" email security Archives - Page 2 of 6 - LuxSci

Posts Tagged ‘email security’

Preventing Email Forgery Part Two: DKIM

Tuesday, December 19th, 2023

In our next post in this series, we look at another way to prevent forged email: DKIM. By using encryption techniques and digital signatures, the sender’s servers can transparently “sign “a message so that you can verify the source and ensure the message has not been modified. DKIM works together with SPF to stop fraud and improve email security.

email alert warning

DKIM – Domain Keys Identified Mail: A Simple Explanation

DKIM stands for “Domain Keys Identified Mail.” Actually, the acronym can be further expanded to “Domain-wide validation Mail Identity through use of cryptographic Keys.” To understand DKIM, we need to pause and look at what we mean by “cryptographic keys” and how they can be used.

Cryptographic Keys

In security, there is a concept called symmetric encryption. Users pick a password and use a cipher to convert a regular (plaintext) message into an encrypted (ciphertext) message. Someone else who knows the password and cipher can reverse the process to get the regular message back in plaintext. 

Another prevalent but more complex concept is asymmetric encryption. Using this method, one can create a key pair or a combination of two keys. A message encrypted using Key One can only be decrypted with Key Two and vice versa. We typically call Key One our “private key” because we keep that safe and secret. Key Two is our “public key” and can be accessed by anyone.

What are the benefits of asymmetric encryption?

  1. Signatures: Anything encrypted using Key One can be decrypted by anyone. If they can decrypt it, that proves that you sent it. Only you have the private key, and thus, only you could have encrypted it in the first place.
  2. Encryption: Anyone can use your public key to encrypt a message that you can only open (using your private key).

How DKIM Works

DKIM uses asymmetric encryption for signing email messages. This validates the sender’s identity and ensures the message contents are not altered in transit. Below is a simple overview of how it works.

Message Sending:

  1. Make a Key Pair: The owners of the sender’s servers create a cryptographic key pair.
  2. Publish the Public Key: They publish the public key in the DNS records for their domain.
  3. Sign Messages: Using the private key, the sender’s servers look at selected message headers (including the sender’s name and address, the subject, and the message ID) and the message body, and they use a cryptographic “hash” function to make a unique fingerprint of this information. Any change to that data would change the fingerprint. This fingerprint hash is also encrypted using the private key. Then, it is added to the message as a new header called “DKIM-Signature.”

Message Receipt:

When you receive a message signed using DKIM, you know the purported sender, their IP address, and the additional DKIM-Signature. However, you cannot trust that the signature header is real or has not been tampered with. Fortunately, you do not have to trust it unquestioningly; DKIM allows you to verify it. Here is what happens on the recipient’s side:

  1. Receipt: The recipient’s inbound email server receives the message.
  2. Get the Signature: The encrypted DKIM fingerprint is detected and extracted from the message headers.
  3. Get the Key: The recipient’s server looks in the sender’s DNS settings to get the public DKIM encryption key.
  4. Decryption: The fingerprint is decrypted using the public key.
  5. Fingerprint Check: The recipient then uses the message body and the same headers as the sender to make another fingerprint. If the fingerprints match, the message has not been altered since it was sent.

As a result, you can verify the sender’s identity because:

  1. We know that the message has not been modified since it was sent. The sender’s name and address (among other things) are the same as when it was sent.
  2. We know the message was sent by a server authorized to send emails for the sender’s domain, as that server used the DKIM private key.

So, through encryption, we have a way to verify that the message was sent by a server authorized to send email from their domain, and thus, we have a solid reason to believe the sender’s identity. Furthermore, this validation does not rely on server IP addresses alone and thus does not share the weaknesses of SPF.

Setting up Domain Keys Identified Mail

It is up to the domain owner to configure their DNS settings for DKIM to be checked by the recipients. You must have access to the domain and the ability to update your DNS records to implement DKIM. 

DKIM is set up by adding unique entries to the published DNS settings for the domain. You can use a tool like this DKIM Generator to create your DKIM cryptographic keys and tell you what you should enter into DNS. Your email provider may have their own tools to assist with this process. The private key must be installed on their mail servers, and DKIM must be enabled. We recommend asking your email provider for assistance.

