Six golden rules for enhanced email security
by Tina Siering
Rule 1: Plausibility check and correct DKIM configuration
Many attacks via e-mail can already be thwarted by the addressee performing a plausibility check before opening a message. First check whether the sender is known, whether the subject makes sense, and whether an attachment on this subject is expected. It is best to delete obvious spam and phishing e-mails immediately, without looking at their content any further. Phishing e-mails can be recognized by phrases that are intended to create time pressure or threaten drastic consequences. If you accidentally delete a genuine e-mail, a sender you know will surely get in touch again.
From a technical point of view, one of the most common email security weaknesses is a missing or incorrect DomainKeys Identified Mail (DKIM) configuration. DKIM should definitely be configured. DKIM is an email authentication method that lets the receiver verify the sending domain, which makes forgery more difficult. When it is configured correctly, the sending mail server adds a DKIM signature to the message header; the receiving server fetches the domain's public key from the DNS zone and uses it to verify that signature. This check confirms the authenticity of your e-mails and guarantees the integrity of your messages. Originally, the DomainKeys Identified Mail procedure was only intended to stem the tide of spam, but since it exposes spoofed sender addresses, it also significantly improves your protection against phishing attacks! So configure DKIM on your mail gateway and your DNS server, and if possible also enable DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC lets you specify how receivers should deal with e-mails that fail these checks.
Rule 2: Basic protection measures
Protect email accounts using classic protective measures. These include:
- Always use an encrypted connection (HTTPS) to the mailbox.
- Refrain from displaying and generating HTML e-mails.
- Disable the display of external content, such as images.
- Use a strong password to prevent access data from being guessed.
- In addition, make multifactor authentication the standard.
- Keep permissions for corporate mailboxes up to date and disable obsolete accounts.
Rule 3: Keep the operating system, virus protection and other programs up to date!
It is worth taking precautions in case an employee is inattentive or a mail system is poorly configured. Many an attempted attack can be stopped by security features of the operating system or anti-virus software. So be aware: your computer is only as secure as your last security update, and cyber criminals are always coming up with new attack strategies and new malware. In addition, software developers often discover security vulnerabilities in their code only after users report them. Establish targeted and regular patch management in order to detect security gaps in time and, if necessary, close them.
In addition to the operating system, all applications that communicate with the Internet should always be up to date. Newer versions of an application often have more security features and thus help to ward off criminal attacks. Your employees or IT specialists can also download software updates manually, but in that case the updates should come from the manufacturer's site. To ensure that an update installation is not overlooked due to vacation or illness, the auto-update mechanisms that can be activated in the options of modern software have proven their worth.
Rule 4: Make sure you have correct server configurations!
With the appropriate server settings, you can reduce the frequency of phishing attacks. For example, limit the number of mail-address validations a single requestor may perform via your e-mail gateway or IDP system to a small number per day, and then have the requestor's IP address blocked. This is because some criminals use the server's feedback about which SMTP users exist to harvest valid personal addresses.
To avoid spoofing (identity deception) with your company's name, configure your SPF record properly. A Sender Policy Framework record specifies which mail servers are authorized to send e-mail for your domain. These should only be servers of the company, even when it comes to your newsletter.
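The daily cap on address validations described above, as an added example that is not part of the original article: a small per-IP rate limiter of the kind a gateway or IDP front end could apply to recipient-validation requests. The class name, the threshold of 20 attempts per day, the IP addresses and the event list are all constructed for the demonstration; a real gateway would plug the same logic into its SMTP or authentication handler.

```python
"""Per-source cap on address-validation attempts at a mail gateway (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


class ValidationRateLimiter:
    """Counts recipient-validation attempts per client IP over a rolling window
    and blocks the IP for one full window once the cap is exceeded."""

    def __init__(self, max_attempts: int = 20, window: timedelta = timedelta(days=1)):
        self.max_attempts = max_attempts
        self.window = window
        self._attempts: Dict[str, List[datetime]] = defaultdict(list)
        self.blocked_until: Dict[str, datetime] = {}

    def allow(self, ip: str, now: datetime) -> bool:
        """Register one attempt from `ip`; return True if the gateway may answer it."""
        until = self.blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False  # the block is still in force
            del self.blocked_until[ip]  # block expired, start counting afresh
        stamps = self._attempts[ip]
        cutoff = now - self.window
        stamps[:] = [t for t in stamps if t > cutoff]  # forget attempts older than the window
        stamps.append(now)
        if len(stamps) > self.max_attempts:
            self.blocked_until[ip] = now + self.window  # cap exceeded: block the requestor
            return False
        return True


# Constructed sample data (not from the article): one host iterating through
# candidate addresses, one legitimate partner server doing a few lookups.
T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
PROBE_IP = "198.51.100.7"
NORMAL_IP = "203.0.113.25"


def constructed_events() -> List[Tuple[str, datetime, str]]:
    events = [(PROBE_IP, T0 + timedelta(seconds=i), f"user{i}@example.com") for i in range(25)]
    events += [(NORMAL_IP, T0 + timedelta(minutes=m), "sales@example.com") for m in (1, 5, 9)]
    return sorted(events, key=lambda ev: ev[1])


def run_demo(limiter: Optional[ValidationRateLimiter] = None):
    """Feed the constructed events through the limiter; return per-IP counts and the limiter."""
    limiter = limiter or ValidationRateLimiter(max_attempts=20)
    counts = {ip: {"allowed": 0, "denied": 0} for ip in (PROBE_IP, NORMAL_IP)}
    for ip, when, _rcpt in constructed_events():
        counts[ip]["allowed" if limiter.allow(ip, when) else "denied"] += 1
    return counts, limiter


if __name__ == "__main__":
    result, lim = run_demo()
    for ip, c in result.items():
        state = "BLOCKED" if ip in lim.blocked_until else "ok"
        print(f"{ip:15} allowed={c['allowed']:2} denied={c['denied']:2} {state}")
```

The probing host gets its first 20 validations answered and is then refused for a full day, while the partner server's three lookups are unaffected; the block entry also tells an operator which address to add to the firewall deny list.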
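The DKIM and DMARC records from Rule 1 and the SPF record discussed here are all published as DNS TXT records, and common misconfigurations are visible in their text alone. The following offline checker is an added example, not code from the article: it parses constructed sample records and reports the weak settings a reviewer would flag (an SPF `+all`/`?all`, a DKIM record with an empty key or testing flag, a DMARC policy of `p=none` or without a report address). The record contents, the domain names and the placeholder key value are all constructed for the demonstration.

```python
"""Offline policy checks for SPF, DKIM and DMARC TXT records (added example)."""
from typing import Dict, List

# Terms that cost a DNS lookup during SPF evaluation; RFC 7208 caps them at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> List[str]:
    """Return a list of findings for one SPF record (empty list = no issues found)."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and unreliable")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unlisted hosts are treated as neutral")
    elif all_qualifier in ("+", "?"):
        findings.append(f"SPF: '{all_qualifier}all' lets any host send for the domain")
    return findings


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DKIM and DMARC share this syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record: str) -> List[str]:
    """Findings for a DKIM selector record (<selector>._domainkey.<domain>)."""
    tags = parse_tags(record)
    findings: List[str] = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty p= tag means the key is revoked; signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: t=y marks the domain as testing; verifiers may ignore failures")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(f"DKIM: unknown key type k={tags['k']}")
    return findings


def check_dmarc(record: str) -> List[str]:
    """Findings for a DMARC record (_dmarc.<domain>)."""
    tags = parse_tags(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        findings.append(f"DMARC: pct={pct} is not a number")
    elif int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def audit(records: Dict[str, str]) -> List[str]:
    """Run all three checks over a dict with keys 'spf', 'dkim' and 'dmarc'."""
    return check_spf(records["spf"]) + check_dkim(records["dkim"]) + check_dmarc(records["dmarc"])


# Constructed sample records; the DKIM key value is a placeholder, not a real key.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ptr ?all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none",
}
STRONG = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit(recs) or ["no findings"])
```

The weak set produces six findings and the hardened set none. The checker reads record text only; resolving the records for a live domain (for example with `dig TXT _dmarc.example.com`) is a separate step, and a mail system should still be tested end to end, since a correct DNS record does not prove the gateway actually signs outgoing mail.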
To encrypt log-in and other personal credentials in transit, do not rely on self-signed certificates; use certificates from external certificate authorities instead. This way the identity of your mail system can be validated by other users and servers. Many organizations are tempted to use self-signed SSL certificates instead of certificates issued and verified by a trusted certificate authority, mainly because of the price difference. However, self-signed certificates are not trusted by many receiving mail servers, which consequently fall back to unencrypted delivery, and they trigger a security warning for users, for example when opening the mail system's web page (OWA). Often, the warnings advise visitors to leave the page for security reasons, which does not look very trustworthy. Potential customers might be driven away for fear that the website does not protect credentials correctly.
Last but not least: if attackers hosted a copy of the web access under a different site, users would see the same certificate warning they are already used to clicking through, and could not tell the fake from the real system.
Rule 5: Encrypt your e-mails!
Non-encrypted e-mails are like postcards: they are sent, transported and received in plain text. Accordingly, criminals can easily read or manipulate such mails, for example by means of a man-in-the-middle attack. Since the adoption of the EU General Data Protection Regulation (EU GDPR), companies run high risks if they neglect email protection. To address this, the following basic encryption methods exist:
- TLS encryption: the minimum standard for secure email communication, where transport between mail servers is encrypted.
- End-to-end encryption: using methods such as S/MIME or OpenPGP, the e-mail is encrypted from client to client (end-to-end).
- Symmetric encryption: the sender encrypts the message with a secret key that the recipient must also possess in order to read it. A way must be found to transmit this shared key securely to the recipient.
- Asymmetric encryption: the message is encrypted with the recipient's public key and can only be decrypted with the recipient's private key, so no secret has to be shared in advance.
We recommend that you implement TLS as the minimum standard for secure email communication. In addition, use end-to-end encryption via S/MIME or PGP to ensure that e-mail messages are protected all the way to the recipient.
Rule 6: Verify the sender with a digital signature
In the context of e-mail security, there is no getting around the topics of e-mail encryption and e-mail signing. Both are important tools for achieving information security objectives. The sender and the integrity of a message can also be verified without encrypting the content of the mail (see Rule 5). This is done by signing the mail: a checksum is formed over the information contained in the message, and that checksum is encrypted with the sender's private key. The recipient, in turn, decrypts the checksum with the sender's public key, recomputes it over the received message and, if both match, knows that the message comes from the real sender and has not been altered.
If an e-mail has been signed but not encrypted, the message can be read in plain text. Signing is used for sender verification and to assess whether a message has been modified during transmission.
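The hash-then-sign procedure of Rule 6, and the public/private key pair of the asymmetric bullet in Rule 5, worked through in code as an added example that is not part of the original article. It uses a toy textbook-RSA key pair built only from the Python standard library (a seeded Miller-Rabin prime search, no padding scheme), so that the mechanics are visible; real S/MIME and OpenPGP implementations use standardized padding and certificate handling on top of the same idea. The key sizes, the seed and the message bodies are constructed for the demonstration.

```python
"""Hash-then-sign with a toy textbook-RSA key pair (added example, stdlib only)."""
import hashlib
import math
import random
from typing import Dict, Tuple

PublicKey = Tuple[int, int]   # (e, n)
PrivateKey = Tuple[int, int]  # (d, n)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin primality test; enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 512, seed: int = 0) -> Tuple[PublicKey, PrivateKey]:
    """Toy RSA key pair; n must exceed 2**256 so a SHA-256 digest fits below it."""
    rng = random.Random(seed)  # seeded only so the demonstration is reproducible

    def random_prime(nbits: int) -> int:
        while True:
            cand = rng.getrandbits(nbits) | (1 << (nbits - 1)) | 1  # force top bit, odd
            if is_probable_prime(cand, rng):
                return cand

    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def message_digest(message: bytes) -> int:
    """The 'checksum' over the message: its SHA-256 digest as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, priv: PrivateKey) -> int:
    """Sender side: apply the private key to the digest."""
    d, n = priv
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Recipient side: recover the digest with the public key and compare it
    with a digest recomputed over the message actually received."""
    e, n = pub
    return pow(signature, e, n) == message_digest(message)


def build_signed_mail(body: bytes, priv: PrivateKey) -> Dict[str, object]:
    """Signed but not encrypted: the body stays readable, the signature travels alongside."""
    return {"body": body, "signature": sign(body, priv)}


def check_signed_mail(mail: Dict[str, object], sender_pub: PublicKey) -> bool:
    return verify(mail["body"], mail["signature"], sender_pub)


if __name__ == "__main__":
    pub, priv = generate_keypair(seed=2024)
    mail = build_signed_mail(b"Invoice 4711 is due on Friday.", priv)
    print("readable body:", mail["body"].decode())
    print("signature verifies:", check_signed_mail(mail, pub))
    mail["body"] = b"Invoice 4711 is due today; pay to the new account."  # tampered in transit
    print("after tampering:", check_signed_mail(mail, pub))
```

Two properties are visible in the output: anyone can read the body, because signing does not hide it, and a single changed byte in transit makes verification fail, because the recomputed checksum no longer matches the one recovered with the sender's public key. A signature made with somebody else's private key fails for the same reason, which is what makes the sender check meaningful.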
Emails are still one of the main gateways for malware and ransomware attacks! Phishing, virus-infected attachments and also spam pose concrete threats to your IT security. The key to a high level of IT security is a security strategy that takes all potential sources of danger into account, including your own employees. With targeted social engineering training and security solutions for early attack detection, the level of IT security can be significantly increased.