Social engineering – How hackers get at your data without programming skills

Social engineering – How hackers get at your data without programming skills

“There’s no technology today that can’t be overcome through social engineering.” (Kevin Mitnick, former hacker and social engineering expert)

Even with the best technical security precautions, every company has a risk factor that is difficult to control: the human one. To get hold of important data or gain access, a hacker needs to understand not only computers but also people. What exactly is social engineering and how can you protect yourself? We will answer key questions about this in the article below.

What’s behind “social engineering”

Social engineering is all about manipulating individuals on an interpersonal level. It involves the hacker trying to gain their victim’s trust and persuade them to reveal confidential information, for example, or to share credit card details and passwords.

The method is not something that only occurs on the Internet, but a scam tactic that has been used for many decades. One of the best-known ploys is the “grandparent” scam, where a fraudster telephones an elderly person and passes themselves off as a relative in desperate need of money (German police program for crime prevention, 2017).

Criminals also regularly use social engineering for financial gain through online dating services. A seemingly young, attractive woman will contact a man who is obviously looking for a new partner. The imposter plays their single-woman-in-love role well enough to win the victim’s trust in a relatively short time. Then the criminal asks the victim to help them with money for something like visiting their “new partner” – after which they often cut off contact.

Social engineering attacks on companies

If social hacking works in the private sphere, then businesses are the next target up for criminals – chiefly because there are often higher sums of money up for grabs here. Hackers follow much the same approach as with private individuals, although obtaining the information needed for a professional attack takes significantly more time. This makes the following information especially relevant for cybercriminals:

  • Who is the head of the company (CEO) and which individuals are in leadership positions?
  • Who is authorized to make bank transfers?
  • When is the CEO on vacation or out of town for a work trip?
  • What business activities are currently happening?

Hackers will usually target an employee who is authorized to carry out financial transactions, sending them an urgent message from a fake email address that looks like it has come from the boss.

Examples of Social Engineering:

Due to the apparent urgency of the request, the email recipient then finds themselves rushing to follow their superior’s instructions without asking any significant questions. Once the data has been sent, the cybercriminal goes straight to work or money is transferred directly to the social hacker’s account. In 2016, large enterprises like Austrian aeronautics supplier FACC and Nuremberg-based cable manufacturer Leoni learned hard financial lessons about this modus operandi when they suffered losses of several million euros.

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

But be warned – CEOs and people in accounting are not the only ones who are vulnerable:

“Hey,
Felix from IT here. I’ve noticed a couple of irregularities with your account on our system. Can you give me your login details so that I can check it out?

Regards, Felix”

How would you react to a message like this? Would you reply? You may not know everyone in IT, but Felix appears to be a coworker and looking to help you safeguard internal IT security.

In large firms especially, most employees will not be familiar with the whole IT team. Anyone trusting such an email makes it possible for sensitive data to be stolen and puts many other areas of a business besides IT security at immense risk.

Phishing: the impersonal form of social engineering

A less laborious type of social engineering is the classic phishing email. This usually involves fake PayPal emails containing a link to a simulated website so much like the original that it is difficult to notice any deception. The email will ask people to update or verify their login details on this website, but doing so delivers the data directly into the hands of the scammers.

Unlike a personalized email, these messages are highly generic. The classic phishing email is based on a simple and less costly method, which means huge volumes of emails are sent. Even if only a fraction of the recipients fall for the ruse, hackers will have found the social engineering attack worthwhile..

Social engineering needs no programming expertise

Technical obstacles are overcome simply by employing psychological tricks, with hackers exploiting people as the weakest link in the IT security chain. Even the most secure vault in the world can be opened if the access details are handed over to unauthorized individuals. This saves the criminal a great deal of technical effort and lessens the chance of them being detected by IT security measures.

If you had replied to the email from Felix above, the hacker would have infiltrated the company network within a few minutes. No effort, no programming skill, no great risk. Criminals leverage employees’ fundamental trust and curiosity in order to steal data or money.

How can I protect myself and my company against social engineering?

Organize preventive training sessions on a regular basis to educate yourself and your colleagues about the dangers of fake emails. Regular information emails can also help to raise awareness of the issue.

