Digital Forensics & Incident Response Strategic Services Advanced Testing Services Managed Security Services
April 13, 2020
Email Security: Best Practices for the Remote Workforce

In this time of pandemic and uncertainty, organizations’ network perimeters are being redefined and may actually disappear. This could lead to potential increases in certain types of security threats such as email phishing attacks. Phishing attacks are commonly used in times like these because they are highly effective in taking advantage of the fact people are more disconnected than they’ve ever been.

Now is a great time for a refresher on practicing basic email handling procedures. CBI recommends the following steps for individuals and organizations to increase email security.

Remote Users

A recent challenge with maintaining email security has been remote and more recently at-home users. The endpoints (laptops/desktops) being used by remote and at-home users may not have the same layers of protection as they do when they are connected to or working within the corporate network.

Users are bombarded with an increasing number of sophisticated phishing emails.  Technology definitely plays a part in the email security program, but we find a well-educated user is the single best deterrent when thwarting a phishing email.  Organizations should continue to develop and promote a security-minded culture. A major component when developing this culture is end-user security awareness training, specifically, how to identify a phishing attack. The content and structure of these phishing emails varies greatly, but they all have certain components that can be identified if you know what to look for.

  • First, look at the overall context and grammar. Is this written in a format that makes sense?
  • Consider the timing of the email. Cybercriminals tend to take advantage of organizations in times of pandemic, mergers and acquisitions, foreclosures, etc.
  • Hover (DO NOT CLICK) on any links in the body of the email. Hovering will reveal the full URL/Address. Study the link and see if it makes sense or is familiar to you especially if the email is asking you to click the link and provide credentials.
  • Immediately report an email if it is asking for your credentials or any personal information.
  • Follow your organization’s email security policies. Most organizations should have basic email information protocols. For example, you should have a policy that forbids all but a very limited number of employees from sending requests for payment, bank transfers, etc. Additionally, you should have a process for approving any large dollar amount only with verbal/written confirmation from more than two approved agents of the company.
  • Take a close look at the “FROM:” address. Has someone created an email that looks familiar to you? You may see a small discrepancy such as the letter “l” being inserted for the number ‘1” or a number “0” substituted for the letter “O.” Often, there’s a tell, such as a bizarre “FROM:” address (e.g. service145@mail.145.com), unusual links (e.g. amazon.net.ru), or a high number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.
  • Does it have a generic sounding attachment such as “Payment Request” and does the filename match your organizations conventions.
  • Communicate to your peers. Ask if anyone else has seen the same or very similar email and or attachment. Phishing attacks usually target more than one person to increase their odds of success.
  • Trust your gut. If it doesn’t look right, contact your organization’s helpdesk and call the person that supposedly sent you the email if that makes sense.

Consider the Cloud

The organizational workforce continues to work remotely. Cloud-based email security offerings offer a distinct advantage to their legacy-based counterparts. Cloud-based solutions provide much less administrative overhead while continuing to provide a much-needed level of granular control and visibility for email security.

Cloud based solutions tend to be more stable, while providing a much higher limit on scalability. They also scale down to smaller and medium-sized businesses via their cost-effective pricing models.

Keep a Clean House

When employees leave the organization, you need to make sure to complete disable or ideally remove their user accounts as quickly as possible. These accounts pose an ongoing risk. Cybercriminals have ways to identify these accounts and launch highly effective email phishing campaigns.

Don’t overshare

Organizations should not share any personal information including email addresses on public facing websites. Don’t publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All of these are pieces of information that can help attackers engineer a more effective email-based attack.

Pre-Flag Incoming Email

Organizations can do themselves and their users a big favor by inserting a small sentence at the top of all incoming email. One way to ensure your email domain is kept secure is by adding an external tag line or message warning the recipient that the email originated from outside of the organization. If a user receives an email from an internal user and it has the external tag it should be an immediate red flag.

Implement SPF, DKIM and DMARC

Don’t let the technical names scare you. These are things all organizations should implement immediately. There are many technical solutions that can be purchased that enforce these critical email security components.

