The Art of Email Security: Putting Cybersecurity In Simple Terms
Ebook, 533 pages, 5 hours

Rating: 2 out of 5 stars

About this ebook

Cracking Invisible Walls Between You and Cybersecurity

“The Art of Email Security” presents hard evidence of email committing high treason against your privacy, explains what makes you a possible target in the eyes of the attacker and shows what you can learn from online criminals to become more secure.

To bring some spotlight on the importance of digital awareness in our tech-obsessed world, StealthMail Team launched the project and was later joined in this mission by leading cybersecurity experts across the globe. Chief information security officers that have worked for companies like Amazon, IBM, HBO, Gartner, UNICEF, DHL, Verizon, Capital One and many more were kind enough to share their knowledge and offer their unique insights, fueled by years of experience, and feedback-from-the-ground on email matters worth talking about.

The material provided within the book allows privacy-oriented users of different Internet proficiency to get familiar with best practices of email security, learn about the most popular cyberattacks targeted at email, and find out why email is used so heavily by the most decorated hacking groups in the world.

Additionally, you will learn more about:

- Ideas, motivations and work methods behind the most famous hacks of the past 10 years

- History of email as we know it, introduction to protocols used to facilitate data delivery and protection

- Real-life cases and stories explaining the nature of social engineering

- Cryptography basics explained in plain English without overexposing Bob and Alice

- Ways of detecting, identifying, and avoiding the most sophisticated email attacks

Cybersecurity is hard enough as it is, and this book attempts to put it in simpler terms. Why not make your first step towards becoming a cybersecurity professional right now?

"If you are worried that a cybersecurity book will be dry and technical, this one is a pleasant change. The book is a quick read, full of informative anecdotes mixed with cultural references to keep the reader interested. It is really geared towards the individual, not just a corporate security professional, and is written in a very conversational and humorous way. I would recommend it to anyone who wants to understand current social engineering and cyber fraud schemes." — Rick Doten, Cyber and Information Security at Crumpton Group LLC

"Lots of teases, plain English, captivating storytelling. Appreciate how honest and straight-forward the authors are, they don’t hold back and have strong opinions. This book raises a lot of important questions, and of course, answers a few too. This is something I would give to friends who don’t know a lick about cyber hygiene or how dangerous email is. It left me wanting more, and I expect authors to continue doing their good work." — Johan Nordstrom, Founder & CEO of Nordstrom Consulting

Language: English
Publisher: Evgen Verzun
Release date: Feb 4, 2020
ISBN: 9780463791103

    Book preview

    The Art of Email Security - Evgen Verzun

    The Art Of Email Security: Putting Cybersecurity In Simple Terms

    Although every precaution has been taken to verify the accuracy of the information contained herein, the authors assume no responsibility for any errors or omissions.

    No part of the publication may be reproduced, distributed, stored in or introduced into an archival system, transferred or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise) without the prior permission of both owners and publisher of this book, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.

    The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

    © Copyright 2020 by StealthMail Software Ltd.

    StealthMail.com

    All rights reserved.

    Table of Contents

    What Others Are Saying About This Book

    The Art Of Email Security Backstory

    Acknowledgments

    Introduction

    The Unarguable Fact That Makes This Book A Must Read

    To Make You Feel A Bit More Comfortable And Secure In The Digital Space

    Hold Your Trojan Horses There, We Got A Few Examples

    We Will Burst The Bubble We Live In By Getting Out Of It

    Maybe It’s Time To Address The Elephant In The Room?

    The Dark Side Of The Digital Age

    We Also Befriended The Best Spies On The Planet

    Not Everyone Picks Up On This Subject For Some Reason

    9 Out Of Every 10 Successful Cyberattacks Start With Email

    It Will Suck You In Like A Quicksand

    Who Are They, Who Are Their Victims?

