With email security, every message counts. It only takes one message to inflict great harm on a business, large or small.
Email security vendors are forever focused on improving the protection they offer, while, at the same time, hackers are anticipating future protections and actively building ways to subvert them. So it's never a bad idea for security managers to come up for air and have a look at what might be in store for them.
To look into these challenges for email security professionals, the Tolly Group used its knowledge and reached out to a number of email security vendors -- both long-standing players and newcomers -- to solicit their views on the topic. The good news is that the conversations about email security issues were highly consistent. Of course, the bad news is that defending against threats always seems to get harder.
To get ahead of the curve, check out the five primary email security issues and take action where necessary.
1. User behavior tops list of challenges
You wouldn't necessarily expect your end users to be at the top of the email security issues list, but, ultimately, the decisions they make can either prevent a bad situation or trigger one.
More than one expert brought this up as a major issue. The perceptions of users and IT security experts appear to be at odds in many organizations. Where security experts see sharks in the form of threats swimming around, end users perceive seaweed in the form of spam.
It isn't difficult to find results of ethical phishing studies -- or social engineering penetration testing -- run by corporations and assess the situation. In these studies, businesses hire security experts to run phishing campaigns on their employees to assess their security awareness.
In most cases, the results reveal that even after being warned to be aware of phishing, users take the bait anyway. While many end users receive email awareness training, it doesn't seem to be particularly effective at keeping them from clicking through on a phishing email.
2. Targeted phishing attacks make a comeback
In a blast from the past, targeted phishing attacks are making a comeback. Before the advent of automated attacks, work-intensive manual attacks were common. In contrast to the automated, quantity-over-quality attacks that have become common, hackers are finding that manual, targeted attacks can have a much bigger payoff, even though they require much more effort.
By studying the target and the target's company, a hacker can use public social media resources to learn who's who in the company. With that knowledge, it's easier to masquerade as the boss and launch a whaling attack, and it's a simple task to include a company logo and other information to make the malicious email appear even more realistic and credible.
The hacker might strengthen the attack by employing other communications channels. Security consultant David Strom recently wrote about a scenario in which a hacker impersonated the cellphone number of a boss and triggered an attack by sending a text message to an employee that referenced an email message.
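The boss-impersonation pattern described above can be screened for on inbound mail. The following is an added example, not from the original article or any vendor it cites: it flags a message whose From display name matches an executive while the address sits outside the organization's domains, and notes a Reply-To that points elsewhere. The executive roster, the trusted domain and the sample messages are constructed assumptions.

```python
import unicodedata
from email import message_from_string, policy

# Assumptions for illustration only: roster and domains are not from the article.
EXECUTIVES = {"jane doe", "rahul mehta"}
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample messages (headers only matter here).
SAMPLE_SPOOFED = ("From: Jane Doe <jane.doe@freemail.test>\n"
                  "Reply-To: payments@other.test\n"
                  "Subject: Urgent wire transfer\n\nAre you at your desk?\n")
SAMPLE_LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
                "Subject: Q3 planning\n\nAgenda attached.\n")


def normalize(name):
    """Fold case, accents, commas and spacing so name variants compare equal."""
    decomposed = unicodedata.normalize("NFKD", name or "")
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().replace(",", " ").split())


def first_address(msg, header):
    """Return the first parsed Address in a header, or None if absent/empty."""
    value = msg[header]
    if value is None or not value.addresses:
        return None
    return value.addresses[0]


def impersonation_findings(raw_message):
    """List reasons a message looks like executive impersonation (may be empty)."""
    # policy.default decodes RFC 2047 encoded display names before comparison.
    msg = message_from_string(raw_message, policy=policy.default)
    sender = first_address(msg, "From")
    if sender is None:
        return ["missing or unparseable From header"]
    findings = []
    domain = sender.domain.lower()
    # Token-set comparison also catches "Doe, Jane" ordering.
    tokens = frozenset(normalize(sender.display_name).split())
    is_exec_name = any(tokens == frozenset(e.split()) for e in EXECUTIVES)
    if is_exec_name and domain not in TRUSTED_DOMAINS:
        findings.append("executive display name on external address")
    reply_to = first_address(msg, "Reply-To")
    if reply_to is not None and reply_to.domain.lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    return findings
```

A check like this only covers display-name impersonation from outside domains; it says nothing about mail sent from a genuinely compromised internal account.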
Top email security awareness list
- End-user email click-through behavior
- Targeted phishing attack comeback
- Takeover account exploits
- IoT and mobile device security
- Over-reliance on perimeter security
3. Account takeover is a gateway to more exploits
Account takeover is more of an indirect challenge to email security professionals, but it is one to be aware of in any case. Hackers who penetrate less-than-secure computers -- perhaps laptops being used on public Wi-Fi -- are then able to weaponize them against the organization.
Open source tools like mimikatz -- and many others -- can be used to dump credentials once a computer is compromised. Microsoft's built-in Remote Desktop Protocol is frequently the preferred means with which to take over the compromised machine.
Microsoft Windows 10 contains many powerful components, such as PowerShell and the Windows Management Console. These powerful system utilities can also be used by hackers who take over one system to reach out and compromise other machines on the corporate network. Thus, one account takeover can lead to many more, as hackers can use powerful tools and services to find and exploit other vulnerabilities on networked computers.
4. IoT and mobile device security challenges
While not technically an email security issue, email security professionals need to understand that IoT and handheld devices can become compromised and thus form part of a phishing or other security attack.
On an iPhone or Android phone, a clean application that doesn't contain any malware can contain code that takes users to a phishing site that requests their credentials, which the hackers can use for a targeted phishing attempt or an account takeover. The recommendation is to communicate with your colleagues responsible for mobile security to make sure that you are both looking out for risks.
Be aware that IoT devices, like surveillance cameras and even Wi-Fi routers based on open source code, are open to exploitation. All IoT devices are little networked computers, and they can be used as jumping off points for security incursions.
5. Think beyond perimeter security
Finally, rethink the role of perimeter security. Businesses have spent significant time and money building highly effective security perimeters that contain all or many of the following: firewalls, web application firewalls, intrusion detection/prevention systems and email security gateways.
In many cases, these do the job so well that they discourage hackers from trying to find their way through the perimeter. That is why some hackers look to compromise email and users without having to do direct battle with the security perimeter. They will hack machines that might be outside the perimeter or use bland, harmless emails to lure inside users outside the perimeter.
The traditional perimeter is still essential, but be sure you don't focus on that to the exclusion of other potential attack surfaces.
The need for vigilance
Vigilance is key to addressing email security issues, especially because the nature of attacks morphs endlessly.
We'll be delving into some more specifics of the various challenges and how to address them. Nothing is standard about the way hackers attack, and, for better or worse, security vendors don't have any standard method to identify and stop these attacks. We'll shed light on some of these detailed areas in upcoming articles.
Note: Experts at the following companies shared their opinions for this article: GreatHorn, Microsoft, Perception Point, Sophos Group and Symantec.