Earlier today, we reported on the TIFF-handling zero-day exploit that is reportedly being used by Operation Hangover hackers to attack targets in the Middle East. The attacks utilize malicious code in email, instant messages or web pages, memory corruption, and a flaw in a graphics-handling component to get in and execute code remotely on a system that’s running a vulnerable version of Office applications or Windows.
A key point here is that in order to launch an attack based on this vulnerability, the attacker must persuade the user to take action by opening an email attachment, clicking a link in a message or clicking a link on a web site. That means educating users to safe email and web surfing practices will go a long way toward protecting from this exploit. However, we all know that users get distracted and forget – especially when clever attackers craft messages and sites in such a way as to make the users believe they’re opening links or attachments from a safe, trusted source.
These types of exploits and their growing popularity point up the importance of proactive email and web security to block the routine opening of attachments and links. It’s a fine line, because users may often need to send and receive attachments and links in order to get their work done efficiently, but sometimes all that’s needed is to delay the process so that the user stops and thinks about whether this attachment or link has really been properly vetted before automatically clicking on it. Security awareness is your first line of defense.
Even better is an email security solution that’s smart enough to recognize email-borne threats, block attachments that contain suspicious code, and disable scripts that could be carrying a malicious payload. This takes most of the burden of responsibility off of the users – who, after all, are generally not security specialists – and frees them to focus on using their own expertise to benefit the company.
In so many cases, email security is all about anti-spam technology. Filtering for spam is important, given the time-wasting nature of the hundreds or even thousands of pieces of unsolicited advertising that pour into the typical company mailbox each week. However, the real threat comes from those messages with a motive much darker than simply to sell something. These truly malicious messages can also be harder to detect, because their creators put more time and effort into disguising what they really are.
Email-based attackers have a myriad of tricks up their sleeves, which means no one detection method will catch all of them. You need to view email as the “road most traveled” coming into your network, and set up different types of roadblocks at different points to ferret out the dangerous stowaways who may be hitching a ride along with all the business-critical mail that keeps communication flowing. Examination of both the sender characteristics and the content of the mail itself is essential, but false positives are always a problem, so you might want to implement whitelisting and other mechanisms to reduce the possibility that your email security solution will end up throwing the babies (good messages) out with the bathwater of dangerous or unwanted mail.
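The layered screening described in the two paragraphs above (a sender allowlist, inspection of attachment content rather than just its name, and disabling scripts instead of bouncing the whole message) can be sketched in a few dozen lines. The following is an added example written for this article, not code from the original post or from any email security product; the domains, file names and attachment bytes are constructed, and the attachment "signatures" are only the leading bytes of the TIFF, PDF and ZIP formats, so this is a demonstration of the approach, not a detector for the exploit itself.

```python
"""Layered email screening: sender allowlist, attachment inspection by magic
bytes, and script stripping. Added example; all domains, file names and
message bodies are constructed sample data."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Layer 1: senders trusted enough that their attachments skip the type block.
# Constructed domain; a real deployment would load this from configuration.
ALLOWLIST_DOMAINS = {"partner.example"}

# Layer 2: file signatures we recognise. TIFF has two byte orders (II / MM).
MAGIC = {
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also the container for .docx/.xlsx
}
# Types blocked outright from untrusted senders while a vendor patch is
# outstanding (the post's TIFF case); adjust as advisories change.
BLOCKED_TYPES = {"tiff"}
EXT_TO_TYPE = {"tif": "tiff", "tiff": "tiff", "pdf": "pdf", "zip": "zip",
               "docx": "zip", "xlsx": "zip"}

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)


def sniff(data: bytes):
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def sender_domain(msg) -> str:
    """Domain part of the From header, lower-cased (no SPF/DKIM here)."""
    return msg.get("From", "").rsplit("@", 1)[-1].strip("> ").lower()


def inspect_attachments(msg, trusted: bool):
    """Return (filename, reason) findings; an empty list means no concern."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        sniffed, declared = sniff(data), EXT_TO_TYPE.get(ext)
        # Declared extension disagrees with the bytes: the classic disguise.
        if sniffed and declared and sniffed != declared:
            findings.append((name, f".{ext} name but {sniffed} content"))
        # A type under an unpatched flaw, arriving from an untrusted sender.
        if sniffed in BLOCKED_TYPES and not trusted:
            findings.append((name, f"{sniffed} blocked pending vendor patch"))
    return findings


def strip_scripts(html: str) -> str:
    """Layer 3: remove <script> blocks so the message can still be delivered."""
    return SCRIPT_RE.sub("", html)


def screen(raw: bytes):
    """Run all layers over a raw RFC 5322 message; return (verdict, findings)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    trusted = sender_domain(msg) in ALLOWLIST_DOMAINS
    findings = inspect_attachments(msg, trusted)
    if findings:
        return "quarantine", findings
    body = msg.get_body(preferencelist=("html",))
    if body and SCRIPT_RE.search(body.get_content()):
        # Deliver with active content removed rather than rejecting the mail.
        return "deliver-scripts-disabled", [("body", "html script removed")]
    return "deliver", []


def build_sample(sender: str, filename: str, data: bytes, html: str = "") -> bytes:
    """Construct a test message (sample data, not a captured attack)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@corp.example", "Report"
    m.set_content("See attached.")
    if html:
        m.add_alternative(html, subtype="html")
    m.add_attachment(data, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    tiff_like = b"II*\x00" + b"\x00" * 16   # benign bytes with a TIFF header
    print(screen(build_sample("x@unknown.example", "report.docx", tiff_like)))
    print(screen(build_sample("a@partner.example", "scan.tif", tiff_like)))
    print(screen(build_sample("b@unknown.example", "note.pdf", b"%PDF-1.4\n",
                              "<p>hi</p><script>void 0</script>")))
```

The three sample messages exercise the three layers in turn: a disguised attachment from an unknown sender is quarantined, the same TIFF bytes under an honest name from an allowlisted partner are delivered, and a clean PDF with an HTML body containing a script is delivered with the script removed. The allowlist is what keeps the second case from becoming the false positive the paragraph warns about; in production the sender check would rest on SPF/DKIM results rather than the bare From header.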
Bottom line: As this particular exploit shows, you can’t assume that the software vendor will immediately issue a patch even after the problem is known. You can’t depend on your users to always remember not to click links and attachments even when they’ve been trained. You need to take steps to protect your network from email-borne threats if and when other measures fail. That’s what defense in depth is all about.