Recent security incidents reminded me of an important rule that often doesn't make it onto security checklists:
Separate work and personal email.
In these incidents, workers had set up forwarding rules that sent copies of their work email to personal accounts. Attackers used those rules to collect sensitive information. That is exfiltration, even when nobody intended it. Company security teams can do a lot to protect the email accounts they administer, and they can audit or block auto-forwarding to external domains, but once a message has been forwarded to an outside service it is beyond their reach.
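One check a security team can run against the accounts it administers is an audit of auto-forwarding rules that point outside the company. The script below is an added example written for this page, not code from the original post. It assumes a CSV export of rules (mail platforms expose rules through their own admin APIs, so the format is hypothetical), an assumed corporate domain of `example.com`, and constructed sample rows. It treats only the corporate domain and its subdomains as internal, so a look-alike such as `example.com.evil-mail.net` is still flagged, and it reports disabled rules separately rather than ignoring them.

```python
"""Audit mailbox auto-forwarding rules for targets outside the company.

Added example: the CSV input format is assumed; real mail platforms expose
forwarding rules through their own admin APIs.
"""
import csv
import io
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate mail domain

# Constructed sample export, not real data. One row per rule; several
# targets on one rule are separated with ';'.
SAMPLE_EXPORT = """\
mailbox,targets,enabled
alice@example.com,alice.backup@gmail.com,true
bob@example.com,bob@mail.example.com,true
carol@example.com,"Carol <carol@example.com.evil-mail.net>",true
dave@example.com,dave.home@outlook.com,false
erin@example.com,erin@sub.example.com;erin@proton.me,true
"""


def address_domain(raw):
    """Return the lowercased domain of an address such as 'Name <u@d>'."""
    _, addr = parseaddr(raw.strip())
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(raw, corp_domain=CORP_DOMAIN):
    """True only for the corporate domain or one of its subdomains.

    Plain substring or suffix matching on the bare string would accept
    'example.com.evil-mail.net' or 'notexample.com', so the comparison is
    anchored at a label boundary.
    """
    domain = address_domain(raw)
    corp = corp_domain.lower()
    return domain == corp or domain.endswith("." + corp)


def audit_forwarding(export_text, corp_domain=CORP_DOMAIN):
    """Return (active, disabled): lists of (mailbox, target) external forwards.

    Disabled rules are reported too; a rule that is switched off today can
    be switched back on by whoever controls the mailbox.
    """
    active, disabled = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        enabled = row["enabled"].strip().lower() == "true"
        for target in row["targets"].split(";"):
            target = target.strip()
            if not target or is_internal(target, corp_domain):
                continue
            _, clean = parseaddr(target)
            (active if enabled else disabled).append((row["mailbox"], clean))
    return active, disabled


if __name__ == "__main__":
    active, disabled = audit_forwarding(SAMPLE_EXPORT)
    for mailbox, target in active:
        print(f"ACTIVE external forward: {mailbox} -> {target}")
    for mailbox, target in disabled:
        print(f"disabled external forward: {mailbox} -> {target}")
```

On the sample rows this flags alice, carol and erin as active external forwards (erin's rule has one internal and one external target, and only the external one is reported) and dave's as a disabled one, while bob's forward to a corporate subdomain passes. Feeding it a real export means replacing `SAMPLE_EXPORT` with whatever your mail platform's rule export produces, in the same three columns.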
Here are (just a few) common examples of sensitive information attackers might get from email:
- Password reset links. For most accounts that aren't protected by MFA, a password reset needs nothing more than access to the registered inbox: click the link, set a new password, and the account is yours. Inboxes are the gateway to many other systems.
- Bug reports. Information sent between engineers, project managers, or other team members about flaws in your products can help attackers craft exploits.
- Upgrade notifications. An upgrade notification for any tool your company uses tells attackers which tool you run and that you are still on an older version of it. They can look up the known vulnerabilities in that version and use them in attacks.
- Personal information about workers who have privileged access. Phishing and other forms of social engineering are still common. Phishing was used in the incidents that prompted this post. The more attackers know about you, the more real they can pretend to be. They only need to fool one person who has access to production.
- Personally identifying information (PII). Customer error reports, for example. They might contain names, email addresses, postal addresses, IP addresses, etc. All it takes is one engineer pasting a database row into a message while tracking down the root cause of a problem, and there is PII in your inbox. PII is valuable to attackers (e.g. for scams), and it is also subject to regulation: sending it outside the company can cause big problems.
This applies to everyone, not just engineers. Project managers get bug reports. Customer service staff get customer error reports and any PII they contain. Upgrade notifications are often blasted out to distribution lists that include half the company. Even if you don't have an engineering role, it's still important to keep company email within the company.
Need more than just this article? I’m available to consult.