Why your email is still a security threat

Danny Bradbury

Email may be over 40 years old, but companies seem no closer to securing it than they were before. Indeed, email is still the most effective delivery method for attacks that can siphon valuable data from a corporation’s servers. Just ask executives from Sony, which was most probably hacked when attackers scammed employees with fake emails.

New communications channels are admittedly major threat sources too. Skype, social media networks and even blog comments are all attack vectors. But email security threats are still the most prevalent. In its 2015 Data Breach Investigations Report, Verizon found that email attachments were the primary infection vector for malware installation in four of every ten cyber-espionage attacks. Links delivered via email accounted for a further 37%.


The primary tool for email-based attackers these days is phishing. Email phishing scams persuade victims to do something they shouldn’t. They can be sent en masse in a trawl for victims, or they can be customised for specific targets, often by researching their company’s organisational structure for information to make them sound more legitimate.

Originally focused almost entirely on consumers, phishing has become one of the top threats to business email security. Especially when initiated by state-sponsored attackers, phishing mails are often used as a foothold to gain access to a company’s network. From there, the attacker can play a long game, quietly exploring the entire infrastructure and siphoning off information in the process.

Phishing may be a well-established activity, but people are still falling for it. According to Verizon, 23% of recipients are still opening phishing messages. When they do so, almost half of them open emails within the first hour.

What’s old is new again

Over the past few years, email phishing scams have evolved to include the installation of malware as a second stage in the attack. It’s worrying, then, to note that 11% of phishing email recipients appear to be clicking on the attachments delivered along with the mail. All it takes is one employee to fall for the ruse. If more than one in ten are doing so, then the attackers are winning.

The malware delivered by email is changing, too. Email threats are like diseases: we may quash them for a while, but we never truly get rid of them. Sooner or later, they’ll pop up again somewhere and begin to re-infect. Even the bubonic plague is making a reappearance.

So it is with macro malware. Popular in the late 1990s, it is becoming a popular attack vector again, leading to attacks such as the $5m Bitstamp bitcoin exchange breach. Emails arrive with attachments claiming to be courier notifications, resumes, and sales invoices. When opened, the document asks the victim to enable macros so that it can run, giving it the opportunity to attack the host.

There’s a key difference, though: in the old days, macros infected computers themselves. These days, they serve as downloaders, opening the floodgates for an ocean of other malware, delivered from malicious servers. Clearly, secure email attachments are something that we should aim for.

Outbound information

All of these threats are inbound, but let’s not forget email as a vector for outbound threats, too. Employees, whether maliciously or unwittingly, can render a company vulnerable via email. An off-color comment or inappropriately forwarded email can encourage a lawsuit, or at the very least embarrassment. If the data contains sensitive information, then the organization could incur mitigation costs.

Companies can also run into problems when emails are compromised as a result of security breaches. For example, Sony executive Amy Pascal left the company after hackers exposed her embarrassing emails online. And Noel Biderman, CEO at hacked adultery site Ashley Madison, had to step down after stolen emails suggested that he advocated hacking and stealing emails from the firm’s competitors.

“The main problem with email is that we tend to think of it as ephemeral conversation, but it has the weight and permanence of correspondence,” pointed out security guru Bruce Schneier, who is a fellow at the Berkman Center for Internet and Society at Harvard Law School.

Even emails sent internally can be potential danger points. “It's the record of the conversation that can come back to bite us, whether it's stolen and published emails like those of Sony and Ashley Madison executives, or subpoenaed email like so many modern litigations,” Schneier warned.

As long as we have email, then, organizations will be vulnerable to security risks. Email data protection involves a combination of anti-malware scanning, anti-phishing technology, and web protection to help guard against these attacks. Use it, and minimise your risk.