Exploring Email Security - Part 1

In this first of two parts on what is a huge subject for businesses to tackle, we take a look at some of the important issues of email security and how businesses can try to strengthen this crucial area of their cyber-defences.

Most Breaches Involve Email

Over 90 per cent of breaches now involve email, and Proofpoint's Annual Human Factor Report figures, for example, show that social engineering is strongly favoured as a way in by cybercriminals. 99 per cent of these email attacks rely on victims clicking links.

Statistics like these reveal some of the key challenges that businesses and organisations face on a daily basis, such as how to defend effectively against the whole range of email attacks, how to spot and eliminate threats as they arrive, and how to ensure that staff are aware of email threats and know what to do when faced with suspicious emails and links.

Types of Email-Based Attacks

There is a vast array of attacks launched through email systems (often relying on social engineering) including targeted phishing schemes, business email compromises, and ransomware attacks.

- Ransomware is still a popular attack and extortion method, and Trend Micro reported a 77 per cent surge in malware attacks during the first half of 2019.

- Phishing is a cheap, easy and highly effective method for criminals to gain access to company systems, steal important data and money, and create a cornerstone of all kinds of other hacking campaigns. Just some of the high profile examples from the news this year include fake voicemail messages being used to lure victims into entering their Office 365 email credentials into a phishing page, Thomas Cook customers being targeted by phishing attacks in the wake of the travel company going into receivership, and news of Lancaster University being hit by a large, sophisticated phishing attack aimed at grabbing the details of new student applicants.

Verizon’s 2019 Data Breach Investigations Report showed that 32 per cent of data breaches involve phishing. Phishing threats to businesses are also evolving and becoming more sophisticated all the time. For example, PhishLabs recently discovered a tactic whereby attackers used a malicious Microsoft Office 365 app to gain access to a victim’s account without the need for the account holder to give up their credentials to the attackers - worrying!

The National Cyber Security Centre offers advice on how to protect your business/organisation from phishing attacks here: https://www.ncsc.gov.uk/guidance/phishing.

There are also a number of phishing test sites available online so that you (or staff members) can see if you're able to spot a phishing email.

- Malware attachments to emails. There are a now staggering amount of malware types that businesses and organisations have to protect themselves against. For example, over 800 million different types were encountered in 2018, and some commentators are predicting that variants will reach over 1 billion by 2020!

A Number of Sources

Email-based attacks aren't simply targeted just at your email system in a straightforward way but could come from sources such as supplier email systems that have been compromised or they could use details stolen from breaches elsewhere as part of the campaign.

Protecing Your Business Against Email Threats

There are many ways that you can try to protect your email system from email attacks and try to minimise the risk of human error that is so important in social engineering attacks. These include:

Help From the Big tech Companies :

Microsoft

Microsoft offers a number of ways that businesses and organisations can help keep their email secure, such as:

- Outlook's Junk Email Filter, and the Report Message add-in for Outlook.

- Office 365's Advanced Threat Protection (ATP) plans which offer a variety of leading-edge tools to investigate, understand, simulate, and prevent threats.

- Secure Score for Office 365 - a way to measure and get suggestions about how to protect your business from threats, all through a centralised dashboard.

- The "campaign views" tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to be able to spot the pattern of a phishing campaign over individual messages.

More information: The Microsoft blog here gives 6 email security best practices to protect against phishing attacks and business email compromise: https://www.microsoft.com/security/blog/2019/10/16/top-6-email-security-best-practices-to-protect-against-phishing-attacks-and-business-email-compromise/

Google

Google also offers a number of tools and suggestions, including:

- Advanced security settings for G Suite administrators to protect against phishing and malware (find out more here: https://support.google.com/a/answer/9157861?hl=en).

- Offering steps to identify compromised accounts (see https://support.google.com/a/answer/2984349?hl=en&ref_topic=2683865).

- Advice on Firewall settings.

You may, of course, already be using another email protection system.

Other Advice

Advice about ways in which you can protect your company now from email-based attacks such as phishing and malware attacks is widely available, and in addition to the measures already covered (e.g. using Microsoft security tools), some basic measures that companies take include:

- Always keeping anti-virus and patching up to date.

- Staff education and training e.g. how to spot suspicious emails and what to do/what not to do e.g. not to click on links from unknown sources.

- Disabling HTML emails if possible (text-only emails can't launch malware directly).

- Encrypting sensitive data and communications as an added layer of protection.

- Getting into the routine of checking your bank account’s activity for suspicious charges.

- Making sure important and sensitive company data is backed up and including business email compromise (BEC) in business continuity planning and disaster recovery planning.

- Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.

- Monitoring for any exposed credentials (particularly those of finance department emails).

- Using two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

- Not using the same password for multiple platforms and websites (password sharing). This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them e.g. on the dark web.

Looking Forward and Getting Prepared

In today's environment, attackers can adapt their campaigns and methods so quickly, and use methods that can evade the more common protection solutions ('polymorphic' attacks) that businesses and organisations find themselves in a position whereby known signature and reputation-based checks aren't enough, and that they need to be able to get a fuller picture and find solutions that can focus effectively on zero-day and targeted attacks in addition to known vectors. Looking forward, there is also the future threat of AI machine-learning software being able to possibly generate phishing URLs that can beat popular security tools, and of the threats posed (further in the future) buy the possible use of quantum computers in cyberattacks, and these are subjects that we will look briefly in part 2 of our look at email security. For now, stay safe.

Exploring Email Security - Part 2

In part 2, we focus on many of the email security and threat predictions for this year and for the near, foreseeable future.

