Is encryption the answer?

These difficulties notwithstanding, technology-based email security efforts have in recent months gained some momentum from the U.S. government. Department of Homeland Security Binding Directive 18-01 not only stipulated the use of Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) for email authentication, but directed readers to consult a 2017 Federal Trade Commission document that underlines the decades-old vulnerability that still looms large: “Phishers and other spammers exploit a design decision made early in the history of the Internet. The Simple Mail Transfer Protocol (SMTP), the Internet protocol for email, was designed to make it easy for computers to send and receive messages, even if information was incomplete or corrupt.”

Encrypted email is often seen as the best means to mitigate the inherent risks of SMTP. But the difficulty of training users to handle encryption and the technical overhead have led many organizations to conclude that the use cases for such technology are limited. “We’ve set up secure mail tunnels between our servers and those of our best trading partners, so those messages will not travel un-encrypted over the Internet,” says Joe Rickard, CTO and CISO at Incapital, a Chicago-area bond-trading firm.

Anthony Scarola, security consulting senior manager with Accenture and a former financial services CISO and CIO from Virginia now based in Cincinnati, makes a similar point. “Recipients’ email systems may not support [encryption] due to incompatibilities, or solutions may burden clients to the point of frustration,” he says. “For organizations like financial, insurance and others with highly sensitive or regulated information to protect, this can be addressed by notifying clients of new messages via email or text and offering them options” for secure links using multi-factor authentication and encrypted Internet connections via SSL/TLS.

For Rushing, encrypted email has its place “in a certain portion of our supply chain that is deemed critical.” But the training required for the use of encrypted email discourages the organization from a more generalized deployment. “I can train all or some of my users to do this, but it is a daunting task,” he says.
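To make concrete what the SPF check required by the directive above actually does on a receiving mail server, here is an added example that is not code from the article or from any organization quoted in it. It is a minimal SPF evaluator in Python covering the mechanisms that can be checked without live DNS (ip4, ip6, include and all, with the four qualifiers) and the include-depth limit from RFC 7208; the DNS table, domain names and IP addresses are constructed test values, not real records.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records):
# domain -> SPF record, or None when the domain publishes no SPF.
FAKE_DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "nospf.example": None,
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}

MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4 caps DNS-querying terms per check

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for a domain, or None if it has none."""
    return dns.get(domain.lower())


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, _budget=None):
    """Evaluate the SPF policy of `domain` for a connecting client IP.

    Returns one of: 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    """
    if _budget is None:
        _budget = [MAX_DNS_MECHANISMS]  # shared across nested includes
    record = lookup_spf(domain, dns)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no policy published: receiver cannot authenticate

    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            matched = ip.version == net.version and ip in net
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"  # too many DNS mechanisms (loop or bloat)
            sub = check_spf(client_ip, arg, dns, _budget)
            if sub == "pass":
                matched = True
            elif sub in ("none", "permerror"):
                return "permerror"  # included domain has no usable policy
            # fail/softfail/neutral inside an include simply do not match
        else:
            # a, mx, ptr, exists and redirect= need live DNS; unsupported here
            return "permerror"

        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched: default per RFC 7208


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.org"), ("203.0.113.5", "example.org"),
                    ("2001:db8::1", "example.org"), ("203.0.113.5", "nospf.example")]:
        print(f"{ip:>14} vs {dom:<22} -> {check_spf(ip, dom)}")
```

Note that SPF only tells the receiver whether the connecting server is authorized for the envelope sender domain; a "fail" is grounds to quarantine or reject, while "none" and "softfail" are exactly the ambiguous outcomes that leave the decision to filters and, ultimately, to the user.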
In Olsen’s view, widespread adoption of encrypted email will come only if and when web email providers move in that direction. “As the web shifts from http to https encryption everywhere, it wouldn’t surprise me if email followed suit,” she says. But before that happens, the ongoing political battles over encrypted communications will have to be resolved. “Limiting encryption won’t stop criminals and terrorists from being themselves, it will only hurt law-abiding people,” she says.

The upshot: Cybersecurity technology is only effective in securing email if encryption is manageable and the tools can automatically detect threatening emails — methods that will be only partially effective at best. So the key line of defense against file-less attacks and phishing remains the end user, whatever their level of cybersecurity awareness or technical proficiency, the experts agree. Despite the tens of billions of dollars spent on cyber tech over the past decade, user training remains at the core of cybersecurity in 2018.

Time to test

Cybersecurity awareness training is now standard at a growing number of large organizations. Its effectiveness is another matter entirely. In some cases, there is no way to gauge whether end users skip through training as quickly as possible to comply with policy without internalizing basic points, nor is there any way to differentiate those who speed through the material because they are technically savvy from those who rush because they feel overwhelmed and intimidated. Online training, PowerPoint slides, memos and lengthy documents might contain all the key points highlighted in attractive formatting, but it is difficult to judge users’ ability to retain that information when they confront a suspicious email.

To better focus employee attention on email security, some large organizations are increasingly resorting to penalties for employees who repeatedly click links in phishing training emails.

“A quick way to increase user awareness is by instituting a companywide policy for employees that click on phishing campaigns generated by the company, up to and including losing their job, because they clicked on too many phishing emails,” says Olsen. “If the employee has direct ramifications for clicking they tend to be more careful about what they do. Cultivating a vigilant culture in the workplace can ultimately result in fewer phished corporate credentials and compromised machines.”

Along with these punishing sticks come some carrots for cybersecurity policy compliance. Some large organizations offer incentives, games and rewards — symbolic rather than monetary — to individuals who can both demonstrate their own mastery of email security essentials and act as a cybersecurity awareness leader within their teams.

That was the approach taken at the technology giant Cisco Systems in the early 2000s, where an information security team member at that time, Chris Romeo, led a program in which “security ninjas” were ranked according to a martial arts belt system. The highest belt levels were brown and black; those who earned such designations were expected to forge relationships and mentor others.

While the technology skill level at Cisco might well be far above the average for non-technical organizations, the methodology can be adopted by smaller organizations without Cisco’s in-house technical expertise. For example, cybersecurity awareness training can gain buy-in from users by including issues that they must cover in their personal lives, such as secure practices on social media, managing passwords and securing home internet access. The more employees internalize sound cybersecurity practices throughout their lives, the easier it can become to convey the must-dos for email security and other information management issues.

Yet even if users can be drawn into a discussion of email security based on their personal concerns, there remains the challenge of keeping such issues in focus as they carry out their daily tasks. That is why it helps to make email security training as outlandish as possible, says Accenture’s Scarola.
“I have seen and even participated in both very active, and very passive campaigns over the years,” he says. “One of the best I’ve seen was from a small insurance organization whose CISO, a very passionate leader, would dress up like a fish on occasion and walk around the office, reminding employees of the best-practices for detecting socially-engineered emails and how to best handle them.”
Of course, a CISO at a multinational organization might not carry the same gravitas in a fish suit as someone you might know on sight in a small company — or perhaps they might be far too serious and become intimidating dressed as a trout, so adding pizzazz to email security training must take other forms.
“I think we are getting better with users,” says Motorola’s Rushing. “Videos and techniques are good but not always practiced. Sometimes we educate about the wrong things.” One key issue that deserves more attention is the likely timing of phishing attacks. “The bad guys know our schedule. It is between 6:30 am and 8 am when most [phishing attempts] come in, based on time zone. That is where people are in a hurry,” and most vulnerable to an email attack, such as an invitation to take action on a fake UPS delivery, he says.
Once assembled, the elements of email security in a medium or large organization look something like this: a set of policies and procedures developed by information security professionals and backed by C-level authority; a systematic and ongoing cybersecurity awareness training program with email security at center stage; a set of tools to detect and block threats and an incident response team poised to parse threatening emails; and — most important — users who are increasingly confident in their ability to spot suspicious emails, from scam personal offers, fake invoices or embedded links to ransomware.
There is a long way to go. Humans are the low-tech, weak link in the long chain of cybersecurity complexity. Yet unless and until we are better able to detect email-based threats and take appropriate actions, phishing will remain an ominous threat. Email security, once considered yesterday’s problem, remains a critical cyber challenge of today.

Can email security culture go too far?

Cybersecurity awareness trainers seek to maximize email security awareness. But sometimes their very success causes problems downstream as incident response teams grapple not just with phishing, but with legitimate emails mistakenly deemed suspicious.

“When employees do their part, and automated controls sit in front of the email system to weed out the known-positives, the process can work very well,” says Anthony Scarola, security consulting senior manager at Accenture. “Unfortunately, it is not very scalable. Once institutions move past the 200-300 employee count and into the thousands, they will want more advanced (machine-learning-based) email scanning tools in place to ensure employees only get the least number of suspects.”

Sometimes innocuous emails end up in automated phishing-flagging tools as users trained to be skeptical of good-news messages forward messages from company HR or executives straight to the cybersecurity incident response team, kicking off an often time-intensive investigation of an email about an employee incentive program.

A key issue, says Motorola Mobility CISO Richard Rushing, is that “there is a difference between phishing, spam, and a third party email compromise. Each has its own security channels, but it all goes into the same phishing” category, he continues.

A typical DFIR (digital forensics and incident response) team would almost certainly prefer to wade through false-positive phishing emails than take up battle stations to contain ransomware or overcome a DDoS (distributed denial of service) attack. But systematic phishing attempts and a flow of legitimate email from overly vigilant users combine to create a “time sink” for incident response staff, Rushing says.

If users do shift from laxity to overkill in their attempts to spot phishing, it is because humans are inherently unreliable in detecting phishing, says Abhishek Vyas, security solutions architect at the Coventry Building Society in Coventry, England.

“The social engineering spectrum — phishing, vishing, smishing — is based on an emotional response,” Vyas says. “It calls out, ‘this is urgent.’ As a result, trying to drive an outcome based on user training alone is nonsensical.” Phishing, he says, must be discredited by technical means.

But even sophisticated cyber pros with all their tools cannot assume that with phishing, they always know ‘em when they see ‘em. The best resource for incident response teams is “education, the same as end user education,” says Dennis E. Leber, who serves as CISO and CSO at the Cabinet for Health and Family Services (CHFS) for the Commonwealth of Kentucky. “An understanding of the tactics and techniques of the attackers is key,” he says.

And for small and medium-sized businesses, end-user awareness is the only means to resist phishing, says John Bussert, an independent cybersecurity professional in Chicago. “Outside of the endpoint security firms, most security tools are far too expensive to buy/lease and too expensive to implement,” he says. For that class of users, there is no such thing as overactive email vigilance, he says. “Companies need to have a strong internal or external partner evangelist to convince, prod, poke, and just push them into making it a priority.” —LS
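Rushing’s point that spoofed phishing, bulk spam and a compromised third party all land in the same “phishing” queue can be illustrated by a first-pass triage of user-reported messages. The following is an added example, not code from the article or from any team quoted in it: it reads the receiving gateway’s Authentication-Results header (RFC 8601 format) and a few envelope fields from each report and sorts it into a bucket before an analyst spends time on it. The three sample messages, the domain example.org and the bucket names are constructed for the illustration, and the heuristics are deliberately simple.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.org"  # constructed: the organization's own mail domain

# Constructed reports, as a "report phishing" button might deliver them.
REPORTED = {
    # Legitimate HR announcement forwarded by an over-cautious user.
    "hr-bonus": (
        "From: HR Team <hr@example.org>\n"
        "To: alice@example.org\n"
        "Subject: Q3 incentive program\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org;"
        " dkim=pass header.d=example.org; dmarc=pass header.from=example.org\n\n"
        "Details of the incentive program are on the intranet.\n"
    ),
    # Spoof of the internal domain: DMARC fails because SPF and DKIM both fail.
    "spoofed-ceo": (
        "From: CEO <ceo@example.org>\n"
        "To: bob@example.org\n"
        "Subject: Urgent wire transfer\n"
        "Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.org;"
        " dkim=none; dmarc=fail header.from=example.org\n\n"
        "Please process the attached invoice today.\n"
    ),
    # Fully authenticated partner mail whose Reply-To points elsewhere: a classic
    # sign that the partner's mailbox, not the headers, is what was compromised.
    "partner-invoice": (
        "From: Accounts <ap@partner.example>\n"
        "Reply-To: ap@partner-example.invalid\n"
        "To: carol@example.org\n"
        "Subject: Updated bank details\n"
        "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=partner.example;"
        " dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example\n\n"
        "We have changed our bank account; please use the new details.\n"
    ),
}


def parse_auth_results(value):
    """Turn 'authserv-id; spf=pass ...; dkim=pass ...' into {'spf': 'pass', ...}."""
    clauses = [c.strip() for c in value.split(";")][1:]  # drop the authserv-id
    results = {}
    for clause in clauses:
        if not clause:
            continue
        method, _, result = clause.split()[0].partition("=")
        results[method.lower()] = result.lower()
    return results


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(str(header_value))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw_message, internal_domain=INTERNAL_DOMAIN):
    """Assign a reported message to a response bucket (constructed labels)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    if auth.get("dmarc") == "fail" or auth.get("spf") == "fail":
        return "phishing-spoofed"            # sender identity not verified
    if from_domain == internal_domain and auth.get("dmarc") == "pass":
        return "legitimate-internal"         # verify content, but no IR case
    if reply_domain and reply_domain != from_domain:
        return "possible-third-party-compromise"  # authenticates, yet redirects replies
    if msg.get("List-Unsubscribe"):
        return "bulk-spam"
    return "needs-analyst-review"


def triage_all(reports=REPORTED):
    return {name: triage(raw) for name, raw in reports.items()}
```

The value of the buckets is operational: a spoof can go straight to a gateway block, an authenticated internal message needs no investigation at all, and the authenticated-but-redirected partner message is the one that deserves a phone call rather than a header review, because no authentication check will ever flag it.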