Modernizing Authentication — What It Takes to Transform Secure Access
Im keenly aware of email security when it comes to protecting myself and my company from incoming nasties. We run a couple tiers of anti-spamming and anti-virus screening on the incoming side, and then I make sure we all follow a policy of if I dont recognize it, delete it without opening the (potentially) offending message. Im really careful about screening incoming emails based on where they are from and why they were sent. My basic litmus test is whether I know the person and whether I expect to hear from the person and whether the subject line makes sense in the present context? If not, we delete, with prejudice.
So yes, Im really careful about incoming messagesbecause I know what they can and often do contain.
But what were they thinking? Allow me to explain
|Recent Alignment Articles|
Google's Race to the Bottom
Will the iPhone be a Security Nightmare?
Taxes, The Internet, and the Government: Be Afraid
The Secrets of Laptop Encryption
The second such message came from a big green credit card company that we all know. The message, with a subject line of SecuritySnapshots: Reducing the Risk of Identity Theft provided guidance from their security department on how to protect you (the customer) from identity theft.
Now, all of this was good sound advice from the two companies. And make no mistake about it, I get a lot of this sort of emailwe all dobut these messages really jumped off the screen at me as being especially and profoundly ill-advised.
Why? Let me count the reasons They were unsigned. They were HTML only. And to exacerbate matters, each of them contained links to their respective security pages and contact points.
Im willing to believeindeed hopethat the emails were otherwise legitimate. They probably were. Well, they looked legitimate. Hmm, come to think of it, perhaps they werent legitimate. I dont know.
Thats the real problem. As a security professional of several (ahem) years, I have no way of knowing if the messages were legitimate or not. Lord only knows what their other customers thought about the emails. The very thing that the messages were trying to help protect against for their respective customers is completely destroyed simply because of the way they delivered the messages. (And that, Alannis, is ironic.)
What on earth were they thinking?
I spend a lot of time riding my mountain bike around the trails in my neighborhood. On an almost daily basis, I encounter deer, foxes, rabbits, and even the occasional snake, among other creatures. I wouldnt dream of doing anything that would encourage them to think of me as anything but dangerous. Not because I am dangerous to themIm notbut because I would be crushed if they developed even an iota of trust in humanity that later lead to their demise at the hand (or trigger) of someone who is dangerous to them.
Weve got to start treating emails in the same way that those deer ought to think of humans: pure evil, to protect yourself from at all costs. Perhaps thats more than a little melodramatic, but you get the point I hope.
Until and unless we start treating all emails as potentially dangerous unless proven otherwise, weve got to think of them as toxic. Digital signatures can go a long way to help us establish that the message were looking at really came from where it purports to come from. They do nothing to help ensure the content itself will be correct, not dangerous, etc., but theyre a good starting point, and they completely eliminate the threat posed by spoofing emails that contain deliberately malicious links, attachments, etc.
Companies that use email to communicate with their customers have got to do better. Id go so far as to say that not signing those emails is tantamount to negligence. Perhaps those of you with backgrounds in the law will object to my choice of words, but at the very least, unsigned customer communications are downright foolhardy. All they do is teach your customers to trust the untrustable.
I, for one, sure expect more from reputable companies.