Worst Security Problem: Attachments

Security policies and education aren't enough

Want to ruin a security manager’s day? Open an attachment—any unknown attachment will do.

According to a written survey of 200 IT and security managers conducted by WatchGuard Technologies at this year's RSA Conference, about half of the respondents say the worst security offense a user can commit is opening an unknown attachment.

Opening an unknown attachment is, of course, exactly what launches macro viruses embedded in Microsoft Word and Excel documents, as well as worms and Trojan horse software. Given how common viruses and worms are, it is obvious that many users do double-click that attachment. In fact, about 80 percent of respondents said a virus had gotten loose on their network within the last year, and many of those incidents trace back to an ill-advised click on an attachment.

Of course, if organizations simply adjusted their security policies to prohibit opening unknown attachments, or to require that IT inspect them first, and then educated users, the problem would go away, right?

Not so fast. A separate WatchGuard poll gauged policy effectiveness by asking 200 IT managers at small and medium-sized businesses whether their users actually follow corporate security policies.

Unfortunately, while half of users adhere to the security policy, about a third do so only when it suits them. Worse, 12 percent obey policies only "by chance," and three percent ignore them altogether.

The results, while limited, call into question how much training can accomplish with users who do as they please. "These findings suggest that trying to enforce security policies only through behavior modification is a risky proposition," notes Mark Stevens, chief strategy officer at WatchGuard.

How can security managers stop users from opening attachments? One survey respondent suggested "electromagnetic shock via a USB port device," but human resources probably won't buy into that. A better suggestion: block suspect files at the firewall. If the file attached to an "I love you" e-mail never reaches the inbox, the user never gets the chance to open it.

How to do that? Many firewalls can be configured, via SMTP filtering, to reject attachments based on their file extension. Other products, such as those from Cisco, Check Point, and WatchGuard, can block not only suspect file extensions but also suspicious traffic, based on its behavior. Such tools can catch some so-called "zero-day exploits": attacks for which no antivirus or intrusion-detection signature, and no software or hardware patch, yet exists. One caveat for extension-based filtering: a match on the name alone is easy to fool. A filter that looks only at the first extension will miss a double extension such as .TXT.vbs, and one that checks only the Content-Disposition header will miss a different name supplied in the Content-Type header, so the filter should examine every name the attachment carries and resolve the extension the way the user's desktop will.

Another trick respondents noted for keeping viruses and worms out of the enterprise: set Outlook's or Outlook Express's security settings so that suspect files cannot be saved or opened. This blocks a number of file types outright; Microsoft maintains the precise list. Administrators of Exchange Server can also customize the policy and unblock specific file types if the business needs them.
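The following is an added example, not code from the article or from any of the vendors it names, of the gateway-side attachment filter described above. It parses a MIME message, checks every name each attachment carries against a block list, and resolves the extension the way Windows will (last extension, trailing spaces and dots ignored), so that the double-extension and mismatched-header tricks discussed above are caught. The block list is an assumed subset of Microsoft's Outlook "Level 1" list, the executable MIME types are an assumed addition, and the sample message is constructed here for the test.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import collapse_rfc2231_value

# Assumed subset of the extensions Outlook blocks outright (Microsoft's
# "Level 1" list); the authoritative list is Microsoft's, not this one.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "reg", "lnk", "msi",
}

# Assumed set of MIME types that announce executable content even when
# the attachment name looks benign.
BLOCKED_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/hta",
}


def normalize_name(name):
    """Windows ignores trailing spaces and dots when opening a file, so
    'readme.exe .' is launched as readme.exe; normalise before matching."""
    return name.strip().rstrip(" .").lower()


def extension_of(name):
    """Last extension of the normalised name, or '' if there is none.
    Only the last one matters: 'x.TXT.vbs' opens as a VBScript file."""
    base = normalize_name(name)
    return base.rsplit(".", 1)[1].strip() if "." in base else ""


def attachment_names(part):
    """Every name a part advertises. A sender can put different names in
    Content-Disposition and Content-Type, so a filter must check both."""
    names = set()
    disp_name = part.get_filename()  # Content-Disposition, then Content-Type
    if disp_name:
        names.add(disp_name)
    ct_name = part.get_param("name", None, "content-type")
    if ct_name is not None:
        names.add(collapse_rfc2231_value(ct_name).strip())
    return names


def classify_attachment(part, names):
    """Reasons to block this part; an empty list means it passes."""
    reasons = []
    for name in sorted(names):
        ext = extension_of(name)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"name {name!r} resolves to blocked extension .{ext}")
    ctype = part.get_content_type()
    if ctype in BLOCKED_CONTENT_TYPES:
        reasons.append(f"content type {ctype} is an executable type")
    return reasons


def scan_message(raw):
    """Return [(label, reasons)] for every attachment in a raw RFC 822 message.
    Archives are not opened here; a production gateway would also unpack .zip."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        names = attachment_names(part)
        if not names and not part.is_attachment():
            continue  # plain body text, not an attachment
        label = part.get_filename() or part.get_content_type()
        findings.append((label, classify_attachment(part, names)))
    return findings


def should_reject(raw):
    """Gateway decision: reject the whole message if any attachment is blocked."""
    return any(reasons for _, reasons in scan_message(raw))


def build_sample_message():
    """Constructed test message (not real traffic) with one benign and
    three suspect attachments in the style of the 2000 'I love you' worm."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("kindly check the attached LOVELETTER coming from me.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    # Double extension: the visible '.TXT' hides the real '.vbs'.
    msg.add_attachment(b"MsgBox \"hello\"", maintype="application",
                       subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.TXT.vbs")
    # Trailing ' .' that Windows strips, plus an executable MIME type.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="x-msdownload", filename="readme.exe .")
    # Harmless Content-Disposition name, executable Content-Type name.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="notes.txt",
                       params={"name": "notes.exe"})
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for label, reasons in scan_message(raw):
        print(f"{label!r}: {'BLOCK: ' + '; '.join(reasons) if reasons else 'allow'}")
    print("reject message:", should_reject(raw))
```

Run stand-alone, the script reports report.pdf as allowed and the other three attachments as blocked, so the message is rejected. The design point is that the filter never trusts a single header field or the first extension it sees; it collects every name, normalises each the way the target operating system will, and blocks on the result.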

Those approaches won't solve every problem: files can still arrive via peer-to-peer file sharing or personal e-mail, for example. But by keeping many suspect attachments from ever reaching end users' computers, security managers reduce the chance of a virus or worm getting loose on the corporate network.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, and he is a long-time contributor to the company's print publications. Mr. Schwartz is also a freelance writer covering security and technology.