
Security Think Tank: Key things to consider to block malicious email attachments

What strategies should organisations follow to block malware attachments, which continue to account for two-thirds of the malware infections that result in data breaches?

There is a fundamental contradiction at the heart of current cyber security training. We tell people not to click on links or attachments, yet many employees have to do this every day as part of their jobs. Banning links and attachments is obviously a non-starter.

However, there are several methods an organisation can adopt to get round this problem.

First, focus on improving awareness. Instead of telling people who may already be overworked and stressed that they must decipher complex email addresses or links, employers should instead give them simple rules and an easy way to report their suspicions. Focus on rewards or praise to incentivise people to do this. To support this awareness, implement technology to help staff report suspicious emails and make it easy for them to use that system.

Second, it is vital to tailor your messages to your audience. For example, telling HR not to open external emails using webmail addresses probably won’t work, because most individuals contacting HR to apply for jobs, or sell products, will not be using the company’s internal email system.

At a structural level, consider how the organisation’s infrastructure can be made more robust and provide further protection. Blacklisting (not whitelisting) sender addresses known to deliver malicious attachments lets normal traffic through while stopping repeat offenders. This can be tied into reporting, too, so that addresses newly identified by staff can be added and blocked easily and quickly. Bear in mind that attackers rotate and spoof sender addresses, so a sender blacklist complements filtering on attachment type rather than replacing it.
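The following is an added example, not code from the article, of the kind of mail-gateway check described above: a sender blacklist fed by staff reports, combined with a check on the attachment's real file type. The sender addresses, domains and risky-extension list are assumptions constructed for the example; the two messages are constructed samples.

```python
import email
import email.utils
from email import policy
from pathlib import PurePosixPath

# Sender addresses that staff reports have tied to malicious attachments.
# Constructed for this example; in practice the set is fed from the reporting tool.
REPORTED_SENDERS = {"invoices@example-billing.test"}

# Attachment extensions commonly used to deliver malware (assumed local policy).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Constructed sample: a reported sender delivering a double-extension executable.
SAMPLE_REPORTED = """\
From: "Accounts Payable" <Invoices@example-billing.test>
To: hr@example.test
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""

# Constructed sample: an unknown external sender (the HR case) with an ordinary PDF.
SAMPLE_CLEAN = """\
From: Jane Applicant <jane@example-webmail.test>
To: hr@example.test
Subject: Application for analyst role
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

CV attached.
--b2
Content-Type: application/pdf; name="cv.pdf"
Content-Disposition: attachment; filename="cv.pdf"
Content-Transfer-Encoding: base64

QUJD
--b2--
"""


def sender_address(msg):
    """Bare, lower-cased address from the From header; the display name is ignored."""
    _name, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.lower()


def risky_attachments(msg):
    """Names of attachments whose final extension is on the risky list.

    Only the last suffix counts, because that is what the OS acts on:
    'invoice.pdf.exe' is an executable, whatever the middle part says.
    """
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if PurePosixPath(name.lower()).suffix in RISKY_EXTENSIONS:
            names.append(name)
    return names


def triage(raw_message, reported_senders=REPORTED_SENDERS):
    """Classify one raw RFC 5322 message as 'block', 'quarantine' or 'deliver'."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = sender_address(msg)
    risky = risky_attachments(msg)
    if sender in reported_senders:
        return "block", sender, risky        # repeat offender reported by staff
    if risky:
        return "quarantine", sender, risky   # unknown sender, dangerous file type
    return "deliver", sender, risky


if __name__ == "__main__":
    for raw in (SAMPLE_REPORTED, SAMPLE_CLEAN):
        print(triage(raw))
```

The ordering matters: a reported sender is blocked outright, an unknown sender with a risky file type is quarantined for review, and everything else is delivered, so the HR mailbox still receives CVs from webmail addresses.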

It is also important to consider application whitelisting. While it is difficult to lock down endpoints so that applications run only according to users’ roles, efforts can be made to identify trusted and untrusted – or blacklisted – applications. Greylisting, which stops unknown applications from running with administrative rights or accessing data, is also a very useful technique.

Access control is also critical. Examine privileged accounts in an organisation and the type of access and the applications and data those accounts can access. Removing local administration rights on endpoints may cause users some problems, but the inconvenience is minor compared with cleaning up after an attack.

Implementing least privilege wherever and whenever possible will reduce the risk and minimise malware’s ability to spread and access data.

Lastly, look at outbound traffic and stop access to well-known command and control or other malicious sites. This may interfere with or degrade the malware’s operation, reducing the impact of the attack even when the attachment itself got through.
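As an added example that is not from the article, the check below runs an outbound-traffic blocklist over proxy log lines. The blocked domains, the address range and the log lines are all constructed for the example. It goes slightly beyond the text in two ways a practitioner will want: it matches subdomains of a listed command-and-control domain on label boundaries (so a look-alike such as `notc2.example-bad.test` is not caught by accident), and it also matches destinations given as bare IP addresses against blocked networks.

```python
import ipaddress

# Constructed blocklist standing in for a threat-intelligence feed (assumed names).
BLOCKED_DOMAINS = {"c2.example-bad.test", "updates.example-evil.test"}
# 203.0.113.0/24 is a documentation range (TEST-NET-3), used here as a stand-in.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy log lines: timestamp, source host, destination, port, action.
SAMPLE_LOG = """\
2017-05-02T09:14:03Z ws-hr-07 www.example.test 443 ALLOW
2017-05-02T09:14:09Z ws-hr-07 beacon.c2.example-bad.test 443 ALLOW
2017-05-02T09:15:41Z ws-fin-02 203.0.113.17 8080 ALLOW
2017-05-02T09:16:02Z ws-fin-02 notc2.example-bad.test 443 ALLOW
"""


def domain_is_blocked(host):
    """True when host equals a blocked domain or is a subdomain of one.

    The suffix match is anchored on a dot, so only real subdomains match;
    a trailing dot and mixed case are normalised first.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def ip_is_blocked(host):
    """True when host is an IP address inside one of the blocked networks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address
    return any(addr in net for net in BLOCKED_NETWORKS)


def find_c2_connections(log_text):
    """Return (source, destination, port) for every log line reaching a blocked destination."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash on them
        _ts, src, dst, port, _action = fields
        if domain_is_blocked(dst) or ip_is_blocked(dst):
            hits.append((src, dst, int(port)))
    return hits


if __name__ == "__main__":
    for hit in find_c2_connections(SAMPLE_LOG):
        print("blocked destination contacted:", hit)
```

The same functions can sit in front of the proxy to deny the connection or behind it to raise an alert; either way the source host in each hit tells the responder which endpoint to look at first.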

As with almost all cyber security, the key is to adopt a multi-pronged approach, backing up the end-user with supporting technology and expertise.

This was last published in May 2017
