TECHNOLOGY SPECIAL REPORT
Managed Security Services: A Hedge Against E-Mail Attacks

In today's world of merged business and technology applications, e-mail has become as essential as the telephone. But e-mail on the corporate level is also one of the most deadly communication tools. It is through e-mail that most security risks occur, warn security specialists.

If the corporate e-mail system is not tightly guarded, hackers can use it as a private access line to the computer system. Whether the security breach is done by a hacker or by attack tools like phishing scams, worms and viruses, the corporation's computer network is at great risk.

The security of the computer network is the prime responsibility of corporate chieftains, not the rank and file. That is the message Earle S. Humphreys, senior vice president of channel partners and marketing for Solutionary, preaches. It is up to the highest level of corporate management to secure e-mail from viruses, worms and other online attacks.

"Security must be integrated into the corporation's development and infrastructure," Humphreys told TechNewsWorld.

That integration can best be done through the around-the-clock protection managed security services provide to corporate customers.

Managed Security Key to Survival

Managed security services are becoming an essential component of preventing e-mail security risks. In most small businesses, IT staffs are either nonexistent or overburdened. In large companies, IT staff operation is often hindered by budget constraints, according to security experts.

Security needs vary for different-size companies. Rather than trusting network security to an internal staff, hiring a security firm to manage the process every day is a growing trend.

Managed security firms take responsibility for making sure e-mail is locked down and security holes are plugged. Managed security software allows the security firm to sweep corporate computer systems and then keep them intruder-free through remote-access security checks and daily traffic monitoring.

"Becoming critical is deep packet checking for intrusion protection," Humphreys said, referring to one aspect of the managed security services Solutionary provides.

The larger the corporation, the greater the risk that it will sustain an attack on its computer system. Large companies need the added protection of layered defenses that managed security services can bring, he said.

Solutionary offers a security service it calls eV3. Its three-part methodology incorporates checks and analysis of a corporate computer system's vulnerability, visibility and verification. Its comprehensive Internet security monitoring and assessment services include protection from phishing attacks.

Phishing Expeditions High Risk

Threat prevention from phishing attacks is one of the most crucial defenses that managed security firms can provide, Craig Sprosts, product manager at IronPort Systems, told TechNewsWorld.

Phishing is an Internet scam that sends unsuspecting users official-looking e-mail. The messages in the e-mails try to fool recipients into disclosing online passwords, user names and other personal information. These messages often contain an invitation to click a link that directs the victim to a look-alike version of an organization's Web site.

Such scams place corporate customers at risk of identity theft. They also jeopardize customer confidence in doing business online with the company.

Phishing scams are becoming more clever, Sprosts warned. Among the most effective ploys perpetrators use are hijacking company URLs and installing pop-up windows from unrelated sources to steal user information, he said.

Managed security services firms can monitor e-mail traffic constantly for tell-tale signs of invalid accounts and messages from forged addresses. IronPort Systems' Sprosts said monitoring the sender's country of origin is a vital part of filtering and content analysis.

The number of phishing e-mails circulating on the Web has increased from 279 to 215,643 during the past six months, according to industry watchers. "Seventy-five percent of these phishing attacks come from Russia and Eastern Europe," Sprosts said.

IronPort uses "spamtraps" to detect phishing attempts. Essentially, the software monitors corporate e-mail traffic for sudden spikes in the number of messages sent to e-mail addresses that have no legitimate purpose for receiving e-mail or that use forged sender addresses. Ironport adds a second level of defense against phishing by using Brightmail, an e-mail application that analyzes message content and the Web sites advertised in the e-mail to detect and block phishing scams.

False Security a Key Threat

Managed security services provide a level of expertise that many companies can't provide on their own. They also prevent misuse of stand-alone security software that isn't monitored for errors.

Corporate executives must know their computer network's risk points. Most companies don't run effective risk assessments or don't run them often enough, said Michael Hrabik, CTO of Solutionary.

"Businesses must run vulnerability assessments from the perimeters of the network. They have to check all possible entry points," he told TechNewsWorld.

According to Hrabik, when he conducts a security audit of small business networks, he typically finds a rash of worm intrusions. One recent risk assessment revealed weaknesses that had existed for years. The computer system had been compromised without any knowledge of the problem by the small IT staff.

"Permission rules were entered incorrectly, default passwords were used by all employees, and self-monitoring security software was flawed," he said.

Factoring the Risk

Solutionary's Hrabik said computer security can be quantified like any other business or budgetary transaction. Corporate managers can calculate the amount of security risk they face by weighing the value of their assets against the likelihood of their computer systems being compromised.

He said risk audits usually fall into categories. Looking at the results shows both weak and strong areas within each category of network assessment.

"The biggest problem we find is that development staff has little background in network security, so applications are loaded with security holes," Hrabik said. Fortunately, he added, "we are starting to see the addition of network security people to developmental departments." These personnel provide a liaison from within the corporate structure to the managed security services staff.

The next big trend will be a security manager. "Business groups are starting to demand that third-party security management provide computer security," said Hrabik.