Received wisdom regarding email security says – don’t trust email. Email is an unauthenticated, unreliable messaging service. The general advice was, and still is, use strong passwords, block spammers, don’t trust unrecognised sources and verify requests even from trusted entities.
Email hasn’t gone away and the stakes are ever higher, as email has become an increasingly rich application capable of carrying messages with hidden links to malicious web sites as well as code and attachments that can be vectors for more sophisticated attacks.
Email security best practices for users
As we shall see, technical strategies to secure email have improved, but regardless of the best technical strategies, people are still a weak point in any secure system. To be effective, email security best practices should become second nature to email users.
• Use good passwords for strong authentication.
• Add multifactor authentication if possible.
• Take phishing awareness training seriously.
• Take caution when opening email attachments and links.
The onus for providing secure email falls on the business, but attackers can find ways to bypass controls even at organisations that implement best practices for email security. That means users must act as the last line of defence, and they should be aware of the dangers of phishing, malicious attachments and malicious links in their email. Ultimately, users should rely on their best judgment when responding to suspicious messages.
Any email security practice requires the participation of staff, and conscientious employees can help their organisations improve email security a great deal.
Technical strategies for email security
Use of Domain-based Message Authentication, Reporting and Conformance (DMARC) for email authentication is becoming more common. When combined with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols, DMARC enables organisations to do a much better job of eliminating or reducing spam, phishing and other email fraud.
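As an added example (not from the original article), the following Python checks published SPF and DMARC records for the weak settings that leave spoofing unpunished. The records are constructed samples for the hypothetical domain example.net rather than live DNS lookups, and DKIM is left out because verifying it needs a signed message and the signer’s public key.

```python
# Added example: assess SPF and DMARC TXT records for weak policy settings.
# The records at the bottom are constructed sample values, not real DNS data;
# a real check would first fetch the TXT records for <domain> and _dmarc.<domain>.

def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style DMARC record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings for a _dmarc TXT record; an empty list means it enforces."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: failures are only reported, not rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not being collected")
    if tags.get("sp") == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed freely")
    return findings

def assess_spf(record: str) -> list:
    """Return findings for an SPF TXT record based on the qualifier on 'all'."""
    if not record.lower().startswith("v=spf1"):
        return ["not a valid SPF record"]
    all_term = next((t for t in record.split() if t.lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders are implicitly neutral"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"+": ["+all: every host on the internet is an authorised sender"],
            "?": ["?all: unlisted senders are neutral, SPF gives no protection"],
            "~": ["~all: soft fail only; rely on DMARC to enforce"],
            "-": []}[qualifier]

# Constructed sample records for a weak and a hardened configuration.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.net; pct=100"
```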
Strong passwords for email accounts
One of the most important email security best practices is to use strong passwords that are changed frequently and not reused across different systems. Using password managers for online accounts can help enormously.
Taking a serious approach to email passwords may not entirely overcome poor practices on the part of the organisation, but it will help defend against attackers using dictionary attacks to target weak passwords.
Reuse of passwords across different systems means that accounts on any of those systems can be exploited if an attacker gains access to passwords on any one of them. It means that your systems, no matter how well protected, can be exposed by an exploit of a poorly protected consumer website. Attackers know that trying a reused password associated with a person’s account on a breached system will often unlock other accounts.
Asking staff to change their passwords frequently is one tactic for password hygiene that has been reevaluated in recent years. The benefits of changing passwords quarterly or monthly must be balanced with users’ tendency to use weaker passwords that are easier to remember, and thus easier for attackers to exploit.
Multifactor authentication for email accounts
Organisations need to get serious about implementing 2FA and require all staff to use it where possible. Locking down all accounts with 2FA is an important tactic to reduce the risk of email account takeovers.
Users who use 2FA for their private accounts will be better prepared to use 2FA in their work accounts. They can also advocate for deployment of 2FA in organisations that have yet to take it up on their own.
Phishing awareness
Increasing numbers of enterprises are addressing email security through security awareness training, and staff should consider such training an important best practice. Email security training can be tailored to emphasise the types of email security threats targeting enterprises in different industries and specific threats facing your business.
You can use this type of email security training to help identify problematic messages and learn how to avoid clicking on the wrong links or opening the wrong attachments. More importantly, such training can also be used to inform staff about the types of security tactics used in the organisation. For example, users can better understand which malicious messages might, or might not, be caught by email filtering systems.
Beware email attachments
Many email attacks rely on the ability to send and receive attachments that contain malicious executable code. Malicious attachments may be sent directly by an attacker to target individuals, and many such attachments can be blocked by antimalware software that detects the malicious source. However, malicious attachments can also be sent by trusted sources that have been exploited by attackers.
Whatever the source, you should take care with attachments even when the organisation uses email scanning and malware blocking software. If an attachment has an extension associated with an executable program, like .exe (executable program), .jar (Java application program) or .msi (Microsoft Installer), extra care should be taken before opening it. Word processing, spreadsheet and PDF files can carry malicious code too, so you should be cautious when handling any type of attached file.
Be cautious with email links
Web links in email are also a risk, as they often connect to a web domain different from what they appear to represent. Some links may display a recognisable domain name like www.amason.com but in fact direct the user to some different, malicious, domain. One tactic you can use is to review the link contents by hovering the mouse pointer over the link to see if the actual link is different from the displayed link.
Attackers also use international character sets to create malicious domains that appear to be those of well-known brands. When in doubt, you should type the domain directly into your browser, or just avoid using the link at all.
If you think your business could be affected by email security issues, KRYPSYS may be able to help. Please feel free to contact us at www.krypsys.com/contact-us/