    Same Lack Of Interest That Keeps People Blind

    They Have Everything They Need To Collect Information Like Sponges Collect Water

    There’s More To Hacking Than Simple Button Jacking

    Punching Cards And Catching The Bus Like A Boss

    Gamble Boy Cracks Feds, With Attitude

    You Don’t Own Jeh-k, Dear Friend

    Let’s Just Say Kane’s Little Gamble Didn’t Pan Out As He Had Hoped

    What Motivates Online Criminals?

    The Personality Of The Wearer And What Makes The Hat

    Never Ever Underestimate The Importance Of Having Fun

    Smart Hackers Know When It's Time To Change The Hat

    Not Bad For A Part Time Job, Huh?

    Even Drug Trafficking Doesn’t Hold A Candle To Cybercrime!

    There Is No Honor Among Thieves, Even Extremely Online Ones

    24 Million Dollars And A Ton Of Psychological Cargo

    Hacking With Authority: Advanced Persistent Threats

    They Don’t Have To Worry About Feds Standing Behind Their Backs

    Data Is The New Oil And Email Is The Earth They Pummel To Get It

    They Snoop Around The House You’re Moving Into

    Digital Transformation Catches Users Between Stone And A Hard Place?

    Can You Name The Biggest Weakness Of The Largest Companies?

    Panama Papers Scandal Exposed 11.5 Million Documents

    Email Was Not Created For This Tough World, It Didn’t Sign Up For This Either

    How People Turned Email Into Their Mortal Enemy With No Malice In Mind

    People Invest In Email Heavily Without Being Aware Of It

    Email Is Open For Everyone, Everyone Is Welcome!

    It's Like Grand Central Station In Here...

    The Numbers Don’t Lie And They Spell Disaster For You

    SMTP Should Really Stand For Simple Method To Peek

    You Might As Well Write A Message On A Wall

    Three Certainties In Life: Death, Taxes, Email Staying For At Least Another Decade

    Email Is Like A Cockroach – It Is Tough To Kill…

    ...But It Still Holds Some Value

    5 Of The Most Overused Attacks On Email

    Man-In-The-Middle, Never Second Fiddle

    There’s Strength In Numbers, And We’re Not Talking About Stats

    What Can Be Worse Than A Crowd Of Hungry Uninvited Guests?

    Pay Up $1000 And I'll Fix Your $300 Computer

    WannaCry Me A River?

    Healthcare Organizations Need Patient Data To Save Lives

    Petya Or NotPetya? That Is The Question

    How Laziness Makes Attacks Even More Lethal

    Specialization In Integrity Doesn’t Make You Immune

    People Jumping On Everything That Is Free

    The Greatest Trick The Devil Ever Pulled Was Convincing The World He Didn't Exist

    The Paranoid Is Never Entirely Mistaken

    How Criminals Get Information By Using A Victim’s Hands And Manipulating Their Minds

    The Type Of Phishing That Won’t Let You Relax

    The Art Of Spoofing That Will Leave You Barely Hoofing

    Does Email Security Strangle The Working Process?

    Take Gmail’s Dot Problem For Example...

    The Netflix Scam That Forces You To Pay For Someone Else’s Fun

    Phishing Scam Covers All Demographics

    The Last Thing A Phish Would Ever Notice Would Be Water

    The Poisonous Spear Touch That Derailed Hillary’s Campaign

    Yet Another Reason To Leave Social Media Forever

    Oh, You're Back. That Was Quick!

    Spoofing Is Not Exclusive To Email, Far From It

    The Travesty Of Whale Hunting Where Animals Luckily Don’t Get Hurt

    How Full-Blooded Italians From China Fooled A Bunch Of Indians

    You Juke The Numbers, And Workers Become Hopeless

    Spicy Recipe For Receipt Disaster

    How Cross Site Scripting Works And Dorks Poor Users

    There Would Be No Actual Need To Fool The User Directly

    This Is A Possible Reason For Your Machine’s Slow Starts

    Why Nerve-Wracking Cryptojacking Is So Widespread?

    And This Is Why It Overtakes Malware In Usage Rate...

