FEATURE

for sanitising emails of malicious content are very powerful; generic spam or junk email isn’t such a big deal any more, as the majority can be removed relatively easily. The more dangerous threats can be countered with the advanced anti-malware, sandboxing and URL analysis features found on most modern email security platforms.
However, an often-overlooked issue is the spoofing of email addresses, which is part of a growing problem within the catch-all of Business Email Compromise (BEC). Although BEC has many variants, the most common attack is a supplier seemingly asking for payment of an outstanding invoice and using a spoofed email address, or a look-alike address, to trick a victim into making a bogus payment. BEC relies on the misconception that email is secure when in reality it is no safer than paying a random bill that has turned up in the post.
For organisations trying to reduce the risk of BEC, there are two routes that can and should be used. The first is to stop deceptive messages ever reaching end users who might unwittingly divulge sensitive information or make a bogus payment. This is the job of the spam filter, but a few well-crafted BEC attacks may well get through the net, at least on the first pass before the anti-spam algorithms catch up and block the following waves.
The other option is to set up authentication for all email using technologies such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), with the latter supported by most of the Internet bigwigs such as Google and Microsoft. However, these standards cannot be deployed in isolation: unfortunately, they require correct deployment on both the sender and recipient email systems. Signed SSL certificates are rarely deployed on gateways, which instead rely on self-signed or out-of-the-box certs, meaning a recipient cannot verify the authenticity of the sender. Likewise, if a sender’s email domain has not configured records for SPF or DKIM, a recipient cannot use them to verify the sender.
An equally bad but unfortunately common occurrence is that many organisations do not maintain these records after infrastructure changes, leading to legitimate emails being incorrectly blocked or quarantined. It is also not uncommon to see organisations with SPF or DKIM records that are badly misconfigured. However, email authentication is gaining in popularity. For example, eBay and PayPal publish a policy requiring all their messages to be authenticated in order to appear in someone’s inbox. In accordance with that policy, Google rejects all messages purporting to be from eBay or PayPal that aren’t authenticated. This trend is spreading across large senders and receivers but is not yet absolute.
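To make the record-maintenance point concrete, the following added example (not from the article or any vendor) lints a domain’s SPF and DMARC TXT records for the misconfigurations just described: a second SPF record left behind after a platform migration, a permissive +all, too many DNS lookups, and a DMARC policy of p=none. The sample records are constructed and the domain names are placeholders.

```python
"""Lint SPF and DMARC TXT records for stale or misconfigured states.
Added example, not from the article; sample records below are constructed."""
import re

# Mechanisms and modifiers that each consume one of RFC 7208's 10 DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def spf_issues(txt_records):
    """Return problems found in a domain's TXT records (empty list = clean)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: recipients cannot verify the sending hosts"]
    issues = []
    if len(spf) > 1:
        issues.append("multiple SPF records: receivers return PermError")
    terms = spf[0].split()[1:]
    # Drop the qualifier (+ - ~ ?) and any argument to get the bare mechanism name.
    names = [re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower() for t in terms]
    lookups = sum(n in LOOKUP_TERMS for n in names)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10: PermError")
    last = terms[-1].lower() if terms else ""
    if last in ("+all", "all"):
        issues.append("'+all' authorises every host, so spoofed mail passes SPF")
    elif not last.endswith("all") and not last.startswith("redirect="):
        issues.append("no terminal 'all': unlisted hosts get a neutral result")
    return issues

def dmarc_issues(txt_records):
    """Return problems with the _dmarc TXT record (empty list = clean)."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: no policy is applied to SPF/DKIM failures"]
    tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
    issues = []
    if tags.get("p", "").strip().lower() == "none":
        issues.append("p=none: failures are reported but never quarantined or rejected")
    if "rua" not in tags:
        issues.append("no rua= tag: aggregate reports are not being collected")
    return issues

# Constructed sample: a second SPF record was added when mail moved to a new
# platform, the old record was never removed, and it also ends in +all.
SAMPLE_TXT = ["v=spf1 include:_spf.oldprovider.example +all",
              "v=spf1 ip4:203.0.113.10 -all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
REPORT = spf_issues(SAMPLE_TXT) + dmarc_issues(SAMPLE_DMARC)  # three findings
```

Feed the real TXT answers for the domain and for its `_dmarc` subdomain into the two functions to run the same checks against a live zone.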
Security and access to email is no different to any other private resource, and strong encryption and authentication access methods should be deployed. Administrators should ideally be required to go further with such controls as multi-factor authentication, along with the ability to remotely wipe corporate content from mobile devices should they be stolen or misplaced.

Email was not designed with any privacy or security in mind, making it highly vulnerable to attackers.
The best advice for business users worried about email security is to make

Issue 07 | www.intelligentciso.com