By Jim Blair
There are many things making the news headlines these days, but one story isn't getting the attention it deserves: the war to secure your email.
Attacks on email have been occurring for years, but the attack activity since March 2018 has been unprecedented. Hackers are successfully compromising user accounts at an alarming rate and expanding their attacks by making use of the accounts they compromise. The purpose of the attacks varies: Some are meant to steal money, some are meant to embarrass you, others are meant to extort you into paying a ransom to the hacker.
The attacks are getting more sophisticated, and the hackers are leveraging cloud-based technologies to aid them. They piece together information about you from data on the "dark web" to make their attacks more credible.
Email security recommendations
Email has been around since the 1960s, but its use expanded significantly in the mid-1990s. The underlying protocol, Simple Mail Transfer Protocol (SMTP), became the standard that email systems use. It was developed on the ARPANET for collaboration between research universities. It succeeded in that goal, and it remains the most common way people communicate with others, especially between businesses.
What makes email difficult to secure is that every email solution uses the same protocol. Over time, hackers have identified vulnerabilities and exploit opportunities in and around SMTP. Today, email poses the greatest security risk to its users. It has become the leading attack vector because hackers use advanced social engineering to get end users to hand over their passwords.
Due to the risks involved, it is important for all companies and users to take extra measures to protect their email and passwords.
Tips to better secure your email and protect your team
Disable auto forwarding of email outside of your domain
- Hackers are using compromised emails to harvest (exfiltrate) your email to an account they control.
- They create email rules to auto forward all your incoming email to them and set up a rule to delete the sent items, so these outgoing messages go undetected.
- At some point, whether when your account is first compromised or several months later, they will use your account to expand their phishing attacks. People you communicate with will get an email they blindly trust because it came from you. Unaware that your account has been compromised, they assist the hacker in furthering the attack because they trust you and think the email came from you.
- You need to have your email administrator disable email auto forwarding and make exceptions where this may be needed for your company.
- This does not prevent you from forwarding an email to someone else on your team, but it does prevent your email from being forwarded outside of your company to a free email account (Yahoo, Outlook, Gmail, etc.).
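The following is an added example, not code from the article or from the author's firm. It audits Exchange Online mailboxes for the forward-and-delete rule pattern described above and then blocks automatic forwarding to external domains. It assumes the ExchangeOnlineManagement module is installed and you hold an Exchange administrator role; the partner domain at the end is a placeholder.

```powershell
# Added example (not from the article): audit every mailbox for the forward-and-delete
# inbox rule pattern described above, then block auto-forwarding to external domains.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# 1. Inbox rules that forward or redirect mail; a rule that also deletes the
#    message is the exfiltration pattern attackers use to stay unnoticed.
$suspect = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                Rule        = $_.Name
                Targets     = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                                   Where-Object { $_ }) -join '; '
                AlsoDeletes = $_.DeleteMessage
            }
        }
}
$suspect | Sort-Object AlsoDeletes -Descending | Format-Table -AutoSize

# 2. Mailbox-level forwarding configured in mailbox options rather than in a rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Stop automatic forwarding to every external domain. Forwarding to a
#    co-worker is unaffected because it never leaves the organization.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Exception for a partner domain that genuinely needs it (placeholder domain name):
# New-RemoteDomain -Name 'Partner' -DomainName 'partner.example'
# Set-RemoteDomain -Identity 'Partner' -AutoForwardEnabled $true
```

Review the audit output with the mailbox owners before assuming a rule is malicious; a forward-and-delete rule is suspicious, but a user may have created it for a legitimate reason.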
Implement Multi-Factor Authentication
- All email (work and personal) needs to be protected by MFA, also called two-factor authentication because it requires a second form of authentication.
- This is the new normal for email security: MFA has been around for well over 10 years, but it is now more cost effective to implement.
- The most common method uses a hardware fob or smartphone as the second form of authentication. The device generates a one-time code or receives a notification that you must act on.
- The MFA process requires you to approve your login from that other device. The hackers do not control the fob or smartphone, so they are unable to log in to your account even if they have your password.
Disable legacy authentication protocols (IMAP and POP)
- The primary reason for disabling legacy authentication protocols is that these older technologies can bypass Multi-Factor Authentication: they accept only a username and password, and because of their age they are not supported by modern MFA solutions.
- This recommendation does depend on whether and how you use these older technologies. You may need them for certain functions to work, so you will want to review these protocols with your email administrator.
- Modern Microsoft systems such as Exchange Server and Office 365 Exchange Online use ActiveSync, yet IMAP and POP are still enabled by default, so your administrator should disable them if you do not need them. There are rare situations where they may be needed, so this recommendation does require further review on your end before making the change.
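An added example (not the article's or the author's own code) of the review-then-disable step above for Exchange Online: it lists every mailbox that still has POP or IMAP switched on, turns both off except for an exception list you have reviewed, and closes the default for new mailboxes. It assumes the ExchangeOnlineManagement module; the exception address is a placeholder.

```powershell
# Added example (not from the article): report and disable POP/IMAP in Exchange Online,
# keeping a reviewed exception list. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Placeholder: mailboxes that genuinely need a legacy protocol (e.g. a scanner or
# line-of-business app), agreed with the email administrator during the review.
$exceptions = @('scanner-mailbox@example.com')

# 1. Report: which mailboxes still accept the legacy protocols?
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$legacy | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled | Format-Table -AutoSize

# 2. Disable on every mailbox that is not on the exception list.
foreach ($cas in $legacy) {
    if ($exceptions -contains $cas.PrimarySmtpAddress) {
        Write-Host "Keeping POP/IMAP for reviewed exception $($cas.PrimarySmtpAddress)"
        continue
    }
    Set-CASMailbox -Identity $cas.Identity -PopEnabled $false -ImapEnabled $false
}

# 3. New mailboxes inherit from the CAS mailbox plan, so close the default as well.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
```

Because the underlying problem is that these protocols only speak basic (username and password) authentication, pair this with an Exchange Online authentication policy that blocks basic authentication, so the protocols cannot be quietly re-enabled later.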
Implement advanced threat protection (Email filtering)
- Email filtering solutions have been utilized for many years to address SPAM email, but in many cases these older style filtering technologies do not work effectively against the newer attack methods utilized in phishing messages.
- Microsoft and Google both offer an Advanced Threat Protection service. These services do incur additional costs (monthly or yearly) and are vital to protect your users from the onslaught of phishing messages.
Tag messages that originate outside of your domain (company)
- Email spoofing has been around for more than 10 years. This is when a hacker impersonates someone, so the actual sending address does not match the name you see on the message.
- Since spoofing is getting harder to detect, you will want to tag messages that originate outside of your domain.
- The purpose is to keep you and your team from interacting with a message that appears to come from a co-worker or boss but is actually a phishing message from someone impersonating them.
- Noting that the message originated outside your company will help protect your team from believing these spoofed emails are legitimate.
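An added example, not the article's own, of how the tagging above is done with an Exchange Online mail-flow rule: every message that arrives from outside the organization gets a subject prefix and a short warning at the top of the body. It assumes the ExchangeOnlineManagement module; the rule name and warning text are placeholders you would adapt.

```powershell
# Added example (not from the article): tag mail from outside the organization with a
# subject prefix and a body banner. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$ruleName = 'Tag external senders'   # placeholder rule name
$banner   = '<p style="color:#b00000"><b>EXTERNAL:</b> This message came from outside the company. ' +
            'Verify the sender before acting on links, attachments or payment requests.</p>'

# Create the rule once; re-running the script must not create duplicates.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -PrependSubject '[EXTERNAL] ' `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText $banner `
        -ApplyHtmlDisclaimerFallbackAction Wrap `
        -Priority 0 `
        -Comments 'Warns users that the sender is not a co-worker even if the display name looks like one.'
}
```

The prefix is a reading aid, not a spoofing control: keep it alongside SPF, DKIM and DMARC checks on inbound mail rather than in place of them.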
Do not put email addresses on your website
- While this seems like a very customer-focused, friendly thing to do, you are doing yourself a disservice and helping potential hackers.
- Some companies not only provide email addresses, but they include managers (with their job titles) as well. This information is pulled from websites by all types of software that crawls and scrapes information off websites. By listing your accounts payable person, CFO, or President, you are helping the hacker to connect the dots and personalize the attacks to these specific individuals.
- If you want someone to contact you via your website, use a contact form protected by a CAPTCHA. This prevents your email addresses from being scraped off your website.
Never click on email links to your bank or other cloud accounts
- This requires discipline from the end user but can help protect you from potentially harmful links.
- If you get an email from your bank, for instance, do not click on any links in the email. Instead, type the bank's URL into your web browser and log in to your account that way.
Do not reply to suspicious emails from people you know
- If an email from someone you know seems suspicious, do not reply to the message. Make a phone call to verify the email is from the person.
- Unfortunately, we have seen people get a suspicious message and reply to it asking whether the attachment or link is safe. What the end user does not realize is that the person replying to them may be a hacker who has access to the other person's account.
If your firm uses Google G Suite for email, you need to review the advanced security settings. G Suite added additional capabilities to protect your users in March 2018, and your administrator should double check the settings and make appropriate changes.
Blair is managing partner of Aberdean Consulting. He can be reached at firstname.lastname@example.org