Looking Forward

In part 1 of this ‘Email Security’ snapshot, we looked at how most breaches involve email, the different types of email attacks, and how businesses can defend themselves against a variety of known email-based threats. Unfortunately, businesses and organisations now operate in an environment where cyber-attackers are using more sophisticated methods across multi-vectors and where threats are constantly evolving.

With this in mind, and with businesses seeking to be as secure as possible against the latest threats, here are some of the prevailing predictions based around email security for the coming year.

Ransomware Still a Danger

As highlighted by a recent Malwarebytes report, and a report by Forbes, the ransomware threat is by no means over and since showing an increase in the first quarter of 2019 of 195 per cent on the previous year’s figures it is still predicted to be a major threat in 2020. Tech and security commentators have noted that although ransomware attacks on consumers have declined by 33 per cent since last year, attacks against organisations have worsened.  In December, for example, a ransomware attack was reported to have taken a US Coast Guard (USCG) maritime base offline for more than 30 hours. 

At the time of writing this article, it has been reported that following an attack discovered on New Year’s Day, hackers using ransomware are holding Travelex's computers for ransom to such a degree that company staff have been forced to use pen and paper to record transactions!

Information Age, for example, predicts that softer targets (outdated software, inadequate cybersecurity resources, and a motivation to pay the ransom) such as the healthcare services will be targeted more in the coming year with ransomware that is carried by email.

Phishing

The already prevalent email phishing threat looks likely to continue and evolve this year with cybercriminals set to try new methods in addition to sending phishing emails e.g. using SMS and even spear phishing (highly targeted phishing) using deepfake videos to pose as company authority figures.

As mentioned in part 1 of the email security articles, big tech companies are responding to help combat phishing with new services e.g. the "campaign views" tool in Office 365 and Google’s advanced security settings for G Suite administrators.

BEC & VEC

Whereas Business Email Compromise (BEC) attacks have been successful at using email fraud combined with social engineering to bait one staff member at-a-time to extract money from a targeted organisation, security experts say that this kind of attack is morphing into a much wider threat of ‘VEC’ (Vendor Email Compromise). This is a larger and more sophisticated version which, using email as a key component, seeks to leverage organisations against their own suppliers.

Remote Access Trojans

Remote Access Trojans (RATs) are malicious programs that can arrive as email attachments.  RATs provide cybercriminals with a back door for administrative control over the target computer, and they can be adapted to help them to avoid detection and to carry out a number of different malicious activities including disabling anti-malware solutions and enabling man-in-the-middle attacks.  Security experts predict that more sophisticated versions of these malware programs will be coming our way via email this year.

The AI Threat

Many technology and security experts agree that AI is likely to be used in cyberattacks in the near future and its ability to learn and to keep trying to reach its target e.g. in the form of malware, make it a formidable threat. Email is the most likely means by which malware can reach and attack networks and systems, so there has never been a better time to step up email security, train and educate staff about malicious email threats, how to spot them and how to deal with them. The addition of AI to the mix may make it more difficult for malicious emails to be spotted.

The good news for businesses, however, is that AI and machine learning is already used in some anti-virus software e.g. Avast, and this trend of using AI in security solutions to counter AI security threats is a trend that is likely to continue.

One Vision of the Email Security Future

The evolving nature of email threats means that businesses and organisations may need to look at their email security differently in the future.

One example of an envisaged approach to email security comes from Mimecast’s CEO Peter Bauer.  He suggests that in order to truly eliminate the threats that can abuse the trust in their brands “out in the wild” companies need to “move from perimeter to pervasive email security.  This will mean focusing on the threats:

- To the Perimeter (which he calls Zone1).  This involves protecting users’ email and data from spam and viruses, malware and impersonation attempts, data leaks – in fact, protecting the whole customer, partner and vendor ecosystem.

- From inside the perimeter (Zone 2).  This involves being prepared to be able to effectively tackle internal threats like compromised user accounts, lateral movement from credential harvesting links, social engineering, and employee error threats.

- From beyond the perimeter (Zone 3).  These could be threats to brands and domains from spoofed or hijacked sites that could be used to defraud customers and partners.

As well as recognising and looking to deal with threats in these 3 zones, Bauer also suggests an API-led approach to help deliver pervasive security throughout all zones.  This could involve businesses monitoring and observing email attacks with e.g. SOARs, SIEMs, endpoints, firewalls and broader threat intelligence platforms, feeding this information and intelligence to security teams to help keep email security as up to date and as tight as possible.

Into 2020 and Beyond

Looking ahead to email security in 2020 and beyond, companies will be facing plenty more of the same threats (phishing, ransomware, RATs) which rely on email combined with human error and social engineering to find their way into company systems and networks. Tech companies are responding with updated anti-phishing and other solutions.

SME’s (rather than just bigger companies) are also likely to find themselves being targeted with more attacks involving email, and companies will need to, at the very least, make sure they have the basic automated, tech and human elements in place (training, education, policies and procedures) to help provide adequate protection (see the end of part 1 for a list of email security suggestions).

The threat of AI-powered attacks, however, is causing some concern and the race is on to make sure that AI-powered protection is up to the level of any AI-powered attacks.

Taking a leaf out of companies like Mimecast’s book, and looking at email security in much wider scope and context (outside the perimeter, inside the perimeter, and beyond) may bring a more comprehensive kind of email security that can keep up with the many threats that are now arriving across a much wider attack surface. 

I like very much this iPage Hosting Review because this is based on customer experience. If you need reliable web hosting service check out top list.
Joomla Templates designed by Best Cheap Hosting