You can outsource your email, but a good chunk of securing that email remains in-house. Here's what you need to know.

While outsourcing email is right for many, if not most, enterprises, it’s not enough to ensure both inbound and especially outbound email is secure. For example, outsourcing email would not prevent this from happening:

“Dear [FirstName] [LastName],” the email reads, “Click here to register for the AcmeCorp holiday party. Don’t forget to RSVP!”

You check the return email address: HolidayParty@AcmeCorpHolidayParty.com. Not the usual corporate domain, AcmeCorp.com. Looks phishy. You forward it to your security department and wonder who clicked on the RSVP link.

Later, you find out it was a legitimate email from the event organizers and scratch your head. HR wants a head count ASAP. You click the link and pray the email from the ad hoc domain isn’t a phishing email and thus a major security risk. Will clicking on the link download and execute malware on your work computer, making you another victim of business email compromise (BEC)? No, the email is legitimate and the link harmless, but now everyone in the organization who received that email is a little less vigilant about spotting phishing emails because they know not to expect a standard domain.

Far-fetched scenario? Not at all.

For many — if not most — organizations today, outsourcing email is a no-brainer. Securing email is hard, and unless you have a team of email security engineers, outsourcing email security to the experienced folks at Google, Microsoft, Fastmail or another reputable email provider may well be the right choice.
Unless you’re a large global conglomerate or you’re working on sensitive R&D that you want to protect from theft or espionage, outsourcing email is likely the right decision for your organization.

The organizational challenge of email security

Once you’ve decided to outsource your corporate email, your in-house security team cannot simply “set it and forget it,” as some risks, such as the event organizer scenario, remain. Securing outbound email quickly leaves the realm of technical security work and becomes an organizational challenge. Procurement and brand protection need to be involved to secure enterprise outbound email.

Procurement needs to work with the security team to develop standard contractual language to prevent vendors from spoofing a corporate domain’s email or setting up typosquatting domains like AcmeCorpHolidayParty.com. That anti-phishing training you give your employees? It won’t help much if you condition them to think those kinds of typosquatting domains are normal and legitimate.

Typosquatting domains like paypa1.com or g00gle.com are frequently used as phishing domains. Training employees to be wary of emails from such domains is important to prevent phishing.
Therefore, using such typosquatting domains for legitimate reasons confuses employees, and potentially threatens brand reputation if well-meaning employees or vendors start sending email from those domains to clients, vendors, sales leads, etc.

“It becomes a procurement chain challenge to make sure the events group within the company, and the process that they use for procuring services, knows how to catch these things and direct them through the security team at the company, so all the vendors do the right thing,” Kurt Andersen of the M3AAWG (Messaging Malware Mobile Anti-Abuse Working Group) tells CSO.

Brand protection also needs to be involved to firmly remind vendors that such antics, while well-intentioned, are not acceptable, and pose a serious risk to both brand reputation and the security of the enterprise. “It’s still the Wild West as any salesperson can go out to Mailchimp or other marketing email provider and start spewing email,” Andersen says. “For outbound mail, make sure the security team is hooked into the right corporate processes [like procurement and brand protection], and make sure you have a DMARC record and are monitoring the reports so you have visibility.”

Are you checking those DMARC reports?

Configuring DKIM, SPF and DMARC correctly is critical to securing outbound email, but if you’re not reviewing those DMARC reports on a daily basis, you’ll miss early warning signs that something is amiss — especially if you’re still at the monitor-only (p=none) stage of DMARC deployment.

If someone is spoofing your AcmeCorp.com email domain, for either good faith or nefarious reasons, your DMARC reports are going to let you know. They will also give you visibility into authorized marketing or accounting efforts to use Salesforce or Marketo or Mailchimp that have failed to alert the security team.
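An added example, not from the CSO article or from M3AAWG, of the kind of triage a daily review of those DMARC reports involves: a short Python script that parses a DMARC aggregate (RUA) report and separates sources that failed everything (plain spoofing, good faith or otherwise) from senders that passed raw SPF for some other domain, which is what an unannounced marketing or SaaS vendor usually looks like. The report XML, the IP addresses and the vendor domain in it are constructed for the example, and the p=none policy means none of the failing mail was blocked.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report).
SAMPLE_RUA = """<feedback>
 <policy_published><domain>acmecorp.com</domain><p>none</p></policy_published>
 <record><row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>acmecorp.com</header_from></identifiers>
  <auth_results><spf><domain>acmecorp.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>acmecorp.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.mail-vendor.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>192.0.2.99</source_ip><count>3</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>acmecorp.com</header_from></identifiers>
  <auth_results><spf><domain>acmecorp.com</domain><result>fail</result></spf></auth_results></record>
</feedback>"""


def triage_rua(xml_text):
    """Return (published policy, findings). One finding per source whose mail
    failed DMARC alignment for the header From domain it claimed."""
    root = ET.fromstring(xml_text)
    findings = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        if "pass" in (ev.findtext("dkim"), ev.findtext("spf")):
            continue  # aligned on at least one mechanism, so DMARC passed
        spf_dom = rec.findtext("auth_results/spf/domain")
        raw_spf_pass = rec.findtext("auth_results/spf/result") == "pass"
        # A raw SPF pass for a different domain points at a real sender (typically a
        # marketing or SaaS vendor) never set up to align with ours; everything
        # failing looks like plain spoofing and deserves a closer look.
        kind = ("third-party-unaligned"
                if raw_spf_pass and spf_dom != rec.findtext("identifiers/header_from")
                else "unauthenticated")
        findings.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "kind": kind,
            "spf_domain": spf_dom,
            "blocked": ev.findtext("disposition") in ("quarantine", "reject"),
        })
    return root.findtext("policy_published/p"), findings


if __name__ == "__main__":
    print(triage_rua(SAMPLE_RUA))
```

A "third-party-unaligned" finding is the cue to get that vendor into your SPF record or signing with your DKIM key before moving past p=none; an "unauthenticated" source with real volume is the early warning sign the article describes.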
Including those authorized third parties in your SPF record is key to ensuring your enterprise email doesn’t wind up in recipients’ spam folders.

All this holds true even if you are outsourcing enterprise email, including deploying SPF, DKIM, and DMARC. You need to understand how these technical security measures work in order to hold your vendors accountable.

The future of email security

It’s easy to fall into the trap of thinking email security is a solved problem. If you live and work in a walled garden like Gmail or inside a well-protected government network, teams of engineers spend enormous effort to prevent spam and abuse from reaching your inbox. The truth is that dealing with the vast amounts of garbage email on the internet is a hard problem that’s been mitigated by a feudal security model of outsourced email, but has never been truly solved because of the insecurity inherent in the ancient design of email and the economics of spam that favor the attacker.

“I don’t know that we’re going to be able to change email as we know it, the network effects are so overwhelming,” Andersen tells CSO. “There continue to be discussions, very early discussions, in the IETF [Internet Engineering Task Force, the folks who bring you RFCs] around a next set of revisions to the basic standards for SMTP, none of them go as far as saying ‘we’re going to break backward compatibility’.”

One key sticking point, and it is OK to laugh while you read this, is the widespread deployment of email as a reporting mechanism for legacy industrial IoT devices that have decades-long life spans and send email using IP address literals instead of domain names. “These things still send email as a notification mechanism,” Andersen says. “How can we raise the bar for security for these devices that maybe can’t even do TLS?
They still rely on SMTP and [their owners] are very vocal that we not break their world.”