Taking Control of the Risks
Written by Paul Cunningham on October 14, 2009
We can all agree that spam is a huge problem for anyone who is making use of the internet. But spam itself is not the actual risk we need to focus on.
The real risks are the objectives that spammers are attempting to achieve, such as identity theft, credit card fraud, bank fraud, selling fake goods, phishing, taking over computers for botnet armies and other online scams.
Too often we focus on solving the problem of spam, instead of addressing the risks that spam presents to us. We scan for malware but not phishing attacks. We do email content filtering but no web content filtering. We run a firewall but leave the wireless network open. We ban Twitter and Facebook but not online forums.
Protecting ourselves from the risks of spam means first understanding those risks, and then implementing a comprehensive protection strategy that addresses each of them in turn.
Malware – malware comes in many forms. There are the traditional viruses and worms that infect computer networks and are often destructive in nature.
Little has changed with this threat in the last decade. The infection sources are still largely the same – innocent-looking software containing malicious code, network worms that can spread across the LAN or the internet, and files shared between business and home computers via removable media (USB flash drives being the most popular these days). Spammers will also attempt to spread malware by promoting it as free software alternatives to expensive proprietary brand names.
Security vendors often refer to their preventative products in this category as “endpoint security”, the name intended to convey that there is more to malware protection than just scanning files on the computer’s hard disk. Endpoint security solutions extend traditional anti-malware protection and control to include portable storage devices.
You cannot rely on others to protect their own computers and prevent them from infecting yours.
Phishing and Scam Emails – My own experience is that, of the tens of thousands of spam emails a business may receive, only a small handful contain malware. Security vendors support this type of statistic with their own much broader analysis, reporting that as little as 4% of malicious email contains a malware payload.
An email user is far more likely to receive a phishing email than a virus these days. The email will attempt to fool the user into revealing credit card or online banking details. The protection against such emails is email content filtering using an anti-spam product.
You cannot rely on others, even major ISPs and email providers, to protect you from email attacks.
Websites and Social Networks – now that we have looked at email content filtering, we must consider malicious web content as well. There are two simple reasons for this – firstly, not all malicious emails will be detected, so in some cases an end user may be tricked into clicking a link to a website. Secondly, email is not the only vector that attackers use to try to draw traffic to their websites.
Web content filtering from a reputable security vendor will protect users from known malicious websites in the cases where they are successfully tricked into visiting one, whether by email or from other online communications such as social networking, instant messaging, and forums.
You cannot rely on social networks and other web services to strictly police their often free services for spammers and other malicious people.