All too often enterprise administrators follow best practices across the rest of the network infrastructure but forget the importance of email security. You could argue that email security matters more than any other operational security measure, since many of the biggest data breaches start with a phishing email. With more employees working from home due to COVID-19, it is more important than ever to ensure that email security is configured and enforced across all communication channels.
Firewalls, access controls, user identity management, and other network fundamentals are all components of a good security posture. Email security is just as important in blocking malware before it reaches users: suspicious messages are quarantined for review, so users never see them in the first place.
Email sender authentication is built on two things – Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). An SPF record is the easiest to implement and takes only a few minutes of the administrator's time. The SPF record is added to the organization's DNS zone as a TXT entry. This TXT entry is a string with a specific syntax that provides recipient email servers with the list of IP addresses (and, via include: mechanisms, third-party services) authorized to send email for the domain.
DKIM is similar to a digital signature. The sending server adds a DKIM-Signature header to each message, produced with a private key held by the sending domain; the matching public key is published in DNS. The recipient verifies this signature to confirm that the message was sent by the signing domain and that the signed headers and body were not altered in transit. With SPF and DKIM, the recipient can validate who sent a message. On their own they do not stop spoofing, because the sending domain also has to tell receivers what to do when a check fails. That is the job of DMARC.
The domain owner publishes a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy in DNS, and the recipient email server applies it. DMARC rules determine how a receiving server should handle messages when SPF and DKIM fail, or when they pass only for a domain that does not align with the visible From: address. With a strict DMARC policy (p=reject), receiving servers reject messages that fail both checks. For instance, organizations that use G Suite might find mail sent on their behalf by a third-party service blocked if that sender is not included in the SPF record.
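As an added example (not code from the original post or from TitanHQ), the following Python evaluates an SPF record for a connecting IP address and then applies a DMARC policy, including identifier alignment, to decide what a receiving server should do with a message. The domain names, records and IP addresses are constructed; an in-memory dictionary stands in for DNS so the example runs offline, only the ip4/ip6/include/all mechanisms are implemented, and the organisational-domain logic is simplified to the last two labels rather than the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain (not real zone data).
# The dictionary stands in for DNS lookups so the example runs offline.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, dns=FAKE_DNS, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of a domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    The a, mx, exists and redirect terms are omitted for brevity.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying terms to 10 per check
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # Membership is False when the address and network families differ.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only if the referenced domain's own check passes.
            if spf_check(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') is an exact match, relaxed ('r') same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass', or the policy action (none/quarantine/reject) when neither check aligns."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    print(spf_check("example.com", "203.0.113.7"))    # pass (direct ip4 match)
    print(spf_check("example.com", "198.51.100.9"))   # pass (via include:)
    print(spf_check("example.com", "192.0.2.1"))      # fail (-all)
    # Spoofed From: example.com sent from an unlisted server with no DKIM signature
    print(dmarc_disposition(DMARC_RECORD, "example.com", "fail", "example.com", "none", ""))
```

The last call is the case the article is about: a spoofed message from a server not in the SPF record and without a valid DKIM signature is rejected only because the domain publishes p=reject. With p=none the same message would be delivered, which is why a DMARC record in monitoring mode is a reporting tool, not a control.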
It takes only one successful phishing email for an attacker to gain a foothold in a network and then send further, more targeted messages to higher-value targets. According to a recent Ponemon report, the average cost of a breach is $3.82 million, and many of these breaches begin with a message whose text tricks the recipient into clicking a harmful link or opening a malware attachment.
Tech Radar has reported that a trillion emails are sent per year, around 3.4 billion per day. With employees working from home there is a high risk of one of them receiving such a message, and that employee could become the entry point for a major breach.
Even trained users can be susceptible to these attacks. If a phishing email succeeds, the large amount of data that person has been trusted with can be stolen outright and sold on darknet markets for use in a longer-term attack.
With email attacks becoming more frequent, email security should be part of every organisation's network defences. Firewalls and filtering to block these attacks are necessary, and DMARC, DKIM and SPF are basic controls that minimise the threat of a severe data breach.
One of the main business successes of the Covid-19 pandemic is the Zoom video conferencing app, which registered over 300 million new users by the end of April thanks to the needs of remote workers and long-distance communication.
This new working routine means that some remote workers take a more haphazard attitude towards cybersecurity and towards what they do in front of their laptop cameras. This comfort zone has resulted in a new way for criminals to target staff and companies: Zoom sextortion scams.
Sextortion has become a new attack vector for criminals to extort money from unsuspecting individuals. The scam is largely email-based and relies on blackmail. Sextortion, also called 'porn scams', is not new as a cybersecurity threat. A recent report released by Sophos found that millions of sextortion emails were broadcast in 2019-2020, earning the fraudsters behind them over $500,000. Criminals love a successful scam, so they keep building new campaigns on a proven theme.
The sextortion emails normally include a threat to make sexually explicit material public, usually as a video. The email explains that the video was recorded by malware downloaded onto the user's device, and that if the victim does not meet the ransom demand (usually in bitcoin) within a given time period, the compromising video will be sent to everyone in the user's contact list.
An example of a sextortion email (received recently) is displayed here:
As always, criminals are good at spotting an opportunity, and as Zoom has become a major part of daily life, so cybercriminals have adapted their sextortion tactics to the video conferencing platform. This most recent campaign, 'Zoom sextortion', has been connected to an incident involving TV analyst Jeffrey Toobin, who was caught in a compromising position on a Zoom video conference with other media workers. Toobin was not himself a victim of sextortion in that instance. However, the fact that such a well-known person was captured on camera in a compromising position has let fraudsters use the incident as added pressure in sextortion email campaigns.
Email is again the central vector in the Zoom sextortion campaign. As Zoom use grew, security was quickly identified as a major area of concern. 'Zoombombing', in which Zoom conferences were invaded by uninvited users, was a particular issue in the early days of the COVID-19 lockdown, and in March the FBI released a warning about the hijacking of Zoom and other video conferencing services. The weaknesses exploited in Zoombombing were access-control issues with meetings, not flaws that gave an outsider control of a participant's device.
This most recent Zoom sextortion campaign targets two weaknesses: Zoom users' fears about the platform's security, and the fear of being caught doing something embarrassing on camera during a Zoom call.
The sextortion email claims that a zero-day flaw in the Zoom app gave the sender access to the victim's camera and other device metadata. The email goes on to say that the sender captured embarrassing footage of the user during a Zoom meeting, and references the Jeffrey Toobin case. In reality no such exploit is needed for the scam to work: the same message is broadcast in bulk, and the claimed footage never has to exist.
“I do not want you to be the next Jeffrey Toobin” — states the sextortion hacker scammer…
Most workers receiving this email will not feel threatened. However, a small number may feel bullied and worry that even a minor misdemeanour could end in a warning or even dismissal. Because of this, the victim may decide to pay the ransom, which in this particular scam is $2,000 in bitcoin.
Cyber-extortion is becoming more popular as hackers look for quick wins.
Universities and other higher education establishments are at risk of data breaches and malware, just like any large organisation. From a cyber criminal's perspective, schools and universities are a big target: the personal and financial data held in university systems is very valuable.
The potential consequences of a data theft are huge: reputational, legal, economic and operational. Future funding could be affected, along with a loss of student fees and associated income. Prosecution and other penalties could follow the loss of sensitive data, and the infrastructure itself could sustain significant damage that disrupts the activities of the institution.
One malware attack was so severe that a Minnesota school had to shut down completely for a full day. Repairing the damage could take weeks, and it could have been avoided.
A crypto-ransomware attack very recently encrypted an entire New Jersey school network. The source of the infection is still unclear, but it may have been someone opening a malicious email attachment, installing an unsafe app, or simply visiting a website carrying malicious advertisements.
The nature of the university campus and network is the biggest difference between higher-education establishments and the corporate network. University infrastructure is made up of many dispersed networks and is often complex. In some environments the concept of tight data security has traditionally been seen as unhelpful or, in some cases, unwanted. When a large institution thrives on the free exchange of data and ideas, it is not easy to apply the same strict security measures that larger companies can.
When cyber criminals target educational organisations, timing is critical. The new school year always means scammers segment their email databases to launch calculated, planned attacks as soon as students and employees come back online. Every year scammers launch new spam and phishing campaigns; fake welcome emails, password reset emails and banking notifications are just a few of the lures used to get at your data.
The internet has given the education sector some great and unique opportunities, and some major headaches. Educators continue to look for the best way to help students use the internet for their schoolwork while protecting them from an array of online dangers.
Blocking inappropriate content does not have to block learning too. As students spend much more time connected to the web, ensuring that time is spent safely is vital. By scanning page content, WebTitan's content engine can keep up with the ever-changing nature of the web.
The following are the main reasons for mitigating these attacks:
- Student safety – protection from dangerous, inappropriate or illegal sites
- Network security
- Identify cyberbullying
- CIPA compliance
- Application of Acceptable Internet Usage Policies
- Control bandwidth
- Ability to monitor
As an education establishment, it is your duty to provide a safe and effective learning environment. Schools are legally obliged to demonstrate reasonable and proper measures to control access to the internet. There is a fine balance between what has to be allowed and what security measures can be put in place. Security in every organisation, commercial or academic, is a trade-off between the likelihood and possible impact of an attack and the financial cost or loss of utility incurred in defending against it.
Losing email would be detrimental to the workings of any modern company. Much of the information held in old emails is typically not saved anywhere else, so losing it to a technology failure, or having it stolen or locked by attackers, is not a desirable course of events.
Along with the inconvenience of business interruption there are regulatory issues to take into account, as you could be fined if a breach takes place. In addition, emails may be needed in the event of an official investigation, and failing to retain them could prove a costly mistake. Although most companies take backups to prepare for a disaster, backups have limitations: they are not searchable in the way that an archive is. The best solution for preserving your emails is to establish a reliable archive. Here we list 10 reasons for doing so.
10 Reasons Why Businesses Should Archive Emails
- Stopping Data Loss: Emails are placed in your archive for long-term, safe storage. They can be easily retrieved from there should an employee accidentally remove something important from their inbox.
- Mail Server Performance: Because email makes up so much of the correspondence your company handles, it places a heavy strain on mail servers. Moving older email to the archive relieves that pressure and can result in servers that perform better.
- Litigation and eDiscovery: In the event of a lawsuit, you are likely to be required to produce emails related to the case, and you will have only a short period in which to respond. Finding emails in PST files and backups can be an extraordinarily time-consuming process, and you may have to search through several years of email data to find everything you need. You must also be able to show that the messages are original and have not been altered in any way. An email archive makes responding to eDiscovery requests, and finding and producing emails, a quick and simple process.
- Less Work for IT Departments: If employees delete or lose important emails, the IT support desk is the first port of call. Placing emails in an archive eliminates mailbox storage issues and makes IT's work much easier, especially if staff members can search their own email archives.
- Disaster Recovery: Email data can easily be lost through a hardware failure or the theft of a device. When emails have been moved to the archive they can be swiftly and simply retrieved.
- Regulatory Compliance: An email archive assists with regulatory compliance tasks. Data can be categorized and retention periods defined, with emails automatically erased when the legal retention period has ended.
- Data Access and Right to be Forgotten Requests: The General Data Protection Regulation (GDPR) and other laws give people the right to access all data that a company holds on them. If a request for access to personal data is received, the data must be produced promptly. An email archive allows you to search email data quickly and process right-of-access and right-to-be-forgotten requests.
- Internal Audits: An email archive makes the internal review process quick and simple and removes the need to involve the IT department.
- Business Continuity: Whatever happens, you can still reach old emails through the advanced search capability of an email archiving solution, so the business can carry on as before.
- Addressing Costs: Looking for lost emails, managing email servers, answering eDiscovery requests, and producing email data for audits can take an enormous amount of time. An email archive cuts the time that has to be dedicated to these tasks and lets you avoid unnecessary expense.
Solution: Use ArcTitan
ArcTitan is a robust, secure, cloud-based email archiving solution from TitanHQ that ensures emails are never lost. Fast searches can be run when you need to find old emails: messages are sent to the archive automatically at a rate of 200 emails a second, and searches of 30 million emails take less than a second. There are no restrictions on storage space, no on-site hardware is needed, and you pay only for the number of active mailboxes. Companies that use ArcTitan typically save up to 80% of email storage space.
A recent Symantec report indicates that Palmerworm attacks are on the rise for the first time since 2013.
Symantec found that the group was more persistently active in 2020 and even remained on one unnamed corporate network for almost six months. The attackers behind Palmerworm have added new malware to an advanced persistent threat (APT) campaign aimed at mainstream media and financial groups in the US, Japan, Taiwan and China.
Although Symantec was unable to identify the initial attack vector, the attacks are thought to have begun with a phishing campaign. Palmerworm uses a particular trick to fool users into running malicious content: its malware is signed with stolen code-signing certificates, making the software appear genuine.
Code signing tells operating systems and users who published a piece of software. When a user runs a downloaded installer, the operating system displays the publisher named in the signature. The publisher creates that signature with a private signing key that only the publisher is supposed to hold. An example of a code-signing prompt is shown here:
In this image, the user can see that the publisher is Microsoft and will allow the program to be installed. Palmerworm's operators sign their malware with stolen code-signing keys, which makes it far more likely that users will install it. A valid signature proves only that the signer held the private key, not that the code is benign; once a key has been stolen, the certificate must be revoked, and endpoint controls should check revocation status and blocklists rather than treating 'signed' as 'safe'.
Palmerworm uses custom malware alongside freely available tools to deliver its payload. The malware is a set of backdoors that give the attackers access to the network and allow them to remain on a corporate network even after administrators think it has been removed.
The custom malware sent with Palmerworm are:
The freely available tools that help Palmerworm move through and scan the network include:
- PuTTY – SSH/Telnet client that gives the attackers remote access
- PsExec – used to run commands on remote Windows hosts across the network
- SNScan – scans the network to find other possible targets
- WinRAR – archiving tool used to package data for transfer to the attacker, hide malware, and unpack it on a new target
The backdoor malware gives the attackers a high level of access across devices. Once an attacker has full control of one device, the malware can be pushed to other devices on the network. The network reconnaissance and administration tools help the attacker find additional vulnerable devices so that backdoors and remote control can be established there too.
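As an added example (not from the Symantec report or from TitanHQ), here is a small Python detection that runs over constructed Sysmon-style process-creation events and flags the tool set listed above: PsExec on either end of a remote execution, SNScan, PuTTY, and WinRAR creating password-protected archives, then triages hosts on which more than one of these appears. The hostnames, users and command lines are made up; including plink.exe under PuTTY and treating password-protected archives as staging are assumptions beyond what the page states.

```python
import ntpath
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\alice\\Downloads\\snscan.exe", "cmdline": "snscan.exe 10.0.0.0/24"},
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\fs02 -u CORP\\svc -p ****** cmd.exe /c whoami"},
    {"host": "fs02", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "fs02", "user": "CORP\\svc", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r -hpSecret C:\\Users\\Public\\out.rar D:\\Finance\\*.xlsx"},
    {"host": "fs02", "user": "CORP\\svc", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Tools\\putty.exe", "cmdline": "putty.exe -ssh 198.51.100.20"},
    {"host": "ws07", "user": "CORP\\bob", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "cmdline": "WinRAR.exe x holiday.rar"},
]


def exe(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def rule_psexec_client(e):
    return exe(e["image"]) in {"psexec.exe", "psexec64.exe"}


def rule_psexec_service_child(e):
    # On the target, PsExec runs the requested command as a child of its PSEXESVC service.
    return exe(e["parent"]) == "psexesvc.exe"


def rule_snscan(e):
    return exe(e["image"]) == "snscan.exe"


def rule_putty(e):
    # plink.exe is PuTTY's command-line client; covering it is an assumption beyond the page.
    return exe(e["image"]) in {"putty.exe", "plink.exe"}


def rule_rar_password_archive(e):
    # 'rar a' creates an archive; -pPWD / -hpPWD attach a password (no space before it).
    # Password-protected bulk archives are the classic pre-exfiltration staging pattern (assumption).
    if exe(e["image"]) not in {"rar.exe", "winrar.exe"}:
        return False
    cmd = e["cmdline"]
    return bool(re.search(r"(^|\s)a\s", cmd) and re.search(r"\s-h?p\S+", cmd))


RULES = {
    "psexec_client": rule_psexec_client,
    "psexec_service_child": rule_psexec_service_child,
    "snscan": rule_snscan,
    "putty": rule_putty,
    "rar_password_archive": rule_rar_password_archive,
}


def match_rules(event):
    return [name for name, test in RULES.items() if test(event)]


def analyse(events):
    """Return (findings, suspicious_hosts).

    Any one of these tools can be legitimate administration, so a host is
    flagged only when two or more distinct tool categories appear on it.
    """
    findings = []
    per_host = defaultdict(set)
    for e in events:
        for rule in match_rules(e):
            findings.append((e["host"], rule, e["cmdline"]))
            per_host[e["host"]].add(rule)
    suspicious = sorted(h for h, rules in per_host.items() if len(rules) >= 2)
    return findings, suspicious


if __name__ == "__main__":
    findings, hosts = analyse(SAMPLE_EVENTS)
    for host, rule, cmd in findings:
        print(f"{host:5} {rule:22} {cmd}")
    print("hosts to triage:", hosts)
```

On the sample data ws01 is flagged for scanning plus remote execution and fs02 for the PSEXESVC child, the password-protected archive and the PuTTY session, while ws07, where a user merely extracts an archive, is left alone. The point of the per-host combination is that a single PsExec or WinRAR execution is rarely worth an analyst's time; the chain the article describes (reconnaissance, remote execution, staging, remote access) is what separates an intrusion from day-to-day administration.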
Palmerworm is not a new advanced persistent threat. It has been in existence since 2013, so strong anti-malware products can detect and block the known backdoors before they reach a device. Organisations with enterprise-level anti-malware should have it installed on all devices, including desktops and mobile devices.
As Palmerworm is presumed to start with a phishing campaign, it is more important than ever to use email filtering. Web content filters will also prevent users from reaching malicious sites where attackers could host Palmerworm malware and trick users into installing it. Email filters block malicious messages carrying attachments that could contain Palmerworm malware, or macros that would download it from an attacker-controlled server.
Training users on the dangers of phishing and on the red flags associated with it also helps. Well-educated users are less likely to install malicious content or open unexpected attachments, and will be wary of links from unknown senders.
TitanHQ supplies a cloud-based email filtering solution that blocks Palmerworm and other advanced persistent threats. By deploying the cloud-based WebTitan platform, your organization is safeguarded from Palmerworm and other web-based attacks that first need a user to visit an attacker-controlled site where the malware is downloaded and executed.
Businesses have been forced to change their working practices as a result of COVID-19. The lockdowns introduced by governments around the world have meant businesses have had to rapidly change from an office-based workforce to having virtually everyone working remotely.
The restrictions on office work may have now eased, and employees are starting to be encouraged to return to working from the office, but remote working to some extent is now here to stay.
Most businesses have coped well with the new remote working environment. Many report that their employees have been just as productive, if not more productive, working from home. However, remote working is not without its challenges. Many businesses are concerned about how to ensure compliance with regulations with a remote workforce and how to ensure business and email continuity.
On Tuesday, September 22, 2020, TitanHQ is hosting a webinar to discuss some of the key challenges faced by businesses with a remote workforce and to introduce a solution to keep businesses moving forward when employees are working remotely and ensure business continuity.
During the webinar TitanHQ experts will discuss the following topics:
- The Current 2020 Technology Landscape
- Security & Compliance in a time of Global Remote Working
- Increase in Companies Relying Solely on Office 365
- Protecting Business Critical Data
- The Importance of Continuity in the Era of Remote Working
Attendees will also be given a live demo of TitanHQ’s cloud email archiving solution, ArcTitan.
Title: How to Ensure Business Continuity with Email Archiving for your Remote Workforce
Date: Tuesday, September 22, 2020
Time: London/Dublin: 5:00 pm (GMT +1) ¦ USA: 12:00 pm ET; 09:00 am PT
Hosts: James Clayton, ArcTitan Product Specialist ¦ Derek Higgins, Engineering Manager, TitanHQ