  • SPF (Sender Policy Framework)
    • In a simplistic sense, SPF lets you create an allowable list of IP addresses. If a mail server with an IP address that’s not on your list tries to send email using your domain, it won’t pass the SPF authentication test.
    • The biggest issue is that it has nothing to say about the address that appears in the From field of an email message.
  • DKIM (Domain Keys Identified Mail)
    • Unlike SPF, which uses rule sets to determine allowable IP addresses, DKIM uses public key cryptography to authenticate individual email messages. Think of it as a mathematical way for a sender to sign a message and for recipients to verify who it was signed by.
    • Unfortunately, it also suffers from the same issue as SPF in that it has nothing to say about the address that appears in the From field of an email message.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)
    • A widely accepted open standard that ensures only authorized senders can use your domain in the From: field of their email messages
    • SPF and DKIM should already be enabled.
    • Provides the highest level of protection from email phishing attacks.

Two-Factor Authentication

Some may say it isn’t a matter of “if” you or your organization will fall victim to an email phishing/malware attack, but “when.” In that case, you need to already be thinking about how you can protect your users and the organization’s sensitive data.

One of the most cost-effective ways to accomplish this is to implement a two-factor authentication (“2FA”) solution. Modern 2FA solutions can be rapidly deployed and have little impact on users.

2FA is already a part of our lives. Consider how you log into your own personal online bank account. Most banks and credit unions are using 2FA already. CBI recommends extending that same level of security to your organization. 2FA is most effective in stopping a cybercriminal from doing anything with your credentials. Consider the typical phishing attack. A user receives an email with short message asking them to click a link and provide their credentials. The user falls for the attack and unknowingly provides a cybercriminal with their credentials. With 2FA these credentials are useless.

Home and Public Wi-Fi

Recent times require all of us to work from less secure locations than we are used to. It is extremely important that you and your end users understand the risks associated with opening your local email client while connected to a remote Wi-Fi network.

Public networks (by design) are never secure, meaning cybercriminals have a variety of ways to steal information that passes through the network. It is far too easy for a cybercriminal to intercept the network traffic coming from and going to your remote endpoint. Users credentials can easily be obtained using what is known as a “man-in-the-middle” attack.

Fortunately, users and organizations have options to prevent this.

  • Using a Virtual Private Network (VPN) connection. A VPN allows the user to create a secure connection to another network over the Internet. VPNs can be used to access region-restricted websites, shield your browsing activity from prying eyes on public Wi-Fi, etc.
  • Installing an Endpoint Detect and Respond (“EDR”) agent on the endpoints. Modern attacks require modern defense tactics. Old school anti-virus technologies have been replaced by modern EDR solutions. Organizations should strongly consider deployment of an EDR solution that can be deployed rapidly.

The Email Security Bottom Line

Ideally, for an effective email security solution, you are going to want to deliver on some or all of these above listed recommendations—in some capacity—in a highly scalable, flexible way—with minimal impact to end-users and administrators.

Content Sponsored by
Proofpoint is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint’s people-centric security and compliance solutions to mitigate their most critical risks across email, the cloud, social media, and the web. Learn more at www.proofpoint.com
About the Authors
CBI Dan Gregory
Dan Gregory
Senior Security Strategist
Dan has more than 15 years of field experience in performing regulatory compliance controls assessments and policy review. Dan has extensive experience in development and internal process audits with a focus on the financial, healthcare, manufacturing, and retail industries. Dan has performed countless controls assessments and efficiently deploys solution-based integrations designed to protect critical infrastructure, data, brand confidence, and reputation.
Remote Access Assessment
With more employees working remotely than ever, executives are concerned about fending off cyberattacks and ensuring system performance, all while defending employees, customers and data. Find out how CBI’s Remote Access Assessment can help. Learn More
I Need To...
S
Safeguard my data and my brand
Solutions
E
Envision my cybersecurity program
Digital Forensics & Incident Response
C
Comply with regulations
Strategic Services
U
Uncover what I have
Advanced Testing Services
R
Run my cybersecurity operations
Managed Security Services
E
Elevate my business
Why CBi