In Today’s API World, IT Needs to Assume A Breach and Marketers Need to Be Security Conscious
When Message Systems’ Mike Hillyer (director of solution engineering) and Dave Lewis (CMO) set out to write the recently published white paper Safeguarding Message Streams for Enterprises and Email Service Providers - Technology Principles for Architecting a Secure Messaging Environment, the authors quickly realized that they could not write about inbound message streams without talking about outbound message streams; they could not write about marketing without talking about security; and they could not write about Email Service Providers (ESPs) without talking about enterprises. Messaging today is about relationships and interrelationships: between messaging channels, between online marketing and security, between siloed business units and consistency, between data stewardship and trust, between stealth attacks and breaches, and on and on. It can be difficult to talk about messaging because of the “if we address this, then we should also address that” character the medium has taken on.
The number of channels that constitute messaging is more than making an impact; it is changing the game. As Lewis points out, in enterprises many business units make their own decisions about messaging deployments. Some might have an in-house arrangement, another might outsource. Even within the same business unit, email might be handled one way and SMS or IM another. In the white paper, Lewis and Hillyer explain how this typical enterprise treatment of messaging channels as separate silos is opening up more points of vulnerability than ever before.
Others in the industry agree that companies are more at risk today due to the number of channels organizations use for messaging. “Companies are clearly at greater risk now and this will only increase as messaging moves more and more away from what we think of as conventional email to new methods and techniques,” states Michael O’Reirdan, chairman of the Messaging Anti-Abuse Working Group (MAAWG). “A few years ago when you thought of messaging, email was the first thing that came to mind - and with it the problem of spam. But now, think of messaging and a plethora of techniques come to mind that are all suddenly available to the bad guys. Email is still there, and is a very effective tool for slipping a compromised file onto an unsuspecting CFO’s desktop, but what about a Facebook message from an old friend or a link in a Tweet that looks like it might be fun to follow up? Then there is the whole issue of the mobile ecosystem and how smart phones can be used to compromise a target’s personal data.”
This interplay between messaging channels, as I noted above, and the number of ways to deploy (and protect) them has changed messaging radically in the last few years. MAAWG, an open, global organization with high-profile members from the messaging industry, has been at the forefront of fighting messaging abuse since the days when spam was at its height. O’Reirdan shared with me that during MAAWG’s recent meeting the group decided to rename itself to better reflect the breadth of what has become the organization’s charter.
“MAAWG is evolving from just being the “spam” organization into focusing on handling new methods of abuse in the messaging arena, including continuing to work on mobile,” explains O’Reirdan. “At the same time, the malware, once executed, that sets up botnets is still at the core of abuse and MAAWG will persist in its work to help ISPs eliminate this. Hence the new view we have of MAAWG is M3 (cubed), M3AAWG, representing the three areas of concern, Messaging, Mobile and Malware.” The official announcement of the name change is expected in the coming months.
The growing number of vulnerability points that Lewis notes as a concern for organizations is largely due to the newer threat landscape of APTs (advanced persistent threats), which are more targeted and stealthier in execution than earlier attacks. In the white paper, a definition of APTs is given from the analyst group Gartner: “’Advanced’ means it gets through your existing defenses. ‘Persistent’ means it succeeds in hiding from your existing level of detection. ‘Threat’ means it causes you harm.” This sophistication has led Lewis to caution organizations to shift to a posture beyond frontline defense and assume that infiltration by cybercriminals has either already occurred or will occur.
“The number of breaches that we publicly read about in the press, is not representative of the number of breaches that are actually happening,” says Lewis. “This is for two reasons. One is that the breaches have not been reported because there are no reporting requirements standards – often companies may decide what constitutes a breach. For different reasons they choose not to disclose a breach, as there are consequences to doing that, so if they can avoid it, they do. It’s human nature. The other is that they might simply not recognize the breach. They might not know that it actually occurred.”
Fail-proof messaging security cannot be counted on in today’s messaging world, believes Lewis. “My point about the inevitability of a breach, when you look at the issue of all the various points of vulnerability that a hacker can find to get into your system, including simply human neglect – a memory stick that has fallen into the wrong hands, or even more intentional than that – the point is these threats are so persistent that sooner or later, something is going to get through your defenses. So you need to be prepared for that inevitability, and it is not just a matter of having an incident response plan waiting in the wings and being ready to move on it; at that point, it is already too late. If you are calling up your clients and issuing a press release and so forth – you are in damage control mode.”
Instead, Lewis encourages organizations to focus on mitigation. “What we mean by mitigation is not just damage control, but an extension of your prevention processes. You need to continue to monitor for abusive activity in your mail streams both incoming and outbound as an ongoing thing and be prepared to act on it.”
On outbound messaging for example, Lewis says companies typically use complaint data, ISP block and bounce data to measure deliverability. “That is all well and good, and an appropriate use to see if a campaign is successful or not, but how about applying that data in your security program?” he asks. “If you have a huge spike in complaints or you suddenly find yourself blocked, or are getting bounces – it could mean you have done something wrong, like send content to the wrong audience, but it could also mean that your system has been compromised and you don’t know about it. The trick is to be able to capture that data and act on it in real time so that you don’t turn a data breach into a data disaster.”
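The idea Lewis describes, reading complaint, block and bounce data as a security signal rather than only as a deliverability metric, can be put into a small monitor. The following is an added example written for this article; it is not code from the white paper or from Message Systems. The campaign summary format, column names, the trailing-baseline window and the z-score and ratio thresholds are all assumptions chosen for the illustration, and the rows are constructed sample data.

```python
"""Treat outbound deliverability telemetry as a security signal.

Added example for the point made in the article; not code from the white paper
or from Message Systems. Record layout, field names and thresholds are assumed.
"""
from statistics import mean, pstdev

# Constructed sample: one summary row per campaign, oldest first.
# Columns: campaign_id, sent, bounced, blocked, complaints
SAMPLE_ROWS = """\
c-001,100000,1200,300,45
c-002,120000,1100,300,60
c-003,95000,1000,300,40
c-004,110000,1300,300,55
c-005,105000,1200,300,50
c-006,140000,9000,30000,1900
c-007,100000,1250,310,48
"""

METRICS = ("bounce_rate", "block_rate", "complaint_rate")


def parse_rows(text):
    """Parse the CSV-like campaign summaries into dicts with per-recipient rates."""
    records = []
    for line in text.strip().splitlines():
        cid, sent, bounced, blocked, complaints = line.split(",")
        sent = int(sent)
        records.append({
            "campaign_id": cid,
            "sent": sent,
            "bounce_rate": int(bounced) / sent,
            "block_rate": int(blocked) / sent,
            "complaint_rate": int(complaints) / sent,
        })
    return records


def detect_spikes(records, baseline_n=5, z_threshold=3.0, ratio_threshold=2.0):
    """Return alerts for campaigns whose rates jump above a trailing baseline.

    Each campaign is compared with the previous `baseline_n` campaigns that were
    not themselves flagged, so one incident does not poison the baseline for the
    campaigns that follow it. A metric is flagged only when it is both far out
    statistically (z-score) and materially larger (ratio) than the baseline mean,
    which stops a near-constant baseline from raising alerts on tiny wobbles.
    """
    alerts = []
    clean_history = []
    for rec in records:
        flagged = False
        if len(clean_history) >= baseline_n:
            baseline = clean_history[-baseline_n:]
            for metric in METRICS:
                values = [b[metric] for b in baseline]
                mu, sigma = mean(values), pstdev(values)
                if sigma > 0:
                    z = (rec[metric] - mu) / sigma
                else:
                    z = float("inf") if rec[metric] > mu else 0.0
                if z >= z_threshold and rec[metric] >= ratio_threshold * mu:
                    alerts.append({
                        "campaign_id": rec["campaign_id"],
                        "metric": metric,
                        "rate": rec[metric],
                        "baseline_mean": mu,
                        "z": z,
                    })
                    flagged = True
        if not flagged:
            clean_history.append(rec)
    return alerts


def triage(alerts):
    """Map each flagged campaign to a next step based on how many signals fired.

    One metric moving alone is commonly a targeting or content mistake; bounce,
    block and complaint rates all jumping on the same campaign is the pattern
    the article describes for a sending system that may have been compromised.
    """
    by_campaign = {}
    for alert in alerts:
        by_campaign.setdefault(alert["campaign_id"], set()).add(alert["metric"])
    return {
        cid: ("investigate as possible compromise" if len(metrics) == len(METRICS)
              else "review content and list targeting")
        for cid, metrics in by_campaign.items()
    }


if __name__ == "__main__":
    found = detect_spikes(parse_rows(SAMPLE_ROWS))
    for alert in found:
        print(f"{alert['campaign_id']} {alert['metric']}={alert['rate']:.4f} "
              f"baseline={alert['baseline_mean']:.4f} z={alert['z']:.1f}")
    print(triage(found))
```

In the sample, campaign c-006 triggers all three metrics and is routed to a compromise investigation, while c-007, which follows it, is judged against the five clean campaigns rather than the anomalous one and raises nothing. In a real deployment the rows would come from the sending platform's feedback loop, SMTP rejection and bounce processing, and the check would run as each campaign reports in rather than after the fact.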
Staying vigilant is a recurring theme when dealing with today’s messaging threats. Lewis cautions online marketers to be more security-minded in today’s messaging world. “Marketing people in most organizations don’t think in terms of security. It is an afterthought, if they think of it at all,” he observes. “Marketers need to recognize the criticality of security, not in some abstract way, but in terms of them achieving their own goals. Marketers are typically tasked with generating revenue and building relationships. Both of those goals could be in jeopardy if there is a loss of trust. For example, the way most marketers think about authentication is as a tactic to improve deliverability, but that is not really its intended purpose. They need to be thinking about authentication on not just their outbound, but also on their inbound. They need to take a page from the ISP carrier book and apply it to their own organizations.”
The increase in spear-phishing incidents is another example of how advanced threats have become. Lewis feels that marketers should not undervalue their marketing data. “Companies often say, it is only an email address, or only marketing data, with the notion that it does not have the same value as PII (personally identifiable information), but if you can use that data to target an individual and get them to open an email, then a phisher can do that too. We have to think in terms of how they are using the data. It is really a mistake to underestimate them.”
Phishers are really incredible marketers. Anyone can become a victim and technology is often fooled too. O’Reirdan recommends to everyone: “Think before you act, look before you leap, don’t be gullible. All obvious, I know,” he says. “But what works well in the real world, works well online too. Spear phishing almost always relies on social engineering so no amount of software will protect against a good and ingenious exploit of the ‘human in the loop’.”
Messaging security is never done, according to Lewis. “I think the biggest mistake companies can make at this juncture is to make a few tweaks in their technology, to make a few practice changes and call it done. The most dangerous thing organizations can do is to underestimate spear phishers. They may not have any scruples, but they understand the value of data. I see this as a significant threat to the ecosystem. This isn’t a short-term thing. We need to figure out how to maintain a safe and secure environment because this is crucial to our ability to obtain data and use data for messaging. This is the way it will be from here on in.”
The Online Trust Alliance, as part of its Security by Design campaign, created a very useful self-survey (in the form of 20 questions) that organizations can use to become better prepared to avoid and respond to security incidents. Questions like: Is your definition of personal information current and in line with both applicable industry regulation and customers’ expectations? Have you conducted a comprehensive audit of your data flows across the enterprise and vendors, including a privacy and security review of all data collection and management activities? Are employees equipped to notify management of security incidents, including intrusion, breach, data misuse or data loss? What processes do you have in place for data minimization, secure archiving and data destruction? Take a look at all of the Top 20 Questions as steps toward what Lewis terms “proactive mitigation”.
Above all else, stay vigilant and ready, especially toward social engineering tactics. As O’Reirdan states, “Social engineering remains a major threat and a route by which many APTs begin to weave their insidious webs within organizations. In many cases, APTs are long term operations that get embedded within the enterprise so that when exfiltration of data commences, they are so below the radar that detection is very hard.”