Users are the most vulnerable asset of any organization. We can deploy security controls against almost any other vulnerability, but not against user behavior. User ignorance or negligence has played a large role in most reported data breaches and financial frauds. So, what should we train them on for effective email security?
1. Make them aware of your domain/domains:
At a glance, the domains “yourcompany.com” and “yourconpany.com” look similar; only on closer inspection do we see the difference. It is essential to train every user in the organization to identify an email that poses as originating from your domain when it does not. Users should know each of the domains your email can originate from, and they have to train their muscle memory to look at the originating email address every time they open an attachment.
2. Email address and Display name are DIFFERENT
When an email account is created, it has a “Display Name” (or “Your Name”) field and an “Email Address” field. The display name can be configured as anything we want, and most email clients fetch this display name and show it in the “From” field of the email. So even if my email address is firstname.lastname@example.org, I can still set the display name to “HR Team”, and the email client will very likely show that display name in the “From” field. Users must be trained to click on the “From” address whenever it shows only a display name and to verify the actual email address before opening an attachment. It is a bit inconvenient at first, but it becomes a habit with a little practice.
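The checks from points 1 and 2 in code, added here as an example and not part of the original post: it parses a From: header, separates the display name from the address, flags an address whose domain is not one of the organization's own but closely resembles one (like yourconpany.com), and flags a display name that suggests an internal sender (like “HR Team”) on an external address. The trusted domains and the list of internal role words are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed assumption: the domains this organization legitimately sends from.
TRUSTED_DOMAINS = {"yourcompany.com", "mail.yourcompany.com"}
# Constructed assumption: words in a display name that staff read as "internal".
INTERNAL_ROLE_WORDS = {"hr", "payroll", "helpdesk", "it", "finance", "ceo"}


def split_from_header(from_header):
    """Return (display_name, address, domain) from a raw From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2] if "@" in addr else ""
    return name, addr, domain


def is_lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """True when the domain is not trusted but closely resembles a trusted one."""
    if not domain or domain in trusted:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= threshold for t in trusted)


def assess_from_header(from_header):
    """List the warnings a trained user (or a mail filter) should raise for a From: value.

    An empty list means the address is on one of the organization's own domains.
    """
    name, addr, domain = split_from_header(from_header)
    if domain in TRUSTED_DOMAINS:
        return []
    warnings = []
    if is_lookalike(domain):
        warnings.append(f"lookalike domain: {domain}")
    # Whole-word match so that a name such as "Chris" does not trigger on "hr".
    name_words = set(re.findall(r"[a-z]+", name.lower()))
    if name_words & INTERNAL_ROLE_WORDS:
        warnings.append(f"display name {name!r} suggests an internal sender but the address is {addr}")
    if not warnings:
        warnings.append(f"external sender: {addr}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, including the post's own "HR Team" scenario.
    for header in ("Jane Doe <jane.doe@yourcompany.com>",
                   "HR Team <firstname.lastname@example.org>",
                   "IT Helpdesk <helpdesk@yourconpany.com>"):
        print(header, "->", assess_from_header(header))
```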
3. Make them aware of all possible ways their accounts can be compromised.
There are various techniques, in use and evolving every day, for compromising an email account; professional spear phishing, identity theft, sniffing and virus-based attacks are the most common ones. Users should always be vigilant about these techniques every time they open an email. The security team should arrange demos of real attack scenarios and make users understand the risk.
4. Have one common secured email client
All users should be required to use company-approved email clients with the latest, strongest encryption suites, and they should be aware of the implications of using unsecured email clients.
5. Secure password awareness
I would say this is the most important training every user must go through. Passwords are built for security, but ironically, passwords are at times what make applications insecure. Because memorizing a password for each application is difficult, users tend to use the same password for all applications, whether public-domain services or company applications. Compromising one of these accounts virtually gives access to every application where the user has used the same credentials.
Train users to create strong, secure, yet easy-to-remember passwords that are unique to each application. There are many techniques a security consultant can share for creating such passphrases. Also, users must be required to change their passwords often for all applications.
A sample technique would be to let a user build a secret algorithm in their mind that generates password strings from some identifier for the application they are using, the month in which they create the password and a long secret string. They can then change the password on the first of every month without forgetting the password for any of their applications.
As an extra security measure, they can hash the password string with MD5 and use the hash as the password. The only caveat is that they would have to use an MD5 hashing tool each time they log in. But it is very secure.
6. Pass on the responsibility to the user:
Is your users’ email security active or passive? Most organizations have passive user email security, where the end user considers email security to be the sole responsibility of the security team. They do not really care what happens when they open an email attachment. This is the primary reason users do not follow healthy email security practices even after all the security training they go through.
So, hold users responsible, or make them pay, for their negligence. It may sound harsh, but if the company loses millions of dollars or its credibility because of one user’s mistake, that user and everyone else in the company suffer through layoffs or a business shutdown. So, it is everyone’s responsibility to secure their own email account and the other assets given to them.
Stringent security policies should be enforced, and users should be made aware of the consequences of their negligence.
This post is written by Ranjith Kesavan, Sr. Cyber Security Lead – Operations Center (SOC and Blue Team) at DTS Solution