Email Security Is More Important Than Ever
Email is an amazing tool that just about everyone is at least partly familiar with. Every day, millions of emails are sent across the globe. But that’s not even the most amazing thing about it. The truly incredible thing about email is its complete and utter lack of built-in security.
That’s right. When you boil it down to basics there is no actual security built into email beyond requiring the final destination address to actually exist. This is because of when and where email was originally designed, back in the days of Warnet and Arpanet in the late ’60s. These networks didn’t have to worry about outside access since only military or large educational institutions even had access to them at the time.
The protocol that email was built on is called ‘Simple Mail Transfer Protocol’ (SMTP) and had a single goal in its design: to get a message from one computer to another. To give credit where it’s due, the designers succeeded brilliantly because email accomplishes this very well. The fact that it’s still in use is a testament to how robust this method of communication really is.
The problem is that when SMTP was designed the environment itself was secure. Both Arpanet and Warnet had limited access and the only people managing/administrating computers in those days likely had multiple PhDs. Adding security into the basic protocol would have been considered a waste of effort since the environment was secure.
Then decades later the whole thing went public and everyday people started using email, which of course is when the problems started. The lack of any built-in checks meant spoofing and exploitation became trivial matters. There have been many extensions made to the protocol since then, but the fact is email needs to remain backwards compatible and most of the security flaws stem from its original design. Nowadays even though we could in theory simply replace SMTP with some new protocol, it would likely fail simply because of how invested in email we’ve all become and how persistent old technology can be. (Seriously, some places still use fax machines and don’t even get me started on that.)
But that’s enough doom, gloom and complaining! Email is still a great tool and its basic protocols aren’t changing any time soon, so what can be done? Well that’s simple really: EDUCATION!
There seems to be an assumption that any email we get is secure, but it’s not! It doesn’t matter if you’re setting up an on-premises server like Exchange or a cloud service like Office365, if all you do is set up email and make sure it’s working, then you aren’t doing enough. Just the basics won’t cut it when it comes to email setup security.
Email Security Item #1: Set up spam filtering
If you have a cloud provider, they’ve likely already got some kind of spam filtering set up. It needs to be generic because it can’t interfere with legitimate email from customers or other real contacts. Make sure you add a level of security beyond what’s provided by default. Ask about any additional security options that are available, or add a second layer of spam filtering somewhere.
If you are setting up your own mail server then remember it’s not going to have any kind of spam filtering enabled by default. Make sure you or your administrator enables all the spam filtering checks they understand. There’s no point in enabling something you don’t know because at that point you may as well be using magic, and magic is not a good way of blocking spam.
Email Security Item #2: Configure anti-spoofing technologies
There are three anti-spoofing technologies of note here: SPF, DMARC, and DKIM. They are free to use and help make sure that a 3rd party can’t send email pretending to be from your organization (in case you were wondering what ‘spoofing’ is). Not all email solutions make use of these checks as they are not generally enabled by default and there’s no outright requirement for them. We can’t guarantee they will be effective, but they are well-accepted standards.
Email Security Item #3: Have a strict policy on email usage
There’s a common misconception out there that everyone understands email these days. This is garbage. It’s true that most people understand how to use email, but then most people also know how to drive a car (which is far different from knowing how it works). In order to protect your organization you need to have a policy regarding email usage that outlines things that users should and should not do with it.
I often read about security breaches caused because someone sent a mass email and used the CC option instead of BCC. The truth is there’s a solid chance that anyone reading this newsletter won’t even know about the BCC option since it’s been hidden from the interface of almost every email client for over a decade now. Email also has limits when it comes to things like attachments. Having a policy in place will help serve as a reminder of good practices and to inform users about the setup of your own email system.
Email Security Item #4: Be proactive about your email security
It’s important to keep an eye on things. Email is no different from anything else in the world of computers in that it’s constantly changing despite its core protocols being a holdover from history. New checks do still get added to help improve security, and email software also needs to be regularly updated whenever new patches become available.
It’s also important to keep an eye on your spam filters. Make sure you know which ones are working well and which ones aren’t. This is an advantage that on-premises email servers have over cloud ones because you can keep track of all the spam you’re actually blocking. Cloud providers have their own spam filters, but I’ve never seen any that provide in-depth details about what checks they perform and how well their filters work.
Email is one of many things that I have a great deal of experience with, so for today’s Shakespeare I’ll turn to King Lear in Act 1 when the Fool remarks “Have more than you show. Speak less than you know.”
If you have any questions about email security, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.