Re: Spam prevention vs mitigation

[Todd Haverkos <infosec () haverkos com>]

Steve Sirag <stevesirag () gmail com> writes:

> Hi,
>
> My bosses are demanding 100% spam prevention,

Tell them some guy on the Internet said that the only way to do that
is shut down the email server.   I'll be your fall guy. 

> and I'd like to find some industry papers, articles, etc that
> explains why that's not advisable (if even possible).  My
> understanding is that spam mitigation is the goal, keeping spam down
> to where it's not a distraction from business.  Our current spam
> level is roughly 3-6 spams received per user per day.  That seems
> manageable to me, but I'd like the extra ammunition going into the
> meeting.
>
> Can anyone help?

If you were to try to make that argument, the counterpoint would be
"Okay, what if the 6 that get through are phishes that have malicious
links to recently registered domains or have malicious attachments
that invariably people will click on, that leverage exploits for
things the machine isn't patched against, and they lead to compromises
of the local machine because no one has done the hard work and
planning it takes to strip users of local admin rights?"

And then parlay this discussion into perhaps getting some funding to
do user education about security threats and how to respond, do some
shootouts of new gateway mail solutions (that may have AV and threat
protection that looks at more than just signatures of attachments),
web gateway solutions that look at IP, URL reputation as well as scan
for malware, privileged identity management solutions as well as
political capital to wrestle admin privs away from users who don't
need it, and for those who have it, make sure they can't be sufing the
web while logged in as admin?

Leave no crisis unexploited.  :-) 

That said, what's acceptable risk to business will vary by business.
You can make the case with simple logic that no signature based
classifier will achieve 0 false negatives without also generating
false positives--ask if they're willing for business critical email to
get caught up in the spam filter, and if it does will your current
solution give end users a way to retrieve it?  The story is the same
in AV land -- if AV heuristics trying to catch unknown and suspicious
files are tuned too tight, legit files invariably end up getting
blocked.

The inconvenience of those 5 or 6 emails a day is the lesser concern
to the likelihood of compromise an email received by a typical user
that contains a malicious link or attachment. 

That said, I think it's safe to say that over the past weeks, the
incoming volume of phishing like this has surely been on the uptick. 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------