The RM Unify team are constantly monitoring the performance of our service and we use the insights garnered to help us to deliver the best possible customer experience. This may be through product updates or, as in this case, user guidance to keep your users and data secure.
The recently deprecated RM Easymail product was an email platform for over 2 million users for around 15 years. During this time, we were able to build high levels of knowledge and understanding of email security issues. One key lesson learnt was that the incentive for bad actors to compromise email is always there, for a number of reasons including:
- Sending spam, malware and phishing emails – people are far more likely to click on a link if they recognise who it is from.
- Setting forwarding rules to direct password reset emails.
- Downloading address books of further email addresses.
As such, it’s no surprise that there is a vibrant black market trade in compromised email accounts.
How might they get in?
Once raw email addresses have been gathered, attackers can very quickly auto-discover who hosts the email for the domain - in education this is now likely to be Microsoft Office 365 or G Suite. From here they are likely to try to brute-force the account by systematically guessing the password over multiple attempts. RM Unify seeks to defend against this by not allowing the use of common passwords and by reducing the number of bad password attempts before the account is locked out. This reduces the risk significantly, but relies on:
- The password being strong.
- The password not already being known - for example not leaked through a data breach such as Yahoo. This shows the importance of using a different password per online service.
Faced with the type of defence offered by RM Unify, we have seen some efforts by attackers to use ‘cheap’ connections such as IMAP to test passwords. IMAP is a legacy email protocol used to connect desktop/smartphone mail apps to an email service like Office 365, but is increasingly being used by attackers to test thousands of user passwords in the hope of getting one right.
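As an added illustration (not RM Unify code), the Python below checks sign-in records for this pattern: one source address failing over IMAP, POP or SMTP against several different accounts, and any account that then signed in successfully from that same address. The log format, field order, function names and threshold are assumptions made for the example, and the sample records are constructed.

```python
from collections import defaultdict

# Legacy mail protocols named in this article.
LEGACY = {"IMAP", "POP", "SMTP"}

# Constructed sample records (assumed format): time, source IP, account, protocol, result.
SAMPLE_LOG = """\
2017-11-20T09:00:01Z 203.0.113.7 a.smith@school.example IMAP FAIL
2017-11-20T09:00:02Z 203.0.113.7 b.patel@school.example IMAP FAIL
2017-11-20T09:00:03Z 203.0.113.7 c.wong@school.example IMAP FAIL
2017-11-20T09:00:04Z 203.0.113.7 d.jones@school.example IMAP OK
2017-11-20T09:05:10Z 198.51.100.20 e.brown@school.example IMAP FAIL
2017-11-20T09:05:30Z 198.51.100.20 e.brown@school.example IMAP OK
2017-11-20T09:06:00Z 198.51.100.20 e.brown@school.example WEB OK
"""

def parse(text):
    """Yield (time, ip, account, protocol, result); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, ip, user, proto, result = parts
        yield ts, ip, user.lower(), proto.upper(), result.upper()

def analyse(text, min_accounts=3):
    """Report source IPs that failed legacy sign-ins against many accounts."""
    failed = defaultdict(set)  # ip -> accounts with a failed legacy sign-in
    hits = defaultdict(set)    # ip -> accounts that signed in after that ip's failures
    for ts, ip, user, proto, result in sorted(parse(text)):  # ISO times sort in order
        if proto not in LEGACY:
            continue
        if result == "FAIL":
            failed[ip].add(user)
        elif result == "OK" and failed[ip]:
            hits[ip].add(user)
    report = {}
    for ip, accounts in failed.items():
        # One user mistyping a password touches one account; guessing touches many.
        if len(accounts) >= min_accounts:
            report[ip] = {"accounts_tried": sorted(accounts),
                          "accounts_to_reset": sorted(hits[ip])}
    return report

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Each account in the sample sees only one bad attempt, so a per-account lock-out alone would not trigger; grouping by source address is what exposes the guessing. Accounts listed under accounts_to_reset should have their password changed and their forwarding rules reviewed.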
What can you do to limit your exposure?
Whilst law enforcement agencies are trying to take down gangs conducting these operations, there are simple things that you can do. We recommend that you:
- Encourage the use of strong passwords throughout your school.
- Encourage a unique password for each online service. Password Managers can be used to save users needing to remember each one.
- Apply Multi Factor Authentication (MFA) on as many accounts as you can, but especially admin grade accounts.
- Disable IMAP, POP and SMTP in Office 365 - these protocols represent the 'low hanging fruit' in terms of brute force guessing of passwords. See the link below.
- Talk to RM about the Office 365 security configuration service.
Finally, use an SSO capable identity and access management system like RM Unify. In addition to the lock-out policy and blocking of common passwords, this reduces the number of passwords a user needs to remember (so they can make it stronger) and SSO removes the need for online services to store the user password at all; thus removing the risk that passwords are compromised if a service you use suffers a data breach.
Useful Links
- Disable IMAP and POP in Office 365 (https://support.microsoft.com/en-gb/help/2416434/how-to-enable-or-disable-pop3--imap--mapi--outlook-web-app-or-exchange)
- RM Unify password policy and tips on creating strong passwords (http://support.rm.com/technicalarticle.asp?cref=tec5943089)
- RM Unify v3.32 (https://www.youtube.com/watch?v=qBgQtLnILgU), due for release in December 2017, offers MFA for Apps within.