September 15, 2015
Teachers Talk - Today's Email Security Landscape: What You Need to Know.
Colin Hill, Director of Computer Services, Burman University, Lacombe, AB

First, the good news. For the first time in over a decade, the volume of spam has fallen below the fifty percent mark of total email that passes through the Internet.1 Likewise, the rate of virus infections has declined to the point where there are legitimate discussions among security professionals about the effectiveness of traditional virus scanners.2 But don’t let that good news lead you to a false sense of security; the risk of damage to or loss of your data and personal or institutional property (real or virtual) is increasing.
 
You could say that the traditional scanners were too effective, thus causing the fraudsters to change their tactics. The type of attack that we now see on the rise relies much more on the human factor, and that is much harder to protect by technical means. This form of attack is known as phishing (a homophone of fishing, alluding to the use of fake ‘bait’ to catch the victim). The attackers use social engineering to manipulate you into divulging the information they are looking for. It could be as simple as informing you that you have won a huge lottery and all you need to do is fill out this form (including your email address, bank account number, and so on) to claim the prize. Or the message can be much more believable and appear to be from your bank, asking you to just change your password due to a recent security breach. The web site you are directed to will then harvest the information that you type in, and the attackers then have the credentials needed to access your account.
 
Taking this type of attack a step further is the ‘Spear Phishing’ variant. This is a phishing attack that has been crafted to be more successful by targeting a much smaller audience, or an individual. Here at Burman University, we recently had an email delivered to our accountant. It seemed to come from the president, who was away on the road, saying that he wanted to do a money transfer and would be sending more details in a few hours. This was followed by another email giving details on the transfer desired. The attacker took enough time to research the names of our administrators, determined who would handle money transfers, and included enough information to look reasonably believable. Also be aware that means other than email may be involved in preparing or delivering the attack. Attempts to get information by phone, regular mail, or browsing institutional web sites can all give detailed information that can make the final attack more successful. Does your school have the checks and balances in place to thwart such an attack? Don’t think that you are too small a target. The current trend is toward smaller organizations that have less protection in place.
 
Another attack that several of our users have fallen prey to recently is the CryptoLocker trojan (also known as RansomWare). This is transmitted through an email attachment (the most common we have seen is the submittal of a resume, named as a PDF document but in reality JavaScript code). Once the user clicks on the attachment to open it, a script is run that will encrypt all of the files on the local hard drive and any mapped network drives. A message is then displayed stating that your files have been hijacked and are now encrypted. It will then give you instructions on how to send payment to the crooks. When payment is received you will be sent a code that can be used to recover, or decrypt, your files. If you don’t want to pay for that solution, you have no choice but to re-format your hard drive and reinstall the operating system. Some have reported success in getting the files back after submitting a payment, but ideally, don’t let yourself get in that situation.
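
The disguised attachment described above (a file presented as a PDF resume that is really JavaScript) can be checked for at the mail gateway or during triage. The following Python code is an added example, not part of the original article; the sample message, addresses, file names and the extension list are constructed assumptions.

```python
# Added example (not from the original article): flag attachments that claim
# to be a PDF but are not. The sample message built below is constructed.
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".scr", ".exe"}  # assumed list

def check_attachment(filename, payload):
    """Return a list of reasons this attachment looks disguised."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)      # e.g. ["resume", "pdf", "js"]
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    if final_ext in SCRIPT_EXTS:
        reasons.append(f"script/executable extension {final_ext}")
        if len(parts) == 3 and parts[1] == "pdf":
            reasons.append("double extension hides real type behind .pdf")
    # Genuine PDFs carry the %PDF- marker at (or very near) the start of the file.
    if final_ext == ".pdf" and b"%PDF-" not in payload[:1024]:
        reasons.append("named .pdf but content lacks %PDF- header")
    return reasons

def scan_message(raw):
    """Map each suspicious attachment file name to its list of reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = check_attachment(name, part.get_payload(decode=True) or b"")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed test message: two disguised files and one genuine PDF stub."""
    msg = EmailMessage()
    msg["From"] = "applicant@example.com"
    msg["To"] = "hr@example.edu"
    msg["Subject"] = "My resume"
    msg.set_content("Please see my attached resume.")
    for name, data in [("resume.pdf.js", b"var placeholder = 1;"),
                       ("cv.pdf", b"var placeholder = 1;"),
                       ("transcript.pdf", b"%PDF-1.4\n%%EOF\n")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(f"{name}: {'; '.join(why)}")
```
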
 
Limiting administrator privileges on user accounts is one way to prevent bad scripts from being allowed to run. However, this step should be combined with the most effective method of surviving such attacks: education. Provide some training on how to recognize attacks and how to deal with them, and this will result in much better protection than most technical solutions, and at a much lower price. Instilling in your users that they have a huge role to play in the security of your systems will be worth all the effort you exert. Following are some general guidelines that all users should be familiar with:

Emails:
- If you receive suspicious emails – do not risk your personal information by opening or responding to the message
- Do not open attachments, images, or click on links from unknown senders
- Do not respond to, or allow remote connection to your system from individuals or groups claiming to be software vendors or support staff
- Be cautious of any emails requesting you to update your account information, verify your identity, or activate your banking online
- Report suspicious emails
- Do not forward any suspicious emails
 
Phone:
- Scammers may try to trick you (a.k.a. social engineering) to perform actions or disclose confidential information
- Know that criminals may have the ability to spoof their caller-ID and appear to initiate from a legitimate source
- Know that criminals may already have researched company information and have your name and other supportive details to sound legitimate
- You should not give out any personal or corporate sensitive information to unknown individuals
- You should not give out any confidential, account or credit card information over the phone to unknown individuals
- Verify the caller - do not give out information a known caller should already have3
 
A great resource is the Cyberheist newsletter provided by the company KnowBe4, which can be subscribed to here: http://www.knowbe4.com/cyberheist-news/ This newsletter will update you on the latest attacks making the rounds and provide some practical information on preparing to survive them. Of course, they also provide additional services to assist in education campaigns or enhancing email security.
 
So, as you begin another school year, take the time to review some basic email security tactics with your colleagues and students. The time is very likely to come when you will be glad you did.
 
Footnotes:
 
1 CBC News (2015, July 17) Spam email down below 50%, 1st time in a decade. Retrieved from http://www.cbc.ca/news/technology/spam-email-down-below-50-1st-time-in-a-decade-1.3156850
 
2 dotTech (2014, May 6) Symantec admits anti-virus software is no longer effective at stopping virus attacks. Retrieved from http://dottech.org/157355/symantec-admits-anti-virus-software-is-no-longer-effective-at-stoping-virus-attacks/
 
3 Provided with permission of Scott Cohen, member SANS Advisory Board.
 
Some additional resources:
 
SANS OUCH Newsletter:  SANS is the recognized leader in security awareness training and monitoring of the security landscape.  This newsletter deals with overall security but often includes email related material as well.  http://www.securingthehuman.org/resources/newsletters/ouch/2015
 
TechRepublic is another more general technology site that provides great resources, including this one on email security tips:  http://www.techrepublic.com/blog/10-things/10-essential-e-mail-security-measures/
 
McAfee, Symantec, Sophos, Kaspersky and many other antivirus software vendors have great information available on their web sites.