Email has been around a long time. My early days of remote communication started in the “You’ve got mail” era, when AOL dominated the US market for dial-up internet as well as email. Other free email services emerged, and companies looking to expand globally saw email as a cheaper and quicker communication tool for conducting business. In the early 2000s, it was common for companies to host their own internal email servers, often managing users through Active Directory, the dominant identity and access management tool at the time. Linux alternatives existed, but they were limited to companies that could hire dedicated support to keep those systems running. One important thing to know is that email was not initially designed with security in mind. Since the very early versions of email, dating back to the 1980s, we have been retrofitting new types of security on top of existing versions to adapt to modern technologies and protocols. However, many email configurations are purposefully designed to be backwards compatible, which can weaken an organization’s security posture.
In the modern evolution of email, many organizations have switched to “managed email” from a service provider. Common ones that stand out are Office 365 by Microsoft, G Suite by Google, and Zoho Workplace by Zoho. All of these services allow for maximum uptime and availability while minimizing hardware costs and allowing quick scaling across any number of users. In addition to the large providers, there are countless smaller providers, like GoDaddy or Bluehost, that bundle web hosting and email together with a reduced feature set.
From corporate finances to daily tasks, many businesses rely on email to keep things running. It’s one of the few cross-business communication tools we have in place, other than phone or physical mail. It’s also one of the most targeted and most successfully compromised systems in the world today. I’ll explain best practices for email, as well as common pitfalls in configuration.
Hosted vs. SaaS
Managed providers offer varying levels of service at different price points. Most people would agree that the benefits of using a managed provider outweigh the risk of hosting email within your business. You don’t have to worry about patching, taking a server down for maintenance, replacing certificates, or archiving mail to long-term storage. One consideration users should be aware of is the far-reaching implications of having access to one’s email. Email access is often connected to many other corporate tools through third-party connections and processes. Some examples include purchasing software, financial tracking, logistics, or private code repositories. This essentially provides a one-stop shop for a malicious user to gain access to multiple systems at once.
Unfortunately, leaked passwords are still one of the most common ways malicious actors get into email. Password dumps occur when a commonly used website holding user information is compromised and its database of passwords is stolen. Actors then either sell or post these email addresses and passwords on public sites. The major problem here is not that the website was hacked, but that many users reuse the same passwords across other websites. This means a user could have the same password on a website as on their corporate email. When this happens, all it takes is for an attacker to try the same credentials across multiple services until they get access.
Small details make a big impact
The biggest benefit of managed email providers is their willingness to take security seriously and adapt to an organization. Typically, by default, these providers offer basic protection and enable most encryption features. Other basic protection might include spam filtering, malicious URL filtering, and common settings around SPF, DKIM and DMARC. However, users have the ability to override default settings and may not understand the consequences. One example is changing settings to increase compatibility with older devices or software by enabling the protocols known as POP3 and IMAP. These protocols allow email to be downloaded and replicated to a compatible device; however, their authentication mechanism uses only a username and password, which do not necessarily need to be sent over an encrypted channel. This opens you up to a few weaknesses that you may be unaware of:
1) Password spraying – Guessing users’ passwords over months or years without any lockout period.
2) Lack of MFA – These protocols do not support multifactor authentication.
3) Lack of encryption – These protocols may not support encryption in transit.
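As an added illustration of the first weakness (not code from the original post), here is a small detector for the password-spraying pattern in IMAP/POP3 authentication logs: one source address failing against many distinct accounts, rather than one account failing many times. The log format, timestamps, addresses and user names are all constructed for the example; the thresholds are assumptions to tune for your own volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not any provider's):
# <timestamp> <protocol> <OK|FAIL> <user> <source-ip>
SAMPLE_LOG = """\
2024-03-01T02:00:05Z IMAP FAIL alice@example.com 203.0.113.7
2024-03-01T02:00:09Z IMAP FAIL bob@example.com 203.0.113.7
2024-03-01T02:00:14Z POP3 FAIL carol@example.com 203.0.113.7
2024-03-01T02:00:20Z IMAP FAIL dave@example.com 203.0.113.7
2024-03-01T02:00:26Z IMAP FAIL erin@example.com 203.0.113.7
2024-03-01T02:00:31Z IMAP OK frank@example.com 203.0.113.7
2024-03-01T02:05:00Z IMAP FAIL alice@example.com 198.51.100.4
2024-03-01T02:06:00Z IMAP OK alice@example.com 198.51.100.4
"""
LINE_RE = re.compile(r"^(\S+) (IMAP|POP3) (OK|FAIL) (\S+) (\S+)$")


def parse_log(text):
    """Return events sorted by time; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proto, result, user, ip = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "proto": proto,
                           "ok": result == "OK", "user": user, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose failed IMAP/POP3 logins touch at least min_users
    distinct accounts within one window. A spray is few tries per account across
    many accounts, so we count distinct users, not total failures; one user
    mistyping their own password a couple of times is therefore not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            failed = {e["user"] for e in evs[start:end + 1] if not e["ok"]}
            if len(failed) >= min_users:
                # Any success from this source after the spray began is the
                # account to investigate first (a reused or leaked password).
                since = evs[start]["ts"]
                hits = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= since})
                findings.append({"ip": ip, "users": len(failed), "successes": hits})
                break
    return findings
```

On the sample, only 203.0.113.7 is flagged, and frank@example.com is reported as the successful login to check; the lone user at 198.51.100.4 who retried once is left alone.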
There are hundreds of settings that can have far-reaching consequences. I encourage administrators to understand the settings of the service they procure. To further protect email, some newer security vendors parse messages to look for pig-butchering or invoice scams, comparing behavioral clues against the standard baseline an organization might have. These can layer on protection to prevent fraud or deception early, since such attacks are often targeted at certain users (such as your CEO or CFO).
Email continues to be the communication tool of choice, with over 125 billion messages exchanged every day, and forcing users to use MFA can prevent 99.9% of attacks. Even with other remote tools growing in popularity, such as Slack and Zoom, email remains the dominant player in the communication space. Working remotely is here to stay, and businesses should continue to make sure their basic forms of communication are properly configured and secured.