Out-Law News

Governments should "investigate alternatives" to email to protect them from security threats

Governments and businesses should be aware of the relatively insecure nature of email, and should "investigate alternative communication channels" to protect them from security threats, an EU advisory body has said.

A briefing note (3-page / 373KB PDF) issued by the European Network and Information Security Agency (ENISA) said that although email was "universally used" as a communication method, most email systems did not "provide any kind of authentication" around where a message originated. The note analysed recent cyber attacks, and concluded that attackers were making more targeted use of traditional methods, such as spear-phishing.

"It is very hard for users to understand where the message originates from and whether or not the sender is a trusted party," ENISA said. "This makes it very easy for attackers to send fake messages or to pretend they are someone else (spoofing)."

ENISA said that organisations operating in "critical sectors" should investigate encryption and authentication packages for their communications in the short term. In the long term, industry, government and businesses should investigate alternatives that "better protect users from spoofing or phishing", it said.

'Spoofing' occurs where an attacker successfully impersonates an individual. It often happens in conjunction with 'phishing', where the email contains a link to a web page that hosts malware or that tricks the user into entering usernames, passwords or credit card details. Targeted attacks against specific individuals are known as 'spear phishing'.

ENISA said that although many organisations had phishing filters and antivirus products in place to protect them against attacks, these measures were not always effective when attacks were carried out over a long period of time. Recent cases involved attacks that had gone unnoticed for years, probably because the limited number of victims meant that the particular vulnerabilities exploited had not been brought to the attention of antivirus companies, it said in its note.

The switch from email was one of a number of recommendations the security agency made in its note, in which it said that prevention "should be the primary defence against attacks". ENISA also called on businesses to reduce the complexity of software installed on user devices, pointing out that it was more difficult to ensure that complex software was "free from vulnerabilities".

"Organisations and businesses should proactively reduce the attack surface by reducing the complexity of software installed on user devices and reducing the permissions of users to access other devices, services and applications by applying the principle of least privilege," ENISA said.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that ENISA was right to place the emphasis on "prevention" as part of its note. However, he pointed out that organisations should adopt preventative measures as part of a fuller IT security strategy.

"It goes without saying that in placing the emphasis on 'prevention', ENISA is not discounting the importance of effective threat monitoring or thorough security breach response processes," he said. "Both should be seen as important elements of an IT security strategy that seeks to protect against unauthorised access or processing in a way that meets the standards of care currently representative of best practice."