We will not spend time on the details of the configuration or setup here. Instead, we will look at the actual utility of DKIM, where it fails, and how attackers can get around it.

The Benefits of DKIM

Once DKIM has been set up and is used by your sending mail servers, it does a fantastic job with anti-fraud. It is more robust than SPF. It also helps ensure that messages have not been modified since they were sent. We can be sure who sent the message and what they saidwhile SPF does not provide any assurance that messages were unaltered.

DKIM is highly recommended for every domain owner and every email filtering system. However, as we shall see next, it’s not time to throw a party celebrating the end of fraudulent emails.

The Limitations of DKIM

While Domain Keys Identified Mail is significantly stronger than SPF on its own, it continues to have limitations in the battle against email fraud.

Identifying Email Sending Servers

To properly use DKIM, all servers that send emails for your domain must have it set up and have keys for your domain. This can be challenging to implement if you use vendors or have partners send emails on your behalf. If DKIM cannot be used, emails should be sent using a different domain or a subdomain so that the primary domain can be fully DKIM-enabled and its DNS can tell everyone that DKIM signatures must be present on all messages. You want to be strict with DKIM usage in a way that is hard to do with SPF.

If you cannot be strict, then DKIM allows you to be soft, which indicates that signatures may or may not be present. In such cases (like with SPF), the absence of a DKIM signature does not make a message invalid. However, if your DKIM setup is soft, it makes forgery simple. 

Inter-Domain Forgery

DKIM checks only the domain name and the server. If there are two different people in the same organization, Fred and Jane, either can send email legitimately from their @domain.com address using the servers they are authorized to use for domain.com email.

However, if Fred@domain.com uses his account to send a message forged from Jane@domain.com, the DKIM will check out as okay, even if DKIM is strict.

DKIM does not protect against inter-domain forgery at all. Note: using separate DKIM selectors and keys for each unique sender would resolve this problem (and the next one), but this is rarely done. 

Same Email Provider: Possible Shared Servers Forgery

If Fred@badguy.com and Jane@goodguy.com were using the same email service provider and servers, Jane’s goodguy.com domain would be set up with DKIM. The email provider’s servers are also set up to sign messages from @goodguy.com with appropriate DKIM signatures. What happens when Fred@badguy.com logs in to his account and sends a message pretending to be from Jane?

 The answer depends on the email provider:

  1. The provider could prevent Fred from sending emails purporting to be from anyone except himself. This would solve the problem immediately, but it is very restrictive, so many providers do not do this.
  2. The provider could associate DKIM keys to specific users or accounts (this is what LuxSci does). Fred’s messages would never be signed by valid the “goodguy.com” DKIM keys, no matter what. This also solves the problem.

However, if the provider’s servers are not restrictive in one of these (or a similar way), Fred’s forged email messages will be DKIM-signed with the goodguy.com signature and appear DKIM-valid.

Legitimate Message Modification

DKIM is very sensitive to message modification. DKIM signature checks will return invalid if even one character has been changed. This is generally good, but email filtering systems may break DKIM. They often read and “re-write” messages in transit where the actual message content is unchanged, but specific (MIME) metadata is replaced with new data. This breaks DKIM, and it can happen more frequently than expected.

Good spam filters check DKIM before modifying messages. Still, if you have multiple filtering systems scanning messages, the DKIM checks of later filters may be broken by the actions of earlier filters. 

DKIM does not protect against Spam

This is not a limitation of DKIM, but it’s worth noting anyway. All DKIM does is help you identify if a message is forged or altered. Most spammers are savvy. They use legitimate domain names and create valid DKIM records to look legitimate.

In truth, this does not make them look less spammy; it just says that the messages are not forged. Of course, if the spammer tries to get by your filters by forging the sender address to pretend that they are you or someone you know, then DKIM can help.

How Attackers Subvert DKIM

So, in the war of escalation where an attacker tries to get a forged email message into your inbox, what tricks do they use to get around sender identity validation by DKIM?

