eMail and Web Browsers, the blind side of IT Security.

Posted on December 11, 2015


Addiction is the mother of all evils; something not confined to controlled substances and individuals, but also to corporations and commonly adopted practices. As with any addict, denial is a common trait… And in this instance I am not talking about Social Media 😉

“I don’t click on unknown emails or browse dodgy websites, it’s not my fault it got on my system, I am always so careful?”

If there was a backing track to such exclamations, it would likely be saying something along the lines of ‘Another one bites the dust!’ resounding in that timeless rhythmic bass of ‘Killer Queen’ by the self-same Queen. The depth and frequency of the beat is as resonant as the Cyber and Data security problems introduced by email and Web browsers into corporate environments and the world of IT, impacting business every minute of the day.

As predictable as the sun’s daily progression, more computer users and systems are and will fall foul of malware delivered to the desk via email. Worse still, hackers can rely on email as a veritable electronic front door to their targets, standing wedged open. Corporates and consumers will experience a degradation of brand, shareholder and personal value as a result of data compromises, and banks will continue to haemorrhage money due to email. Not to mention loss of privacy and in some cases identity, with life-debilitating consequences for individuals impacted by the health industry’s poor security record (Healthcare Industry: In Need of Security Medicine) and fallout on National Infrastructure (UK critical infrastructure at risk of cyber attack says IET report), due to email and/or web browsers.

As for the pronouncement of innocence and shock, by individuals and IT departments alike, on the discovery of a malware infection or data compromise, I would call them out as blind fools to the obvious and inevitable.

I think it was Einstein who eloquently quoted insanity as ‘Doing the same thing over and over and expecting different results’.

The overwhelming majority of malware and system compromises get onto and are transmitted between PCs through user interactions via email. Yes, there are other ways malware can get onto systems, such as a malicious web page or spreading like a worm/virus across devices connected to the same local area network. However, the latter web-browser or network-carrier scenario is invariably a stage 2 event: a direct consequence of user intransigence in following basic sanitary practices when handling events relating predominantly to email.

For completeness, there is always the outside chance that your horrified victim will profess to be, or more unlikely actually be, the target of a cunningly crafted attack tailored specifically at them, known as ‘Whaling’. Unlikely, unless they are one of a limited class of target who could warrant a premium investment-focused attack by a hacker or attract the attention of a nation state operator. In general the victims fall foul of a more mundane, broad-spectrum, impersonal attack of the most common order via spam email. Which makes it all the more inconceivable that email is still tolerated.

In every other industry where criminal activity or safety issues arise they are stamped out. So why not in IT?

It is little more than legacy traction that is stopping IT from simply taking email around the back of the building, shooting the damn thing in the head and burying it. If it was invented today it would get questionable adoption due to its high risk exposure. After all, email servers by their very nature have to be connected to a public network and are full of the juiciest morsels known to hackers: from emailed password and financial information to personally identifiable information records and corporate intellectual property. Madness!

The bottom line is the ubiquitous user is not sufficiently disciplined to protect themselves and/or their families or the organisations they work for when using email, or a web browser for that matter. They click on things they should not and thereby invite the scourge on themselves and potentially anyone on a shared network. Corporates will lambast and even sack users for such off-roading, but still allow the conduit, email, to persist. All they are doing is proactively inviting the inevitable by handing their users the keys to systems they demonstrate on a daily basis they cannot be trusted to use safely.

I would go as far as to say that, irrespective of anything written in an employment contract to the effect that a user could be sacked for clicking on a malicious email, the Company is in fact complicit in permitting such a compromisable channel of communications in the hands of employees in the first place!

So Big Co, what do you expect if you put a gun in the hands of a child? Forget gun, more like a hand grenade with the pin already removed. If you are lucky the ‘innocent’ will relax their grip in isolation from others and only harm themselves. You cannot afford to be betting your future security, brand credibility or customer reputation on such blind luck. But that is what businesses and individuals do every time they fire up an email client or web browser; it’s Russian Roulette without an empty chamber.

Web browsers and email clients are the attack surface, the front and back doors into your houses through which hackers, hacktivists, criminals and yes, nation states fire their digital weapons. Let me put this in context: a recent cursory audit of my home router showed a veritable deluge of attacks. In my case they are thwarted because I take proactive measures; I have double-stacked firewalls and folded network address translation with active network packet scanning in the gap, and a family who are mentored … frequently! The average small business and many large companies place too much reliance on their firewalls alone. Take 1 minute to review the Virus Calendar on the McAfee site to see the daily proliferation of new viruses. NEW. The compounding effect of this is staggering, and those are just the ones that are discovered, and most are launched at users through email and therefore get through corporate firewall systems. Yes, you read that right: they get through the corporate firewall and hit their mail servers. So any NEW malware targeting a zero-day exploit on that mail server will compromise that server. The owning organization will be completely blind to the threat.

So why do we persist with email? Doesn’t sound such a daft question in this context. There are safer equivalents, so why don’t we use them? Instead we continue tap dancing in the minefield whilst playing catch with grenades on an unpredictable fuse.

The latest flavour of the month for the criminal hackers is ransomware. Instead of merely stealing personal information or destabilizing a PC, this new type of malware is far more malicious. It encrypts data so it cannot be recovered without payment of a ransom; then in some cases the ransoms are never honoured or, even more perversely, they decrypt one file at a time, which can take days if not weeks, or months, to recover large batches of files. A single user can end up compromising all the data they have access to on their company or home systems. Even backups in the cloud are not safe. Linux and Mac OSX are just as exposed as Windows to this, so there is no hiding.

A user or corporate compromised by malware invited into their world through email should be ashamed of themselves for inviting the inevitable into their midst, followed by frustration that they persist in supporting this compromised technology.

It is time we confessed to the email addiction. It is the only conclusion I can come to. Addiction, because the facts speak for themselves: we are persisting with a detrimental behaviour that is the conduit for untold damage until stopped, or it kills. That doesn’t worry me so much if the fallout can be confined to the party inviting the compromise, but the sad reality is that collateral fallout is almost inevitable on those caught up in an addict’s slipstream. Be that employees sacked for use of a tool not fit for purpose, or customers whose data is compromised due to a successful hacking attack via email. Or even worse, larger groups of people falling victim to an industrial accident as a result of the failure of some class of industrial control system. The business needs to start looking at alternatives, because we have tried patching and reinforcing with partial solutions in a failed attempt to secure email with NO lasting success.

We need as an industry and individuals to start the detoxing process and adopt more secure, controlled and appropriate ways of engaging instead of via email.

eMail – It is an inappropriate and outmoded application. It represents a data jail for knowledge sharing, a shockingly inefficient medium for digital conversations and even worse for document collaboration. It is the most successful and reliably rewarding attack surface of choice for hackers since the dawn of the Internet. Yet we still persist with it!

Then there are Web Browsers – We could launch space ships or, more prudently, feed starving nations with the budgets companies waste on supporting this archaic, fragmented, standards-based application medium. Yes, Hypertext Markup Language launched us into the digital information age and the ecommerce revolution, social media being the latest wave. But a new dawn has been rising for some time, as more users defer to mobile apps over the traditional web browser.

One ball I suggest could be put in play to start a behavioural change, or at least stir discussion: the insurance industry could start to exclude any payments for an IT loss to individuals or organizations if it can be traced back to malware introduced through email or a web browser. If I had my way I would go further and state that any use of email or web browsers would exclude certain types of cover, or raise premiums to penury levels of cost that would validate organizations investing in change.

Or perhaps start EA (eMail Anonymous) for companies wishing to detox and come off email!

With Christmas just round the corner, we are entering a veritable storm of malicious emails dressed up as delivery confirmations and the like. So watch out or you may find more than you counted on in your virtual stocking!
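The seasonal ‘delivery confirmation’ lure described above, together with the earlier point that emailed malware sails through the perimeter firewall and has to be caught at the mail gateway itself, can be illustrated with a small triage check. This is an added example written for this post, not the author’s own setup or any product’s code; the two sample messages, the placeholder `.invalid` domains, and the blocked-extension and lure-keyword lists are all constructed assumptions.

```python
"""Added example: a minimal mail-gateway triage check for 'delivery
confirmation' lures carrying executable attachments. Illustrative code
written for this post, not the author's setup. The messages, domains and
policy lists below are constructed placeholders."""
import email
from email import policy
from email.utils import parseaddr

# Attachment types a gateway would quarantine outright (assumed policy list).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".hta"}
# Wording typical of parcel-delivery lures (assumed keyword list).
LURE_WORDS = ("delivery", "parcel", "shipment", "tracking", "invoice")

# Constructed lure: courier-style display name, executable hidden behind a
# double extension, Reply-To pointing at a different domain than From.
SAMPLE_RAW = """\
From: "Parcel Delivery Service" <notice@example-lure.invalid>
Reply-To: tracking@example-other.invalid
To: user@example.com
Subject: Delivery confirmation - parcel could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your parcel could not be delivered. Open the attached tracking document.
--b1
Content-Type: application/octet-stream; name="tracking_details.pdf.exe"
Content-Disposition: attachment; filename="tracking_details.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed benign message for contrast.
BENIGN_RAW = """\
From: "Alice" <alice@example.com>
To: user@example.com
Subject: Lunch tomorrow?
MIME-Version: 1.0
Content-Type: text/plain

Still on for 12:30?
"""


def _extensions(filename: str) -> list:
    """Split 'report.pdf.exe' into ['.pdf', '.exe'] (lower-cased)."""
    stem, exts = filename.lower(), []
    while "." in stem:
        stem, ext = stem.rsplit(".", 1)
        exts.insert(0, "." + ext)
    return exts


def triage(raw: str) -> dict:
    """Return the verdict and findings a gateway rule would record for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Attachments: blocked executable types and double-extension disguises.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        exts = _extensions(name)
        if exts and exts[-1] in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        if len(exts) > 1:
            findings.append(f"double extension: {name}")

    # 2. Courier-style lure wording in the subject (soft signal).
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in LURE_WORDS):
        findings.append("delivery-lure wording in subject")

    # 3. Reply-To domain differs from From domain (soft signal).
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg["Reply-To"] or "")[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain mismatch: {from_domain} vs {reply_domain}")

    # Quarantine on any hard block, or when two or more soft signals stack up.
    hard = any(f.startswith("blocked") for f in findings)
    verdict = "quarantine" if hard or len(findings) >= 2 else "deliver"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    print(triage(SAMPLE_RAW))
    print(triage(BENIGN_RAW))
```

The point of the check is where it sits: it runs on the mail gateway, after the perimeter firewall has already passed the SMTP traffic, which is exactly the gap the post describes. The hard block on executable attachment types is the rule that does the real work; the subject wording and Reply-To mismatch are only corroborating signals and are deliberately not enough on their own.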