The Challenge of Spam An Internet Society Public Policy Briefing

Similar documents
HKISPA Response to the Consultation Paper on the Proposals to Contain the Problem of Unsolicited Electronic Messages.

Caribbean Cyber Security: Not Only Government s Responsibility

RESOLUTION 130 (REV. BUSAN, 2014)

COUNTERING COUNTERING SPAM IN A DIGITAL WORLD

Countering Spam. ITU-T Study Group 17 Geneva, Switzerland 11 October 2005

RESOLUTION 130 (Rev. Antalya, 2006)

3.5 SECURITY. How can you reduce the risk of getting a virus?

Fast Flux Hosting Final Report. GNSO Council Meeting 13 August 2009

Office 365 Buyers Guide: Best Practices for Securing Office 365

Security Gap Analysis: Aggregrated Results

Policy recommendations. Technology fraud and online exploitation

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Cyber Security and Cyber Fraud

CYBER RESILIENCE & INCIDENT RESPONSE

A Review Paper on Network Security Attacks and Defences

ITU Survey on Anti-Spam Legislation Worldwide

QUARTERLY TRENDS AND ANALYSIS REPORT

Are we breached? Deloitte's Cyber Threat Hunting

Promoting Global Cybersecurity

Chapter 6 Network and Internet Security and Privacy

NEW INNOVATIONS NEED FOR NEW LAW ENFORCEMENT CAPABILITIES

G7 Bar Associations and Councils

WORKSHOP CYBER SECURITY AND CYBERCRIME POLICIES FOR AFRICAN DIPLOMATS. Okechukwu Emmanuel Ibe

ITU-T Standardization on Countering Spam

Phishing: When is the Enemy

Canadian Anti-Spam Legislation (CASL) Compliance Policy. 2. Adopt Canadian Anti-Spam Legislation (CASL) Compliance Policy.

Resolution adopted by the General Assembly on 21 December [on the report of the Second Committee (A/64/422/Add.3)]

FAQ. Usually appear to be sent from official address

Acceptable Usage Policy

Protecting Against Online Banking Fraud with F5

Security & Phishing

Draft Resolution for Committee Consideration and Recommendation

Enterprise SM VOLUME 1, SECTION 5.7: SECURE MANAGED SERVICE

USE POLICY. iprimus.com.au

Internet Interconnection An Internet Society Public Policy Briefing

Security by Default: Enabling Transformation Through Cyber Resilience

European Union Agency for Network and Information Security

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

The Republic of Korea. economic and social benefits. However, on account of its open, anonymous and borderless

Multi-lateral and Bi-lateral Cooperation: the Australian Approach.

Cybersecurity for ALL

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

Phishing Activity Trends Report January, 2005

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

Cisco Security: Advanced Threat Defense for Microsoft Office 365

Securing Information Systems

EISAS Enhanced Roadmap 2012

INSIDE. Integrated Security: Creating the Secure Enterprise. Symantec Enterprise Security

Cyber Security Guide. For Politicians and Political Parties

Senator the Hon Stephen Conroy Minister for Broadband, Communications and the Digital Economy. Deputy Leader of the Government in the Senate

Cyber Security Issues

Privacy Dimensions to Canada's Anti-Spam Legislation (CASL)

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

A1. Actions which have been undertaken by Governments

RANSOMWARE PROTECTION. A Best Practices Approach to Securing Your Enterprise

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

5 Trends That Will Impact Your IT Planning in Layered Security. Executive Brief

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

RESOLUTION 67 (Rev. Buenos Aires, 2017)

The importance of Whois data bases for spam enforcement

Cyber Hygiene Guide. Politicians and Political Parties

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Service Provider View of Cyber Security. July 2017

CyberEdge. End-to-End Cyber Risk Management Solutions

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

Angela McKay Director, Government Security Policy and Strategy Microsoft

New Zealand National Cyber Security Centre Incident Summary

.rio Registration Policies 2016 Dec 16

2018 Edition. Security and Compliance for Office 365

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

Altitude Software. Data Protection Heading 2018

Unique Phishing Attacks (2008 vs in thousands)

Entertaining & Effective Security Awareness Training

Child Online Protection

Robert Holleyman, President and CEO, BSA The Software Alliance

Putting security first for critical online brand assets. cscdigitalbrand.services

The Spam Problem. Suresh Ramasubramanian, IBM Joe St Sauver, M 3 AAWG Senior Technical Advisor October 2012 New Delhi

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Security Protection

CE Advanced Network Security Phishing I

RESOLUTION 45 (Rev. Hyderabad, 2010)

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Pending U.S. Anti-spam Legislation: A Marketer's Guide

About Issues in Building the National Strategy for Cybersecurity in Vietnam

Cybersecurity & Spam after WSIS: How MAAWG can help

Phishing Activity Trends Report October, 2004

IBM Global Technology Services Provide around-the-clock expertise and protect against Internet threats.

