When the largest pharmaceuticals distributor in the United States considers stronger security controls, it's Patrick Heim's job to patch the holes. He weighs a number of factors, including employee productivity, corporate strategy and return on investment.
Heim, chief information security officer of McKesson Corporation, said critical corporate data must be protected with the right security controls to battle a scourge of spam-clogging email servers, targeted phishing attacks seeking gullible employees, and potential instant messaging woes. The trick is finding the right balance, Heim said, so employee productivity isn't handcuffed, but risk factors are still considered.
"If you deploy controls without proper education, end users will find ways of backdooring it," Heim said. "There is a certain amount of risk acceptance, but we're not going to take a Draconian stance to turn off capabilities for security sake."
Heim and other CISOs are increasingly finding themselves in a juggling act: Spam levels are rising with more sophisticated attacks using botnets, phishing has become more targeted, and instant messaging attacks are steadily rising, according to security researchers. U.K.-based security firm MessageLabs reported spam levels reaching almost 85 percent of all global email traffic at the end of 2006. New sophisticated spam techniques include embedding industry-related buzzwords into the body of the spam message to dupe antispam software that the message is legitimate, or complex image spam delivered like puzzle pieces or in obscure image file formats to slip by spam guards.
Spam is becoming even more noticeable as it slips through some of the toughest controls into unsuspecting inboxes. When botnets came on the scene in 2004 as an outgrowth from Internet Relay Chat (IRC) servers and clients, botnet Trojans were used to self-replicate mass mailers, blasting out spam to other email addresses.
The spam surge quickly caught the attention of corporate IT security pros and software vendors, who aggressively sought to root out botnets. But today, botnet spammers use their sophistication to remain undetectable, because the longer a botnet can send spam, the more lucrative the attack, said Mark Sunner, chief security analyst at MessageLabs. The botnets are beginning to force the hand of Internet service providers to start filtering spam, he said.
With the surge of spam is a spate of targeted phishing attacks. They have moved beyond online banking sites and significantly increased to e-commerce sites, such as eBay and PayPal, as well as social networking site MySpace, according to MessageLabs By late 2006, more than 50 percent of malicious emails intercepted by MessageLabs were phishing attacks.
"Raw phishing attacks have gone up significantly," said Alfred Huger, senior director of engineering at Symantec Security Response. "They're harvesting email addresses of people in the same geographical area and that has resulted in more people falling prey to it."
In the first half of 2006, Symantec detected nearly 900 unique phishing messages a day--up from about 500 per day over the previous six-month period. Symantec said that nine of the top 10 phished brands were financial institutions, the sector most likely to produce the greatest monetary gain for attackers.
As IM gains traction in corporate environments, the use of spim--spam over IM--is growing said Chris Boyd, director of malware research at IM security vendor FaceTime Communications. "IM is one of last great unknowns," Boyd said. "People use IM in the workplace, but a large majority of IT guys are leaving the IM space wide open. It's a massive avenue of attack."
Still, many businesses are addressing IM as part of compliance projects. Heim said McKesson will roll out a corporate instant messenger application in 2007, but until then, the risks are not great enough to prohibit employees from using IM, he said.
"We take threats one step at a time," he said. "Quite frankly, at the end of the day it has to come down to education--having employees that understand the need for what we're doing."