22.1.19

Email Security does not end with your password

Email is a crucial part of most people’s daily lives, but few of us think about how it is secured beyond entering a password to get into our accounts. What other options are available, and which of them are worth using?

What is email security?
For the purposes of this post, I’ll define email security as covering both the content of messages and the accounts people use to read and send them.
Email security does not end with authenticating to your account: message content can be protected and its integrity verified, the sender’s identity can be authenticated, the set of servers authorized to send on behalf of your domain can be published and maintained, and the software used to read email can itself be kept secure.
If you administer your own email domain or server, you will naturally have a different set of options than if someone else administers the account for you. Which options you need depends on your threat model, but most of us could benefit from adding more of these methods to our repertoire.

Securing message content
Few people seem to be aware that an unprotected email is as open to eavesdropping as a message on a postcard. Fortunately, there are several ways to add layers of protection to the process of sending a message. One method is akin to putting the message in an envelope: the sender and recipient addresses stay visible, but the content is hidden while the message is carried from one mail server to the next. The envelope only lasts for that leg of the journey, though. Each server that handles the message opens it, and an eavesdropper who can read the message at one of those servers, or on a leg where no envelope was used, sees everything. This type of protection is called “transport-level”, as it protects the message in transit across the internet; in practice it means the mail servers negotiate TLS (STARTTLS) for each hop, and a hop where that negotiation fails or is not attempted carries the message in the clear.
It’s also possible to secure the message from “end to end”, meaning the message is encrypted on the sender’s device before it ever reaches the network and decrypted only on the recipient’s device. Every relay in between sees only ciphertext, so an eavesdropper who intercepts the message anywhere along the way would also need the recipient’s decryption key to read it. Note that end-to-end encryption of the body does not hide the headers: the sender, the recipient and, in most implementations, the subject line remain visible to every relay.
Administrators often choose to implement transport-level protection, as it is the most transparent to users and usually requires no interaction from them. If end-to-end encryption is needed, choose tools that make the process simple, and write policies that say when this type of encryption must be used.
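Because transport-level protection is negotiated hop by hop, the only record of whether a given leg used TLS is the Received: header that each receiving server adds. The following script is an added example, not code from the original post: it walks those headers for a constructed sample message and reports which hops were protected. The header formats (the RFC 3848 “ESMTPS” keyword and the “version=TLS…” annotation) are real, but the host names, IDs and message are made up for the example.

```python
import email
import re

# Recognisers for "this hop used TLS". The receiving server records either the
# protocol keyword (RFC 3848 "ESMTPS"/"ESMTPSA", RFC 6531 "UTF8SMTPS") or a
# free-form annotation such as "version=TLSv1.2"; exact formats vary by server.
TLS_MARKERS = (
    re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?)\b", re.IGNORECASE),
    re.compile(r"\b(?:using|version=)\s*TLS", re.IGNORECASE),
)

# Constructed sample message: two hops; the first negotiated TLS, the second did not.
RAW_MESSAGE = """\
Received: from mx.example.com (mx.example.com [198.51.100.7])
    by mailstore.example.com with ESMTP id 4F3C2A1
    for <bob@example.com>; Tue, 22 Jan 2019 10:00:05 +0000
Received: from mail.example.org (mail.example.org [203.0.113.5])
    by mx.example.com with ESMTPS id 1A2B3C4
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
    for <bob@example.com>; Tue, 22 Jan 2019 10:00:02 +0000
From: alice@example.org
To: bob@example.com
Subject: transport test

Hello Bob.
"""


def audit_transport(raw_message: str) -> list:
    """Return one record per SMTP hop, oldest hop first, with a 'tls' flag."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each relay prepends its own Received: header, so the last one is the oldest hop.
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())          # unfold continuation lines
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "tls": any(marker.search(text) for marker in TLS_MARKERS),
        })
    return hops


def first_plaintext_hop(hops: list):
    """The first hop an eavesdropper on the wire could have read, or None if all used TLS."""
    return next((hop for hop in hops if not hop["tls"]), None)


if __name__ == "__main__":
    for hop in audit_transport(RAW_MESSAGE):
        print(f"{hop['from']} -> {hop['by']}: {'TLS' if hop['tls'] else 'PLAINTEXT'}")
```

Two caveats when using this on real mail: every relay writes its own Received: header, so only the headers added by servers you control are trustworthy evidence (an upstream relay can write anything), and a TLS marker says nothing about whether the certificate was verified, since most server-to-server TLS is opportunistic.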

Ensuring valid, appropriate content
It’s a fact of modern life that much of what arrives in our inbox is nothing we want to receive. When you add up the spam, scams, phishing and malware being sent, there’s a lot of traffic that is wholly unwelcome. Most organizations and email service providers already have some form of filtering in place to stem the flow, and depending on your risk tolerance there are a variety of ways to do this.
Most email providers operate a simple block list of known spam, phishing and malware sources to reduce the amount of unwanted and malicious email that reaches their customers, but many organizations would be wise to filter more proactively. You can also limit messages by attachment type: either allow only file types from an approved list of safer or commonly used types, or block unusual or riskier types.
Keep in mind that while many popular file types may seem safer, they can still carry powerful macro code or malicious embedded files; no file type should be considered completely safe. It may be more helpful to view file types less in terms of their potential danger and more in terms of their risk versus their impact on workflow. While many people send documents, spreadsheets or presentations, very few have a valid work-related reason to send or receive executable files via email, so these can be excluded in most organizations with a minimum of hassle. Because attackers routinely rename executables or tuck them inside archives, a filter that looks at the file’s actual content, not just its name, is far more effective than one that checks extensions alone.
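As an added example of such a policy (not code from the original post), the script below classifies attachments as allow, quarantine or block. It checks the final extension (so “invoice.pdf.exe” is caught), the content signature (so an executable renamed to “.pdf” is caught), macro-enabled Office extensions, and the contents of ZIP containers, including Office documents, which are ZIPs and carry a vbaProject.bin part when they contain VBA. The extension lists, limits and sample files are constructed for illustration and should be tuned to your own workflow.

```python
from __future__ import annotations

import io
import zipfile

# Constructed policy for illustration; tune the lists to your own workflow.
BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "jar",
    "js", "jse", "vbs", "vbe", "wsf", "ps1", "lnk", "iso", "img",
}
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "pptm", "potm"}
# Content signatures checked regardless of what the file name claims.
EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}
MAX_ARCHIVE_DEPTH = 3                     # nested archives deeper than this are quarantined
MAX_UNPACKED_BYTES = 50 * 1024 * 1024     # per-entry cap, guards against decompression bombs


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'quarantine' or 'block'."""
    name = filename.lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:              # the last extension wins: "invoice.pdf.exe" is .exe
        return "block", f"blocked extension .{ext}"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):             # an executable renamed to .pdf still starts with MZ
            return "block", f"{kind} content in '{filename}'"
    if ext in MACRO_EXTENSIONS:
        return "quarantine", f"macro-enabled document .{ext}"
    if data.startswith(b"PK\x03\x04"):         # ZIP container, which includes Office OOXML files
        return inspect_archive(filename, data, depth)
    return "allow", "no policy match"


def inspect_archive(filename: str, data: bytes, depth: int) -> tuple[str, str]:
    if depth >= MAX_ARCHIVE_DEPTH:
        return "quarantine", f"archive nesting deeper than {MAX_ARCHIVE_DEPTH} in '{filename}'"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # An OOXML document that carries VBA has this part, whatever its extension says.
                if info.filename.lower().endswith("vbaproject.bin"):
                    return "quarantine", f"VBA project inside '{filename}'"
                with zf.open(info) as entry:
                    inner = entry.read(MAX_UNPACKED_BYTES + 1)   # read capped, not the declared size
                if len(inner) > MAX_UNPACKED_BYTES:
                    return "quarantine", f"entry '{info.filename}' exceeds unpack limit"
                verdict, reason = inspect_attachment(info.filename, inner, depth + 1)
                if verdict != "allow":
                    return verdict, f"{reason} (inside '{filename}')"
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        # Corrupt, password-protected or unsupported-compression archives cannot be inspected.
        return "quarantine", f"unreadable or encrypted archive '{filename}'"
    return "allow", f"archive '{filename}' within policy"


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Helper to construct sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (a few header bytes stand in for real files).
SAMPLES = {
    "report.pdf": b"%PDF-1.4 sample",
    "invoice.pdf.exe": b"MZ\x90\x00",                    # double extension
    "statement.pdf": b"MZ\x90\x00",                      # executable renamed to look like a PDF
    "budget.xlsm": build_zip({"xl/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "memo.docx": build_zip({"word/document.xml": b"<w:document/>",
                            "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"}),
    "photos.zip": build_zip({"cat.jpg": b"\xff\xd8\xff", "setup.exe": b"MZ\x90\x00"}),
    "notes.zip": build_zip({"notes.txt": b"nothing to see here"}),
}


def apply_policy(samples: dict[str, bytes]) -> dict[str, str]:
    return {name: inspect_attachment(name, data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {inspect_attachment(name, data)}")
```

Encrypted archives are quarantined rather than allowed because the gateway cannot see inside them; that is also why they are a popular delivery wrapper, so route them to a human or a sandbox rather than letting them through by default.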
Some organizations also screen email before it leaves their network, for malware and for confidential company data. Most companies hold some sensitive information, such as payment card or ID card details, healthcare information or confidential business data, and would do well to know when it leaves. It can also be useful to set gateway anti-malware scanners to more “paranoid” settings, as a slower scan of files passing through the mail gateway is far less noticeable or disruptive there than it would be on a user’s desktop.
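Screening outbound mail for payment card details is a good illustration of why a naive pattern match is not enough: any 16-digit order or tracking number would trigger it. The script below is an added example, not the post’s own or any product’s code. It looks for 13 to 19 digit runs with optional separators and keeps only those that pass the Luhn checksum that real card numbers carry, then redacts the hits. The message body is constructed; the 4111 1111 1111 1111 number is a standard test card number, not a real account.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens, and not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); weeds out most random digit strings."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        d = int(char)
        if position % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit strings in `text` that both look like a PAN and pass the Luhn check."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def redact_card_numbers(text: str) -> str:
    """Replace Luhn-valid candidates, keeping the last four digits for correlation."""
    def replace(match):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            return f"[PAN REDACTED, ends {digits[-4:]}]"
        return match.group()            # Luhn-invalid: an order number, leave it alone
    return CARD_CANDIDATE.sub(replace, text)


def screen_outbound(body: str) -> dict:
    """Gateway decision: hold the message for review if it carries a valid-looking PAN."""
    hits = find_card_numbers(body)
    return {"hold": bool(hits), "hits": hits, "redacted": redact_card_numbers(body)}


# Constructed outbound message: a test PAN next to numbers that merely look like one.
OUTBOUND_BODY = (
    "Hi, please charge the customer's card 4111 1111 1111 1111 for the balance.\n"
    "Order reference 1234 5678 9012 3456, shipment tracking 9400110200830000000000.\n"
)

if __name__ == "__main__":
    print(screen_outbound(OUTBOUND_BODY))
```

The same structure (candidate pattern, then a validity check specific to the data type) works for other identifiers that have check digits, such as IBANs or national ID numbers; for free-text secrets you will need keyword and document-fingerprint rules instead.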

Email authorization and authentication
Spoofing the sender of an email is trivially easy for miscreants, and while there are standards that limit it (SPF, DKIM and DMARC), they are not yet universally deployed. Together they let a receiving server verify that message content has not been altered in transit (DKIM), publish which servers are authorized to send mail for your domain (SPF), and check that the From: address the user sees is consistent with the domain that actually passed those checks (DMARC alignment).
Because not every receiving domain checks these records yet, the best use case for most companies is to deploy them to protect your brand and to prevent the types of Business Email Compromise (BEC) in which your own domain is spoofed. The reports they generate on messages that fail to authenticate are also useful for forensic purposes.
Use of email authentication and authorization should be considered part of good administrative hygiene, like promptly removing (or at least changing the passwords of) accounts that are no longer in use, such as those of employees who have left the company.
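To make the alignment idea concrete, here is an added example (not code from the original post) of how a receiver evaluates DMARC once SPF and DKIM have already been checked. It parses a policy record of the kind published at _dmarc.<domain>, then decides whether either authenticated identifier aligns with the visible From: domain. The scenarios, domains and record are constructed, and the organizational-domain helper is a deliberate simplification: real evaluators consult the Public Suffix List.

```python
def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")      # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption/simplification: the last two labels. A real evaluator uses the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    if not authenticated_domain:
        return False
    a = from_domain.lower().rstrip(".")
    b = authenticated_domain.lower().rstrip(".")
    if mode == "s":                                  # strict: exact match required
        return a == b
    return organizational_domain(a) == organizational_domain(b)   # relaxed


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """
    from_domain : domain of the visible RFC5322.From header
    spf_domain  : domain SPF was evaluated against (RFC5321.MailFrom, or HELO if empty)
    dkim_domain : d= tag of a DKIM signature that verified ('' if none did)
    Returns (dmarc_result, disposition); disposition is the p= policy on failure.
    """
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_aligned or dkim_aligned:                  # one aligned pass is enough
        return "pass", "none"
    return "fail", record["p"]


# Constructed policy, as example.com would publish it at _dmarc.example.com.
POLICY = parse_dmarc_record(
    "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"
)

# Constructed scenarios: (from_domain, spf_result, spf_domain, dkim_result, dkim_domain).
SCENARIOS = {
    # Genuine mail: bounces go to a subdomain, which relaxed SPF alignment accepts.
    "legitimate": ("example.com", "pass", "bounce.example.com", "pass", "example.com"),
    # Spoof: the attacker's own domain passes SPF and DKIM, but neither aligns with From:.
    "spoofed": ("example.com", "pass", "attacker.example", "pass", "attacker.example"),
    # Forwarded: SPF breaks at the forwarder, but the DKIM signature survives and aligns.
    "forwarded": ("example.com", "fail", "bounce.example.com", "pass", "example.com"),
    # Strict DKIM alignment: a subdomain signature is not enough when adkim=s.
    "subdomain-signed": ("example.com", "fail", "", "pass", "mail.example.com"),
}


def run_scenarios(policy=POLICY) -> dict:
    return {name: evaluate_dmarc(*args, policy) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:17} -> {outcome}")
```

The “spoofed” scenario is the point of DMARC: SPF and DKIM on their own are checked against the envelope sender and the signing domain, which an attacker controls, so a forged From: header passes both. Only the alignment check ties the authenticated domain to the address the recipient actually sees.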

Account protection
Most of us are familiar with authenticating to our email accounts, as a password is the one form of email security almost everyone has. Several of the other measures discussed above exist in part to limit the damage done with stolen login credentials, which is to say that credential theft is a huge problem that causes a cascade of other woes. Multi-factor authentication is a very effective additional layer of protection for access to our email accounts.
Rather than relying on a password alone, which is a single “factor” (something you know) for verifying that you are who you say you are, multi-factor authentication combines it with a second kind of evidence. The most common second factor is a one-time code, generated by an app or a hardware token or sent by SMS, which you enter after your username and password have been accepted. An authenticator app or hardware token is preferable to SMS, and a code delivered to the very mailbox you are trying to protect adds no protection for that mailbox. Multi-factor authentication can be tied directly to the login to the email app, or to a network login, depending on your specific needs and threats.

Software protection
Last but not least, protect your email by keeping the software you use up to date, including your operating system and the client or browser you use to read mail. This closes vulnerabilities that attackers could otherwise use to get at your messages. Use the automatic update features in the software or the operating system where they exist, or download updates directly from the vendor’s website.

Final Thoughts
Whatever methods you choose to incorporate, for email or for computer security in general, they must be things the people in your organization can and will use. That means observing how the people who will use these technologies actually work, choosing options that are applied automatically or are easy to use, and then training users on how and when to use them.