What is email security?<\/strong><\/h2>\n\n\n\nFor the purposes of this post, I\u2019ll define email security as pertaining to both the content of messages, as well as the accounts people use to access their emails.<\/p>\n\n\n\n
Email security does not end with authentication for accessing our accounts: message content can be validated and secured, sender identity can be authenticated, authorization of email senders can be maintained, and the integrity and functionality of the email app itself can be better secured.<\/p>\n\n\n\n
If you\u2019re the administrator of your email account, you\u2019ll naturally have a different subset of options than if your account is being administered by someone else. Depending on your threat model, which options are needed may vary somewhat, but most of us could benefit from adding more methods to our repertoires.<\/p>\n\n\n\n
Securing message content<\/strong><\/h2>\n\n\n\nFew people seem to be aware that sending an email can<\/em> be as open to eavesdropping as sending a message on a postcard. Fortunately, there are a variety of ways<\/a> to add layers of security to the process of sending a message. One method is akin to putting a message in an envelope; people can still see where the message came from, and where it was sent to, as well as the content of the message if an eavesdropper is able to intercept it at some point in the process (especially after the envelope is opened). This type of protection is considered \u201ctransport-level\u201d, as it helps protect the message in transit across the internet.<\/p>\n\n\n\nIt\u2019s also possible to secure the message from \u201cend to end\u201d, meaning the message is encrypted at the source before it ever hits the network, and then decrypted by the recipient. This shortens the time that a message might be read even by an eavesdropper, as it can\u2019t be read when it\u2019s in transit or until its contents are decrypted. The eavesdropper would also need to have the decryption key as well as the email to access the data within an intercepted message.<\/p>\n\n\n\n
Administrators often choose to implement transport-level protection, as it\u2019s the type that\u2019s most transparent to users and because it usually doesn\u2019t require their direct interaction. If end-to-end encryption is needed, it\u2019s a good idea to choose technologies that make this process simple, and to create policies that dictate when this type of encryption must<\/em> be used.<\/p>\n\n\n\nEnsuring valid, appropriate content<\/strong><\/h2>\n\n\n\nIt\u2019s a fact of modern life that much of what arrives in our inbox is not anything we want to receive. When you add up the amount of spam, scams, phishing and malware that\u2019s being sent, there\u2019s a lot of traffic that is wholly unwelcome. Most organizations and email service providers have some manner of filtering for this sort of detritus in place already, to help stem the flow. Depending on our own levels of risk tolerance, there are a variety of ways that this can be done.<\/p>\n\n\n\n
Most email providers operate a simple blacklist of known spam, phishing and malware to decrease the amount of unwanted and malicious email that reaches their customers. But many organizations would be wise to be more proactive with their filtering. You could also limit messages by attachment type; either allowing only those files from an approved list of safer or more common file types, or excluding unusual or more-risky file types.<\/p>\n\n\n\n
Keep in mind that while many popular file types may seem safer, they can still include powerful macro code or malicious, embedded files. No file type should be considered completely safe. It may be more helpful to view file types less in terms of their potential danger, and more in terms of their level of risk versus potential impact on workflow. While many people send things like documents, spreadsheets, or presentations, very few people have valid work-appropriate reasons to send or receive executable file types via email, so these can be excluded in most organizations with a minimum of hassle.<\/p>\n\n\n\n
Some organizations also choose to screen emails before they\u2019re sent out from their network too, for malware and\/or confidential company data. Most companies maintain some sort of sensitive files or information such as payment or ID card details, healthcare information, or confidential company data and would do well to log its whereabouts. It can be useful to set gateway anti-malware scanners to more \u201cparanoid\u201d settings, as a potentially slower scan of files going through email will be less noticeable or disruptive.<\/p>\n\n\n\n
Email authorization and authentication<\/strong><\/h2>\n\n\n\n![\"\"](\"https:\/\/www.welivesecurity.com\/wp-content\/uploads\/2019\/01\/Email_Security2.jpg\")
