
Security Think Tank: Key things to consider to block malicious email attachments

What strategies should organisations follow to block malware attachments, which continue to account for two-thirds of the malware infections that result in data breaches?

There is a fundamental contradiction at the heart of current cyber security training. We tell people not to click on links or attachments, yet many employees have to do this every day as part of their jobs. Banning links and attachments is obviously a non-starter.

However, there are several methods an organisation can adopt to get round this problem.

First, focus on improving awareness. Instead of telling people who may already be overworked and stressed that they must decipher complex email addresses or links, give them a few simple rules and an easy way to report their suspicions, and use praise or rewards to encourage people to report. Back this up with technology: a reporting mechanism that staff can use in a click or two, so that reporting is never harder than simply opening the attachment.

Second, it is vital to tailor your messages to your audience. For example, telling HR not to open external emails from webmail addresses probably won’t work, because most people contacting HR to apply for jobs or to sell products will not be using a corporate email system.

At a structural level, consider how the organisation’s infrastructure can be made more robust and provide further protection. Sender blacklisting (allowing email through by default, but blocking addresses known to deliver malicious attachments) helps manage email traffic, and it ties naturally into reporting: an address reported by staff can be added to the blacklist and blocked quickly and easily. Because the From address is trivial to forge, such a list works best alongside checks on the envelope sender and on the attachment itself, for example blocking executable file types outright.
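To make that reporting loop concrete, here is an added Python example (not code from the article or from any product it mentions) of an inbound-mail triage function: it blocks senders that staff have reported, rejects attachment types that should never arrive from outside, routes macro-enabled Office files to a sandbox and looks inside ZIP archives, including refusing encrypted members it cannot scan. The extension lists, the sender blocklist, the addresses and the sample messages are all constructed assumptions for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from pathlib import PurePosixPath

# Attachment types that should never arrive from outside the organisation.
# These lists are assumptions for the example; tune them to your estate.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                      ".jar", ".lnk", ".ps1", ".bat", ".cmd", ".iso"}
# Macro-enabled Office formats: deliver only after detonation in a sandbox.
SANDBOX_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm"}


class SenderBlocklist:
    """Sender addresses reported by staff.  report() is the feedback loop:
    the reporting tool calls it and the next mail from that sender is blocked."""

    def __init__(self, initial=()):
        self._addrs = {a.strip().lower() for a in initial}

    def report(self, address):
        self._addrs.add(address.strip().lower())

    def contains(self, address):
        return address.strip().lower() in self._addrs


def _extension(filename):
    # Only the final suffix counts, so "cv.pdf.exe" is treated as .exe.
    return PurePosixPath(filename.strip()).suffix.lower()


def _inspect_archive(data, name):
    """Look inside a ZIP.  Encrypted members cannot be scanned, so they are
    blocked rather than waved through; a corrupt archive is blocked too."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # general-purpose bit 0: encrypted
                    findings.append(("block", f"{name}: encrypted member {info.filename}"))
                elif _extension(info.filename) in BLOCKED_EXTENSIONS:
                    findings.append(("block", f"{name}: contains {info.filename}"))
    except zipfile.BadZipFile:
        findings.append(("block", f"{name}: not a readable ZIP archive"))
    return findings


def triage(raw, blocklist):
    """Return a list of (action, reason) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # From: is trivially spoofed.  In production also compare the envelope
    # sender (Return-Path) and the DMARC result; From: alone keeps this short.
    _, sender = parseaddr(msg.get("From", ""))
    findings = []
    if blocklist.contains(sender):
        findings.append(("block", f"sender {sender} was reported by staff"))
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        ext = _extension(name)
        if ext in BLOCKED_EXTENSIONS:
            findings.append(("block", f"{name}: blocked type {ext}"))
        elif ext in SANDBOX_EXTENSIONS:
            findings.append(("sandbox", f"{name}: macro-enabled document"))
        elif ext == ".zip":
            findings.extend(_inspect_archive(part.get_payload(decode=True), name))
    return findings


def decision(findings):
    """Collapse findings to one action; any block outranks a sandbox verdict."""
    actions = {action for action, _ in findings}
    if "block" in actions:
        return "block"
    if "sandbox" in actions:
        return "sandbox"
    return "deliver"


def build_message(sender, attachments):
    """Construct a sample MIME message for the example (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "hr@example.com"
    msg["Subject"] = "Job application"
    msg.set_content("Please see attached.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zip_bytes(members):
    # Build an in-memory ZIP from (name, data) pairs; sample data only.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    blocklist = SenderBlocklist(["known-bad@example.net"])
    cv = build_message("applicant@webmail.example", [("cv.pdf", b"%PDF-1.4")])
    dropper = build_message("applicant@webmail.example",
                            [("cv.pdf.exe", b"MZ"),
                             ("docs.zip", zip_bytes([("run.js", b"x")]))])
    print(decision(triage(cv, blocklist)))         # deliver
    print(decision(triage(dropper, blocklist)))    # block
    blocklist.report("applicant@webmail.example")  # staff hit "report"
    print(decision(triage(cv, blocklist)))         # block: sender now listed
```

The point of the last three lines is the HR case from the article: the CV from a webmail address is delivered on day one, but once a colleague reports that sender the very same message is blocked, with no analyst in the loop. Type checks look only at the final suffix, so the classic double-extension dropper is caught, and an archive that cannot be inspected is treated as hostile rather than as unknown.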

It is also important to consider application whitelisting. While it is difficult to lock down endpoints so that only the applications appropriate to a user’s role can run, efforts can be made to identify trusted and untrusted – or blacklisted – applications. Greylisting, which stops unknown applications from running with administrative rights or accessing data until they have been vetted, is also a very useful technique.

Access control is also critical. Examine the organisation’s privileged accounts: what level of access they hold, and which applications and data they can reach. Removing local administration rights on endpoints may cause users some problems, but the inconvenience is minor compared with cleaning up after an attack.

Implementing least privilege wherever and whenever possible will reduce the risk and minimise malware’s ability to spread and access data.

Lastly, look at outbound traffic and block access to well-known command and control servers and other malicious sites. This will not remove malware that has already run, but it may interfere with or degrade its operation, reducing the impact of the attack and giving incident responders a signal to act on.
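The outbound side, as an added Python example that is not from the article: it runs over a handful of constructed proxy log lines (the log format, client addresses and the C2 domain list are assumptions for the example), flags destinations that match a listed C2 domain or any subdomain of it, direct-to-IP connections that sidestep DNS controls, and clients that call the same host at a fixed interval, then renders the results as Squid ACL lines of the form `acl NAME dstdomain HOST` / `http_access deny NAME`. The periodicity check is the part that goes beyond the blocklist: it catches beaconing to a server that no feed has listed yet.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Constructed proxy log lines for the example (not real traffic).  Format
# assumed: "<iso timestamp> <client ip> <dest host>:<port> <proxy action>".
SAMPLE_LOG = """\
2017-05-10T09:00:00 10.0.0.5 www.example.com:443 allow
2017-05-10T09:00:00 10.0.0.7 203.0.113.9:443 allow
2017-05-10T09:01:00 10.0.0.7 203.0.113.9:443 allow
2017-05-10T09:01:37 10.0.0.5 cdn.example.com:443 allow
2017-05-10T09:02:00 10.0.0.7 203.0.113.9:443 allow
2017-05-10T09:03:00 10.0.0.7 203.0.113.9:443 allow
2017-05-10T09:04:00 10.0.0.7 203.0.113.9:443 allow
2017-05-10T09:05:12 10.0.0.5 api.bad-c2.example:80 allow
2017-05-10T09:09:48 10.0.0.5 www.example.com:443 allow
"""

# Stand-in for a threat-intelligence feed of known C2 domains (assumption).
C2_DOMAINS = {"bad-c2.example"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>[^:\s]+):(?P<port>\d+) (?P<action>\w+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["port"] = int(rec["port"])
    return rec


def listed_parent(host, blocklist):
    """Return the listed domain that host equals or sits under, else None,
    so a feed entry for bad-c2.example also covers api.bad-c2.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def is_periodic(times, min_hits=4, max_jitter=0.15):
    """True if every gap between connections is within max_jitter of the mean
    gap: the fixed-interval beaconing typical of a C2 implant."""
    if len(times) < min_hits:
        return False
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False
    return max(abs(g - mean) for g in gaps) / mean <= max_jitter


def analyse(lines, blocklist):
    """Return a list of (client, host, reason) for suspicious outbound flows."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[(rec["client"], rec["host"])].append(rec["ts"])
    findings = []
    for (client, host), times in seen.items():
        hit = listed_parent(host, blocklist)
        if hit:
            findings.append((client, host, f"matches listed C2 domain {hit}"))
        if is_ip_literal(host):
            findings.append((client, host, "direct-to-IP connection bypasses DNS-based controls"))
        if is_periodic(times):
            findings.append((client, host, f"{len(times)} connections at a fixed interval (beaconing)"))
    return findings


def squid_deny_acl(findings, name="c2_block"):
    """Render findings as Squid ACL lines: dst for IP literals, dstdomain otherwise."""
    lines = []
    for host in sorted({h for _, h, _ in findings}):
        acl_type = "dst" if is_ip_literal(host) else "dstdomain"
        lines.append(f"acl {name} {acl_type} {host}")
    lines.append(f"http_access deny {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG.splitlines(), C2_DOMAINS)
    for client, host, reason in found:
        print(f"{client} -> {host}: {reason}")
    print(squid_deny_acl(found))
```

On the sample data the host 10.0.0.7 is flagged twice (IP literal, 60-second beacon) and 10.0.0.5 once (subdomain of a listed C2 domain); ordinary browsing to www.example.com produces nothing. Treat the generated ACL as a starting point: in Squid a leading dot (`dstdomain .bad-c2.example`) matches every subdomain, and the findings list should go to the incident response queue as well as the proxy, since, as the article says, blocking the channel degrades the malware but does not remove it.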

As with almost all cyber security, the key is to adopt a multi-pronged approach, backing up the end-user with supporting technology and expertise.

This was last published in May 2017
