Are you ready for the next attack?

ESPs are under attack and being tested. But I’m not sure much progress in handling and responding to the attacks has been made since the Return Path warning or the Epsilon compromise.
Last week a number of email marketers became aware that attacks against ESPs and senders were ongoing. The shock and surprise many people exhibited prompted my Spear Phishing post on Friday.
The first round of phishing went out on Wednesday; by Friday the messages were coming from a different ESP. Whether that was a compromised ESP customer or a compromised employee doesn't matter. ESPs should have reaction plans in place to deal with these threats.
It’s been months since the first attacks. This is more than enough time to have implemented some response to reports of attacks. Yet, many people I talked to last week had no idea what they should or could be doing to protect themselves and their customers.
Last time the attacks were publicly discussed I was frustrated with many of the “how to respond” posts because few of them seemed to address the real issue. People seemed to be pushing agendas that had nothing to do with actually fixing the security holes. There were lots of recommendations to sign all mail with DKIM, implement 2 factor authentication, deploy validation certificates on web properties, or adhere to sender’s best practices.
None of those recommendations actually addressed the gaping security hole: Humans.

Criminals aren’t just hacking networks. They’re hacking us, the employees.
“The security gap is end users,” says Kevin Mandia, chief executive of security firm Mandiant Corp. The majority of corporate security breaches his firm is currently investigating involve hackers who gained access to company networks by exploiting well-intentioned employees. (Geoffrey Fowler, WSJ)

An effective response to attacks must include improving employee and customer security. We cannot fix compromises by simply improving authentication, or buying access to pretty colored browser bars. We must teach users to think about security first when they get an unexpected email.
An effective response to attacks must include technical solutions that scan incoming mail for malware and phishing. We cannot rely solely on users not clicking on links, no matter how well trained and security minded they are.
An effective response to attacks must include technical solutions that scan outgoing mail for malware and phishing. If our systems are compromised, we must minimize the attacker's ability to use them to attack others.
An effective response to attacks must include mail clients and other software that resist malware and handle hostile traffic safely. We must acknowledge that attackers will find any hole in an operating system or application. More secure software is one way to protect our systems from attack.
An effective response to attacks must include clear reporting channels inside an organization. Employees who think they have received a phishing or malware email must know whom to inform. Once an attack is verified, specific responses should be activated, everyone notified, and outgoing traffic monitored.
An effective response to attacks means security must be drilled into every employee. Employees should never use cloud storage or webmail to bypass filters or to reach resources the firewall prohibits.
An effective response to attacks doesn’t mean the end to compromise attempts. It does mean fewer attempts succeed.
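As an added example of the kind of mail scanning described above (this is not code from the original post or from any ESP's filter), the script below parses a message with the Python standard library and flags three common spear-phishing indicators: attachments with executable extensions, HTML links whose visible text names a different host than the href actually points to, and a Reply-To domain that differs from the From domain. The indicator list, the blocked-extension set and the sample message are all assumptions made for the example; the message content is constructed and the domains are fictitious.

```python
"""Flag spear-phishing indicators in an RFC 5322 message (added example)."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a mail gateway would normally block outright (assumed list).
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare hostnames are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def scan_message(raw):
    """Return a list of human-readable findings for the message text `raw`."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Attachments whose file name ends in an executable extension.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        for ext in DANGEROUS_EXTENSIONS:
            if name.endswith(ext):
                findings.append(f"executable attachment: {name}")

    # 2. Links whose visible text looks like a URL for a different host
    #    than the one the href really leads to (classic phishing trick).
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = _LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            shown = _host(text) if ("." in text and " " not in text) else ""
            if shown and shown != _host(href):
                findings.append(f"link text {text!r} points to {_host(href)}")

    # 3. Reply-To on a different domain than From: replies go to the attacker.
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    reply_domain = _domain(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


def build_sample():
    """Construct a sample spear-phishing message (made-up content and domains)."""
    m = EmailMessage()
    m["From"] = "ESP Support <support@esp.example>"
    m["Reply-To"] = "support@esp-login.example"
    m["To"] = "marketing@customer.example"
    m["Subject"] = "Action required: confirm your account"
    m.set_content("Please confirm your account at https://esp.example/login")
    m.add_alternative(
        '<p>Please visit <a href="http://esp-login.example/confirm">'
        "https://esp.example/login</a> to confirm your account.</p>",
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="statement.pdf.exe")
    return m.as_string()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

The same function can be run over outbound mail from a sending platform, which is where a compromised customer account shows up first: a sudden rise in findings from one account is a usable trigger for the monitoring the response plan calls for.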

Related Posts

The weak link in security

Terry Zink posts about the biggest problem with security: human errors. Everyone who is looking at security needs to think about the human factor. And how people can deliberately or accidentally subvert security.


New security focused services

Steve’s been busy this week working on some new products.
You can see the first at Did Company Leak? This is a neat little hack that looks at social media reports to see if there are reports of leaks, breaches or hacks and gives you a list of tweets that reference them. And, yes, I did really receive spam to two addresses stolen from iContact customers today.


First spam to Epsilon leaked address

This morning I received the first spam to the address of mine that was compromised during the Epsilon compromise back in April. Actually, I received two of them. One was the “standard” Adobe phish email. The other was similar but referenced Limewire instead of Adobe.