    Because Nothing Was Stolen From Them Directly

    How Pay Rise Denials Deeply Burn Management Pockets

    55% Of Organizations Globally Were Affected By Cryptojacking

    Not-So-Common Attacks Affecting Our Emails

    Now Picture That Mess Going Straight To Your Inbox

    Unsubscribing From Spam Can Sign You Up For Fresh Malware Delivery

    It Won’t Go Through Them, It Will Blow Up First

    Sometimes You Don’t Even Have To Click On The Links To Get Caught

    Why Losing Hash Is As Bad As Losing Cash

    Spooky Tech Explanation Nobody Ever Asked For

    Now They Can Steal Our Cookies Through Email!

    Sometimes You Click On A Link Without Even Knowing Anything About It

    Getting In The Crosshairs By Dancing Around The Malicious Link

    Click-Click, BOOM! What Was That!? A Bad Hair Day

    You Ignore It Once, Twice, But It Keeps Coming Back

    Don't Sing It, Bring It!

    That Can Actually Help You Defeat Web Beacons, Too

    Information Is Power And Those That Have Access To It Are Powerful

    How To Read The Emails Of Others Without Interacting With The Account?

    Sayonara, You Shell-Backed Simpletons

    Bringing Your Own Device Is Bringing Your Own Demise

    Universal Serial Bus That Will Drive You To The End Of The Line

    People Are Throwing Their Bodies Under The Bus

    When Sticking Your Nose In Someone’s Business Hits You Back

    Like Father, Like Son

    A Gateway That Can Open The Floodgates

    No, We Can’t Say That At All

    This Pharming That Has Nothing To Do With Genetic Or Social Engineering

    Those Routers Ain’t Loyal…

    That’s Just Like Posting A Manual For Beginners

    Data Breach Is Not A Figure Of Speech

    When Customers Take Their Money From Your Business

    Repeat Offender That Begs For A Defender

    Out Of The Frying Pan, Into The Fire, And Still Off The Hook

    Once Again, You Can’t Trust These Guys

    Indirect Types Of Data Breaches That Still Hurt Like Hell

    19,000 Different People, Carl!

    Mesmerizing Carelessness To Sensitive Documents Is Not New

    Smelly Goo On The Bottom Of Your Shoe

    Abuse Of Power Or Official Position Is Never A Good Idea

    Nobody Wants To Be The Next Target

    Old Data Breaches Still Pose A Threat To Your Security

    The Domino Effect Of Data Breaches

    Criminal’s Post-Breach To Do List

    Rocky Road To The Dark Web: You Will Be Amazed How Much Your Sensitive Data Costs On The Black Market

    There Is A Profit To Be Made

    Better To Hear About The Dark Web A Thousand Times Than To See It Once

    Illegal Sites? Give Me Examples, Asking For A Friend

    Cybercrime Is A Complicated Issue, But People Are An Even Bigger Issue

    Taking Orders, Sharing Data

    But First, Let Me Take A Selfie

    That’s Physical Security, Let’s Get Back To The Digital One

    Some People Can’t Live Without Communication, We Get It

    We All Need Each Other To Fight The Real Threats

    7 Expert Cybersecurity Tips And Directives To Regular Email Users

    The Ultimate Security Is Your Understanding Of Reality

    The Event That Put Us In The Mood To Write This Book

    Directive #1: Make Passwords Strong, Keep Them Fresh

    It’s A Foundation That You Build Your Security On

    Human Beings Are Experts At Forgetting

    Treat Your Password Like Your Toothbrush

    How Your Best Internet Friend Tells Your Secrets To Malicious Strangers Around You

    Not Everything That Glitters Is Gold

    Who Has An Edge Among The Rest?

    Safari That Shoots Down The Attackers

    Having A Bad Password Isn’t A Crime, But It Could Lead To One

    An Admin, A Monkey and A Princess Walk Into A Bar

    The Longer The Password Is – The Better

    How To Break The Walls Down Without Kicking Up A Fuss

    Patience And Hard Work Will Conquer All

    Directive #2: Use Two-Factor Authentication

    Now That’s A Great Attitude To Have

    Another Door Just In Front Of Them

    Loopholes Still Exist, And They Need To Be Addressed

    Deloitte Had No Clue About Two-Factor Authentication

    There’s No Patch For Negligence Yet And Stupidity Yet

    How Dare You Smear Security Over My Life?

