Social Networking Lessons Can Catalyze E-mail

I just had the following article published by Computer Technology Review:

Social Networking Lessons Can Catalyze E-mail

The popularity of social networking sites over the past decade has stemmed from the connectivity these sites afford users and the ability to coalesce around the commonality of a hobby, profession or past experience. However, their pervasive appeal in part can be attributed to the inherent security these sites offer (in the form of identity confirmation) that other mediums of communication don’t. Facebook, the originator, intervenes at the onset of every relationship to ask users to agree to communicate through its “friend request.”  Without an agreement, the relationship doesn’t evolve and access is denied. The identity confirmation principle is critical because it affords users the means to control relationships, information and access.

Facebook owes its existence to e-mail, its electronic predecessor. Unlike today’s social networking sites, e-mail evolved when electronic connectivity was in its infancy and potential future ramifications were unknown. Without an understanding of what the future would hold (including potential for misuse), the early e-mail forefathers didn’t necessarily have a need to consider e-mail security within the initial model — a painful absence felt by any everyday user today. Add to this equation the fact that e-mail is now so ubiquitous and entrenched in today’s lifestyles that everyday functions grind to a halt in its absence, and it is clear that it’s time for e-mail to evolve to the level of its social networking counterparts.

E-Threats Worsen and Exact a Higher Price

A recent Google study estimates that 94 percent of all e-mail is spam. But worse than the annoyance of receiving one (or more) of the billions of spam messages sent daily, these e-mails include malicious components such as “worms,” “Trojans,” “bots” and other Internet “crimeware” and “scareware”.  As new and innovative threats emerge, it’s clear that spammers are using increasingly advanced “business” models with the dual purpose of increasing their effectiveness and providing the needed subterfuge.

Today’s threats are also more resistant to conventional filtering efforts.  One such hazard is location-based spam. As part of the social engineering threat vector, these threats yield greater success because they don’t originate through a readily-impactable ISP and are tag-resistant because of their benign language and content (the McColo crackdown, as large as it was, will soon seem amateur in comparison).

Location-based spam is tailored to the recipient’s geographic location — data that can be easily discovered from the IP addresses used by inbound e-mail servers.  This enables spammers to use classic affinity fraud techniques and develop personally-relevant attacks. Fraudsters send targeted e-mails, with geographically-germane information, which elicits the desired higher click rate and transports recipients to fraudulent websites. There, spammers can put into play a variety of techniques, from infecting visitor’s computers via e-cards, to prompting the viewing of a virus-containing video of a purported local disaster and other ploys to exploit the unsuspecting. The ultimate objective is to collect personal information for later attacks and/or identity fraud. This more personalized spamming (or “spear phishing”) is relatively resistant to status quo filter methodologies because it contains pertinent information, is sent in small batches through “botnet” channels, and seems highly authentic.

On-Line Identity Confirmation Changes the Game

How then can IT administrators and end-users protect themselves from an antagonistic on-line environment?  Identity confirmation, the central tenet of social networking, is the missing link in today’s hostile e-mail environment and the means by which to re-establish e-mail as a trusted communications tool.

The world has changed since the birth of e-mail and it’s no longer reasonable for end users to be electronically open to the universe: identity confirmation is necessary.  In reality, social networking’s friend request has nothing to do with friends—it is an invitation to access, an opening of the security screen. Networking sites are so attuned to “access is key,” that they offer adaptable levels of entree, from varying access to the Wall, to the tweaking of privacy settings.

E-mail security solutions that leverage identity confirmation (using a method similar to the friend request of the social networking site) to secure the end-user’s inbox are able to provide organizations with more advanced levels of protection.  As opposed to filter-based solutions that focus on scanning content, these solutions focus on the validity of contacts themselves to determine the legitimacy of an e-mail message.

The typical filter-based solution is only able to guess (be it an educated one or not) as to whether an e-mail message is spam or not.  In addition, even if a message does not meet the traditional definition of “spam,” it isn’t necessarily a message the recipient would like to receive.  Differentiating between wanted and unwanted messages is a task that filter-based solutions are unable to accomplish, but one that solutions focusing on the relationship between sender and recipient can. Ultimately, solutions that focus on the sender of a message allow users to create their own network of trusted contacts – once and for all putting the e-mail user in control of their inbox as opposed to the solution protecting it.

The Solution

Sendio’s E-mail Security Platform (ESP) is one example of a solution that focuses on the relationship between sender and recipient, as opposed to the content of a message to secure an organization’s e-mail infrastructure and restore trust in e-mail communications. Similar to the friend request utilized by popular social networking sites, the ESP utilizes a technology called Sender Address Verification (SAV), in conjunction with a number of other security technologies, to confirm senders as trusted e-mail sources and automatically build each e-mail user’s trusted network of contacts.

According to Gilbert Mendoza, IT Security Administrator at Pechanga Resort & Casino, California’s largest casino, based in Temecula, Pechanga implemented Sendio’s solution to address the huge amount of time his users were spending sorting through spam and looking for false positives.  The “opt-in” component of the solution was the most compelling for Mendoza: “Sendio’s ESP works because it uses the right approach for attacking the problem of spam –Sender Address Verification (SAV) to prevent spam and the loss of ‘good’ e-mails that previously wound up in limbo.”

By believing that people, not filters, should choose who they interact with, Sendio guarantees delivery of all clean messages and protection from e-mail borne attacks. In today’s on-line risk environment, filter-based e-mail security solutions are no longer able to effectively address the threats e-mail servers and inboxes faces.  Taking a lesson from its social networking counterpart, it is time for the e-mail paradigm to shift and adopt the security measures needed to catalyze e-mail to become the trusted tool users need.