- Anti-spam filtering can no longer be considered a reliable tool for protecting your e-mail infrastructure and/or your users from the many threats that use e-mail as their primary insertion vector. Smart IT professionals have come to realize it is impossible to determine intent from content. As we move into the 2nd decade of the 21st century, security on the Internet in general, and for e-mail specifically, must become personalized. We can no longer afford to count on the ability, or lack thereof, of a filter to guess what is good/safe and what is not. The next era for e-mail security will be ruled by systems that provide and promote Sender Address Verification and Authentication.
- Domain forgery must be stopped; and we have the tools at our disposal to make this happen. The time has come, once and for all, for IT professionals to embrace and deploy BOTH Sender Policy Framework (SPF — www.openspf.org) and Domain Keys Identified Mail (DKIM — www.dkim.org).
- While its true that “cloud computing” is well on its way to becoming the “2009 Buzzword of the Year,” the time has come for IT professionals to seriously consider moving the major security components of their e-mail infrastructure onto their own private islands within the greater computing cloud. Processes like anti-spam, anti-virus, anti-threat, compliance, data leakage prevention, and managed file transfer can be addressed more effectively and more efficiently before any data ever reaches the threshold of your private network.
- In a difficult economy like we have today, e-mail is a more important tool than ever. E-mail is the ultimate asynchronous communication tool and is critical as a cost effective means for individuals to communicate over long (and short) distances. In both the medium and long terms, IT professionals must continue to strengthen their e-mail infrastructures. Now is not the time for cost cutting with respect to e-mail.
- Early this month Google announced their newest project: Wave (wave.google.com/help/wave/about.html). While it is too early to tell if this new project/protocol will have any real impact in the near term, looking forward 18 – 36 months, this is something upon which IT professionals should keep close watch. If Google is even remotely successfully, and who would bet against Google, this new and open protocol has the potential to completely change the way people communicate on the Internet through the merging of e-mail, instant messaging (IM), and real-time collaboration.
Social Media Tips For Business Owners And Entrepreneurs
Just got some nice digital ink on SanDiego.com.
Social Media Tips For Business Owners And Entrepreneurs (http://tinyurl.com/nhbwb8)
“Seek to understand before asking to be understood,” Golan said. “This is not going to be an overnight thing.”
Social Networking Lessons Can Catalyze E-mail
I just had the following article published by Computer Technology Review:
Social Networking Lessons Can Catalyze E-mail
(http://tinyurl.com/computer-tech-review-20090512)
The popularity of social networking sites over the past decade has stemmed from the connectivity these sites afford users and the ability to coalesce around the commonality of a hobby, profession or past experience. However, their pervasive appeal in part can be attributed to the inherent security these sites offer (in the form of identity confirmation) that other mediums of communication don’t. Facebook, the originator, intervenes at the onset of every relationship to ask users to agree to communicate through its “friend request.” Without an agreement, the relationship doesn’t evolve and access is denied. The identity confirmation principle is critical because it affords users the means to control relationships, information and access.
Facebook owes its existence to e-mail, its electronic predecessor. Unlike today’s social networking sites, e-mail evolved when electronic connectivity was in its infancy and potential future ramifications were unknown. Without an understanding of what the future would hold (including potential for misuse), the early e-mail forefathers didn’t necessarily have a need to consider e-mail security within the initial model — a painful absence felt by any everyday user today. Add to this equation the fact that e-mail is now so ubiquitous and entrenched in today’s lifestyles that everyday functions grind to a halt in its absence, and it is clear that it’s time for e-mail to evolve to the level of its social networking counterparts.
E-Threats Worsen and Exact a Higher Price
A recent Google study estimates that 94 percent of all e-mail is spam. But worse than the annoyance of receiving one (or more) of the billions of spam messages sent daily, these e-mails include malicious components such as “worms,” “Trojans,” “bots” and other Internet “crimeware” and “scareware”. As new and innovative threats emerge, it’s clear that spammers are using increasingly advanced “business” models with the dual purpose of increasing their effectiveness and providing the needed subterfuge.