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

INDEX. browser-hijacking adware programs, 29 brute-force spam, business, impact of spam, business issues, C

Australian Government Cyber-security Activities in the Pacific

Easy Activation Effortless web-based administration that can be activated in as little as one business day - no integration or migration necessary.

Broadband Internet Access Disclosure

Stakeholders Analysis

Global Alliance Against Child Sexual Abuse Online 2014 Reporting Form

Cloud Security & Advance Threat Protection. Cloud Security & Advance Threat Protection

21ST CENTURY CYBER SECURITY FOR MEDIA AND BROADCASTING

PROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Digital Health Cyber Security Centre

Transcription:

The Challenge of Spam An Internet Society Public Policy Briefing 30 October 2015 Introduction Spam email, those unsolicited email messages we find cluttering our inboxes, are a challenge for Internet users, businesses, and policymakers alike. Estimates vary, but some suggest that more than 100 billion spam messages are sent every day, representing up to 85 percent of global daily email traffic. 1 The term spam generally refers to unsolicited electronic communications (typically email) or, in some cases, unsolicited commercial bulk communications. 2 Some refer to this kind of email simply as junk email. While spam activity is largely concentrated in the form of email, spam is an evolving threat that has spread into virtually all types of electronic messages, including mobile Short Message Service (SMS) text messages, social media postings, instant messaging systems, and online forums. The proliferation of spam email presents a harmful, costly, and evolving threat to Internet users. Governments can help reduce the impact of spam by deterring offenders via effective laws and enforcement measures, multistakeholder antispam efforts, the adoption of best practices, and citizen education about the dangers of spam. Beyond the annoyance and the time wasted sifting through unwanted messages, spam can cause significant harm by infecting users computers with malicious software capable of damaging systems and stealing personal information. It also can consume network resources. Today, some of the most common types of harmful spam are financial scam messages, email messages with embedded phishing software 3, botnet malware 4, and/or ransomware. 5 Spammers are highly inventive and relentless. They are constantly creating ever-more-attractive bait to entice users to open malwarecontaining messages. And they continue to seek new email address lists and new communication media to target. 1 Cisco Systems, SenderBase real-time threat monitoring system, http://www.senderbase.org. 2 International Telecommunications Union World Conference on International Telecommunication s International Telecommunications Regulations Article 7, Unsolicited bulk electronic communication, http://www.itu.int/pub/s-conf-wcit-2012/en. 3 Phishing generally is an attempt to acquire sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. 4 Malware is a term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, and other malicious programs that will infect the users computer with forms of executable code, scripts, active content, and other invasive software. 5 Ransomware is a type of malware that demands a ransom payment in order to remove it from the infected computer. Internetsociety.org

2 Key Considerations Governments around the world are taking legal steps to combat spam, although so far these efforts are more prevalent in western and developed countries. This might be because those countries faced the spam threat earlier. Countries that have adopted legislation regarding spam also have defined what they consider to be spam. These countries have made spam illegal, provided consumer education on how to manage spam, and in some cases, enacted and used enforcement measures to deter spammers. The result has been a noticeable drop of domestic spam, as confirmed in the Netherlands in 2010. After the Dutch government enacted an antispam law, users in the country experienced an 85 percent decrease in domestic spam. 6 However, spammers might have moved to countries without antispam laws. In addition to individual national legislation, there exists an international spam enforcement community known as the London Action Plan (LAP), which works to collaborate on cross-border spam enforcement and related issues. 7 Network operators and the technical community have developed best practices for managing network security threats, including spam. For example, the Messaging, Malware, and Mobile Anti-Abuse Working Group (M 3 AAWG) 8 produces documents on approaches and tools available to address security issues, such as describing steps to better manage the impact of spam on a network. 9 The Spamhaus Project 10 tracks spam operations and sources to provide real-time network protection and works with law enforcement to combat spam. There are also national and international organizations that work on ways to better manage spam, including the Global System for Mobile Association (GSMA), Regional Internet Registries (RIRs), the International Telecommunications Union (ITU), and the Internet Society. There are a variety of spam-blocking tools that can improve the way users deal with spam. But no matter how effective spam-blocking technology becomes, end users will always need to be vigilant about the possibility of harmful spam messages reaching them because no tool is perfect and spammers are always inventing new ways to spam. Also, it can be hard for users to recognize whether a message is malicious. Verizon s 2015 Data Breach Investigations Report indicates that 23 percent of email recipients open phishing messages and 11 percent click on attachments, thereby compromising their computers and networked systems. 11 Challenges From a broad perspective, spam is a constantly evolving technical, economic, and security challenge for many countries. As such, a multifaceted approach is required to address its challenges. More specifically, the problem of spam offers the following challenges to consider: 6 Dutch antispam law success, https://www.spamexperts.com/about/news/dutch-anti-spam-law-hassuccess. 7 London Action Plan, http://londonactionplan.org. 8 Messaging, Malware, and Mobile Anti-Abuse Working Group (M3AAWG) information, https://www.maawg.org/published-documents. 9 In June 2015, M3AAWG and LAP published Operation Safety-Net: Best Practices to address online, mobile and telephony threats, https://www.m3aawg.org/sites/default/files/m3aawg_lap- 79652_IC_Operation-Safety-Net_2-BPs2015-06.pdf 10 Spamhaus Project information: https://www.spamhaus.org/. 11 Verizon Corporation s 2015 Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015- insider_en_xg.pdf