The protections afforded by DKIM are more significant than those provided by SPF. From an attacker’s perspective, it all comes down to what sender’s email address (and domain) they are forging. Can they pick an address to construct an email that will evade DKIM?

  1. If DKIM is not set up, it’s easy to forge the email. 
  2. If DKIM is set up as weak, the attacker can send a forged message with a missing DKIM signature, which will look legitimate.
  3. Suppose the attacker can send a message from one of the servers authorized by the DKIM for the domain. If that server does not care who initiated the message but will sign any messages going through it with the proper DKIM keys, then the message will look legitimate. If the attacker signs up with the same email provider used by the forged domain and that provider’s servers do not restrict DKIM key usage, they can send an email from the same servers and have their messages properly signed. This makes the attacker’s email look valid even if the forged domain’s DKIM records are strict.

 An attacker’s options are much more limited with DKIM. They can only send fraudulent messages from domains with no or weak DKIM support, send through non-restrictive shared email servers, steal the private key used by the sender’s DKIM, or compromise the email account of someone using the same email domain as the address that is to be faked.

The situation is better, but not perfect. Many organizations leave their DKIM configuration weak. They would rather take a chance on forged emails than have legitimate messages be missed due to accidental message modification or because they were sent from a server without DKIM.

We will see in our next post how one can use DMARC to combine the best features of DKIM and SPF to enhance forged email detection further and where the gaps that attackers use remain.

Read next: Preventing Email Forgery Part 3: DMARC

Send Secure Emails: Alternatives to Web Portals

Tuesday, December 5th, 2023

Digital technologies have entirely shifted how individuals want to interact with their healthcare providers. As consumers have become used to emailing or texting with their hairstylists, mechanics, and other providers to schedule appointments, they want to have the same level of interaction with their healthcare providers.

However, many healthcare organizations find it challenging to deliver the same experience because of their compliance requirements under HIPAA. They must balance usability and access with security and patient privacy. To send secure emails, they often resort to secure web portals. 

Problems with Secure Web Portals

One of the most common ways that healthcare organizations communicate securely with patients is by using the secure web portal method of email encryption. In this scenario, messages are sent to a secure web server, and a notification is sent to the recipient, who then logs into the portal to retrieve the message.

While highly secure, this method is not popular with recipients because of the friction it creates.

To maintain a high level of security, users must log in to a separate account to retrieve the message. This extra step creates a barrier, especially for individuals who are not tech-savvy. In addition to creating a new account, they must remember a different username and password to access their secure messages. If the recipient doesn’t have this information readily available, they will likely delete the message and move on with their day. Many users will never bother logging in because of the inconvenience. This creates issues for organizations that want to use email for standard business communications and patient engagement efforts. 

While this method may be appropriate for sending highly sensitive information like medical records, financial documents, and other valuable information, many emails that must meet compliance requirements only infer sensitive information and do not require such a high level of security. Flu shot reminder emails are not as sensitive or potentially devastating as sending the wrong medical file to someone. Healthcare organizations need to use secure email solutions that are flexible enough to send only the most sensitive emails to the portal and less sensitive emails using other methods.

How to Meet Compliance Requirements for Sending Secure Email

So, what other options do you have for sending secure emails? The answer will depend on what specific requirements you need to meet. Healthcare organizations that must abide by HIPAA regulations will find a lot of flexibility regarding the technologies they can use to protect ePHI in transit.

In addition to a secure web portal, three other types of encryption are suitable for email sending: TLS, PGP, and S/MIME. PGP and S/MIME are more secure than a web portal. They also require advanced technological skills and coordination with the end-user to implement, which makes them impractical for most business email sending.

That leaves us with TLS, which is suitable to meet most compliance standards (including HIPAA) and delivers an email experience much like that of a “regular” email.

Send Secure Emails with TLS Encryption

TLS encryption is an excellent option for secure email sending that provides a seamless experience for the recipient. Emails sent securely with TLS appear like regular, unencrypted emails in the recipient’s inbox.

