Upgrade The Security of Your Email Integration: Mitigating Common Threats
Get a better understanding of common attacks in order to better protect your email and application against them.
David Ting | April 28, 2020
By the end of 2020, the number of business and consumer emails sent and received per day will total over 257.7 billion. The central role that email plays in both professional and personal capacities makes it a tempting opportunity for unscrupulous actors. And as email is frequently an intruder’s gateway into an organization, it is a top priority for tech leaders to stay abreast of email security. In this blog post, we’ll take a look at some of the most common threats to email security and how you can protect against them.
Common Threats to Email Security
One of the most common automated attacks on email accounts is password guessing: a script tries candidate passwords against an account, either exhaustively or from a list of common and previously breached passwords, until one is accepted. Even sites that lock an account after a set number of failed logins are not immune. A lockout policy is better than none, but guessing scripts are written around it: the attacker configures the script to stop one short of the lockout threshold and wait for the failure counter to reset before continuing. For example, if the lockout threshold is five attempts and the failure counter resets after 30 minutes, an attacker can try four passwords every 31 minutes indefinitely. Staying under the threshold means the account is never actually locked, so neither the account owner nor a lockout alert is ever tripped; the policy limits the rate of guessing, not the guessing itself. The same arithmetic drives password spraying, where a handful of common passwords are tried against many accounts so that no single account approaches its threshold.
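To make the arithmetic concrete, here is a simulation added for this post (not Nylas code) of a guessing script paced against the five-attempt, 30-minute policy above, first against the lockout alone and then with a second counter keyed by the client's source address that does not reset. The password, the attacker's IP address and the pacing are constructed for illustration.

```python
"""Lockout-aware password guessing, simulated.

Added example for this article (not Nylas code). The password, the attacker's
pacing and the source IP are constructed for illustration; the lockout
parameters match the article's five-attempt / 30-minute example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5           # failures that trigger a lockout
    reset_after: int = 30 * 60   # seconds of quiet before the failure counter resets
    lockout_for: int = 30 * 60   # seconds the account stays locked


class AccountLogin:
    """Login handler with a per-account lockout counter (threshold / reset / duration)."""

    def __init__(self, password: str, policy: LockoutPolicy) -> None:
        self.password = password       # constructed; a real system stores a hash
        self.policy = policy
        self.failures = 0
        self.last_failure: Optional[int] = None
        self.locked_until = 0

    def attempt(self, now: int, guess: str) -> str:
        """Return 'ok', 'fail', 'lockout' (this attempt tripped it) or 'locked'."""
        if now < self.locked_until:
            return "locked"
        # The counter reset is exactly what a paced attacker waits for.
        if self.last_failure is not None and now - self.last_failure >= self.policy.reset_after:
            self.failures = 0
        if guess == self.password:
            self.failures = 0
            return "ok"
        self.failures += 1
        self.last_failure = now
        if self.failures >= self.policy.threshold:
            self.locked_until = now + self.policy.lockout_for
            self.failures = 0
            return "lockout"
        return "fail"


class SourceBudget:
    """Failure budget per source (e.g. client IP) over a long sliding window.
    Unlike the account counter it never resets to zero, so pacing does not help."""

    def __init__(self, max_failures: int = 20, window: int = 24 * 3600) -> None:
        self.max_failures = max_failures
        self.window = window
        self.failures: Dict[str, Deque[int]] = {}

    def allows(self, now: int, source: str) -> bool:
        q = self.failures.setdefault(source, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q) < self.max_failures

    def record_failure(self, now: int, source: str) -> None:
        self.failures.setdefault(source, deque()).append(now)


def paced_attack(policy: LockoutPolicy, budget: Optional[SourceBudget] = None,
                 hours: int = 24) -> Tuple[int, int, int]:
    """Guess (threshold - 1) passwords in a burst, wait out the reset timer, repeat.
    Returns (guesses the server checked, lockouts tripped, guesses refused by the budget)."""
    login = AccountLogin("correct horse battery staple", policy)  # constructed secret
    source = "203.0.113.7"                                        # documentation-range IP
    burst = policy.threshold - 1
    wait = policy.reset_after + 60   # a minute of margin after the burst's last failure
    checked = lockouts = refused = 0
    now, n, end = 0, 0, hours * 3600
    while now < end:
        for i in range(burst):
            t = now + i
            if t >= end:
                break
            if budget is not None and not budget.allows(t, source):
                refused += 1
                continue
            result = login.attempt(t, f"guess-{n}")
            n += 1
            if result in ("fail", "lockout"):
                checked += 1
            if result == "lockout":
                lockouts += 1
            if result != "ok" and budget is not None:
                budget.record_failure(t, source)
        now += (burst - 1) + wait   # next burst starts once the account counter has reset
    return checked, lockouts, refused


if __name__ == "__main__":
    policy = LockoutPolicy()
    print("lockout only:    ", paced_attack(policy))                  # (188, 0, 0)
    print("lockout + budget:", paced_attack(policy, SourceBudget()))  # (20, 0, 168)
```

Run stand-alone it reports that against the lockout alone the script gets 188 guesses checked in a day and never trips a lockout. With the per-source budget the same script gets 20 guesses checked and the remaining 168 refused, because the budget counts failures across the whole day instead of resetting after 30 minutes. A botnet spreads guesses across many source addresses, so in practice a source budget is combined with the account counter and with the WAF-level measures discussed later in this post; the general lesson is that any counter that simply resets helps the attacker, and what stops pacing is a counter that decays slowly or not at all.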
SQL injection is another common attack on applications that front email. It occurs wherever user input, such as a username, e-mail address or search term, is spliced into a SQL statement as text instead of being passed as a parameter. A malicious actor supplies input containing SQL syntax (a closing quote, a comment marker, a UNION clause), and the database runs the rewritten statement, which can bypass the login check entirely or read other users' data. Hashing the password before the query does not help if any other field is still concatenated into the statement; the fix is to use parameterized queries (prepared statements) for every statement that includes user input.
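The two statements side by side, as an added example (not Nylas code) using an in-memory sqlite3 table with two constructed accounts; the SHA-256 hash is a stand-in for a real password hash, and the payloads shown are the classic login bypass and a UNION read of the hash column.

```python
"""SQL injection through a login form, vulnerable and parameterized side by side.

Added example for this article, not Nylas code. The users table, the accounts
and the password hashing are constructed for illustration; sqlite3 stands in
for the application's database.
"""
import hashlib
import sqlite3
from typing import List, Tuple


def pw_hash(password: str) -> str:
    # Toy hash so the example is self-contained; use bcrypt/scrypt/argon2 in production.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed users table with two accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)")
    db.executemany(
        "INSERT INTO users (email, pw_hash) VALUES (?, ?)",
        [("alice@example.com", pw_hash("alice-pass")), ("bob@example.com", pw_hash("bob-pass"))],
    )
    return db


def vulnerable_login(db: sqlite3.Connection, email: str, password: str) -> List[Tuple[int, str]]:
    """Builds the statement by string formatting. Hashing the password does not help:
    the e-mail field is spliced into the SQL verbatim, so a quote and a comment marker
    in it rewrite the query. Returns the matching (id, email) rows."""
    query = ("SELECT id, email FROM users WHERE email = '%s' AND pw_hash = '%s'"
             % (email, pw_hash(password)))
    return db.execute(query).fetchall()


def safe_login(db: sqlite3.Connection, email: str, password: str) -> List[Tuple[int, str]]:
    """Parameterized query: the driver sends the values separately from the statement,
    so the input can only ever be compared as data, never parsed as SQL."""
    return db.execute(
        "SELECT id, email FROM users WHERE email = ? AND pw_hash = ?",
        (email, pw_hash(password)),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # 1. Authentication bypass: close the string, comment out the password check.
    print(vulnerable_login(db, "bob@example.com' --", "wrong"))   # [(2, 'bob@example.com')]
    print(safe_login(db, "bob@example.com' --", "wrong"))         # []
    # 2. Data exfiltration: a UNION pulls every password hash out through the email column.
    print(vulnerable_login(db, "x' UNION SELECT id, pw_hash FROM users --", ""))
    # 3. The parameterized version still works for a real user.
    print(safe_login(db, "alice@example.com", "alice-pass"))      # [(1, 'alice@example.com')]
```

The first payload logs in as Bob without his password; the second returns every stored hash, which is the start of a data breach rather than a single-account compromise. The parameterized version returns no rows for either payload because the whole string, quote and comment marker included, is compared as an e-mail address.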
A distributed denial-of-service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from many sources at once. DDoS attacks can target several different layers of the Open Systems Interconnection (OSI) model, the conceptual framework that breaks network communication down into abstraction layers, from the network and transport layers that carry packets up to the application layer that carries HTTP. Let's take a look at two of the most common kinds.
DDoS Attacks at the Application Layer
The application layer (layer 7 in the OSI model) is where application protocols such as HTTP, SMTP and IMAP operate; an HTTP request to a web server or a login to a webmail client is a layer 7 operation. Making such a request, whether navigating to a homepage or submitting a login form, costs the client very little. Answering it costs the server far more: it has to parse the request, query a database for the requested data and render a response, and for a login it must also verify the password, which with a deliberately slow password hash such as bcrypt is expensive by design. This asymmetry is what attackers exploit. When thousands of bots each send a steady stream of cheap, well-formed requests, the server exhausts its CPU, database connections or worker threads and stops answering legitimate users, even though the total bandwidth involved is small. Because each request looks like a real one, layer 7 floods are also the hardest to filter.
DDoS Attacks at the Network Layer: DNS Amplification
DNS amplification attacks take advantage of three things:
- DNS queries are normally carried over UDP, which has no handshake, so the source address on a query can be forged. The attacker writes the victim's address into each query, and the resolver sends its answer to the victim instead of to the attacker.
- Open DNS resolvers answer queries from anyone on the Internet, not just their own users.
- A DNS response is much larger than the query that produced it. A query of a few dozen bytes for a record type with a large answer (historically ANY, with EDNS0 signalling that the client accepts large UDP responses) can return several kilobytes, so each byte the attacker sends arrives at the victim as tens of bytes.
The attacker drives a botnet, each bot sending such spoofed queries to many open resolvers. The victim sees a flood of large responses from thousands of legitimate DNS servers rather than from the bots themselves, which makes the traffic hard to trace to its source, and the volume saturates the victim's network links, denying service to intended users.
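Added example for this post (not Nylas code) showing both ends of the attack: the wire format of the small query an attacker reflects, and a check over constructed flow records that picks out a host receiving DNS answers from resolvers it never queried. Names, addresses and sizes are constructed; the 3,000-byte response used in the amplification figure is an assumed size for a large ANY answer, and nothing here sends traffic.

```python
"""DNS amplification: what the small query looks like on the wire, and how the
reflected responses look at the victim's network border.

Added example for this article, not Nylas code. The domain, resolver and victim
addresses and the flow records are constructed for illustration; nothing here
sends traffic.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

QTYPE_ANY = 255
EDNS_UDP_SIZE = 4096   # the OPT record tells the resolver the client accepts big UDP answers


def build_any_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a DNS ANY query with an EDNS0 OPT record (RFC 1035 / RFC 6891 wire format)."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE_ANY, 1)          # QTYPE=ANY, QCLASS=IN
    # OPT pseudo-record: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_UDP_SIZE, 0, 0)
    return header + question + opt


def amplification_factor(query: bytes, response_len: int) -> float:
    """Bytes delivered to the victim per byte the attacker sends, counting the
    28 bytes of IPv4 + UDP headers carried by each datagram."""
    return (response_len + 28) / (len(query) + 28)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    size: int      # bytes in the flow


def find_reflected_dns(flows: List[Flow], min_sources: int = 5,
                       min_bytes: int = 10_000) -> Dict[str, Tuple[int, int]]:
    """Flag hosts receiving DNS responses from resolvers they never queried.
    Returns {victim: (number of unsolicited resolvers, bytes received from them)}."""
    asked = {(f.src, f.dst) for f in flows if f.dport == 53}         # (client, resolver) pairs
    inbound: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.sport == 53 and (f.dst, f.src) not in asked:
            inbound[f.dst][f.src] += f.size
    return {
        victim: (len(by_src), sum(by_src.values()))
        for victim, by_src in inbound.items()
        if len(by_src) >= min_sources and sum(by_src.values()) >= min_bytes
    }


# Constructed flow records as a border device might export them.
CONSTRUCTED_FLOWS = (
    # A legitimate lookup: the mail server queries its resolver and gets one answer back.
    [Flow("10.0.0.5", 51000, "192.0.2.53", 53, 70), Flow("192.0.2.53", 53, "10.0.0.5", 51000, 180)]
    # Reflected traffic: eight open resolvers answer queries the victim never sent.
    + [Flow(f"198.51.100.{i}", 53, "10.0.0.9", 40000 + i, 3400) for i in range(1, 9)]
)


if __name__ == "__main__":
    q = build_any_query("example.com")
    print(len(q), "byte query;", f"{amplification_factor(q, 3000):.1f}x amplification "
          "for an assumed 3000-byte answer")
    print(find_reflected_dns(CONSTRUCTED_FLOWS))   # {'10.0.0.9': (8, 27200)}
```

The query for example.com is 40 bytes of DNS payload, so an assumed 3,000-byte answer gives roughly a 45x amplification once headers are counted. The detector is the victim-side view: legitimate resolution shows a matching outbound query for every inbound answer, while the reflected flood shows answers from many resolvers with no query behind them. Modern resolvers limit or refuse ANY and apply response rate limiting, and networks that filter spoofed source addresses (BCP 38) remove the precondition entirely, which is why closing open resolvers and deploying egress filtering are the standard upstream mitigations.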
There are many more types of DDoS attack, including SYN floods, which exploit the TCP three-way handshake by leaving large numbers of half-open connections on the target; what they all have in common is that the attacker works to exhaust some resource of the target, whether bandwidth, connection tables, CPU or worker threads, in order to disrupt an application or web service or take an entire business offline.
When it comes to email, these threats are of particular concern because an attack on email may aim at a targeted breach of a specific account, or may use that account as the pathway to a larger breach within the organization, since a compromised mailbox typically receives the password-reset links for other services.
How You Can Protect Against DDoS Attacks
Successfully mitigating application-layer DDoS attacks requires you to distinguish real traffic from humans from traffic generated by bots and hijacked browsers. As you've undoubtedly experienced first-hand, one of the most common measures is the CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart"), though it only applies where a human is expected at the keyboard, such as a login or signup form, and not to API traffic. There are other ways to safeguard against such attacks.
WAF as a DDoS Mitigation Tool
A Web Application Firewall (WAF) is a defense that operates at the application layer of the OSI model: placed between the Internet and your servers, it inspects each HTTP request before forwarding it, and by monitoring and filtering requests it can block SQL injection payloads and other scripted attacks as well as application-layer DDoS traffic. One effective approach is a set of custom rules that identify attack traffic (payload signatures, suspicious user agents, abnormal request patterns) so that a response can be applied quickly. A typical response is rate limiting, which caps the number of requests a client may make in a given period and rejects the excess whenever suspicious activity is detected.
A WAF can also fingerprint clients to gauge whether a user is malicious. Legitimate users tend to move through an application in consistent ways (the order of pages, the timing between them, the assets a browser loads along the way), so a fingerprint built from that behaviour lets the WAF separate bots and hijacked browsers, which behave differently, from real users.
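Added example for this post (not Nylas or Cloudflare code) of the two mechanisms described in the rules and rate-limiting paragraph above: signature rules applied to each request, and a per-client token bucket for rate limiting, run over a constructed access log. The rule patterns, log format and bucket parameters are assumptions chosen for illustration; a real WAF ships far larger rule sets and tunes limits per route.

```python
"""A minimal WAF-style filter: signature rules plus per-client token-bucket rate
limiting, run over constructed access-log lines.

Added example for this article, not Nylas or Cloudflare code. The log format,
the rules and the bucket parameters are constructed for illustration.
"""
import re
from collections import namedtuple
from typing import Dict, List
from urllib.parse import unquote_plus

Request = namedtuple("Request", "ts ip method path")

# Signatures applied to the URL-decoded path and query string. Deliberately narrow:
# broad patterns block legitimate users, which is its own denial of service.
RULES = {
    "sqli-comment": re.compile(r"'\s*(--|#|/\*)"),
    "sqli-union": re.compile(r"(?i)union\s+(all\s+)?select\b"),
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?\d+'?\s*=\s*'?\d+"),
}


class TokenBucket:
    """Each client starts with `capacity` tokens, spends one per request,
    and earns `rate` tokens per second back, never exceeding `capacity`."""

    def __init__(self, capacity: float, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.tokens: Dict[str, float] = {}
        self.last: Dict[str, float] = {}

    def take(self, ip: str, now: float) -> bool:
        refilled = self.tokens.get(ip, self.capacity) + (now - self.last.get(ip, now)) * self.rate
        tokens = min(self.capacity, refilled)
        self.last[ip] = now
        if tokens < 1:
            self.tokens[ip] = tokens
            return False
        self.tokens[ip] = tokens - 1
        return True


def parse_line(line: str) -> Request:
    # Constructed log format: "<unix-ts> <client-ip> <METHOD> <path-with-query>"
    ts, ip, method, path = line.split(" ", 3)
    return Request(float(ts), ip, method, path)


def filter_requests(lines: List[str], bucket: TokenBucket) -> List[str]:
    """Return one verdict per line: 'allow', 'block:<rule>' or 'rate-limit'.
    Rules run first, so a blocked request does not spend the client's tokens."""
    verdicts = []
    for line in lines:
        req = parse_line(line)
        decoded = unquote_plus(req.path)
        hit = next((name for name, rx in RULES.items() if rx.search(decoded)), None)
        if hit:
            verdicts.append(f"block:{hit}")
        elif not bucket.take(req.ip, req.ts):
            verdicts.append("rate-limit")
        else:
            verdicts.append("allow")
    return verdicts


# Constructed log: a normal user, one injection attempt of each kind, then a login flood.
CONSTRUCTED_LOG = [
    "1000.0 10.0.0.5 GET /inbox",
    "1000.5 10.0.0.5 POST /login",
    "1001.0 203.0.113.7 POST /login?email=bob%40example.com%27+--",
    "1001.2 203.0.113.7 GET /search?q=x%27+UNION+SELECT+id%2Cpw_hash+FROM+users--",
] + [f"{1002 + i * 0.01:.2f} 198.51.100.4 POST /login" for i in range(12)]


if __name__ == "__main__":
    for line, verdict in zip(CONSTRUCTED_LOG, filter_requests(CONSTRUCTED_LOG, TokenBucket(5, 1.0))):
        print(f"{verdict:22} {line}")
```

With a bucket of five tokens refilling at one per second, the flooding client gets its first five login attempts through and the next seven are rate limited, while the two injection payloads are blocked by signature before they reach the application. The narrow patterns and the bucket parameters are the tuning points: a pattern that fires on any apostrophe blocks real users' search terms, and a bucket sized for a browser throttles a legitimate API client, so limits are set per route and per client class. Signature rules catch known payloads; the rate limit is what actually blunts a layer 7 flood, because a flood consists of requests that individually match no rule.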
With the central role that email plays in businesses, the need for vigilant security practices is paramount. At Nylas, where security is our top priority, we invested in DDoS mitigation by joining up with Cloudflare, a CDN that provides a Web Application Firewall that allows for custom rules to detect malicious users and draws upon its expansive network to analyze behavior to filter out more sophisticated attacks.
Protecting your application against scripted attacks, SQL injection and DDoS attacks can be an overwhelming consideration, but with Nylas, you can have peace of mind that we have measures in place to keep you online and your customers’ data safe. Learn more about how Nylas handles security here, or if you’re ready to dive in and use our suite of email & scheduling APIs, you can create an account here.