BreachExchange mailing list archives

Secure your email not just your email account


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 7 Jan 2015 20:09:09 -0700

http://www.scmagazine.com/secure-your-email-not-just-your-email-account/article/388685/

The risks of having your email hacked are high, but the reaction of most
has been muted. Email security is a problem that continues to pop up in the
news every two weeks and something needs to change.

Email is a perfect target for hackers. If you want to find out everything
about someone all you need is their email account. Once you're in, search
for terms like password and hope that they've either sent or received an
email with a plain text password. Email is a great place to get more
passwords and private data.

Most people send passwords in email when they shouldn't and most people use
the same password everywhere. This makes life so easy for criminals, and it
also means that you can bank on the regularity of these news stories.
Recently, news broke that “20 percent of internet users have been
hacked by a Russian gang,” and 5 million Gmail usernames and
passwords were leaked on a Bitcoin forum. The risk is very real.

Two-factor authentication: Close but no cigar

After all of these scandals and hacks the common wisdom is to write news
stories and blog posts encouraging everyone to turn on two-factor
authentication (2FA). Everyone should turn on 2FA for everything
immediately; this is true. Our systems leverage the identity services of
webmail providers such as Yahoo!, Outlook.com, and Gmail, so turning on 2FA
will provide more security and make it nearly impossible for someone to
hack your email account by guessing a password.

Turning on 2FA will secure your account from hackers, but it really doesn't
make your email any more protected than it is now. Yes, it will be
difficult for a hacker to break into your account: they would have to steal
your password and steal your smartphone. Your account may not be
compromised, but the emails you send to others are still very much at risk.

Email security: Lowest common denominator

When you send an email with sensitive information, that email is only as
safe as your recipient's inbox. You can secure your account as much as you
want to, but if you send that sensitive, secret business plan to a friend,
you are trusting that they also run 2FA. The network effect of email, the
fact that your recipient can forward that attachment to others, just
increases the risk.

2FA isn't for everyone

Given that email security is related not just to your own email account's
security but to your recipient's, you should be encouraging the people to whom
you send email to turn on 2FA.

After you turn on 2FA for yourself you should set aside the entire day to
call up everyone in your address book and ask them to also turn on 2FA.
Then ask all of these same people to call up the people they might forward
your emails to, to turn on 2FA. If you really want your information to be
secure you're going to have to make sure that everyone between you and
Kevin Bacon has 2FA turned on.

Are you going to do this? Probably not. If you did this, maybe 10 percent
of the people you communicate with would think of turning on 2FA. The
reality of 2FA is that normal people don't turn it on. They should, but
even though companies like Facebook and Google have made it very easy, it is
still a hassle and many people still believe that “they have nothing to
hide.” It isn't until people get hacked that they realize how important it
is.

Assume that no one turns on two-factor even after reading all these blog
posts about email hacks. What do you do?

Secure your email not just your email account

Email is plaintext. It can be encrypted when it is sent over a network and
it can be encrypted on a server, but the way email was designed relies on
the fact that a server is reading plain text headers to read a list of
email addresses, a subject, and a body. Attachments are encoded but not
encrypted and when a recipient gets an email nothing checks to see whether
someone has permission to read an email.

This is the real insecurity of email, not the fact that email accounts might
have weak authentication. Don't get me wrong, that's a bad thing, but it
isn't the fundamental problem that needs to be solved in email. What needs
securing isn't your account; it is the data in your account.

This is the real solution to securing email: an envelope that gives email
senders control over the messages they send. It means that you no longer
have to fall prey to the network effect of insecure email accounts. You
can limit your audience and exert some control over the data you share with
others.
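An added example, not part of the forwarded article, illustrating its point that a message's headers travel in clear text and that attachments are encoded but not encrypted: the code builds an ordinary MIME message with Python's standard `email` module and then reads it back the way any relay server or forwarder could, with no key or password involved. All addresses, subject and attachment contents are constructed sample data.

```python
# Added example (not from the article): a standard MIME message carries its
# headers in clear text and its attachment merely base64-encoded, so any
# relay, recipient or recipient's recipient can read both without a key.
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample data; names and contents are made up for this example.
SENDER = "alice@example.com"
RECIPIENT = "bob@example.net"
SUBJECT = "Confidential: Q3 business plan"
ATTACHMENT_NAME = "business-plan.txt"
ATTACHMENT_BODY = b"Q3 plan: acquire Example Corp for $40M\n"


def build_message() -> bytes:
    """Build an ordinary email with one attachment, as a mail client would."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = RECIPIENT
    msg["Subject"] = SUBJECT
    msg.set_content("Bob, please keep this to yourself.")
    # Binary attachments get Content-Transfer-Encoding: base64 by default.
    # That is an encoding for safe transport, not encryption.
    msg.add_attachment(ATTACHMENT_BODY, maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT_NAME)
    return msg.as_bytes()


def read_as_intermediary(raw: bytes) -> dict:
    """Parse the raw bytes exactly as a relay server or a forwarder could:
    no password, no key, just the message itself."""
    msg = message_from_bytes(raw, policy=policy.default)
    seen = {"subject": str(msg["Subject"]), "to": str(msg["To"]),
            "attachments": {}}
    for part in msg.iter_attachments():
        # decode=True undoes the base64 transfer encoding; that is all it takes.
        seen["attachments"][part.get_filename()] = part.get_payload(decode=True)
    return seen


def attachment_is_plain_base64(raw: bytes) -> bool:
    """True if the attachment appears in the wire bytes as plain base64.
    The sample is short enough to fit on one base64 line (no 76-char wrap)."""
    return base64.b64encode(ATTACHMENT_BODY) in raw


if __name__ == "__main__":
    wire = build_message()
    seen = read_as_intermediary(wire)
    print("Subject visible to every relay:", seen["subject"])
    print("Attachment recovered without a key:", seen["attachments"])
```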
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/