1

TheDynaSisEducationSeriesforC-LevelExecutivesEmailSecurity

ThreatstoyourITnetworkabound,manyofthemdeliveredthroughemail.Fortunately,therearecosteffectivetoolsavailabletoprotectyourhardware,software,data,andultimately,yourbusiness.Effectivemailsecurityusedtorelyona“hardexterior–softinterior”model,meaningthatifyoumadeittoughforhackerstogetin,everythingfromthenonwouldbeokay.Butintoday’sworld,maintainingasecureperimeterisbecomingmoreandmoredifficultaseverydefenseweerectisquicklychallengedbytheever-advancingtechnologiesofthecyber-criminal.Thisincludesanever-increasingabilityofhackerstocreatewhatseemlikelegitimatesafeemails,butareactuallyverysophisticated“phishing”1and“spear-phishing”2tools.Becauseofthis,insteadofthesecuritymodelinwhichwetrustedincomingemailsfromseeminglyknownsources,theadoptionofanew“ZeroTrust”modeliscritical.Wealsoknowthatuseofthecloudinbusinesscontinuestogrowandwhilethecloudoffersgreaterspeed,flexibility,availability,securityandmobility,itisimportanttounderstandthatthisusagecanalsocomewithlossoftheeffectivenessofouronpremises,office-basedsecuritysolutionsthatweredesignedfortheapplicationsyouwereusingfiveyearsago.Thisincludes___________________________________________________________________________________________

2

TheDynaSisEducationSeriesforC-LevelExecutives

___________________________________________________________________________________________web-basedemail.Inotherwords,ifyouareusingweb-basedemail,thesecurityyouseekmustprotectweb-basedemail.Addtothisthefactthatournetworkperimetersarerapidlybecomingfuzzyasouremployeesbecomemoreandmoredependentonthecloudfrombothbusiness-operationalandpersonalperspectives.Yourbusinessprobablyhasasignificantnumberofemployees–maybeevenyou–whousebothpersonalandcompany-owneddevices,bothinandoutoftheoffice,soyoucanbegintoseehowthe“hardexterior”inamobileworldcanberiddledwithholesbyaccomplishedprofessionalthieves.Whenyouthinkaboutthegrowingnumberofhigh-profilesecuritybreaches,manyofwhichwereinitiatedthroughemailphishing1andspear-phishing2schemes,youbegintounderstandtheneedtopaircurrenttechnologywithcurrentsecurity.TheneedissorealthatinadditiontoaCIO(ChiefInformationOfficer),manylargecompanieswillalsoemployaCISO(ChiefInformationSecurityOfficer)tooverseethisimplementation.Whenbudgetstodonotallowthisposition,CIOswillbetaskedwiththeeffort,and,unfortunately,inmanytypicalsmalltomidsizedbusinesses(SMBs)thiswillfallintothelapsofbusinessownersorothersalreadyburdenedwithawidevarietyofotherduties.Tobetterunderstandhowtothwarttheseattacks,onemustfirstunderstandtheattacksthemselves,solet’stakealookatthevariousthreatscurrentlyoutthere.

Spam:Althoughoftenjustanuisanceandnotarealdanger,spamemailcandistractemployeesduringworkhoursandaffectproductivity.Enterprisesolutionsthesedaysgenerallyhaveproperdefensessetupagainstspam,soifthisisaprobleminyourcompany,thisissomethingthatcanandshouldbeaddressed.1Phishingistheattempttoobtainsensitiveinformationsuchasusernames,passwords,andcreditcarddetails(andsometimes,indirectly,money),oftenformaliciousreasons,bymasqueradingasatrustworthyentityinanelectronicenvironment.Thewordisanadaptationof“fishing”andderivesfromthefactthat“bait”isputouttheretoluretheunsuspectingrecipientintoprovidingthisinformation.Communicationsappeartobesentfromcommonsocialwebsites,auctionsites,banks,onlinepaymentprocessorsorITadministratorsandmayincludelinkstowebsitesthatareinfectedwithmalwareand/orasktherecipienttodisclosepersonalinformation.Anadvancedlevelofthistacticiscalled“spear-phishing.”2Spear-Phishing:Thisisprobablythehighestdangerfacedbytoday’sITsecurityprostoday.First,criminalsneedsomeinsideinformationontheirtargetstoconvincethemthee-mailsarelegitimate.Theyoftenobtainitbyhackingintoanorganization’scomputernetworkorsometimesbycombingthroughotherwebsites,blogs,andsocialnetworkingsites.Thentheysende-mailsthatlookliketherealthingtotargetedvictims,offeringallsortsofurgentand/orlegitimate-soundingexplanationsastowhytheyneedyourpersonaldata.Finally,thevictimsareaskedtoclickonalinkinsidethee-mailthattakesthemtoaphonybutrealistic-lookingwebsite,wheretheyareaskedtoprovidepasswords,accountnumbers,userIDs,accesscodes,PINs,etc.Viruses:Likespam,mostlargecompanysecurityprogramsareveryeffectiveagainstviruses,sothecyber-criminalfindsmoresuccessagainsthome-basedPCsandsmallbusinesses.Thisiswhyattacksagainstsmallcompanieshavesky-rocketedinrecentyears.

