Email-borne threats have increased exponentially over the last decade. Our dependence on the humble email has fundamentally changed the way we do business. The Radicati Group, in its latest Email Statistics Report, indicates that there are approximately 1 billion mailboxes in 2015 sending close to 200 billion emails per day. From the outset of its widespread adoption in the 1990s, cyber criminals saw email as an exceptionally easy method of breaching an organization's environment. Spam, spear phishing and malware are all delivered via email.
The importance of email to business has also changed dramatically. In the early 2000s, email was an important business tool, used primarily for internal communication, and organizations were less dependent on its availability than they are today. Today, communication with external businesses and customers is equally important: order placement, loyalty programs, surveys and many other uses all run over email.
2. Identify and list authorized senders – SPF and DKIM, introduced between 2005 and 2007, are simple email-validation mechanisms designed to detect email spoofing: SPF publishes in your DNS the hosts permitted to send mail for your domain, and DKIM signs outgoing messages with a key whose public half is published in your DNS. It is surprising how little SPF and DKIM are deployed, and how often SPF is configured incorrectly, making the record unusable by the receiving email platforms (a common example is publishing more than one SPF record for a domain, which receivers treat as a permanent error). My belief is that the implementation of cloud based email secure gateways such as Symantec's Messagelabs negated the need for an SPF or DKIM record. But Golden Rule #1 states that the stakeholders of email include external recipients. The Messagelabs platform is fantastic at protecting internal customers – SPF and DKIM also protect your external customers. Implement SPF and DKIM records.
3. Implement DMARC – Domain-based Message Authentication, Reporting & Conformance. DMARC protects against email domain spoofing, which is typically used against your employees in CEO email fraud and spear phishing, and against your customers in spam and phishing emails. Don't believe that you need it? Check out this great tool called the Phisholator: it will send you a simple, non-malicious email from, well, you. It's a great way to demonstrate how you or your users may be at risk from spear phishing or email spoofing attacks. DMARC can be considered an umbrella mechanism: it checks that the domain in the visible From header aligns with the domain that SPF or DKIM authenticated, and tells receivers what to do (p=none, quarantine or reject) when neither aligns. As with SPF, deployment is initiated by creating a TXT record in your DNS, at _dmarc.yourdomain. For organizations without SPF records, DMARC is an excellent starting point: published with p=none and a rua= reporting address, its aggregate reports identify ALL sources sending as your email domains, providing you an initial list for the SPF record. Additionally, DMARC enhances the protection offered by platforms such as Symantec's Messagelabs by identifying emails that SPF misses, such as a message that passes SPF for the attacker's own bounce domain while the From header still shows yours. Refer to a previous blog post, The Fundamental Flaw in Email.
4. Test and Report – Verify the correct operation of the SPF, DKIM and DMARC records. Review the authorized email senders and their volumes, and also the threat identified from unauthorized users of your email domains. Many organizations have SPF and DMARC records that are in an error state due to misconfiguration. An excellent dashboard that identifies these issues, as well as displaying some information on email volumes, is dmarcian's Domain Lifter.
5. Implement a cloud based email secure gateway. Many organizations deploy cloud based email secure gateways that provide the initial email filtering before email enters the organization's environment. Most importantly, these platforms should be DMARC compliant: they should evaluate SPF, DKIM and DMARC on inbound mail, and if they relay your outbound mail they must be listed in your SPF record so that your own mail continues to pass.
6. Initiate Security Awareness Training – training your employees to tell a real email from a fake one could save your organization from financial loss, or even an awkward public acknowledgement of a security breach. Building a human firewall is the last layer of defence against cyber criminals targeting your organization. Security Awareness Training will provide you with the highest return on your overall security spending.
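To make steps 2 to 4 concrete, here is an added example (my own illustration, not code from the original post or from any of the tools mentioned) that lints the three record types offline and then performs the DMARC alignment check a receiver does. All TXT records and domains in it are constructed samples; `org_domain` approximates the organizational domain by the last two labels, which real code replaces with a Public Suffix List lookup.

```python
"""Offline lint of SPF, DKIM and DMARC TXT records, plus the DMARC alignment
check a receiver performs. Every record and domain below is a constructed sample."""
import re

# Constructed TXT records keyed by the DNS name they would be published at
# (what `dig TXT example.com` / `dig TXT _dmarc.example.com` would return).
SAMPLE_TXT = {
    "example.com": [
        "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all",
    ],
    "broken.example": [                                  # two common mistakes
        "v=spf1 include:a.example include:b.example",    # no terminal "all"
        "v=spf1 ip4:203.0.113.0/24 -all",                # second SPF record
    ],
    "selector1._domainkey.example.com": [
        "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7dummy",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    ],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DKIM and DMARC records share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_spf(records):
    """Return the problems that make an SPF record unusable or unsafe ([] = ok)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    problems = []
    if len(spf) > 1:
        problems.append("multiple SPF records: receivers return permerror")
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in SPF_LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10: permerror")
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        problems.append("'+all' authorizes every host on the internet")
    elif not (re.fullmatch(r"[-~?]all", last) or last.startswith("redirect=")):
        problems.append("no terminal 'all': unlisted senders are neutral, not rejected")
    return problems


def lint_dkim(records):
    """Check the selector record that a signature's d= and s= tags point at."""
    tags = next((parse_tags(r) for r in records if "p=" in r), None)
    if tags is None:
        return ["no DKIM key record at selector"]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("p", "") == "":
        problems.append("empty p=: key revoked, every signature made with it fails")
    return problems


def lint_dmarc(records):
    """Check the _dmarc record: a valid policy and somewhere to send reports."""
    tags = next((parse_tags(r) for r in records if r.startswith("v=DMARC1")), None)
    if tags is None:
        return ["no DMARC record: receivers apply no policy"]
    problems = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        problems.append("no rua=: no aggregate reports, so you never see who sends as you")
    return problems


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption:
    production code uses the Public Suffix List, e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    accepts any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, dmarc_tags, spf_pass_domain=None, dkim_pass_domain=None):
    """What a DMARC-aware receiver does with one message.
    from_domain      -- domain of the visible From header
    spf_pass_domain  -- MAIL FROM domain if SPF returned pass, else None
    dkim_pass_domain -- d= of a DKIM signature that verified, else None
    Returns "pass", or the p= disposition to apply when neither identifier aligns."""
    spf_ok = aligned(from_domain, spf_pass_domain, dmarc_tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, dmarc_tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else dmarc_tags.get("p", "none")


EXAMPLE_DMARC = parse_tags(SAMPLE_TXT["_dmarc.example.com"][0])

if __name__ == "__main__":
    for name, recs in SAMPLE_TXT.items():
        linter = lint_dmarc if name.startswith("_dmarc.") else (
            lint_dkim if "._domainkey." in name else lint_spf)
        print(f"{name}: {linter(recs) or 'ok'}")
    # The spoof SPF alone misses: the attacker's own bounce domain passes SPF,
    # but the visible From is example.com, so DMARC applies p=reject.
    print(dmarc_result("example.com", EXAMPLE_DMARC, spf_pass_domain="bounce.phisher.example"))
    print(dmarc_result("example.com", EXAMPLE_DMARC, spf_pass_domain="bounce.example.com"))
```

The last two calls show why DMARC catches what SPF misses: SPF only ever validates the envelope MAIL FROM domain, so a gateway that stops at SPF accepts the first message, while DMARC requires that domain (or a verified DKIM d=) to align with the From header the user actually sees.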
Although this is by no means a comprehensive list, I would classify these points as the neglected aspects of any deployed security controls.
by Con Lokos