Is Email the Achilles' Heel of Cybersecurity?

:: Steven R. Russo, CertainSafe ::

Rarely a day goes by without a new announcement of yet another data breach at a well-known company.

Regardless of how many outer layers of protection are in place, stories of hacking continue to be prevalent. The exposure of sensitive data can result in punitive actions from regulatory agencies in addition to loss of reputation for a firm, or even destroying an entity's ability to continue operating. One overlooked area for data security is the same tool virtually every businessperson uses multiple times on a daily basis: email. According to a report by The Radicati Group, in 2013 there were over 100 billion emails sent and received per day for business purposes.

Despite many predictions of its demise, email has continued to be the original killer app due to its ease of use and high connectability. Email's ability to survive in an age where social media and instant messaging programs abound is a testament to its hardiness. However, protecting and securing sensitive information that travels through emails is a complicated challenge.

By default email is not encrypted as it travels across networks and maneuvers its way through the Internet. Being "open" in nature means anyone could potentially read or alter the contents of an email before it arrives to its destination or while in transit. "End-to-end" encrypting of emails has been introduced and widely adopted into the business marketplace. 

In today's world, email protection is an essential component of most brands' security landscape. The choice is not whether email protection services should be implemented but rather what is the best methodology and how to implement them.

Utilizing end-to-end encryption is similar to writing your mail in a special code that is only known to the sender and the receiving party. While end-to-end encryption provides a layer of security for data in transit, making the actual transmission of sensitive data more secure, it does absolutely nothing to protect the "data at rest." Extensive vulnerabilities exist today because people were led to understand that they had deployed the necessary safeguards to protect emails. This is where the vulnerabilities due to lack of understanding occur. 

Simply using end-to-end encryption exposes the user to "Trojan Horses," and it only protects data in transit. Data communication containing sensitive information must be secured not only while in transit but at rest as well. 

When an email is transmitted, an unsecured openly accessible duplicate copy of that communication is immediately stored within the "Sent" folder in the email program on the local device. For enterprise accounts (which most corporate accounts are), copies of this same information is simultaneously duplicated not only within their devices, but also in the cloud. Although appearing safe at first glance, a deeper inspection indicates exposures of potential threats.

For starters, few Microsoft Outlook users open and close their program more than once per day, some not closing it at all. When Outlook is left open, nothing is protecting the files left for months and sometimes years at a time in a user's "Sent" folder. Cybersecurity best practices need to address this potential treasure trove of confidential information that is ripe for the taking.

Additionally, tens if not hundreds of thousands of individual devices contain various forms of malware that will allow an outside threat access to that device. In today's mobile age, many users are permitted to physically remove their device from the network and take it to a remote location, including laptops, tablets and smartphones. During these times the protection afforded by a network does not exist, making security of mobile devices more critical than ever before.

These devices now become even more vulnerable to external exploitation in a variety of ways:

- "Pineapple" device: Can be purchased for less than $100, quickly and easily. Also known as the "Jasager," the Pineapple is Linux-powered and runs the open-source Karma Wi-Fi attack program. Within seconds, access to a vast majority of Wi-Fi devices can be obtained. While there are some defenses, very few users deploy them. WIPS (Wireless Intrusion Prevention System) defenses are the most common; however, very few make use of them. "Already-connected" devices are not safe either, given how a de-authentication attack can be conducted to first disassociate them from the legitimate AP. Today with Pineapple, an absolute amateur hacker can buy a piece of hardware that allows them to become a proficient hacker without ever downloading or installing any software. 

- "Evil Twin": A comprehensive wireless version of the "phishing" scam; an attacker fools wireless users into connecting their laptop or mobile phone by posing as a legitimate access point (such as a hotspot provider). When a victim connects to the Evil Twin, the hacker can listen in on all Internet traffic, grab email sitting at rest or request credit card information in a standard pay-for-access deal. Simple tools for setting up an evil twin are easily available (e.g., Karma and Hotspotter). 

Knowing where vulnerabilities lie is half the battle in shoring up weak spots. The time and cost to prevent common cyberattacks is well worth the potential downside of being a victim of a mass data breach.  

Steven R. Russo is Executive Vice President of CertainSafe, an award-winning developer of ultra-secure file sharing and messaging platforms. CertainSafe has developed a new method to secure sensitive data at the Micro level using the long-established tokenization process. This newest technology is changing the way businesses and governments are managing security.