Matt Radolec, Security Architect Manager at Varonis, discusses the issues around unlimited access to email, the importance of appropriate levels of protection and what needs to change to prevent further government leaks of this nature.
Email security in the civil service has come under the spotlight recently following a spate of high-level leaks that resulted in senior politicians and diplomats losing their jobs. In some of these cases, sensitive information, in the form of emails, was passed on to the press causing much embarrassment for those concerned. It has since been reported that the source of this leak was not an external threat actor, but an insider.
The most recent example involves the UK’s former ambassador to the United States, Sir Kim Darroch. Sir Kim was forced to leave his role after emails in which he was critical of US President Donald Trump made their way into the UK press. Although these emails were marked as “official – sensitive”, this was clearly no deterrent to anyone wishing to leak such information to outside parties. When data leaks can have such serious consequences – in this case leading to diplomatic tensions – high-ranking officials and business leaders have every right to question who can and does access their emails.
Too much trust, too much access
A report by Intelligent Protection International into previous sensitive UK Government leaks found that email accounts could be accessed by any number of staff. Such wide access can be attributed to various reasons, both legitimate and illegitimate.
For example, due to the large volume of correspondence they receive, and time pressures, many senior staff might allow subordinates to access, read and respond to emails on their behalf, an arrangement known as ‘delegated access’. While this might be a legitimate way to handle a burgeoning workload, delegated access assumes that anyone who has access to the account can be trusted, which is evidently not always the case.
Similarly, an IT administrator with access to email accounts on Microsoft Exchange could abuse that privilege to pry into the affairs of colleagues. In working with public and private-sector companies, I’ve encountered several of these incidents every year. One common motivation: staff snooping on their colleagues’ salary rates, in order to get a pay rise.
A real-world example would be if someone in the mailroom was opening up all the letters and packages regardless of who they were addressed to. They might read them, copy them, send them onto someone else, or even reply to them. This correspondence would then be resealed and delivered to the intended recipient, who would be none the wiser until it was too late.
Permission creep and the external threat
There is also the issue of permission creep. This is where employees, over time, are given permission to access accounts, and those permissions are not removed when they change positions or leave the organisation. Permission creep creates several access issues, particularly now that many systems are in the cloud; former users, and even past employees, can easily log on to any account they have not been removed from without raising any suspicion.
Aside from the insider threat, uncontrolled access makes life easier for external cybercriminals aiming to break into valuable executive accounts. Opportunistic threat actors often target the credentials of less security-savvy individuals with the goal of incrementally escalating their permissions until they can access more valuable accounts. However, when accounts are open to many or even all employees, privilege escalation is an easier prospect for cybercriminals.
The problem of unrestricted access to email accounts is not unique to the civil service. Many organisations have issues with over-exposed email accounts. However, if the information is to be kept confidential, this common practice must change.
A zero-trust approach
Organisations commonly use spam filters to protect them from receiving malicious emails, yet very few are successfully managing access permissions. Fortunately, there are several precautions organisations can take to prevent unauthorised people from accessing and misusing email accounts.
As a priority, an organisation needs to take a zero-trust approach. This increasingly popular cybersecurity framework means that nobody with access to the IT network, including mailboxes, should be automatically trusted.
There are three main principles to zero-trust. Firstly, all access to information on a system is authenticated and verified; this includes not only mailboxes but also files and folders. Then there is the application of the least privilege model, where access is only given to those that need it to do their jobs. Finally, all activity should be monitored and logged.
In regard to emails, the initial step is to audit who has permissions to access which accounts, particularly the more sensitive executive accounts, and remove rights from anyone that should not have them. While this is a good start, this information can become outdated very quickly, so the next logical step is to implement some form of monitoring.
IT security teams need to be continually looking for the digital warning signs, such as requests from an individual to access information that isn’t required for their role, copying sensitive files or emailing these outside the organisation. Teams should also be able to see if someone has changed the permissions of a mailbox, either unintentionally or deliberately, so that anybody can access it – a serious risk to security.
Being able to monitor mailbox behaviour is also essential. Are ‘read’ messages being marked as unread? Is there an unusual volume of emails being sent to a single address? Is the mailbox being accessed by anyone unusual or from an unusual location? Being able to answer these types of questions will help negate the risk of mailboxes being compromised.
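The warning signs listed in the two paragraphs above, checked over a small constructed audit log. This is an added example, not part of the original article; the record fields, the approved-delegate list, the location baseline and the send threshold are assumptions, not the schema of any particular mail server.

```python
from collections import Counter

# Constructed sample records; field names are assumptions for this example.
EVENTS = [
    {"mailbox": "exec", "actor": "exec", "op": "read", "country": "GB"},
    {"mailbox": "exec", "actor": "pa.jones", "op": "read", "country": "GB"},
    {"mailbox": "exec", "actor": "it.admin", "op": "read", "country": "GB"},
    {"mailbox": "exec", "actor": "it.admin", "op": "mark_unread", "country": "GB"},
    {"mailbox": "exec", "actor": "exec", "op": "read", "country": "BR"},
    {"mailbox": "exec", "actor": "it.admin", "op": "grant_access",
     "grantee": "Default", "country": "GB"},
] + [
    {"mailbox": "exec", "actor": "pa.jones", "op": "send",
     "to": "ext@mail.example", "country": "GB"}
] * 4

DELEGATES = {"exec": {"exec", "pa.jones"}}   # output of the permission audit
USUAL_COUNTRIES = {"exec": {"GB", "US"}}     # assumed location baseline
OPEN_GRANTEES = {"default", "everyone", "anonymous"}  # "anybody can access it"

def review(events, delegates, usual_countries, send_limit=3):
    """Return sorted (finding, mailbox, detail) tuples for one review window."""
    findings, sent = set(), Counter()
    for e in events:
        mbx, actor, op = e["mailbox"], e["actor"], e["op"]
        # Least privilege: only the owner and audited delegates may act.
        if actor not in delegates.get(mbx, {mbx}):
            findings.add(("unapproved_accessor", mbx, actor))
        # Access from a location outside the mailbox's baseline.
        usual = usual_countries.get(mbx)
        if usual and e.get("country") not in usual:
            findings.add(("unusual_location", mbx, e.get("country")))
        # Read messages flipped back to unread can hide that they were opened.
        if op == "mark_unread":
            findings.add(("marked_unread", mbx, actor))
        # Permission change that exposes the mailbox to everyone.
        if op == "grant_access" and e["grantee"].lower() in OPEN_GRANTEES:
            findings.add(("mailbox_opened_to_all", mbx, actor))
        if op == "send":
            sent[(mbx, e["to"])] += 1
    # Unusual volume of mail to a single address.
    for (mbx, to), n in sent.items():
        if n > send_limit:
            findings.add(("send_volume", mbx, to))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review(EVENTS, DELEGATES, USUAL_COUNTRIES):
        print(finding)
```
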
If there’s one thing the civil service must accept, it is that the days when information was kept safe based on a ‘face value’ approach to trust are gone. A zero-trust approach is needed to protect emails from falling into the wrong hands.