This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-Point Guide, click here to sign up and get the entire guide for free!
This week, we'll discuss Email systems and how they are being used by attackers to gain a foothold, perform reconnaissance, execute crippling financial attacks, and what can be done to prevent and respond to them.
Time and time again we get called into a cybersecurity incident that's all too familiar: a client discovered that tens to hundreds of thousands of dollars have been wired out to a foreign bank account, and the client has no record of ordering it. On further review, we discover that special inbox rules have been added to the Comptroller's or CFO's email account that automatically send any email with the words 'wire', 'fraud', 'security', etc. to another inbox controlled by an attacker and delete the message from the victim's inbox. After further investigation, we can trace the attack back to another user's email account that was initially compromised and then used to compromise the person's account who handles financial transactions. In one case, $10 million dollars was stolen by attackers inserting themselves into a conversation between the CFO and the companies bank to change the account and routing number that the funds were being sent to.
This sort of attack can be devastating to businesses, especially law firms who handle large financial transactions for clients. It is surprisingly easy to pull off and is being done by dozens of criminal groups around the world. How can companies defend themselves against it when 95% of successful attacks involve phishing attacks?
MFA for Remote and Cloud-based Email Systems
The most important thing you can do to secure email is to make sure that any Cloud-based or remotely accessible on-premise email solution (so, basically all email solutions) has Multi-Factor Authentication (MFA) enabled for all accounts. We discussed MFA back in a previous control (User Account Security) of this guide, so please go check it out if you need a refresher.
Auditing and Event Log Generation for Email
Another important way to control risk is to make sure that auditing is turned on for certain critical actions in the email configuration settings for either a Cloud-based tenant or the on-premise email server. Here are critical activities that should be audited and have a log event generated:
- An inbox rule is created;
- A forwarding rule is created on an account;
- An email client connects and downloads the entire inbox;
- An email account is logged into remotely;
- A settings change is made that allows new types of clients to connect and download email mailboxes;
- Delegation was added to an account (giving one account access and permissions to another);
Email Phishing and Social Engineering Testing and Training
Next, it's worth investing in email phishing and social engineering testing and training for all employees. By giving people training on the dangers of email phishing and social engineering awareness, and then testing them, an organization can understand what the likelihood that their employees will click on a phishing email or fall for a social engineering scam such as a phone call or SMS text-based con scheme. In addition to understanding the likelihood, the organization can know exactly which employees are phish-prone and can give them the chance to get more focused training or take steps to prevent them from causing a disaster by removing them from sensitive processes. Finally, performing training and testing regularly can show an organization how effective the training program is, and allow them to set goals and see meaningful reduction in the risk that social engineering and phishing presents to the business.
Out of Band Communications for Critical Business Processes
Another very important consideration when managing email system risk is to do a business process analysis on which critical processes (e.g. wire transfers, benefits and payroll onboarding, etc.) use email exclusively. Any process that deals with sensitive information, especially financial data, should NOT use email exclusively as the communication medium for employees to interact with each other in order to complete the process. Rather, anytime information is presented in the business process that requires a change to an information system that manages financial data, a confirmation request should be sent via another communication method. For example, if Shelley in HR gets an email request from Bob in Marketing to change his routing number and account number for his payroll direct deposit, she should be required to call or go physically visit Bob and confirm that he really did intend to send the request in the first place.
Phishing Email Helpdesk
A very powerful solution that we've helped many clients with is the Phishing Email Helpdesk. No matter how many email security filters and settings you place on an email system, somehow users still get spam and phishing emails. Training users to send suspicious emails to a team of cybersecurity experts who can analyze them and create intelligence products out of the actual phishing emails is invaluable in understanding why some phishing attacks are successful, who else in the organization got the phishing email but didn't report it, and who actually clicked or provided account information! This allows for a final line of defense to identify successful intrusions and stop account compromises from spreading. This information that is gleaned from the Phishing Email Helpdesk provides some of the most effective intelligence that we've used to get a handle on the epidemic of Business Email Compromises.
If your business or a client needs expert cybersecurity risk management and is concerned about email security, please contact us today to schedule an engagement with Ingalls Information Security!
Join us next week when we discuss why it's important to create and maintain a hardware and software inventory.
This article is part of our weekly series on how to manage cybersecurity risk for businesses. If you'd like to download the complete 8-point guide, click here to sign up and get the entire guide for free!