The DynaSis Education Series for C-Level Executives
Email Security
Threats to your IT network abound, many of them delivered through email. Fortunately, there are cost-effective tools available to protect your hardware, software, data, and ultimately, your business. Effective mail security used to rely on a "hard exterior – soft interior" model, meaning that if you made it tough for hackers to get in, everything from then on would be okay. But in today's world, maintaining a secure perimeter is becoming more and more difficult as every defense we erect is quickly challenged by the ever-advancing technologies of the cyber-criminal. This includes an ever-increasing ability of hackers to create what seem like legitimate, safe emails, but are actually very sophisticated "phishing"1 and "spear-phishing"2 tools. Because of this, instead of the security model in which we trusted incoming emails from seemingly known sources, the adoption of a new "Zero Trust" model is critical.

We also know that use of the cloud in business continues to grow, and while the cloud offers greater speed, flexibility, availability, security and mobility, it is important to understand that this usage can also come with a loss of effectiveness of our on-premises, office-based security solutions that were designed for the applications you were using five years ago. This includes web-based email. In other words, if you are using web-based email, the security you seek must protect web-based email. Add to this the fact that our network perimeters are rapidly becoming fuzzy as our employees become more and more dependent on the cloud from both business-operational and personal perspectives. Your business probably has a significant number of employees – maybe even you – who use both personal and company-owned devices, both in and out of the office, so you can begin to see how the "hard exterior" in a mobile world can be riddled with holes by accomplished professional thieves.

When you think about the growing number of high-profile security breaches, many of which were initiated through email phishing1 and spear-phishing2 schemes, you begin to understand the need to pair current technology with current security. The need is so real that in addition to a CIO (Chief Information Officer), many large companies will also employ a CISO (Chief Information Security Officer) to oversee this implementation. When budgets do not allow this position, CIOs will be tasked with the effort, and, unfortunately, in many typical small to mid-sized businesses (SMBs) this will fall into the laps of business owners or others already burdened with a wide variety of other duties. To better understand how to thwart these attacks, one must first understand the attacks themselves, so let's take a look at the various threats currently out there.
Spam: Although often just a nuisance and not a real danger, spam email can distract employees during work hours and affect productivity. Enterprise solutions these days generally have proper defenses set up against spam, so if this is a problem in your company, this is something that can and should be addressed.

Viruses: Like spam, most large company security programs are very effective against viruses, so the cyber-criminal finds more success against home-based PCs and small businesses. This is why attacks against small companies have sky-rocketed in recent years.

Malware: The goal of malware is to steal as much information as possible from the database of the company being hacked. Once they obtain the login credentials for financial sites, credit card companies, banks, etc., they use this to gain access to the accounts of their victims, and to set up new accounts, such as credit cards, in the victims' names and max out the account before the victim is even aware. A fairly new methodology that falls into the category of malware is ransomware.

Ransomware: This variation of malware drops a piece of code into the IT network that "phones home" to let the cyber-criminal know that it has been placed, then uses that link to encrypt the company's files. Once the files are encrypted, they are locked from use by the hacker, who then sends a ransom note, ironically by email, demanding payment before the files will be unlocked. Once they are locked, the files are next to impossible to unlock without the hacker's key. Fortunately, advanced methodology now provides "crypto-containment" software that quickly identifies an encryption intrusion, isolates the infected files and prevents further encryption. (Note: encryption of an entire database is not instantaneous, so a well-designed containment system can shut the infection down before it does serious damage.) Here at DynaSis we have seen instances where crypto-containment software detected and shut down intrusions in large 10 terabyte environments with as little as 5 gigabytes being compromised. This data was quickly deleted and restored from back-ups.

Social Engineering: This is the modern equivalent of the old "con game." It begins by gaining the trust of the victim by phone, email, or even in person. Often it is tied in with the human desire to help other people, hence false charitable requests. In this way, the bad actor obtains information about social media accounts, and then uses this information to gain access to these accounts to commit his crimes.

State Sponsored Hacking: While this won't affect most small businesses, your company may still be at risk if you are involved in defense contracting, multi-national deals, aerospace, or other areas that involve sensitive information, OR if you are a supplier to a larger company that fits this description. Remember that the infamous Target intrusion began with a small supplier who was hacked. The intruder then worked his way into the Target system through this supplier.

1 Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic environment. The word is an adaptation of "fishing" and derives from the fact that "bait" is put out there to lure the unsuspecting recipient into providing this information. Communications appear to be sent from common social websites, auction sites, banks, online payment processors or IT administrators and may include links to websites that are infected with malware and/or ask the recipient to disclose personal information. An advanced level of this tactic is called "spear-phishing."

2 Spear-Phishing: This is probably the highest danger faced by today's IT security pros. First, criminals need some inside information on their targets to convince them the e-mails are legitimate. They often obtain it by hacking into an organization's computer network or sometimes by combing through other websites, blogs, and social networking sites. Then they send e-mails that look like the real thing to targeted victims, offering all sorts of urgent and/or legitimate-sounding explanations as to why they need your personal data. Finally, the victims are asked to click on a link inside the e-mail that takes them to a phony but realistic-looking website, where they are asked to provide passwords, account numbers, user IDs, access codes, PINs, etc.
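The ransomware paragraph above says that containment works because encrypting a whole data store takes time, so a monitor that spots encryption early can stop it after only a few files. The following is an added illustration of that idea, not code from DynaSis or from any crypto-containment product: it replays a constructed log of file writes, flags a write whose content jumps from low entropy (a document) to ciphertext-like high entropy, and blocks the writing process once it has produced a burst of such writes. The entropy and burst thresholds are assumed tuning values; the file paths, process names and file contents are constructed for the example.

```python
import math
import random
from collections import Counter, defaultdict

# Assumed tuning values; a real containment product calibrates these per environment.
ENTROPY_THRESHOLD = 7.0   # bits per byte above which written content looks like ciphertext
BURST_THRESHOLD = 3       # suspicious writes by one process before it is contained


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. English text lands around 4-5; ciphertext or
    compressed data approaches the maximum of 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encryption(before: bytes, after: bytes) -> bool:
    """A write is suspicious when it replaces low-entropy content with
    high-entropy content, which is exactly what in-place file encryption does."""
    return shannon_entropy(before) < ENTROPY_THRESHOLD <= shannon_entropy(after)


def contain(write_log):
    """Replay a log of (process, path, bytes_before, bytes_after) writes.
    Once a process has produced BURST_THRESHOLD suspicious writes it is
    blocked and its later writes are refused.  Returns the blocked
    processes, the files each one touched (to restore from backup), and
    how many writes were prevented."""
    suspicious = defaultdict(list)
    blocked = []
    prevented = 0
    for proc, path, before, after in write_log:
        if proc in blocked:
            prevented += 1          # the write never reaches disk
            continue
        if looks_like_encryption(before, after):
            suspicious[proc].append(path)
            if len(suspicious[proc]) >= BURST_THRESHOLD:
                blocked.append(proc)
    return blocked, {p: suspicious[p] for p in blocked}, prevented


def build_sample_log():
    """Constructed write log: one legitimate edit by an editor, then a rogue
    process overwriting ten documents with random (ciphertext-like) bytes."""
    rng = random.Random(42)
    text = b"Quarterly revenue summary for the Atlanta office.\n" * 20
    docs = {f"/share/finance/report{i}.txt": text for i in range(10)}
    log = [("editor.exe", "/share/finance/report0.txt", text, text + b"Reviewed.\n")]
    for path, content in docs.items():
        ciphertext = bytes(rng.getrandbits(8) for _ in range(len(content)))
        log.append(("unknown.exe", path, content, ciphertext))
    return log


if __name__ == "__main__":
    blocked, to_restore, prevented = contain(build_sample_log())
    print("blocked:", blocked)
    print("restore from backup:", to_restore)
    print("writes prevented:", prevented)
```

With the constructed log the rogue process is stopped after its third file; the seven remaining writes never happen and only three files need restoring, which is the "small fraction of the environment compromised" outcome the text describes. The legitimate editor's write is not flagged because its output is still plain text.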
Remember this: all of the above cyber-attacks can start with a single email. Once upon a time, combating threats like these was fairly simple. A company would employ a secure email gateway (SEG), and everything would be okay. But as rule sets became more complex, anti-virus required multiple deployments, and end-user quarantines multiplied, these solutions became the points of failure. This has been further complicated by the fact that a company's own employees, as end-users, have become very skilled at circumventing the once-hardened perimeter, and it is still further complicated by the potential of bad actors within the company itself. Today's IT professionals, and managed IT service providers, understand that the "hard exterior – soft interior" paradigm must be replaced by the Zero Trust Security Model.

The Zero Trust Security Model

While this might not sound too friendly, in light of the advanced quality of the threats facing us today, adopting a zero trust email model is critical. It is way too easy for business email users to be lulled into a false sense of security because of the high level of protection they understand is in place against traditional malware, etc., but the truth is, the bad guys never stop working on newer and "better" ways of hurting us, so we can never assume that just because it "got through" your older security filters, an email is safe. It is exactly this sense of trust that the criminals exploit, and it is up to each business and/or its IT service provider to treat every email that arrives as suspicious until a sophisticated email security solution has cleared it. To do this, we must add a new layer of IT security that checks your incoming emails for the malicious links that may be embedded in them, or in their attachments, so that no link is trusted until it has been cleared by a technology that is advanced enough for this detection.

With many companies that believe they are adequately protected, we are finding that in recent years they have inadvertently introduced new vulnerabilities into their IT networks through the use of what we call BYOD, or "bring your own device." How many of your employees use their own smartphones, tablets or laptops for company work, and how many of these devices have access to your company email, not to mention other files?

Best Practices

Here at DynaSis, after evaluating the top tier email security products, we have chosen Mimecast for our clients, so for purposes of illustration, we will use their product, although there are other services available. A properly designed Secure Email Gateway (SEG) will be delivered from the cloud and add a great deal of valuable functionality along with the security you need. These services should include3:
Allow-Auto Listing: Your "good contacts" are prioritized.
RFC Check Greylisting: Ensuring that incoming emails are RFC compliant for SMTP servers.
Global Reputation Checks: Employing the commonly used global reputation services to block email addresses with bad reputations.
Recipient Validation & Active Directory: Verifying inbound addresses to thwart directory harvest attacks.
Anti-Spoofing: Locking out spoofed email to ensure it never reaches internal domains.
Email Firewall: Administrative lockout of email identified by sender, recipient, IP address, domain, etc.
Policy Control: Data leak control, large email distribution, encryption, and other enhanced security controls.

3 The above terms are those used by Mimecast. Other services may use other terminology.
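To make the list above concrete, here is an added example of how several of these inbound checks fit together in one gateway decision. It is illustrative code written for this page, not Mimecast's implementation, and it covers the allow list, the global reputation check, recipient validation with directory harvest detection, anti-spoofing and the email firewall (RFC/greylisting and policy control are left out). The order of the checks, the harvest threshold, the internal domain, the directory contents and the reputation data are all assumptions; the IP addresses come from the documentation ranges so they point at nothing real.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed policy data standing in for the gateway configuration and an
# Active Directory export.  All addresses use reserved documentation ranges.
INTERNAL_DOMAINS = {"example.com"}
DIRECTORY = {"alice@example.com", "bob@example.com"}     # valid mailboxes
ALLOW_LIST_DOMAINS = {"partner.example.net"}             # "good contacts"
BAD_REPUTATION_IPS = {"203.0.113.7"}                     # stand-in for a reputation feed
FIREWALL_BLOCK_DOMAINS = {"blocked.example.org"}         # administrative lockout
HARVEST_THRESHOLD = 3    # assumed: unknown recipients from one IP before it is cut off


@dataclass
class Envelope:
    client_ip: str
    mail_from: str               # SMTP envelope sender (MAIL FROM)
    rcpt_to: str                 # SMTP envelope recipient (RCPT TO)
    authenticated: bool = False  # True only for a logged-in internal submission


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


class Gateway:
    """Evaluates one envelope at a time and remembers per-IP behaviour, which
    is what lets it recognise a directory harvest spread over many RCPT TOs."""

    def __init__(self):
        self.unknown_rcpts = Counter()

    def evaluate(self, env: Envelope):
        sender_domain = _domain(env.mail_from)
        # 1. Email firewall: administrator-defined lockouts win over everything.
        if sender_domain in FIREWALL_BLOCK_DOMAINS:
            return ("reject", "email firewall: sender domain locked out")
        # 2. Anti-spoofing: our own domain must not arrive over an outside connection.
        if sender_domain in INTERNAL_DOMAINS and not env.authenticated:
            return ("reject", "anti-spoofing: internal domain from external source")
        # 3. Recipient validation against the directory, with harvest detection.
        if self.unknown_rcpts[env.client_ip] >= HARVEST_THRESHOLD:
            return ("reject", "directory harvest attack: source cut off")
        if env.rcpt_to.lower() not in DIRECTORY:
            self.unknown_rcpts[env.client_ip] += 1
            return ("reject", "recipient validation: unknown mailbox")
        # 4. Allow listing: good contacts skip the reputation check.
        if sender_domain in ALLOW_LIST_DOMAINS:
            return ("accept", "allow list: trusted contact")
        # 5. Global reputation check on the connecting IP.
        if env.client_ip in BAD_REPUTATION_IPS:
            return ("reject", "reputation: connecting IP listed")
        return ("accept", "passed inbound checks")


if __name__ == "__main__":
    gw = Gateway()
    sample = [  # constructed envelopes
        Envelope("198.51.100.10", "bob@partner.example.net", "alice@example.com"),
        Envelope("203.0.113.7", "x@random.example", "alice@example.com"),
        Envelope("198.51.100.20", "ceo@example.com", "alice@example.com"),
        Envelope("198.51.100.30", "scan@random.example", "user1@example.com"),
        Envelope("198.51.100.30", "scan@random.example", "user2@example.com"),
        Envelope("198.51.100.30", "scan@random.example", "user3@example.com"),
        Envelope("198.51.100.30", "scan@random.example", "alice@example.com"),
    ]
    for env in sample:
        print(env.client_ip, env.mail_from, "->", env.rcpt_to, gw.evaluate(env))
```

Note that the harvest check is stateful: the fourth message from 198.51.100.30 is addressed to a real mailbox, yet it is refused because that source has already probed three non-existent ones, which is the behaviour "verifying inbound addresses to thwart directory harvest attacks" is meant to produce.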
Another advanced technique that serves an important function is what some IT service providers call Targeted Threat Protection, designed to block spear-phishing and other targeted attacks. When a recipient clicks on a link in a received email, the link, which was rewritten on delivery, is sent to the cloud, where it is scanned for security. If cleared, the link can then be opened by the recipient. While the technical details of this are a bit above the scope of this paper, the process that Mimecast uses includes:

Delivery: When an email is received by Mimecast, all URLs contained in that email are rewritten, then delivered to the recipient.
User Receipt: If the user clicks on a URL, the URL is checked against allow and block lists, and if the URL is not found on any of these lists it is sent to the scanner.
URL Scanning: The link is scanned through several layers of detection and any questionable emails are blocked.
Link, Domain, and Phishing Reputation: The link is verified by running it through internal and third-party intelligence engines and other security checks.
Webpage Deep Analysis: The website from which the link originated is scanned for spear-phishing and other potentially malicious content that may be launched through that site.
Block or Allow Decision: If all pages related to the email are deemed clean, the email is passed on to the recipient. If there is anything deemed questionable, both the administrator and the recipient are notified and given the opportunity to receive or block.

[Figure: Best Practice Defense in Depth at a Micro Level – © Mimecast]
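The delivery and user-receipt steps above are easier to follow with the two halves side by side, so here is an added, self-contained sketch of them written for this page; it is not Mimecast's code and it makes no claim about how their service is built. On delivery every URL in the body is replaced with a link through a gateway endpoint, carrying the original URL and an HMAC so that a tampered link is caught at click time; on click the signature is verified, the allow and block lists are consulted, and anything not on a list goes to a scanner. The scanner here is a constructed stand-in (a reputation set plus a few URL heuristics) for the multi-layer reputation and deep-analysis engines the text mentions; the endpoint address, signing key, list contents and host names are all assumed.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Assumed values: a per-tenant signing key and the gateway's own redirect endpoint.
SIGNING_KEY = b"constructed-demo-key-not-for-production"
PROTECT_BASE = "https://protect.example.invalid/redirect"

# Constructed lists standing in for the tenant's allow/block lists and for
# the internal and third-party reputation engines.
ALLOW_HOSTS = {"www.example.com"}
BLOCK_HOSTS = {"evil.example.org"}
BAD_REPUTATION_HOSTS = {"malware.example.net"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _sign(url: str) -> str:
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_urls(body: str) -> str:
    """Delivery step: every URL in the message body is replaced by a link
    through the gateway.  The original URL travels in the query string with
    an HMAC so the click-time handler can detect a tampered link."""
    def repl(match):
        url = match.group(0)
        return f"{PROTECT_BASE}?u={quote(url, safe='')}&sig={_sign(url)}"
    return URL_RE.sub(repl, body)


def scan(url: str):
    """Click-time decision: allow/block lists first, then reputation, then a
    few URL heuristics standing in for the deeper page analysis.  Returns
    (decision, reason); 'hold' means notify the administrator and recipient."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in BLOCK_HOSTS:
        return ("block", "on block list")
    if host in ALLOW_HOSTS:
        return ("allow", "on allow list")
    if host in BAD_REPUTATION_HOSTS:
        return ("block", "bad reputation")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return ("block", "bare IP address instead of a domain")
    if "@" in parts.netloc:
        return ("block", "credentials embedded in URL")
    if host.startswith("xn--") or ".xn--" in host:
        return ("hold", "punycode host name, notify administrator and recipient")
    return ("allow", "no findings")


def click(rewritten_url: str):
    """User receipt step: recover the original URL, verify the signature, scan."""
    params = dict(parse_qsl(urlsplit(rewritten_url).query))
    original = params.get("u", "")
    expected = _sign(original)
    if not hmac.compare_digest(params.get("sig", "").encode(), expected.encode()):
        return ("block", "rewritten link was tampered with")
    return scan(original)


if __name__ == "__main__":
    body = ("Your invoice is at https://www.example.com/inv/1 "
            "or sign in at https://evil.example.org/login")   # constructed message body
    delivered = rewrite_urls(body)
    print(delivered)
    for link in URL_RE.findall(delivered):
        print(click(link))
```

The signature matters because the rewritten link is what the user's mail client stores and forwards: without it, anyone who can edit the query string could route an arbitrary destination through the gateway's trusted-looking domain. In a real deployment the scan would also fetch and analyse the page, and a "hold" would trigger the administrator and recipient notifications the text describes.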
When you signed up for an AOL email account 25 years ago, the tech world was a much simpler place. If you used the word "phishing", it would be assumed you simply did not know how to spell. But times have truly changed, and along with all the good things technology brings us, it also brings us an ever-growing variety of cyber threats and bad actors who spend countless hours devising their own technology to rob, cheat and steal. Vigilance must become a way of life, and employing tools that work for you and that are continuously updated is vital. As an Atlanta managed IT services provider, we have seen it all and understand the complexities. If you have any questions about email security or IT support, please feel free to contact us.
http://www.computerweekly.com/feature/Email-security-Essential-Guide
https://www.mimecast.com/products/email-security/
http://www.digitaltrends.com/computing/can-email-ever-be-secure/
http://www.darkreading.com/operations/how-many-layers-does-your-email-security-need/d/d-id/1325791
http://www.inc.com/larry-alton/email-security-in-2016-what-you-need-to-know.html
https://www.techopedia.com/definition/29704/email-security
1,2 www.Wikipedia.com