______________________________________________________________________________________

3

TheDynaSisEducationSeriesforC-LevelExecutives___________________________________________________________________________________________

Malware:Thegoalofmalwareistostealasmuchinformationaspossiblefromthedatabaseofthecompanybeinghacked.Oncetheyobtainthelogincredentialsfromfinancialsites,creditcardcompanies,banks,etc.,theyusethistogainaccesstotheaccountsoftheirvictims,andtosetupnewaccounts,suchascreditcards,inthevictims’namesandmaxouttheaccountbeforethevictimisevenaware.Afairlynewmethodologythatfallsintothecategoryofmalwareisransomware.Ransomware:ThisvariationofmalwaredropsapieceofcodeintotheITnetworkthat“phoneshome”toletthecyber-criminalknowthatithasbeenplaced,thenusesthatlinktoencryptthecompany’sfiles.Oncethefilesareencrypted,theyarelockedfromusebythehackerwhothensendsaransomnote,ironicallybyemail,demandingpaymentbeforethefileswillbeunlocked.Oncetheyarelocked,thefilesarenexttoimpossibletounlockwithoutthehacker’skey.Fortunately,advancedmethodologynowprovides“crypto-containment”softwarethatquicklyidentifiesanencryptionintrusion,isolatestheinfectedfilesandpreventsfurtherencryption.(Note:encryptionofanentiredatabaseisnotinstantaneoussoawell-designedcontainmentsystemcanshuttheinfectiondownbeforeitdoesseriousdamage.)HereatDynaSiswehaveseeninstanceswherecrypto-containmentsoftwaredetectedandshut-downintrusionsinlarge10terra-byteenvironmentswithaslittleas5gigabytesbeingcompromised.Thisdatawasquicklydeletedandrestoredfromback-ups.SocialEngineering:Thisisthemodernequivalentoftheold“congame.”Itbeginsbygainingthetrustofthevictimbyphone,email,oreveninperson.Oftenitistiedinwiththehumandesiretohelpotherpeople,hencefalsecharitablerequests.Inthisway,thebadactorobtainsinformationaboutsocialmediaaccounts,andthenusesthisinformationtogainaccesstotheseaccountstocommithiscrimes.StateSponsoredHacking:Whilethiswon’taffectmostsmallbusinesses,yourcompanymaystillbeatriskifyouareinvolvedindefensecontracting,multi-nationaldeals,aerospace,orotherareasthatinvolvesensitiveinformation,ORifyouareasuppliertoalargercompanythatfitsthisdescription.RememberthattheinfamousTargetintrusionbeganwithasmallsupplierwhowashacked.TheintruderthenworkedhiswayintotheTargetsystemthroughthissupplier.

Rememberthis:alltheabovecyber-attackscanstartwithasingleemail.Onceuponatimecombattingthreatslikethesewasfairlysimple.Acompanywouldemployasecureemailgateway(SEG),andeverythingwouldbeokay.Butasrulesetsbecamemorecomplex,andanti-virusrequiredmultipledeployments,andenduserquarantinesmultiplied,thesesolutionsbecamethepointsoffailure.Thishasbeenfurthercomplicatedbythefactthatacompany’sownemployees,asend-users,havebecomeveryskilledatcircumventingtheoncehardenedperimeter,anditisstillfurthercomplicatedbythepotentialofbadactorswithinthecompanyitself.Today’sITprofessionals,andmanagedITserviceproviders,understandthatthe“hardexterior–softinterior”paradigmmustbereplacedbytheZeroTrustSecurityModel.TheZeroTrustSecurityModelWhilethismightnotsoundtoofriendly,inlightoftheadvancedqualityofthethreatsfacingustoday,adoptingazerotrustemailmodeliscritical.Itiswaytooeasyforbusinessemailuserstobelulledintoafalsesenseofsecuritybecauseofthehighlevelofprotectiontheyunderstandisinplaceagainsttraditionalmalware,etc.,butthetruthis,thebadguysneverstopworkingonnewerand“better”waysofhurtingussowecannever___________________________________________________________________________________________

