Email is a widely used and necessary tool, even though alternative communication channels exist that can reduce its direct and indirect costs, chiefly the time each person must spend sorting the messages they receive into those that really matter and those of lower priority.
When e-mail was invented it was thought of as a "collaborative tool"; security was not considered an important requirement. The original characteristics of e-mail were:
- No authentication of the sender;
- No content confidentiality;
- No integrity check along the way;
- No protection against unwanted messages.
The SMTP protocol is one of the oldest on the Internet and is deliberately kept simple, which results in the following weaknesses:
- The identifying information that the sending server passes to the receiving server (the HELO/EHLO name, the envelope sender in MAIL FROM and the From: header) is not verified and can be falsified;
- Plain SMTP traffic is unencrypted, so a message can be read or altered in transit by anyone positioned between the servers (man-in-the-middle, MITM);
- Because the protocol is store-and-forward, a message is not merely routed as packets but written in full to the disk of every mail server (relay) it passes through on the way to the recipient's mailbox, and each of those servers can read or retain a copy;
- Nor can it be excluded that packets are intercepted directly on the data cables and other links they travel over.
Solutions to the issues above:
- Client-side solutions to the lack of encryption and sender authentication are Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP), which sign and encrypt the message body end to end so that intermediate relays see only ciphertext (headers such as Subject, From and To still travel in clear);
- Require TLS for SMTP connections. Secure Sockets Layer (SSL) is obsolete and should be disabled; the STARTTLS verb, part of the Extended SMTP (ESMTP) command set, lets an SMTP client and server upgrade a plaintext connection to Transport Layer Security (TLS). Note that STARTTLS is opportunistic: an attacker on the path can strip the STARTTLS capability from the server's EHLO response and force a plaintext session, so the sending side should require TLS for domains that publish an MTA-STS policy (RFC 8461) or DANE TLSA records (RFC 7672);
- Sender authentication mechanisms such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) let the receiving server check whether a message really comes from the domain it claims: SPF publishes in DNS which IP addresses may send mail for a domain, DKIM adds a cryptographic signature over selected headers and the body, and DMARC ties both checks to the visible From: domain and tells receivers what to do (none, quarantine, reject) when neither passes. They stop exact-domain spoofing; they do not stop phishing from a look-alike domain that the attacker controls and has configured correctly;
- Establish an etiquette for, and educate users in, the use of e-mail (training & awareness);
- Implement multi-factor authentication (MFA) on mailbox accounts, so that a phished or reused password alone is not enough to take over a mailbox.
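To make concrete what SPF and DMARC actually check on the receiving side, here is an added example written for this page (it is not code from the original page or from any mail software): a small evaluator in Python that runs offline against a constructed DNS zone. It supports only the SPF mechanisms that zone uses (ip4, ip6, include, all) and treats a DKIM signature as already verified, so it models the decision logic rather than replacing a real library such as pyspf or dkimpy. Every domain name, address and record in it is made up; the interesting case it shows is an attacker whose own domain passes SPF but who puts the victim's domain in the From: header, which DMARC alignment rejects.

```python
import ipaddress

# Constructed DNS zone for the example (not real records), keyed by (name, type).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("bulk.example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    ("attacker.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=reject; adkim=s; aspf=r"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone above."""
    return DNS.get((name, "TXT"), [])


def spf_record(domain):
    """RFC 7208: exactly one v=spf1 record is usable; none or several means no policy."""
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(client_ip, domain, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.

    Handles ip4, ip6, include and all; any other mechanism is reported as
    permerror instead of being guessed at.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = addr.version == network.version and addr in network
        elif mechanism == "include":
            # include: matches only if the referenced domain's own policy yields "pass"
            matched = check_spf(client_ip, argument, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                     # nothing matched and no "all" term present


def dmarc_policy(domain):
    """Parse the _dmarc.<domain> TXT record into a tag dictionary, or None."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if not records:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain):
    # Simplification for the example: last two labels. Real DMARC uses the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") the same organizational domain."""
    if mode == "s":
        return from_domain == authenticated_domain
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def dmarc_disposition(from_domain, mail_from_domain, client_ip, dkim_signing_domain=None):
    """Return "pass" or the From: domain's requested action (none/quarantine/reject).

    dkim_signing_domain is the d= domain of a DKIM signature the receiver has already
    verified cryptographically; signature verification itself is out of scope here.
    """
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none"                    # no DMARC record: nothing to enforce
    spf_aligned = (check_spf(client_ip, mail_from_domain) == "pass"
                   and aligned(from_domain, mail_from_domain, policy.get("aspf", "r")))
    dkim_aligned = (dkim_signing_domain is not None
                    and aligned(from_domain, dkim_signing_domain, policy.get("adkim", "r")))
    if spf_aligned or dkim_aligned:
        return "pass"
    return policy.get("p", "none")
```

Calling `dmarc_disposition("example.com", "attacker.example", "203.0.113.5")` returns "reject" even though `check_spf("203.0.113.5", "attacker.example")` is "pass": SPF only vouches for the envelope sender, and it is DMARC's alignment rule that binds the authenticated domain to the From: address the user actually sees. A sender on a subdomain (`bulk.example.com`) still passes under the relaxed `aspf=r` setting, while a DKIM signature from `news.example.com` does not satisfy the strict `adkim=s` the record requests.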
By the way, did you know that Sweden’s first e-mail was sent over the Internet to Enea in 1983? Yep, that’s cool.