As long as criminals have not gained access to an employee’s or the CEO’s email account, there are several different ways to recognize fake emails:

  • Verify the sender address: Check the sender address carefully. Is the email address really correct? Have any letters been swapped, maybe? Or an upper-case I replaced with a lower-case L? There will often be an automatically generated and untraceable second email address behind the first one. If you think an email is suspicious, you can take a closer look at the header. Information like the actual sender and the server that the message was sent from can all be found in an email’s header. In most cases, the sender is the clearest criterion for identifying a fraud attack.
  • Check first hand: Contact colleagues directly if you’re unsure. Call the person in question or speak with them face to face.
  • Rhetoric: With CEO fraud attacks especially, it is important not to let yourself be intimidated. Ask yourself whether the boss really wants to transfer €20,000 into an unknown account without anyone’s knowledge. Or consider whether your IT colleague Felix could in fact have noticed “unusual activity” and why that would make him require your login anyway. And even as a private individual – if you receive a surprising email from a company where you are a customer, it can help to make a brief call to their support team.
  • Pay attention to spelling mistakes: Phishing emails, in particular, are full of misspelled words; from an incorrectly written name to sloppy language that suggests the text was not written by a native speaker but perhaps translated by automated language software.
  • Don’t click on links directly: If the content of an email leaves you in any doubt, the best thing is not to click on any links inside it and instead to access the website concerned directly through your browser. For example, if Amazon asks you to update your details, then you should go directly to Amazon.com and look for a corresponding message there. If there is nothing to be found, you have likely received a phishing email.
  • Hover over links: Before you open a link, mouse over it. With most browsers, a small window will open in the bottom left. This is the URL which will be accessed when the link is clicked. Checking the URL provides information about the true destination of the displayed web address.

Google phishing quiz: Your free awareness check

A few weeks ago, Google created a security quiz in response to the sharp growth in phishing attacks. This quiz challenges you to try and spot a phishing email. Can you see through any social engineering attack? Find out now!

Additional safeguards with Hornetsecurity Advanced Threat Protection

Classic phishing emails will generally be identified and weeded out immediately by a good spam filter. A personalized social engineering attack, however, is not much different from a perfectly ordinary email. These unwanted emails will therefore end up in your inbox in spite of spam filtering.

Advanced Threat Protection goes a step further: various deep filters and heuristic detection mechanisms will uncover almost any fake email. With the help of AI, the filter learns from every attack and thus improves its detection rate on a daily basis. Advanced Threat Protection covers many of the above points completely automatically.
Ultimately, though, you should always question every email and be cautious about sharing data.

High email security standard through SPF, DKIM and DMARC

High email security standard through SPF, DKIM and DMARC

Hornetsecurity offers secure protection against spyware and malware in email authentication through standardized sender reputation procedures.

Emails are still regarded as the most commonly used medium for the transmission of electronic messages. They are inexpensive, with unlimited distribution and offer the possibility of sending and receiving texts and file attachments in real time. Yet precisely these characteristics make email communication so vulnerable. Cyber criminals are constantly expanding their range of threats and developing new strategies to overcome security mechanisms. The authorization of permitted domains using a corresponding SPF record in the DNS zone is therefore no longer sufficient to successfully protect incoming email traffic from phishing and spam.

For this reason, Hornetsecurity’s email service has been expanded including further important sender reputation procedures in the fight against widespread attack patterns. In addition to SPF, procedures such as DKIM and DMARC are implemented against spam, spoofing, phishing and malware attacks as well as targeted CEO fraud attacks. Hornetsecurity has thus been applying the current recommendation for email security from the Federal Office for Information Security (BSI) and the Federal Association for IT Security (TeleTrusT) and thus offers a high security standard in email communication.

Secure from attacks with SPF, DKIM and DMARC

The SPF, DKIM and DMARC authentification procedures operate interconnected as a secure instrument to prevent from attacks on a company’s email communication. In the following, the used standards for sender and recipient reputation are presented and their functionalities are explained.

