How to Send Secure, Encrypted Emails (and Attachments) (Part One)

Email is insecure.

If you want to learn why you should consider encryption to secure emails, you may want to know where the threat comes from, to begin with. Such an approach will allow you to get things ahead of the curve and define the solution that will help to keep your business email correspondence protected.

In this quick series on How to Send Secure, Encrypted Emails (and Attachments), we will:

• Define the issues and review known email vulnerabilities,
  (Part One).
• Explore the ways and learn methods on how to secure emails,
  (Part Two).
• Summarize findings and take a bit closer look at encryption algorithms of the StealthMail email security solution,
  (Part Three).

Designating the Issues 

The sooner we realize our email accounts and data within it have to be protected, the sooner we start looking for the solution to secure sensitive information we share across-the-board via email. 

But have you ever wondered what danger you put your company's confidential data at when sending an insecure email?

More Than Just a Communication Tool 

In terms of the ongoing communication and easy-to-use way of an exchange, Email is arguably the most reliable business partner for the majority of enterprises.

Hence, the role of email increases several times and becomes highly important when you cannot tell the identity of the sender’s mail address. This is especially true if you are dealing with sensitive information.

Though Email was invented to deliver messages and share big volume of attachments between communication parties, 

It couldn’t ensure data security.

And, unfortunately, it cannot today.

It is crucial for further understanding of how information is being transferred nowadays. And to better acknowledge the overall role email security plays in modern business correspondence, firstly let’s state the email issues.

The Most Outrageous Data Breaches

Although email security has been an issue from the moment SMTP protocol was designed in the distant 1982, the concerns about protection of confidential data have come into existence relatively recently.

And when they (concerns) erupted, many organizations had сlipped their wings.

The following are the examples of the most famous and outrageous data breaches.

Phishing

Sony Pictures Inc. was damaged from a phishing attack back in 2014. Several executives clicked the link in the email and were redirected to the web page that criminals controlled. Hackers gathered Sony’s executives’ credentials and were able to access Sony’s internal network. By doing this, fraudsters stole 100 terabytes of sensitive data, and $100 million along with them.

Spear phishing 

The network of Democratic Party was hacked. Spear-phishing email campaign targeted the private mail servers of Hillary Clinton and email accounts of individuals associated with the presidential campaign of hers back in 2016. After gaining access to accounts, hackers stole 50,000 history emails with sensitive details.

Business Email Compromise (BEC fraud)

In 2016, after the successful whaling attack on FACC Operations GmbH company (an Austrian manufacturer of spare parts for aircrafts), which cost FACC €50 million, the company had sacked both CFO and CEO. FACC fell victim to an email fraud, called Business Email Compromise attack (BEC), that aims on targeting high-level executives with forged emails asking for urgent payments.

Outdated and Unpatched Security System

In 2017, Equifax announced that its systems had been breached and the personal data of 148 million Americans had been compromised.
The data included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers.
The credit card numbers of approximately 209,000 consumers were also breached.

“Equifax did not see the data exfiltration because the device used to monitor [the vulnerable server’s] network traffic had been inactive for 19 months due to an expired security certificate.”

From the House Oversight Committee report

These types of cyberattacks continue to dwell in the high-risk industries, such as financial, real estate, insurance, and especially law and healthcare businesses, where lots of sensitive data is being sent unencrypted over the Public internet.

Email on Its Way to Potential Threat

An unsecure email is the email in which content is transferred in plain text. Such emails are stored on a one mail server and transferred to the others through open email relays. That means that email contents can be easily exfiltrated, intercepted, exposed, and modified.

There are the weak points where emails can potentially be compromised:

• Outbound device. The sender’s device. 
• Internet. Each time you send an email you make a connection to your email provider through an Internet Service Provider (ISP).
• Servers. The place where your emails are stored. 
• Internet. The recipient’s ISP.
• Inbound Device. The recipient’s device.

Every unsecured -not to mention unencrypted- email is a potential target for an attacker: it takes only one unprotected server to gain access to your confidential information.

Every link and every connection in this chain must be secured. No exceptions.

Vulnerabilities of SSL/TLS protocols 

Secure Sockets Layer is a protocol where two devices initiate an encrypted communication channel. In other words, the protocol secures email content in transit (at the same time the content itself isn’t encrypted.)

When SSL establishes a connection to a server (which supports SSL protocol), the browser requests an authentication certificate firstly. 

Once the certificate is verified, computers negotiate on an encryption method to be used before secure connection to happen. 

But SSL/TLS have drawbacks and aren’t completely safe:

• the SSL/TLS protocols require support on both ends, the sender’s and the recipient’s;
• the TLS doesn't help with non-repudiation;
• an email is stored on the mail systems in the unencrypted state;
• copies of sensitive data can be disclosed and left in plain text on the servers as emails have to be decrypted and re-encrypted every time they are transferred from one message agents to another.

Unfortunately, transport protocols aren't a solitary problem of unsecure email.

Key Factor of Unsecure Email

There are several attributes that determine secure email:

• the sender and the recipient are the only ones who should be able to read an email content;
• the recipient should be certain that the email actually came from the intended sender;
• email content and its attachments should be protected and controlled by the supervisory of the senders, so in case of suspicious third-party activities, they could delete, deny, or revoke access rights;
• recipients and senders are the ones who should be the owners of encryption keys, so they fully controlled their data.

Nevertheless, all those attributes are negated with a single but crucial factor that indicates traditional Email is insecure — absence of cryptographic processing. 

This is the end of part one of the three-part blog series. Please read part two and part three.

You might also be interested in:

• How To Encrypt Outlook Email: Send Secure Emails The Easy Way
• How To Stop Being Afraid Of Data Encryption And Start Using It As Your Advantage