4

TheDynaSisEducationSeriesforC-LevelExecutives

___________________________________________________________________________________________assumethatjustbecauseit“gotthrough”youroldersecurityfilters,anemailissafe.Itisexactlythissenseoftrustthatthecriminalsexploitanditisuptoeachbusinessand/oritsITserviceprovidertotreateveryemailthatarrivesassuspiciousuntilasophisticatedemailsecuritysolutionhasclearedit.Todothis,wemustaddanewlayerofITsecuritythatchecksyourincomingemailsforthemaliciouslinksthatmaybeembeddedinthem,orintheirattachments,sothatnolinkistrusteduntilithasbeenclearedbyatechnologythatisadvancedenoughforthisdetection.Withmanycompaniesthatbelievetheyareadequatelyprotected,wearefindingthatinrecentyearstheyhaveinadvertentlyintroducednewvulnerabilitiesintotheirITnetworksthroughtheuseofwhatwecallBYOD,or“bringyourowndevice”intothepicture.Howmanyofyouremployeesusetheirownsmartphones,tabletsorlaptopsforcompanywork,andhowmanyofthesedeviceshaveaccesstoyourcompanyemail,nottomentionotherfiles?BestPracticesHereatDynaSis,afterevaluatingthetoptieremailsecurityproducts,wehavechosenMimecastforourclients,soforpurposesofillustration,wewillusetheirproduct,althoughthereareotherservicesavailable.AproperlydesignedSecureEmailGateway(SEG)willbedeliveredfromthecloudandaddagreatdealofvaluablefunctionalityalongwiththesecurityyouneed.Theseservicesshouldinclude3:

Allow-AutoListing:Your“goodcontacts”areprioritized.RFCCheckGreylisting:EnsuringthatincomingemailsareRFCcompliantforSMTPservers.GlobalReputationChecks:Employingthecommonlyusedglobalreputationservicestoblockemailaddresseswithbadreps.RecipientValidation&ActiveDirectory:Verifyinginboundaddressestothwartdirectoryharvestattacks.Anti-Spoofing:Lockingoutspoofedemailtoensureitneverreachesinternaldomains.EmailFirewall:Administrativelockoutofemailidentifiedbysender,recipient,IPaddress,domain,etc.PolicyControl:Dataleakcontrol,largeemaildistribution,encryption,andotherenhancedsecuritycontrols.3TheabovetermsarethoseusedbyMimecast.Otherservicesmayuseotherterminology.

AnotheradvancedtechniquethatservesanimportantfunctioniswhatsomeITserviceproviderscallTargetedThreatProtection,designedtoblockspear-phishingandothertargetedattacks.Whenarecipientclicksonalinkinareceivedemail,thelinkisactuallyrewritten,senttothecloudwhereitisscannedforsecurity.Ifcleared,thelinkcanthenbeopenedbytherecipient.Whilethetechnicaldetailsofthisareabitabovethescopeofthispaper,theprocessthatMimecastusesincludes:

Delivery:WhenanemailisreceivedbyMimecast,allURLscontainedinthatemailarerewritten,thendeliveredtotherecipient.

_________________________________________________________________________________________

5

TheDynaSisEducationSeriesforC-LevelExecutives

___________________________________________________________________________________________

UserReceipt:IftheuserclicksonaURL,theURLischeckedagainstallowandblocklists,andiftheURLisnotfoundonanyoftheselistsitissenttothescanner.URLScanning:Thelinkisscannedthoughseverallayersofdetectionandanyquestionableemailsareblocked.Link,Domain,andPhishingReputation:Thelinkisverifiedbyrunningitthroughinternalandthirdpartyintelligenceenginesandothersecuritychecks.WebpageDeepAnalysis:Thewebsitefromwhichthelinkoriginatedisscannedforspear-phishingandotherpotentiallymaliciouscontentthatmaybelaunchedthroughthatsite.BlockorAllowDecision:Ifallpagesrelatedtotheemailaredeemedclean,theemailispassedontotherecipient.Ifthereisanythingdeemedquestionable,boththeadministratorandtherecipientarenotifiedandgiventheopportunitytoreceiveorblock.

BestPracticeDefenseinDepthataMicroLevel–©Mimecast

___________________________________________________________________________________________ WhenyousignedupforanAOLemailaccount25yearsago,thetechworldwasamuchsimplerplace.Ifyouusedtheword“phishing”,itwouldbeassumedyousimplydidnotknowhowtospell.Buttimeshavetrulychangedandalongwithallthegoodthingstechnologybringsus,italsobringsasanever-growingvarietyofcyberthreatsandbadactorswhospendcountlesshoursdevisingtheirowntechnologytorob,cheatandsteal.Vigilancemustbecomeawayoflifeandemployingtoolsthatworkforyouandthatarecontinuouslyupdatedarevital.AsanAtlantamanagedITservicesprovider,wehaveseenitallandunderstandthecomplexities.IfyouhaveanyquestionsaboutemailsecurityorITsupport,pleasefeelfreetocontactus.

6

http://www.computerweekly.com/feature/Email-security-Essential-Guidehttps://www.mimecast.com/products/email-security/

http://www.digitaltrends.com/computing/can-email-ever-be-secure/http://www.darkreading.com/operations/how-many-layers-does-your-email-security-need/d/d-id/1325791http://www.inc.com/larry-alton/email-security-in-2016-what-you-need-to-know.htmlhttps://www.techopedia.com/definition/29704/email-security1,2www.Wikipedia.com