Clear and present danger: Combating the email threat landscape
Like it or loathe it, email is here to stay. Despite the ubiquity of file sharing services like OneDrive and Google Docs, email remains a fast and convenient way for users to review, communicate and collaborate. Almost 25 years since the first email attachment was sent, businesses around the globe remain heavily dependent on using email to send their files. Indeed, according to research firm Radicati, business emails are set to reach 116.4 billion a day before the end of 2016.
It’s no wonder then, that email represents a major security threat vector. Because, as long as organisations use email to send and receive files, malicious email attachments will continue to plague corporate inboxes. Cyber criminals have consistently proved adept at exploiting the ‘click first, think second’ behaviours of email-users, which have the potential to open the door to malware, or unintentionally expose the business to data loss.
Protecting the enterprise against such vulnerabilities is no easy task. Email threats aimed at exploiting risky user behaviours have evolved into highly sophisticated phishing and spam campaigns, targeted zero-hour attacks and data theft initiatives. But with 91% of hacks starting with a targeted email attack, organisations need to be certain that the actions they take will truly protect their users, data and assets.
Unfortunately, standard anti-virus (AV) software can only go so far, as a recent incident graphically illustrates. In August, a public domain AV signature provider wrongfully categorised all Microsoft .doc files as a virus. This led to a large number of legitimate Microsoft Word documents being blocked from transmission when they encountered an AV layer.
In order to maintain an acceptable balance between user productivity and user safety, many vendors took the decision to disable the piece of AV technology that was blocking documents affected by these false positives. This meant that documents could be transmitted to their intended recipients, where an AV system would have, in theory, defended users from malicious attachments.
It wasn’t long before cyber criminals picked up on this enticing opportunity and began creating malware files whose signatures changed and morphed in order to evade signature-based AV solutions. This resulted in surge in the number of .doc files being transmitted over email – at which time our security analytics found that approximately 80% of the files were malicious.
It’s a sobering example of how criminals are constantly monitoring the security industry in an effort to find vulnerabilities and opportunities to exploit – in this case, the reduced security for .doc attachments. It also highlights why organisations need to use multiple layers of protection. Because in this case, the false positives ‘loophole’ meant there was a greater need for non-signature based defences.
Protecting the organisation against email-enabled attacks is no easy task when users across the enterprise are opening up hundreds of emails every day. But with hackers constantly on the look out for ways of working around signature-based technologies, businesses need to ensure their email security is one step ahead.
That means adopting multi-layered threat protection and prevention technologies alongside ‘good hygiene’ employee training and email best practices:
1. Advanced detection and intrusion prevention
Sandboxing is a valuable technical control that delivers a powerful line of defence. Scanning emails at the endpoint is a good start, but attachments should be scanned again before opening so that the files and URLs can be analysed. Ideally, all incoming mail should be automatically scanned in real-time, with any suspicious attachments being forwarded to a cloud-based sandbox environment where they can be executed and thoroughly analysed to identify potentially suspicious and malicious behaviour. This guarantees that even sophisticated pieces of malware can do no harm to digital assets, as only safe files will be forwarded to users.
2. Monitor unusual spikes in file transmissions
Minimising the fallout of a potential malware attack is a priority. That means gaining full visibility of any identified malware activity, so that infected users can be automatically quarantined to prevent malware from spreading within the network, or creating unwanted communications to the outside world.
3. End user education
Representing the enterprise’s first line of defence, the workforce needs to be educated about their responsibilities when it comes to protecting customer and colleague data. Often viewed by security experts as the weakest link, employees are a target for hackers who know there are specific times when people are most susceptible to attack – at the start or end of the day, when the pressure is on to ‘get out the door’ or ‘get stuff done’ – and will send out bursts early in the morning and late in the afternoon.
For this reason, training needs to be an ongoing endeavour during which staff members are trained on how to spot a suspicious email and what to do if they receive one. This isn’t a once a year task – employees need to be regularly updated with the latest threats and approaches used by cyber criminals.
4. Stay on top of version control
Installing the latest versions of operating systems, applications and email platforms should be an essential good housekeeping practice, as vendors regularly release security patches that can help reduce exposure to some attacks.
5. Limit user access to critical IT systems
More often than not, user devices and business-critical databases are located within the same internal network. This means that infected devices could potentially going about their malicious ways while remaining undetected for a long time. Segmentation is a very effective way for businesses to detect malicious activity and contain the fall out of any attack. Data leakage prevention starts with inhibiting data collection.
Dealing with today’s modern and persistent email threats means reliance on antivirus protection or existing intrusion prevention systems is no longer enough. Today’s enterprise needs advanced threat detection technologies that not only detect targeted attacks, but provide sophisticated technical controls to detect and extract malware before it enters the organisation. Whether an organisation operates a cloud or on-premises email platform, email security is a multi-layered affair that involves taking a holistic approach to educating and protecting users and ensuring the enterprise network is constantly monitored and safe.