Ed Macnair
Director Content Security
Spam and beyond….
Agenda
Messaging Attacks: Spam, Phishing, DoS
Other Internet Attacks: Spy-ware
Legal Compliance
External & Internal Content Security
How can NetIQ help?
Evolution of Email
Mid to Late 90's:
  Email becoming important
  Volumes growing
  A desktop experience
  Virus/Spam annoyance
  Plaintext email
  Basic archiving
  Downtime common
Today:
  More important than phone
  Volumes growing faster
  Desktop + mobile
  Viruses can shut down businesses
  Rich email, large attachments
  Policy & regulatory compliance
  High availability expected but operations are complex & costly
Tomorrow:
  Cornerstone of collaboration
  Volumes growing exponentially
  Any networked device
  Viruses impacting devices beyond server & PC
  Integrated communications
  Ubiquitous privacy, security & compliance requirements
  High availability with simplified operations & reduced costs
Growth of Spam
Still the No. 1 driver for Content Security
From 8% of all Email in 2001 to 60%+ of all Email in 2004
Average of 60% of all company Email is Spam; some companies as high as 95.8%
NetIQ receives up to 9.2 Million Email per 24hrs: 69% Spam, 4% Virus infected
Today 40% of all Spam is sent by Zombie PCs; SoBig, MyDoom, Bagle all contained code
Worldwide Spam breakdown…
Top 10 Spam Countries
1. United States
2. China
3. South Korea
4. Taiwan
5. Canada
6. Brazil
7. Russia
8. Japan
9. Hong Kong
10. Argentina
Spam by language: English 89%, Chinese 5%, German 2%, Korean 2%, Other 2%
Source: NetIQ Analysis
2001 Spam…
2005 Spam…
Isn’t That Enough Bad News?
Spam Has Evolved, We Must Evolve Too…
Best solution: Multi-Layered approach using a selection of good techniques
Detect and block as early as possible
If quarantined, quarantine at the perimeter
Provide users with a selection of useful but simple tools
Ability to exchange secure Email with more business partners to reduce the likelihood of False Positives
Product that is more than just Spam, to provide greater chances of evolving further in future
Also protects against other Email-borne attacks
DMZ Perimeter deployment
Diagram: flow of in-coming Email from the Internet, through the MailMarshal SMTP Server Array in the DMZ (Perimeter), to the Internal Servers and Users on the Trusted Network.
Simple End User tools…
Some Spam Detection Techniques…
Bayesian
Fingerprinting Database
Lexical Analysis
Heuristics
Grey-Listing
Optical Character Recognition
Sender-ID Framework (Spam Prevention)
Domain Keys (Spam Prevention)
Bringing it all together – Multi Pronged
End User Education + Legislation + Industry Self Regulation + International Co-operation + Technical Solution = Problem Solved???
Spam is a problem BUT there is a lot more you need to worry about!
Phishing – Disguised URL
Visible link: https://www.bendigobank.com.au/banking/BBLIBanking/
Called link: http://www.bendigobank.com.au%6Cbanking%6C%6C%6C%6C@%32%30%33%2E%32%33%32%2E%32%36%2E%32%35%31:%32%37%34%35/%69%6E%64%65%78%2E%68%74%6D
Resolved URL: http://203.232.26.251:2745/%69%6E%64%65%78%2E%68%74%6D
Phishing – Overwriting URL
Visible link: https://web.da-us.citibank.com/cgi-bin/help_desk/verify.asp
Called link: http://61.71.120.10/citi/index.php
Malicious Java application overwriting the address bar
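The two phishing slides above show the same thing: the link a user sees and the link actually called do not agree. The check below is an added example (not code from the deck or from MailMarshal) that percent-decodes the called link, recovers the real host behind the "@" decoy, and lists the indicators that make it look deceptive; the indicator heuristics are assumptions of this example, and the sample links are the ones on the slides.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

def real_target(url: str) -> dict:
    """Percent-decode a link and report where it actually points.
    Decoding first matters: "%32%30%33" only becomes "203", and the text
    before "@" only shows up as a decoy, after unquoting."""
    decoded = unquote(url)
    parts = urlsplit(decoded)
    return {
        "host": (parts.hostname or "").lower(),
        "port": parts.port,                  # None when no explicit port
        "userinfo": parts.username or "",    # text before "@" in the authority
        "path": parts.path,
        "decoded": decoded,
    }

def disguise_indicators(visible: str, called: str) -> list[str]:
    """Compare the link text a user sees with the href that is really called.
    Returns the indicators found (assumed heuristics); empty means they agree."""
    shown_host = (urlsplit(visible).hostname or "").lower()
    target = real_target(called)
    found = []
    if target["host"] != shown_host:
        found.append(f"host mismatch: shown {shown_host}, called {target['host']}")
    if target["userinfo"]:
        found.append(f"decoy text before '@': {target['userinfo']}")
    if target["decoded"] != called:
        found.append("percent-encoding hides the real authority or path")
    try:
        ipaddress.ip_address(target["host"])
        found.append(f"raw IP address as host: {target['host']}")
    except ValueError:
        pass  # a hostname, not a literal address
    if target["port"] not in (None, 80, 443):
        found.append(f"non-standard port: {target['port']}")
    return found

# The links from the two slides above (the first one joined across its line break).
BENDIGO_SHOWN = "https://www.bendigobank.com.au/banking/BBLIBanking/"
BENDIGO_CALLED = ("http://www.bendigobank.com.au%6Cbanking%6C%6C%6C%6C@"
                  "%32%30%33%2E%32%33%32%2E%32%36%2E%32%35%31:%32%37%34%35"
                  "/%69%6E%64%65%78%2E%68%74%6D")
CITI_SHOWN = "https://web.da-us.citibank.com/cgi-bin/help_desk/verify.asp"
CITI_CALLED = "http://61.71.120.10/citi/index.php"
```

Running `disguise_indicators(BENDIGO_SHOWN, BENDIGO_CALLED)` reports all five indicators, while the Citibank pair trips only the host mismatch and raw-IP checks, which is why link comparison alone is not enough and the other layers on the next slide matter.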
United Kingdom is not exempt!
Phishing – What next?
Worm applications controlling browser behavior: Layered Anti-Virus Protection; In-depth desktop scanning
Internal user identity theft emerging: Review your remote access technologies; User Education
Users divulging confidential data: User Training; In-depth Content Security Protection
Phishing – How do I protect myself?
Heuristics Testing
Optical Character Recognition
SURBL Lookups
Comparison & Testing of URL links
User Education!!!
Other Internet Attacks…
What is Spy-ware?
Hacker Tools: programs that are intentionally run by a hacker, usually on the hacker's machine. All such tools have interfaces through which the hacker interacts with the program.
Key Loggers: an application running in the background recording all the keystrokes.
Remote Administration Tools: a Remote Administration Tool, or RAT, is a Trojan that, when run, provides an attacker with the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine.
Spy-ware: any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior.
Spy-ware Cookies: any cookie that is shared among two or more unrelated sites for the purpose of tracking a user's browsing and/or gathering and/or sharing information which many users regard as "private".
Trojans: unwanted software which runs on a user's machine, as an agent of the attacker, without user awareness.
Worms: a program that propagates by attacking other machines and copying itself to them.
How do I Stop Spy-ware?
Diagram: Internet → DMZ → Trusted Network (Internal Servers, Users). Detect & Block at the DMZ; Scan & Block on the Internal Servers and on Users' machines; Educate!
Denial of Service
NetIQ bought two new companies to complement the WebTrends business, Web Position and First Place Software, in May.
IT migrated from an old Unix-based system (that did include Marshal, but all mail was handled by Unix mail gateways first) to 3 dual-proc Windows 2003 servers running Marshal 6.0.
The "business" was anxious that both these companies were integrated into the NetIQ mail system before the start of the next calendar month (June). This migration would involve changing their MX records to point to NetIQ.
Our mail volume increased immediately after integration, but just before month end First Place got hit by an email "storm".
In 24hrs we processed over 11 million messages, stayed up(!) and got through month end. If email had gone down, deals could not have been closed!!! (The process in SAP is reliant on an automated email process; no rev rec otherwise.)
When we had previously been targeted by an email "storm" (prior to the installation of Marshal) we had to ask our ISPs to stop sending us mail while we rebuilt our trashed systems. Don't have a financial impact figure for that episode, but our CIO did change a few months later ;-).
Viruses, viruses, viruses!!!
The virus problem remains
W32/Netsky.P-mm, W32/Zafi.B-mm, W32/Netsky.Z-mm, W32/Bagle.Z-mm, W32/Netsky.Q-mm, W32/NetSky.D-mm, W32/Mydoom.M-mm, W32/Lovgate.W-mm, W32/Netsky.C-mm, W32/Netsky.B-mm
Legal Compliance
Controlling Confidential Data
Diagram: Internal Network (Corporate Mail, Content Security & Fingerprint Store) and Internet (External User); the confidential message to the External User is blocked (X).
1. All Confidential Documents forwarded to Fingerprint Store
2. Confidential Documents recognized by checking the fingerprint from the store; report and block or allow depending on policy
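The two steps on this slide, as an added example rather than NetIQ's own implementation: step 1 registers every confidential document in a fingerprint store, step 2 checks outbound mail and attachments against it and applies a policy. Fingerprinting here is the SHA-256 of each whitespace- and case-normalised paragraph, so a pasted excerpt is caught as well as a whole file; the block/report/allow policy and the sample document are assumptions of this example.

```python
import hashlib
import re

def _normalise(text: str) -> str:
    """Collapse whitespace and case so re-wrapped or re-typed copies still match."""
    return re.sub(r"\s+", " ", text).strip().lower()

def fingerprints(document: str) -> set[str]:
    """SHA-256 of every normalised paragraph: an excerpt pasted into a mail is
    caught, not only a verbatim copy of the whole file."""
    return {hashlib.sha256(_normalise(p).encode("utf-8")).hexdigest()
            for p in re.split(r"\n\s*\n", document) if _normalise(p)}

class FingerprintStore:
    """Step 1 on the slide: confidential documents are forwarded here and indexed."""
    def __init__(self) -> None:
        self._index: dict[str, str] = {}  # digest -> document name

    def register(self, name: str, document: str) -> None:
        for digest in fingerprints(document):
            self._index[digest] = name

    def matches(self, text: str) -> set[str]:
        """Names of registered documents whose content appears in text."""
        return {self._index[d] for d in fingerprints(text) if d in self._index}

def evaluate_outbound(store: FingerprintStore, sender: str, recipient: str,
                      body: str, attachments: dict[str, str]) -> tuple[str, set[str]]:
    """Step 2: check body and attachments against the store, then apply policy.
    Assumed policy: confidential content leaving the sender's domain is blocked,
    internal delivery is allowed but reported, clean mail is allowed."""
    hits = store.matches(body)
    for content in attachments.values():
        hits |= store.matches(content)
    if not hits:
        return "allow", hits
    internal = sender.rsplit("@", 1)[-1].lower() == recipient.rsplit("@", 1)[-1].lower()
    return ("report", hits) if internal else ("block", hits)

# Constructed sample data, not from the original deck.
CONFIDENTIAL_DOC = ("Q3 forecast: revenue is expected to reach 14.2M, up 9% on Q2.\n\n"
                    "Acquisition target: negotiations with Example Corp close on 30 June.")
STORE = FingerprintStore()
STORE.register("q3-forecast.doc", CONFIDENTIAL_DOC)

def demo() -> tuple[str, set[str]]:
    """One paragraph pasted into an external mail, re-wrapped and lower-cased."""
    leaked = "FYI\n\nacquisition target:\nnegotiations with example corp\nclose on 30 june."
    return evaluate_outbound(STORE, "alice@corp.example", "bob@webmail.example", leaked, {})
```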
Legal Compliance
ISO 17799 / BS 7799: International Standards for the protection of Data
Legal Admissibility and Evidential Weight: Standards for how electronic documents should be managed and stored for legal admissibility and evidential weight
Litigation/Discovery Support Costs: Rapidly getting more expensive, a major disincentive against taking legal action
Data Protection Act 1998: This act demands that any personal information is kept securely and not retained for longer than is necessary; also, individuals can ask for any information that may mention them
Regulation of Investigatory Powers Act 2000: This act allows employers to monitor messaging content
Freedom of Information Act – Jan 2005: Allows anyone to request information from the public sector, Police etc.
Securities and Exchange Commission (SEC): Coming to Europe
External and Internal Content Security
Are all the Villains on the outside?
Diagram: Internet (External User) and Internal Network (Corporate Mail, Content Security & Fingerprint Store).
• Competition
• User Ignorance
• User grievances
• Legal Compliance
Requirement for Internal Content Security will increase
Email threats
Oracle facing £370,000 sex discrimination claim: IT saleswoman says it went on 'at the highest level' (http://newsletters.silicon.cneteu.net/t/38899/534480/15383/0/)
So how can NetIQ help?
Diagram: Internet, MailMarshal for SMTP, WebMarshal, MailMarshal for Exchange, End-user Workstations.
MailMarshal 6.0 for SMTP: External Content Security
MailMarshal 5.1 for Exchange: Internal Content Security
WebMarshal 3.5: Internet Access Control
2005 Reviews
SC Magazine - NetIQ has a long and successful name in email security so it is no surprise to see it dominating this group test with MailMarshal.
IDG - NetIQ MailMarshal wins due to first-rate performance and few weaknesses
Redmond Magazine - MailMarshal has an exceptional reporting system and its spam identification attributes were the best of the group
Market Overview
2004 – Spam was major market driver
Phishing became prevalent
Virus outbreaks continued to proliferate
Spyware is seen as an Enterprise threat
Appliances: the rise of the machines!
Market Direction ’05, ‘06
Spam is still a driver… but most Enterprises have solutions
  Mobile spam, PDAs, etc.
  VOIP vulnerable
Regulatory Compliance
  Sarbanes-Oxley
  Basle II
  HIPAA
  And more to come
Legal Liability will start to bite: Cases becoming common
Encryption re-emerges
Spyware: Needs definition; Layered approach
Email Management: Content Security, Intelligent routing, Archival and storage; All need to be integrated
Vendor consolidation: Fragmented market approaches
Greater degree of market segmentation: Enterprise class solutions; Differing solutions for different threat levels
Managed Services: Battle for SME space
Useful Links…
NetIQ Marshal Content Security Information: http://www.netiq.com/solutions/security/contentsecurity.asp
Microsoft Sender-ID Framework: http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx
Microsoft’s Spam Page: http://www.microsoft.com/mscorp/twc/privacy/spam.mspx
Grey-listing information: http://projects.puremagic.com/greylisting/
Anti-Phishing Working Group: http://www.antiphishing.org/index.html
Singapore Anti-Spam Research Centre: http://www.antispam.org.sg/
Questions?