Email is a crucial part of most people’s daily lives,
but few people consider how it’s secured, apart from entering a password to
access our accounts. What options are available or even advisable to use for
securing email?
What
is email security?
For the purposes of this post, I’ll define email
security as pertaining to both the content of messages, as well as the accounts
people use to access their emails.
Email security does not end with authentication for
accessing our accounts: message content can be validated and secured, sender
identity can be authenticated, authorization of email senders can be
maintained, and the integrity and functionality of the email app itself can be
better secured.
If you’re the administrator of your email account,
you’ll naturally have a different subset of options than if your account is
being administered by someone else. Depending on your threat model, which
options are needed may vary somewhat, but most of us could benefit from adding
more methods to our repertoires.
Securing
message content
Few people seem to be aware that sending an email can be as open to eavesdropping as
sending a message on a postcard. Fortunately, there are a variety of ways
to add layers of security to the process of sending a message. One method is
akin to putting a message in an envelope; people can still see where the
message came from, and where it was sent to, as well as the content of the
message if an eavesdropper is able to intercept it at some point in the process
(especially after the envelope is opened). This type of protection is
considered “transport-level”, as it helps protect the message in transit across
the internet.
It’s also possible to secure the message from “end to
end”, meaning the message is encrypted at the source before it ever hits the
network, and then decrypted by the recipient. This shortens the time that a
message might be read even by an eavesdropper, as it can’t be read when it’s in
transit or until its contents are decrypted. The eavesdropper would also need
to have the decryption key as well as the email to access the data within an
intercepted message.
Administrators often choose to implement transport-level
protection, as it’s the type that’s most transparent to users and because it
usually doesn’t require their direct interaction. If end-to-end encryption is
needed, it’s a good idea to choose technologies that make this process simple,
and to create policies that dictate when this type of encryption must be used.
Ensuring
valid, appropriate content
It’s a fact of modern life that much of what arrives
in our inbox is not anything we want to receive. When you add up the amount of spam,
scams, phishing and malware that’s being sent, there’s a lot of traffic that is
wholly unwelcome. Most organizations and email service providers have some
manner of filtering for this sort of detritus in place already, to help stem
the flow. Depending on our own levels of risk tolerance, there are a variety of
ways that this can be done.
Most email providers operate a simple blacklist of
known spam, phishing and malware to decrease the amount of unwanted and
malicious email that reaches their customers. But many organizations would be
wise to be more proactive with their filtering. You could also limit messages
by attachment type; either allowing only those files from an approved list of
safer or more common file types or excluding unusual or more-risky file types.
Keep in mind that while many popular file types may
seem safer, they can still include powerful macro code or malicious, embedded
files. No file type should be considered completely safe. It may be more
helpful to view file types less in terms of their potential danger, and more in
terms of their level of risk versus potential impact on workflow. While many
people send things like documents, spreadsheets, or presentations, very few
people have valid work-appropriate reasons to send or receive executable file types
via email, so these can be excluded in most organizations with a minimum of
hassle.
Some organizations also choose to screen emails before
they’re sent out from their network too, for malware and/or confidential
company data. Most companies maintain some sort of sensitive files or
information such as payment or ID card details, healthcare information, or
confidential company data and would do well to log its whereabouts. It can be
useful to set gateway anti-malware scanners to more “paranoid” settings, as a
potentially slower scan of files going through email will be less noticeable or
disruptive.
Email
authorization and authentication
Spoofing email is trivially easy for miscreants, and
while there are ways to limit this, the available options
are not yet widely used. These techniques help authenticate message content,
indicate which users and accounts are authorized to send from your domain, and
can help verify that email headers are internally consistent.
Because these authorization and authentication
techniques are not commonly implemented, the best-use case for most companies
is to deploy these methods to help protect your brand integrity or prevent
certain types of Business Email Compromise (BEC).
You can also use them to log emails that fail to authenticate properly, for
forensic purposes.
Use of email authentication and authorization should
be considered part of good administration hygiene, like promptly removing (or
at least changing the passwords of) accounts that are no longer in use (such as
those formerly belonging to employees who are no longer with the company).
Account
protection
Most of us are aware of authentication for our email
accounts, as this is the type of email security most of us have. Several of the
other types of email security we’ve discussed in the previous paragraphs exist
in part to help mitigate the damage caused by stolen login credentials, which
is to say it’s a huge problem that causes a cascade of other woes. But multi-factor authentication
is another very effective level of protection for access to our email accounts.
Rather than just providing a username and password,
which is one single “factor” of verifying that you are who you say you are,
multi-factor authentication combines these credentials with another method. The
most common example of a second method is a one-time key – often sent by email
or SMS,
or created by an app or dongle – that is input after you’ve successfully entered
your username and password. Multi-factor authentication can either be tied
directly to the login process for an email app, or to a network login process,
depending on your specific needs and threats.
Software
protection
Last but not least, it’s also important to protect
your email by regularly updating the software you use, including your operating
system and the app or browser you use to access email. This will help address
vulnerabilities that could allow attackers to access your emails. You may wish
to do this with automatic update capabilities in the software itself or in your
operating system, or by going directly to the vendor’s website for downloads.
Final
Thoughts
Whatever methods you choose to incorporate – be it for
email or computer security in general – it’s important that they be things
people in your organization can and will use. This means observing the workflow
of the people who will be using these technologies, choosing options that are
either applied automatically or are easy to use, and then training users about
how and when to use protection methods.