<\/a><\/figure><\/div>\n\n\n\nSpoofing email is trivially easy for miscreants, and while there are ways to limit this, the available options<\/a> are not yet widely used. These techniques help authenticate message content, indicate which users and accounts are authorized to send from your domain, and can help verify that email headers are internally consistent.<\/p>\n\n\n\nBecause these authorization and authentication techniques are not commonly implemented, the best-use case for most companies is to deploy these methods to help protect your brand integrity or prevent certain types of Business Email Compromise (BEC).<\/a> You can also use them to log emails that fail to authenticate properly, for forensic purposes.<\/p>\n\n\n\nUse of email authentication and authorization should be considered part of good administration hygiene, like promptly removing (or at least changing the passwords of) accounts that are no longer in use (such as those formerly belonging to employees who are no longer with the company).<\/p>\n\n\n\n
Account protection<\/strong><\/h2>\n\n\n\nMost of us are aware of authentication for our email accounts, as this is the type of email security most of us have. Several of the other types of email security we\u2019ve discussed in the previous paragraphs exist in part to help mitigate the damage caused by stolen login credentials, which is to say it\u2019s a huge problem that causes a cascade of other woes. But multi-factor authentication<\/a> is another very effective level of protection for access to our email accounts.<\/p>\n\n\n\nRather than just providing a username and password, which is one single \u201cfactor\u201d of verifying that you are who you say you are, multi-factor authentication combines these credentials with another method. The most common example of a second method is a one-time key \u2013 often sent by email or SMS<\/a>, or created by an app or dongle \u2013 that is input after you\u2019ve successfully entered your username and password. Multi-factor authentication can either be tied directly to the login process for an email app, or to a network login process, depending on your specific needs and threats.<\/p>\n\n\n\nSoftware protection<\/strong><\/h2>\n\n\n\nLast but not least, it\u2019s also important to protect your email by regularly updating the software you use, including your operating system and the app or browser you use to access email. This will help address vulnerabilities that could allow attackers to access your emails. You may wish to do this with automatic update capabilities in the software itself or in your operating system, or by going directly to the vendor\u2019s website for downloads.<\/p>\n\n\n\n
Final Thoughts<\/strong><\/h2>\n\n\n\nWhatever methods you choose to incorporate \u2013 be it for email or computer security in general \u2013 it\u2019s important that they be things people in your organization can and will use. This means observing the workflow of the people who will be using these technologies, choosing options that are either applied automatically or are easy to use, and then training users about how and when to use protection methods.<\/p>\n\n\n\n
Few people seem to be aware that sending an email can<\/em> be as open to eavesdropping as sending a message on a postcard. Fortunately, there are a variety of ways<\/a> to add layers of security to the process of sending a message. One method is akin to putting a message in an envelope; people can still see where the message came from, and where it was sent to, as well as the content of the message if an eavesdropper is able to intercept it at some point in the process (especially after the envelope is opened). This type of protection is considered \u201ctransport-level\u201d, as it helps protect the message in transit across the internet.<\/p>\n\n\n\n It\u2019s also possible to secure the message from \u201cend to end\u201d, meaning the message is encrypted at the source before it ever hits the network, and then decrypted by the recipient. This shortens the time that a message might be read even by an eavesdropper, as it can\u2019t be read when it\u2019s in transit or until its contents are decrypted. The eavesdropper would also need to have the decryption key as well as the email to access the data within an intercepted message.<\/p>\n\n\n\n Administrators often choose to implement transport-level protection, as it\u2019s the type that\u2019s most transparent to users and because it usually doesn\u2019t require their direct interaction. If end-to-end encryption is needed, it\u2019s a good idea to choose technologies that make this process simple, and to create policies that dictate when this type of encryption must<\/em> be used.<\/p>\n\n\n\n It\u2019s a fact of modern life that much of what arrives in our inbox is not anything we want to receive. When you add up the amount of spam, scams, phishing and malware that\u2019s being sent, there\u2019s a lot of traffic that is wholly unwelcome. Most organizations and email service providers have some manner of filtering for this sort of detritus in place already, to help stem the flow. Depending on our own levels of risk tolerance, there are a variety of ways that this can be done.