Email security: guarding against the expected

By Euan Henderson

Cyber Security Apprentice

In order to secure an organisation’s emails, TLS should be enabled as best practice.

TLS stands for Transport Layer Security and is a security protocol that encrypts and authenticates data between services/applications and the end users.

TLS v1.1 is not considered safe, so ensure that you use v1.2 wherever possible.

When emails are transferred over untrusted networks, their integrity (to ensure that data has not been modified in an improper or unauthorised manner)  and confidentiality (to ensure that only the individuals, entities or processes that actually require access to the information are able to do so) need to be protected.

NCSC recommends a number of ways to achieve this.

  • configure all email servers, whether they are accessed via internet or private networks, to support TLS.
  • ensure email servers present a certificate with the correct cryptographic properties and that it is signed by a known certificate authority.

Email servers can be configured to prefer good cryptographic profiles, while also allowing support of lesser cryptographic profiles.

NCSC also recommends that email services are configured for TLS between organisations that communicate frequently.

Whilst there are other controls that can be used to encrypt individual emails using protocols (such as PGP), it is not always practical for both the sender and the recipient to have the right infrastructure in place.

For this reason, it is recommended that email servers are configured to support encryption regardless of whether or not the individual email messages are encrypted.

TLS can be enforced to ensure that a secure Simple Mail Transfer Protocol (SMTP) connection is established. If the parties regularly communicate, connections can be configured to force activation of TLS authenticate certificates.

This is more secure than the standard STARTTLS technique which can be susceptible to a downgrade attack by a ‘man in the middle’ sitting between the communicating parties.

It is important to note that the TLS method does not protect against untrained staff sending unencrypted documents to the wrong recipient – as it can be read by whoever receives it. In some circumstances it is still prudent to encrypt emails using shared or public key encryption.

This is the first of a two-part Blog on this subject and is based on an original Blog by NCSC.

For More information regarding the configuration and implementation of TLS please use the NCSC link below.

https://www.ncsc.gov.uk/guidance/email-security-and-anti-spoofing