What are the best practices and resources to help secure your organization’s email system?
More than a third of the cyber attacks experienced by Corvus policyholders to date began with a phishing email. We have observed phishing emails as an attack vector for ransomware, theft of credentials, malware (such as keyloggers), remote access trojans, stealing of sensitive information, fraudulent funds transfers and more.
The FBI Internet Crime Complaint Center (IC3) received over 23,000 Business Email Compromise (BEC) complaints in 2019 with total adjusted losses of $1.7 billion. With the increase in remote work over the past year, businesses have become even more reliant on email to continue operations, and threat actors have seized on the opportunity. Below are key email security controls and resources to help you explore them further.
Employee Security Awareness Training
No matter what security controls your organization invests in, some phishing emails will still get through. As such, there is no replacement for employee security awareness training, and in particular, targeted training for those who can transfer funds or regularly interact with sensitive employee, customer, or corporate data.
- Wizer offers a free version of their security awareness training here. The free version allows your organization to assign the training to employees, track who takes it, and receive certificates of completion. The paid version (Boost) has thousands of additional videos as well as phishing testing functionality.
- KnowBe4 offers Corvus policyholders (that are new customers) a 25% discount, and the offering is available here. KnowBe4 also has a free phishing tool that is accessible here. Should your organization use the free phishing tool without first requesting information through our landing page, you will need to tell the KnowBe4 salesperson who reaches out to you after the test that you are a Corvus insured and want to take advantage of the discount.
Multi-Factor Authentication (MFA)
Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more credentials in order to gain access to an account. Rather than just asking for a username and password, MFA requires additional verification factors, which decreases the likelihood of a successful cyber attack. The factors come from three categories: something you know (a password or PIN), something you have (a hardware token or cell phone), and something you are (a fingerprint or face scan); MFA requires factors from at least two of them. Major email providers like Microsoft and Google now provide MFA solutions for free with their email offerings, regardless of the subscription level purchased.
- Tetra Defense's Whitepaper: The Importance of MFA in the context of ransomware
- LMG Security’s Blog post: Not all Two-Factor Authentication is Created Equal
- For Microsoft Customers:
- Official Microsoft documentation: https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide.
- LMG Security post discussing MFA in the context of hardening MS 365: Microsoft Office 365 Security Best Practices to Protect Your Organization
- For GSuite Customers: https://support.google.com/a/answer/175197?hl=en&ref_topic=2759193&visit_id=637497379390208209-3223698227&rd=1.
Disable Legacy Email Protocols (IMAP, POP)
Threat actors have circumvented MFA by brute forcing passwords (or using credentials obtained through phishing) against legacy protocols, which authenticate with a username and password alone. We recommend moving away from legacy mail protocols such as IMAP and POP, and if your organization still needs them in use, be sure to follow the instructions for properly securing them.
- For Microsoft Customers - To protect your Exchange Online tenant from brute force or password spray attacks, your organization will need to Disable Basic authentication in Exchange Online and only use Modern authentication for Outlook in Exchange Online. Disabling Basic authentication will block legacy protocols, such as POP and IMAP. If you've enabled “security defaults” in your organization, POP3 and IMAP4 are automatically disabled in Exchange Online.
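As an added example (not code from the original post or from Microsoft's documentation), the following Exchange Online PowerShell session inventories mailboxes that still have POP/IMAP on, turns those protocols off, and makes a Basic-authentication-blocking policy the tenant default. It assumes the ExchangeOnlineManagement module is installed and that you hold an Exchange administrator role; the policy name is a constructed value.

```powershell
# Added example: block Basic authentication in Exchange Online so that POP/IMAP
# logons with a stolen or guessed password cannot bypass MFA.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# 1. Inventory: which mailboxes still have the legacy protocols switched on?
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled
$legacy | Format-Table -AutoSize

# 2. Turn POP and IMAP off per mailbox (reversible if a genuine need turns up).
foreach ($mbx in $legacy) {
    Set-CASMailbox -Identity $mbx.Identity -PopEnabled $false -ImapEnabled $false
}

# 3. Create an authentication policy. A new policy leaves every AllowBasicAuth*
#    switch at $false, i.e. Basic auth is blocked for all protocols. Then make
#    it the tenant default (applies to new users immediately; existing users can
#    be assigned with Set-User -AuthenticationPolicy). Policy name is constructed.
$policyName = 'Block Basic Auth'
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Make sure Modern authentication (OAuth) is enabled for Outlook clients.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# 5. Verify the result.
Get-AuthenticationPolicy -Identity $policyName | Format-List Name, AllowBasicAuth*
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy, OAuth2ClientProfileEnabled
```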
Out-of-Band Authentication for funds transfers
Out-of-band authentication means that a transaction initiated via one delivery channel (email) must be verified via an independent delivery channel (phone) in order for the transaction to be completed. Your organization should document an out-of-band authentication policy and train employees who could affect funds transfers on the policy. If your organization does not transfer funds regularly, confirm every transaction via a known phone number. If your organization conducts a significant volume of funds transfers that would make verification of each one unfeasible, confirm any new payment instructions, or any change to existing ones, via a known phone number - do not rely on the phone number in the email thread!
Secure Email Gateway (SEG)
A Secure Email Gateway (SEG) is software used to monitor inbound and outbound emails to prevent spam, phishing or malicious emails. Well-known vendors in this space include Mimecast, Proofpoint, and Barracuda. To help research and find the right solution for your organization, see https://www.gartner.com/reviews/market/email-security.
Adopt Email Authentication - SPF, DKIM, and DMARC
Email is inherently insecure - from its inception, email was transferred in clear text, unencrypted, between parties that never authenticated each other. This left email prone to spoofing, phishing, and man-in-the-middle attacks. Email authentication protocols followed to add more security. Sender Policy Framework (SPF) publishes a DNS record that restricts which mail servers may send email for a domain, preventing domain spoofing. DomainKeys Identified Mail (DKIM) cryptographically signs outgoing messages so that recipients can verify the content came from the domain and has not been tampered with in transit. Domain-based Message Authentication, Reporting and Conformance (DMARC) ties SPF and DKIM together with a consistent set of policies that tell receivers what to do with mail that fails both checks, and where to send reports.
- For a high-level overview of email authentication protocols, see https://www.csoonline.com/article/3254234/mastering-email-security-with-dmarc-spf-and-dkim.html.
- For more information on SPF, DKIM, and DMARC, see https://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.1945.pdf.
- For a company that can assist with email authentication implementation, see https://www.agari.com/solutions/dmarc-email-authentication/.
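As an added example (not from the original post or any of the vendors it links), here is a PowerShell check that parses a domain's SPF and DMARC records and flags the settings that leave the domain open to spoofing: a permissive `all` mechanism, too many DNS lookups, a DMARC policy of `none`, a partial `pct`, or no reporting address. The two sample domains and their records are constructed for the example; `Get-DomainAuthRecords` is a hypothetical helper that fetches live records with `Resolve-DnsName` on Windows. DKIM is not checked because its selector name cannot be discovered from the domain alone.

```powershell
# Added example: evaluate SPF and DMARC records for weak settings.
# Sample records below are constructed; Get-DomainAuthRecords is a hypothetical
# helper for live lookups (Windows DnsClient module).
function Test-SpfRecord([string]$Record) {
    if ($Record -notmatch '^v=spf1') { return 'No SPF record: any host can claim to send for this domain' }
    $terms = $Record -split '\s+'
    if ($terms -contains '+all' -or $terms -contains 'all') { return 'SPF ends in +all: every sender is authorised, spoofing is trivial' }
    if ($terms -contains '?all') { return 'SPF ends in ?all (neutral): receivers will not reject spoofed mail' }
    # a, mx, ptr, include, exists and redirect each cost a DNS lookup; RFC 7208 allows 10
    $lookups = $terms | Where-Object { $_ -match '^[-+~?]?(a|mx|ptr)(:|/|$)|^[-+~?]?(include|exists):|^redirect=' }
    if ($lookups.Count -gt 10) { return "More than 10 DNS lookups ($($lookups.Count)): receivers return permerror" }
    if ($terms -contains '-all') { return 'OK: hard fail for unlisted senders' }
    if ($terms -contains '~all') { return 'OK (softfail): relies on DMARC to act on failures' }
    return 'No all mechanism: result defaults to neutral'
}
function Test-DmarcRecord([string]$Record) {
    if ($Record -notmatch '^v=DMARC1') { return 'No DMARC record: SPF/DKIM failures are never enforced' }
    $tags = @{}
    foreach ($kv in ($Record -split ';')) {
        $pair = $kv.Trim() -split '=', 2
        if ($pair.Count -eq 2) { $tags[$pair[0].Trim()] = $pair[1].Trim() }
    }
    $p = $tags['p']; $pct = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }
    $findings = @()
    if ($p -eq 'none') { $findings += 'p=none: monitoring only, spoofed mail is still delivered' }
    if ($pct -lt 100) { $findings += "pct=$pct: policy applied to only $pct% of failing mail" }
    if (-not $tags['rua']) { $findings += 'no rua tag: you receive no aggregate reports' }
    if ($findings.Count -eq 0) { "OK: p=$p enforced on 100% of mail" } else { $findings -join '; ' }
}
# Constructed sample records for two fictional domains
$samples = @{
    'weak.example' = @{ spf = 'v=spf1 include:_spf.mailhost.example +all'; dmarc = 'v=DMARC1; p=none; pct=50' }
    'good.example' = @{ spf = 'v=spf1 mx include:_spf.mailhost.example -all'; dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@good.example' }
}
foreach ($d in $samples.Keys) {
    "$d  SPF:   $(Test-SpfRecord $samples[$d].spf)"
    "$d  DMARC: $(Test-DmarcRecord $samples[$d].dmarc)"
}
# Hypothetical helper for a live check, e.g. Get-DomainAuthRecords 'yourdomain.example'
function Get-DomainAuthRecords([string]$Domain) {
    $txt   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { -join $_.Strings }
    $spf   = $txt | Where-Object { $_ -match '^v=spf1' } | Select-Object -First 1
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { -join $_.Strings } | Select-Object -First 1
    [pscustomobject]@{ Domain = $Domain; SPF = Test-SpfRecord "$spf"; DMARC = Test-DmarcRecord "$dmarc" }
}
```

The constructed records produce a "+all" and "p=none; pct=50" warning for weak.example and two "OK" results for good.example.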
Understand and enable email audit logging
Audit logging can provide helpful data to forensics firms investigating an email account compromise. But it is not always enabled by default. Understanding what audit capabilities are available in your email system is important, and then making sure they are enabled is key.
- For Microsoft Customers - Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organizations. This includes organizations with E3/G3 or E5/G5 subscriptions. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell. See https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide.
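As an added example (not from the original post or from the Microsoft page it links), the following Exchange Online PowerShell session checks that the unified audit log is switched on, enables it if not, looks for mailboxes whose own auditing has been silenced, and confirms that events are actually flowing. It assumes the ExchangeOnlineManagement module and an administrator role with audit permissions.

```powershell
# Added example: verify and enable audit logging in Exchange Online.
# Assumes the ExchangeOnlineManagement module and an audit-capable admin role.
Connect-ExchangeOnline

# Is unified audit log ingestion enabled for the tenant?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log is OFF: an account compromise would leave no searchable trail.'
    # After enabling, allow some time before events start to appear in searches.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Mailbox auditing is on by default, but an explicit AuditEnabled=$false on a
# mailbox, or an audit bypass association, silences it. List any such cases.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Identity

# Spot-check that events are flowing: sign-ins and inbox-rule changes over the
# last 7 days (inbox-rule changes are worth reviewing during a BEC investigation).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations 'UserLoggedIn','New-InboxRule','Set-InboxRule' -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```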
Embed tagline identifying email sent from outside
Many organizations use red taglines within emails as an effective tool to help employees identify if they are replying to an email originating from outside their organization. Seeing the tagline encourages the user to pause and think critically if they truly intend to send the email externally.
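As an added example (not from the original post), here are the two ways to get that tagline in Exchange Online: Outlook's native external-sender tag, and a mail flow rule that prepends a red HTML banner and a subject tag to any inbound message from outside the organization. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the rule name and banner text are constructed values.

```powershell
# Added example: tag inbound external mail in Exchange Online so that a red
# banner is visible when an employee reads, or replies to, the message.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
Connect-ExchangeOnline

# Option 1: Outlook's built-in "External" sender tag (no change to the message body).
Set-ExternalInOutlook -Enabled $true

# Option 2: a mail flow (transport) rule that prepends a red HTML disclaimer and
# a subject tag to messages sent from outside the organization to someone inside.
$banner = "<p style='color:#ffffff;background-color:#c00000;padding:4px'>" +
          "CAUTION: This email originated from outside the organization. " +
          "Do not click links or open attachments unless you recognize the sender.</p>"
$ruleName = 'External sender banner'   # constructed name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization -SentToScope InOrganization `
        -PrependSubject '[EXTERNAL] ' `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText $banner `
        -ApplyHtmlDisclaimerFallbackAction Wrap `
        -Priority 0
    # Trusted partner domains can be excluded later with -ExceptIfSenderDomainIs.
}

# Confirm the rule exists and is enabled.
Get-TransportRule -Identity $ruleName | Format-List Name, State, Priority, FromScope, SentToScope
```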
Looking for hands-on help to secure emails? Our consults with blue-chip vendors can help.
Corvus policyholders can access support services through the Vendor Marketplace in their Policyholder Dashboard.
Brokers, request a Security Controls Consult.