E-mail that uses HTML to enrich images, backgrounds, or text opens the door to security problems, according to Rohyt Belani, managing partner at Intrepidus Group, a security consulting company.
Phishers are relying more and more on HTML e-mail, also known as e-mail with active content. Belani explained that HTML lets spammers or hackers disguise their attacks by masking the URL to which a hyperlink actually points. The visible link may read www.yourbank.com, but it might point to a Russian hacking site. That helps the hacker con unsuspecting people into clicking the link, which most likely takes them to a malicious site where their machine is infected with malware.
"You would not know this unless you viewed the source of the HTML e-mail, which non-IT-savvy users won't know to do," said Belani, who noted that blocking HTML e-mail at the gateway is a simple step, just as many companies already do with executable attachments.
Belani also said few companies need HTML e-mail. "E-mail may not look as pretty," he said jokingly. "It enriches the text, but also hackers' abilities."
Most of the security experts contacted recommended training. Yes, there is a cost involved, but they said either that there are ways to make it less expensive, such as doing it in-house, or that in the long run the investment will more than pay for itself.
"That's my number one thing," said Dykstra. "No matter what you do, there's nothing cheaper than training up your personnel. You could even do it in-house if you have somebody who is willing to put this together. If I train somebody in what to be prepared for, or how to prepare for an incident that's going to happen, that one effort will have a long-term payoff. If I buy some box and put it on my network, I'm not sure I'm going to get the same level of continuous payoff. Making people smarter is always a smart move."
Dykstra also said that he would focus on giving his IT staff security training before moving on to the users. He noted that many techies aren't given any, or enough, security training in college, and that it's often cheaper to train them because they are a smaller group than the company's mass of users.
"If they have a few classes on patch management, or security incident response, or how to secure users then you have this smart IT base and they're going to make better decisions," he added. "They need this kind of training."
Since Microsoft's applications heavily dominate the market, they're the main target for hackers and virus writers. It's not an issue of bugs: Mozilla's Firefox actually had nearly twice as many reported vulnerabilities as Internet Explorer in a recent six-month span, according to Symantec's Internet Security Threat Report. The issue is that hackers are simply targeting Microsoft's software and largely leaving Firefox and Thunderbird alone.
"Attackers are writing their malware to market share," said Ken van Wyk, principal consultant with KRvW Associates. "That is, they're targeting the big guys the most -- IE and Outlook. Switching to anything else will improve your security, not because those things are more secure, but because those other products aren't what the attackers are going after, by and large."
Keep in mind, though, that if enough people were to take van Wyk's advice, everything would change. "Of course," he added, "if the world changes to Firefox and Thunderbird, the attackers will go there, as well."