TLS encrypts the message contents as they travel between mail servers to prevent interception and eavesdropping. Once the message reaches the inbox, it is unencrypted and can be read by anyone with access to the email account. For this reason, it is less secure than a portal but secure enough to meet compliance requirements like HIPAA.

If you’re wondering why this is, HIPAA only requires covered entities and business associates to protect PHI when it is stored on their systems or as it is transmitted elsewhere. After the message reaches the recipient, it is up to the recipient to decide what they want to do to secure the information. HIPAA does not apply to individuals. Each person is entitled to share and store their health information however they see fit.

Conclusion

Balancing security and usability is a significant challenge for healthcare organizations. If the message is too secure, it may be difficult for the recipient to open and engage with it. If it’s not secure enough, it is too easy for cybercriminals and other bad actors to intercept private information as it is sent across the internet. 

Choosing an email provider like LuxSci, which offers flexible email encryption options, allows users to choose the right level of encryption for each message to maximize engagement and improve health outcomes. Contact our team today to learn more about how we can support your efforts.

Understanding the HIPAA Requirements for Email Encryption

Tuesday, November 28th, 2023

If you are in the healthcare field, you may have wondered what HIPAA’s exact requirements are regarding email encryption. Understandably, not many people are willing to read the 115 pages of the simplified regulation text, so the question often goes unanswered.

The good news is that we have parsed them for you. We’ve trawled through the long and arduous document to identify the HIPAA regulations concerning email encryption. We also conducted some analysis to help you figure out just how your organization can comply with these requirements.

person composing email

What Does HIPAA Say About Email Encryption?

There are a few different segments of the HIPAA Security Rule that apply to email encryption. The first one we will discuss is section 164.306 Security Standards.

Security Standards for HIPAA Email Encryption

The general requirements state that covered entities and business associates must do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
  4. Ensure compliance with this subpart by its workforce.

Let’s unpack some of these terms to understand how they apply to your obligations under HIPAA.

  • Covered entity – As a simplification, a covered entity is any healthcare-related organization dealing with protected health data.
  • Business associate – A business associate (BA) is a person or organization with which a covered entity shares electronic protected health information (ePHI). This relationship is governed by a business associates agreement (BAA).
  • Electronic protected health information (ePHI) – This is basically any digital information that is both “individually identifying” and contains protected health information.” Individually identifying information includes names, contact details, social security numbers, and more. Protected health information relates to a patient’s health, treatments, or payments. Check out our article on ePHI for the specifics.

To summarize: Under the Security Rule, healthcare organizations and those dealing with their protected health information are obligated to protect that data. Encryption is just one way that data can be protected when stored or transmitted electronically, like through an email account.

HIPAA Technical Safeguards and Email Encryption

The next place to find information about email encryption is in section 164.312 Technical Safeguards. The rule states:

“Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.”

Notice how it says “addressable”? HIPAA has two different specifications regarding implementation, “required” and “addressable.” Required means that a particular mechanism must be in place for compliance.

On the other hand, addressable means that there is flexibility in the mechanisms that can be used. HIPAA is intentionally vague and technologically agnostic on purpose. This gives organizations the flexibility to develop the best security measures for their unique situation. It is not an excuse to be lax about security. Some addressable standards may not apply to an organization because of the structure or technologies used. Whether or not you need to meet the standard is a question for your legal and compliance teams. 

Does HIPAA Require Encryption and Decryption?

At this stage, you may assume that since encryption is an addressable standard, it’s optional, and you do not have to utilize it. This assumption is almost correct– nowhere in the HIPAA documentation does it specify that encryption and decryption must be used.

But unfortunately, things aren’t that simple. Let’s return to the Security Standards of section 164.306, where it states that covered entities and business associates must:

“Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”

This time, we’ve put different terms in bold. So, while HIPAA does not state that covered entities have to use encryption, it does say that they need to ensure the confidentiality of any ePHI that is created, received, maintained, or transmitted.

The big question is, “If you aren’t going to use encryption, what techniques will you use to guarantee confidentiality instead?” Will you put all electronic data on flash drives and lock them in metal boxes for storage and transit?

