Email Security Risks Hiding in Plain Sight

Despite a series of high-profile data breaches in recent years, many companies remain reluctant to increase their investments in email security or training.

As companies shore up defenses against more sophisticated cyber-attacks, security professionals say there is a risk of overlooking basic practices and remaining exposed to serious breaches: attacks that exploit email weaknesses to circumvent corporate cyber-defenses, or unauthorized email access that exposes sensitive or embarrassing corporate data.
“In a recent survey around advanced persistent threats, many of which get started through email, 67 percent of the organizations had no plans to increase their security awareness training for staff in the next year,” says Rob Clyde, CEO of Adaptive Computing and international vice president of security organization Information Systems Audit and Control Association (ISACA).
“To me this is a real missed opportunity because we’ve seen a lot of attacks where the initial infiltration actually comes through spear phishing attacks through emails to employees, especially employees who have access to key data or administrators,” Clyde added. “So it would seem additional awareness training is needed, but we’re not really seeing that play out yet.”
“Phishing,” in security parlance, refers to sending email messages designed to look like those from legitimate senders, such as banks or social networks, in the hope that a user will follow a malicious link. The malicious site then captures the user’s login information and uses it for identity fraud or, in some instances, installs software designed to record the user’s keystrokes.
“Spear-phishing” is a more sophisticated variation designed to capture log-in details from a specific person, such as a senior executive or a company’s email administrator. These attacks harvest personal information from publicly available websites and social networks, and craft a message designed to fool someone into logging in to a false site.
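One check a mail filter can run against the lookalike messages described above, shown here as an added example that is not from the article: compare the host name a reader sees in link text with the host the link actually points to. The message, the host names and the function names are constructed for this illustration.

```python
# Added example (not from the article): flag links whose visible text names one host while the href points elsewhere.
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.anchors, self._current = [], None   # list of (href, visible text)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.anchors.append(tuple(self._current))
            self._current = None

def registered_domain(host):
    """Crude last-two-labels comparison; a real filter would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(raw_message):
    msg = message_from_string(raw_message)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = AnchorCollector()
    collector.feed(body)
    findings = []
    for href, text in collector.anchors:
        target = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)          # a host name the reader would see
        if shown and registered_domain(shown.group(1)) != registered_domain(target):
            findings.append((href, text, "visible host differs from link target"))
    return findings

# Constructed sample, not a real message: the first link reads as the bank's site but lands under attacker.test.
SAMPLE = """Content-Type: text/html; charset=utf-8

<p>Please <a href="http://example-bank.test.attacker.test/x">sign in at example-bank.test</a>
or <a href="https://example-bank.test/help">read our help page</a>.</p>
"""
```

The second link in the sample is consistent with its text and is not reported; a link whose text carries no host name at all is also left alone, since there is nothing for the reader to be misled by.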
“Often when email systems are breached, they’re usually breached through the use of a privileged account, through system administrators or other insiders either having their accounts compromised or doing this themselves,” says John Pironti, president of information security consulting firm IP Architects, LLC. “Many times we find people don’t realize their emails have been compromised unless they show up on a website some place, or somebody sends them emails they shouldn’t have.”
“Today’s attackers are very sophisticated,” Clyde says. “You have to assume they will figure out who that small group of people might be that have access to those email archives. And they would be the targets that might be spear-phished. The goal of the initial part of that attack might be to gain access to one of those individual’s accounts or computer systems.”
A Basic Tool
In part because email is ubiquitous for our corporate and personal communications, most people treat email as a basic tool that’s always going to be available and reasonably secure — until it isn’t.
“Email has been around for so long, I think many people think attacks are more likely to infiltrate their organization through some new and exotic means, not realizing that even in this day and age, email is still the most likely initial point of attack,” Clyde says.
Despite breaches and a growing understanding of the potential risks, many companies aren’t investing enough in making sure this critical communications tool, and entryway into the company’s data infrastructure, is protected effectively. Similarly, many users aren’t armed with a basic understanding of the steps they can take — and avoid — to help keep their email communications secure from unauthorized access and away from unwanted public scrutiny.
In too many instances, security feels like a burden, Pironti says. Companies may think they should be doing more to address email security risks, but often hesitate because they feel the cost and complexity isn’t justified by their perception of a low risk.
“It’s hard to demonstrate the value of security to people if they haven’t been affected, and even those who have been affected often have short memories,” Pironti says. “With the senior executives I work with after an incident, for the first six months after the incident, it’s common for the checkbook to fly open. Everybody has interest, everybody wants to hear about everything and to see everything. After about that, attitudes shift and it goes back to security feeling more like a tax.”
In addition, many companies figure that since information security is a technology problem, there should be a technology solution. But while technology plays a role in cyber-security, user behavior is a more important aspect in helping to prevent networks and data from being breached.
Defining the Risk
In addition to its ubiquity, another part of the challenge in securing email is that, by its nature, email communication is open to anyone who has a given address (or is able to guess an address by reviewing an organization’s email alias structure).
“The difference between email and other types of data is that anybody can reach out and send us stuff, and that stuff might include dangerous links, viruses, or other types of malicious code that if we were to click on and execute, would infect our devices and from there, perhaps, infect our organizations,” Clyde says. “That’s fairly unique compared to other types of data.”
According to the 2014 edition of the Internet Security Threat Report prepared by Symantec Corp., 1 in 196 email messages contained malicious software in 2013 (compared with 1 in 209 the year before), and a quarter of all email traffic includes a link to a malicious website.
Windows executable files remain the most common form of malicious threat, with the use of Java attachments growing among hackers — in part because most users are less familiar with extensions such as “.jar” or “.class,” and therefore more likely to double-click on the attached file.
Understanding the Risk
Despite these statistics, however, many organizations have a false sense of security based on the assumption other companies will offer a more attractive target for hackers.
While companies in regulated industries, such as financial services and healthcare, have a clearly defined compliance obligation to protect data from unauthorized access and to store (and retain) documents safely, many other organizations have taken basic security measures — but also rely on the idea someone else is more likely to be targeted than they are.
“The attitude of a lot of people says, ‘We haven’t been attacked before, so why would anybody attack us now? We’re not a financial institution, so why would hackers care?’” Pironti says. “The regulated companies have examiners that show up all the time, so they’re very careful about not just the hackers, they’re worried about the auditors. They’re used to being scrutinized.”
Even companies in industries with an apparently low security risk remain susceptible to automated hacking tools that scan corporate networks for known vulnerabilities, and hackers who strike first and figure out later which networks their tools have breached.
Instead of hoping for the best, Clyde said organizations should be following risk-based standards issued by organizations such as ISACA. For instance, ISACA’s COBIT (Control Objectives for Information and Related Technology) framework provides guidance for enterprise IT management and governance. The framework addresses, for example, practices related to data encryption, process automation, password security, and other security recommendations.
“You could go crazy and spend way more than the risk actually would merit,” Clyde says. “But I can tell you a couple of key things to look at. One is, are you meeting the standard of due care? And part of that standard is, are you doing what your peers and others who are recognized as having best practices are doing? If you’re behind the leaders in your industry in terms of how much you’re doing, you’re probably not meeting that standard of due care.”
Training is Essential
Pironti and Clyde say user education and promoting security awareness are essential tools that too many organizations overlook. Many organizations believe they have offered sufficient training about security challenges such as not clicking on links in messages that haven’t come from trusted senders or making users change passwords every 90 days, but security breaches keep occurring with sadly predictable regularity.
“Many organizations believe they’ve done a ton of training, but even so, it’s not enough,” Clyde says. “In a study that the Enterprise Management Association did, they found that 56 percent of employees still receive no awareness training. And that same study found that a third of the employees they surveyed did admit to clicking on a link coming in through email from some unknown sender.
“So, as you look at that, the indication is, wow there’s probably not enough awareness training going on out there. Many organizations feel like they’ve done enough. I would totally disagree with that.”
Pironti says it’s also important for companies to realize technology alone won’t be able to address evolving security concerns.
“A risk conscious and security aware culture is the key to making this stuff work, because that’s how you help people to think of security not as a burden, but as a benefit,” he says. “The greatest tool I’ve had for years now is not the technology, it’s the people.”
Protecting the Archive
Another issue companies face with securing their emails is deciding how long messages should be retained. While regulated industries have compliance mandates for how long messages should be saved, others face a tricky balancing act with older messages.
On one hand, there are potential cost reductions available if companies dispose of messages on a consistent schedule, and deleting older messages reduces the reputational risk if embarrassing messages are disclosed after a breach.
On the other hand, failure to produce email messages or other documents requested during litigation could harm the organization’s defenses or result in sanctions.
Either way, companies have to decide, based on their risk tolerance, how long messages should be stored and accessible.
“Organizations need a retention policy,” Clyde says. “If they decide, ‘We’ll keep emails for one year,’ that should be fairly automatic, in terms of enforcing that policy, whatever it might be. Now many organizations don’t do that. They leave it up to the individual and that causes a lot of issues. Maybe some employees delete their emails too fast and other employees may keep them far too long. Both can be a risk to the organization.”
One of the challenges with relying on employees to specify which emails to archive is that people take different approaches to designating messages to save. Ideally, they’d retain important messages (such as those related to preparing for a quarter close) and discard emails announcing the availability of leftover bagels in the pantry, but most workers generally take all-or-nothing approaches to email message retention.
“As long as you have a policy, and you rigorously enforce that policy, and it seems like a reasonable policy compared to others in your industry, and compared to any of the industry or government regulations that might require certain levels of retention, I think you’re in the best shape,” Clyde says.
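The automatic enforcement Clyde describes, with the litigation risk from the previous paragraphs handled as a hold that overrides the schedule, as an added example that is not from the article. The message store, the custodian addresses and the function names are constructed for this illustration; a real deployment would read from the mail server instead of a list of strings.

```python
# Added example, not from the article: enforce a fixed retention window
# automatically, with a litigation hold that overrides deletion for named custodians.
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

def custodians(msg):
    """Every address on From/To/Cc, lower-cased so hold matching ignores case."""
    fields = [msg.get(h, "") for h in ("From", "To", "Cc")]
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def retention_decision(raw, now, retention_days, on_hold):
    """Return 'keep', 'delete' or 'review'; 'review' means the Date header is
    missing or unparseable, and such messages are never deleted automatically."""
    msg = message_from_string(raw)
    if custodians(msg) & {a.lower() for a in on_hold}:
        return "keep"                       # litigation hold wins over the schedule
    try:
        sent = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):         # absent or garbage Date header
        return "review"
    if sent.tzinfo is None:                 # "-0000" dates come back naive; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return "delete" if now - sent > timedelta(days=retention_days) else "keep"

def apply_policy(messages, now, retention_days, on_hold):
    """Group Message-IDs by decision; the caller performs the actual deletion."""
    result = {"keep": [], "delete": [], "review": []}
    for raw in messages:
        mid = message_from_string(raw)["Message-ID"]
        result[retention_decision(raw, now, retention_days, on_hold)].append(mid)
    return result

# Constructed sample mailbox: one-year policy evaluated on 1 June 2014, with the
# CFO under litigation hold so the quarter-close message survives the schedule.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    "Message-ID: <old1@example.test>\nFrom: cfo@example.test\nTo: ops@example.test\n"
    "Date: Mon, 04 Mar 2013 09:00:00 +0000\n\nQuarter close figures attached.\n",
    "Message-ID: <old2@example.test>\nFrom: pantry@example.test\nTo: all@example.test\n"
    "Date: Tue, 05 Mar 2013 12:00:00 +0000\n\nLeftover bagels in the pantry.\n",
    "Message-ID: <new@example.test>\nFrom: pantry@example.test\nTo: all@example.test\n"
    "Date: Fri, 30 May 2014 12:00:00 +0000\n\nMore bagels.\n",
    "Message-ID: <nodate@example.test>\nFrom: hr@example.test\nTo: all@example.test\n\nNo date.\n",
]
```

Running `apply_policy(SAMPLE, NOW, 365, {"cfo@example.test"})` deletes only the old bagel announcement, keeps the held CFO thread and the recent message, and sets the undated message aside for review.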
Defensive Writing
Another behavioral aspect that can go a long way in preventing embarrassing disclosures following an email breach is stressing the importance of not including sensitive or embarrassing information in emails in the first place.
Because we are so comfortable using email, it’s easy to treat it as a casual medium and to share water-cooler conversations that could be taken out of context, or would be embarrassing to the participants or organization if the message’s content became public.
“One of the things that many people today still don’t realize is that when you write it down and it goes online, those bits can and often do last forever,” Clyde says. “And if it’s something you wouldn’t want the public to see, then you probably ought not to write it down.”
“We’re seeing more training in things like defensive writing,” Pironti says. “There’s more interest in ways of not writing things in email or teaching people what not to put in email. Don’t have general back and forth communication, or conversations that may have a bad context. Limit the level of detail you put in the email. That level of security is becoming popular.”
Avoiding Email
Another approach a growing number of senior executives are taking to reduce email-related risk is using other forms of communication to discuss sensitive issues.
“There is more interest in people looking for secure communication patterns that are not email-oriented,” Pironti says. “There are different technologies that essentially give users the ability to send retrieval requests or destruction requests to their messages. This might be text messaging or some sort of messaging platforms where the communication itself is secure, and you have the ability to delete it, or remotely wipe it, after you don’t want them to see that anymore.
“The challenge with this approach is that both parties have to agree to use this technology. And that’s where these things tend to fall apart.”
In addition to exploring messaging apps, some senior executives are eschewing smartphones in favor of basic handsets that only support voice calls, and are considered less vulnerable to data-driven threats. Some are taking older-school approaches such as saving sensitive discussions for landlines or, when practical, in-person conversations.
“I think right now, we’re still at the acknowledgement phase of the level of impact [email breaches] can have,” Pironti says. “I don’t think we’re at the true recognition and understanding phase. I think the answer is going to be a personal responsibility model, and a risk-based model where you as the individual have to understand the implications of what you’re doing and how fragile email really is. And based on that, decide to what degree you’re willing to change your behaviors.”
Email Security Basics
Rob Clyde and John Pironti offer the following suggestions for shoring up an organization’s email defenses:
User education is key. Train people to avoid clicking on links in emails unless they absolutely trust the sender, and to avoid sending messages they would be embarrassed to have a stranger read. Reinforce the training with consistent reminders.
Require the use of strong passwords.
Participate in industry-based security organizations to remain familiar with leading practices and regulatory expectations.
Consider the use of encryption or alternative messaging platforms for sensitive communications.
Develop and enforce an effective email retention policy, and consider the use of automated archiving platforms to streamline your efforts.
Limit who has access to sensitive information, and monitor their network activities. Explain that such monitoring will protect them against false accusations if a network is breached and they have behaved appropriately.
Patch email servers. Many companies are victimized by known vulnerabilities for which patches are available.