This is part two in a series of articles looking at the STRIDE Threat Model to identify and mitigate the threats and risks posed to email security.
In this article we look at Tampering. If you missed Part 1, you can find the article here.
Tampering (the Threat)
Tampering can refer to a form of sabotage, but the term is often used to mean the intentional modification of data, in this case email. If a cyber criminal can infiltrate an email system and tamper with the information it carries, the consequences can be severe.
Integrity (the Property)
Email integrity is about ensuring that the receiver of an email knows the message has not been altered after leaving the sender's control.
Business Email Compromise (BEC)
By compromising company email accounts, a cyber criminal can establish who has the credentials and authority to initiate payments (or wire transfers), and who has the power to request them. Attackers then often impersonate a senior executive (a CEO, for example) to initiate payments or to gain access to critical and sensitive information that can be used for identity theft.
BEC attacks rely heavily on social engineering tactics to trick unsuspecting employees and senior executives.
Countermeasures - Technical Controls
There are a number of technical controls that can be implemented to prevent email tampering and validate email integrity:
Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) - these help address email integrity issues and were covered in more detail in Part 1.
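To make the integrity property described above concrete, here is an added example (not code from the original article or from any DKIM library) showing the shape of a DKIM check: the body is canonicalized and hashed into bh=, the selected headers plus bh= are signed into b=, and a verifier recomputes both. It assumes a hypothetical shared HMAC key so that it runs with the standard library only; real DKIM signs with an RSA or Ed25519 private key whose public half is published in DNS. The sample message, headers and the tampered variants are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import re

# Hypothetical signing key for this demonstration only. Real DKIM signs with an
# RSA or Ed25519 private key and publishes the public key in DNS; HMAC with a
# shared secret is used here so the example runs with the standard library.
DEMO_KEY = b"constructed-demo-key-not-for-use"
SIGNED_HEADERS = ["From", "To", "Subject", "Date"]


def canonicalize_body(body: str) -> str:
    """DKIM 'relaxed' body canonicalization: collapse runs of spaces/tabs,
    drop trailing whitespace on each line and trailing empty lines, CRLF ends."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def canonicalize_headers(headers, names) -> str:
    """DKIM 'relaxed' header canonicalization for the listed header names:
    lowercase the name, unfold, collapse whitespace, trim the value."""
    out = []
    for name in names:
        for h_name, value in headers:
            if h_name.lower() == name.lower():
                value = re.sub(r"\s+", " ", value).strip()
                out.append(f"{name.lower()}:{value}\r\n")
                break
    return "".join(out)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def sign(headers, body):
    """Produce DKIM-style fields: bh= (body hash), h= (signed headers), b= (signature)."""
    bh = _b64(hashlib.sha256(canonicalize_body(body).encode()).digest())
    signed = canonicalize_headers(headers, SIGNED_HEADERS) + f"bh={bh}"
    b = _b64(hmac.new(DEMO_KEY, signed.encode(), hashlib.sha256).digest())
    return {"h": ":".join(SIGNED_HEADERS), "bh": bh, "b": b}


def verify(headers, body, sig):
    """Recompute both hashes and report which part of the message was altered."""
    bh = _b64(hashlib.sha256(canonicalize_body(body).encode()).digest())
    if not hmac.compare_digest(bh, sig["bh"]):
        return (False, "body hash mismatch")
    signed = canonicalize_headers(headers, sig["h"].split(":")) + f"bh={bh}"
    b = _b64(hmac.new(DEMO_KEY, signed.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(b, sig["b"]):
        return (False, "header signature mismatch")
    return (True, "ok")


# Constructed sample message resembling a payment instruction.
HEADERS = [("From", "Finance Director <fd@example.com>"),
           ("To", "accounts@example.com"),
           ("Subject", "Supplier payment"),
           ("Date", "Mon, 4 Mar 2024 09:00:00 +0000")]
BODY = "Hi,\nPlease pay invoice 1042: GBP 4,800 to sort code 00-00-00 acct 12345678.\nThanks\n"
# Constructed tampering: the account number in the body is changed.
TAMPERED_BODY = BODY.replace("acct 12345678", "acct 87654321")
# Constructed tampering: a signed header (From) is changed.
TAMPERED_HEADERS = [("From", "Finance Director <fd@example-co.com>")] + HEADERS[1:]
# Whitespace changes of the kind mail relays make are tolerated by relaxed canonicalization.
REWRAPPED_BODY = BODY.replace("Please pay", "Please  pay").replace("Thanks\n", "Thanks   \n\n")

if __name__ == "__main__":
    sig = sign(HEADERS, BODY)
    for label, h, b in [("original", HEADERS, BODY), ("tampered body", HEADERS, TAMPERED_BODY),
                        ("tampered From", TAMPERED_HEADERS, BODY), ("re-wrapped", HEADERS, REWRAPPED_BODY)]:
        print(f"{label:14s} -> {verify(h, b, sig)}")
```

Two points worth noticing: a change to a header that is not listed in h= would not be detected, which is why the From, Subject and Date headers are normally included in the signed set, and the relaxed canonicalization deliberately ignores whitespace so that legitimate relays do not break the signature while a changed account number still does.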
A Secure Email Gateway that enables recipients to use multi-factor authentication (MFA) when accessing messages will provide the highest level of confidentiality, security and integrity across the email message life cycle. It will also provide email encryption capabilities to safeguard the contents of email.
Countermeasures - Administrative Controls
Security Awareness Training - BEC attacks often contain no malicious links or attachments and can evade traditional solutions. Employee security training and awareness can help organisations identify this type of activity.
Access Control - ensure that mechanisms and policies around roles and privileges are defined and in place.
Monitoring and Auditing - reviewing audit logs and monitoring for signs that email accounts may have been compromised is a useful detective control.
Indicators to look for include:
Password Changes
Unexpected password reset emails
Unusual or strange emails in sent folders
Contacts in your address book contacting you about emails you have sent
Logins / access from unusual or new devices
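As an added example of turning the indicators above into a detective control (this is illustration code, not part of the original article and not tied to any particular mail platform), the script below runs over a constructed audit log and flags logins from devices outside a user's known-device baseline, password changes or reset requests (rated higher when they follow an unknown-device login), and mail sent from an unknown device, which is the cue to review the Sent folder. The log format, field names, device baseline and time window are all assumptions for the demonstration.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical one-JSON-object-per-line
# format; real mail platforms export different field names.
AUDIT_LOG = """\
{"ts":"2024-03-04T08:02:11Z","user":"cfo@example.com","event":"Login","device":"dev-laptop-17","ip":"203.0.113.10"}
{"ts":"2024-03-04T08:05:40Z","user":"cfo@example.com","event":"Login","device":"dev-phone-04","ip":"203.0.113.10"}
{"ts":"2024-03-04T22:41:03Z","user":"cfo@example.com","event":"Login","device":"unknown-android-9f3","ip":"198.51.100.77"}
{"ts":"2024-03-04T22:43:19Z","user":"cfo@example.com","event":"PasswordChanged","device":"unknown-android-9f3","ip":"198.51.100.77"}
{"ts":"2024-03-04T22:50:02Z","user":"cfo@example.com","event":"MessageSent","device":"unknown-android-9f3","ip":"198.51.100.77","to":"payments@example.com"}
{"ts":"2024-03-05T09:10:00Z","user":"ap@example.com","event":"Login","device":"dev-laptop-22","ip":"203.0.113.12"}
{"ts":"2024-03-05T09:12:30Z","user":"ap@example.com","event":"PasswordResetRequested","device":"dev-laptop-22","ip":"203.0.113.12"}
"""

# Hypothetical baseline of devices each user has previously signed in from;
# in practice this is built from a window of historical login records.
KNOWN_DEVICES = {
    "cfo@example.com": {"dev-laptop-17", "dev-phone-04"},
    "ap@example.com": {"dev-laptop-22"},
}


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _finding(user, severity, indicator, device):
    return {"user": user, "severity": severity, "indicator": indicator, "device": device}


def find_indicators(events, known_devices, window=timedelta(hours=1)):
    """Return one finding per indicator: new-device logins, credential
    changes (high if within `window` of a new-device login, low otherwise),
    and mail sent from a new device."""
    findings = []
    last_new_login = {}  # user -> time of most recent unknown-device login
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        user, device, event = e["user"], e["device"], e["event"]
        new_device = device not in known_devices.get(user, set())
        if event == "Login":
            if new_device:
                last_new_login[user] = ts
                findings.append(_finding(user, "medium", "login from unknown device", device))
        elif event in ("PasswordChanged", "PasswordResetRequested"):
            recent = last_new_login.get(user)
            if new_device or (recent is not None and ts - recent <= window):
                findings.append(_finding(user, "high", f"{event} following unknown-device login", device))
            else:
                # Still listed: the page treats any password change/reset as worth confirming.
                findings.append(_finding(user, "low", f"{event} from known device; confirm with user", device))
        elif event == "MessageSent" and new_device:
            findings.append(_finding(user, "high", "mail sent from unknown device; review Sent folder", device))
    return findings


def summarise(findings):
    """Highest severity per user, so a triage queue can be ordered."""
    rank = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for f in findings:
        if f["user"] not in worst or rank[f["severity"]] > rank[worst[f["user"]]]:
            worst[f["user"]] = f["severity"]
    return worst


if __name__ == "__main__":
    results = find_indicators(parse_log(AUDIT_LOG), KNOWN_DEVICES)
    for f in results:
        print(f"[{f['severity']:6s}] {f['user']}: {f['indicator']} ({f['device']})")
    print(summarise(results))
```

The ordering matters: a password change on its own is routine, so it is rated low and left for the user to confirm, while the same event minutes after a login from a device the user has never used is the pattern that should be escalated and the account's recent Sent items reviewed.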
More Information
If you would like more information or would like StarSwift Information Security to support you with the implementation of Email Security or Security Awareness Training, please do not hesitate to get in touch.
Please contact us for more information.