Sender-Policy-Framework (SPF)
[RFC 7208]

SPF is a method by which unauthorized sender addresses of domains can be recognized and the delivery of their mails can be prevented. Authorized servers that are allowed to send emails in the name of a domain are entered in the so-called SPF record of the DNS zone. When an email is dispatched, the receiving server takes the sender domain from the envelope sender of an email and uses a DNS query to check whether the domain is registered in the SPF record. If the domain is not registered, the server is not authorized to send emails in the name of the domain. Emails from unauthorized servers, for example, can be classified as spam. Due to insufficient cryptographic security mechanisms that could ensure the senders authenticity, SPF should not be used as spam or phishing prevention. Despite successful SPF authentication, the sender ID of the envelope sender can be changed in the Body-From field, making it easy to manipulate the sender address.

Sender-Policy-Framework (SPF)

Domain-Keys-Identified-Mail (DKIM) [RFC 6376]

For a more comprehensive email protection, SPF can be usefully supplemented with DKIM. The main intention is to prevent spoofers from accessing sensitive data. As a special feature for email authentification, DKIM adds a digital signature with cryptographic encryption (SHA-256) to the email header. This signature operates as a kind of fingerprint and must have the same hash value in the checksum as calculated before sending. Any change to the data, no matter how small, would change the hash value and indicate an intervention in the message during transport.

To decrypt the signature, a key pair is needed which consists of a public key and a private key and is required for successful authorization of the sending server. The public key is entered as a TXT record in the DNS zone analog to the SPF entry. The secret key remains exclusively on the server that is authorized to send emails.

In the authorization procedure, the receiving server first determines the sender domain of the email and then checks for the name under which the matching public key can be found in the DNS zone of the sender domain. A successful signature check ensures that the decoded hash value corresponds to the original checksum before sending and that the email has not been modified during transmission.

Domain-Keys-Identified-Mail (DKIM)

Domain-based Message-Authentification, Reporting and Conformance (DMARC)
[RFC 7489]

A constant verification of the authenticity of emails cannot be guaranteed by SPF and DKIM on its own. This gap is closed by the DMARC test procedure, which complements the SPF and DKIM methods in their combined appearance to form a safe test procedure for sender reputation. DMARC ensures that the envelope sender address matches the body form address. This verification is important because traditional email programs only display the body-from information of an email and the actual sender information remains hidden.

DMARC also establishes certain guidelines for the SPF and DKIM procedures, which are stored in the TXT record of a DNS zone in form of requirements. These guidelines determine the instructions for the further handling of received emails. Thus for SPF the verification must be positive and the envelope sender address of the domain must match the address stored in the SPF record. For DKIM it is required that the signature is valid and that the domain matches the body-from address of the mail.

Domain Based Authentification Reporting and Conformance (DMARC)

If one or more requirements are not met, the check is negative and the email can be quarantined or rejected depending on the matrix.

DMARC offers the option to send reports in the versions of “Aggregated Reports” and “Failure Reports” (The reports may only be transmitted in compliance with the Federal Data Protection Act in the context of the detection and limitation of spam and phishing as well as for the protection of telecommunications systems and in accordance with the principle of proportionality. An authentication and verification system must be used to avoid misuse. ) The reports can help the domain administrator to keep track of his own email traffic and to check the DNS entries for syntactical correctness. Furthermore, the results can be used to support other systems. For example, the ZIP file of an undisputedly identified sender can be delivered without further effort, while for unidentified senders it is quarantined or rejected. This way, Hornetsecurity supports its own product Content Filter for fast and secure delivery of attachments in emails.

*The reports may only be transmitted in compliance with the Federal Data Protection Act in the context of the detection and limitation of spam and phishing as well as for the protection of telecommunications systems and in compliance with the principle of proportionality. An authentication and verification system must be used to avoid misuse.

Further technologies and encryption methods at a glance

 

The so-called Domain Name System (DNS) is responsible for the connection with servers and can be used to convert host names into IP addresses. Sending and receiving messages to one or more recipients is made possible with the User Datagram Protocol (UDP). A connection between sender and receiver is not established and the data is delivered to the receiver without further control mechanisms. Therefore, even the sender is unable to determine whether his message has arrived successfully. Various security techniques such as TLS, DNSSEC and DANE are used to solve the security problem of outdated DNS. In the area of “secure email communication”, however, no standard has yet been able to establish itself. The latest standard is called MTA-STS and promises to successfully protect e-mails during transmission from electronic eavesdropping and manipulation.