3 Spam is an expensive problem for both the Internet s infrastructure and its users. High volumes of spam consume valuable network resources, and are a particular burden on countries with limited Internet access and bandwidth. Internet service providers (ISPs) expend great effort to manage this traffic, and end users need to be vigilant of opening spam that contains malware or scams. For mobile data subscribers and those who subscribe to metered services, the cost of receiving or unwittingly sending high numbers of spam messages can be significant. In addition, there are remediation costs to repair systems infected and/or attacked by spam-enabled malware, as well as costs associated with stolen user data. In general, the economics of spam lean heavily in favor of spammers. Spam messages cost very little to send. In fact, most of the costs are covered by message recipients, ISPs, infected users, or network operators. The nature of spam changes as new applications and ways to exchange data on the Internet are introduced. Spammers advance in their ability to use those platforms to deliver more intrusive and damaging ways to steal personal data, damage networks, and infect systems. Spam affects a wide range of Internet users; no single organization can solve the threats from spam by itself. It takes a worldwide, multistakeholder community working together to address the problem. Beyond the direct harm to users and the burden on network resources, spam also insidiously creates a lack of user trust and is viewed by some as an obstacle to the use of the Internet and e-commerce. There is also the potentially negative impact on a user s reputation if their identity is stolen by spammers and used to send out spam. Communities involved in deploying antispam measures may be met with retaliation (e.g., victims of Distributed Denial of Service (DDoS) attacks, hacking), so it is important that members of the global antispam communities not only provide assistance on how to combat spam, but also provide technical and other support against retaliation attacks. Guiding Principles The Internet Society believes that a collaborative approach among all relevant stakeholders will provide the best spam-mitigation solutions and security protection. This general approach is emphasized in the Internet Society s Collaborative Security principles, which emphasize a shared and collective responsibility among online stakeholders to achieve desired outcomes. 12 Governments can help combat spam by: Understanding the changing spam landscape. Spammers are constantly evolving their methods for spreading malicious email. Governments should make efforts to be up-to-date on spam techniques, trends, and evolving threats. Governments can also play a key role by 12 Internet Society s Collaborative Security Principles, http://www./collaborativesecurity

4 supporting research into the identification, tracking, and mitigation of spam and other online threats, as well as the development of related metrics to support policy making. Governments can also encourage privacy-respecting methods for information sharing among stakeholders on real-time risks and threats. Partnering with stakeholders for success. Spam is a multifaceted problem. A range of stakeholders have a role and should be involved in developing strategies, best practices, and approaches to the implementation of antispam measures, including the development of spam- and malwaremitigation tools. Coordination and partnerships among private and public sector stakeholders should be developed in order to produce robust solutions to spam. Useful entities to engage include antispam coalitions and working groups (such as M 3 AAWG), computer security response teams, network operators, ISPs and online service providers, the Internet technical community, business and consumer advocacy groups, civil society, and others with an interest in combatting spam, malware, and other malicious online activities. Enacting appropriate antispam legislation and enforcement measures. As previously noted, antispam legislation, strong consumer protection laws, and strong enforcement measures can help deter offending players and reduce the amount of spam sent and received in a country. 13 Government agencies charged with enforcing spam laws and regulations should be well-resourced, publicize the outcomes of enforcement measures, and make it easy for Internet users to report problematic spam and malware distribution. Collaborating with international counterparts. Spam is a crossborder problem. Collaboration with government counterparts around the world in antispam efforts, including international enforcement actions, is critical to successfully addressing global spam proliferation. Educating and empowering citizens. Governments should support public- and private-sector initiatives that educate Internet users on how to recognize and protect themselves against spam and other online threats. Internet users also should be aware of their legal right to seek remedies for loss or damage caused by illegal spam and other malicious online activities. 13 A comprehensive source for tracking antispam legislation is available at http://www.spamlaws.com. Links to several national legislative approaches are also located in the Internet Society s Spam Took Kit at http://www./spamtoolkit.

5 Additional Resources The Internet Society has published a number of papers and content related to this issue. These are available for free download on the Internet Society website. Internet Society Anti-Spam Toolkit, https://www./spamtoolkit Internet Society Spam and Online Threats (e-learning course), http://www./what-we-do/inforum-learn-online/inforumcourse-spam-and-online-threats. A Short Guide to Spam, http:///spam/short-guide-spam A History of Spam, http://www./doc/history-spam Combating Spam: Policy, Technical and Industry Approaches, http://www./doc/combating-spam-policy-technical-andindustry-approaches

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback