Note: This article originally appeared at http://www.messagesystems.com/wordpress/?p=84
Anyone who follows the email marketing industry news is no doubt aware of the increasing number of well-publicized data breaches that have been occurring at the various major ESPs. In addition to the major ESPs, there are no doubt a number of less-publicized or even non-publicized data breaches occurring all the time at both smaller ESPs and in-house enterprise senders. The days when most of us in the email industry could watch from the sidelines and shake our heads have surely passed. Henceforth we should all operate on the assumption that we’re either now under attack as well, or will be shortly.
Email marketers have two valuable resources that malicious parties want to capture and exploit: information and infrastructure. Attackers want to access the information you hold, including email addresses, personally identifiable information (PII) and affiliation information (which organizations send to which recipients). Using this information the attackers can send spam or phishing messages and (in an unlikely worst-case scenario) even perform identity theft.
In addition to getting to the information you hold, attackers will also try to gain access to your infrastructure. In a recently reported breach at CheetahMail (http://blog.wordtothewise.com/2011/04/another-security-problem/) it was reported that an attacker had gained control of a customer account to send malware (UPDATE: The same thing just ocurred at Bronto: http://blog.bronto.com/2011/05/02/shared-security-responsibility-and-a-compromised-password-incident/). While many reports focus on attacks that result in data leaks, it’s also very common for attackers to access infrastructure to send their own messages from trusted systems, ruining reputation for the operator of the compromised infrastructure.
It’s time for all email marketers, whether sending themselves or through service providers, to make security a fundamental principle in their operations. The Online Trust Alliance (http://otalliance.org) recently published a set of guidelines (https://otalliance.org/resources/securitybydesign.html) that I highly recommend reviewing and following. I’d like to make a few additional recommendations of my own.
All the security technologies in the world can often be defeated by a simple phone call or a few dollars. There are multiple cases where attackers have been able to get into a system through social engineering: calling up someone in the target company and presenting themselves as a trusted co-worker and asking for the unsuspecting employee’s login credentials. In other cases a simple offer of cash in exchange for information or access can bypass any number of security measures.
Whether they are acting innocently or maliciously, your own employees (and customers) can easily be your downfall. There are a number of security measures that can help alleviate this:
- Educate your employees and users. Make sure they understand what social engineering attacks are and how to identify and prevent them. Teach them to never disclose their usernames and passwords, and enforce a policy of never asking customers for their credentials and make it clear to your customers that you will never do so.
- Do your homework. Employ best practices in your HR department. That includes performing background checks on your employees (at least the ones with access to sensitive customer information), including credit checks. Keep in mind that people in positions with access to sensitive data could be susceptible to enticement – this is particularly true if you’ve made it easy for them to act on that temptation.
- Apply the ‘need to know’ rule. Consider who really needs to be able to see customer information, and how much needs to be visible. Does someone who manages message templates really need access to your recipient list? Does someone who manages segmentation really need to be able to see both the user and domain portion of an email address? Perhaps they can do their job with access to the domain information only. Do customer service reps really need to be able to see lists of recipients or do they just need to be able to look up a specific recipient to do their job? There will always be people who need to access sensitive information, but not as many as you might initially think, and few need access to absolutely all the information rather than just a subset of it.
There are a number of best practices around securing the data you store, but I want to share a few ideas about what to store, to be used in combination with data security best practices.
- Store as little as possible. An attacker cannot steal information that you don’t possess. Do not ask for information you do not need or can’t use. Marketers tend to err on the side of over-collection because it ‘might’ come in handy. (Example: are you asking for a physical address when you do not send anything by regular mail?)
- Use encryption where possible. Consider a suppression list to prevent sending to people who have unsubscribed (hopefully you followed step one and purged everything but their address when they unsubscribed); you need to have their address in order to prevent sending to it, but you can store their address as a one-way hash and compare a one-way hash of recipient addresses to identify if a recipient should be suppressed. I’ve worked with senders who encrypt the user portion of every recipient address (firstname.lastname@example.org would be stored as email@example.com as an example) in the database, with a custom Lua script in the messaging server decrypting the user portion of the address on the fly just before sending. With this approach, they can still do domain reporting and segmentation, while making it much more difficult for attackers to extract useful information.
- Purge data as soon as possible. Again, you cannot lose what you do not have. Purge information as soon as feasible, both customer data and the various logs that can contain customer information. If you need a piece of information for a specific mailing, purge the data once the mailing is complete.
While I have no reports to date of email infrastructure as an attack vector there are still some steps you can take to better secure your email infrastructure.
- Secure the server. Implement security at the operating system level as well as at the network level. Restrict access to the web UI to internal machines only (use a VPN for external access). Strongly consider using two-factor authentication including password-protected SSH key-based authentication.
- Secure your logs. Remember that your logs will often contain address information, so you need to secure your logs with the same vigilance that you secure your database. Ensure that your file system permissions are properly set and that you retain your logs for no longer than necessary.
- Customize your logs. If your system supports customizable logging, consider trimming your logs down to the bare minimum data required for your purposes. Instead of storing the recipient email address, store a customer identifier that you can use to lookup the customer address (high-end solutions will let you store just the domain portion of the address so you can still do reporting on domain volumes and deliverability).
- Secure against being an open relay. Grant permission to inject mail on a per-IP basis if possible, use TLS and authentication if you need to allow relaying to external hosts.
- Scan your outbound mail streams. An effective way to mitigate infrastructure attacks is to filter all traffic as it leaves the server to prevent sending mail that contains viruses, spam or malware. The incident at CheetahMail I mentioned at the start of this entry could have been prevented with outbound traffic filtering. Keep in mind I’m speaking about AV/AS filtering on a per-message basis. It’s not enough to send a test message to a preview tool if you’re trying to protect your infrastructure; you need a messaging server that can filter traffic on egress.
- Implement Feedback Loops. While this may not seem like a security tool, I’ve worked with senders who were able to use a spike in incoming FBL messages to identify an unusual sending pattern coming from their servers, leading them in turn to identify that their network had been compromised and a malicious attacker was using their system to send mail.
- Implement authentication tools such as DK/DKIM/SPF/SenderID. Again, this does not directly secure your data, but if a list is compromised it will be harder for a malicious party to deliver mail from their own servers and make it appear to come from you (especially when making phishing attempts with your data).
- Monitor Block Activity. As with spam complaints, a sudden burst in rolling blocks could be a red flag that an infrastructure beach has occurred. Set-up alerting system for blocks and automated suspension processes to catch and shut down malicious mail streams before serious damage is done. The good news, if you’re running Momentum, is that our Adaptive Delivery product does this for you automatically.
The latest security breaches in the email marketing industry have re-enforced that an attack is a matter of when, not if, and senders need to plan accordingly. The recommendations of the OTA, combined with the recommendations above (and constant vigilance) should provide a good start at avoiding (and minimizing the impact of) a malicious attack.