Malicious Email Attachments on the Rise Again
by Eirik Iverson, Product Management
Sophos, a UK-based AntiVirus vendor, announced an eight-fold increase in the volume of malicious email attachments. Their senior technology consultant, Graham Cluley, said “Since they’re going through the effort of constantly changing code and doing it again and again, says to me it must be working.” I’m sure Sophos would agree that signature-based defenses and end-user training are not enough; something else is needed.
How many years have IT personnel and periodicals warned PC users about the risks of opening email attachments? Yet, the malware distributors keep finding new and provocative ways to get them to do just that.
Businesses responded by running all of their email through signature-based malware defenses prior to their reaching employee PCs. They also added content filtering, as did ISPs, to reduce the risks from web based email.
However, malware makers are systematically tweaking their code to elude signature-based malware defenses. Further, the malware makers have responded to network-based appliances that detect malware infestations by scanning traffic for malware communications to the mothership. Malware encrypts and/or hides these communications within legitimate traffic.
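As an added illustration of the two points above (this is example code written for this page, not code from the article, from Sophos, or from any product), the following Python sketch shows why an exact-match signature stops working the moment an attachment is re-packed, and what an endpoint-side check can key on instead: not the bytes of the file, but the chain of actions a process launched from a mail attachment performs. The sample bytes, the event log lines, the mail-client list, the attachment-directory prefix and the three-condition rule are all constructed assumptions for the demo.

```python
"""Signature matching versus an endpoint behavioural check.

Everything here is constructed for illustration: the 'attachment' bytes are a
harmless stand-in (not a real sample), the event log is made up, and the rule
thresholds are assumptions, not any vendor's actual logic.
"""
import hashlib
import re
from collections import defaultdict

# --- 1. Signature-based detection ------------------------------------------
# Constructed stand-in for an attachment's bytes (a fake header plus a marker).
ORIGINAL = b"MZ\x90\x00" + b"connect-to-c2;download;run" + b"\x00" * 16
SIGNATURE_HASH = hashlib.sha256(ORIGINAL).hexdigest()   # file-hash signature
SIGNATURE_BYTES = b"connect-to-c2;download;run"          # byte-pattern signature


def signature_match(sample: bytes) -> bool:
    """True only if the hash or the fixed byte pattern matches exactly."""
    return (hashlib.sha256(sample).hexdigest() == SIGNATURE_HASH
            or SIGNATURE_BYTES in sample)


def repack(sample: bytes, key: int) -> bytes:
    """Toy single-byte XOR 'packer': identical behaviour once unpacked,
    completely different bytes on disk, so both signatures above miss it.
    This is the cheapest form of the 'constantly changing code' quoted above."""
    return bytes(b ^ key for b in sample)


# --- 2. Behavioural detection on the endpoint --------------------------------
# Constructed endpoint events, one per line, as key=value pairs (assumed format).
EVENT_LOG = r"""
pid=410 parent=outlook.exe event=process_start image=C:\Users\a\AppData\Local\Temp\Invoice.pdf.exe
pid=411 parent=outlook.exe event=process_start image=C:\Program Files\Adobe\AcroRd32.exe
pid=410 event=file_write path=C:\Users\a\AppData\Roaming\svchost.exe
pid=410 event=net_connect dst=203.0.113.7:443
pid=411 event=net_connect dst=203.0.113.9:443
"""

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}          # assumed list
ATTACHMENT_DIR = "\\appdata\\local\\temp\\"                 # assumed, lowercased
EXEC_EXT = (".exe", ".scr", ".com", ".dll")


def parse_events(log: str) -> list[dict]:
    """Turn each 'k=v k=v ...' line into a dict; values may contain spaces."""
    pair = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")
    return [dict(pair.findall(line)) for line in log.splitlines() if line.strip()]


def suspicious_attachment_processes(log: str) -> list[int]:
    """Flag a process only when ALL three hold: it was launched by a mail
    client from an attachment temp directory, it wrote an executable, and it
    made an outbound connection.  Requiring the full chain, rather than
    guessing on any one event, is what keeps the user out of the loop and
    keeps false positives (e.g. the PDF reader that merely connects) down."""
    facts = defaultdict(lambda: {"from_attachment": False,
                                 "drops_exe": False,
                                 "connects": False})
    for ev in parse_events(log):
        f = facts[int(ev["pid"])]
        kind = ev["event"]
        if kind == "process_start":
            image = ev["image"].lower()
            if (ev.get("parent", "").lower() in MAIL_CLIENTS
                    and ATTACHMENT_DIR in image
                    and image.endswith(EXEC_EXT)):
                f["from_attachment"] = True
        elif kind == "file_write" and ev["path"].lower().endswith(EXEC_EXT):
            f["drops_exe"] = True
        elif kind == "net_connect":
            f["connects"] = True
    return sorted(pid for pid, f in facts.items() if all(f.values()))


if __name__ == "__main__":
    variant = repack(ORIGINAL, 0x5A)
    print("signature hits original :", signature_match(ORIGINAL))   # True
    print("signature hits repacked :", signature_match(variant))    # False
    print("behavioural alerts (pid):", suspicious_attachment_processes(EVENT_LOG))  # [410]
```

Run it and the signature catches the original bytes but not the XOR-repacked copy, while the behavioural rule flags only pid 410 (the executable launched from the attachment temp folder that then drops a file and phones home) and leaves the legitimately spawned PDF reader alone. A real endpoint agent would consume kernel or ETW-style events rather than a text log, but the shape of the decision is the same.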
So, that ‘something else’ must reside on the endpoint itself. And, it must strike a balance between security and usability, avoiding the mistakes of most host intrusion prevention system (HIPS) products.
- End-users should not have to reliably answer technical ‘do you want to allow this to occur’ questions
- They should not be distracted with false positives because the defense must guess between normal and abnormal activity
In the enterprise world, administrators should NOT have to:
- Fine tune complex and numerous allow/deny rules per PC application
- Analyze mountains of false positives
- Repeat tuning after an application is patched or updated
‘Something else’ is needed on the endpoint. When making your choice, remember to consider usability from an operations and end-user perspective.