subvert security.

Read More

Another security problem

I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account.  It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESPs hard won and hard fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.

Read More