As companies shore up defenses against more sophisticated cyber-attacks, security professionals say there is a risk of overlooking basic practices and remaining exposed to serious breaches, whether through email-borne attacks that circumvent corporate cyber-defenses or through unauthorized email access that exposes sensitive or embarrassing corporate data.
"In a recent survey around advanced persistent threats, many of which get started through email, 67 percent of the organizations had no plans to increase their security awareness training for staff in the next year," says Rob Clyde, CEO of Adaptive Computing and international vice president of security organization Information Systems Audit and Control Association (ISACA).
"To me this is a real missed opportunity because we've seen a lot of attacks where the initial infiltration actually comes through spear phishing attacks through emails to employees, especially employees who have access to key data or administrators," Clyde added. "So it would seem additional awareness training is needed, but we're not really seeing that play out yet."
"Phishing," in security parlance, refers to sending email messages designed to look like those from legitimate senders, such as banks or social networks, in the hopes a user will follow a malicious link. In the next step, the malicious site captures their login information and uses it for identity fraud or, in some instances, the malicious site installs software designed to record the user's keystrokes.
"Spear-phishing" is a more sophisticated variation designed to capture login details from a specific person, such as a senior executive or a company's email administrator. These attacks harvest personal information from publicly available websites and social networks, and use it to craft a message designed to fool that person into logging in to a false site.
"Often when email systems are breached, they're usually breached through the use of a privileged account, through system administrators or other insiders either having their accounts compromised or doing this themselves," says John Pironti, president of information security consulting firm IP Architects, LLC. "Many times we find people don't realize their emails have been compromised unless they show up on a website some place, or somebody sends them emails they shouldn't have."
"Today's attackers are very sophisticated," Clyde says. "You have to assume they will figure out who that small group of people might be that have access to those email archives. And they would be the targets that might be spear-phished. The goal of the initial part of that attack might be to gain access to one of those individuals' accounts or computer systems."
A Basic Tool
In part because email is ubiquitous for our corporate and personal communications, most people treat email as a basic tool that's always going to be available and reasonably secure--until it isn't.
"Email has been around for so long, I think many people think attacks are more likely to infiltrate their organization through some new and exotic means, not realizing that even in this day and age, email is still the most likely initial point of attack," Clyde says.
Despite breaches and a growing understanding of the potential risks, many companies aren't investing enough in making...