Email Security Tools Try to Keep Up with Threats

Published: 22/11/2024   Category: security




Email has long been a prime vector for cyberattacks, and hackers are only getting sneakier. Can email platforms and security tools keep up?



No matter how many messaging and collaboration apps clutter the enterprise space, most (if not all) employees will continue to use email. Cybercriminals know this, and they're increasingly leveraging this reliance to their advantage, finding new ways to bypass protective measures.
Bob Adams, cybersecurity expert at Mimecast, explains how email-based threats have evolved. "It's important to understand the history of these attacks to understand where they're going," he says. Older phishing scams were easy to detect, with poor spelling and grammatical mistakes. The people who fell for them were likely to give attackers what they wanted.
"One of the reasons it was so successful is it was targeted in a way that intelligent people wouldn't respond," he says. Today's threat actors have resources to make their attacks credible to a broad range of victims. Now, the people who could recognize obvious phishing scams are getting hit with spearphishing attempts and business email compromise (BEC) attacks.
In its Email Security Risk Assessment (ESRA), Mimecast passively scanned 95.9 million emails that went through email security systems and were received by a business email management portal. The ESRA caught 14.2 million spam messages (5.1 million rejected; 9.1 million quarantined), nearly 10,000 dangerous file types, 12,500 malware attachments, and 23,000 impersonation attacks.
Spam is annoying, sure, but most people know what it looks like and it isn't lethal. Impersonation attacks, on the other hand, are sneaky. "What's making these attacks even easier and have higher ROI is the sheer amount of information publicly available on every company and individual within its top ranks," says Wickr CEO Joel Wallenstrom.
"All attackers need to do is pick a target; tailor messaging based on data gleaned from Facebook, LinkedIn, obscure data brokers, and exposed PII databases; and voilà, the scam works as intended," he adds. Business email compromise has become a hugely profitable industry, with $5 billion in profit and categorization as a separate crime type by the FBI starting in 2017.
"What we're seeing more and more is spearphishing attacks, hearing much more of attackers using social engineering in a variety of different ways to get people to give up their account credentials," says Reena Nadkarni, group product manager at Google.
BEC attacks rely on simplicity, credibility, psychology, and urgency to convince victims to act, Adams points out. They won't use too many details: "It was great talking to you the other day" is more likely to convince a target than "It was great meeting you at Starbucks last Wednesday." Attackers may capitalize on employees' hesitation to question managers. "I can't talk right now, but I need you to do this immediately" is another line they may send a BEC target.
Of the 12,500 malware attachments that bypassed email security systems in the ESRA test, 11,653 contained known malware and 849 contained unknown malware. Failing to detect unknown malware in an email can be hugely detrimental because most common antivirus systems won't notice it, and an attacker can gain or extend their presence on the network.
Can Email Security Keep Up?
Major email providers Microsoft and Google have been stepping up to build stronger security into their platforms. Nadkarni explains how the evolution of cyberattacks has made email security a challenge; now, attackers are spoofing websites and creating lookalike domains.
"What's interesting about some of these emails is they don't have an attachment," she says. "Many of the traditional methods of being able to catch these just don't work."
Google recently added a few new Gmail security features as part of a broader redesign. Users can protect sensitive content by creating expiration dates for their messages or revoking sent messages before or after they're viewed. Recipients may be required to provide additional info to view messages, a measure intended to protect data even if the receiving account was hacked.
Microsoft, to its credit, has also added new security features to its email platform. However, some security experts note there's much more to be done on the data security front. "Gmail's confidential computing is a step in the right direction," says Wallenstrom. Users must know to implement data expiration settings for each email, but only on the recipient's end. He points out that it would add helpful protection to minimize data on the sender's account also.
Adams says "it's a little bit late and it's also, in my mind, a little bit lacking," with respect to the recent Gmail updates, specifically referring to enterprise security. "It might be good for smaller businesses," he says, "but for major corporations I don't see it being secure and effective enough at this time."
Eitan Bremler, vice president of product at Safe-T, points out how Exchange is still limited by the size of files (unless you send via OneDrive) and there is no integration with data loss prevention (DLP) and antivirus (AV) software. With Gmail, he's concerned about a lack of advanced security functions like file encryption and DLP or AV integration.
"While hackers have grown more sophisticated and created more nuanced ways of getting into emails, email technologies themselves have not evolved much from a technology perspective over the last 20 years," Bremler says.
What Businesses Can Do in the Meantime
To improve email security, Wallenstrom advises businesses to make security and data minimization a default, something that employees don't have to opt into each time they communicate, he says. Further, enforcing a business-wide policy that bans sending valuable data (financial information, business intelligence) via email would also help build security hygiene.
"What surprises me is even today, a large number of administrative accounts don't have two-factor authentication," says Nadkarni. "If you have admin accounts in any system and that's compromised, that's a huge deal."
She also advises businesses to look into security keys. "That makes such a huge difference," she explains, noting that even multifactor authentication codes can be phished. "To introduce an element of physical security, that changes the game quite a bit."