Transport Layer Security (TLS)
[RFC 5246 ]

TLS is a popular encryption protocol that has been developed further and standardized on the basis of the Secure Sockets Layer (SSL). The TLS protocol is used to ensure confidentiality, authenticity and integrity when transmitting data in insecure networks. The TLS protocol, divided into two levels, is a hybrid encryption method that uses both symmetric and asymmetric algorithms. It encrypts an end-to-end connection using symmetric algorithms. The TLS Handshake Protocol is based on the TLS Record Protocol and negotiates security parameters between sender and receiver. Connections to email servers can be initiated and encrypted via STARTTLS. TLS is used nowadays in many applications in which data, in particular access data, PINs and passwords can be transferred securely. These include applications such as e-commerce, home banking and e-government.

DNSSEC (Domain Name System Security Extensions)

[RFC 4035 ]

DNSSEC is an extension of DNS. It verifies the authenticity of the information stored in the DNS zone and ensures that an attacker cannot manipulate the DNS responses in his favour. With two different keys and a corresponding signature, the DNS data is protected. The recipient can verify the sender on the basis of the signatures used. If the signature is not valid, the DNS server of the provider blocks the response. DNSSEC cannot be applied to every domain and is therefore not commonly used.

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

DNS-based Authentification of Named Entities (DANE)
[RFC 6698]

The DANE protocol is another technique based on DNSSEC. This technique extends the basic protection of TLS connections by a cryptographic combination of certificates with DNS names. Thereby it should be verified whether an email server can establish and authenticate encrypted connections. This is to prevent a man-in-the-middle attack in which the message first reaches an attacker’s server. The DANE entry is stored in the DNS zone under a TLSA record which contains different characteristics of the respective TLS connection. These features define the certificate which a server must expect when connecting to the email service of the particular email server. For many domain administrators, however, DANE cannot be implemented since not every domain can be resolved via DNSSEC.

SMTP MTA Strict Transport Security (MTA-STS) [RFC 8461 ]

The connections between the servers so far are mostly unprotected. Thus, an important component for secure transport encryption is missing. This problem was apparently also recognized by large mailhosters such as Google, Microsoft and Verizon Media Company (Yahoo, AOL) as well as 1&1, which are participating in the development of the new MTA-STS standard. MTA-STS is intended to replace the often unrealisable DANE as well as the common STARTTLS, since attacks on the procedures cannot be excluded with absolute certainty. The new standard offers a similarly secure standard as DANE, but a much easier implementation than DNSSEC. For the implementation of the standard, email server operators can define a policy that can be retrieved by the sending mail transfer agent (MTA) using HTTPS [RFC2818]. The current version is displayed by a TXT data record in the Policy. In addition, these TXT data records contain an ID field which the sending MTA can use to check the temporarily stored policy for actuality without having to request an HTTPS connection. To find out if a receiver domain implements MTA-STS, the sender only needs to resolve a TXT dataset and identify the TXX record with the label “_mta-sts” (e.g. “_mta-sts.example.com”). The main difference to DANE and STARTTLS is that the results of DNS queries are stored in a cache so that manipulations by later connection attempts during the retention period are very likely to be detected.

Conclusion – Hornetsecurity offers highest email safety

Recent events show that widespread security protocols such as TLS by itself cannot guarantee safe connections between email servers. Previous improvements, such as DANE and DNSSEC, have so far not been applied worldwide, partly due to technical difficulties in implementation.

With standardized sender reputation procedures such as SPF, DKIM and DMARC, Hornetsecurity’s email service offers reliable protection against cyber attacks on email communication. The recommended standards of the BSI and TeleTrusT for secure email authentification have already been fully implemented and are successfully applied in the products of Hornetsecurity such as the spam filter and the content filter. For secure email communication, it is advisable to rely on the additional protection of content encryption using S/MIME (Secure / Multipurpose Internet Mail Extensions) or PGP (Open Pretty Good Privacy). The PKI-based email encryptions ensure the confidentiality of the transmitted messages between sender and recipient and protect the transferred data using cryptographic encryption methods. The Hornetsecurity encryption service offers this security solution directly in the cloud and thus completely secures the transmission process.