The text doesn’t say that you have to use encryption. Still, given the other requirements in the HIPAA documentation, encryption is the only reasonable solution if you want to communicate electronically about patients and their health conditions.

Is Email Encryption Required for HIPAA?

As stated above, HIPAA does not require the use of email encryption. However, if you plan to communicate PHI via email, you must take steps to secure that data. Without other suitable technologies, encryption is the easiest way to protect patient data in emails. 

So what can you do? The HIPAA text doesn’t include specific encryption requirements, so the documentation isn’t particularly helpful for organizations looking for ways to be compliant and secure. Thankfully, the National Institute of Standards and Technology (NIST), another government agency, has released its own guidelines for email and how to keep it secure.

The guide is extensive, but some of the key takeaways are:

  • Appropriate authentication and access control measures need to be in place.
  • TLS should be used to connect to the email server.
  • Mechanisms such as PGP or S/MIME should be used to encrypt sensitive data (such as ePHI).

If you don’t feel like reading such an exhausting document, you can turn to a HIPAA compliance specialist like LuxSci instead. Our HIPAA-Compliant Email includes email encryption as well as other features to help your organization stay both secure and compliant.

What is a Secure Email Gateway?

Tuesday, October 24th, 2023

As threats to email security are increasing, organizations are looking for ways to enhance their security and reduce risk. One option is a secure email gateway. In this article, we review what secure email gateways are and how they can be used to secure sensitive data as it flows into and out of your accounts.

secure email sending button on keyboard

Protect Your Accounts With A Secure Email Gateway

Secure email gateways are an excellent way to strengthen the security of your email accounts without a costly switch to a new email provider. They layer on top of your existing email accounts to encrypt messages, scan for threats, and even capture messages for archival or backup purposes. They can also hide the sender’s IP address because messages are routed through another email infrastructure before delivery to the recipient. If you are concerned about increasing risks to sensitive data, secure email gateways offer a simple and effective way to enhance your email security.

How Do Secure Email Gateways Work?

When using a secure email gateway, your messages are routed to a separate server before being sent or received. When sending an outbound message with LuxSci’s Secure Connector, it is routed through our SecureLine encryption before being securely delivered to the recipient. A copy of the message may also be sent to an independent email archive to help meet compliance requirements for message retention.

 

LuxSci Secure Connector

 

For incoming messages, the gateway can employ email filtering technology to quarantine suspicious messages. These technologies can scan incoming messages and prevent spammers and scammers from reaching employee inboxes and wreaking havoc. Just like with outbound email sending, the gateway can also capture a copy of inbound messages and retain them in an independent message archive.

The exact features of a secure email gateway will vary from vendor to vendor, but these represent some of the core functions that these tools provide. Simply put, a secure email gateway protects both incoming and outgoing messages to ensure that sensitive data is guarded from threats.

Why Choose a Secure Gateway?

There are two main reasons to implement a secure email gateway: the security and compliance benefits and their ease of use. Let’s look at each.

Compliance and Security Benefits

Many companies, like healthcare organizations, must comply with regulations for protecting patient or customer data. Many organizations grapple with the best way to secure potentially sensitive communications without interfering with or slowing down critical business workflows. Because secure email gateways layer on top of existing email accounts, they offer a speedy way to bring your organization into compliance with data security and retention guidelines.

As email continues to be an important channel for essential business communications, all organizations can benefit from protecting their employee accounts and reducing their risk and liability.

Easy to Administer and Use

Another benefit of using a secure email gateway is that your organization does not need to switch your primary email provider to enhance its security. Changing to a more secure email provider can be extremely challenging, especially if you have a lot of users with a lot of data that needs to be migrated to a new system. Add on the training time, and some organizations will find that switching email providers is a significant burden on the organization.

Installing a secure email gateway is very easy for account administrators and often does not require additional training or implementation for email users. Employees can continue to use their regular Microsoft or Google email accounts and do not need to take additional steps to learn an entirely new email program. With 73% of breaches in the healthcare industry caused by human factors, implementing tools that don’t rely on employee decision-making is essential.

