by Shawn D. Stewart

The End of Email?

OR What Have You Done For Me Lately?

90% of breaches start with a phishing email.  Some reports say half of all the world’s bandwidth is wasted on the transmission of spam and phishing email.  Imagine being in a sports car on the interstate and every other vehicle is a garbage truck…in every lane.

Dear Email – Should we just dump email entirely?  We’ve become dependent on it.  You’ve had that address since college.  It was your coming of age symbol.  At first, it was a great relationship.  You spent hours on the phone together.  But then it all went wrong.  So, how do we move forward with this abusive relationship?  Time to make email that app we want to spend the rest of our lives with.

You Know What You Did – Every email client should have the ability to block a sender or report spam.  However, since spam, phishing attempts, and malicious malware or ransomware constitute 85% of all email, it’s time we reverse our thinking.  Instead of blacklists that block offenders once they’ve already skipped through multiple layers of defense, we must give the bouncer a list of only who we want. 

Limiting Trust – Of course, a master list of customers, partners, vendors, and government agencies should be built centrally to allow those domain names to pass.  Anything inside the organization would also be permitted.  Individuals would then only be responsible for personal or unique email contacts.  Don’t forget to limit outbound email to confirmed internal addresses to prevent becoming a spam source.

We Need Counseling  – Yes, it sounds daunting, especially for IT support.  But forcing every individual to create an allowed list of email communicants will accomplish more than just better security.  Do you really need a daily newsletter for rock-hard abs?  Shouldn’t you just admit defeat and unsubscribe?  Start by removing the email you can control.

VIP Treatment – Next step is the hardest.  Who do you receive email from daily, weekly, monthly, or just annually that should be allowed to pass?  What about those domain expiration reminders you only get in June?  Or those electronic invites for the company Christmas party?  The possibility of missing email is enough to prevent companies and individuals from the ‘block-first’ policy.  But weigh the cost of a ransomware attack that could close the company.

I Think We Should See Other Programs – If your email program can’t accommodate central and individual whitelisting, you should probably switch. While you’re confirming the capabilities, be sure your email supports domain-level and individual security certificates.  No bouncer worth his thick-neck, muscle-bound weight would dare allow someone in without the proper ID.

The Fault in Our SMTP mail servers – The main problem with email as it is today is the lack of security.  Standard POP, IMAP, and SMTP are plain text.  The S in SMTP stands for ‘Simple’, not ‘Secure’.  Unless you use HTTPS, SSL, or TLS, anyone with access to the data stream can read all your emails and intercept your attachments.  Some providers offer no security for email and are not allowed for secure transmissions, such as government and military operations.  I’m looking at you, Google!

If you run your own mail server, install a trusted certificate and force the use of TLS transport security.  This significantly reduces spam/malicious email.

Attachment Issues – One sure-fire solution to stop the transfer of malware and ransomware through email is to prevent ALL attachments.  What?  How will I transfer files?  The Internet has come a long way since email first appeared.  Bandwidth has increased, as has the number of secure file sharing and collaboration options.  There are numerous file sharing locations for individuals and businesses.  No one should be sharing anything through email.  It’s not safe and, legally, breaches most corporate acceptable use policies.  Just shut it off already!

Be Honest With Yourself – Rats always find holes.  The only way to confirm an email is really from the sender is through digital certificates.  Simple domain and email address whitelists won’t prevent spoofing attacks.  Email doesn’t require validation of sender or confirmation that the current sender received it.  Your auditing emails to let you know when your email was ‘read’ can be triggered by an Intrusion Prevention Service (IPS) or a virus scanner.

Love Notes – Start by adding digital certificates to corporate policy.  You can use them for signing documents and email.  Tech savvy companies use digital certificates to confirm devices connected to their network before allowing them access, even with a valid login.  Ask your contacts to enable and always sign their emails with digital certificates.  This ensures nonrepudiation (a $1 word meaning they can’t say they didn’t send it), authentication, and message integrity.
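The block-first policy from "You Know What You Did" and "Limiting Trust", the attachment ban from "Attachment Issues", and the signing requirement above can be combined into a single inbound check. The sketch below is an added example, not code from the article; every domain, address, and function name in it is a constructed placeholder. It only checks that a message is structured as S/MIME signed, so verifying the signature and certificate chain remains a separate step.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data; every domain and address here is a placeholder.
INTERNAL_DOMAIN = "corp.example"
CENTRAL_ALLOW = {"partner.example", "vendor.example"}             # kept by IT
PERSONAL_ALLOW = {"alice@corp.example": {"friend@mail.example"}}  # kept per user
SMIME_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

def claims_smime_signature(msg):
    """Structural check only: is this a detached S/MIME (multipart/signed) message?"""
    return (msg.get_content_type() == "multipart/signed"
            and str(msg.get_param("protocol", "")).lower() in SMIME_PROTOCOLS)

def has_attachment(msg):
    """Any part with a filename or attachment disposition, except the signature part."""
    sig = None
    if claims_smime_signature(msg) and msg.is_multipart() and len(msg.get_payload()) == 2:
        sig = msg.get_payload()[1]  # second part of multipart/signed is the signature
    return any(p is not sig and (p.get_filename() or p.get_content_disposition() == "attachment")
               for p in msg.walk())

def evaluate(raw, recipient):
    """Return the verdict for one inbound message under the block-first policy."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    if not (domain == INTERNAL_DOMAIN or domain in CENTRAL_ALLOW
            or sender in PERSONAL_ALLOW.get(recipient.lower(), set())):
        return "reject: sender not on an allow list"
    if has_attachment(msg):
        return "reject: attachments are disabled"
    if not claims_smime_signature(msg):
        # The From header is sender-controlled, so an allow-list hit proves nothing.
        return "quarantine: allow-listed but unsigned"
    # Still unverified: the signature and certificate chain must be checked next.
    return "verify: hand to S/MIME verifier"

# Constructed sample: an unsigned message claiming to come from a partner domain.
SPOOFED = "From: Billing <billing@partner.example>\nSubject: invoice\n\nPay now.\n"

if __name__ == "__main__":
    print(evaluate(SPOOFED, "alice@corp.example"))
```
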

Shangri-La – In the perfect world, we save half the world’s bandwidth by blocking email not sent or relayed from a certificate-confirmed source.  Senders and receivers are validated by a seamless system of trust while spam, malware, and ransomware are starved out. 

OK, grab your sad little mail bag and get back in here.  No, it’s as much my fault as yours.  We can probably work this out.  Maybe.

Need help?  Reach out.  We are all in this together.

Images provided by Pixabay

Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a BS in IT, a Minor in Professional Writing and is a published author. He is scheduled to complete his Masters in Cybersecurity in August 2021.
