The Layers of Email Security

Written by Jeff Orloff on February 27, 2013


Just recently, Twitter announced that if you receive an email from them you need not worry about the email being a phishing attack using a spoofed address. The email is authentic because of their use of DMARC email authentication.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a standard that governs email authentication mechanisms like Sender Policy Framework and DomainKeys Identified Mail (SPF and DKIM respectively). Working with email clients like Gmail, AOL, Yahoo Mail and Microsoft’s Hotmail and Outlook, DMARC promises to authenticate outbound mail so that when it arrives in a recipient’s inbox they can be assured it is not a fake.

However, this again looks like the hope for a silver bullet that will solve the spam/phishing/malicious email plague that threatens so many people.

Business leaders often see these as signs that spam is no longer a problem. News reports that claim “Spam is Dead”, or even those that show spam levels are down, do some serious damage to email security in much the same way. The damage comes as a result of decision makers not seeing malicious email as a real threat. After all, if spam is dead and DMARC can prove that emails are real, then why do we need to spend money on additional security?

Educating Decision Makers

Cutting spam protection could certainly help your organization save a bit of cash. For those faced with budget constraints any type of savings is usually looked upon favorably.

However, if you are tasked with keeping spam out and email secure, you might not want the person in charge of your budget to make decisions without a bit of input from you. To make the case for spending that money on anti-spam technologies, whether it is a new purchase, an upgrade or simply to maintain services, make sure that whoever is deciding understands that fighting against email-borne threats is an ongoing battle that requires a layered approach.

Layer 1 – The outside layer relies on variables that you cannot control, like DMARC. You have no say as to what security controls other organizations use on their outgoing mail.

Layer 2 – Email security solutions are the next layer of defense. Here, email messages are scanned to see if they pose a threat. Typical solutions will look at:

  • The sender’s address to see if it is a known spammer
  • The subject line of the email
  • The content of the email to see if it contains any flags that may indicate the message is spam
  • Any attachments to see if they may be malware

These security solutions also dissect the message for many other indicators depending upon the level of protection offered. Like your overall security plan, any email security solution should provide multiple layers of defense to protect against the many different threats.
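As an added example (not part of the original article), the sketch below shows why a DMARC pass from Layer 1 does not replace the Layer 2 checks listed above: the sender, subject, content and attachment checks run whatever DMARC reports. The host name `mx.example.org`, the blocklist, the keyword lists and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.policy import default

TRUSTED_AUTHSERV = "mx.example.org"       # assumption: our own receiving MTA
BLOCKED_SENDERS = {"promo@bulk.example"}  # constructed blocklist
SUBJECT_FLAGS = ("urgent", "verify your account")
BODY_FLAGS = ("confirm your password", "wire transfer")
RISKY_EXT = (".exe", ".scr", ".js", ".docm")

def dmarc_result(msg):
    """DMARC verdict stamped by our own MTA; 'none' if it stamped nothing."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        found = re.search(r"\bdmarc=(\w+)", results)
        # Skip headers stamped by other hosts: a sender can forge those.
        if found and authserv.strip().lower() == TRUSTED_AUTHSERV:
            return found.group(1).lower()
    return "none"

def triage(raw):
    """Return (verdict, reasons); Layer 2 checks run whatever DMARC says."""
    msg = message_from_string(raw, policy=default)
    reasons = ["dmarc-fail"] if dmarc_result(msg) == "fail" else []
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].addr_spec.lower() if addrs else ""
    if sender in BLOCKED_SENDERS:
        reasons.append("known-spammer")
    subject = str(msg["Subject"] or "").lower()
    if any(flag in subject for flag in SUBJECT_FLAGS):
        reasons.append("subject-flag")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(flag in text for flag in BODY_FLAGS):
        reasons.append("content-flag")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            reasons.append("risky-attachment")
    return ("quarantine" if reasons else "deliver"), reasons

# Constructed sample: passes DMARC, yet carries a macro-enabled attachment.
SAMPLE = (
    "Authentication-Results: mx.example.org; dmarc=pass\n"
    "From: Billing <billing@partner.example>\nSubject: March invoice\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nInvoice attached.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="invoice.docm"\n\nAAAA\n--b1--\n'
)
```

Calling `triage(SAMPLE)` quarantines the message for its attachment even though it passed DMARC.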

Layer 3 – Local security on the device comes next. Laptops and desktops should be running anti-virus software to protect against malware that may be delivered to the recipient as an attachment or through a link to a malicious website that was embedded in an email message. This solution should be centrally managed and frequently updated to keep systems free of harmful software. In addition to protecting laptops and desktops, mobile devices like smartphones and tablets should also have anti-virus software installed.

Layer 4 – The user should make up the final layer of your email security plan. They should know how to avoid malicious emails, how to spot them and most importantly – what to do if they receive them. Anti-spam solutions that make it easy for your users to quarantine and report suspicious emails go a long way in keeping your organization safe.

Of course setting up a security program that matches something like the one outlined here only works if the policies and procedures that govern it are in place. The moment that an organization decides they no longer need one, or more, of the layers described here they put themselves at serious risk.

As the email administrator, it is your responsibility not only to re-evaluate the products, policies and procedures that keep your organization safe, but also to keep your supervisors apprised of what they are doing to protect your assets from being compromised.

5 Comments to “The Layers of Email Security”

  1. Andrew Says:

    If there’s one thing I’ve learned about IT security, it’s that you should never feel too relaxed. Usually, when you let your guard down, that’s when the phishers, spammers, and scammers attack. I think DMARC is a valuable tool to limit security issues, especially in the mail, but I also believe that like everything else it will never be considered as foolproof. It may be hard to break into now, but soon those criminals will eventually find out the best way to beat it. In other words, we still have to pay particular attention to the mails we receive regularly.

  2. David Black Says:

    I agree with Andrew. DMARC might be very promising and secure for now but the worst we can do is accept it as the panacea to all our spam/phishing problems. As the article points out, it is just one layer in the security concept. Omit the other layers, and you are as vulnerable as you can be.

  3. Claire Fanning Says:

    For me the article has already done one of the most basic yet most important security measures: education. Ignorance definitely cures a lot of things and saves lives and a whole lot of things. It’s quite unfortunate, however, that up until now some still don’t know about spam or maybe they are aware of what it is but they have no inkling on what kind of potential damage it can do in their mail, in how they do business, or even in their own security.

  4. Donald Says:

    David, I think that all systems are vulnerable. After all, there’s not one thing that can be considered perfect. And yes, you’re right. We’re simply talking of one layer. That’s why many are now adding more levels of protection, which is good actually. But if there’s a potential downside, it’s that the management of data is going to be a challenge, as a person, even when authorized, still has to go through these different methods just to get hold of important information.

  5. Lawrence Says:

    Agree with Donald. All systems are vulnerable. No matter how big, established or small a system is, it is vulnerable. And this is exactly why we have more reasons to come up with an almost foolproof protection system. I believe that this constitutes a continuous process as there’s always a new form of threat coming our way. The best thing for us to do is build all the protection that we can to keep our forts safe and secure. Whether it’s just one layer of protection or a multi-layered one, the important thing is we’re doing something about the problem.
