Social Network For Security Executives: Help Make Right Cyber Security Decisions
Email Content Filtering
What Is It? Email could arguably be one of the most valuable tools of any organisation and likely the one that has been relied on the longest, but is probably one of the most overlooked and abused systems today. Ask anyone about email and what they like about it and you will probably get a grocery list of things they DON’T like about it. Whether it’s the pervasive use of the “Reply All”, the proliferation of spam and scams, the 3-AM-Demanding-A-Response message, the poor spelling and grammar, or even the inability to use it at all, we all have a beef with Email. By the same token it’s a love-hate relationship we’re unwilling to part with.
The fact remains email is here to stay and while other communication methods exist, it is still the go-to for most of us. One thing we really need to consider is the ability to cut down some of this noise with a strong focus on keeping out the potentially malicious content. There are many options available from the industry heavyweights, so rather than discuss them individually here, I’ll leave that up to you but am happy to assist in any way I can!
Cyber criminals are a study in evolving tactics when it comes to email-borne attacks. Spam will always be an annoyance and many of the service providers do a pretty good job flagging it as such, but we can never afford to drop our guard with regards to messages with malicious intent. Fraudulent invoices make you believe you owe money. False notifications from PayPal, your bank, eBay and more make you think there is an issue with your account. Bogus notices from the tax department and the police frighten us into thinking we’ve done something wrong but can somehow escape by paying an arbitrary fee.
All kinds of pain await you at the click of a mouse button. Ransomware, spyware, key loggers, and dozens of other nasties lurk in the background and can even fool the most vigilant among us in a moment of weakness. While we can never eliminate cyber threats completely, we can realistically mitigate the threat starting with Email filtering. I’ll cover Web filtering in the next article.
Where Do I Start? If you have email, you should filter it, so let’s get that out of the way right now. The how and where make it a bit trickier although with more and more organisations moving to the cloud rather than running on premise or even hosted email services, more and more options are available at price points suitable for any size of business. The trick is to not go too overboard and arrive at a point where you’re having to scrounge through deleted messages and spam to look for the legitimate emails. While one could argue a good case for filtering at the endpoint, I’d rather it not arrives at the business at all and have it all sorted at the server level.
Thankfully most modern solutions from major vendors are pretty good at filtering out the bad email before it gets the end user and coupled with additional techniques such as web filtering, sandboxing, application whitelisting and restricting local administrator privileges, we’re in a good position. Start by asking what products you currently use and if they’re fit for purpose. Make sure that whatever solution you do have is configured correctly, so calling in the experts for a health check is often a good idea. Static signature-based detection is losing effectiveness, so dynamic content analysis – especially of embedded media and links – is a must.
Speaking of leveraging experts, you can quite often acquire these type of consulting exercises as part of a managed services agreement. If you’re using purely cloud-based services, check in with them occasionally if you don’t think you’re getting the level of filtering you need. Sometimes it’s a simple adjustment or even a small license or software upgrade. Trying to manage the avalanche of malware and spam at the end-user level isn’t anything you should must deal with. People can and will click on links in emails when letting their guard down.
How do I make It Work? First, you should probably figure out what kind of an email consumer your organisation is because solutions can be priced based on use, so you don’t want to over or under-spec the system. Understanding what kind of emails, you handle, such as those with large attachments, if you embed links or media, and where your services sit (on premise, hosted, or cloud) are all factors in choosing an email filtering solution. Also consider if you can combine it with any other services such as sandboxing or web filtering to possibly save some money. Get the right people involved, trial solutions if you can, and then implement your email filtering system. Start simple and slowly ramp it up rather than starting with the highest level of filtering and slowly backing it off. Perform periodic assessments and adjust. Also, for any changes, ensure you use a solid change management process.
Pitfalls? Just realise that Spam and malware is still going to get through and you may accidentally block legitimate email. A good email management strategy is recommended to understand how you handle different situations, but it must be followed. If an executive demands his email is released by an administrator, process needs to be followed and not just released due to their position. Blindly assuming the email filtering will protect you 100% is also a mistake. Sometimes legitimate content can be redirected outside of the filtering process. You may also have extensive logging, alerting, and end user notifications but unless you use the information to refine your processes and monitor issues, it’s not very beneficial.
Ghosts in the Machine? Human error is the biggest ghost you’ll encounter. We all need to stop and think before we click on a link, open an attachment, or forward a message. If you’re not sure, ask. Education is crucial, and revisiting that with periodic updates is a must. Curiosity makes people do some funny things, so arming them with the right defensive knowledge and then reminding them is a good strategy.
Anything Missing? Make sure to get rid of any email addresses your organisation doesn’t need such as when someone leaves the organisation. The fewer points of presence you don’t need, the better. Make sure to keep your solution updated and your subscriptions and threat intelligence feeds current. Also, be sure to keep your personal and work emails separate as much as you can although these days, that line is very blurry. Your personal email may not have the same level of protection that your work email does.
It also doesn’t hurt to get outside organisations to test your email filtering solution, either through phishing testing or other means to gauge both the effectiveness of your system and the knowledge of the users.
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock