Time for a real security response

I’ve seen a number of people and blogs address the recent breaches at some large ESPs make recommendations on how to fix things. Most of them are so far from right they’re not even wrong.
One group is pointing at consumers and insisting consumers be taught to secure their machines. But consumers weren’t compromised here.
Another group is pointing to senders and insisting senders start authenticating all their email. But the failure wasn’t in authentication and some of the mail is coming through the ESP systems and is authenticated.
Still others are claiming that ISPs need to step up their filtering. But the problem wasn’t with the ISPs letting too much email through.
The other thing that’s been interesting is to watch groups jump on this issue to promote their pet best practices. DKIM proponents are insisting everyone sign email with DKIM. Extended SSL proponents are insisting everyone use extended SSL. But the problem wasn’t with unsigned email or website trust.
All of these solutions fail to address the underlying issue:
ESPs do not have sufficient security in place to prevent hackers from getting into their systems and stealing their customers’ data.
ESPs must address real security issues. Not security issues with sending mail, but restricting the ability of hackers to get into their systems. This includes employee training as well as hardening of systems. These are valuable databases that can be compromised by getting someone inside support to click on a phish link.
Not everyone inside an ESP needs access to address lists. Not everyone inside an ESP customer needs full access to address lists. ESPs must implement controls on who can touch, modify, or download address lists.  These controls must address technical attacks, spear phishing attacks and social engineering attacks.
What’s happening here actually looks a lot like the Comodo certificate attack or the RSA compromise.
It’s time for the ESP industry to step up and start taking system security seriously.

Related Posts

Phishing protection

Last week Return Path announced a new service: Domain Assurance. This service allows companies who send only authenticated email to protect their brand from phishing attacks. Participating ISPs will reject unauthenticated email from domains participating in this program.

Read More

Is your data secure?

Not just secure from outside forces, but also secure from employees?
In a recent survey published by Help Net Security, approximately half of all employees said they would take data, including customer data, when leaving a job.
This has major implications for ESPs, where employees have access to customer data and mailing lists. There are at least 2 cases that I am aware of where employees have walked out of a company with customer mailing lists, and I’m sure there are other incidents.
ESPs should take action to prevent employees from stealing customer data.

Read More

Domain Assurance by Return Path

As often happens during MAAWG, email companies are announcing new products. One of the interesting ones is the new Domain Assurance product from Return Path.

Read More