Cybersecurity Practice #1: E-mail Protection Systems

According to the 2017 Verizon Data Breach Report, “Weak or stolen passwords were responsible for 80% of the hacking related breaches”.1 The report further identifies phishing attacks (a type of hacking attack) as the most common first point of unauthorized entry into an organization. After monitoring 1,400 customers and 40 million simulated phishing campaigns, the PhishMe 2017 Enterprise Resiliency and Defense Report concluded that the average susceptibility of users within an organization falling prey to a phishing attack is 10.8 percent.2

Though other areas of significant threat exist, including in the web application space, the effectiveness of phishing attacks allows attackers to bypass most perimeter detections by “piggy backing” on legitimate workforce users. If an attacker obtains an employee’s password via phishing, and if that employee has remote access to the organization’s IT assets, the attacker has made significant progress toward penetrating the organization. The two most common phishing methods are credential theft (leveraging e-mail to conduct a credential harvesting attack on the organization) and malware dropper attacks (e-mail delivery of malware that can compromise endpoints). An organization’s cybersecurity practices must address these two attack vectors. Because both attack types leverage e-mail, e-mail systems should be the focus for additional security controls.

Cybersecurity Practice 1: E-mail Protection Systems

Data that may be affected: Passwords, PHI

Medium Sub-Practices:
1.M.A Basic E-mail Protection Controls
1.M.B MFA for Remote Access
1.M.C E-mail Encryption
1.M.D Workforce Education

Large Sub-Practices:
1.L.A Advanced and Next Generation Tooling
1.L.B Digital Signatures
1.L.C Analytics Driven Education

Key Mitigated Risks:
E-mail Phishing Attacks
Ransomware Attacks
Insider, Accidental or Intentional Data Loss

1. Tin Zaw, “2017 Verizon Data Breach Investigations Report (DBIR) from the Perspective of Exterior Security Perimeter,” Verizon Digital Media Service, last modified July 26, 2017, https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/.
2. Ian Murphy, “How Susceptible Are You to Enterprise Phishing?” Enterprise Times, last modified December 1, 2017, https://www.enterprisetimes.co.uk/2017/12/01/susceptible-enterprise-phishing/.