    Directive #3: Don’t Confuse Two Steps With Two Factors

    Security Questions That Sell You Out In Two Seconds

    How Many High Schools Are There In Alaska?

    All You Need To Know About The Factors

    Human Factor Can Knock Down Authentication Factors With Ease

    Are You Impressed? It Doesn’t Matter

    The Bottom Line Regarding Two Authentication Factors

    Directive #4: Digital Content Must Always Be Encrypted

    Tell Me More About This Encryption Stuff, It Sounds Crisp

    But Don’t Be Afraid, That’s Not A Bad Thing, It’s A Good Thing!

    Sounds Easy Now, Right?

    Encryption Must Always Play A Signature Role

    Does Encryption Really Put Your Data In Great Danger?

    Why Exactly Do You Need To Keep Emails Encrypted?

    Encryption Is An Amazing Safety Measure All Things Considered

    People Created Safety Pillows, So You Might As Well Use Them

    Good Luck Trying To Brute Force Encryption, Really

    Or Just One Bored Kid From Finland

    Math Is Hard, Let’s Listen To Some Music Instead

    They Keep Their Ears Close To The Ground

    Sometimes It Takes A Meltdown To Get Fired Up

    Your Metal Gear Is Not Solid

    Directive #5: Keys And Encrypted Data Should Always Be In Your Control

    Bob –> Mallory –> Alice Example

    Authentication! We Need It To Validate Reality

    You Can Hide In The PIT

    So, How Does TLS Encryption Transpire Step By Step?

    A Handshake That Would Confuse Even LeBron James

    Hierarchy Works Well In A Stable Environment, But Internet Isn’t Stable

    Something Is Rotten In This State

    Believe Nothing You Hear, And Only Half Of What You See

    SSL In Particular Had A Very Hard Life

    Someone Can Steal Your Cipher Faster Than You Can Say Bleichenbacher

    DH Could Also Stand For Die Hard

    Crimes That Make Our Hearts Bleed

    Can’t Complain, And How Are You Doing?

    It Could Be Your Most Sacred Corporate Secret

    That’s Why You Don’t Squeeze In The Handshake!

    All In All, Trust Is Hard To Come By

    But How Good Is Pretty Good?

    Trust Is Built When Someone Is Vulnerable

    No Need For A Warrant Too…

    Cloud Has Truly Changed The Game

    Cloud Looks Fluffy, But We Need To Examine It Further

    This Is What Can Happen If You Put All Your Eggs In One Basket

    Directive #6: Data Protection Policy Should Be Legally Compliant

    GDPR’s Materialization And Its Impact On Data Privacy

    Factual And Actual Cases Triggered By General Data Protection Regulation

    HIPAA Has No Data Mishandling Tolerance Either

    Curiosity Killed The Cat And Can Possibly Kill Someone’s Career

    It’s All About The Money With Sarbanes-Oxley Act

    Self-Harming Overinflation Puts People In The Ground And Behind The Bars

    So You Want To Be Compliant?

    Directive #7: Remember That Security Is A Process And Not A State

    If We Desire Respect For Policy, We Must First Make The Policy Respectable

    Security Is A Team Effort, Plain And Simple

    Proverbs 29:18 KJV – Where There Is No Vision, The People Perish

    10 Indicators That Will Help You To Identify Phishing Emails

    Half Of Victims Click On Malicious Items Within The First Hour

    Final Words We Want You To Take Very Seriously

    The Art of Email Security Epilogue

    Let’s Look Back At What We’ve Done

    What’s Better Encryption Than Doctor’s Prescription?

