|
Over at Word to the Wise, Laura Atkins has a post up where she talks about the real problem with ESPs and their lack of internal security procedures which resulted in the breach of many thousands of email addresses (especially Epsilon). However, Atkins isn’t only criticizing ESP’s lack of security but also the industry’s response wherein they have suggested countermeasures that are irrelevant to the problem. Better spam filtering, signing mail with DKIM and securing consumers’ machine are all besides the point—the problem is that ESPs do not have security policies in place that would have prevented this problem.
As I read through the comments on the blog, what Atkins is getting at is that Epsilon should have implemented policies where even if they were breached by a third party, it shouldn’t have mattered:
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists. These controls must address technical attacks, spear phishing attacks and social engineering attacks.
To further clarify on this, here’s a brief 411 on the above paragraphs:
The problem is that even if these security procedures were implemented, it still doesn’t harden an organization against a spear phishing attack. Software companies need to take part of the blame. Why do I say this? Because the RSA attack that just occurred could have implemented all of this and still been hacked.
In the RSA attack, hackers got the random seed and the algorithm that they use to create the random tokens. They got this by sending phishing mails to a few employees—employees who would have had the proper access—that were caught by spam filters with a subject line that said something along the lines of “Documentation for 2011” along with an attachment. Employees then went into their junk folders, believed it was a false positive and opened the document. Mayhem ensued.
These people know about attacks. The reason they went into the junk folder is because they have experienced times when their spam filters blocked legitimate mail. They have therefore been subconsciously trained to not trust their spam filter 100% because they have obviously missed legitimate messages in the past. Whose fault is it that users have been trained to go into their spam filters and retrieve legitimate mail?
Even if they had their antimalware signatures and software patches up-to-date, this malware executed zero-day vulnerabilities and compromised the machine. The attackers knew what they were looking for and got what they needed. They did some pre-operational surveillance to target the people they needed to target, get in and get out, and then cover their tracks (this is very similar to what happened to Google in January 2010). The point is this: whose fault is it that the software they were using contained a zero-day vulnerability?
If an attacker specifically targets someone and goes to the time and effort to customize a zero-day, and knows their way around the inside (or has the technical know how to navigate their way around and create a map quickly), then creating policies to resist these types of attacks is going to put constraints on people. The reality is that some people need access to data to do their jobs. Code is written in plain text somewhere that allows people to reverse engineer and steal critical data. People will sometimes fall for phishes.
If I get you to name any card at any number, I have an advantage over you. Everything looks perfectly fair, but it’s not. I know what I’m doing and my odds of success are very high whereas you are merely looking to be entertained. Every one of us have other things to do during the day and get distracted, protecting against phishing is not high on our list of priorities—we are looking to do our day-to-day jobs. Attackers who want to get the data have the advantage of surprise and subterfuge. This advantage is the difference between success and failure. As Sun Tzu said, “He will win who, prepared himself, waits to take the enemy unprepared.”
I don’t know what the answer is but I know it’s not simple. Industry needs to come up with a comprehensive guide to securing your IT environment. People need training. Data probably should be encrypted. But it’s not going to solve everything.
In the meantime, think of a number. Next time we meet up in person, I’ll tell you what it is.
Sponsored byVerisign
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byCSC
Sponsored byDNIB.com
Sponsored byVerisign
What we said and are saying
is that now is the time for the ESP community to embrace _all_ of the best practices they have dithered with, to a degree, for a long time, like email authentication. That allows for the successful parsing by receiving systems, of good mail vs. the inevitable spear-phishing that will happen.
Security on their outbound email obviously would not have prevented Epsilon. What would have prevented Epsilon is they, and every other ESP and mailer treating their email lists like their most valuable commodity, which it is. That means hiring security professionals to harden their networks, and doing things like database encryption, that is industry standard in other sectors.
I did get the point, but the point of my article was that even if you do all sorts of security procedures, you are not completely hardened. > What would have prevented Epsilon is they, and every other ESP and mailer > treating their email lists like their most valuable commodity, which it is. That > means hiring security professionals to harden their networks, and doing things like > database encryption, that is industry standard in other sectors. Not necessarily. According to Microsoft's internal data classification procedures (specified in a Word doc and publicly accessible at this link: http://is.gd/8A8bXY), they classify data in to three different categories - High Business Impact (HBI), Medium Business Impact (MBI) and Low Business Impact (LBI). HBI consists of authentication credentials and highly sensitive PII like medical or financial records. MBI consists of PII that is not highly sensitive like political opinions, name, address, and email addresses. MBI must be encrypted when while it is in transit, but HBI must be encrypted when it is in transit *and* while stored, and accessed using two factor authentication. Thus, for Epsilon to encrypt email addresses while stored would not necessarily be industry standard. I understand your point that perhaps they *should* be treated as HBI, but classifying data as HBI has all sorts of other implications.
These are absolutely basic and necessary. And this is something that shouldn't be overlooked by any ESP. Epsilon isnt the first ESP to be compromised and it won't be the last.