Security Basics mailing list archives

RE: Spam prevention vs mitigation


From: "Joseph Laico" <LAICO () 0IS US>
Date: Thu, 12 Apr 2012 17:56:57 -0400

Sadly, you must be employed by a jackass company. Curtailing spam is
addressable, but eliminating it for good is analogous to telling the
computer it can never be compromised in the course of its shelf life. As
with all things in life common sense does not always prevail, and perception
is why some Bosses should be jelly donut stuffers rather than Supervisors.
Having dealt with so many who lack the skill set and the common sense in
business you learn to accept the dumb more frequently than the smart. SPAM
is an integral part of technology as are Infomercials, and Junk Mail from
the USPS. Whether you categorize it as a nuisance, malicious, solicitation,
or just a plain waste of time and productivity it all amounts to
acknowledging it's part of the technology equation. Seldom does anything
change when it comes to the human psyche, therefore it's impossible to
eliminate it and if you try too hard you may wind up creating more of an issue.
The unethical hacker is smart, very smart, do not underestimate his or her
ability to compromise your platform; painting the target will challenge
someone a lot more savvy to breach your platform. Dealing with the
infinitesimal amount of spam you receive daily is acceptable, Postini should
have only 3 to 6 a day let alone hundreds daily. You also run the risk of
the many listings from Grey to Black should you become a target for someone's
desire to prove you otherwise, anything I repeat anything given enough time,
resources and passion are thrown at it can be compromised, for every move
there will always be a counter move, tell your Boss you truly don't want to
motivate a hacker to use your platform as the proving grounds. In summation,
tell your Boss he or she is truly a pathetic individual if that's all they
can focus on, surely there are more important issues at hand.

Good Luck,

Joe 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Todd Haverkos
Sent: Thursday, April 12, 2012 1:37 PM
To: Steve Sirag
Cc: security-basics () securityfocus com
Subject: Re: Spam prevention vs mitigation

Steve Sirag <stevesirag () gmail com> writes:

> Hi,
>
> My bosses are demanding 100% spam prevention,

Tell them some guy on the Internet said that the only way to do that
is shut down the email server.   I'll be your fall guy. 

> and I'd like to find some industry papers, articles, etc that explains 
> why that's not advisable (if even possible).  My understanding is that 
> spam mitigation is the goal, keeping spam down to where it's not a 
> distraction from business.  Our current spam level is roughly 3-6 
> spams received per user per day.  That seems manageable to me, but I'd 
> like the extra ammunition going into the meeting.
>
> Can anyone help?

If you were to try to make that argument, the counterpoint would be "Okay,
what if the 6 that get through are phishes that have malicious links to
recently registered domains or have malicious attachments that invariably
people will click on, that leverage exploits for things the machine isn't
patched against, and they lead to compromises of the local machine because
no one has done the hard work and planning it takes to strip users of local
admin rights?"

And then parlay this discussion into perhaps getting some funding to do user
education about security threats and how to respond, do some shootouts of
new gateway mail solutions (that may have AV and threat protection that
looks at more than just signatures of attachments), web gateway solutions
that look at IP, URL reputation as well as scan for malware, privileged
identity management solutions as well as political capital to wrestle admin
privs away from users who don't need it, and for those who have it, make
sure they can't be surfing the web while logged in as admin?

Leave no crisis unexploited.  :-) 

That said, what's acceptable risk to business will vary by business.
You can make the case with simple logic that no signature based classifier
will achieve 0 false negatives without also generating false positives--ask
if they're willing for business critical email to get caught up in the spam
filter, and if it does will your current solution give end users a way to
retrieve it?  The story is the same in AV land -- if AV heuristics trying to
catch unknown and suspicious files are tuned too tight, legit files
invariably end up getting blocked.

The inconvenience of those 5 or 6 emails a day is the lesser concern compared
to the likelihood of compromise from an email received by a typical user that
contains a malicious link or attachment. 

That said, I think it's safe to say that over the past weeks, the incoming
volume of phishing like this has surely been on the uptick. 

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate In this guide we
examine the importance of Apache-SSL and who needs an SSL certificate.  We
look at how SSL works, how it benefits your company and how your customers
can tell if a site is secure. You will find out how to test, purchase,
install and use a thawte Digital Certificate on your Apache web server.
Throughout, best practices for set-up are highlighted to help you ensure
efficient ongoing management of your encryption keys and digital
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
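Todd's point about classifier thresholds, as an added example rather than anything from the thread: a toy keyword-scoring filter run over a constructed six-message corpus, sweeping the flagging threshold to show that the strictest threshold with zero false negatives still flags a legitimate message, plus the two-tier quarantine disposition he alludes to so users can retrieve misclassified mail. The corpus, WEIGHTS and all function names are my own assumptions, not any product's logic.

```python
from typing import Dict, List, Tuple

# Constructed corpus of (subject, is_spam). The last legitimate message
# deliberately shares vocabulary with the spam, as real business mail does.
CORPUS: List[Tuple[str, bool]] = [
    ("WIN a FREE prize now click here", True),
    ("Urgent: verify your account password now", True),
    ("Cheap meds, limited offer, click here", True),
    ("Re: Q2 budget meeting moved to Friday", False),
    ("Invoice attached for April services", False),
    ("Urgent: account password reset required now for VPN migration", False),
]

# Assumed keyword weights standing in for a signature/heuristic rule set.
WEIGHTS: Dict[str, int] = {"free": 3, "prize": 3, "cheap": 3, "click": 2,
                           "urgent": 2, "password": 2, "account": 1,
                           "offer": 1, "now": 1}

def score(subject: str) -> int:
    """Sum the weights of known keywords in the subject line."""
    words = subject.lower().replace(":", " ").replace(",", " ").split()
    return sum(WEIGHTS.get(w, 0) for w in words)

def evaluate(threshold: int, corpus=CORPUS) -> Tuple[int, int]:
    """(false positives, false negatives) when flagging score >= threshold."""
    fp = fn = 0
    for subject, is_spam in corpus:
        flagged = score(subject) >= threshold
        fp += int(flagged and not is_spam)
        fn += int((not flagged) and is_spam)
    return fp, fn

def sweep(corpus=CORPUS) -> Dict[int, Tuple[int, int]]:
    """Evaluate every threshold from 0 up to one past the highest score."""
    top = max(score(s) for s, _ in corpus)
    return {t: evaluate(t, corpus) for t in range(top + 2)}

def zero_fn_threshold(corpus=CORPUS) -> Tuple[int, int]:
    """Strictest threshold that still catches all spam, and the FP it costs."""
    results = sweep(corpus)
    best = max(t for t, (_, fn) in results.items() if fn == 0)
    return best, results[best][0]

def disposition(subject: str, quarantine_at: int = 6, reject_at: int = 9) -> str:
    """Reject only clear spam; quarantine the grey zone so users can retrieve it."""
    s = score(subject)
    if s >= reject_at:
        return "reject"
    return "quarantine" if s >= quarantine_at else "deliver"
```

On this corpus every threshold that lets no spam through also flags the legitimate VPN-reset notice, which is exactly the "business critical email caught in the spam filter" case above.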
