Every time we hear about another e-mail virus outbreak, it should
remind us of how easy it is to build software that's easy to use but
horribly insecure. E-mail viruses can be particularly upsetting when a
virus uses your address book to identify its next victims. Currently,
the primary solution for virus problems is some kind of content
scanning, whether it takes the form of an anti-virus product or another
tool that inspects the contents of data packets. But this solution works
only as long as your business isn't one of the early victims of the
virus. If you manage to escape infection in the first 24 hours, you're
likely to avoid serious trouble: Most anti-virus products that depend
on pattern recognition will be updated in that time frame, so you can
download the updates.

Unfortunately, content scanning is a totally reactive process. It's
like installing a better lock on the barn door after the horses have
run away. Certainly it prevents future problems, but that's cold
comfort when a virus has already slipped past your defenses. Even
worse, it involves only the inbound traffic to your system, and that's

I've wondered for a while if anyone would tackle the problem of
outbound traffic. Unless you work for an event promoter or some other
mass-marketing firm, it's unlikely you send messages to more than a few
dozen people, much less everyone in your address book. Anything else is
something your e-mail tool should bring to your attention, not unlike
the way the Postal Service requires that you bring large envelopes to
the post office counter.

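The outbound check the column is asking for, written out as an added Python example (this is not SyBard/Mail's code): a message addressed to more than a few dozen people, or a run of messages from one sender that sweeps through most of that sender's address book, gets flagged for a "do you really want to send this?" prompt. The thresholds, the time window and the address-book data are assumptions.

```python
from collections import defaultdict, deque
from email import message_from_string
from email.utils import getaddresses

# Thresholds are assumptions chosen to match the column's intuition, not
# SyBard/Mail settings: "a few dozen" recipients, and a burst that reaches
# half of the sender's address book inside a short window.
MAX_RECIPIENTS = 24
WINDOW_SECONDS = 300
ADDRESS_BOOK_FRACTION = 0.5


def recipients(raw_message):
    """Return the unique, lower-cased addresses in To, Cc and Bcc."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


class OutboundMonitor:
    """Per-sender view of outgoing mail; address_books maps sender -> contacts."""

    def __init__(self, address_books):
        self.books = {s: {a.lower() for a in book} for s, book in address_books.items()}
        self.history = defaultdict(deque)  # sender -> deque of (timestamp, recipient set)

    def check(self, sender, timestamp, raw_message):
        """Return the reasons this message deserves a confirmation prompt;
        an empty list means it looks like ordinary mail."""
        rcpts = recipients(raw_message)
        reasons = []
        if len(rcpts) > MAX_RECIPIENTS:
            reasons.append(f"{len(rcpts)} recipients on one message")
        # Slide the window: keep only this sender's messages from the last WINDOW_SECONDS.
        hist = self.history[sender]
        hist.append((timestamp, rcpts))
        while timestamp - hist[0][0] > WINDOW_SECONDS:
            hist.popleft()
        # A worm mailing one contact at a time never trips the per-message count,
        # but it does sweep through the address book quickly.
        book = self.books.get(sender, set())
        if book:
            reached = set().union(*(r for _, r in hist)) & book
            if len(reached) / len(book) >= ADDRESS_BOOK_FRACTION:
                reasons.append(f"{len(reached)}/{len(book)} address-book contacts "
                               f"reached within {WINDOW_SECONDS}s")
        return reasons
```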
Fortunately, help is on the way. Some really clever people at the
U.K.'s Defence Evaluation and Research Agency (DERA) unveiled at last
month's InfoSec 2001 conference an application called SyBard/Mail that
can alert you to suspicious outbound mail traffic. I can't wait to see
how the commercial version performs when it's available later this year.

By that time, DERA will have split into two parts: a Ministry of
Defence agency that will continue to focus on military requirements,
and a for-profit operation, QinetiQ, which might win my award for
Trickiest Name of the Year. Judging from the information on DERA's Web
site, QinetiQ is going to inherit SyBard/Mail with the rest of DERA's
SyBard Suite in the early summer when the split takes place. According
to reports in The Industry Standard, the price for SyBard/Mail should
run approximately $7 or $8 per seat for a 1,000-user license.

Obviously, the target market for SyBard/Mail is the millions of systems
running Microsoft Windows, because they are the most vulnerable to e-mail
viruses, thanks to holes in Microsoft's MAPI (Messaging API),
office productivity software, and operating systems.

SyBard/Mail will ship in three versions, starting with a lightweight
version that provides a basic check on outgoing mail. The midrange
solution will be a Professional version that will hook into the
advanced security features of Windows NT and Windows 2000 (and
presumably Windows XP) and will also include content-monitoring
capabilities. And for those who must have secure end-to-end
communications, SyBard/Mail's Advanced Security Option provides a
digitally signed control at the firewall. Overall, it should prove a
pretty formidable set of countermeasures.

Besides its welcome security aspect, SyBard/Mail appeals to me because
it essentially asks: "Do you really want to send this e-mail?" It would
also catch the e-mail sent "by accident," which has penetrated pop
culture to the point of becoming the subject of TV commercials. I admit
to one or two e-mails in my career that I'd like to retract, and I
imagine that many of you have similar stories that make you cringe when
you recall them.

Whether your concern is e-mail security or job security, SyBard/Mail
and the inevitable "me-too" products could make it a little safer to
use e-mail. Obviously, no product will eliminate the need for end-users
to exercise common sense, as I've discussed previously. But when an e-mail
virus gets through your perimeter, as one eventually will,
wouldn't it be nice to know that it's going to have a much harder time
getting out of the systems that do get infected? If one extra click per
e-mail is all it takes, I'm for it.