Editors' pick: Originally published July 28.
The breach of the Democratic National Committee's email by the website Wikileaks published a trove of over 20,000 emails. It reminds us of the urgency of concerns surrounding cyber security.
"No email that you've ever written is ever deleted. There's always a copy out there," says Stephen Ward, a vice president with Pinkerton, an expert in risk management and security who specializes (among other things) in electronic security. "So you should always use that common sense approach: If this is something that's groundbreaking for my company or it could change the world, should I send that in an email? Probably not."
One of the biggest problems with cyber theft, he explained, is the online data can't be destroyed. Once a user's secrets are released, they're gone.
Ask any security expert and he or she tell you email's single biggest point of vulnerability is its open platform.
"Email is the most popular tool for spreading malware, compromising organizations, or stealing personal information," said James Scott, a Senior Fellow with the Institute for Critical Infrastructure Technology. "A single compromised email account can be used to map the organization through mailing lists, to compile client lists and profiles through established correspondence, to accumulate sensitive information, and to target and compromise other user accounts."
The guts of this system have remained largely unchanged since the 1970s. While clients and interfaces have gotten more complex, the basic email architecture remains swapping plain text files.
According to Amir Husain, CEO if cyber security firm SparkCognition, most people broadcast highly sensitive information across a very public platform.
"Email is based on a text format. There is nothing about email that incorporates security or encryption," he said. "It's basically an open network based on trust. From that there is the huge benefit that anybody on the planet can connect with anybody else on the planet, but the downside is that you can have what many people perceive to be a trusted communication scheme contributed to by people with malicious intent."
Technical exploits account for only a small portion of a hacker's success. The biggest vulnerability on a network is us.
"Attacks that target the user, such as phishing or social engineering campaigns, have a ridiculously high success rate," Scott said. For example, when "phishing," thought to be how the DNC's server was attacked, hackers send out emails with a link to websites containing malicious software.
As part of his job, Ward often conducts threat analysis for Pinkerton's clients, helping them to determine the vulnerable points in their security and computer networks. He has found one of the biggest challenge is getting end users to appreciate the importance of their role in day-to-day best practices.
"In one case when we did a review of a client, we took dongles branded with the client's name and dropped them all over the parking lot," he said. "We dropped 25 of these and 20 were turned in to security. Five of them were plugged in to devices."
Yet, for all the system's openness, experts say email can be considerably improved. It starts with the users.
Education on best practices such as the importance of encryption, application of unique passwords, and opening links and attachments only from proven sources, is essential, Husain said. Don't use passwords that can be easily deciphered. "A little bit of responsibility and education goes a long way," he said. "It's such a big part of our lives. If anything else was such a big part of our lives, you'd think that we would take some time on it."
Also, an email server's security can be improved, Scott said. Filters can identify the server where an email originated based on its IP address rather than the message's header, sorting them into "whitelists" of trusted origins. Malware detection tools can check the content of attachments, and firewalls can help reduce the risk associated with spam and phishing links.
In the end, "some information will always be too sensitive for electronic communication," Scott said. "Ultimately, email is a useful tool when used correctly; however, it is the responsibility of the user to ensure that the security mechanisms are sufficient to their needs and requirements."