We previously had not only inspected attachments, but also restricted the types of attachments authorized to be delivered. We also had what is called Sender Policy Framework checking enabled, which verifies that senders are really who they say they are. When the email team migrated our email, they neglected to enable these critical security functions. And thus spam has become an issue of concern for me in 2013. Now, employees potentially could click attachments or links and execute malicious programs.
Luckily our endpoint protection software prevented most of the attachments from causing harm, but there wasn't 100% detection. As a result, I'm having my security team analyze the suspicious email attachments and links that have been identified and build rules in our security incident and event management tool to look for evidence that employees have clicked on any of them or downloaded nefarious software.
We have also recently enabled a really cool feature within our Palo Alto Networks firewalls called Wildfire, which redirects executable files to a secured sandbox, where it evaluates the program to determine whether it is malicious. Unfortunately, since this is a new functionality, we're simply monitoring the events and haven't yet enabled blocking.
We've had to take action a couple of times, but we've been lucky so far. For example, one attachment that was executed by several employees proved upon evaluation to be programmed to reach out to a server in China to download additional software. Luckily, the server in China had been taken down.
Now, we have to continue to monitor for suspicious activity, and I need to ensure that our current email architecture is deployed in a secure manner.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Join in the discussions about security! computerworld.com/blogs/security
Read more about security in Computerworld's Security Topic Center.