The new MTA-STS standard is supposed to provide better protection for the transmission process of emails with the help of already known techniques such as HTTPS and to provide methods for the detection of irregular access.

The ease of implementation and the rapid distribution are currently increasing the acceptance of this standard, which is currently being used by more and more mail administrators for its security potential.

Advanced Persistent Threats – The invisible threat

Advanced Persistent Threats – The invisible threat

What do the Olympic Winter Games, the Information Network Berlin-Bonn and large companies as well as SMBs have in common? They were and still are targets of highly evolved cyber-attacks that are aiming to spy on and sabotage internal processes and to steal and copy important and secret data. The realization happens as undetected as possible and over a longer period of time. These types of attacks are commonly known as “Advanced Persistent Threat” (APT).

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

The attacks are presumed as “advanced” because the attacker has large amounts of time and money available and thus gives himself an advantage in terms of access to information and development capacities. For victims, the infiltration of their IT infrastructure is hardly traceable and difficult to discover, so that the intruder can act undetected in the internal network for several weeks or even months. Cybercriminals are often a group of individuals that operate together, and it is not unusual that competitors, organizations or even states are the initiators of those ingenious attacks.

Their objectives differ and range from copying as much detailed information as possible about company internals as well as military and political facts to financial enrichment in terms of financial and credit card theft. In Germany, the Federal Office for the Protection of the Constitution recently warned against a renewed wave of APT attacks targeting German media companies and organizations in the field of chemical weapons research.

In general, cybercrime increases with the ongoing digitalization in companies. According to a recent study by Bitkom on digital espionage, sabotage and data theft, 68 % of the companies surveyed in Germany stated that they had been affected by cybercrime in the last two years (as of October 2018).

Five Stages of an APT Attack

Unlike “common” virus and spam attacks, in which hackers send a large number of infected emails to hit random victims, an APT grouping deliberately seeks a high-ranking target chosen for its objectives. The attackers proceed according to a classic pattern, which can be divided into 5 stages:

1. Exploring and researching

Once a target has been selected, the first phase of the attack is to gather as much information as possible about the company or organization. Hackers are particularly likely to access corporate websites, social media and other sources open to the public to find possible points of entry into the target’s systems.

2. Invasion of the system

If the attacker has gathered a conception of the structure of his target and knows which IP addresses, domains and systems are connected in which way, he will be able to search for vulnerabilities in detail. To finally gain access to the systems of the target, the hackers use various methods: Social engineering, such as CEO fraud & phishing as well as ransomware, blended and targeted attacks are among the best known. Cyber security is not just about computer systems and networks – APT groupings often use the “human factor” as a vulnerability by exploiting human traits such as helpfulness and trust. A recent survey conducted by the Federal Office for Information Security (BSI) revealed that one in six employees would respond to a fake email from the executive floor and disclose sensitive company information.

3. Spying out and spread

As soon as the hackers have access to the system, they usually operate as carefully as possible so as not to attract attention. The company’s security measures and deployed software are identified so that further security holes can be exploited to extend attackers’ access to the network. With the help of keyloggers and the found data, an attempt to find out passwords and thus gain access to other data records and systems is made.

4. Execution of the attack

The perpetrators access the unprotected systems and start to act according to their motivation and objectives for this attack. For example, sensitive company data can be collected over a long period and/or malware can be installed to the IT system. Also, the paralyzing of systems and thus of the operational procedures is an option.

5. Filtering and analysis of the data

The data and information collected is sent to the APT Grouping’s base for analysis. To have further access to the infected system of the company at any time and especially unnoticed, a kind of “back door” can be installed by the attackers.

Detecting and preventing APTs

Regarding such individualized and manual procedures in particular, the focus of IT security should rest on targeted detection and immediate reaction to possible attack attempts. With the daily flood of incoming and outgoing emails, manual monitoring of individual attachments or content indicating CEO fraud, for example, cannot be handled.

