by Orlando Scott-Cowley
As the torrent of malicious content and spam moved away from our enterprise inboxes to more consumer and social platforms, we were perhaps lulled into a false sense that we’d finally beaten the spam problem.
But this simply isn’t the case. The risks to our enterprise inboxes and data have morphed into more harmful and effective security threats.
Forrester and Mimecast Webinar ‘Protecting Against Targeted Attacks’ – join us next Tuesday, September 30th, at 10am Eastern (1500 UK, 1600 RSA). Register free here: http://mim.ec/Zdm7qY
Spear-phishing, or targeted attacks by email, is the next generation of threat our IT teams are scrambling to deal with. Plus, as more high profile security breaches hit the headlines, where spear-phishing is often the initial point of entry, it’s a threat that has got the attention of the C-suite.
So Mimecast is hosting another webinar in our series of ‘Expert Webinars’ to share essential advice on how to protect your business against spear-phishing and targeted attacks - the webinar is next Tuesday, September 30th, at 1000 Eastern (1500 UK, 1600 RSA) and you can register for free here.
I’ll be joined by two industry experts: Rick Holland, the well-known Forrester Research analyst and IT security commentator, and Steven Malone, Mimecast’s own Security Product Manager.
Spear-phishers are specifically targeting you and your business in an effort to steal your intellectual property, customer lists, credit card databases and corporate secrets.
Whereas old-style phishing was a scattergun attack, spear-phishing is specifically targeted at a handful of individuals within a business. The attackers research their targets over many months, often using social media platforms to gain useful information about you. Like phishing, email is the main attack vector for spear-phishing, with well-crafted, socially engineered emails being the tool of choice.
During the webinar we’ll be discussing the biggest threats and most dangerous attack tactics, recent high-profile case studies, the real-life cost of attacks, and the practical steps you can take to protect and educate your users.
Do leave a comment under this post or @reply me at @orlando_sc if you’ve any particular areas you want us to cover next week.
by Orlando Scott-Cowley
It’s been years in the making and has had its fair share of media hype, but according to Gartner’s August ‘Hype Cycle Special Report for 2014’ the concept of Big Data has now entered its aptly named ‘Trough of Disillusionment’.
And it’s not Gartner alone. Talk to industry stalwarts and a clear message comes back – the honeymoon is over. No longer is it a positive buzzword in meeting rooms. It’s becoming tangible…real people with real salaries and real job titles are now associated with the discipline of managing and making the most of a company’s big (or small) data, both locally and in the cloud.
We’ve come to realize there are a number of opportunities for big data and its management, as outlined in IBM’s August report titled ‘The New Hero of Big Data and Analytics’. In it, a new C-suite role is outlined, along with five areas in which a Chief Data Officer (CDO) can optimize and innovate:
- Leverage: finding ways to use existing data.
- Enrichment: existing data is joined up with previously inaccessible (fragmented) data either internal or external.
- Monetization: using data to find new revenue streams.
- Protection: ensuring data privacy and security, usually in collaboration with the Chief Information Security Officer.
- Upkeep: managing the health of the data under governance.
It’s a great list of general outcomes for those who manage data to plan around over the coming years, but what might be even more useful is a planning framework to help develop these plans now.
Obviously this framework will evolve, and to some extent there will be a degree of trial and error as organizations try to wrangle increasingly large data-sets. But I thought it’d be useful to make some suggestions for considerations against these outcomes. So I’ve come up with some key questions to gather information to help in the CDO’s strategic planning. Answering yes to most, if not all, of these questions is a good indication that a CDO in your organization would have a beneficial business impact.
- People: as mentioned in IBM’s report – is the CDO’s office a guiding, enforcing authority? Is the office fully aligned to the business and scalable? Are the skills available appropriate? Is the business giving the CDO authority or permission to operate?
- Compliance: not just with regional and industry regulation but with the company culture.
- Intelligence: how can the right information reach the right people in a digestible form that catches their attention? Does the information remain useful throughout its lifecycle?
- CIA: Confidentiality, Integrity and Availability, the three cornerstones of any information security policy, are no less important here. Can your CDO guarantee the confidentiality, integrity and availability of the data, and does the CDO have board-level authority to do so?
- Technology: which technology providers can help support these outcomes today, and well into the future? Does the chosen technology scale in line with the parabolic growth of data, or is it linear or worse, unpredictable?