    Education Is Not The Only Gateway To Security

    Filters Not Concerning Cigarettes Or Snapchat

    The Sky Is Not All 'Rose', But Cloud Is Not Transient

    A Farewell Gift To Our Most Diligent Readers

    References

    Glossary

    What Others Are Saying About This Book

    "What a book! – the guy who never finished one, beside CISSP exam book. Read it in bed, and I usually fall asleep after 20 pages. Not the case here!!

    I am impressed by the tons of information gathered, I even discovered two or three new things. The style is very good, I love the concept of small chapters! At first, I didn’t understand why a book about email security gives ‘hackers’ so much attention, but then it all made sense."

    Romain Bottan, Chief Information Security Officer at BoostAeroSpace.

    "Lots of tease, plain English, captivating storytelling.

    Appreciate how honest and straight-forward the authors are, they don’t hold back and have strong opinions. This book raises a lot of important questions, and of course answers a few too. This is something I would give to friends who don’t know a lick about cyber hygiene or how dangerous email is. It left me wanting more, and I expect authors to continue doing their good work."

    Johan Nordstrom, Founder & CEO of Nordstrom Consulting.

    "Amazing job by the authors, I am really impressed!

    Hope it will find the deserved success and will help email users become safer. Read it while my family was sleeping, couldn’t do so myself after starting. Authors worked really hard to improve it under my review, and it showed.

    Happy to be a part of it!"

    Stephanie Buscayret, Chief Information Security Officer at LATÉCOÈRE Group.

    "If you are worried that a cybersecurity book will be dry and technical, this one is a pleasant change. The book is a quick read, full of informative anecdotes mixed with cultural references to keep the reader interested. This book is really geared towards the individual, not just a corporate security professional, and is written in a very conversational and humorous way.

    This book is good for the non-technical user, as well as the security practitioner—maybe one who might work for a small firm and has not been as exposed to a variety of cyber threats. I would recommend it to anyone who wants to understand current social engineering and cyber fraud schemes."

    Rick Doten, Cyber and Information Security at Crumpton Group LLC.

    "A great read for non-technical executives!

    Informative and enjoyable, even entertaining read on a critically important topic. I think the way the subject is discussed makes the topic very easy to understand. Readers would feel comfortable investing their time in reading this book, without being overwhelmed with technical jargon! Highly recommend."

    Tom Patterson, Senior Manager, Information Assurance at Cotton & Company LLP.

    "No hard teaching, lots of engaging material for security professionals and regular users alike. This book is a good mix of data, statistics, quotes, insights and recommendations for users.

    I think that makes it appealing to a broad audience, which is smart as cybersecurity is a global issue. It puts human beings in focus and that makes it different from technical books you might have read before.

    Will certainly promote it in my network, I think it will get some love."

    Niels Trads Pedersen, Deloitte partner, former Business Unit Leader at IBM.

    The Art Of Email Security Backstory

    To start us off on the right foot, we need to introduce ourselves, provide you with our background, and share our goals and aspirations.

    The Art of Email Security is the collective labor of the StealthMail.com Team, a company working on professional email security solutions. After working on mission- and time-critical projects in professional telecommunications for more than 13 years, Team StealthMail has devised core principles enabling the development of secure and reliable communication systems.

    These principles make it possible to manage critical infrastructure facilities and coordinate personnel in situations where human lives are put on the line.

    In professional telecommunications, in addition to the principles of systems development, special attention is paid to employee education and regular training. This approach is implemented in every major intelligence service — Police, ESM, Fire Department, etc.

    The same cannot be said about the commercial sector.

    Most companies either believe that their employees already know how to use the Internet and communicate over email safely or just close their eyes, preferring to ignore the problem altogether, even though employees working for those organizations have to access, use and share confidential data all the time without getting prior education.

    Based on that knowledge and years of experience, we knew that just covering the technological part of the problem wouldn’t be sufficient, as people already get enough training and guides concerning application interfaces and services. However, they don’t get enough information about safe ways to operate within them.

    We knew that we had to do much more to reach the critically important audience, and our point was reinforced after we provided training courses, seminars and webinars to Ministers of Defense, Ministers of Finance, C-level
