I’ve seen a number of people and blogs address the recent breaches at some large ESPs and make recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists. These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.
Time for a real security response
You are absolutely right about hardening of systems to prevent further breaches, those are the root causes alright. But our suggestions are for what the industry must do moving forward, so that receivers can protect end users from the inevitable spear-phishing that is going to come from this, and so senders can help them parse real, from fake mail.
Hardening is a given if you will. It is ‘duh’. It is industry standard elsewhere for the same data; time for all mail senders to treat it the same way. In the U.S. email addresses aren’t PII. They are, by jurisprudence, in Canada. I wonder how that leaves Best Buy Canada (who were ripped off) exposed.
I’m not sure “hardening is a given” or a “duh.” From http://www.databreaches.net/?p=17340
“After the incident last year, Walgreens requested that Epsilon put a number additional security measures in place. Apparently, that expectation was not fully met.”
I suspect you are correct. Most organizations have poor security practices. But do we know what happened in this case (i.e. what was the exploit)?
How else can we respond after a statement like that, but DUH!?
So what do you guys think of encryption? 2-factor authentication? (clearly there are policy matters like who has access to what that need to be explored; I’m told by a little bird that in the not-too-distant past, a ton of staffers would have had enough access to make them a viable target @epsilon, hopefully that has changed.)
Two factor authentication can be a useful tool in many cases. But as I hinted at in the other blog post today it’s not a magic bullet, and can significantly decrease security in some situations.
Encryption is much the same. It can be useful, but if it’s implemented by someone who doesn’t understand both cryptography and system level security it can easily leave you with a setup that’s not significantly more secure, while being less robust against day-to-day operational failures.
Any approach that concentrates on a technological magic bullet rather than a well engineered response to a realistic attack tree is probably more about window dressing or compliance than it is about actual data security.
Companies with sensitive data would be well-advised to conduct regular security assessments and policy reviews. At least some of the assessments should be conducted by external parties.
Laura:
I think you hit the nail on the proverbial head regarding limiting employee access. It probably is not possible to prevent every security fail, or even every human fail. It is possible to preemptively mitigate the damage if (or when) one should occur.
You write that “Not everyone inside an ESP needs access to address lists.” I would take this a step further and say that regarding those employees who actually do need access to address lists, any access should be limited to the least possible access privileges that would still enable them to do their job.
If the compromise of a single employee’s credentials (or even the credentials of a small handful of employees) is enough to cause massive data lossage to outside parties, it’s not a fail waiting to happen, it’s already an epic fail. (IMHO)
Neil:
Regarding email addresses as PII…. even for US-based clients, if the client’s customer/subscriber/etc. is Canadian, or if their email is hosted on Canadian servers, I wonder how that would impact things. (I can take a wild guess, but you probably know a bit more about the Canadian privacy implications than I do.)
[…] you start looking, you quickly find that these breaches occur with depressing regularity. As Laura Atkins points out, the problem is systemic in the ESP industry: “ESPs do not have sufficient security in place to […]
[…] compromises and their lack of security Apr 6, 2011 Over at Word to the Wise, Laura Atkins has a post up where she talks about the real problem with ESPs and their lack of […]
[…] ESPs are under attack and being tested. But I’m not sure much progress in handling and responding to the attacks has been made since the Return Path warning or the Epsilon compromise. […]