With Hornetsecurity Advanced Threat Protection, innovative forensic analysis engines provide real-time monitoring of corporate communications and immediately prevent attacks. The APT service is directly integrated into Email Security Management and offers protection mechanisms such as sandboxing, URL rewriting, URL scanning, freezing and targeted fraud forensics in addition to the spam and virus filter. In the event of an attack, it is important to that a company’s IT security team is immediately notified with specific details about the nature and target of the APT attack, the sender and why the email was intercepted. Thanks to Real Time Alerts, Hornetsecurity ATP is able to inform a company’s IT security team about current attacks. This up-to-date information can be used for countermeasures, so that security gaps can be effectively closed in the shortest possible time and additional protective measures can be set up.

Additional information:

 

Shortfalls in security professionals – turn to reliable managed security services

Shortfalls in security professionals – turn to reliable managed security services

Small to medium-sized businesses are faced with a two-headed beast in terms of cybercrime. To understand and defeat this enemy, you must examine its two main threats to your company’s cybersecurity.

Secure data transfer with Hornetsecurity’s Content Filter

The first part of this cybercriminal monster are the internal and external threats. Malware, phishing, DDoS attacks, and ransomware are just a few of the viruses and methods that hackers use externally to gain access to your site, software, or network. Internal data leaks stem from employees, either by intended sabotage (e.g. theft of IP by exiting employee) or accidental mistakes (e.g. an email sent to wrong recipient) that greatly open up every business to the potential of cybercrime.

Cyberattacks increase and become more and more dissipated

Both internal and external threats are more sophisticated in design than just 5 years ago, and they’re backed up by cyber criminals who simply just don’t stop. According to Gartner researchers, a survey of more than 3,000 CIOs found 95 percent of technology leaders expect cybersecurity threats to grow. In conjunction with this expectation is the fact most companies have no idea where their sensitive data is located, whether it’s secure or whether employees are mistakenly or purposefully misusing it.

The threats are real, and decision-makers know they must be dealt with, but it’s the second head of this cyber animal – the 3.5 million unfilled positions in the IT industry expected by 2021 – that causes alarm for SMBs.

IT security experts – the supply is low, the demand is high

This IT security employee shortage will leave SMBs in a tight spot, as security professionals are hard to find for any sized business and command top salary figures when available. Cybercriminals, of course, aren’t complaining. Small- to medium-sized business will face budget, HR, operations and financial issues when confronting a lack of skilled workers in the marketplace. Not being able to hire the right person with the right skills will cause culture issues with overburdened staff thinking about moving elsewhere. Projects will take longer to complete and end up being costlier in the long run.

According to Gartner researchers, only 65 percent of businesses have a cybersecurity expert on staff, and when a SMB looks to hire a security professional, the cost often exceeds their ability to reap any value from a large investment in talent. The culture fit and complex skillsets required also drive down the availability of affordable, qualified security staff for SMBs to hire.

So, if companies know the threats exist and realize the available talent pool has shrunk in size and risen in cost, why aren’t they taking a more proactive approach to tightening up their security defense right now?

There are solutions to overcome the ill effects of a smaller IT security talent pool, ones that are reliable, efficient and valuable to any SMB. Some companies have embraced the idea of creating “new collar” jobs in cybersecurity. These roles prioritize skills, knowledge and willingness to learn over degrees and the career fields they once worked in.

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

The triumph of cloud security

And there are those businesses who have adopted cloud-based solutions. These cloud-based security solutions have grown in use and they’ve become known for extremely reliable service. According to a recent survey by Forrester, more than 50 percent of businesses will be adopting applications, platforms and services enabled by cloud-based technologies by the end of 2018. Half of IT spending will be cloud-based by the end of 2018, reaching up to 60 percent of entire IT infrastructure and 60-70 percent of all applications, technology, and services spending by 2020.

Cloud security has provided an affordable blanket of solutions that every SMB can adopt and rely on to relieve HR issues, financial concerns and operational constraints. Cloud-based security providers rely on their ability to quickly detect, contain, and mitigate any type attack.

