5/9/2018
05:00 PM

Email Security Tools Try to Keep Up with Threats

Email has long been a prime vector for cyberattacks, and hackers are only getting sneakier. Can email platforms and security tools keep up?

No matter how many messaging and collaboration apps clutter the enterprise space, most (if not all) employees will continue to use email. Cybercriminals know this, and they're increasingly leveraging this reliance to their advantage, finding new ways to bypass protective measures.

Bob Adams, cybersecurity expert at Mimecast, explains how email-based threats have evolved. "It's important to understand the history of these attacks to understand where they're going," he says. Older phishing scams were easy to detect, with poor spelling and grammatical mistakes. The people who fell for them were likely to give attackers what they wanted.

"One of the reasons it was so successful is it was targeted in a way that intelligent people wouldn't respond," he says. Today's threat actors have resources to make their attacks credible to a broad range of victims. Now, the people who could recognize obvious phishing scams are getting hit with spearphishing attempts and business email compromise (BEC) attacks.

In its Email Security Risk Assessment (ESRA), Mimecast passively scanned 95.9 million emails that went through email security systems and were received by a business email management portal. The ESRA caught 14.2 million spam messages (5.1 million rejected; 9.1 million quarantined), nearly 10,000 dangerous file types, 12,500 malware attachments, and 23,000 impersonation attacks.

Spam is annoying, sure, but most people know what it looks like and it isn't lethal. Impersonation attacks, on the other hand, are sneaky. "What's making these attacks even easier and have higher ROI is the sheer amount of information publicly available on every company and individual within its top ranks," says Wickr CEO Joel Wallenstrom.

"All attackers need to do is pick a target; tailor messaging based on data gleaned from Facebook, LinkedIn, obscure data brokers, and exposed PII databases; and voilà, the scam works as intended," he adds. Business email compromise has become a hugely profitable industry, with $5 billion in profit and categorization as a separate crime type by the FBI starting in 2017.

"What we're seeing more and more is spearphishing attacks, hearing much more of attackers using social engineering in a variety of different ways to get people to give up their account credentials," says Reena Nadkarni, group product manager at Google.

BEC attacks rely on simplicity, credibility, psychology, and urgency to convince victims to act, Adams points out. They won't use too many details: "It was great talking to you the other day" is more likely to convince a target than "It was great meeting you at Starbucks last Wednesday." Attackers may capitalize on employees' hesitation to question managers. "I can't talk right now, but I need you to do this immediately" is another line they may send a BEC target.

Of the 12,500 malware attachments that bypassed email security systems in the ESRA test, 11,653 contained known malware and 849 contained unknown malware. Failing to detect unknown malware in an email can be hugely detrimental because most common antivirus systems won't notice it, and an attacker can gain or extend their presence on the network.

Can Email Security Keep Up?
Major email providers Microsoft and Google have been stepping up to build stronger security into their platforms. Nadkarni explains how the evolution of cyberattacks has made email security a challenge; now, attackers are spoofing websites and creating lookalike domains.

"What's interesting about some of these emails is they don't have an attachment," she says. "Many of the traditional methods of being able to catch these just don't work."
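The attachment-free impersonation described above is usually caught, if at all, by looking at the sender rather than the payload. The following is an added example (not code from the article or from any vendor quoted in it) of a simple heuristic a mail gateway or SIEM rule could apply to the From: header: it normalizes common character substitutions, compares the sender domain against a constructed list of trusted domains, and flags a protected display name arriving from an external domain.

```python
from email.utils import parseaddr

# Constructed placeholders (assumptions, not from the article): the domains this
# organization owns and the display names most likely to be impersonated.
TRUSTED_DOMAINS = {"example.com", "example.net"}
PROTECTED_NAMES = {"Jane Doe"}


def normalize(domain: str) -> str:
    """Fold common lookalike substitutions (rn->m, vv->w, 0->o, 1->l, 5->s)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("015", "ols"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return a list of findings for a From: header; empty means nothing suspicious."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return []  # genuinely internal; authenticity is SPF/DKIM/DMARC's job
    findings = []
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted) or edit_distance(norm, trusted) <= 1:
            findings.append(f"lookalike domain {domain!r} resembles {trusted!r}")
            break
    if name.strip() in PROTECTED_NAMES:
        findings.append(f"display name {name!r} is protected but sender domain is {domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one internal, two lookalikes, one name-only impersonation
    for hdr in ("Jane Doe <jane.doe@example.com>", "Jane Doe <jane.doe@examp1e.com>",
                "Accounts Payable <ap@exarnple.com>", "Jane Doe <jdoe@mailhost.test>"):
        print(hdr, "->", check_sender(hdr) or "ok")
```

The heuristic is deliberately conservative (distance of at most one after normalization) to keep false positives low; it complements, rather than replaces, DMARC alignment checks on the authenticated domain.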

Google recently added a few new Gmail security features as part of a broader redesign. Users can protect sensitive content by setting expiration dates for their messages or revoking sent messages before or after they're viewed. Recipients may be required to provide additional information to view messages, a measure intended to protect data even if the receiving account has been hacked.

Microsoft, to its credit, has also added new security features to its email platform. However, some security experts note there's much more to be done on the data security front. Gmail's confidential computing is "a step in the right direction," says Wallenstrom, but users must know to set data expiration for each email, and the setting applies only on the recipient's end. He points out that also minimizing data on the sender's account would add helpful protection.

Adams says "it's a little bit late and it's also, in my mind, a little bit lacking," with respect to the recent Gmail updates, specifically referring to enterprise security. It might be good for smaller businesses, he says, but for major corporations "I don't see it being secure and effective enough at this time."

Eitan Bremler, vice president of product at Safe-T, points out that Exchange is still limited by file size (unless you send via OneDrive) and has no integration with data loss prevention (DLP) and antivirus (AV) software. With Gmail, he's concerned about a lack of advanced security functions such as file encryption and DLP or AV integration.

"While hackers have grown more sophisticated and created more nuanced ways of getting into emails, email technologies themselves have not evolved much from a technology perspective over the last 20 years," Bremler says.

What Businesses Can Do in the Meantime
To improve email security, Wallenstrom advises businesses to make security and data minimization a default, "something that employees don't have to opt into each time they communicate," he says. Further, enforcing a business-wide policy that bans sending valuable data — financial information, business intelligence — via email would also help build security hygiene.

"What surprises me is even today, a large number of administrative accounts don't have two-factor authentication," says Nadkarni. "If you have admin accounts in any system and that's compromised, that's a huge deal."

She also advises businesses to look into security keys. "That makes such a huge difference," she explains, noting that even multifactor authentication codes can be phished. "To introduce an element of physical security, that changes the game quite a bit."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
JTEmailSec
User Rank: Apprentice
5/29/2018 | 2:06:36 PM
The challenge is human behavior - not the technology
Ultimately there's not much that technology can do when people are going to click through to malicious websites, go into spam to open Russian bride offers, or wire someone money without using MFA.

The tools are really powerful, filtering 99.9%+ of spam or even emails that are questionable.


BrianN060
User Rank: Ninja
5/10/2018 | 4:04:36 PM
We made email the vulnerability it is today
Thanks for the article on BEC.

As mentioned, attachments were a principal source of compromise; but no longer necessary, because of other features added for our convenience. We still refer to these communications as email (electronic mail); though the reference to letters exchanged by post retains little relevance.

Each letter was an item traveling from one address to another; each email is packet-ized and the packets disseminated to countless waypoints to be copied and forwarded to countless more; in a process that only ends when the addressee (an IP address node device, not a person) informs the internet that at least one copy of each packet in the parcel has arrived at its destination - effectively, emails are broadcast. Thinking of email in terms of postal mail (with all our assumptions and experience with that) was a misconception from the get-go. Maybe "pradio" (personal radio transmitter/receiver) would have given us a clearer picture of what we would be dealing with.

Postal mail attachments were harmless (unless dipped in poison), at least until any forms were filled out and returned. Email attachments can carry malware, but embedded images (blocks of binary we take to be interpreted as a picture) can serve just as well. Yes, we can be warned that "images were prevented..."; but legit senders want us to see them, and we want to see what "they" sent - so we revert to the postal mail assumption that the sender is who they say they are, and download the images.

What would today's email be without hyperlinks - a lot less of a vulnerability. With a single click, we can be whisked away to who knows where, or agree to who knows what.

Maybe the way to make email safer is to make it less 21st century. At least with business emails, treat the process of sending and accepting them more as we would have with business letters: Be a little more formal. Always include specifics in the subject line. Be more sparing in how many emails you send (pretend it cost you postage and the pay of a secretary to take dictation, correct your grammar, and type it onto your company's stationery). Offer to send attachments - if they request them in a reply.

If we keep in mind that email is not mail, yet treat it a little more as if it were, we'd all have less to worry about.