Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Email Is Forever – and It’s Not Private

Why You Need to Think Twice on What you Put in Emails

Why You Need to Think Twice on What you Put in Emails

“Dance like no one is watching; email like it may one day be read aloud in a deposition.” – @Olivianuzzi, December 13, 2014

This “post-Sony attack” tweet from Olivia Nuzzi of The Daily Beast should have been framed and hung as motivational artwork on every office wall. Instead, a year and a half and numerous publicized email hacks later, it stands to remind us that people will continue to get caught with their pants down because they refuse to accept two simple certainties: Email is forever; and forever is a long time to keep anything truly secure. 

With more recent hacks on entities like the Democratic National Convention (DNC) and the State Department what’s particularly frustrating—beyond the hacks themselves, which are almost foregone conclusions in today’s connected world—is that people continue to send inappropriate emails. Why does it seem no one is learning from these blunders?

Permanent Record

There’s a reason top secret meetings take place in person. Email is a (relatively) public and permanent means of communication. Unlike in the old days of business letters and official government “cables,” email can — and does — take on a life of its own. Some things are better left unsaid — or, in this case, un-emailed. Translation: Anyone can read them; and anyone who feels like it can also forward them ad infinitum. And those with the time, know how, and gumption to wreak havoc will do so. Why make it easier for them?

Sure, one could argue that the recent opprobrious hacks strengthen the case for encryption as a means to protect against the increasing skill levels of criminal gangs — and, I suppose, from ourselves. The most reputation-damning DNC emails were ones that should likely never have been written, let alone sent, in the first place. So, in a way, that had less to do with encryption and more to do with poor judgment. Plus, for the foreseeable future, it’s unlikely that anyone will be able to count on email messages being encrypted. 

It’s time to look for alternative solutions. No doubt, it’d be great if we could always pick up the phone or meet in person to avoid sending sensitive (or potentially incriminating) communications via email. But because that can’t happen all the time — and email is so convenient — how about looking for a way to find the bad guys before they run off with and air your dirty laundry to the general public?

Common Sense Is Not So Common

Advertisement. Scroll to continue reading.

The federal government has been criticized for its lack of adequate cybersecurity protections and being slow to update its operating systems with the latest software. But it’s up against a number of significant challenges: cyber specialist workforce shortage; sophisticated nation state attacks; network complexity and obsolescence; increased need for encryption; legislative uncertainties. Oh, and the naiveté of its own employees.

Conventional email security solutions may defend against spam, viruses, and malware, but they don’t defend against ignorance or egregious stupidity. The DNC’s IT security team failed to protect sensitive information, but the people who sent the inappropriate emails were also at fault.

While phishing and other social engineering attacks loom large in IT security professionals’ minds, perhaps the hardest thing to control in security is the human element. We live in a world where people want easy, convenient, fast. Everyone loves short cuts. And anyone can become busy, distracted, or just plain lazy. Unintentional loss of sensitive data through employees’ lack of email security awareness is embarrassing at best. At worst, it has the potential to compromise a nation’s security or endanger its electoral process. But it doesn’t have to be this way.

Because personnel aren’t always savvy about what they share, it’s prudent for organizations to invest in cybersecurity education and training, but also to become more aggressive at policing their networks. The DNC hackers had been on the network for how long before discovery? (Over a year, in case you’ve been on a desert island with no Wi-Fi.)

At some point, people have to take responsibility for security breaches. Attacks aren’t just about clicking on a “bad” link or opening a malicious attachment. They are about human behavior, at all levels, from email to poor adherence to security policies and procedures. If you send the wrong thing, you’re opening your front door for all the world to see and, inevitably, someone will be waiting to take more than a peek inside. Know the risks. Close the door. Get a dog — a guard dog with a keen sense of smell.

Incremental Deterrents

Dogs, any police officer will tell you, are the biggest deterrent for burglars. Why? Because no matter their size, they’re unpredictable. And they can fill any security gaps left by fences, locks, and alarms. If your intent is to steal something, you prefer a controlled, predictable environment, meaning one without dogs. 

Security systems, like the networks they protect, are built by accretion — one product stacked upon another — in the hopes that each will do its specific job well enough so that, when taken as a whole, the stack will provide complete security. But what if there were something that could give that security stack a bit more bite?

There is. The more visibility organizations have into what’s happening across their networks, the better chance they have of uncovering anomalous, not-quite-right behavior, responding to breaches faster, and, of course, tackling the security challenges surrounding the nature of email (forever and not private) and humans (toward the path of least resistance). In an IT environment, a security delivery platform (SDP) can be the watch dog whose bark and bite comes through providing pervasive visibility of network traffic, users, and applications that enables any security solution—firewall, IDS, IPS, etc.—to focus on what it does best. Or, in other words, the dog who can and will hunt.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybercrime

Enterprise users have been warned that cybercriminals may be trying to phish their credentials by luring them with fake emails that appear to be...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Cloud Security

Proofpoint removes a formidable competitor from the crowded email security market and adds technology to address risk from misdirected emails.