<\/p>\n\n\n\n Most email providers operate a simple blacklist of known spam, phishing and malware to decrease the amount of unwanted and malicious email that reaches their customers. But many organizations would be wise to be more proactive with their filtering. You could also limit messages by attachment type; either allowing only those files from an approved list of safer or more common file types, or excluding unusual or more-risky file types.<\/p>\n\n\n\n Keep in mind that while many popular file types may seem safer, they can still include powerful macro code or malicious, embedded files. No file type should be considered completely safe. It may be more helpful to view file types less in terms of their potential danger, and more in terms of their level of risk versus potential impact on workflow. While many people send things like documents, spreadsheets, or presentations, very few people have valid work-appropriate reasons to send or receive executable file types via email, so these can be excluded in most organizations with a minimum of hassle.<\/p>\n\n\n\n Some organizations also choose to screen emails before they\u2019re sent out from their network too, for malware and\/or confidential company data. Most companies maintain some sort of sensitive files or information such as payment or ID card details, healthcare information, or confidential company data and would do well to log its whereabouts. It can be useful to set gateway anti-malware scanners to more \u201cparanoid\u201d settings, as a potentially slower scan of files going through email will be less noticeable or disruptive.<\/p>\n\n\n\n Spoofing email is trivially easy for miscreants, and while there are ways to limit this, the available options<\/a> are not yet widely used. These techniques help authenticate message content, indicate which users and accounts are authorized to send from your domain, and can help verify that email headers are internally consistent.<\/p>\n\n\n\n Because these authorization and authentication techniques are not commonly implemented, the best-use case for most companies is to deploy these methods to help protect your brand integrity or prevent certain types of Business Email Compromise (BEC).<\/a> You can also use them to log emails that fail to authenticate properly, for forensic purposes.<\/p>\n\n\n\n Use of email authentication and authorization should be considered part of good administration hygiene, like promptly removing (or at least changing the passwords of) accounts that are no longer in use (such as those formerly belonging to employees who are no longer with the company).<\/p>\n\n\n\n Most of us are aware of authentication for our email accounts, as this is the type of email security most of us have. Several of the other types of email security we\u2019ve discussed in the previous paragraphs exist in part to help mitigate the damage caused by stolen login credentials, which is to say it\u2019s a huge problem that causes a cascade of other woes. But multi-factor authentication<\/a> is another very effective level of protection for access to our email accounts.<\/p>\n\n\n\n Rather than just providing a username and password, which is one single \u201cfactor\u201d of verifying that you are who you say you are, multi-factor authentication combines these credentials with another method. The most common example of a second method is a one-time key \u2013 often sent by email or SMS<\/a>, or created by an app or dongle \u2013 that is input after you\u2019ve successfully entered your username and password. Multi-factor authentication can either be tied directly to the login process for an email app, or to a network login process, depending on your specific needs and threats.<\/p>\n\n\n\n Last but not least, it\u2019s also important to protect your email by regularly updating the software you use, including your operating system and the app or browser you use to access email. This will help address vulnerabilities that could allow attackers to access your emails. You may wish to do this with automatic update capabilities in the software itself or in your operating system, or by going directly to the vendor\u2019s website for downloads.<\/p>\n\n\n\n Whatever methods you choose to incorporate \u2013 be it for email or computer security in general \u2013 it\u2019s important that they be things people in your organization can and will use. This means observing the workflow of the people who will be using these technologies, choosing options that are either applied automatically or are easy to use, and then training users about how and when to use protection methods.<\/p>\n\n\n\nEnsuring valid, appropriate content<\/strong><\/h2>\n\n\n\n
Email authorization and authentication<\/strong><\/h2>\n\n\n\n
<\/a><\/figure><\/div>\n\n\n\nAccount protection<\/strong><\/h2>\n\n\n\n
Software protection<\/strong><\/h2>\n\n\n\n
Final Thoughts<\/strong><\/h2>\n\n\n\n