Email Security

Email has been around since 1971 and still fulfils its basic purpose of sending a message between two computers. The concept of keeping that information secure came later, which has left email with features that are easily exploited or misused.

There have been cases of CC and BCC being misused. CC is ‘Carbon Copy’ and BCC ‘Blind Carbon Copy’. Every recipient can see the addresses in the CC field, so CC is the right choice when the sender wants recipients to know who the message has been shared with, such as the members of a group. BCC addresses are not shared with the recipients: each sees only their own address and that of the sender. BCC is the setting that should normally be used for bulk emails. An email address is considered personal information in law. It will often include a first and last name, and possibly a company name as well; for example ‘firstname.lastname@company.com’. Revealing data such as this without the clear permission of the individuals involved is a GDPR breach and a fine is almost certain. A notable example is the £200,000 fine imposed on the Independent Inquiry into Child Sex Abuse by the Information Commissioner’s Office in 2018 for just such an error. For promotional mass mailing there is a strong case for using a reputable online service to handle marketing emails. This puts some of the GDPR responsibility on that service and reduces the risk of CC address errors. It does, however, raise the issue of ensuring that only the minimum of customer data is shared with the service, since it becomes another potential avenue for a data breach.
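The following is an added example, not code from the Kindus post. It shows the mechanics behind the CC/BCC advice above: the real recipients of a bulk mailing go in Bcc, the Bcc header is stripped from what is transmitted while every address still goes into the SMTP envelope, and a pre-send check flags any message that would expose outside addresses in To or Cc. The domain, sender and recipient addresses are constructed for the example (example.com, example.org and example.net are reserved documentation names), and the `max_external` threshold is an assumption you would tune to your own sending policy.

```python
"""Added example, not code from the Kindus post: build a bulk mailing that
keeps recipient addresses in Bcc, show how Bcc is separated from the headers
that every recipient sees, and run a pre-send check that flags a message
exposing external addresses in To/Cc.  All domains and addresses below are
constructed for the example (example.com/.org/.net are reserved names)."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

OWN_DOMAIN = "example.com"                # the sending organisation (constructed)
SENDER = "newsletter@example.com"
RECIPIENTS = [                            # constructed customer addresses
    "alice.smith@example.org",
    "bob.jones@example.net",
    "carol.white@example.org",
]


def exposed_external_addresses(msg: EmailMessage, own_domain: str) -> list[str]:
    """Addresses in To/Cc (the headers every recipient sees) that are outside
    our own domain.  Bcc is excluded on purpose: it is never delivered."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [
        addr.lower()
        for _, addr in pairs
        if "@" in addr and addr.rsplit("@", 1)[1].lower() != own_domain.lower()
    ]


def check_exposure(msg: EmailMessage, own_domain: str, max_external: int = 1):
    """Pre-send gate: allow at most `max_external` outside addresses in the
    visible headers (a one-to-one reply is fine; a mailing list in Cc is not).
    The threshold is an assumption for the example."""
    exposed = exposed_external_addresses(msg, own_domain)
    return len(exposed) <= max_external, exposed


def build_message(sender: str, recipients: list[str], subject: str,
                  body: str, use_bcc: bool = True) -> EmailMessage:
    """Compose a bulk message.  With use_bcc=True the visible To is the sender
    itself and the real recipients go in Bcc; use_bcc=False reproduces the
    classic mistake of listing everyone in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Bcc" if use_bcc else "Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_and_wire_form(msg: EmailMessage):
    """What a correct sender does: collect every SMTP envelope recipient
    (To + Cc + Bcc), then strip Bcc from the headers that are transmitted.
    smtplib.SMTP.send_message() performs the same Bcc removal itself."""
    all_fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
                  + msg.get_all("Bcc", []))
    envelope = [addr for _, addr in getaddresses(all_fields)]
    wire = message_from_string(msg.as_string(), policy=msg.policy)  # working copy
    del wire["Bcc"]               # removes every Bcc header
    return envelope, wire.as_string()


if __name__ == "__main__":
    for use_bcc in (True, False):
        m = build_message(SENDER, RECIPIENTS, "Monthly update", "Hello.", use_bcc)
        ok, exposed = check_exposure(m, OWN_DOMAIN)
        print(f"use_bcc={use_bcc}: send allowed={ok}, exposed={exposed}")
    env, text = envelope_and_wire_form(build_message(SENDER, RECIPIENTS, "x", "y"))
    print("envelope recipients:", env)
    print("Bcc header present on the wire:", "Bcc:" in text)
```

Run as a script it prints that the Bcc version passes the check while the Cc version is rejected with the three exposed addresses listed, and that the transmitted form carries all four envelope recipients but no Bcc header. The check only looks at the headers a recipient can read, so it is a useful last gate in any in-house bulk sending script regardless of which mail library does the actual delivery.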

Email client programs may offer the option to recall an email. Offering the option does not mean that a recall will actually happen. The process should result in the message being deleted from the recipient’s inbox, but in practice that only happens when sender and recipient are using the same email server. This would be the case for internal company email where the company has full control of the server. With many organisations now using cloud services such as Office 365, this scenario is becoming less likely. Another apparent email client feature is the ability to set a priority or flag emails in some way. Out of the box this is no more than colouring-in the messages. It helps the recipient sort or prioritise messages but does not make them any more secure. There are dedicated applications to filter and secure messages, but these need to be set up within an organisation’s email server structure; a client email program cannot do this on its own.

When a business sets up a domain name and website it will also have access to web-based email linked to that domain name. Addresses are relatively easy to set up and any costs are usually bundled within the domain and email package. The individual email accounts can be accessed through a web interface, or their settings can be linked to a local email client so they can be read without opening a web page. An important security issue is that the web account administrator has full access to create and monitor email accounts. This includes seeing the contents of all sent and received emails, as well as changing passwords and sending new messages. Access credentials for such a system need to be kept secure. Organisations should consider more secure dedicated email solutions for linking to their domain name.

Cloud-based servers may be more secure than private solutions because the cloud provider dare not risk the consequences of a data breach across multiple clients. Gmail accounts, for example, run over an HTTPS connection, so emails are encrypted when they leave the sender’s machine. This protects the sender from a man-in-the-middle attack unless the attacker were to spoof the entire Gmail interface, including details of historic emails to that account. Gmail confidential mode offers some additional security, as the recipient only receives a link to the message. Gmail will display the content to authenticated users and can prevent forwarding or have a message expire after a set time limit. It suffers from the issue that any message requiring the recipient to act on a link or SMS code could be harmful, and so may not be acted upon even when benign. Further issues with Gmail are that Google’s terms and conditions could allow its use of confidential data, and that use of a free service might imply a lack of funds within an organisation.

Many organisations have moved to Office 365 email server solutions rather than hosting their own Outlook server.  Messages are encrypted when they leave the sender but there is the additional option to encrypt the email at source.  This requires the recipient to be in a position to decrypt the message.  Ideally this will be set up at the organisation level with access to the relevant signing certificates being strictly restricted.

Options exist to encrypt messages ‘at rest’ so that only someone holding the linked key can read them; this would include locking out system administrators. In most other cases there will be a global user of the system with the ability to see all messages on the email server. In some cases this may be necessary for an organisation to work properly, although the potentially high volume of messages on the server makes reading them all unlikely. Such a privilege could be of use as part of an investigation of a hack or malpractice, but any organisation would need to be aware of the possible legal consequences. Carmarthenshire College was fined €3,000 for breaching the human rights of an employee in 2007 following unjustified monitoring of emails and other personal communications.
