Email Security

Spam Filter

A spam filter is a piece of software that scans incoming emails to see if they have telltale signs of spam or malicious emails and prevents them from being delivered to employee mailboxes so that they don't fill up with junk or dangerous messages. This is a basic but core security control when considering emails, and whilst some emails will get through, this provides a frontline defense reducing the work for security analysts and other security technologies.

Data Loss Prevention

Data loss prevention (DLP) or data leak prevention is a security control that works to prevent sensitive business or personal information from leaving the organization in an unauthorized manner. This data can be categorized as files, banking information, account credentials, or PII; for the purpose of this module, we are focusing on the application of DLP technologies to email communication (we’ll cover the other applications of DLP later in the course). Depending on the DLP solution in use, it can monitor outgoing emails at different levels, such as:

• email body content

• email headers

• email attachments of various types

If the DLP solution deems important information is about to be sent out of the organization, these emails will not make it past the email gateway and will not be sent. Emails can be scanned for specific keywords or use regex queries to flag messages containing certain content. If a disgruntled employee wants to send business-critical information to a rival organization before they are fired, they could attempt to send documents outside the organization by email - DLP would detect this, alert the security team, and prevent the email from being sent.

Email Scanning

Typically phishing emails will contain either a malicious URL or a malicious attachment (or both), and specially designed scanners will read the email header and body, and work to identify malicious indicators either using patterns or signatures, or blacklists that include lists of known malicious email senders, file hashes, and domain names. When a suspicious email has been detected it can be quarantined so it's not delivered to an employee mailbox, and an alert is generated to inform the security team to investigate.

Security Awareness Training

Security awareness training should be a mandatory program that new employees must complete, as well as be completed routinely by all employees, with time frames often dictated under different compliance frameworks (which we cover in a lesson under the Management Principles section within this domain). While this will focus on all different areas of security, phishing should play a large role in this. Employees need to be told clearly how to spot suspicious or malicious indicators, and what steps the organization wants them to take, such as messaging or ringing the security team to alert them, or forwarding emails to a specific mailbox. Emails will get through technical controls, so it is crucial that employees who receive them know what to do, and don't click on any links or run any attachments. Security awareness training can also be paired with simulated phishing campaigns conducted by the security team, to highlight metrics such as the number of employees that have reported the email to security and employees that have clicked on the (harmless) malicious link.