Today’s threats are also more resistant to conventional filtering efforts. One such hazard is location-based spam. As part of the social engineering threat vector, these threats yield greater success because they don’t originate through a readily-impactable ISP and are tag-resistant because of their benign language and content (the McColo crackdown, as large as it was, will soon seem amateur in comparison).
Location-based spam is tailored to the recipient’s geographic location — data that can be easily discovered from the IP addresses used by inbound e-mail servers. This enables spammers to use classic affinity fraud techniques and develop personally-relevant attacks. Fraudsters send targeted e-mails, with geographically-germane information, which elicits the desired higher click rate and transports recipients to fraudulent websites. There, spammers can put into play a variety of techniques, from infecting visitor’s computers via e-cards, to prompting the viewing of a virus-containing video of a purported local disaster and other ploys to exploit the unsuspecting. The ultimate objective is to collect personal information for later attacks and/or identity fraud. This more personalized spamming (or “spear phishing”) is relatively resistant to status quo filter methodologies because it contains pertinent information, is sent in small batches through “botnet” channels, and seems highly authentic.
On-Line Identity Confirmation Changes the Game
How then can IT administrators and end-users protect themselves from an antagonistic on-line environment? Identity confirmation, the central tenet of social networking, is the missing link in today’s hostile e-mail environment and the means by which to re-establish e-mail as a trusted communications tool.
The world has changed since the birth of e-mail and it’s no longer reasonable for end users to be electronically open to the universe: identity confirmation is necessary. In reality, social networking’s friend request has nothing to do with friends—it is an invitation to access, an opening of the security screen. Networking sites are so attuned to “access is key,” that they offer adaptable levels of entree, from varying access to the Wall, to the tweaking of privacy settings.
E-mail security solutions that leverage identity confirmation (using a method similar to the friend request of the social networking site) to secure the end-user’s inbox are able to provide organizations with more advanced levels of protection. As opposed to filter-based solutions that focus on scanning content, these solutions focus on the validity of contacts themselves to determine the legitimacy of an e-mail message.
The typical filter-based solution is only able to guess (be it an educated one or not) as to whether an e-mail message is spam or not. In addition, even if a message does not meet the traditional definition of “spam,” it isn’t necessarily a message the recipient would like to receive. Differentiating between wanted and unwanted messages is a task that filter-based solutions are unable to accomplish, but one that solutions focusing on the relationship between sender and recipient can. Ultimately, solutions that focus on the sender of a message allow users to create their own network of trusted contacts – once and for all putting the e-mail user in control of their inbox as opposed to the solution protecting it.
The Solution
Sendio’s E-mail Security Platform (ESP) is one example of a solution that focuses on the relationship between sender and recipient, as opposed to the content of a message to secure an organization’s e-mail infrastructure and restore trust in e-mail communications. Similar to the friend request utilized by popular social networking sites, the ESP utilizes a technology called Sender Address Verification (SAV), in conjunction with a number of other security technologies, to confirm senders as trusted e-mail sources and automatically build each e-mail user’s trusted network of contacts.
According to Gilbert Mendoza, IT Security Administrator at Pechanga Resort & Casino, California’s largest casino, based in Temecula, Pechanga implemented Sendio’s solution to address the huge amount of time his users were spending sorting through spam and looking for false positives. The “opt-in” component of the solution was the most compelling for Mendoza: “Sendio’s ESP works because it uses the right approach for attacking the problem of spam –Sender Address Verification (SAV) to prevent spam and the loss of ‘good’ e-mails that previously wound up in limbo.”
By believing that people, not filters, should choose who they interact with, Sendio guarantees delivery of all clean messages and protection from e-mail borne attacks. In today’s on-line risk environment, filter-based e-mail security solutions are no longer able to effectively address the threats e-mail servers and inboxes faces. Taking a lesson from its social networking counterpart, it is time for the e-mail paradigm to shift and adopt the security measures needed to catalyze e-mail to become the trusted tool users need.