One of the more common attacks we see is the compromise of an employee email account. Many institutions let employees reach their email remotely through Outlook Web Access (OWA) or mobile devices, but that same remote access becomes the vector for anyone who obtains the employee's credentials: the attacker can read every message in the mailbox and send fraudulent messages from it.
Institutions should carefully examine their email practices to determine what the impact would be if an email account were compromised. Below are some of the things to consider when assessing email practices:
- Content: The impact of an email compromise is determined in part by what content you allow employees to have present in email. If you strictly prohibit customer account numbers and other PII in email, the exposure of this information in an email compromise should be minimal. If employees regularly accept wire transfer orders via email, the exposure will be much higher. Be sure to define and enforce a clear email content policy, and to build your email controls based on the type of allowed content.
- Access: Outlook Web Access (OWA) and mobile device access provide the convenience of remote email for your employees, but they also open the door to an outside party who has obtained a password. Consider disabling OWA. If OWA is needed, add multi-factor authentication so that a stolen password alone is not enough to get in, and configure OWA to limit what it can do on devices you do not control. Also consider restricting mobile device access to devices enrolled in an MDM solution your institution controls. Finally, periodically review the devices that are paired with Exchange user accounts and confirm that every one of them is legitimate; a device nobody recognizes is a strong indicator of compromise.
- Retention: The less email an attacker can reach in a compromised account, the lower the impact. Consider limiting how much email an employee can keep in their mailbox. An email archive can be used to offload older messages, but make sure the archive is not reachable externally with the same credentials used for the mailbox; otherwise the archive simply extends the attacker's reach.
- Monitor Email Rules: Rather than risk repeated logins to a compromised mailbox, an attacker will often add an inbox rule that forwards incoming email to an account they control, then walk away. A periodic review of user inbox rules and mailbox forwarding settings will surface these rules so the institution can disable them. Alternatively, many email security tools continuously watch outbound mail and alert on unusual volumes, which is exactly what a forwarding rule produces.
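The device review from the "Access" item and the rule review from the "Monitor Email Rules" item are both Exchange administration tasks, so here is one added example that performs both. It is not code from the original post; it is an Exchange Online PowerShell script that exports the mobile devices paired with every user mailbox and then flags mailbox-level forwarding and inbox rules that send mail to a domain outside your own or that delete messages (a companion technique attackers use to hide replies from the real owner). It assumes the ExchangeOnlineManagement module is installed, that the account running it holds an Exchange admin role, and that the `$internalDomains` list and `$reportDir` path are placeholders you will replace.

```powershell
# Added example, not code from the original post: an Exchange Online
# PowerShell review that (1) lists the mobile devices paired with each
# mailbox and (2) flags inbox rules and mailbox-level forwarding that send
# mail outside the organization or silently delete it.
# Assumptions: the ExchangeOnlineManagement module is installed, the account
# running this holds an Exchange admin role, and $internalDomains and
# $reportDir below are placeholders to adapt.

Connect-ExchangeOnline    # interactive sign-in; MFA is enforced here if required

$internalDomains = @('example.com')          # assumed: your accepted domains
$reportDir       = 'C:\Reports\EmailReview'  # assumed output location
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Recipient values on inbox rules look like '"Name" [SMTP:user@domain]' or a
# bare address; extract the SMTP part and compare its domain to our own.
# Anything not in $internalDomains (including lookalike domains) is external.
function Test-ExternalRecipient {
    param([string]$Recipient)
    $addr = if ($Recipient -match 'SMTP:([^\]]+)\]') { $Matches[1] } else { $Recipient }
    $domain = ($addr -split '@')[-1].Trim().ToLower()
    return ($internalDomains -notcontains $domain)
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# ---- 1. Devices: every mobile pairing, with first and last sync times ----
# Review for devices nobody recognizes, devices first seen recently on a
# mailbox that rarely changes, and devices in a blocked/quarantined state.
$devices = foreach ($mbx in $mailboxes) {
    Get-MobileDeviceStatistics -Mailbox $mbx.Identity | ForEach-Object {
        [pscustomobject]@{
            Mailbox     = $mbx.PrimarySmtpAddress
            DeviceType  = $_.DeviceType
            DeviceModel = $_.DeviceModel
            DeviceId    = $_.DeviceId
            FirstSync   = $_.FirstSyncTime
            LastSync    = $_.LastSuccessSync
            AccessState = $_.DeviceAccessState
        }
    }
}
$devices | Export-Csv -NoTypeInformation -Path (Join-Path $reportDir 'devices.csv')

# ---- 2. Forwarding: mailbox-level forwarding plus per-user inbox rules ----
$findings = foreach ($mbx in $mailboxes) {
    # Forwarding set on the mailbox itself (admin setting or the OWA "Forwarding" option)
    if ($mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox  = $mbx.PrimarySmtpAddress
            Kind     = 'MailboxForwarding'
            RuleName = ''
            Enabled  = $true
            Targets  = "$($mbx.ForwardingSmtpAddress)"
            Deletes  = -not $mbx.DeliverToMailboxAndForward   # true if no local copy is kept
        }
    }
    # -IncludeHidden also returns rules an attacker has hidden from OWA/Outlook
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity -IncludeHidden) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                    Where-Object { $_ }
        $external = @($targets | Where-Object { Test-ExternalRecipient "$_" })
        # Flag external forwarding, and any rule that deletes mail outright
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Kind     = 'InboxRule'
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Targets  = ($external -join '; ')
                Deletes  = [bool]$rule.DeleteMessage
            }
        }
    }
}
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $reportDir 'forwarding.csv')
$findings | Format-Table -AutoSize

# To neutralize a confirmed malicious rule while preserving it as evidence:
#   Disable-InboxRule -Mailbox user@example.com -Identity 'RuleName' -Confirm:$false
Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule and diff the two CSV files against the previous run; a new external forwarding target or a new device on an existing mailbox is what you are looking for, not the full list. Disabling a rule rather than deleting it keeps the rule's name, targets and creation details available for the incident investigation. Separately, Exchange Online can refuse automatic forwarding to external domains at the tenant level (the outbound spam filter policy's automatic forwarding setting), which stops these rules from working even when one slips past the review.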
If email security is something you'd like to improve upon this year, we'd love to be the team that helps you make that happen. Just email us at support@bedelsecurity.com to get the conversation started and we'll get you headed in the right direction in no time.
If you found this information helpful, here are some other articles you might also find useful:
Is it time to rethink your email policy?