May 01 2006

Spam Fighters

As companies tame spam and viruses, new blended threats add Web content filtering to the mix of vital security tools.

Photo: Drake Sorey
Antispam software installed at Levine, Blaszak, Block & Boothby, LLP, saves the 35-lawyer firm $1.1 million above its outlay, estimates systems administrator Scott Kossack.

Word travels fast in the Internet age, but never as fast as when that word contains viruses, worms or leaked company data.

This is why small businesses should consider filtering the content entering and leaving their networks, security experts say. In addition to scanning incoming and outgoing e-mails and their attachments for viruses and spam, businesses should also examine downloaded Web pages and instant messages for security threats that, if not handled properly, could harm them.

The good news — and maybe the bad news — is that there are almost as many ways to filter content as there are ways to compromise it. For example, a small business can use e-mail and Web filtering software on in-house servers; pay a service provider to host filters on its servers; or attach dedicated filtering devices to the gateway between its local-area network and the Internet.

Most small businesses have gotten the message, and 80 percent of them now scan their e-mail for viruses, according to a 2005 survey by nonprofit advocacy group Small Business Technology Institute, in San Jose, Calif.

In response, small businesses are doing a little bit of everything. Why? Because that’s what hackers and cyber criminals are doing. These so-called blended threats are best treated with blended protection, says Ed Skoudis, co-founder of Washington, D.C.-based security consultant Intelguardians.

“You need to have multiple layers of defense,” says Skoudis. “Malicious code often tries to disable antivirus and anti-spam [protection].” Small businesses should have firewalls, plus content filtering and proxy servers to act as a gateway to the Internet and to shield company systems from mischief, he says.

Heading Off Hackers

Keeping ahead of hackers is no small task because they’re now mixing the very worst aspects of viruses, worms, Trojan horses and other malicious code. Using these blended threats, hackers can increase their odds of success.

Hackers also distribute these blended threats through instant messaging. For example, a relatively new nuisance, SPIM (spam over instant messaging), can carry innocent-looking links to a Web page that, when accessed, downloads malicious code to the user’s computer. While such tactics were fairly rare in 2005 (less than 10 percent of IM traffic was SPIM), their use is likely to rise dramatically in 2006, according to a report by Symantec’s IM Logic Threat Center.

That does not bode well for small businesses, given another Symantec statistic: Small businesses were the third most-targeted sector during the second half of 2005, according to Symantec’s Internet Security Threat Report, released in March. That’s because small businesses are less likely to have a well-established security infrastructure, making them more vulnerable to attacks. About 7 percent of attacks were directed at small businesses; about 8 percent at schools; and about 13 percent at financial institutions, according to the report.

“Small businesses must be very careful, especially when it comes to online banking,” says Peter Firstbrook, research director in the Information Security and Privacy practice at Stamford, Conn.-based Gartner. Hackers are now blending keystroke loggers and password sniffers with viruses to steal bank account passwords and other sensitive data, he said. “And small businesses generally have less online fraud protection than consumers.”

Blended, Not Stirred

The right blend of content-filtering defenses depends on the number and type of workers a company employs, the type of business, the critical nature of the data being protected and the company’s expectations for a return on investment, experts say.

3rd: Small business’ rank among most frequently targeted industry segments for security attacks, behind No. 1 financial services and No. 2 education.
Source: Symantec Internet Security Threat Report, March 2006

Calculating ROI for content filtering and other IT security measures is particularly difficult for small businesses, says Skoudis. “In large organizations, it’s much easier to see. For example, you can calculate the number of calls you save to your help desk. But small businesses don’t have help desks,” he says.

“Assume that 50 percent of machines are infected, and it takes an hour to clean each machine, then factor in the money you pay IT workers, plus the loss in productivity,” suggests Gartner’s Firstbrook.

Using a similar formula, the Washington, D.C.-based law firm Levine, Blaszak, Block & Boothby, LLP, estimates that its antispam software saves $1.1 million above its outlay. Most of that money comes from productivity gains, says Scott Kossack, the firm’s systems administrator. The 35-person practice specializes in telecommunications law and IT matters. As such, LBB&B can ill afford to let viruses — or client data — slip through the cracks.

And there are potential new cracks all the time. That’s why the law firm uses a SonicWall firewall to protect its internal network and Symantec’s Brightmail anti-spam software. All told, Brightmail screens 20,000 to 25,000 e-mails and their attachments that are sent to and from the law firm each day, says Kossack. Eighty percent of them are spam and are stripped of suspicious code before being redirected into users’ spam folders or quarantined.

LBB&B uses Brightmail on its in-house mail server, rather than leave that task to its Internet service provider or a hosted e-mail security firm. “That gives us much greater control over the settings and how stringent it is in filtering,” adds Kossack.

ISP Protection

Boston-based Skelly Insurance Agency relies on the e-mail and content filters used by its Internet service provider (ISP), according to the firm’s president, Thomas Skelly. While he doesn’t attempt to assess the dollar value of antivirus protection, Skelly says scanning is a critical function that helps preserve his business’ reputation by preventing it from unwittingly passing on virus-infected e-mails to clients.

“That’s important because a lot more of our clients send e-mails with attachments,” Skelly says, adding that the ISP-based filters have reduced spam to tolerable levels. “It has saved us a huge amount of time.”

For businesses that need maximum protection, there is a third option: a dedicated security appliance. One such appliance that’s growing increasingly popular is called a Unified Threat Management, or UTM, firewall. These devices combine standard firewall access controls and virtual-private network (VPN) capability with security measures typically found in separate programs or devices, including intrusion detection, content filtering and blockers for spam, viruses, spyware and phishing attempts. (See BizTech, March 2006.) Other dedicated security appliances are more targeted at specific threats, for example the Barracuda Spam Firewall 300, which primarily scans for spam and viruses, or the Barracuda Spyware Firewall 310, which scans for spyware and viruses and also provides Web content filtering. Even more targeted are dedicated e-mail filtering appliances, for example the SurfControl RiskFilter, which scans e-mail for viruses and spam and also inspects outgoing mail to block leaks of confidential data or other violations of company policy.

Like antivirus and antispam filters for e-mail, Web filtering tools come in various strengths and form factors. All are designed to monitor and block inappropriate Internet access and prevent harmful code from downloading from the Web.

Many of the multifunction security appliances include Web filtering capabilities. Software-only products include Websense’s Web Security Suite, which scans Web traffic for spyware and a variety of threats lumped together under the moniker “malicious mobile code.” It can also block spyware and keylogging transmissions back to their host sites, protect employees from phishing attempts, and monitor and control instant messaging (IM) clients, a security vulnerability that’s often underrated because most e-mail filters and antivirus software and appliances can’t scan IM traffic.

CEO takeaway
• Filtering e-mail, Web traffic and instant messaging can be done through software, a dedicated hardware appliance or an outsourced service. A mix of approaches often works best.
• Web filtering tends to cause latency because each click made on a Web page is sent through a proxy server to be scanned. Make sure your IT team tests a server or service for performance before signing on.
• Security appliances, which combine firewalls, intrusion detection, antispam, antivirus, content filtering and other security measures, are often cost-effective for businesses with a limited IT staff.
• You can invest in scanning your e-mail and Web traffic, but if your employees use instant messaging, you may still be at risk without a device that scans IM traffic, such as the Barracuda Spyware Firewall 310.