Security Basics: Email Security

This post is one in a series of blog posts on the fundamentals of an information security program. You can see the complete list of posts in this series here.


Of all the common applications in most organizations, email is perhaps the most basic and essential. Any systems administrator knows that if email goes down they will hear about it very quickly!

Email is also the most common route for systems intrusions to begin in the modern enterprise. The most common example is "phishing" or "spear phishing" messages that lead to malware infections; the difference between the two is that general "phishing" is aimed at a broad audience (think of fishing with a tuna net) and spear phishing is aimed at one target or a small group of targets (think of fishing with, well, a spear). The malware can be anything from "ransomware" that tries to encrypt your files and hold them for ransom to a remote access trojan (RAT) that silently gives a hacker access to your system.

[Figure: "Phishing" versus "spear phishing"]

Malicious software is usually delivered via email in one of two ways. In the first case, an attached file contains code that exploits a vulnerability in the software used to open the file (e.g., Adobe Reader, Microsoft Word). In the second case, the email contains a link to a website or other online resource and that online resource delivers the malware, typically by exploiting a vulnerability in some element of the web browser.

The following are some key features and considerations to keep in mind with email security software or services:
  • Spam filtering. Spam is primarily thought of as a nuisance, but malicious emails are often sent out to broad lists of people and can be caught by spam filtering as well.

  • Malware scanning. Most scanning for malicious software depends on looking for known bad files as attachments and/or websites linked in an email based on their known "signatures." This type of scanning may miss new threats or those not previously identified, but it will detect the majority of malicious files and links. Some newer systems can dynamically check files and links for suspicious behavior, thus detecting many threats for which no signature would exist.

  • Anti-spoofing. Your email security system should reject inbound mail from outside your network that claims to originate from inside it, i.e. from your own domain. One of the most dangerous types of email scams involves emails sent to employees that appear to come from someone else in the company (typically senior management) requesting information or a financial transaction. Companies have lost millions by making wire transfers in response to such emails.

  • Geo-IP detection and filtering. Email scams and attacks are often sent from servers that an attacker has gained control of illegitimately. However, many still originate directly from known trouble spots like Nigeria, east Asia, and eastern Europe. If you don't do much international correspondence, it may be preferable to filter out or flag email originating from unusual geographical regions.

  • Encryption. Some security solutions enable you to encrypt emails on demand. Some require a plug-in or add-on for your email software to do this. Others simply do it automatically if you include the appropriate keyword in the email subject and/or body.

  • Content filtering. Some email security systems have data loss prevention features. These allow you to set certain keywords or data types (e.g. Social Security numbers or credit card numbers) for the email security software to search for in emails. You can then block, re-route, flag, or (in some cases) encrypt emails that match the search.
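As an added illustration (not code from the original post), the following Python sketch shows how a mail gateway might implement three of the checks listed above: the anti-spoofing rule (mail claiming your own domain but arriving from an outside host), signature-based attachment scanning (hash lookup against a blocklist), and DLP content filtering for Social Security and payment card numbers. The domain, internal network range, "known bad" hash and every sample message are constructed for the example; a real gateway would take the connecting IP from the SMTP session and the hashes from a vendor feed.

```python
"""Toy inbound-mail gateway: anti-spoofing, hash-signature scanning and DLP.
Added example; all domains, networks, hashes and messages are constructed."""
from __future__ import annotations

import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

OUR_DOMAIN = "example.com"                   # assumption: the protected organization's mail domain
INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumption: ranges legitimate internal mail comes from

# Constructed "known bad" file; its SHA-256 stands in for a vendor signature feed.
_SAMPLE_BAD_FILE = b"constructed sample of a known-bad attachment"
BAD_HASHES = {hashlib.sha256(_SAMPLE_BAD_FILE).hexdigest()}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digit runs, optionally separated by spaces or dashes; narrowed further by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                        # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_message(raw: str, connecting_ip: str) -> list[str]:
    """Return the findings for one message; an empty list means it passed all checks."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Anti-spoofing: mail that claims our own domain must come from an internal host.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    src = ip_address(connecting_ip)
    if from_domain == OUR_DOMAIN and not any(src in net for net in INTERNAL_NETS):
        findings.append(f"spoofed internal sender {from_addr} from external host {connecting_ip}")

    # 2. Signature scanning: hash every attachment and look it up in the blocklist.
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest in BAD_HASHES:
            findings.append(f"known-bad attachment {part.get_filename()} sha256={digest[:12]}...")

    # 3. DLP content filtering on the plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    if SSN_RE.search(body):
        findings.append("possible Social Security number in body")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                   # regex alone would also flag random digit runs
            findings.append(f"possible payment card number ending {digits[-4:]}")
    return findings


def build_sample(from_hdr: str, body: str, attachment: bytes | None = None) -> str:
    """Build a constructed test message (not real captured mail) as raw RFC 5322 text."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = f"accounting@{OUR_DOMAIN}"
    m["Subject"] = "constructed sample"
    m.set_content(body)
    if attachment is not None:
        m.add_attachment(attachment, maintype="application", subtype="octet-stream",
                         filename="invoice.bin")
    return m.as_string()


if __name__ == "__main__":
    # Outside host sending as our own "CEO" with a blocklisted attachment: two findings.
    spoof = build_sample(f"CEO <ceo@{OUR_DOMAIN}>", "Please process the attached invoice today.",
                         _SAMPLE_BAD_FILE)
    print(check_message(spoof, "203.0.113.7"))
    # Body with an SSN, a Luhn-valid test card and a random 16-digit run: two findings.
    leak = build_sample("partner@example.org",
                        "Card 4111 1111 1111 1111, SSN 123-45-6789, ref 1234 5678 9012 3456")
    print(check_message(leak, "203.0.113.7"))
    # Genuine internal mail from an internal address: clean.
    print(check_message(build_sample(f"ceo@{OUR_DOMAIN}", "Lunch?"), "10.1.2.3"))
```

The Luhn step matters for the false-positive rate of the content filter: "1234 5678 9012 3456" matches the card pattern but fails the checksum and is not flagged, while the standard test number 4111 1111 1111 1111 is. Likewise, the spoofing rule fires only on the combination of an internal From domain and an external source, so ordinary internal mail passes.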
