How to Stop Embarrassing Email Hacks
A popular social media meme reads something to the effect of, “Write every email as if it will one day be read aloud in a deposition.” One could also add, “…or publicly released by WikiLeaks.” With more and more sensitive data being sent by email, now is the time to step back and understand how best to protect your organization and your customers from the embarrassment of an email data leak.
Your email account contains most of the personal information an attacker needs to make your life miserable: bank records, receipts, credit card bills and numbers, your address, confidential or even top secret information, and passwords if you ever shared them with someone. Because the mailbox is also where password resets for most other services arrive, a single compromised account unlocks far more than the mail itself. It is all in one place and easy pickings, which is why email has become one of attackers’ favorite avenues of attack.
The news is filled with the aftermath of email hacks. Hackers penetrated the email accounts of John Podesta, Hillary Clinton's presidential campaign chairman; the Democratic National Committee (DNC); and former Secretary of State Colin Powell.
Recently, internet giant Yahoo said information from at least 500 million accounts was stolen in 2014; the data may have included names, addresses, telephone numbers, dates of birth, and security questions and answers.
Whether you are running for office or just trying to run a business, there are a number of best practices that can be employed to fend off email hacks:
Assign a Different, Strong Password to Each System
The Houston Astros were breached after a new employee who had come from the St. Louis Cardinals chose a password nearly identical to the one he had used at his old club, which let a Cardinals employee guess his way into his Astros email account and from there into the Astros’ internal database. The lesson is that reuse, including slight variations of an old password, is exactly what an attacker exploits. Every account on every system should have its own long, randomly generated password, ideally kept in a password manager so that uniqueness costs the user nothing, and any password that shows up in a breach or is suspected of having been shared should be changed immediately. Forcing users to change passwords on a fixed schedule is no longer recommended (see NIST SP 800-63B): it pushes people toward precisely the predictable variations that exposed the Astros. Where the mail system supports it, requiring a second factor at login blunts a guessed or phished password outright.
Secure Mail Server Connections & Protocols
Connections to the mail server must be protected with TLS (transport layer security) and backed by host-level filtering rules. TLS encrypts the traffic between the email client and the mail server, and between mail servers; SSL (secure sockets layer) is its obsolete predecessor, and SSLv2 and SSLv3 should be disabled outright. Without this encryption, anyone who intercepts the network’s traffic can read everything, including the passwords sent during login. Firewall-like rules at the server level back up the network firewall, offering redundancy if it fails or is misconfigured, and can impose rules on hosted traffic and established connections.
After securing the connection, the next step is to secure the protocols by undertaking such best practices as:
· Running a separate listener for each role, for example port 25 for server-to-server mail and port 587 (submission) for authenticated clients, each with its own allow and deny rules.
· Limiting the number of connection and authentication errors per client and the maximum number of commands per session, and setting time-outs for idle sessions, so that password guessing and resource exhaustion are cut off early.
· Setting up client control rules based on the sender’s or recipient’s email address, including limits on the size and number of email messages.
· Offering only authentication mechanisms appropriate to the transport: PLAIN and LOGIN only after TLS is established, GSSAPI/Kerberos where the organization already runs it, and no CRAM-MD5 or other MD5-based mechanisms, which are obsolete and force the server to store passwords in a recoverable form. Authentication controls who may send; it is the rate limits above, not the mechanism list, that blunt brute-force and denial-of-service attempts.
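As an added example (not from the original article), the Python script below audits what a server advertises in reply to EHLO against three of the points above: STARTTLS must be offered, PLAIN/LOGIN must not appear before TLS, and no MD5-based mechanism should appear at all. Both servers' replies are constructed for illustration, not captured from real hosts, and mail.example.com is a placeholder name.

```python
"""Audit an SMTP server's EHLO capability advertisement.

Added example, not part of the original article. The EHLO replies below
are constructed for illustration, not captured from a real server.
"""
from typing import Dict, List, Optional

# Mechanisms that carry the password itself (base64 is not encryption);
# acceptable only after STARTTLS has completed.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms built on MD5: obsolete, and CRAM-MD5 forces
# the server to keep passwords in a recoverable form.
WEAK_DIGEST_MECHS = {"CRAM-MD5", "DIGEST-MD5"}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map '250-EXTENSION args' lines to {EXTENSION: [ARGS]}.

    The first 250 line is the server's greeting, not a capability, so it is
    skipped. Keywords and arguments are case-insensitive (RFC 5321).
    """
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()[:3] == "250"]
    caps: Dict[str, List[str]] = {}
    for ln in lines[1:]:
        parts = ln[4:].split()          # drop the '250-' or '250 ' prefix
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def audit_ehlo(pre_tls_reply: str, post_tls_reply: Optional[str]) -> List[str]:
    """Return findings for a pair of EHLO replies.

    pre_tls_reply  - what the server advertises on a fresh plaintext connection
    post_tls_reply - what it advertises after STARTTLS (None if TLS is unavailable)
    """
    findings: List[str] = []
    pre = parse_ehlo(pre_tls_reply)
    pre_auth = set(pre.get("AUTH", []))
    post_auth = set(parse_ehlo(post_tls_reply).get("AUTH", [])) if post_tls_reply else set()

    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: mail and passwords cross the network in the clear")
    if pre_auth & CLEARTEXT_MECHS:
        findings.append("AUTH PLAIN/LOGIN advertised before TLS: a passive sniffer gets passwords")
    if (pre_auth | post_auth) & WEAK_DIGEST_MECHS:
        findings.append("CRAM-MD5/DIGEST-MD5 offered: obsolete MD5 mechanisms, disable them")
    return findings


# Constructed reply from a weakly configured server (plaintext connection).
WEAK_PRE_TLS = """250-mail.example.com Hello client
250-SIZE 10240000
250-AUTH PLAIN LOGIN CRAM-MD5
250 8BITMIME"""

# Constructed replies from a hardened server, before and after STARTTLS.
HARDENED_PRE_TLS = """250-mail.example.com Hello client
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""
HARDENED_POST_TLS = """250-mail.example.com Hello client
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for name, pre, post in (("weak", WEAK_PRE_TLS, None),
                            ("hardened", HARDENED_PRE_TLS, HARDENED_POST_TLS)):
        print(name + ":", audit_ehlo(pre, post) or ["no findings"])
```

The weak server draws three findings; the hardened one, which only reveals AUTH once the channel is encrypted, draws none. Against a live server the same logic would be fed the replies from `smtplib.SMTP.ehlo()` before and after `starttls()`.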
Prohibit Open Relaying
A mail server’s relay rules specify which clients (by IP address, network or authenticated identity) and which destination domains it will relay mail for. They must be configured to prohibit “open relaying,” in which the server accepts mail from anyone to anyone. Open relays are not only insecure in themselves; attackers use them and the organization’s network resources to send spam or phishing mail, and the organization’s domain and IP space end up blacklisted. SMTP authentication (SMTP AUTH, inside TLS) should be required so that nobody can send mail through the organization’s server without a user name and password, and the set of internal networks allowed to relay without authenticating should be kept as small as possible.
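The following Python model, added here as an example and not taken from the original article or any mail server's code, puts the open-relay misconfiguration next to the hardened rule order and runs four constructed RCPT TO attempts through both. The domains, networks and sessions are placeholders.

```python
"""Relay-control decision for an SMTP RCPT TO command.

Added example, not part of the original article: it models the rule order a
mail server applies rather than any product's own code. The domains,
networks and sample sessions are constructed for illustration.
"""
import ipaddress
from typing import Callable, Tuple

# Domains this server delivers locally; mail *to* them is never a relay.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
# Networks allowed to relay without authenticating. Keep this tiny: any
# compromised host inside it turns the server into a spam source.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("10.20.0.0/24")]

Decision = Tuple[bool, str]   # (accept?, SMTP reply)


def open_relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> Decision:
    """The misconfiguration: any client may send to any destination."""
    return True, "250 2.1.5 Ok"


def relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> Decision:
    """Hardened policy, outcome-equivalent to Postfix's
    smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination."""
    domain = rcpt_to.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 Ok (local recipient)"
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:                       # unparsable client: never trusted
        return False, "554 5.7.1 Relay access denied"
    if any(ip in net for net in MYNETWORKS):
        return True, "250 2.1.5 Ok (trusted network)"
    if authenticated:
        return True, "250 2.1.5 Ok (authenticated submission)"
    return False, "554 5.7.1 Relay access denied"


# Constructed RCPT TO attempts: (client IP, authenticated?, recipient).
SESSIONS = [
    ("203.0.113.7", False, "alice@example.com"),      # internet -> local user
    ("203.0.113.7", False, "victim@other.example"),    # internet -> third party: spam
    ("10.20.0.15", False, "partner@other.example"),    # internal host relaying out
    ("198.51.100.9", True, "partner@other.example"),   # authenticated remote user
]


def relayed_for_strangers(decide: Callable[[str, bool, str], Decision]) -> int:
    """Count sessions where an unauthenticated, untrusted client got mail
    relayed to a non-local domain, i.e. the open-relay abuse case."""
    count = 0
    for ip, auth, rcpt in SESSIONS:
        foreign = rcpt.rpartition("@")[2].lower() not in LOCAL_DOMAINS
        trusted = any(ipaddress.ip_address(ip) in net for net in MYNETWORKS)
        if foreign and not auth and not trusted and decide(ip, auth, rcpt)[0]:
            count += 1
    return count


if __name__ == "__main__":
    for name, policy in (("open relay", open_relay_decision), ("hardened", relay_decision)):
        print(f"{name}: relayed for strangers = {relayed_for_strangers(policy)}")
        for ip, auth, rcpt in SESSIONS:
            print("   ", ip, "auth" if auth else "anon", rcpt, "->", policy(ip, auth, rcpt)[1])
```

Only the second session, an anonymous internet client addressing a third-party domain, differs between the two policies: the open relay accepts it, the hardened policy answers 554. The other three (local delivery, trusted network, authenticated submission) are accepted by both, which is the point: closing the relay costs legitimate users nothing.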
Maintain a Local IP Blacklist & Spam Filter
A local spam filter and IP blacklist let the organization block mail from addresses and domains known to have targeted it specifically, and quarantine messages containing wording characteristic of the spam and phishing it has previously received. A local list complements, rather than replaces, the public DNS-based blocklists most mail servers already consult: it catches the attacker who is interested only in you and therefore never shows up on a shared list.
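As an added example, not from the original article, here is a minimal local filter in Python that rejects connections from a local IP blacklist at SMTP time and quarantines messages matching phrases harvested from earlier phishing. The blacklist entries, phrases and three sample messages are constructed; a real deployment would feed the lists from the organization's own incident history.

```python
"""A minimal local IP blocklist and phrase filter for inbound mail.

Added example, not part of the original article. The blocklist entries,
phrases and sample messages are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Networks and hosts seen targeting this organization before (constructed).
LOCAL_IP_BLOCKLIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.66/32")]

# Phrases lifted from phishing previously sent to this organization
# (constructed). Matched case-insensitively as whole phrases, so ordinary
# mail that merely mentions "transfer" is not caught.
PHISH_PHRASES = ["verify your mailbox", "your account will be suspended", "wire transfer today"]
PHRASE_RE = re.compile("|".join(re.escape(p) for p in PHISH_PHRASES), re.IGNORECASE)


@dataclass
class Message:
    client_ip: str        # connecting SMTP client (outermost Received header)
    mail_from: str
    subject: str
    body: str


@dataclass
class Verdict:
    action: str                                   # "reject", "quarantine" or "deliver"
    reasons: List[str] = field(default_factory=list)


def filter_message(msg: Message) -> Verdict:
    """Blocklisted client: reject during the SMTP session, so no bounce is
    generated that could be aimed at a forged sender. Phrase hit: quarantine
    for review rather than reject, since phrase lists produce false positives."""
    ip = ipaddress.ip_address(msg.client_ip)
    if any(ip in net for net in LOCAL_IP_BLOCKLIST):
        return Verdict("reject", [f"client {msg.client_ip} on local blocklist"])
    hits = sorted({m.group(0).lower() for m in PHRASE_RE.finditer(msg.subject + "\n" + msg.body)})
    if hits:
        return Verdict("quarantine", ["phishing phrases: " + ", ".join(hits)])
    return Verdict("deliver")


# Constructed sample messages.
SAMPLES = [
    Message("203.0.113.66", "it-desk@example.net", "Mailbox quota",
            "Please verify your mailbox within 24 hours."),
    Message("192.0.2.10", "ceo@example.net", "Urgent",
            "Process the wire transfer today, I am in a meeting."),
    Message("192.0.2.20", "bob@partner.example", "Lunch", "Still on for noon?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = filter_message(m)
        print(f"{m.client_ip:>14} {m.mail_from:<24} {v.action:<10} {'; '.join(v.reasons)}")
```

The first message is refused on its source address alone, without the filter needing to read it; the second, from an untainted address, is held because of its wording; the third is delivered.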
Consider Outsourcing Email and/or Cyber Security Services
The DNC ran its own private email server before its most recent breach. That may not have been a good idea: the DNC’s core competency is political campaigning, not email administration and security, and it likely lacked the in-house resources to set up and monitor a mail server properly. Outsourcing email to a provider such as Yahoo or Google will not eliminate every threat (John Podesta’s account was hosted at Gmail and was still taken over through a phishing message), but large providers have the resources to configure server connections and protocols securely, maintain continuously updated IP and spam filters that flag suspicious messages and senders, and watch the network for anomalous activity such as a user logging in from an unusual location.
Another option is to engage a managed security services provider (MSSP) to assess the organization’s security needs. An MSSP can install and run the hardware and software needed to protect not only the email system but the rest of the organization’s network, and provide 24/7 monitoring to detect anomalous user behavior and flag confidential information leaving the network.
Don’t Forget the Human Factor
Technological tools alone cannot prevent email hacks. Attackers routinely get into an email account not by exploiting a vulnerability in the server but by spear phishing: a tailored message that lures the recipient to a counterfeit login page or a malicious attachment. Because spear-phishing emails are notorious for slipping past spam filters, employee training is the essential backstop. Employees should learn the signs of a phishing email, such as wording or spelling that is unusual for the supposed sender, a sender address or link destination that does not match the organization it claims to come from, artificial urgency (“your account will be suspended”), or anything else that seems “off,” and should know how to report a suspect message so the security team can act before the next recipient clicks. Finally, since there is no such thing as 100 percent protection against a hack, organizations should prohibit employees from sending sensitive information, such as Social Security numbers and check images, through unsecured email.
Snail mail can be shredded or burned, but electronic communications are immortal. Even when proper email etiquette is followed, emails routinely contain proprietary information that could severely harm an organization if it were hacked.
Unsecured email is like walking around with transparent underwear. Organizations must be astute at protecting these communications or risk showing your “goodies” to anyone who wants a look.
Mike Baker is founder and Principal at Mosaic451, a bespoke cybersecurity service provider and consultancy with specific expertise in building, operating and defending some of the most highly secure networks in North America.