Encryption techniques are not new, but with the exception of online transaction processing they remain fairly low profile. Advances in encryption technologies have made them easier and cheaper to implement. But when it comes to email, many organisations remain unsure about how to use encryption effectively, or whether they should bother at all.
So what are the options – and how should you proceed?
Email encryption
End-to-end email encryption has been possible for some time using tools like PGP. Once a message has been encrypted with a digital key, its contents are completely unreadable to anyone who does not have the matching decryption key.
The problem with PGP encryption, however, is that recipients must have the necessary decryption key saved on their computer before a message is received, or they cannot read it. Coordinating a roll-out across hundreds of third-party contacts would be hugely complex – assuming you could even get buy-in from all the other IT departments involved in the operation.
And the customer is then responsible for saving their copy of the public key, otherwise they need to go through the whole setup process again. The reality is that encrypted email is simply unworkable for most customer-facing communications.
That said, for internal messaging, encryption makes perfect sense. Using a shared public key to digitally sign emails significantly increases confidence that the sender, and the contents, are authentic and have not been tampered with in transit.
Microsoft Exchange offers support for S/MIME mail encryption, including the option of using identity verification certificates from third-party providers for additional security. Enabling S/MIME will help to protect your business against email spoofing, as forged mail addresses will lack the encryption keys needed to verify identity, immediately flagging them as suspicious. It is also far easier to set up and manage than an internal PGP deployment.
To further protect your employees, consider configuring your email system to automatically quarantine or reject messages that fail the digital signature test. In this way, you can reduce the chances of them falling victim to a well-crafted phishing email.
DKIM DNS records
Although it cannot encrypt the contents of messages, a DomainKeys Identified Mail (DKIM) DNS record does use encryption to protect your email address against spoofing. As part of the email transmission process, mail sent from your server is checked against the public key associated with your domain name; if no matching key is found, email security filters will automatically quarantine or reject the message.
By including a digital ID in the message headers, your email is protected against tampering in transit, helping to verify its authenticity and provenance. Applying DKIM security prevents hackers from spoofing messages, reducing the risk of falling victim to a successful phishing attack.
DKIM can also be used to protect your customers against similar email-based crimes, as forging the necessary encryption keys is nearly impossible. Any message that purportedly comes from your domain but which lacks the necessary encrypted key will be rejected by the major internet spam detection services.
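The check described above (look up the selector's public key under the sender's domain and quarantine or reject when it is missing) is easy to see in code. The following is an added example, not Topsec's code: it reads the DKIM-Signature header, resolves the key record from a constructed in-memory DNS table, and returns a verdict. The RSA signature itself is assumed to be verified afterwards by a DKIM library once the key has been found; the From-domain alignment rule is borrowed from DMARC's relaxed mode, and all selectors, domains and key values are constructed.

```python
"""DKIM key lookup and policy decision (added example; the cryptographic
verification of b= is assumed to be done by a DKIM library once a key is found)."""
import re

# Constructed DNS TXT data standing in for real lookups (assumption).
# An empty p= tag means the key has been revoked (RFC 6376 section 3.6.1).
DNS_TXT = {
    "mail._domainkey.example.com": "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY",
    "old._domainkey.example.com": "v=DKIM1; k=rsa; p=",
    "mail._domainkey.attacker.example": "v=DKIM1; k=rsa; p=CONSTRUCTEDOTHERKEY",
}

REQUIRED_SIG_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_tags(value):
    """Parse a DKIM tag=value list; folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, val = part.split("=", 1)
        tags[name.strip()] = "".join(val.split())
    return tags


def from_domain(from_header):
    """Domain of the address in a From header, or None if none is present."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return m.group(1).lower() if m else None


def aligned(sig_domain, hdr_domain):
    # Relaxed alignment as DMARC defines it: same domain or a subdomain of d=.
    return hdr_domain == sig_domain or hdr_domain.endswith("." + sig_domain)


def lookup_dkim_key(selector, domain, dns=DNS_TXT):
    """Fetch and parse <selector>._domainkey.<domain>; None when unpublished."""
    record = dns.get(("%s._domainkey.%s" % (selector, domain)).lower())
    return None if record is None else parse_tags(record)


def dkim_policy(headers, dns=DNS_TXT):
    """Return (verdict, reason, key): verdict is 'reject', 'quarantine' or
    'verify' (key found; hand the message and key to the signature verifier)."""
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return "quarantine", "no DKIM-Signature header", None
    try:
        tags = parse_tags(sig)
    except ValueError as exc:
        return "reject", str(exc), None
    missing = [t for t in REQUIRED_SIG_TAGS if t not in tags]
    if missing:
        return "reject", "signature missing tags: " + ",".join(missing), None
    if tags["v"] != "1":
        return "reject", "unsupported DKIM version " + tags["v"], None
    if "from" not in [h.lower() for h in tags["h"].split(":")]:
        return "reject", "From header not covered by h=", None
    hdr_domain = from_domain(headers.get("From", ""))
    sig_domain = tags["d"].lower()
    if hdr_domain is None or not aligned(sig_domain, hdr_domain):
        return "quarantine", "signing domain %s does not align with From domain %s" % (
            sig_domain, hdr_domain), None
    key = lookup_dkim_key(tags["s"], sig_domain, dns)
    if key is None:
        return "reject", "no DKIM key published at %s._domainkey.%s" % (tags["s"], sig_domain), None
    if key.get("v", "DKIM1") != "DKIM1":
        return "reject", "unexpected key record version", None
    if key.get("p", "") == "":
        return "reject", "key revoked (empty p= tag)", None
    if not tags["a"].lower().startswith(key.get("k", "rsa").lower() + "-"):
        return "reject", "algorithm %s does not match key type" % tags["a"], None
    return "verify", "key found, hand to cryptographic verifier", key


def _sig(d="example.com", s="mail", h="from:to:subject:date"):
    # Constructed signature header; bh= and b= are placeholders, not real digests.
    return "v=1; a=rsa-sha256; d=%s; s=%s; h=%s;\r\n bh=CONSTRUCTEDBODYHASH=;\r\n b=CONSTRUCTEDSIG==" % (d, s, h)


# Constructed sample messages (header dicts only).
SAMPLES = {
    "signed_ok": {"From": "Alice <alice@example.com>", "DKIM-Signature": _sig()},
    "unsigned": {"From": "Alice <alice@example.com>"},
    "unknown_selector": {"From": "alice@example.com", "DKIM-Signature": _sig(s="nosuch")},
    "revoked_key": {"From": "alice@example.com", "DKIM-Signature": _sig(s="old")},
    "from_not_signed": {"From": "alice@example.com", "DKIM-Signature": _sig(h="to:subject")},
    "misaligned": {"From": "alice@example.com", "DKIM-Signature": _sig(d="attacker.example")},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        verdict, reason, _ = dkim_policy(headers)
        print("%-16s %-10s %s" % (name, verdict, reason))
```

The "misaligned" case is the one the paragraph above is about: a message that claims to be from your domain but is signed with somebody else's key gets held even though that other key exists, and a message signed with a selector you never published, or one you have revoked by publishing an empty p= tag, is rejected outright.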
In the event that your business relies on POP3 for any part of its email service, your user accounts could be at risk of compromise. Standard POP3 connectivity sends user names and passwords in plain text.
There is a very good chance that your users’ email clients are already set up to use SSL/TLS encryption when connecting to the mail server, but it pays to check that this is the case across your entire IT estate – particularly remote users and those on BYOD. You should also ensure that your mail server is configured to reject unencrypted connections.
Transmitting usernames and passwords in plain text leaves them vulnerable to interception by hackers. Once in possession of valid logon details, they will then be able to take advantage of your own mail server to send official-looking messages to other users as the basis for spear phishing attacks.
Attacks that exploit a lack of connection encryption are very easy to prevent, but equally very hard to detect.
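Because these attacks are hard to detect after the fact, the practical check is on the wire: a POP3 client is safe only if USER/PASS (or AUTH PLAIN/LOGIN) are sent after STLS has been accepted, or over an implicit-TLS port 995 connection. The following is an added example, not Topsec's code, in two parts: an audit function that runs over captured POP3 session transcripts (constructed here) and flags credentials sent before TLS was negotiated, and a client login helper showing the correct ordering with the standard library's poplib. The host, user and password values are placeholders.

```python
"""Detect plaintext POP3 logons in session transcripts, and log in correctly.
Added example; transcripts are constructed, not captured from a real server."""
import poplib
import ssl

# Mechanisms that carry the password (base64 is not encryption) in the clear.
CLEAR_AUTH_MECHANISMS = ("PLAIN", "LOGIN")


def audit_pop3_session(transcript, implicit_tls=False):
    """Return [(line_no, reason), ...] for each credential sent without TLS.

    transcript: lines prefixed 'C: ' (client) or 'S: ' (server), as a monitor
    on port 110 would see them. implicit_tls=True models a port 995 session,
    where TLS wraps everything and STLS is never needed."""
    findings = []
    tls = implicit_tls
    awaiting_stls = False
    for n, line in enumerate(transcript.splitlines(), 1):
        side, _, text = line.partition(": ")
        if side not in ("C", "S"):
            continue
        if side == "S":
            # Only the server's reply to STLS changes the TLS state.
            if awaiting_stls:
                tls = text.startswith("+OK")
                awaiting_stls = False
            continue
        words = text.split()
        cmd = words[0].upper() if words else ""
        if cmd == "STLS":
            awaiting_stls = True
        elif cmd in ("USER", "PASS") and not tls:
            findings.append((n, cmd + " sent before TLS was negotiated"))
        elif cmd == "AUTH" and not tls:
            mech = words[1].upper() if len(words) > 1 else ""
            if mech in CLEAR_AUTH_MECHANISMS:
                findings.append((n, "AUTH %s sent before TLS was negotiated" % mech))
    return findings


def login_over_tls(host, user, password, port=110):
    """Log in to a POP3 server, refusing to send credentials until STLS succeeds.
    Not called at import time; needs a reachable server (placeholders assumed)."""
    conn = poplib.POP3(host, port, timeout=10)
    ctx = ssl.create_default_context()  # verifies the server certificate
    conn.stls(context=ctx)  # raises poplib.error_proto if the server refuses
    conn.user(user)
    conn.pass_(password)
    return conn


# Constructed transcripts (placeholder credentials).
PLAINTEXT_SESSION = """\
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS placeholder-password
S: +OK logged in"""

STLS_SESSION = """\
S: +OK POP3 server ready
C: CAPA
S: +OK
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation
C: USER alice
S: +OK
C: PASS placeholder-password
S: +OK logged in"""

STLS_REFUSED_SESSION = """\
S: +OK POP3 server ready
C: STLS
S: -ERR TLS not available
C: USER alice
S: +OK
C: PASS placeholder-password
S: +OK logged in"""

if __name__ == "__main__":
    for name, session in (("plaintext", PLAINTEXT_SESSION),
                          ("stls", STLS_SESSION),
                          ("stls_refused", STLS_REFUSED_SESSION)):
        print(name, audit_pop3_session(session) or "no findings")
```

The refused-STLS transcript is the case worth watching for: a client that offers STLS but then carries on in the clear when the server declines is exactly the configuration that a server set to reject unencrypted connections would stop.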
Encryption – important but not the whole answer
Encryption can play a very important part in raising email security standards throughout your organisation. By applying the security methods outlined here, businesses can at least protect against most phishing and spear phishing attacks by proving the authenticity of messages sent from their domain.
It is also important to note that encryption only protects incoming and outgoing email from known senders, doing little to protect against the huge volumes of spam your business receives each day. For ultimate protection you will still need a robust, scalable solution that automatically updates to catch and block emerging threats – like Topsec’s Email Security service.