Implementing network security is of paramount importance to secure your organization's information and internal systems from malicious attacks from inside and outside the network. Organizations spend millions of dollars a year on safeguarding measures via the implementation of firewalls and intrusion detection systems, and industry trends show this market is growing. According to Gartner, in 2005 and 2006, the market for intrusion prevention systems will consolidate as next-generation firewalls continue to evolve technologically. The majority of firewalls block access to certain network services and allow access to others. Some advanced firewalls offer options to monitor communications and look for specific information at the packet level to indicate unauthorized or malicious security breaches.

But what about the services the organization lets the outside world access? Many organizations support Web servers and FTP servers as part of their core business, and they usually have these systems safeguarded and isolated in separate network areas to mitigate the risks of successful attacks. E-mail is the one service virtually every single company supports and it's one of the few services that allows bi-directional communication from the outside world directly to the inner network, right down to the users' workstations.

Very early on, hackers began to exploit e-mail systems as an ideal way to distribute malicious software, known as viruses. To combat these threats, the industry responded by implementing anti-virus software at the user and network layers. The next attacks, which were deemed a nuisance by some and attacks against productivity and resources by others, were spam attacks: Thousands of unsolicited e-mail messages and advertisements flooded organizations' messaging systems and caused immeasurable productivity loss. The industry responded again by developing solutions to block or identify these unsolicited messages, but unlike viruses, which had a clearly malicious intent, spam represents a revenue-generating business for many dubious individuals and groups. As such, it has been a lot harder to control. Consequently, there has been an ongoing war against spammers and strong pressure for industry solution providers to stay on top of spam and continue to improve the technology designed to counter new spamming techniques.

If virus onslaughts and spam attacks were the only threats against your network and your organization coming through your messaging system, network administrators would sleep well at night. But the e-mail system is still the easiest way for unscrupulous individuals and shady businesses to conduct malicious attacks on your organization's services or steal valuable information. Consequences resulting from such attacks can translate into considerable financial and productivity losses for your organization and its employees.

Phishing

One of the new, increasingly serious attacks conducted against organizations and individuals is called phishing. Phishing is the act of misrepresenting an e-mail communication to trick the recipient into thinking the message came from a familiar or trusted source. The message then requires the recipient to respond with sensitive information or visit a false Web site through links in the e-mail message, where the perpetrators of this fraud can steal the victim's personal and sensitive information. Malicious individuals have designed this type of attack to extract financial information from unsuspecting individuals, such as bank account numbers and passwords, to access online banking resources. Phishing can compromise internal network security as well. More and more, organized criminal elements outside the United States are running these attacks, where it's harder to catch and convict them. Already more than half the financial institutions in the U.S. have fallen victim to phishing, leading to global losses between $150 to $500 million, depending on the source. Figure 1 shows the increased number of reported phishing sites from October 2004 to June 2005 according to Tumbleweed Communications and Websense.

Phishing attacks occur and succeed for a number of reasons:

• They can result in enormous monetary gain.
• It's easy to hide or spoof the sender's e-mail address in any e-mail message to disguise where the message originated from and thus, lend credibility to the message.
• It's relatively simple and doesn't take sophisticated knowledge to create a false e-mail message or counterfeit Web site.
• Gullibility and a lack of understanding of e-mail entice a small percentage of recipients to respond and provide personal information across unsecured networks without carefully inspecting from where the message came. Subversively employing social engineering techniques, phishing attacks usually impart some form of urgency such as "Your account will be terminated if you don't provide such and such information" to compel individuals to hastily respond.