
email security

NOWHERE TO HIDE

WITH EMAIL UNDER CONSTANT ATTACK, WHAT IS THE BEST WAY TO PROTECT YOUR ORGANISATION'S COMMUNICATIONS? HOW DO YOU KEEP YOUR DATA VITAL AND EASILY ACCESSIBLE TO YOU AND YOURS, YET USELESS TO ANYONE OUT TO ACCESS/STEAL IT?

computing security May/June 2017 @CSMagAndAwards www.computingsecurity.co.uk

Email is built into almost everything - from phones and tablets to traditional computers to gaming devices, to your car. And yet email was not designed with any privacy or security in mind, making it highly vulnerable to attackers out to infiltrate your systems.

Keeping business email and data secure is none too simple a matter. The security of data depends on its importance, where it is stored, and who can access it. As we learn more about public data breaches, it often proves to be the case that attackers have had access to sensitive information for weeks, months or even years.

"Over the years, many organisations have failed to protect data and intellectual property," comments Jason Steer, solutions architect, EMEA at Menlo Security. "The struggle to keep track of where it all is, and who does and doesn't have access to it, results in difficulties in ensuring that it is adequately monitored and protected. Email further complicates this, as a lot of sensitive data is stored in inboxes and other folders, perhaps on a laptop, which may not make it into the office for weeks at a time."

SAFETY STEPS

Securing email is not for the fainthearted, he adds. "If you want to go the whole hog, there are a few things that could be done to keep your information safe, including:

- Use of email encryption end to end for important communications (TLS, PGP or S/MIME)
- Use of Data Loss Prevention features to monitor emails with sensitive data that should not be left anyway (this goes back to knowing who has access to what and where)
- End-user training and awareness to ensure employees are aware of things to do and not do. For example, clicking on attachments that emanate from unknown senders, etc.
- Regular backup of devices (ransomware, flavour du jour with attackers, encrypts all data on a device and this can be painful for several months to restore, if you have no backup)."

However, the challenge remains that, despite all these guidelines, most of which are already followed by large organisations, employees will continue to be compromised via email. Why? Because phishing emails both look and seem so authentic.

"Phishers and spammers no longer send tens of millions of the same message anymore, which makes it much harder to detect at the network and ISP level. Indeed, even top level anti-phishing gateway solutions cannot detect them accurately every time," says Steer. "Many of the low-level and professional phish mails are truly unique, like snowflakes, called 'patient 0' in the industry. This means that it is impossible to create a rule to each unique version of every phish mail without slowing down email to such an extent that employees are no longer able to do their job via email."

Anti-phish vendors have to balance being able to detect enough of the bad stuff without blocking too much of the good. This leaves a grey area in which good targeted phishing mails can safely 'play'.

"Herein lies the problem - if my solution catches the majority of bad stuff, then it blocks too much of the good. But if I turn the detection down, then employees get inundated with junk and spam.

"The net result is that bad mails end up in the inbox of an employee. Many employees have been told that their mail has been filtered for potentially unsafe content and assume that they can click on most things. Without thinking or questioning, they assume that security is doing its job. If we layer user education into this, then the employee will remember their training, hopefully."

As Steer points out, attackers will always outsmart defensive layers. "Assume this. Be prepared for bad things to happen via email, because they will. With GDPR & NIS EU legislation being enacted in 2018, the time to start preparing is now."

FIGHTING BACK

According to David Peters, technical director for ANSecurity, the more insidious threats can be readily countered with advanced anti-malware, sandboxing and URL analysis features on most modern email security platforms. "Correct configuration and deployment of email and messaging security tools is as important as always," he states. "A default 'out of the box' configuration will likely still leave users frustrated with a reasonable amount of spam and CISOs sleepless with the quantity of malicious content still arriving in corporate mailboxes.

"Authenticity can still be a real headache, as in how to stop email spoofing and security of messages during transport.
Thankfully, many additions to SMTP have been made, such as the ability to use SSL/TLS for transport security between mail relays and many additional features for verifying authenticity like SPF, DKIM and DMARC."

However, these standards cannot be deployed in isolation, he warns. "Unfortunately, they require correct deployment at both sender and recipient email systems. Rarely are signed SSL certificates deployed on gateways; relying on self-signed or out of the box certs means a recipient cannot verify the authenticity of the sender. Likewise, if a sender email domain has not configured records for SPF or DKIM, a recipient cannot use them to verify the sender."

An equally bad, but common, occurrence is that many organisations do not maintain these records after infrastructure changes, leading to emails becoming incorrectly blocked or quarantined. "In my experience, it's not uncommon to see organisations with SPF or DKIM records that are badly misconfigured."

There is light at the end of the tunnel, he adds, but email administrators need to collaborate with their security counterparts at their own organisations and with partner companies to ensure all the right boxes are ticked. "Finally, security and access to email is no different to any other private resource, and strong encryption and authentication access methods should be deployed. Administrators should ideally be required to go further with such controls as multifactor authentication, along with the ability to remotely wipe corporate content from mobile devices, should they be stolen or misplaced."

Jason Steer, Menlo Security: securing email is not for the fainthearted.

Sam Elsharif, Echoworx: nothing beats the application of common sense.
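
The stale or misconfigured sender-authentication records Peters describes can be caught with a lint pass over a domain's published TXT records. The following Python linter for SPF and DMARC is an added example, not part of the original article; the function names and the records for the placeholder domain example.com are constructed for illustration.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query

def lint_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return [f"{len(spf)} SPF records found, exactly one required (RFC 7208)"]
    findings, terms = [], spf[0].lower().split()[1:]
    names = [re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0] for t in terms]
    # Lower bound only: nested includes are not resolved in this offline check.
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: over the limit of 10")
    if "ptr" in names:
        findings.append("ptr mechanism: discouraged by RFC 7208")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif "all" in terms or "+all" in terms:
        findings.append("+all: every host is authorised to send")
    return findings

def lint_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return [f"{len(recs)} DMARC records found, exactly one expected"]
    pairs = (p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    findings = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif tags["p"] == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to reveal breakage")
    return findings

# Constructed records for the placeholder domain example.com.
STALE = ["v=spf1 ip4:192.0.2.10 +all", "v=spf1 include:_spf.example.net ~all"]
LOOSE = ["v=spf1 mx ptr include:_spf.example.net +all"]
GOOD = ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"]
DMARC_WEAK = ["v=DMARC1; p=none"]

if __name__ == "__main__":
    for recs in (STALE, LOOSE, GOOD):
        print(recs, "->", lint_spf(recs) or "ok")
    print(DMARC_WEAK, "->", lint_dmarc(DMARC_WEAK))
```

STALE models a record left behind after an infrastructure change: two SPF records on one name make receivers return a permanent error rather than a pass or fail.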