Email security issues: How to root out and solve them
Effectively tackling email security issues requires infosec pros to address a broad range of areas, including cloud, endpoints, user training and more.
Email: It's arguably the single most important business application. Practically every aspect of the business is dependent on something related to email. Finance, legal, customer acquisition, IT -- you name it. If it weren't for email, not much business would get done. The odd thing about email is that we don't hear much about its security. Discussion of email security issues was at the forefront maybe 15 or 20 years ago, when IT was much simpler. However, with the distractions of today's technologies -- from the cloud to mobile to social media -- we tend to not address email security issues like we used to. But we should.
There are plenty of email security oversights I see in enterprises today that are creating unnecessary business risks. The following are top areas of IT and security programs that raise email security issues in measurable ways. You need to be thinking about these and improving them continually.
Perimeter and cloud security
Many enterprises still host their own email internally. Others use cloud-based systems offered by Google, Microsoft and more. Both approaches have security exposures. In-house email systems can be a target for denial-of-service attacks and direct exploitation or penetration. Cloud services tend to be more secure when hosted at the big name brands, but they're certainly not immune to attacks.
Traditional firewalls and intrusion prevention systems combined with proper logging, monitoring and alerting will go a long way if they're implemented and executed in the right ways. Weak TLS and cipher configurations on the connections to and from email-related systems and endpoints, including deprecated SSL and early TLS versions and legacy cipher suites, shouldn't be ignored either. Look at your internal controls and ask third-party vendors how they're addressing these areas. Go beyond the security operations center report to see what's really at risk. There's always more.
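To make the TLS point concrete, here is an added example (it is not from the original article) that builds the client-side TLS policy a mail client should use when talking SMTP over STARTTLS and audits a cipher list for the legacy suites that still turn up on mail servers. The weak-suite name patterns and the 128-bit floor are this example's own policy, not an external standard, and the `smtp_starttls` helper is shown for how the context is applied but is not run offline.

```python
"""Hardened TLS policy for mail clients and a cipher-list audit (added example)."""
import smtplib
import ssl

# Substrings that mark a cipher suite as legacy or broken (this example's own list).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "PSK", "ADH", "AECDH")
MIN_STRENGTH_BITS = 128


def hardened_mail_context():
    """Client context: TLS 1.2 minimum, verify peer and hostname, forward-secret AEAD suites."""
    ctx = ssl.create_default_context()             # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!PSK")
    return ctx


def audit_ciphers(ciphers):
    """Given SSLContext.get_ciphers() output, return the names of weak suites."""
    weak = []
    for c in ciphers:
        name = c["name"].upper()
        if any(m in name for m in WEAK_MARKERS) or c.get("strength_bits", 0) < MIN_STRENGTH_BITS:
            weak.append(c["name"])
    return weak


def posture(ctx):
    """Summarise a context as plain values so it can be compared against policy."""
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "weak_ciphers": audit_ciphers(ctx.get_ciphers()),
    }


def smtp_starttls(host, port=587, ctx=None):
    """Open an SMTP session and upgrade it with STARTTLS under the hardened policy.

    Not called offline. If the server cannot meet the policy (old protocol,
    legacy-only ciphers, bad certificate) starttls() raises ssl.SSLError
    instead of silently negotiating something weaker.
    """
    ctx = ctx or hardened_mail_context()
    s = smtplib.SMTP(host, port, timeout=10)
    s.ehlo()
    s.starttls(context=ctx)
    s.ehlo()
    return s


if __name__ == "__main__":
    print("hardened  :", posture(hardened_mail_context()))
    # What an "accept anything" client looks like, for contrast.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        lax.minimum_version = ssl.TLSVersion.TLSv1
        lax.set_ciphers("ALL:@SECLEVEL=0")   # re-enables legacy suites where the build allows it
    except (ssl.SSLError, ValueError):
        pass                                  # builds without SECLEVEL keep OpenSSL's default list
    print("permissive:", posture(lax))
```

Run `posture()` against the context your own mail integrations use; anything other than an empty `weak_ciphers` list, TLS 1.2 or later, and both verification flags set is a finding to take to the vendor or the server owner.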
Endpoint security
Many email-related security exploits start and end with users and the decisions they make on their computers and mobile devices. Are all your endpoint systems properly hardened based on proven security practices from Microsoft, SANS and others? Are you using mobile device management or user environment management to keep things in check?
Patch management falls under this umbrella as well. Missing software patches combined with users choosing to open attachments, click links and provide information they shouldn't is quite likely your greatest risk -- email and beyond.
Weak malware protection that cannot address today's message threats is also common. You cannot afford to overlook newer technologies and approaches to malware protection. Stay old-school, and you're going to get hit old-school.
Don't forget about servers as endpoints either. I find missing (and exploitable) patches and misconfigurations on email servers, and that should never be the case. Make all endpoints, especially the critical ones, a top priority.
User awareness and training
A lot of users I speak with have no idea what's expected of them in terms of security. In fact, many people assume that their IT and security staff are the ones responsible for keeping incidents and breaches from happening. Or, just as bad, they agreed to some policy or paperwork that IT or HR pushed on them that, in the end, means nothing and does nothing to help with security.
Most awareness and training programs that do exist stink out loud. That can be resolved if you make your approach and content interesting. Otherwise, it goes in one ear and out the other.
Ongoing email phishing testing is an excellent means for bolstering your security awareness and training. Another thing to remember about security awareness and training is that people who do things well need to be rewarded, not punished.
Penetration testing
None of what I've mentioned to this point can be properly acknowledged and vetted without in-depth security testing. Vulnerability and penetration testing -- with all email-related systems in scope -- is absolutely essential. Unnecessarily open ports, web interfaces with application flaws, spam relaying and myriad other issues can be uncovered on email systems. Proper social engineering testing via email phishing is arguably the most important part of testing the resiliency of your email environment. It's not super exciting to test email systems, but it is quite rewarding to uncover high-risk security flaws, some of which may have gone unaddressed for years.
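Spam relaying is one of the email-server findings mentioned above that is easy to test for, so here is an added example (not from the original article) of the exchange an open-relay probe uses, with both sides of the conversation shown. `probe_open_relay()` sends the minimal SMTP dialogue (EHLO, MAIL FROM with a foreign sender, RCPT TO with a foreign recipient) and reports whether the server accepted the relay with a 2xx reply. `ToySMTPServer`, the `example.com` local domain and the `.test` addresses are constructed stand-ins so the example runs offline; against a real host the probe is called with the host and port 25.

```python
"""Open-relay probe with a toy SMTP server so the exchange runs offline (added example)."""
import socket
import socketserver
import threading

LOCAL_DOMAIN = "example.com"          # domain the toy server is authoritative for (constructed)
PROBE_SENDER = "probe@attacker.test"  # foreign sender (constructed)
PROBE_RCPT = "victim@elsewhere.test"  # foreign recipient (constructed)


class _ToySMTPHandler(socketserver.StreamRequestHandler):
    """Accepts RCPT for LOCAL_DOMAIN; relays for other domains only if server.open_relay."""

    def _send(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self._send("220 mail.example.com toy ESMTP")
        for raw in self.rfile:
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self._send("250 mail.example.com")
            elif verb == "MAIL":
                self._send("250 2.1.0 Ok")
            elif verb == "RCPT":
                rcpt = arg.split(":", 1)[-1].strip("<> ")
                if rcpt.lower().endswith("@" + LOCAL_DOMAIN) or self.server.open_relay:
                    self._send("250 2.1.5 Ok")
                else:
                    self._send("554 5.7.1 Relay access denied")
            elif verb == "QUIT":
                self._send("221 2.0.0 Bye")
                return
            else:
                self._send("250 2.0.0 Ok")   # RSET, NOOP: enough for the probe


class ToySMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), _ToySMTPHandler)   # port 0: let the OS pick
        self.open_relay = open_relay
        threading.Thread(target=self.serve_forever, daemon=True).start()

    @property
    def port(self):
        return self.server_address[1]


def _command(r, w, line):
    """Send one SMTP command and return the final reply code, skipping 'NNN-' continuation lines."""
    w.write((line + "\r\n").encode())
    w.flush()
    while True:
        reply = r.readline().decode(errors="replace")
        if not reply:
            raise ConnectionError("server closed the connection")
        if len(reply) > 3 and reply[3] == " ":
            return int(reply[:3])


def probe_open_relay(host, port, sender=PROBE_SENDER, rcpt=PROBE_RCPT, timeout=5):
    """Return {'codes': {...}, 'open_relay': bool}.

    open_relay is True when the server accepts RCPT TO from a foreign,
    unauthenticated sender. Use a recipient domain the target does NOT serve,
    otherwise the 250 means local delivery, not relaying.
    """
    codes = {}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        r, w = sock.makefile("rb"), sock.makefile("wb")
        while True:                                   # banner may span several '220-' lines
            banner = r.readline()
            if not banner or banner[3:4] == b" ":
                break
        for key, cmd in (("ehlo", "EHLO probe.attacker.test"),
                         ("mail_from", f"MAIL FROM:<{sender}>"),
                         ("rcpt_to", f"RCPT TO:<{rcpt}>")):
            codes[key] = _command(r, w, cmd)
            if codes[key] >= 400:
                break                                 # first refusal ends the probe
        _command(r, w, "RSET")                        # never actually queue a message
        _command(r, w, "QUIT")
    return {"codes": codes, "open_relay": 200 <= codes.get("rcpt_to", 0) < 300}


if __name__ == "__main__":
    for relay in (True, False):
        srv = ToySMTPServer(open_relay=relay)
        print(f"server open_relay={relay}:", probe_open_relay("127.0.0.1", srv.port))
        srv.shutdown()
        srv.server_close()
```

Note that the probe stops at RCPT TO and resets the transaction; it never sends DATA, so a positive result does not generate a message for the target's abuse desk. A real engagement repeats it from an external address, because many servers relay for anything on the internal network by design.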
Data management
Your email system is quite likely the largest and most important repository of critical business information. Is it being managed as such? Proper email data management involves classification, labeling and protective measures to enforce it all. Technologies include data discovery, content filtering and data backups. Are any classification policies that might exist actually being enforced? How? Are emails on endpoints being properly backed up and archived?
A sizable email risk I often see is email repositories and full .PST backup files being stored in areas that are completely exposed -- such as open network shares, unencrypted laptops, and random consumer-grade cloud file backup and sync applications. When a breach occurs in this context, there'll likely be no reasonable justification or defense. Newer technologies such as a cloud-access security broker can take email security to a whole new level by monitoring for sensitive content coming and going.
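Finding those stray mail stores is a discovery job, so here is an added example (not from the original article) of the check: walk a file tree, identify Outlook data files by extension or by the `!BDN` signature that PST and OST files carry in their first four bytes (so renamed archives are caught too), and report any that are readable beyond their owner, which is the exposed-share condition on a POSIX export. `build_sample_tree()` creates a constructed set of files so the example runs offline; the extension list is this example's own.

```python
"""Find mail stores (.pst/.ost/.mbox) sitting in exposed locations (added example)."""
import os
import stat
import tempfile

MAILSTORE_EXTENSIONS = {".pst", ".ost", ".nst", ".mbox"}   # this example's own list
PST_MAGIC = b"!BDN"   # dwMagic at offset 0 of every PST/OST file


def is_mailstore(path):
    """True for known mail-store extensions, or any file that starts with the PST signature."""
    if os.path.splitext(path)[1].lower() in MAILSTORE_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as f:
            return f.read(4) == PST_MAGIC   # catches "backup.dat" style renames
    except OSError:
        return False


def exposure(mode):
    """Who besides the owner can read the file, from its mode bits."""
    who = []
    if mode & stat.S_IRGRP:
        who.append("group")
    if mode & stat.S_IROTH:
        who.append("world")
    return who


def find_exposed_mailstores(root):
    """Return sorted [(relative path, size in bytes, [group|world])] for mail stores
    readable by group or world under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_mailstore(full):
                continue
            st = os.stat(full)
            who = exposure(st.st_mode)
            if who:
                findings.append((os.path.relpath(full, root), st.st_size, who))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree: an exposed PST, a renamed PST, a locked-down OST, a text file."""
    root = tempfile.mkdtemp(prefix="mailscan-")
    share = os.path.join(root, "share", "old-backups")
    os.makedirs(share)
    samples = {
        "archive-2019.pst": (PST_MAGIC + b"\0" * 60, 0o644),   # readable by everyone
        "backup.dat":       (PST_MAGIC + b"\0" * 60, 0o640),   # PST behind a neutral extension
        "private.ost":      (PST_MAGIC + b"\0" * 60, 0o600),   # owner only: not reported
        "README.txt":       (b"nothing to see here", 0o644),   # not a mail store
    }
    for name, (content, mode) in samples.items():
        p = os.path.join(share, name)
        with open(p, "wb") as f:
            f.write(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for rel, size, who in find_exposed_mailstores(build_sample_tree()):
        print(f"{rel}: {size} bytes, readable by {'/'.join(who)}")
```

Point `find_exposed_mailstores()` at the mount point of each file share rather than at a sample tree, and treat every hit as a data-handling finding: a PST is the user's entire mailbox, so an unencrypted copy on an open share is effectively a second, unmanaged mail server.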
Here to stay
Email is everywhere. With its entrenchment in the enterprise, it's not going anywhere anytime soon. Clearly, these messaging-centric risks are not insignificant security challenges. But email security issues are also not insurmountable. When addressed in reasonable and methodical ways, the vulnerabilities associated with one of your most critical applications can be resolved, and the threats can be held back.
The important thing is to get -- and keep -- these things on your radar in the context of email security. Don't neglect your core business systems. Make sure that all the right areas of your network environment are being addressed on a periodic and consistent basis. You have email-related risks in your environment right now. Find them. Address them. Dealing with email security issues will always be boring. Just don't let them be neglected.