While you try to lock down your windows, your door could be wide open.
Many of my friends ask me if I get bored
writing about encryption day-after-day. Well, this question is quite
understandable as they think of encryption as some boring, nerdy topic. It
might look lifeless on paper, but it’s actually full of new developments,
debates, allegations, and controversies. In the last week or so, we’ve
witnessed all of it. Yes, I’m talking about the controversy around Zoom, the
popular videoconference app.
But while Zoom’s security holes dominate
the headlines, there’s an elephant in the room: millions of unencrypted emails
are sent every day, many with sensitive data inside. So, what are the security
risks with Zoom, and could the lack of email encryption be an even bigger risk?
Let’s hash it out.
Zoom’s Not-So-Secure Encryption
After a report by Bill Marczak and John Scott-Railton revealing a few Zoom security vulnerabilities came out on April 3rd, it’s become quite a hot topic–it’s quite likely that you’ve heard about it even if you don’t follow cybersecurity news closely. The security researchers discovered several critical security issues in Zoom, and all of the problems are related to encryption – one way or the other, including:
- Insecure encryption mode
- Encryption keys routed through
servers in China
All of this has come at the time when people are working remotely, and they’re using video conference platforms like Zoom more than ever before. Thanks to these revelations made against Zoom, giants such as Google and Space-X have already banned the use of Zoom. This has had its ripple effects, and many small and medium organizations, too, have stopped using Zoom.
This security awareness is definitely a good thing, but it has irony written all over it.
Irony: Concerned About Zoom but Not Email Encryption
Thanks to the scary headlines and the
current pandemic the world is going through, this news about Zoom has reached
far and wide. (And that’s a good thing—we’re always excited to see increased
security awareness!) As a result, even ordinary users have started looking for more
secure alternatives. But unfortunately, many of the people (rightly) concerned
about Zoom don’t encrypt their emails despite that the fact that many emails contain
much more sensitive information compared to video conferences.
Wait, Emails Aren’t Encrypted?
Now you might ask: aren’t emails encrypted by default? Well, they are, and they aren’t. According to Google’s Transparency report, 90% of outbound & 93% of inbound emails recorded by Google are encrypted by installing SSL/TLS certificates on the web servers. There are some concerns regarding Google’s methods of recording the data, but let’s assume the real number is around 90-95%, which is undoubtedly a good thing.
However, encrypting email transmission is just one part of the email encryption story. The other part, which many organizations with private servers ignore, is encrypting emails at rest. So when emails are resting on your email server without encryption, they are being stored there in plaintext. So, if a hacker breaches your server they can extract your sensitive information such as organizational information, financial information, research, etc. If you recall the Hillary Clinton email controversy, that’s part of what happened there.
Encrypting email transmission is good, but it doesn’t encrypt the email itself. The email remains completely vulnerable to hackers when it’s sitting on the server.
Why Email Security Should be on Your Top Priority List
Email might be one of the oldest modes of
virtual communication, but it’s still the most preferred method when it comes
to business communication. Around 293
million emails are sent every day, and it’s been found that 86% of business
professionals prefer using emails when they communicate for business purposes. So
it’s no surprise that emails are the foremost way hackers like to breach the
security of an organization. Here are some email security statistics that show
why you should take email security at least as seriously as you do Zoom,
Facebook or WhatsApp security:
- According to Verizon
2018 Data Breach Investigations Report, 92.4% of malware is delivered via
- The latest email trends report by Barracuda
shows that, on average, more than four-fifths (82%) of organizations claim to
have faced an attempted email-based security threat in the past year.
- 66% of organizations claim
that attacks have had a direct monetary cost on their organization in the last
year. Nearly a quarter of them have reported damage of these attacks to be
$100,000 or more.
These statistics are just the tip of the
iceberg. Email attacks are a double-edged sword—hackers often attack via email,
and emails are often the target they’re trying to steal as well. Ask anyone who
has suffered an email attack, and you’ll know why it’s such a big deal.
Most email servers won’t be filled with
government secrets that could trigger international diplomatic incidents, but
most company email servers do have more than enough passwords, employee data,
and customer data for a hacker to wreak havoc with—that’s why email encryption
is so important.
S/MIME Certificates: A Wall to Protect Your Emails
When you’re storing every email
conversation on your server in plaintext, you’re basically sending an
invitation to an attacker to attack your emails. There are lots of ways hackers
get their hands on emails–they could get your emails by taking control of your
server, by infecting your server with malware, by fooling one of your employees
through phishing, by attacking the recipients of your emails, etc. Not only could
they steal your emails, they could tamper with your emails if you haven’t
protected them. You might not be able to stop all these attacks, but one thing you
can do is store these emails in an encrypted form so that even if they’re stolen,
they remain undecipherable, thereby increasing overall security and protecting
your organization’s privacy.
That’s where S/MIME (Secure/Multipurpose
Internet Mail Extensions) certificates come in. These certificates work vie the
S/MIME protocol to increase email security.
An S/MIME certificate…
- Facilitates email
authentication by showing the verified sender of the email. Therefore, an
S/MIME certificate makes sure that both the parties — recipient and sender —
know who they’re communicating with.
- End-to-end encrypts the emails (including
while stored on email servers) so that no unauthorized 3rd-party can
see or tamper with your emails.
In simple words, an S/MIME certificate builds a wall around your emails that hackers will find challenging to cross. Want to start protecting your emails? Here’s everything you need to know about S/MIME certificates, or you can get your certificate(s) right on our website:
Sometimes, there’s so much buzz surrounding
one specific topic that we forget to look at the bigger picture. That’s exactly
what happens whenever a controversy surrounding encryption on platforms such as
Zoom, Facebook, WhatsApp, etc. comes up. I’m 100% in support of improving
security on these platforms, but let’s not forget to also secure our emails,
which are probably a much bigger vulnerability for the typical organization.
There’s no point in locking down your windows while keeping the door open.
*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Jay Thakkar. Read the original post at: https://www.thesslstore.com/blog/zoom-encryption-whatsapp-encryption-wait-lets-not-forget-about-email-encryption/