Like many security folks, I always grab and read the Verizon Data Breach Investigations Report when it comes out, looking for trends and themes. One of the things that struck me this year is that email remains a broad attack surface. At the same time, my own conversations with security teams have surfaced a troubling anti-pattern: unmanaged devices, especially mobile and BYOD, are tolerated because users ‘only get email’ on them. Combine the two, and it’s an attack vector in waiting.
Email is a broad theme across sections of the report: it’s the most common entry point for malware; phishing (almost always via email) is the top social action in a breach; data gets sent to the wrong people; accounts are attacked either to gain access to email or by using email; and fraud is perpetrated by man-in-the-middle attacks in payment email chains, among others. Part of the threat is that email is the most common channel for resetting passwords, which bypasses most MFA systems. Attackers know this, and deliberately force a fallback to that method. If they get access to your email account, they really do have the keys to the kingdom.
At the same time, there’s growing demand from employees to allow BYOD, especially on mobile devices. Coupled with financial pressure to reduce corporate assets, a highly mobile and remote workforce, and a blurring of traditional office hours, access to email is happening on a growing number of endpoints. Most BYOD devices are mobile, and mobile platforms are a mixed bag in terms of built-in security, ranging from Apple’s hardened iOS environment and walled garden at one end to cheap offshore Android phones that come with free pre-installed malware at the other. Validating email on mobile, as the report notes, is extremely difficult (ever try to view the raw headers on an iPhone?).
On the laptop side, allowing access to corporate email or systems isn’t as widespread, but it still happens fairly frequently. Even though it’s easier to validate email contents, it’s still not perfect. One company I work with had a C-level executive’s credentials stolen…by phishing his children, who clicked the link and installed malware on the personal machine, which then captured the executive’s credentials when he logged into the corporate system.
As an aside on personal email accounts, remember that free email accounts, beyond the you’re-the-product privacy implications, can be very difficult to recover if they are compromised. A paid service, like Exchange Online, lets you have a separate administrator account which you can use to disable and recover control over your email account. Of course, you’ll also have access to actual people to help. The services are cheaper than a latte, and worth every penny.
For both corporate and personal email, our risk models need to change: email is a major threat vector that provides a foothold for credential compromise, account takeover, and malware installation, and we need to assess risk in that overall context, not just the risk of data leakage.
Put more simply, the idea that we don’t need to manage endpoints that only get email is misguided; we especially need to manage them if they have email access.