The risks facing email communication are widespread, ranging from individual hackers seeking sensitive information to nations engaged in economic espionage. The tools available to those seeking to undermine email security range from the mundane use of spam and phishing messages to sophisticated denial-of-service attacks designed to cripple an organization’s email infrastructure, preventing legitimate use.
These are as old as email itself and include unsolicited messages with a variety of intentions. Many seek to sell products or services to consumers, often providing the opportunity to purchase black market items, such as prescription drugs or counterfeit goods. These messages are more than a nuisance, as organizations must size their email infrastructure to handle the increased messaging volume that spam creates.
These represent a variation of spam with more dangerous intentions. These unsolicited messages don’t seek to sell products but instead attempt to fool unsuspecting users into disclosing sensitive information. Malware can be sent in phishing attacks attempting to trick the user to open a file. These files can look like legitimate documents – for example, PDF or Word documents — but there is a zero-day exploit waiting to be triggered when users open the file. Once the exploit is triggered, the malware is installed and compromises the user’s computer.
Email may also be used as a vector for the delivery of malicious code. Hackers seeking to infect a system with a virus, Trojan horse, spyware or other type of malware may simply attach the installer to an email message, hoping that recipients will open the attachment on a system lacking appropriate anti-virus software. Similarly, links provided in messages may direct users to a site hosting malware installers that jeopardize the security of infected systems. Once compromised, these hijacked systems may be used to send spam. They can also be used as entry points for attacks on an organization’s internal network.
Attackers may be able achieve their objectives without actually gaining access to the contents of email communication or the systems that send and receive messages. This type of attack, known as a denial-of-service attack, may involve exploiting a vulnerability in the organization’s email infrastructure, causing it to crash. Brute force DoS attacks may simply flood an organization’s email server with fake messages that consume all available server resources, causing network congestion that prevents legitimate messages from getting through.
When evaluating the risks to email communication, organizations should not overlook the insider threat. Employees with authorized access to the email system may, intentionally or accidentally, cause damage to the organization through misuse. One common way this occurs is the accidental leakage of information outside of authorized channels.
Employees may also misuse email in a manner that violates the law or company policies by sending or receiving inappropriate content. An email message containing a risqué cartoon may be amusing to some but offensive to others, creating a human resources issue and potentially exposing the organization to liability for sexual harassment.
Other potentially problematic email content includes pornography and hate mail. In some industries, organizations are bound by regulatory requirements that prohibit certain uses of email. For example, healthcare providers covered by the Health Insurance Portability and Accountability Act (HIPAA) must ensure that they do not send sensitive health information via unencrypted email.
Want to learn more? Check out CDW’s white paper, “Email Security: Defending the Enterprise.”