Communicate securely by e-mail
E-mail security – E-mails are often the most important means of communication not only for companies, but now also for authorities, associations and private individuals. However, they are also the most important way of ingescation for malware. Corporate and government networks in particular urgently need to be protected from ransomware, virus-contaminated attachments, phishing and spam.
Basics of email security
An essential basis is the know-how of administrators: they need to know how to secure mail transmissions on their network. This includes not transmitting the mails unencrypted. In addition, it is important to prevent criminal malware by means of adequate virus and spam protection. Last but not least, employees need to be trained sufficiently to detect phishing links. In the case of company servers, virus scanners should be placed centrally on these and additionally on the clients. The Internet gateway is also suitable for centralized virus and spam protection. Spam protection must be considered separately from malware protection. Spam is always annoying, but rarely harmful. Nevertheless, they stop the work, and they may be a gateway to malware, disguised as “just annoying” advertising. Dealing with unsolicited mail is difficult: some advertising offers may be useful after all, which is why it would surely be wrong to immediately mark any advertisement as spam and thus block the sender for the future. Administrators must therefore define exactly which mails are delivered without further ado, which are marked, which are blocked and which are also quarantined due to possible dangers.
Client-based antivirus and anti-spam programs are considered essential in two cases:
- 1: The company has its own server, but wants an additional layer of protection on the workstations. Perhaps employees transport data to USB sticks or CD-ROMs and transfer it to their workstation, which poses a risk of contamination for the entire corporate network.
- 2: The company is already working with the cloud of an external provider. It has no influence on its server. It may be useful to protect your own computers, even if the provider of the cloud promises the highest level of security.
The BSI (Federal Office for Security in Information Technology) recommends additional client-based solutions for adequate security of e-mail traffic.
Email security – the biggest mistakes
There are many dozens of errors and misunderstandings about the security of emails. The BSI is constantly dealing with the phenomenon of these myths and currently lists them as follows:
Only a reputable email cannot do any harm. Malware can only be transmitted by opening an attachment. Unfortunately, that is wrong. Many e-mails are already sent in HTML format, in order to be able to design them in parts, for example, in colour and with different fonts or graphics. We have become accustomed to it and do not know that malware can be accommodated in the HTML source code. Their code is already executed on the recipient’s computer when the mail is opened. It works quite appendix. Spammers also like to use HTML mails. Your goal is to verify the validity of the recipient address. This is done via webbugs. Typically, these are invisible images that the spammer’s server detects opening. Such attacks can be prevented by disabling the possibility of a mail display in HTML format in the e-mail program. With a trusted sender, it can be reactivated because sometimes the mails are less readable when HTML is disabled.
You can reply to a spam e-mail calmly – preferably by following in this mail the link that should lead to the deletion of your own mail address from the sender’s mailing list. – Of course there are such links, of course there are also advertisers, who then really delete the mail address of the recipient from their mailing list. This is even legally required. But there are also highly dubious spammers who use this reaction of the recipient precisely to verify their mail address and subsequently bombard them with many more spam mails – of course from other senders. Therefore, the BSI recommends in its notes on the security of e-mails to delete spam mails in any case unopened and unread. As mentioned, they can be annoying, but they can still be harmless from the point of view of security. In many cases, it is unsolicited advertising, the advertised products and services can be sometimes dubious. In some cases, however, spam mails are also phishing emails and sometimes they are contaminated with malware. The boundaries between simply unsolicited advertising (even for reasonably reputable products), advertising for dubious products and criminal acts via spam are fluid. Therefore, the BSI recommends that you never open unsolicited e-mails, but delete them immediately. The fact that no one should open attachments of such mails has long been said. But also links in the mails should not follow, no matter what is promised with it (unsubscribe from the sender’s mailing list). As mentioned in #1, it may even be enough to simply open the mail to get malware onto the computer.
Who an e-mail comes from is easily recognizable by the sender. – Again, unfortunately, wrong, because senders can be forged by containing invisible characters or letters. This means that the sender really looks exactly like that of a known person, but the forger (mail sender) has smuggled in a tiny sign that is simply white and therefore not visible on most screens. It could be a point or even an accent aigu. The real sender may be called firstname.lastname@example.org, the wrong sender is called frank.múeller@gmail.com, the accent aigu is white above the u and therefore not visible on the desktop. Such tricks can be sifted through by allowing the recipient to view the source code in the email header. However, headers are also being falsified recently. Again, the BSI note remains valid: In case of doubt, such an e-mail should not be opened. Doubts could arise, for example, if the mail comes unexpectedly from this recipient for a variety of reasons and the subject line already seems strange.
Phishing emails I would recognize immediately. – Unfortunately wrong again. These emails, which entice a recipient to voluntarily disclose very important and secret information (passwords, PINs and TANs), are sent by deceptively real-looking supposed senders – including Paypal, eBay, Amazon or their own home bank. The news seems explosive. Thus, a serious damage is feigned, which should occur immediately if the user does not disclose his password, a PIN or TAN. Such messages trigger stress and time pressure. Users believe that they must now react quickly. This makes them take them by surprise and reveals this information. However, the fact remains that no reputable partner ever requires us to have a password, PIN or TAN.
3 E-mail Security Rules
The three basic rules for the security of e-mail are:
- Secure password
- Spam discipline
- Encrypt e-mail
Secure passwords are at least eight digits, better even ten to twelve digits, and contain upper and lowercase letters, numbers, and special characters. They have no semantic connection. This means that no years of birth, first names, terms, etc. appear in it. Such a password does not be easy to remember, but only in this way you get the necessary security. Spam discipline refers to the above notes: Do not open suspicious mails in the first place, but delete them immediately. An encryption program for your e-mails is considered absolutely essential as soon as you send sensitive information such as business data by e-mail. In some programs such as Outlook, the cryptographic encryption option is already included by certificate. There are also professional solutions that are considered to be even safer and cannot be cracked with normal technical methods. In principle, there is no absolutely secure encryption, but from a certain level the effort is simply too great for the criminals.
Check e-mail security
You can check if someone has cracked your password and hijacked your email account. Enter your e-mail address at haveibeenpwned.com or sec.hpi.de/ilc (Hasso-Plattner Institute). If you have been hacked, change your password immediately. If you use different passwords on multiple websites, as recommended, you may need to change them all. This is tedious, but unfortunately unavoidable, as the BSI also recommends.
Do you have questions or would you like an SAP System Demo?
We would be happy to advise you in a personal conversation.