Join David Kruger for an in-depth discussion in this video Data theft and email, part of Cybersecurity Awareness: Digital Data Protection.
- [Instructor] Organizations use email every day to store, deliver, and discuss sensitive information. Things like financial data, their business plans, intellectual property, their client records, employer records, and a lot more. Current email security products consistently fail to provide the security and control businesses are looking for and consistently succeed at annoying IT administrators and their employees, and end users. As a result, many businesses have limited or delayed the implementation of email encryption services.
Among the various security risks you face, why should email security be a high priority? Every business would like to secure and control its critical digital information at all times, everywhere it exists. Digital information can be categorized in two ways. The first is structured information and that's information that is stored in large relational databases. The second is unstructured information and that's things like files, such as emails or Microsoft Word or Excel documents, or PDFs, or pictures, or movies, or sound files.
While database applications generally provide a means of controlling structured data, unstructured data is typically shared between multiple users on multiple systems across multiple domains. This makes it nearly impossible to know where your data is, who has access to it, or how it is being used at any given time. Email messages and file attachments are a type of unstructured data. While your organization may have some form of secure file repository, how many copies of sensitive email messages and attachments are stored on your email service provider's servers, as well as your employees', and as well as on their recipients' devices? From a standpoint of security control, email is likely the most out-of-control application used by your organization.
In essence, each time an employee sends an email, you are outsourcing the security of the communications and any attached files to the recipients, whether they are inside your organization or not. Securing and controlling email with existing email security products has proven possible, because they all use legacy email protocols. By legacy protocols, I mean the underlying rules computers must follow in order to enable email communications. Those protocols were never intended to be secure or to enable control.
Understanding the deficiencies of legacy email protocols is critical when selecting an email security solution. Let's look at some of those deficiencies. First, weak user authentication and permissions. Since you don't know and can't choose who is sending you email, you need spam blockers to keep inbound email from flooding your inbox, and anti-malware to keep hackers from using email to install malicious software. Those are called phishing attacks. Unfortunately, anti-malware vendors can't keep up with the pace of new attacks.
Two-factor authentication, such as requiring that a user verify their email address via a web link or a text on your phone, and various data loss prevention technologies that inspect outbound mail to make sure information like social security numbers are not in the email body, those are partial compensations for not being sure who is sending you email or who is receiving the email you send. Next is security when you transmit email. The HTTPS and TLS protocols that we commonly use only can work to the degree that the mail servers are properly configured and the encryption software that underlies HTTPS and TLS is actually up-to-date.
And it has to be that way on every link in the communication chain. Email messages are sent through a lot of different servers between the sender's device and the final recipient's device. Every one of those servers is vulnerable to attack and, often, email messages are only encrypted between the sender's device and the first server in the chain. Next, when you send an email, you don't have any control of intermediate servers. As I said before, email messages and attachments are sent through multiple servers between the sender's and the recipient's devices.
So, unencrypted email messages are often read or copied and stored by several of those intermediate services. None of the legacy email protocols provide visibility or audit records to know what is happening to email received by each server. Next, there's no protection of email in storage with legacy protocols. The vast majority of email messages and attached files aren't moving, they're in storage. So, the number of copies and where they are stored, not only it's unknown, it's unknowable.
So, major email breaches have often resulted from storage attacks, which are far easier to execute and result in greater volume of valuable information. They simply get into the email server and they copy everything out. Transmission security doesn't do anything to protect the emails and files that are in storage on some server. So, in an enterprise environment, using, say Microsoft Outlook, with or without Exchange, email messages and attachments are stored in clear text on the company's email servers, and on end user devices, and on servers in between.
Finally, senders have no control over redistribution. So, even if your email is stored and transmitted securely, once it's received, the sender has no control over how that email or any attachments get redistributed. They can be sent to anybody, the files can be saved anywhere, they can be altered in any way, and all of that happens in a process that's entirely invisible to the person who sent the email. To better understand the deficiencies of legacy email products, it's useful to understand all the places where email content may travel or be stored.
For email to be secure, it must automatically be secured everywhere messages and attachments exist: on the sender's device, on company servers, on servers in transit, on the email service provider's servers, and on the recipient's device. The sender also needs to be able to decide in advance what recipients can do with messages and attachments they send and know that the receiving email application won't reliably enforce those controls. That's not possible using legacy email protocols.
Just ask Hillary Clinton, the DNC, and Sony Pictures, to name a few. All three, according to news reports, thought their email conversations were secure, and they weren't. Clearly, they or their staffers misunderstood or were misinformed about email's security vulnerabilities. Believe me, Hillary, the DNC, and Sony are not alone, but stick with me, because we're going to talk about what's possible with a new email protocol designed to implement security by default and control on-demand.
This course was created and produced by Mentor Source, Inc. We are honored to host this training in our library.