As the threat landscape evolves, SaaS security providers continue to add new features into their platforms to address the latest concerns.Many cloud services contain native security controls that help companies improve their security posture by adding security controls not met in traditional environments and eliminating redundant controls, expensive appliances and burdensome overlap in traditional solutions.

What Hornetsecurity solutions offer you

For the past 11 years, one such cloud-based leader in security solutions has been Hornetsecurity. Its full suite of award-winning security solutions provides peace of mind for its 35,000-plus customers by delivering lowered administrative costs and 24/7 support. Hornetsecurity’s Advanced Threat Protection and Spam Filter Services are reliable, efficient and exemplify German engineered quality that SMB customers demand in protecting their data and email.

With Hornetsecurity working for your SMB, suddenly many of those internal and external threats are muted, your budget isn’t feeling the pinch, and the meager talent pool of IT security staffers is an afterthought. You’re not focusing administrative time on your security or budget, but on delivering positive business results.

Most importantly, cloud security today is simply better security, and it’s the best way to slay that two-headed beast of cybercrime.

CONTENT FILTER 2.0 – The security officer for your data transfer

CONTENT FILTER 2.0 – The security officer for your data transfer

The State Criminal Police Office of Lower Saxony is currently warning against an increase of emails with fraudulent application content. These emails are explicitly directed at companies with advertised vacancies and endanger in particular personnel departments that are involved in application processes. The seriously formulated emails are attached with alleged application documents in the form of archive data. If these files are unpacked, however, no application documents are revealed, but rather dangerous malware that infects the system.

Secure data transfer with Hornetsecurity’s Content Filter

With Hornetsecurity’s Content Filter, effective protection measures can be taken against unwanted file attachments. In addition to the general protection provided by the spam and virus filter, individual settings for attachments of incoming and outgoing emails can be made within the content filter. Updating the content filter to version 2.0 now also checks nested archives. Defined rules can still be applied for the entire domain or for certain user groups. This allows particularly vulnerable groups in the company to be deliberately protected against current attacks.

Easy setting – secure data transfer

The Content Filter offers an uncomplicated handling for the management of email attachments. Unwanted file formats, such as executable files, are grouped under the collective term .executable and can be selected from a predefined list with just a few clicks by the first time they are set up. Additional file formats that do not fall under one of the collective terms can be added if required. In addition, it is possible to individually configure the maximum permitted size for affected email attachments.

Hornetsecuity Content Filter 2.0

Fig. 1: Settings in the content filter for incoming emails

In case of application two actions can be set for handling the affected: Block email or cut attachment. In addition, encrypted Attachments, which are increasingly used in common formats such as PDF, ZIP, RAR etc., can be explicitly prohibited (Fig. 1). Furthermore, the content filter includes an automated comparison of file extensions with the supplied MIME type, which can differ significantly from the file extension in the case of suspicious email attachments. Archive Files that have internal nesting structures in the form of additional archives are analyzed and evaluated down to the security-relevant level.

If the content filter intervenes and removes a suspicious attachment, it changes the original state of the message. For signed emails, active intervention by the content filter causes the signature to be corrupted. If this occurs, the content filter informs the recipient and specifies whether the signature was valid before the change (Fig.2).

Hornetsecurity Content Filter 2.0

Fig. 2: Valid signature after truncating the content

However, if the certificate of the signed email is available on our systems, the email whose signature was broken by truncating the file attachment is re-signed and thus retains its validity.

The content filter can be activated for all Hornetsecurity partners and customers in addition to the spam and virus filter.

ATP – the interoperable complement for comprehensive protection

The current threat landscape of malware ranges from ransomware to cryptominers and is constantly changing. Spam, virus and content filters provide a solid basis against cyber attacks. These filters do not provide 100% protection against targeted and sophisticated attacks on companies. Further protection mechanisms are needed that adapt to the constantly changing types of attacks and malware. By combining Hornetsecurity’s interoperable filters, full protection against specific cyber attacks can be achieved and sustainably secured for companies.