Learn More About LuxSci’s Secure Connector

LuxSci’s Secure Connector is unlike other secure email gateways in that it encrypts every email automatically to reduce the risk of breaches caused by human errors. LuxSci provides the flexibility to opt-in to more secure methods of encryption for highly sensitive messages. Email filtering and archival tools are also available to reduce risk and improve resilience in the case of a cyber incident. Contact our sales team to learn more about our email security tools.

AI Threats to Email Security

Tuesday, October 17th, 2023

Artificial intelligence is a buzzy topic in the tech industry right now. Many experts are looking to AI to help solve some of the complex challenges of our times. However, besides this technology’s helpful and practical applications, there are some concerns that AI can be used for malicious purposes. In this article, we review some of the top threats to email security posed by AI and what you can do to prevent them.

person using ai tool

AI Threats to Email Security

In general, the biggest threat artificial intelligence poses to email is the ability to easily scale and increase the effectiveness of existing threats. The power of AI can be used to craft more effective phishing and business email compromise attacks and potentially cost businesses billions of dollars. Let’s review how artificial intelligence can increase the success of these types of cyberattacks.

AI and Phishing Attacks

In today’s world, phishing emails are often easy to identify. They are typically launched by criminals outside of the United States and use poor grammar, contain misspellings, or are poorly formatted in other ways. As a result, they are straightforward for the average email user to avoid. Artificial intelligence can help correct some of these common errors and make it easier for cybercriminals to create more convincing emails. As a result, we could see more phishing attacks succeed, wreaking havoc on our online security.

Let’s look at an example. Say a hacker from Russia wants to launch a ransomware attack on an American hospital. To do so, they need an email recipient to click on a link in the email that will install malware on their computer, enabling the hacker to gain access to restricted systems. The hacker does not speak English but has been able to launch attacks on other systems using an email drafted to resemble a password reset. Previously, he may have taken this email, ran it through an online translator, and then hit send on the email, unaware of any typos or strange translations that made it into the text. With AI, he can craft a much stronger email that will fool a busy hospital administrator into clicking on the link.

Some AI text generators have taken steps to prevent people from entering prompts that directly ask for prewritten phishing emails. However, artificial intelligence makes it incredibly easy to translate text from other languages in a grammatically correct manner. Scammers can create unique messages at scale that are more likely to fool email recipients.

AI and Business Email Compromise

Business email compromise attacks are one of the most effective email security threats. Still, because of the time and research they take to deploy, they don’t garner as much attention as phishing and ransomware. Artificial intelligence can help speed up essential research about a target to craft business email compromise attacks.

Let’s take another example. Say an individual wants to steal from a major corporation. The attacker decides to impersonate a company vendor and fool them into routing payments to the attacker instead of the legitimate contact. Artificial intelligence can reduce the time it takes to identify potential targets and possible attack vectors. Cybercriminals can use AI prompts to identify profitable companies, locate lists of vendors, and even research individuals in the roles that are likely to interact with the target.

AI can also use prompts like “generate an email asking for payment on a business invoice” to create legitimate seeming business emails. Using these technologies lowers the barriers to executing a successful business email compromise attack, meaning that more cybercriminals will likely attempt them more frequently.

How to Prevent AI Email Attacks

The good news is that the introduction of AI technology has not changed how we fend off these attacks. The first place to start is with policy and training. Business email compromise thefts are easily thwarted by having policies and procedures in place to prevent unusual cash transfers to unauthorized individuals. Ensuring your staff knows the types of threats and raising awareness of the risks can help protect your business.

Secondly, you can implement email filtering technology to help protect your inboxes from emails sent from suspicious sources. Although scammers can craft persuasive messages, they can’t hide their origin. Organizations can use email filtering software to quarantine or stop suspicious messages from reaching employee inboxes. This technology can prevent email domains without SPF or DKIM records from passing through your inboxes, alleviating a common spam tactic.

Conclusion

The threats to email security posed by artificial intelligence are quite serious. Nevertheless, organizations can take steps to protect themselves by implementing the proper defenses. Contact LuxSci today to learn more about our advanced email filtering solutions.