Best practices for Minimizing Hacking of Email Systems

By Kevin Beaver

Although it’s not usually top of mind, people send a ton of good info via email that a hacker can use. Knowing this, you will want to ensure that your email systems are properly warded against hackers. The following countermeasures help keep messages as secure as possible to avoid an email hack.

Software solutions which combat email hacking

The right software can neutralize many threats against your email system:

  • Use antimalware software on the email server — better, the email gateway — to prevent malware from reaching email clients. Cloud-based email systems such as those offered by Google and Microsoft often have such protection built in. Using malware protection on your clients is a given.
  • Apply the latest operating system (OS) and email-server security patches consistently and after any security alerts are released.
  • Encrypt (where it’s reasonable to do so). You can go old-school and use S/MIME or PGP to encrypt sensitive messages, or use email encryption at the desktop level or the server or email gateway. Better (easier), you can use TLS via the POP3S, IMAPS, and SMTPS protocols. The best option may be to use an email security appliance or cloud service that supports the sending and receiving of encrypted emails via a web browser over HTTPS, such as G Suite and Office 365.

    Don’t depend on your users to encrypt messages. As with any other security policy or control, relying on users to make security decisions often ends poorly. Use an enterprise solution to encrypt messages automatically instead.

  • Make sure that encrypted files and emails can be protected against malware. Encryption doesn’t keep malware out of files or emails. You just have encrypted malware within the files or emails. Encryption keeps your server or gateway antimalware software from detecting the malware until it reaches the desktop.
  • Make it policy for users not to open emails or any attachments, especially those from unknown senders or untrusted sources, and create ongoing awareness sessions and other reminders.
  • Plan for users who ignore or forget about the policy of not opening unsolicited emails and attachments. This will happen! Certain software such as Microsoft Outlook and Windows SmartScreen can help alert users to the bad stuff.

Operating guidelines for minimizing email hacking in your organization

Some simple operating rules can keep your walls high and the hackers out of your email systems:

  • Put your email server behind a firewall on a different network segment from the Internet and from your internal LAN — ideally, in a demilitarized zone (DMZ). Or, use a mail gateway.
  • Harden by disabling unused protocols and services on your email server.
  • Run your email server and perform malware scanning on dedicated servers if possible (potentially even separating inbound and outbound messages). Doing so can keep malicious attacks out of other servers and information in the event that the email server is hacked. Look for solutions that test embedded links and provide safe links.
  • Log all transactions with the server in case you need to investigate malicious use. Be sure to monitor these logs as well! If you can’t justify monitoring, consider outsourcing this function to a managed security services provider.
  • If your server doesn’t need certain email services running (SMTP, POP3, and IMAP), disable them — immediately.
  • For web-based email, such as Microsoft’s Outlook Web Access (OWA), properly test and secure your web server application and operating system.
  • Require strong passwords. For stand-alone accounts as well as domain-level Exchange or similar accounts, any password weaknesses on the network will trickle over to email and be exploited by someone via Outlook Web Access or POP3.
  • Be sure to include your email server(s) in your vulnerability scanning and penetration testing efforts.
  • If you’re running sendmail — especially an older version — don’t. Consider running a secure alternative, such as Postfix or qmail.
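
To make the advice about logging and monitoring concrete, here is an added example (not code from the original article) that scans mail-server log lines for repeated failed logins from one client, the pattern you would expect when weak passwords are being guessed over SMTP, POP3, or IMAP. The log layout, the sample lines, the threshold and window values, and the function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed Postfix/Dovecot syslog layout (documentation IPs).
SAMPLE_LOG = """\
Mar 14 08:00:00 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10
Mar 14 09:15:01 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 14 09:15:09 mx1 postfix/smtpd[2101]: warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure
Mar 14 09:16:30 mx1 postfix/smtpd[2107]: warning: unknown[203.0.113.7]: SASL PLAIN authentication failed: authentication failure
Mar 14 09:18:11 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 14 09:19:40 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.7, lip=192.0.2.10
Mar 14 09:30:00 mx1 dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10
Mar 14 11:30:00 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10
"""

FAIL_PATTERNS = [  # one pattern per service; each captures the client address
    re.compile(r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL \S+ authentication failed"),
    re.compile(r"dovecot: (?:pop3|imap)-login: .*auth failed.*rip=(?P<ip>[0-9a-fA-F.:]+)"),
]
STAMP = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}")

def parse_failures(text, year=2024):
    """Return [(timestamp, client_ip)] for every failed-login line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        stamp = STAMP.match(line)
        hit = next((m for m in (p.search(line) for p in FAIL_PATTERNS) if m), None)
        if stamp and hit:
            when = datetime.strptime(f"{year} {stamp.group(0)}", "%Y %b %d %H:%M:%S")
            events.append((when, hit.group("ip")))
    return events

def flag_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak} for clients with at least `threshold` failures inside one window."""
    by_ip = defaultdict(list)
    for when, ip in parse_failures(text):
        by_ip[ip].append(when)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Counting failures per client across all mail services matters because a guesser can spread attempts over SMTP, POP3, and IMAP; the successful login in the sample is deliberately not counted.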