Email Security Protection
Loay Alayadhi

Abstract

Email is the most important business communication tool, and the security of mail has been an issue for a very long time. Email security protection has therefore become a hot topic in the information technology domain. Discussing how email works as a technology and which protocols it uses (SMTP, MX records, etc.) is essential for a security practitioner who wants to understand the threats, issues and weaknesses of an email solution. Going through the best-known and most recent email threats helps to understand which threats existed in the past, which still exist and which are new; examples are phishing, spam and malware. Prevention and protection techniques for email help an organization decide what to choose and how to choose the right solution. Some newer features that most email security products now include, such as encryption and DLP (Data Leakage Prevention), are also covered. Best practices for government are very important, as is the most secure way to use email.

Introduction

Email remains the single most important communication tool in today's business world. Each day, billions of corporate email messages are exchanged between computers, phones and tablets. Because it is so widely used, it is also the number one threat vector. As email usage has increased, so have email-related threats. Currently, 86% of all global email traffic is spam.

Email Technology

Email is much older than ARPANET or the Internet. It was never invented; it evolved from very simple beginnings. In 1975 John Vittal developed software to organize email. By 1976 email had really taken off, and commercial packages began to appear. Within a couple of years, 75% of all ARPANET traffic was email. The first important email standard was SMTP, the Simple Mail Transfer Protocol.
SMTP (RFC 821) was very simple and is still in use. However, SMTP was a fairly naive protocol and made no attempt to find out whether the person claiming to send a message was who they purported to be. Forgery was (and still is) very easy in email addresses. These basic flaws in the protocol were later exploited by viruses and worms, and by fraudsters and spammers forging identities.

SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used for sending and receiving email. Because it is limited in its ability to queue messages at the receiving end, it is usually combined with one of two other protocols, POP3 or IMAP, which let the user keep messages in a server mailbox and download them periodically. In other words, users typically run a client that uses SMTP for sending email and either POP3 or IMAP for receiving it. SMTP was designed around the idea of cooperation and trust between servers. Since most SMTP servers were expected to handle a certain number of intermediate transfers, each server was required to accept mail from any originator for delivery to any destination.

Cyber criminals are smarter and more creative than ever in their tactics, coming up with new and inventive ways to breach your network. Some of the latest attacks include phishing, spoofing and ransomware.

Another subject in email technology is routing: how is email delivered from sender to receiver? MX (mail exchange) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, together with a preference value used to prioritize delivery when several mail servers are available. The MX preference values define the routing order (low value = high priority). When mail is sent to example1.test.sa, the MDA (Mail Delivery Agent) tries to route the mail to mailhost.test.sa, which has the lowest value and therefore the highest priority. If that fails, it tries mailhost2.test.sa and finally mailhost3.test.sa.

    example1.test.sa  86400  A   192.168.10.10
    example1.test.sa  86400  MX  10  mailhost.test.sa
    example1.test.sa  86400  MX  20  mailhost2.test.sa
    example1.test.sa  86400  MX  30  mailhost3.test.sa

Authentication is still one of the main issues in email security. The next section discusses some email authentication methods.

Enhancing Email Security (SPF, DKIM, DMARC)

An SPF record is a type of Domain Name System (DNS) record that identifies which mail servers are permitted to send email on behalf of your domain. SPF is an anti-spam approach in which the Internet domain of an email sender can be authenticated for that sender, thereby discouraging spammers, who routinely disguise the origin of their email, a practice known as email spoofing.
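The MX preference ordering above and an SPF check of the kind this section describes, as an added example that is not part of the paper: a small evaluator over a constructed DNS table modelled on the section's records, supporting the a and all mechanisms the section explains plus mx, ip4 and include. The host addresses and the SPF record for example1.test.sa are constructed for the example.

```python
import ipaddress
# Constructed DNS table modelled on the records shown in this section
# (not real zone data): (name, type) -> list of answers.
DNS = {
    ("example1.test.sa", "A"): ["192.168.10.10"],
    ("example1.test.sa", "MX"): [(10, "mailhost.test.sa"), (20, "mailhost2.test.sa"),
                                 (30, "mailhost3.test.sa")],
    ("example1.test.sa", "TXT"): ["v=spf1 mx ip4:203.0.113.0/24 ~all"],
    ("mailhost.test.sa", "A"): ["192.168.10.11"],
    ("mailhost2.test.sa", "A"): ["192.168.10.12"],
    ("mailhost3.test.sa", "A"): ["192.168.10.13"],
    ("mail.test.sa", "A"): ["192.168.10.20"],
    ("mail.test.sa", "TXT"): ["v=spf1 a -all"],
}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

# SPF qualifier -> result; a bare mechanism means "+" (pass).
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def delivery_order(domain):
    """Hosts a sending MTA tries in turn: lowest preference value first."""
    return [host for _, host in sorted(lookup(domain, "MX"))]

def check_spf(client_ip, domain):
    """Simplified SPF check (a, mx, ip4, include, all); no ptr/exists/redirect."""
    txt = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not txt:
        return "none"               # the domain publishes no SPF record
    for term in txt[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        target = arg or domain      # "a"/"mx" default to the checked domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = client_ip in lookup(target, "A")
        elif mech == "mx":
            matched = any(client_ip in lookup(h, "A") for h in delivery_order(target))
        elif mech == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg)
        elif mech == "include":
            matched = check_spf(client_ip, target) == "pass"
        else:
            continue                # unsupported mechanism: skip it
        if matched:
            return RESULT[qualifier]
    return "neutral"                # record ended without a matching term
```

The first term that matches decides the verdict, so the order of mechanisms in the record matters: a trailing -all or ~all only applies to senders no earlier mechanism authorised.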
SPF and other anti-spoofing initiatives, such as DomainKeys, work by making it easier for a mail server to determine when a message came from a domain other than the one claimed. Consider the SPF record for mail.test.sa, which we will pretend looks like this:

    mail.test.sa  TXT  "v=spf1 a -all"

This record says that the only host allowed to announce itself as mail.test.sa is mail.test.sa itself (indicated by the "a" mechanism). So in this case: if the IP address of the sending server matches the IP address of mail.test.sa, SPF yields a Pass result. If it does not match, evaluation proceeds to the next part of the record, -all, which yields a Fail result.

DKIM (DomainKeys Identified Mail) is a process for validating the sending domain name associated with an email message through cryptographic authentication. It achieves this by inserting a digital signature into the message header, which the receiving host later verifies to validate the authenticity of the sending domain. Setting up DKIM involves several tasks; the two main steps are:

Create the policy record. This is a DNS TXT record with the name "_domainkey" prefixed to the domain name, for example "_domainkey.test.com". The data of this TXT record contains the policy, which is basically either "o=-" or "o=~": "o=-" means "all emails from this domain are signed", and "o=~" means "some emails from this domain are signed".

Create the public key record. The public key is published in your public-facing DNS TXT record alongside the policy record. The private key is used on your sending MTA: when an outbound message is sent, the sending MTA uses the private key to sign the message and adds the signature to the message header, so that the receiving domain can identify and validate it by way of the public key. This uses a new domain name identifier to digitally sign the message:

    _domainkey           TXT  o=~; r=postmaster@test.com
    test.com._domainkey  TXT  k=rsa; t=y; p=gimfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcfvzzoj6y Zph/1oTroL1NhkfHmMgZy uuynbrvvpkxzqaezmhmc+s+kxvp7tuppqyz6ckselzqdwjv9jz 10u3zx1eB+Bmqc8cYA2oxZdda3EaJ/LEYtI A1auXxHzY2qaElIToSLrV97il19F3m4p6V5M6Yho9zxfIfrlTHSECLsrQI DAQBA

DMARC (Domain-based Message Authentication, Reporting and Conformance) strengthens SPF and DKIM by stating a clear policy on how both tools should be applied, and it allows the domain owner to set an address to which receivers send reports with statistics about the mail they have seen for that domain. DMARC's alignment feature prevents spoofing of the header From address by:

- Matching the header From domain name with the envelope From domain name used during the SPF check.
- Matching the header From domain name with the d= domain name in the DKIM signature.
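DMARC identifier alignment as described above, together with the "k=v; k=v" tag parsing that the DKIM-Signature header, the DKIM TXT record and the DMARC record all share, as an added example that is not part of the paper. The sample message, DKIM-Signature and DMARC record are constructed, the SPF and DKIM verdicts are passed in as the receiver's own results, and the organisational-domain rule is simplified to the last two labels instead of the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(record):
    """Split 'k=v; k=v' tag lists (DKIM-Signature, DKIM and DMARC TXT records)."""
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in record.split(";") if "=" in t)}

def org_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List to find the
    # organisational domain; here it is just the last two labels.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain, other, mode):
    """'s' = strict (exact match), 'r' = relaxed (same organisational domain)."""
    if mode == "s":
        return from_domain.lower() == other.lower()
    return org_domain(from_domain) == org_domain(other)

def dmarc_evaluate(raw_message, envelope_from, spf_result, dkim_result, dmarc_txt):
    """Return (dmarc_result, action). spf_result / dkim_result are the
    receiver's own verdicts; DMARC counts a 'pass' only when the checked
    identifier aligns with the header From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    policy = parse_tags(dmarc_txt)
    spf_domain = envelope_from.rpartition("@")[2]        # MAIL FROM domain
    spf_ok = spf_result == "pass" and aligned(
        from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = False
    if dkim_result == "pass" and msg["DKIM-Signature"]:
        d = parse_tags(msg["DKIM-Signature"]).get("d", "")  # signing domain
        dkim_ok = aligned(from_domain, d, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")   # p = none / quarantine / reject

# Constructed sample message and DMARC record (not from the paper).
SAMPLE_MSG = (
    "From: Finance <finance@test.sa>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.test.sa; s=sel1;"
    " h=from:subject; bh=ZmFrZQ==; b=c2lnbmF0dXJl\n"
    "Subject: Invoice\n\nPlease find the invoice attached.\n"
)
SAMPLE_DMARC = "v=DMARC1; p=reject; aspf=s; adkim=r; rua=mailto:dmarc@test.sa"
```

With aspf=s, a MAIL FROM of bounce@mail.test.sa does not align with the header From domain test.sa, so the sample message passes DMARC only through its relaxed-aligned DKIM signature; a message with neither aligned identifier gets the p=reject action.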
Email Security Threats

Searching for the most common email security threats of the last three years, you will find that they fall into three main categories: spam, phishing and malware (ransomware).

Spam

Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most spam is commercial advertising, often for dubious products, get-rich-quick schemes or quasi-legal services. Spam costs the sender very little to send; most of the cost is paid by the recipient or the carriers rather than by the sender. Spam creators continue to persuade users to click attachments (such as PDFs carrying malware) or links within messages through clever social engineering. As the figure below shows, spam authors create attachments or links that purport to contain vital information about bills and invoices, travel arrangements or business quotes. Spammers also create versions of their messages in other languages to snare more victims.

Phishing

Phishing is an attempt to fraudulently acquire sensitive information (such as usernames, passwords and credit card details) by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email and often directs users to enter details at a fake website. As Internet users become more adept at detecting clumsy attempts to phish personal information, spammers are selectively phishing smaller and smaller demographics with content that appeals specifically to each group. This form of highly targeted, socially engineered email is called targeted phishing, or spear phishing, and can fool even the savviest Internet users.

DMARC, SPF and DKIM can be very effective at detecting targeted phishing messages, but they have limitations. According to the Authentication and Online Trust Alliance (AOTA), about half of all legitimate email worldwide is currently authenticated. This level of adoption means that high-profile executives, who receive extremely high volumes of spam and phishing email, can benefit from additional email filtering and blocking tools based on email authentication failures. Adopting a multilayered approach that monitors worldwide email and web traffic and uses sophisticated web reputation filters in addition to authentication techniques will help reduce this type of attack.

Malware

Viruses, worms, Trojans and bots are all part of a class of software called malware, or malicious code. Ransomware is a type of malware that holds a large collection of data hostage on a victim's computer, including important documents, photos and videos. Once installed, the victim is shown a user interface explaining that the files will be destroyed unless the victim pays a bitcoin ransom to the attackers. Email is one of the most common delivery methods for ransomware, so stopping ransomware before it reaches the recipient has become very important. Although it is not a new threat, ransomware has evolved to become the most profitable malware type in history. In the first half of 2016, ransomware campaigns targeting both individual and enterprise users became more widespread and potent. Email and malicious advertising (malvertising) are the primary vectors for ransomware campaigns.

Email Protection

The starting point for discussing the different approaches to protecting email from advanced attacks is to set the right strategy for building your security controls. Lawrence Orans of Gartner puts it this way: "Network security architects should accept the reality that, in 2016, it is unreasonable to expect that they can build perimeter defenses that will block every attack and prevent every security breach. Instead, they need to adopt new products and/or services that will enable the network to be an integral part of a strategy that focuses on detecting and responding to security incidents." So building a threat-centric and operationalized approach to security reduces complexity and fragmentation while providing superior visibility, consistent control, and advanced threat protection before, during and after an attack.

For email, we can divide the types of mitigation by mail flow (inbound / outbound).

Inbound Protection

- Email reputation removes a large percentage of unwanted mail before any further processing starts.
- Anti-spam, using rules that determine whether a message is spam, not spam, suspected spam, marketing email, etc.
- Anti-virus, which looks for infections and, for infected messages, takes an action: drop, clean, quarantine, deliver, etc.
- Threat intelligence filters, which update the email gateway with feeds and findings about new attacks.
- Content analysis, including real-time URL analysis.
- Anti-malware, which includes two techniques: file reputation and advanced behaviour analytics (sandboxing).
Outbound Controls

Outbound controls are almost the same as the inbound ones; however, there are two important capabilities that every email solution should support:

- Data Leakage Prevention (DLP)
- Encryption

Best Practices

This section is very important for any security practitioner, as it helps in building and implementing controls that mitigate and reduce risk for the organization. Here we need to differentiate between end-user best practices and security engineer best practices.

Starting with the end user, who uses email in daily work: he or she must adhere to the company email and acceptable use policies. In addition, some of the most important practices are:

- If you do not know the sender of an unsolicited email message, delete it.
- Never respond to spam messages or click on any links in them.
- Think carefully before you provide your email address on websites, newsgroup lists or other online public forums.
- Never use your organization email address for personal use.
- Do not open attachments in suspicious emails.

For security practitioners it is very important to make sure that users are aware and receive the right training to handle suspicious emails. In other words, awareness and training for non-IT users is essential. Beside that, there are technical practices that should also be followed:

- Implement authentication (SPF, DKIM, DMARC).
- Multilayer security controls (reputation, anti-virus, anti-malware, etc.).
- Behaviour analytics and sandboxing solutions.
- DLP and encryption.

Summary

Cybercriminal business models have recently shifted toward low-volume targeted attacks. With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations. As the latest Gartner report on secure email gateways (2015) states: "The secure email gateway market is experiencing renewed interest due largely to an increase in targeted phishing attacks. Vendors are responding with URL link protection and attachment sandboxing, but have not addressed social engineering attacks with no payload."

Considering that the weakest link in any organization is the human, social engineering remains an important subject that must be considered in any security solution.