Advertisment

Watch out! e-mail is still the weakest link of the security chain

author-image
Soma Tah
New Update
BSNL database found vulnerable to hacking

Soma Tah

Advertisment

Despite the onslaught of messaging and collaboration apps, e-mail has remained a preferred mode of communication for businesses across the world till date.

As per a Radicati Group estimate from February 2015, the number of e-mail users worldwide was 2.6 billion last year, and the amount of e-mails sent per day to be around 205 billion, which means almost 2.4 million e-mails are sent every second.

But the sheer popularity has also made e-mail a favorite target of spoofers and spammers to snoop on the confidential and crucial business data.

Advertisment

In the e-mail world, the networking protocols used for e-mail already support encryption (namely SMTP TLS) – although in the real world, these encryptions are not always used to secure mail transit. Additional technologies are also available for preventing unauthorized access to data sent in e-mails. But unfortunately, not many businesses invest in strong e-mail security solutions or access controls.

If we look at the ways information is exchanged over e-mail, we will be able to see the security loopholes in the e-mail transmission process which often makes it a weak link in the security posture of any organization.

The electronic transmission of e-mail happens mainly over three protocols. Simple Mail Transport Protocol (SMTP) which is used to deliver your e-mail to the recipient's mail server is often implemented without encryption. The other two namely Post Office Protocol (POP) and Internet Message Access Protocol (IMAP), which are the standards for retrieving e-mail from remote servers, are also often implemented without encryption.

So chances are there that the unencrypted e-mail messages transmitted over these protocols can be viewed by anyone snooping on the network connections.

Bhaskar Bakthavatsalu, Managing Director, Check Point, India & SAARC says, "From an attacker perspective, e-mail is the ideal medium for delivering attacks – it allows the attacker to reach out directly to victims - delivering text, links and files in the form of attachment."

Spear phishing and social engineering tactics in general cause you to trust individuals and lure you to take actions that otherwise you wouldn’t have done such as clicking on links or installing software you wouldn’t have installed. These techniques are becoming more prolific as it is a comparatively easier way to trap otherwise unsuspecting users or employees into handing over confidential or sensitive data.

"We encounter huge volumes of mail attacks of all sorts: classic phishing, ransomware infections, fraud and whaling. These attacks often rely on the use of social engineering tricks to get users to click through and get infected. Some of these mails are the first step in a more elaborate attack – sometimes referred to as APT (Advanced Persistent Threat). In an APT attack, an initial infection through e-mail will move around the network targeting strategic assets and often causing huge damage," said Bakthavatsalu elaborating on the security concerns further.

So how prevalent will be the e-mail attack concerns in the time to come and why businesses need to pay attention to it? The discussion is particularly relevant because, earlier this year we saw WhatsApp putting a 256-bit encryption layer to protect the chat and calls on its platform, while many organizations are still dilly-dallying with the idea of investing in a robust e-mail security solution.

Security solutions providers are watching the social engineering techniques closely to make the users aware so that they can identify manipulative content, avoid clicking on malicious links and opening unsolicited attachments, and protect themselves from other threats.

"An example we’ve seen several times of such a scam, is an e-mail which looks completely legitimate, coming from a company CEO and addressed to the CFO - requesting the CFO to make a money transfer. This sort of fraud, commonly referred to as whaling, is becoming increasingly popular and at the same time more sophisticated. I expect that future products will need to deal with this and similar attacks," warns Bakthavatsalu.

So, until the businesses decide on the best and right-sized e-mail security solution for them, here are some best practices for the e-mail users which will help them to identify the concerns and avoid them:

1. Before taking action on any e-mail received, always check that the e-mail came from a legitimated address/sender or not.

Advertisment

2. Many online threats trick the user into taking some action — like clicking an e-mail link, or opening an attachment, or installing a custom browser plug-in or application. Do not click on the links or install software or browser add-ons if you weren’t looking for them.

3. Last but not the least, change your mail passwords often and opt for strong passwords only.

security e-mail