Working with a small business owner based in Pennsylvania last month, a question arose that serves as the title for the second article in the “Main Street Cybersecurity” series: “Can Email Be Safe?” When I heard the question, all the standard canned responses came to mind. But, upon further thought later that evening, it struck me that the “canned answers” are more suited for people working in the field to communicate with one another in a common lexicon. Too often, this lexicon gets lost in translation. Ever try to explain a ransomware attack to your mother or grandmother without getting a blank stare in return? The objective of this article is to confer knowledge about email safety to Main Street, from people working in the cybersecurity trade. The Main Street selected for the article is New Port Richey, Florida, population 15,527.
(Main Street, New Port Richey, Florida)
In the daily news cycle, reports of phishing and ransomware attacks are becoming more and more prevalent. These attacks leverage a technology that is an essential component of nearly every person’s life. You guessed it—email. Carrying sophisticated and carefully crafted payloads, these sometimes seemingly harmless emails can wreak havoc on a business or individual. Company data and computers become unusable, and ultimately the attacked entity either pays a ransom to get their data back, or unwittingly divulges financial resource information to the prince of country XYZ.
Can email be safe? Yes, but it will require new thinking across the board. Processes and technologies will continue to improve their ability to identify malicious emails, but attackers will improve their delivery methods and capabilities as well. For Main Street, the most affected recipients of potentially malicious emails, better education on how to discern good from bad emails (on their own) may be their first and best defense. What follows is an initial checklist for people on Main Street who read email to keep in mind before opening that next unknown email attachment. If you have questions or comments regarding this article, please connect with us on Twitter @Release2I.
Protect all of your devices
Keeping all your software and operating systems up to date is one of the easiest things that can be done to protect your computers. Almost all current operating systems have the ability to automatically download and apply patches on a regular basis: enable this capability. Malware delivered by email often attempts to exploit OS vulnerabilities, so if your system is “up to date” patch-wise, you are less exposed.
Antivirus and a system firewall are also essential in making your system(s) as safe as they can be. Antivirus protects against malicious files executing unknowingly, but it is not perfect. Software-based firewalls on computers can automatically flag (and/or block) suspicious network traffic, and many can be trained by the user for specific cases. Another useful tool is a dedicated anti-malware tool. Malwarebytes is a highly regarded and recommended solution.
One key thing to remember: with today’s technological advances come hidden perils. It’s no longer enough to worry about just your primary computer and email security. Our computers, phones, tablets, watches, game systems and televisions are connected to the same wireless network in our houses and businesses and present a would-be attacker with additional entry points into our digital lives. Ensuring that all of these devices are secured, and that all computer users in a home or business are educated about proper usage techniques, is just as important.
Protecting Me… from Myself
While passive defenses like the ones mentioned above assist in preventing many threats that come through email, they cannot prevent end-user carelessness or a mistaken click on a malicious link or attachment. Even with these defenses, email is still the easiest way for an outsider to gain access to your computers. If an attacker can get you (or an employee) to click on a malicious link, they’ve potentially walked right through your network’s front door. As a result, one of the best defenses is educating your family and your coworkers on email security. Does that mean that all links or attachments are bad? No, and here are some ways to differentiate between them.
Email Attachments
Today, most email providers proactively scan for, identify, and remove malicious content. Sometimes, though, files do slip through, and this is where antivirus (with on-access scanning) becomes important. Antivirus can automatically quarantine the malicious files, but a good rule of thumb is to never open ANYTHING that comes from an unknown or unsolicited sender. Another good practice to get into is reviewing the file types of attachments before opening them. Documents that can contain macros and PDF documents are some of the favorite tools of attackers. Keep your PDF and office software up to date, and NEVER enable macros in documents when opening them.
A final thought on links and attachments: even though an attachment may come from a friend, family member or business contact, if their email security practices are not “complete,” they can act as an unknowing accomplice to an attacker’s phishing/ransomware game. If a known sender’s computer is compromised, malicious software can propagate virally by accessing/reading their address book and then crafting familiar-sounding emails to friends, family and coworkers that sound authentic. As humans we tend to trust the familiar and go on “autopilot,” clicking whatever was sent. Oftentimes, the content of the email will feel “off” when you read it. TRUST YOUR INSTINCTS, and when in doubt either confirm they sent the email, or delete it. Unexpected/strange emails from financial institutions and social media sites, along with misspelled words and poor grammar that convey a sense of urgency, are also telltale signs that something might be amiss.
Email Links
Between attachments and links inside of emails, links can be the more difficult of the two to evaluate. Here are some time-tested guidelines, however, that can help. Reference the following image of an email message:
While reviewing a web link in an email, most mail applications will show you the actual link that will be followed if you hover over it. As seen in the above image, a malicious actor is taking advantage of a common HTML feature to try and trick the reader into clicking on a “safe” link, and being routed to http://www.iammalicious.com instead of http://www.r2i-llc.com. If the displayed link text does not match the hovered-over link, do not click on the link.
Here are some tests to apply when trying to determine the validity of an email link. The following applies to the text between the “http://” (or “https://”) and the next “/”:
- Do you recognize the domain, or is it something entirely different than what the display text was? If the link goes to an IP address (that is, the domain looks like a bunch of numbers separated by periods), don’t click it.
- Does the domain end in a country-specific domain like “.cn” (China) or “.ru” (Russia)? If so, this is a strong indicator that the link is malicious.
- If the domain looks safe, always double check. Buying up domain names that look like real domains but are slightly different or misspelled (i.e., like “gooogle.com” or “facebook.cm”) is another malicious actor favorite. This is referred to as “ghosting” or “shadowing” and is a dead giveaway.
- A caveat to the above: subdomains are okay. Subdomains like “mail.google.com”, “docs.google.com”, and “drive.google.com” are probably safe as long as you trust the rest of the domain name.
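To show how the hover check and the four domain tests above fit together, here is an added Python example (not code from the article or from Release 2 Innovation). It pulls every link out of a constructed HTML email body, reads the host between “http(s)://” and the next “/”, and reports which of the article’s warning signs each link trips: display text that disagrees with the real destination, a raw IP address, a “.cn”/“.ru” ending, a one-character look-alike of a trusted domain, and an unrecognized domain. The trusted-domain list, the sample email, and the two-label shortcut for stripping subdomains are assumptions made for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email body (not from the article) that reproduces the trick
# described above: the visible text says r2i-llc.com, the href goes elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. View it at
<a href="http://www.iammalicious.com/invoice">http://www.r2i-llc.com</a>
or open it in <a href="https://docs.google.com/document/1">Google Docs</a>.</p>
<p>Also see <a href="http://192.168.1.20/login">our portal</a>,
<a href="http://gooogle.com/">Google</a> and
<a href="http://example.ru/offer">this offer</a>.</p>
"""

# Assumption: the reader keeps a short list of domains they recognize and trust.
TRUSTED_DOMAINS = {"google.com", "r2i-llc.com"}
# Country-code top-level domains the article singles out.
SUSPICIOUS_CCTLDS = {"cn", "ru"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def hostname_of(url):
    """The text between 'http(s)://' and the next '/': the host you will really visit."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Strip subdomains: 'docs.google.com' -> 'google.com'.
    Simplification for the example: keeps the last two labels. Real code should
    use the Public Suffix List (this shortcut mishandles names like 'bbc.co.uk')."""
    parts = host.split(".")
    return ".".join(parts[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _levenshtein(a, b):
    """Edit distance; a distance of 1 catches 'gooogle.com' vs 'google.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href, display_text):
    """Return the warning signs this link trips; an empty list means none fired."""
    warnings = []
    host = hostname_of(href)
    if not host:
        return ["link has no host"]
    if _is_ip(host):                      # "a bunch of numbers separated by periods"
        return ["link goes to a raw IP address (%s)" % host]
    domain = registrable_domain(host)     # subdomain caveat: judge the parent domain

    # Hover check: does the text you see name a different site than the href?
    shown = display_text.lower()
    if shown.startswith(("http://", "https://")):
        shown_host = hostname_of(shown)
    else:
        shown_host = shown if "." in shown and " " not in shown else ""
    if shown_host and registrable_domain(shown_host) != domain:
        warnings.append("display text shows %s but link goes to %s" % (shown_host, host))

    tld = domain.rsplit(".", 1)[-1]       # country-code ending?
    if tld in SUSPICIOUS_CCTLDS:
        warnings.append("country-code domain .%s" % tld)

    if domain not in TRUSTED_DOMAINS:     # recognized? or a near-miss of one?
        lookalikes = [t for t in TRUSTED_DOMAINS if _levenshtein(domain, t) <= 1]
        if lookalikes:
            warnings.append("%s looks like trusted %s but is not" % (domain, lookalikes[0]))
        else:
            warnings.append("%s is not a domain you recognize" % domain)
    return warnings


def check_email(html):
    """Map each link's href to the list of warnings it triggers."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for href, found in check_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", found or "no warning signs")
```

Only the docs.google.com link comes back clean, because its parent domain is on the trusted list; the r2i-llc.com-lookalike anchor is flagged both for the display/destination mismatch and for an unrecognized domain, which is exactly what hovering over it would have revealed.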
In all cases, when in doubt, don’t click it. Other general email tips:
- If you get an email that asks you to log into your account from a link in the email itself, NEVER use the link in the email. Instead, open your browser, go to the website, and enter your credentials there. If you’re sure an email is maliciously spoofing one of your legitimate accounts, report the incident to the company.
- Unsolicited “humorous” email is usually at best junk mail, and at worst malicious. It’s not worth opening.
- With business emails, be instantly skeptical of any email conveying a sense of urgency or authority that seems out of normal process. “Do this now” and “Immediate Action Required” emails are attempts by a bad actor to get you to act without thinking.
- If you are really unsure whether a link is safe or not, there are sites that will actually verify the validity of a link for you! A good one is URLVoid: http://www.urlvoid.com/. Right click on the questionable link and choose “Copy link address”, then paste it into the search bar on URLVoid. URLVoid will scan the site and tell you if it’s safe to click.
Organizational Cybersecurity POC
If you are a small business and you haven’t done so already, designate someone to be responsible for cybersecurity; it could be you yourself, as long as it’s someone. We plan on devoting an entire article to this in the near future. A common mistake is to not devote the time or energy to thinking about ways in which your assets (personal or professional) might be vulnerable to cyberattack. You should concern yourself with anything that touches the internet (email accounts, email servers, financial systems, websites, shared drives, etc.); all those things are at risk. One item that is often overlooked is shared drives, which often contain an organization’s most vital information; factor them into your planning. Keeping your server infrastructure safe will be discussed in future articles, but for now, let’s just think about best practices for you as a user, things you can do to keep yourself safe.
Always remember you are the best and last line of defense for keeping your computer resources safe. There are a lot of tools that prevent phishing and malware, but being a responsible user of email is the most effective technique.
Please follow the Main Street Cybersecurity series and thank you to the contributors who assembled this article and those who protect this great nation we live in. Please note that my views are my own and not that of my team or my clients; I am the CEO/Founder of Release 2 Innovation (www.r2i-llc.com) which delivers a variety of products and services across the Computer Network Defense, Network Intelligence and Data Science domains. My gratitude to my wonderful team: Jerry Derrick, Chris B., Keith W., Brad L. and New Port Richey. Follow us on twitter at @Release2I.
More reading:
Discovering and proactively blocking malicious infrastructure