In addition to the spam and virus filter, Advanced Threat Protection (ATP) from Hornetsecurity offers reliable protection against current malware attacks. ATP integrates seamlessly into the existing filters from Hornetsecurity email services and has, in comparison to the content filter, profound behavior analyses of file contents. Thanks to the integrated ATP engines such as the sandbox, URL Rewriting and URL Scanning , attacks such as targeted or blended attacks are detected early and the necessary protective measures are initiated in real time. For example, hidden links infiltrated in files can be recursively tracked in an isolated environment and the content hidden within can be subjected to forensic analysis. For content patterns that indicate malicious intent, the company’s IT security team is notified in real time for immediate protection.

Email encryption – A guide for implementation at SMBs

Email encryption – A guide for implementation at SMBs

Certificates, signed emails, symmetric and asymmetric encryption, S/MIME, TLS and PGP – for many who do not regularly deal with email encryption these terms are quite foreign. However, with the new basic data protection regulations (DSGVO) these terms have been pushed to the top of the to-do lists for many SMBs. Although, many companies lack the necessary knowledge to implement the new requirements in regards to the encryption of their email communication. In this article, Hornetsecurity aims to explain some of the basic terms and technologies around email encryption.

Asymmetric and symmetric email encryption – what are the differences?

If you take a closer look at asymmetric and symmetric email encryption you will very quickly discover that these two are fundamentally different. Essentially, they differ in the number and type of keys used.

Symmetric email encryption uses the same key to encrypt and decrypt the email. This means that the sender and recipient of an email share the same key. Thus, this procedure is very simple, but its security is essentially tied to the secrecy of the keys – if the key falls into the hands of a third party that person can decrypt the entire communication.

Asymmetric email encryption uses a total of four keys, one key pair each – a public and a private key per communication partner. The public key is accessible to everyone who wants to communicate and is transferred with the certificate exchange. It is used to encrypt the data, in our case, emails.

To decrypt the encrypted data again, the private key belonging to the public key is required. Although the key pair is mathematically interdependent and it’s practically impossible to calculate it.

S/MIME, PGP and TLS – what are the abbreviations?

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

PGP and S/MIME are asymmetric encryption methods. Both procedures have a decisive advantage and disadvantage. The advantage is that the email provider of the sender and recipient also has no insight into the email. The disadvantage is that only the message is encrypted. The sender and recipient as well as the subject can still be read.

The main difference between email encryption with S/MIME and PGP is the issue of certificates. While PGP (also known as OpenPGP) is an open source solution in which everyone can create their own certificates, certification at S/MIME takes place via official certification authorities, the so-called Certificate Authorities (CA).

TLS differs fundamentally from email encryption with S/MIME or PGP. Here it’s not the email itself that is encrypted, but only the connection between the two communicating servers. This means that the email cannot be accessed during transport, but it is not encrypted on the respective mail servers.

How to implement email encryption – there is no “one” way

All roads lead to Rome – but which ones lead to legally compliant email encryption? In fact, there are several ways for companies to implement legally compliant email encryption. The most prominent are on-premise and cloud-based solutions.

With on-premise solutions, the emails are encrypted directly on site, i.e. at the companies themselves. The email encryption software can be purchased, rented or operated completely independently from an external provider. Although this procedure offers the company a high degree of transparency and decision-making freedom, it involves an administrative effort that should not be underestimated. The costs for maintenance and operation are also quite significant. Today, on-premise solutions are considered a thing of the past and are increasingly being replaced by modern cloud-based computing.

E-Mail-Verschlüsselung bei Hornetsecurity

Graphic: Email encryption using cloud computing (click to enlarge)

With the cloud-based computing alternative, also known as “Software as a Service” (SaaS) solution, the security provider relieves the company of all expenses, such as administrative and operational costs. All of the company’s email traffic is then handled by the security provider’s servers, including Hornetsecurity’s email encryption service. The route between the customer’s mail server and the service provider is protected by TLS. This solution is characterized by the elimination of administrative work for any particular company. However, to fully ensure secure email communication, TLS and S/MIME can and should be used simultaneously. This is the only way to encrypt the email itself and its transport route.

Weiterführende Informationen: