IT Pro Panel: Return to sender
Why is it so difficult to get email security right?
Much like cockroaches, black mould and disco, email has proven surprisingly resilient. People have been predicting the death of email for years, prompted at various times by mobile phones, instant messaging and video calls, yet here we are – almost fifty years after email’s invention – and it’s still the most widely-used business communication tool on the planet.
It also remains the source of a great deal of security headaches for IT professionals. As we discussed in a recent episode of the IT Pro Podcast, phishing and business email compromise (BEC) attacks are still among the most widely-used techniques employed by hackers. So why, with the plethora of tools on the market designed to counter this problem, is email security so tricky to get right?
When it comes to email security, the biggest debate tends to be whether to train staff to recognise potentially dangerous emails, or whether to rely on technical tools that catch malicious emails before they even hit employees’ inboxes. There’s logic to both arguments; people have certain psychological triggers that hackers know how to exploit, but on the other hand, it’s easier to improve a human’s ability to detect dangerous messages than it is to improve a software tool’s detection rate.
“In my opinion, staff training is the best line of defence against phishing,” says TempCover CTO Marc Pell. “There’s no perfect solution, but we most definitely work on educating staff as the best method of prevention.”
Alison Davis, CIO of the Natural History Museum, agrees with this, but also notes that it’s equally important not to demonise staff when they don’t get things right, and that building an open culture where people can ask for help is the most important element.
“Good awareness training is also important,” she says. “If it’s framed in the right way, it's beneficial at home as well as at work, and folks will appreciate that.”
One method of increasing staff awareness used by Pell and his team is to use any real-world phishing attempts detected by the business as examples. Any malicious emails that are caught by the tech team are shared in a dedicated Microsoft Teams channel, along with tips on how to identify similar attacks in future. As Pell notes, “What better way to learn how to spot them than by highlighting the clues in the real thing?”
“We have a similar approach,” says SmartDebit CIO, Gavin Scruby. “Since most of these are caught by the filters, it's actually a bit of a novelty for something to get through, and the compliance team (who are responsible for training on this) are very keen to highlight them.”
The general rule of not acting on an instruction delivered via email until it has been verified through another channel (out-of-band verification, effectively a human form of two-factor authentication) has worked well, he says. He also notes that while executives don’t necessarily have direct access to high-level systems, the nebulous nature of the relationships they work on can present other risks, because a request that appears to come from them carries weight with the people who do.
“The admin teams just have to be drilled on secure process and request validation, no matter who is requesting something.”
Another common training practice is running phishing simulations – a tactic that isn’t always popular with IT professionals. The corporate infrastructure team at Davis’ previous employer used to send its staff phishing tests that were so realistic, even she was caught out a couple of times. In her view, the goal of these tests is to train users to spot subtle clues, not to catch users out, and making them too hard to detect defeats the objective.
“It’s a good point,” Scruby says, “and shows the difference between insider threats and external threats. I suspect I could use personal knowledge of people or systems in my organisation to trick someone into doing something, so it depends on the aim of the test.”
“There is a risk when doing it internally that the team see it as a competition, like pen-testing, rather than a test of a likely scenario, which makes the test more like an insider threat test – and phishing is not really a vector an insider would use, as it's too easy to track back. This really shows that we need to concentrate a security team as much on the aim of the test as the effectiveness of the test.”
The importance of software-based tools, however, should not be underestimated; it is only because filtering and flagging technologies catch the majority of malicious emails that security teams have the bandwidth to train staff to catch those that slip through. Indeed, email filtering is a crucial tool in all of our panellists’ arsenals.
To protect Just Eat, CISO Kevin Fielder relies on DMARC and DKIM to filter and flag messages that try to spoof a legitimate domain. DMARC builds on the SPF and DKIM results a receiving mail server has already computed: a message only passes if at least one of those checks succeeded for a domain that is aligned with the visible From address, and the domain owner publishes in DNS what the receiver should do with everything else (monitor, quarantine or reject). Although the occasional particularly well-crafted spearphishing email does still make its way through, the protection offered by these software defences means that his team doesn’t have too much to worry about on a day-to-day basis.
“I think this is an area where consumer mail is actually leading the way,” he says. “The more aggressive things like Gmail get in putting email into the junk or spam folder if it isn't compliant, the more companies are going to have to implement these things if they want to reach customers.”
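To make concrete what a receiver such as Gmail is deciding when it enforces the checks Fielder describes, here is a small DMARC evaluator. It is an added example, not code from any of the panellists or their employers. All inputs are constructed: a DMARC TXT record as it would be returned from DNS for _dmarc.example.com, the Authentication-Results header a receiving MTA has already stamped on the message after its own SPF and DKIM checks, and a From header. The organisational-domain helper is a deliberate simplification (last two labels) and is marked as such; nothing here touches the network.

```python
"""Receiver-side DMARC evaluation (added example, constructed inputs)."""
import re
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # alignment is relaxed unless the owner says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment.
    ASSUMPTION: last two labels. A production receiver consults the Public
    Suffix List so that names such as example.co.uk are handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') allows subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> list:
    """Extract (method, result, authenticated domain) for spf and dkim clauses.
    The first clause of Authentication-Results is the authserv-id, not a result."""
    found = []
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        d = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        found.append((m.group(1), m.group(2).lower(), d.group(1) if d else ""))
    return found


def evaluate_dmarc(dmarc_txt: str, from_header: str, auth_results: str) -> dict:
    """DMARC passes if at least one of SPF or DKIM both passed and is aligned
    with the RFC5322.From domain; otherwise the owner's p= policy applies."""
    record = parse_dmarc_record(dmarc_txt)
    from_domain = parseaddr(from_header)[1].rsplit("@", 1)[-1]
    dkim_ok = spf_ok = False
    for method, result, domain in parse_auth_results(auth_results):
        if result != "pass" or not domain:
            continue
        if method == "dkim" and aligned(domain, from_domain, record["adkim"]):
            dkim_ok = True
        if method == "spf" and aligned(domain, from_domain, record["aspf"]):
            spf_ok = True
    passed = dkim_ok or spf_ok
    return {
        "from_domain": from_domain,
        "dkim_aligned": dkim_ok,
        "spf_aligned": spf_ok,
        "pass": passed,
        # 'none' means deliver normally; otherwise quarantine/reject as published
        "disposition": "none" if passed else record["p"],
    }


# Constructed inputs. The record asks for strict DKIM alignment, relaxed SPF.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
FROM = "Accounts Payable <ap@example.com>"

# Genuine mail: signed by the From domain itself, bounce address in the same domain.
AR_GENUINE = ("mx.receiver.test; dkim=pass header.d=example.com; "
              "spf=pass smtp.mailfrom=bounce@example.com")

# Spoof: the attacker's own domain passes SPF and DKIM, but neither aligns
# with example.com, so the record's p=reject applies.
AR_SPOOF = ("mx.receiver.test; dkim=pass header.d=attacker.example; "
            "spf=pass smtp.mailfrom=bounce@attacker.example")

# Subdomain sender: strict DKIM alignment fails, relaxed SPF alignment rescues it.
AR_SUBDOMAIN = ("mx.receiver.test; dkim=pass header.d=mail.example.com; "
                "spf=pass smtp.mailfrom=bounce@mail.example.com")

if __name__ == "__main__":
    for label, ar in (("genuine", AR_GENUINE), ("spoof", AR_SPOOF), ("subdomain", AR_SUBDOMAIN)):
        print(label, evaluate_dmarc(DMARC_RECORD, FROM, ar))
```

The spoof case is the one that matters: an attacker can always make SPF and DKIM pass for infrastructure they control, so the check that actually stops domain spoofing is alignment with the From domain plus a published policy stronger than p=none. The subdomain case shows why the choice between strict and relaxed alignment is worth making deliberately when the record is published.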
Similarly, Davis praises the advances Microsoft 365 has made in this area, noting that when user accounts at a previous employer were hijacked through credential theft and used for spam relay, Microsoft proactively detected and suspended the accounts automatically. Like Fielder, she also advocates thorough filtering, advising that IT professionals should look into deploying a good email gateway.
Scruby, meanwhile, is focused mainly on preventing hackers from making use of compromised accounts. His assertion is that if an email attack has got past antivirus defences, then the impact is effectively the same as any other intrusion, and is best fought with standard intrusion detection and prevention software.
“The main thing that helps against email attacks is ensuring the user rights under general accounts are as locked down and monitored for anomalies as possible. I would say the area where we are weakest is protection against data exfiltration, whether that’s back through email or other routes.”
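The anomaly monitoring Scruby describes, applied to the spam-relay case Davis mentions, can be tried on a message trace. The following is an added example and is not either panellist's tooling. The trace lines are constructed and only loosely modelled on a message-trace export (time, sender, recipient); a real feed would carry message IDs, client IPs and delivery results as well. The detector baselines each sender against their own history rather than a global threshold, so a busy mailbox is not flagged for being busy.

```python
"""Detecting a hijacked mailbox used as a spam relay (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_trace() -> list:
    """Constructed data: seven days of ordinary outbound mail for two users,
    then one hour in which alice's account blasts 120 distinct external
    recipients across 40 domains, the signature of a hijacked relay."""
    lines = []
    start = datetime(2020, 5, 4, 9)  # an arbitrary Monday 09:00
    for day in range(7):
        for hour in range(8):
            t = (start + timedelta(days=day, hours=hour)).isoformat()
            for n in range(4):
                lines.append(f"{t},alice@example.com,customer{n}@client.example")
            for n in range(3):
                lines.append(f"{t},bob@example.com,partner{n}@supplier.example")
    burst = (start + timedelta(days=7, hours=2)).isoformat()
    for n in range(120):
        lines.append(f"{burst},alice@example.com,victim{n}@target{n % 40}.example")
    return lines


def outbound_recipients_by_hour(lines: list, internal_domain: str) -> dict:
    """Map (sender, 'YYYY-MM-DDTHH') to the set of distinct external recipients.
    Internal-to-internal mail is ignored so normal collaboration does not skew the baseline."""
    buckets = defaultdict(set)
    suffix = "@" + internal_domain
    for line in lines:
        ts, sender, rcpt = line.split(",")
        if not sender.endswith(suffix) or rcpt.endswith(suffix):
            continue
        buckets[(sender, ts[:13])].add(rcpt)
    return buckets


def find_relay_bursts(lines: list, internal_domain: str = "example.com",
                      min_recipients: int = 50, z: float = 3.0) -> list:
    """Flag any sender-hour whose distinct-recipient count is both above an
    absolute floor and z standard deviations above that sender's own history.
    The floor stops a user with a tiny baseline being flagged for a dozen
    emails; the per-sender baseline stops a busy mailbox being flagged for being busy."""
    per_sender = defaultdict(dict)
    for (sender, hour), rcpts in outbound_recipients_by_hour(lines, internal_domain).items():
        per_sender[sender][hour] = len(rcpts)
    alerts = []
    for sender, hours in per_sender.items():
        for hour, count in hours.items():
            history = [c for h, c in hours.items() if h != hour]
            if len(history) < 5:
                continue  # too little history to call anything anomalous
            mu, sigma = mean(history), pstdev(history)
            threshold = mu + z * max(sigma, 1.0)  # sigma floor: a flat baseline still yields a threshold
            if count >= min_recipients and count > threshold:
                alerts.append({"sender": sender, "hour": hour,
                               "recipients": count, "baseline": round(mu, 1)})
    return sorted(alerts, key=lambda a: (a["hour"], a["sender"]))


if __name__ == "__main__":
    for alert in find_relay_bursts(build_sample_trace()):
        print(alert)
```

On the constructed trace only alice's burst hour is reported; her ordinary hours and bob's mail stay below both the absolute floor and the per-sender threshold. In production the same alert would be the trigger to disable the account and check for mailbox forwarding rules the attacker may have added.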
There are numerous data loss prevention (DLP) tools designed to stop hackers exfiltrating any information, of course, but Scruby isn’t much of a believer in them. He revealed that several of the DLP tools he’s tested have failed to defend against some basic attack methods.
“For me, DLP systems have always been complex and hit-and-miss, and rarely plug all the gaps,” he says. “Algorithmic DLP is complex to set up and may miss things; AI-based DLP is a black box where you don't know if it works for everything. We end up coming down to hard walls and segregations, which become increasingly painful for staff when remote working.”
One type of security technology that was roundly endorsed by all of our panellists, however, was multi-factor authentication (MFA), of which two-factor authentication (2FA) is the common case. A standard defence against account takeover, it requires a second proof of identity in addition to a password, such as a one-time code from an authenticator app or hardware token, a security key or a biometric, before granting access. One caveat a practitioner will want: a one-time code defeats an attacker who holds only the stolen password, but it can still be relayed by a phishing page that proxies the login in real time, so for the highest-value accounts a hardware-bound factor such as a FIDO2 security key is the stronger choice.
“We did see issues with credential theft a few years back – especially as Office 365 came in and people were getting emails with a link saying that they had a document for review, which looked similar to legitimate emails,” Davis said. “However, the ease and acceptance of multi-factor authentication has been a huge help in stopping this. 2FA is an essential element for me, and is so much easier to implement now that it’s used much more in the consumer setting and tokens can be served from the user's phone.”
“If you want to spend a lot, you can be really clever and use factors like device identification and user behaviour to reduce how often people are prompted to use multi-factor authentication,” Fielder expands, “but that's probably another topic! I'd be more punchy though – if you are remotely accessing anything of value, why wouldn't you use 2FA?”
Message in a bottle
Email, it seems, will remain as thorny a problem as ever for the foreseeable future. The lockdown has led to a huge spike in companies using tools like Zoom, Slack, Teams and Hangouts, but don’t be fooled; email is simply too big – and too useful – to die. It’s the essential communications infrastructure that the vast majority of online services are built on, and it’s not going anywhere anytime soon.
If we can’t get rid of email, then security professionals are going to need to continue working with it in a safe manner, managing the old threats appropriately while responding to new ones. After all, while the fundamental tactics used by email scammers haven’t changed all that much over the decades, that doesn’t mean that they’re not adapting.
As Pell points out, spammers and hackers across the globe have been taking advantage of the disruption caused by COVID-19 to increase their output of malicious emails. While he hasn’t yet come across any campaigns specifically themed around the virus, the volume of general invoice fraud and credential theft attempts has increased, which he suspects is an attempt to exploit the lack of face-to-face contact caused by remote working: a request to change bank details can no longer be checked by walking over to a colleague’s desk.
The first and easiest step in keeping a handle on email security, according to all of our panellists, is multi-factor authentication, followed by robust filtering tools. Davis also notes that before investing in new tools, it’s worth making sure that you’re getting the most value out of the ones that you’ve already deployed - basic things like making sure IT teams are checking the logs.
However, when it comes down to it, the consensus from all of our panellists is that a mixed approach of tooling and training is the best way to ensure that you’re as defended as possible and, as Scruby identifies, no solution is foolproof.
“You can get away with almost no tooling if you have sufficiently sophisticated and trained staff, but in the real world, even the best people make mistakes and no tool is infallible. I'd put my finger in the air at a 70/30 split between staff ability to tool coverage in terms of importance, and even then, every industry is different.”