Decision Maker

Building a Culture of Security: You Still Allow E-Mail Attachments?

When it comes to enterprise security, you're not paranoid -- everyone is out to get you.

In last month's column, I wrote about the need for organizations of all sizes to start developing a "culture of security" where IT security must permeate and pervade everything you do. You need to assume attackers are targeting you -- because they are. You need to make sure every element of your environment takes security into consideration.

In fact, let's stop calling it security. Let's call it protection. One sign of an organization that absolutely does not care about protecting themselves, their users or their assets is an enterprise that still allows inbound e-mail attachments. I know, I know, the horror of not being able to conveniently receive a file from a customer or business partner! But admit it: E-mail has always been the easiest vector for the social engineering that leads to an attack. Users are conditioned to open e-mail attachments and at best they give only a passing consideration for the source. It's easy to spoof e-mail headers, and users are rarely sophisticated enough to dive into those headers and see if the e-mail looks legitimate.

The recent "Black Magic" exploit is a perfect example. A Windows Shortcut file -- an .LNK, that is -- shows up in an e-mail attachment and, when opened, kicks off a chain of scripts and downloads that gives a virus access to a user's Internet Explorer and Outlook data. The great viruses of yore, including "Melissa" and "ILoveYou," were vectored into organizations via e-mail attachments. They remain a threat. Ars Technica recently reported on the "Cryptowall" ransom malware that took an entire New Hampshire police department offline, all from a seemingly legitimate e-mail attachment.

When are we going to learn? The logic here is simple and straightforward: Your users are your weakest link. They simply lack the interest, time, and sophistication to protect themselves against these kinds of pervasive social engineering attacks, and they become willing, albeit unknowing, accomplices in major attacks. So you have to take the users out of the loop, at least insofar as e-mail attachments go. Users simply trust attachments too much. What's worse is that, as you start to rely more and more on cloud-based e-mail services, you lose specific control over incoming threats.

This absolutely does not mean you have to give up on exchanging files with internal users by means of e-mail, if that's what you want to do. It simply means that you need to strip all incoming attachments at the edge of your network. Scanning attachments is no longer enough: There are simply too many potentially dangerous file types, and too many ways to work around scanners' restrictions. But dropping e-mail attachments removes a critical piece of business functionality, right?

Wrong. Managed File Transfer (MFT) has been around for years, and solutions are available at a wide range of price points and functionality levels. At their simplest, they offer your external users a Web page where they can enter an employee e-mail address and "drop" files. Employees can receive a notification via e-mail, and can quickly access the files. CAPTCHA and other techniques help protect against robots, and many solutions offer easy ways to set up a database of allowed external users -- all without IT involvement, once the solution is set up. The nature of the systems makes it easier to scan and quarantine incoming files before notifying the recipient, and even if your e-mail has been outsourced, this is one piece you can hang on to.

There are other approaches and solutions, too, designed to meet a huge range of business requirements. If you're thinking, "No, only the exact capabilities of e-mail attachments will work for us," then it's because you haven't done your research into what's out there. These systems offer better tracking and auditing, too, often making them superior to attachments for organizations dealing with legal compliance.

And the bigger point is that, if you're going to have a culture of protection, you need to take a hard look at where other organizations are suffering, and take steps to make sure yours doesn't suffer in the same way. Waiting until it happens is no good.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author Evangelist for video training company Pluralsight. He’s the President of, and specializes in the Microsoft business technology platform. Follow Don on Twitter at @ConcentratedDon.


comments powered by Disqus

Subscribe on YouTube