By Jim Blair
In February 2020, the Tech Council Current published our guest column headlined, “If You Think Your Email is Secure, Think Again.” Here is an update with more actions for businesses and individuals to take.
The pandemic and the social distancing that require remote work are further aggravating the security vulnerabilities organizations already face. Compromising users via email remains the top threat, and it can be prevented. In the last 90 days, Aberdean Consulting has seen a 200-300% increase in phishing and spoofing messages.
Recent information published by ThreatPost.com suggests IT administrators are not securing their organization’s Microsoft cloud services. A few takeaways from their findings:
- Microsoft Cloud accounts are a treasure trove for cybercriminals looking for sensitive organization data.
- Attackers use email-based phishing or spear-phishing attacks, automated credential stuffing, or “brute force” password guessing attacks. The dark web contains 9 billion compromised user passwords that hackers are using.
- Ninety-nine percent of email attacks are preventable with multi-factor authentication (MFA), according to the SANS Software Security Institute. MFA is explained in more detail later in this article.
- IT administrators are not doing their part to implement MFA for their organization. An estimated 97% of companies using the Microsoft cloud are not using MFA.
- Overall, researchers found that organizations are failing to implement basic security practices.
We continue to learn how hackers are compromising user accounts at an alarming rate. Once a user is compromised, the hackers use that account to help compromise other accounts. A few weeks ago, some investors using the “Robinhood” app had all the money stolen from their investment accounts. In the Oct. 29 news, we read that $2.3 million was stolen from the Wisconsin Republican Party in what appears to have started as a phishing attempt.
We also hear from business owners that MFA is bothersome and adversely impacts end-user productivity. Some companies opt not to enhance their security and take a wait-and-see approach. Our response is that this is the “new normal.” These measures are not only for companies; they are also necessary for every individual. The writing is on the wall, and you need to act now. Here are things you can do to make yourself more secure:
Email (Cloud) Security Recommendations
Email has been around since the 1960s, but its use expanded significantly in the mid-1990s. Email was developed on the ARPANET for collaboration between research universities. Its underlying protocol, Simple Mail Transfer Protocol (SMTP), became the standard that email systems still use.
What makes email challenging to secure is that every email solution uses the same protocol. Over time, hackers have identified vulnerabilities around SMTP. Today, email poses the most significant security risk to its users. It has become the leading attack vector because hackers rely on advanced social engineering to get end users to hand over their passwords.
Due to the risks involved, all companies and users need to take extra measures to protect their email and passwords.
Tips to Better Secure Your Email and Protect Your Team (as Well as Some Added Tips for Individuals)
Implement Multi-Factor Authentication (MFA)
- All email (work and personal) needs to be protected by MFA, also called two-factor authentication because it requires a second form of authentication.
- MFA is the new normal for email security. MFA has been around for well over ten years, but it is now more cost-effective to implement.
- The most common method uses a fob or smartphone as the second form of authentication. The fob generates a one-time code, or a code or approval notification is delivered to a mobile device you carry.
- The MFA process requires you to approve your login activity from the other device. The hackers do not have control of the fob or smartphone, so they cannot log in to your account.
Disable Legacy Authentication Protocols (IMAP and POP)
- The primary reason for disabling legacy authentication protocols is that these older technologies bypass multi-factor authentication: clients using them sign in with only a username and password, because the protocols do not support modern MFA solutions.
- Modern Microsoft systems such as Exchange Server and Office 365 Exchange Online use ActiveSync. The IMAP and POP protocols are enabled by default on older Microsoft Office 365/Microsoft 365 accounts established before 2020. Your administrator should disable them if you do not use them. There are edge scenarios that require these protocols, so review your own usage before making this change.
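As an added example that is not part of the article, the following Exchange Online PowerShell script audits which mailboxes still have POP or IMAP enabled, disables both on every mailbox except a reviewed exception list, and updates the mailbox plans so new mailboxes get the same setting. It assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has been run as an Exchange administrator, and that the exception address is a placeholder.

```powershell
# Added example (not from the article): audit and disable POP/IMAP in Exchange Online.
# Assumes Connect-ExchangeOnline has already been run as an Exchange administrator.

# Mailboxes with a documented need for POP/IMAP (placeholder address; review before use).
$Exceptions = @('scanner@contoso.example')

# 1. Audit: list every mailbox that still has POP or IMAP enabled.
$Enabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled
$Enabled | Format-Table -AutoSize

# 2. Disable both protocols on every mailbox that is not on the exception list.
foreach ($m in $Enabled) {
    if ($Exceptions -contains $m.PrimarySmtpAddress.ToString()) {
        Write-Host "Skipping documented exception: $($m.PrimarySmtpAddress)"
        continue
    }
    Set-CASMailbox -Identity $m.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false
}

# 3. Make the change stick for mailboxes created later by updating every mailbox plan.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
```

Run step 1 on its own first and share the list with the business owners, since any mailbox on it that belongs to a scanner, line-of-business application or shared device is a candidate for the exception list.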
Disable Auto-Forwarding of Email Outside of Your Domain
- Hackers create email rules that auto-forward all your incoming email to them, and they add further rules to cover their tracks so the forwarding goes undetected.
- At some point, whether at the time your account is compromised or several months later, they will use your account to expand their phishing attacks. People you communicate with will get an email they blindly trust because it came from you. They are unaware of your account compromise and will assist the hacker in furthering the attack because they trust you and think the email came from you.
- Have your email administrator disable email auto-forwarding and make exceptions where needed.
- This does not prevent you from forwarding an email to someone else on your team, but it does prevent a forwarded email from being delivered outside of your company.
- If your firm uses the Google G Suite for email, you need to review the advanced security settings. G Suite added other security features to protect their users in March 2018, and your administrator should double-check the settings and make appropriate changes.
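The following Exchange Online PowerShell script is an added example, not part of the article or any vendor's documentation. It blocks automatic forwarding to external domains at the tenant level and then audits both mailbox-level forwarding and inbox rules that forward, redirect, delete or mark messages as read, which is the pattern described above. It assumes Connect-ExchangeOnline has been run as an Exchange administrator and that contoso.example is a placeholder for your own domain.

```powershell
# Added example (not from the article): block external auto-forwarding in Exchange Online
# and audit existing forwarding. Assumes Connect-ExchangeOnline has already been run.

$OurDomains = @('contoso.example')   # placeholder: your own accepted domains
$Internal   = '@(' + (($OurDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\b'

# 1. Block auto-forwarding outside the organization at the tenant level.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Audit mailbox-level forwarding set by an administrator or by the user in settings.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Audit inbox rules that forward or redirect mail, noting whether any target is
#    outside our domains and whether the rule also hides its tracks.
$Findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @((@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) |
                         Where-Object { $_ })
            [PSCustomObject]@{
                Mailbox   = $mbx.PrimarySmtpAddress
                Rule      = $_.Name
                Targets   = ($targets -join '; ')
                External  = [bool]($targets | Where-Object { "$_" -notmatch $Internal })
                Deletes   = $_.DeleteMessage
                MarksRead = $_.MarkAsRead
            }
        }
}
$Findings | Sort-Object External, Deletes -Descending | Format-Table -AutoSize
```

Rules flagged as External with Deletes or MarksRead set are the ones to investigate first, since a legitimate user rarely forwards mail outside the company and then deletes the original.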
Implement Advanced Threat Protection (Email Filtering)
- Email filtering solutions have been used for many years to address SPAM email. Still, in many cases, these older-style filtering technologies do not work effectively against the newer attack methods used in phishing messages.
- Microsoft and Google both offer an Advanced Threat Protection service. These services incur additional costs (monthly or yearly) and are vital to protect your users from the onslaught of phishing messages.
Tag Messages That Originate Outside of Your Domain (Company)
- Email spoofing has been around for over ten years. This is when the hacker impersonates someone, so the actual sender address does not match the name you see on the message.
- Since spoofing is getting harder to detect, you will want to tag messages that originate outside your domain.
- The purpose of this is to keep you and your team from interacting with a message that appears to come from a co-worker or boss but is actually a phishing message from someone impersonating them.
- Noting the message originated from outside your company will help protect your team from believing these spoofed emails are legitimate.
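As an added example that is not part of the article, this Exchange Online PowerShell snippet turns on Outlook's built-in external-sender tag and adds a mail flow rule that prepends a marker to the subject and a banner to the body of every message from outside the organization. It assumes Connect-ExchangeOnline has been run as an Exchange administrator; the rule name and banner text are examples.

```powershell
# Added example (not from the article): tag mail from outside the organization.
# Assumes Connect-ExchangeOnline has already been run as an Exchange administrator.

# Option A: Outlook's native "External" sender tag (no change to the subject or body).
Set-ExternalInOutlook -Enabled $true

# Option B: a mail flow rule so the tag is also visible in clients without option A.
$Banner = '<p style="background:#fff3cd;padding:6px;border:1px solid #ffeeba">' +
          'CAUTION: This message originated outside the company. Confirm by phone ' +
          'before acting on any request for payment, credentials or data.</p>'

New-TransportRule -Name 'Tag external senders' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $Banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0 `
    -Comments 'Marks external mail so spoofed co-worker messages stand out.'

# Verify the rule exists and is enabled.
Get-TransportRule -Identity 'Tag external senders' | Format-List Name, State, Priority, FromScope
```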
Do Not Put Email Addresses on Your Website
- While this seems like a very customer-focused, friendly thing to do, you are doing yourself a disservice and helping potential hackers.
- Some companies publish email addresses together with names and job titles. This information is harvested by all kinds of software that crawls and scrapes websites. By listing your accounts payable person, CFO, or president, you help the hacker connect the dots and personalize attacks against those specific individuals.
- If you want someone to contact you through your website, use a contact form protected by a CAPTCHA instead. This keeps your email addresses from being scraped off your site.
Never Click on Email Links to Your Bank or Other Cloud Accounts
- This requires education and discipline from the end-user but can protect you from clicking on potentially harmful links.
- For instance, if you get an email from your bank, do not click on any links in the email. Instead, type the bank’s URL in your web browser and log in to your account that way.
Do Not Reply to Suspicious Emails from People You Know
- If an email from someone you know seems suspicious, do not reply to the message. Make a phone call to verify the email is from the person.
- Unfortunately, we have seen people get a suspicious message, and they reply, asking if the attachment or link is safe. The end user does not realize that the person responding may be a hacker who has access to the other person’s account.
- If you use email services from third-party providers like Charter/Spectrum or TDS (for example), you cannot secure these accounts, so we recommend replacing them with secure email options.
- Your personal information, finances, etc. are linked to email, and if that email is insecure, everything sent through it is insecure. We saw an incident where an end user’s Charter email was compromised, allowing the hacker to attempt to compromise people who worked at the same organization as the person.
- Google, Yahoo, and Microsoft (Office 365 or Outlook.com) offer MFA protection, but you must enable it in your advanced security options.
- Not all MFA is the same: use SMS texting only as a last resort for the second form of authentication. We advise using an authenticator app (Microsoft and Google both offer Authenticator apps).
- You should enable MFA for every cloud service you use. Examples include: Amazon, Facebook, Instagram, LinkedIn, PayPal, Snapchat, Venmo, Twitter, etc.
- We recommend you start using a password manager application to manage and secure your passwords.
- A password manager allows you to create unique and challenging (long) passwords without remembering them or writing them down. It also provides feedback on how good your passwords are. Some services will even alert you if your information shows up on the dark web.
- Secure the password manager itself with MFA; otherwise, someone who obtains its master password can log in to your password manager and steal everything in it.
- Companies that provide these services include 1Password, Dashlane, LastPass, Keeper, RoboForm, etc.
- They protect your data using encryption while the data is at rest. This keeps your data secure, unlike the data in the Equifax breach a few years ago. Equifax wasn’t encrypting the data, allowing it to be stolen and sold online.
More Information About the Author and Aberdean Consulting
Jim Blair is the managing partner of Aberdean Consulting and can be reached at firstname.lastname@example.org. Aberdean Consulting has been providing IT Managed Services for more than 17 years and supports more than 140 companies (who employ over 4,500 people) operating in over 20 states and two Canadian locations.
Aberdean Consulting was recently invited to join the inaugural Partner Advisory Council for Malwarebytes, a leading security application provider protecting organizations and individuals from malware, ransomware, and IT exploits. Malwarebytes provides security solutions for more than 60,000 businesses globally with sales exceeding $200 million and a team of nearly 1,000 employees. Aberdean Consulting is one of just seven companies asked to join the advisory council.