Email is one of the most used communication methods in the world. It is amazing to me that, after 25 years of my using email, it remains one of the most exploited routes that bad actors use to compromise your business. In part 1, I spoke of five ways hackers take advantage of you or your employees and coworkers, with some examples of the impacts. Whether you are large or small, those vulnerabilities exist, and you need to be proactive in protecting yourself and your business.
I have experienced this firsthand, although, fortunately, we were not impacted by it. During my consulting career, I was working an engagement doing a Microsoft Modern Workplace implementation (migrating from GroupWise and on-prem SharePoint to O365), and during the migration some bad actors crafted a phishing and BEC campaign in which they tricked a user into providing their credentials by making it look like an email from Microsoft regarding their migration. Because change was happening and the user knew of the migration activities, they let their guard down and gave the criminals access to their email.
Once in, the hackers set up a rule to redirect email to the archive and watched the user’s mailbox for business process, moving email back to the inbox that the hackers did not need or care about. Once they figured out how business was conducted, they took a legitimate email from a vendor, changed the bank account information for an invoice, and forwarded it internally to accounts payable. Because the request appeared to be from an employee, the invoice was paid without question, and no one was the wiser until the real vendor sent a past-due notice, claiming they were never paid. The criminals had been in the system a significant amount of time to figure out the business process and had 60 days to run with the money after!
Once the compromise was discovered, we participated in a Red Team investigation with Microsoft and an auditor that was a deep forensic look at all their systems, Active Directory, and devices. Fortunately for the organization, the criminals did not use the compromise to gain deeper access to the on-prem environment and then move laterally through the organization, to steal more money using their existing compromise, or to phish another higher-level employee. It could have been much worse for them.
Now, this could have been mitigated through several simple methods we will discuss below. The client I was working with did not take our recommendations during the migration and did not want to implement any security that would cause additional steps or difficulties for their users. They felt that the change in the communication platform was going to be difficult enough for their end users, and they did not have service desk capacity, or want to spend to staff up, to handle the additional influx of support calls the security measures might create. They felt their employees were intelligent enough to know how to be safe and that, since everyone using email was on internal systems, they were safe behind their old security measures. This inevitably cost them much more in the long run, and in hindsight the decision was the wrong one.
You may say, “But Jason, we already are in the cloud, and we have never had a problem before.” That may be, but don’t be like my previous client; review the tips below for ways to protect your email ecosystem and implement any you are lacking. While these tips aren’t revelatory, I find that we sometimes need to be reminded of the basic things before we take heed. If you need help with any of the topics below, feel free to reach out to me to set up a call to talk about your needs and how I can help you.
Email Security Tips and Practices:
- Employee Training and Awareness:
Educate employees about email security best practices, including how to identify phishing attempts and the importance of strong, unique passwords. Regular training and testing can help reinforce these skills. There are many services available to assist you in running internal campaigns that test your users’ ability to detect phishing attempts and identify where you need to beef up your training.
- Multi-Factor Authentication (MFA):
Implement MFA for email accounts (or, better, for all cloud accounts). Even if a hacker obtains login credentials, MFA adds an additional layer of security by requiring a secondary authentication method, such as a code sent to a mobile device. This can be set up conditionally, based on various criteria that evaluate how risky a given login is.
- Email Filtering, Monitoring, and Antivirus Software:
Invest in robust email filtering solutions that can identify and block phishing emails, malware, and suspicious attachments at the cloud level. Implement auditing and monitoring solutions that identify anomalous behavior (such as newly created email redirect rules) and alert you to investigate. Keep antivirus software up to date to detect and remove threats. Don’t just trust that a platform is safe because it claims not to be a target or not to have been hacked before.
- Patch Management:
This should go without saying and is much easier in today’s cloud environments. However, you should still confirm that you regularly update and patch email server software, email clients, and operating systems to fix vulnerabilities that hackers can exploit. Wherever possible, automate patch management processes to reduce the risk of human error.
- Secure Password Policies:
Enforce strong password policies, encouraging the use of complex passwords and regular password changes. Implement a password manager to help employees securely store and manage their passwords. Hackers can gain access to email accounts through brute force attacks, in which automated programs guess common passwords until they gain access to the account.
- Email Encryption:
Implement email encryption to protect sensitive information in transit. This ensures that even if a message is intercepted, its content remains unreadable to unauthorized parties.
- Incident Response Plan:
Develop and regularly update an incident response plan to address potential email system compromises. This plan should include steps for reporting incidents, isolating affected systems, and recovering data. With the recent news of the US SEC rules requiring companies to report cybersecurity incidents within four business days, this overlooked practice is more important now than ever.
- Regular Backups and Auditing:
Perform regular backups of critical email data. Store backups offline or in a separate, secure location to prevent ransomware attacks from compromising them. Two vendors that I like for email archiving solutions are Barracuda and Proofpoint, although there are numerous reputable vendors that provide these services.
- Access Control:
Limit access to email accounts based on job roles. Ensure that employees have the minimum access necessary to perform their duties. Limit access to systems and data from unknown locations and unknown devices. As in my example, once credentials are compromised, it is easy for a hacker to move laterally within an organization. They don’t even need admin permissions in the domain to compromise your environment and set themselves up with elevated credentials or tokens.
- Vendor Security Assessment:
If using third-party email service providers, conduct security assessments to ensure their email systems adhere to industry standards and best practices. Use a reputable vendor, or reach out to me for advice, to perform an assessment, or to provide oversight for one.
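The compromise described above was carried out through a mailbox rule, and the monitoring tip asks you to alert on exactly that kind of change. As an added example (not code from the original post, and not a Microsoft or vendor tool), the script below scores inbox-rule audit events for the traits seen in that story: forwarding to an external domain, moving mail into a folder nobody watches (such as Archive), marking it read, deleting it, filtering on invoice and payment terms, and naming the rule with punctuation only. The audit records are constructed for the example; their shape (an `Operation` plus a list of `Name`/`Value` parameters) only loosely mirrors an Exchange Online audit export, and the internal domain `example.com` is an assumption you would replace with your tenant's domains.

```python
import json
import string
from dataclasses import dataclass

# Constructed sample records. The shape loosely mirrors an Exchange Online
# unified audit log export but is built for this example, not taken from a
# real tenant or from the original post.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2023-10-02T14:05:11","UserId":"ap.clerk@example.com","Operation":"New-InboxRule","ClientIP":"203.0.113.45","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"Archive"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2023-10-02T14:06:02","UserId":"ap.clerk@example.com","Operation":"Set-InboxRule","ClientIP":"203.0.113.45","Parameters":[{"Name":"Identity","Value":"."},{"Name":"ForwardTo","Value":"billing-update@example.net"}]}
{"CreationTime":"2023-10-02T09:12:40","UserId":"jane.doe@example.com","Operation":"New-InboxRule","ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2023-10-02T10:00:00","UserId":"jane.doe@example.com","Operation":"MailItemsAccessed","ClientIP":"198.51.100.7","Parameters":[]}
"""

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders that attackers commonly use to park mail the victim will not notice.
HIDING_FOLDERS = {"archive", "rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "conversation history"}
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}
INTERNAL_DOMAINS = {"example.com"}  # assumption: the tenant's own domain(s)


@dataclass
class Finding:
    time: str
    user: str
    operation: str
    client_ip: str
    score: int
    reasons: list


def parse_audit_log(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _params(event):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def score_rule_event(event):
    """Return (score, reasons) for a single inbox-rule audit record."""
    params = _params(event)
    score, reasons = 0, []
    for name in sorted(FORWARD_PARAMS):
        if name in params:
            targets = [t.strip() for t in params[name].split(";") if t.strip()]
            external = [t for t in targets if _is_external(t)]
            if external:
                score += 3
                reasons.append(f"{name} sends mail to external address(es): {', '.join(external)}")
    if params.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("rule deletes matching mail")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to a folder users rarely watch: {folder}")
        if params.get("MarkAsRead", "").lower() == "true":
            score += 1
            reasons.append("also marks it read so no unread count appears")
    words = {w.strip().lower() for w in params.get("SubjectContainsWords", "").split(";") if w.strip()}
    hits = words & FINANCE_KEYWORDS
    if hits:
        score += 1
        reasons.append(f"filters on finance terms: {', '.join(sorted(hits))}")
    name = params.get("Name", params.get("Identity", ""))
    if name and not name.strip(string.punctuation + string.whitespace):
        score += 1
        reasons.append(f"rule name is punctuation only: {name!r}")
    return score, reasons


def find_suspicious_rules(text, threshold=2):
    """Return Findings for every rule change whose score meets the threshold."""
    findings = []
    for event in parse_audit_log(text):
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        score, reasons = score_rule_event(event)
        if score >= threshold:
            findings.append(Finding(event["CreationTime"], event["UserId"], event["Operation"],
                                    event.get("ClientIP", "?"), score, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_LOG):
        print(f"[{f.score}] {f.time} {f.user} {f.operation} from {f.client_ip}")
        for r in f.reasons:
            print("    -", r)
```

Run against the constructed log, the two rules created from 203.0.113.45 are flagged (the Archive-and-mark-read rule with a finance keyword filter, and the later edit adding an external forward), while the employee's ordinary "Newsletters" rule scores zero. The weights are a starting point, not a standard; the useful property is that an external forward is enough on its own to page someone, while folder moves need a second indicator before they do.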
Implementing these measures can significantly enhance a company’s email security, helping to mitigate the risks associated with email system compromises. Additionally, staying informed about emerging threats and continuously assessing and improving security practices is essential to maintaining a strong defense against cyberattacks. Contact me if you would like help reviewing your solutions to make sure you are secure, or if you would like to discuss options for raising your cybersecurity capabilities.