Letting The Wrong Ones In: Email Security’s Big Blind Spot

In the course of my systems engineer duties at FireEye, I get the chance to speak with security professionals at a lot of organizations. Many of them seem confident that their email security gateways or email software-as-a-service (SaaS) providers can safeguard them from spear-phishing attacks.

Here are some of the typical comments I hear from companies:

  • “My email security provider has specific phishing filters, so we’re confident that we have eliminated the risk of an infection via a spear-phishing email.”
  • “Our users receive virtually zero spam, so the solution works just fine.”
  • “The contents of the email quarantine are so accurate that we don’t bother checking any more.”
  • “We have a strict attachment policy and multiple AV engines within our email security solution. That adds a very high level of protection from malware threats.”

In general, people believe that the email security headache has been solved. So they tend to relegate it to a secondary concern, far below Web security.

That could be a huge mistake. While spam filters and other email security tools have defanged many high-volume campaigns, they’re futile against some of the most dangerous targeted, personalized attacks.