It’s by no means a definitive list, but we hope it helps stimulate the conversation around this emerging discipline of curating data to a commercial end. I look forward to sharing ideas with our customers and partners on this over the next few months. And as always, I’d appreciate any comments under this post.
by Orlando Scott-Cowley
The mail you want, but just not right now. Seems like an odd way to talk about email, either you want it or you don’t. For years we’ve been talking about the unwanted types of email, like spam, that have grown to be a pest, but which have largely been dealt with by effective anti-spam services; but now there’s a less distinct line between good and bad as far as our users are concerned. The email that sits in this middle ground has become known as graymail.
Mimecast’s new Graymail Control automatically categorizes graymail and moves it to a separate folder – allowing end users to review the messages at their leisure and keeping the inbox optimized.
More specifically, graymail is email like newsletters, notifications and marketing email: the types of marketing email you are bombarded with after you buy something online or use your email address to sign up for something. Normally you are opted in to these marketing emails unless you manage to spot the often well-hidden opt-out tick box. These emails are initially interesting, but grow tiresome quickly.
You’re unlikely to want them all in your inbox right now, but somewhere else that makes them easier to read later. Many consumer grade email providers offer a way of categorizing graymail, such as Gmail’s Primary Inbox and Promotions tabs.
Graymail isn’t new. The idea was first suggested by Microsoft researchers in 2007, at the now defunct CEAS conference. Graymail, or Gray Mail as it was called then, was defined as messages that could be considered either spam or good. It’s fair to say many end users consider newsletters that they opted-in to, mostly unknowingly, as spam even though they could easily unsubscribe from the sender’s distribution lists.
Graymail is also described by the term “Bacn” (as in bacon). The term Bacn is thought to have been coined at PodCamp Pittsburgh 2, as a way to differentiate between spam, ham and bacn in your inbox.
The unwillingness of end users to unsubscribe, or understand the problem as being somewhat self-inflicted, has led many enterprise IT teams to look for a solution. As a provider of email security services, Mimecast’s Threat Operations and Spam teams know first-hand how users are inclined to report bacn or graymail as spam email. A large percentage of the email submitted to Mimecast for analysis as spam is in fact legitimate marketing email with valid unsubscribe links.
It has become increasingly obvious that end users will continue to be frustrated by this graymail problem. The most straightforward solution is stemming the flow in such a way that keeps an enterprise inbox free of bacn so legitimate business-related emails take priority. Mimecast’s new Graymail Control provides this capability, by automatically categorizing graymail and moving it off to a separate folder – allowing your end users to review the messages at their leisure and keeping the inbox optimized.
If you’d like to find out more technical detail about how to configure Mimecast’s Graymail Control please visit our Knowledge Base article here.
by Orlando Scott-Cowley
eBay seems to be coping with the hack of its user database. Weeks on from the announcement that its user database had been breached, we’re seeing millions of users change their passwords after receiving notifications from the online auction giant.
If you missed the news, around 145 million eBay users had their email addresses and encrypted passwords stolen when one of eBay’s databases was breached.
We now know that hackers were able to gain access to the user database by compromising three corporate eBay employees and using their credentials to access the eBay network. eBay has also told us that it believes there was no customer data compromised initially, but gives little more information than that.
We can speculate that the attack was most likely perpetrated through a targeted attack in email or a spear phishing attack. If this is right, the corporate employees of eBay who had their credentials compromised would have been sent a link in an email that tricked them into giving away their user details. We don’t yet know if those credentials were eBay’s website username and passwords or if they were network or corporate credentials.
Spear phishing and targeted attacks have become the de facto attack vector for any attacker trying to compromise an enterprise. Attackers know that most organizations have been lulled into a false sense of security regarding spear phishing, thinking that their existing legacy anti-spam and anti-virus systems protect them from it. While it would be true to say the majority of Secure Email Gateway vendors have started to build in protections for spear phishing, we also know that all the recent major and most public breaches have successfully snuck past major security vendors.
This week brings another personal data compromise. Office, a UK shoe retailer has admitted that its website has been compromised to the extent that customer personal data has been stolen. Office is asking all its customers to change their passwords.
Office and eBay are both quick to point out that no “financial information” was stolen. While this seems to be the case, stealing personal data, as in the Office hack, may give the attackers enough information to allow them to steal your identity. Once you lose that, you risk losing that key financial information.
The CIOs and CISOs I talk to are generally worried; none of them want to be the next big breach. They all understand the risks associated with spear phishing and are all trying to educate their users, but many worry constantly about those few users who still click the link in the email, or enter their user credentials in mystery websites.
Protecting against this human risk is a much tougher task, and until we solve that, these big breaches will continue. It’s why new security technology to counter spear phishing like our Targeted Threat Protection service must be combined with effective user monitoring and education if we are to successfully counter this growing threat to our organizations.