Why Email Security is a Top Cybersecurity Control

Cybersecurity frameworks play an integral role in ensuring organisations have adopted the latest and best practice standards and strategies to safeguard their information systems and data. The most commonly adopted industry standard frameworks include the NIST Cybersecurity Framework, the CIS Controls, and ISO/IEC 27001/2. But, of these industry frameworks, only the ISO/IEC 27001/2 standard can be certified.

For organisations with well-developed cybersecurity strategies, often led by industry-leading CISOs, email security controls form a core control in preventing unauthorized information system access.

But the relationship between industry standard cybersecurity frameworks and the importance of email security can often appear to be subsumed by higher-order security controls. For example, only the CIS Controls explicitly mention email security (Control 9).

Read on to see why email security deserves higher priority in your security controls environment.

The market is once again signaling email security as a priority security control

Email security has, until recently, been seen as a low-priority “solved-for” cybersecurity challenge. Many analyst firms even stopped providing market coverage of the email security vendor landscape, citing market maturity as the leading reason. This worldview saw a handful of legacy email security monoliths, built for an on-premises world, dominating the market on what appeared to be a rather straightforward cybersecurity challenge – filtering unsophisticated phishing attempts and spam.

The threatscape however did not stop evolving.

In fact, over the past 12-24 months there has been a marked shift in the sophistication of social-engineering-based attacks, which is placing renewed emphasis on email security as a high-priority security control.

In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidents are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further cybersecurity threat vector that has until recently gone unaddressed is unauthorised data exfiltration, whether accidental or malicious – one of the leading reported incident types.

The growing threat posed by poorly secured email has called legacy email security vendors and approaches into question, and they are increasingly being displaced by a new breed of advanced email security solutions.

Cybersecurity Frameworks

Given this evolving threat landscape, it’s worthwhile revisiting the mainstream adopted cybersecurity frameworks and the centrality of email security as a core element of cybersecurity resilience.

CIS Controls

Dating back to 2008, the CIS Controls are seen by many in the industry as the gold standard of cybersecurity controls. In fact, the NIST Cybersecurity Framework references the CIS Controls as an “informative resource,” and most practitioners use the CIS Controls in conjunction with the NIST Cybersecurity Framework.

The CIS Controls undergo periodic review; currently there are 18 controls:

  1. CIS Control 1: Inventory and Control of Enterprise Assets
  2. CIS Control 2: Inventory and Control of Software Assets
  3. CIS Control 3: Data Protection
  4. CIS Control 4: Secure Configuration of Enterprise Assets and Software
  5. CIS Control 5: Account Management
  6. CIS Control 6: Access Control Management
  7. CIS Control 7: Continuous Vulnerability Management
  8. CIS Control 8: Audit Log Management
  9. CIS Control 9: Email and Web Browser Protections
  10. CIS Control 10: Malware Defences
  11. CIS Control 11: Data Recovery
  12. CIS Control 12: Network Infrastructure Management
  13. CIS Control 13: Network Monitoring and Defence
  14. CIS Control 14: Security Awareness and Skills Training
  15. CIS Control 15: Service Provider Management
  16. CIS Control 16: Application Software Security
  17. CIS Control 17: Incident Response Management
  18. CIS Control 18: Penetration Testing

Control 9 is of specific relevance to this discussion: it calls for the hardening of email and web browser protections, and underscores how susceptible users are to successful social engineering attacks.

NIST Cybersecurity Framework

First introduced in 2014 and revised in 2018, version 1.1 of the NIST Cybersecurity Framework is premised on five core functions:

  • Identify – develop an organisational understanding of cybersecurity risk to systems, people, assets, data and capabilities. Activities include Asset Management, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.
  • Protect – develop and implement safeguards to ensure the safe delivery of critical services. Activities include Identity and Access Management, Security Awareness Training, Data Security, Information Protection Processes and Procedures, Maintenance, and Protective Technology.
  • Detect – develop and implement capabilities that enable early detection of cybersecurity events. Activities include Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
  • Respond – develop and implement capabilities that enable a well-managed response after an incident has occurred. Activities include Response Planning, Communications, Analysis, Mitigation, and Improvements.
  • Recover – develop and implement capabilities that enable recovery after a cybersecurity incident has occurred. Activities include Recovery Planning, Improvements, and Communications.

The hardening of email security controls relates directly to:

  • Function 2 (Protect): providing Data Security, Information Protection and Protective Technology capabilities
  • Function 3 (Detect): providing Anomalies and Events, Security Continuous Monitoring and Detection Processes capabilities

ISO/IEC 27001 and ISO/IEC 27002

ISO 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements, commonly referred to as ISO 27001, is used in conjunction with ISO 27002:2013 Code of Practice for Information Security Management, commonly referred to as ISO 27002.

ISO 27001/2 is the only cybersecurity framework that can be certified internationally by the ISO standards body. Achieving ISO 27001/2 certification requires that organisations build an Information Security Management System which, among other requirements, entails adopting all 14 of the security control categories listed under Annex A.

In total there are 114 security controls in the 14 categories. The CIS Controls and NIST Cybersecurity Framework can also be mapped to the ISO 27001 controls.

The 14 security control categories include:

  1. Annex A.5 Information Security Policies
  2. Annex A.6 Organization of Information Security
  3. Annex A.7 Human Resource Security
  4. Annex A.8 Asset Management
  5. Annex A.9 Access Control
  6. Annex A.10 Cryptography
  7. Annex A.11 Physical and Environmental Security
  8. Annex A.12 Operations Security
  9. Annex A.13 Communications Security
  10. Annex A.14 System Acquisition, Development and Maintenance
  11. Annex A.15 Supplier Relationships
  12. Annex A.16 Information Security Incident Management
  13. Annex A.17 Information Security Aspects of Business Continuity Management
  14. Annex A.18 Compliance

Of the 14 security control categories, A.12 Operations Security and A.13 Communications Security underscore the importance of having robust email security in place. The two sub-controls under A.12 and A.13 that have direct relevance to email security are:

  • A.12.2.1 Controls Against Malware – detection, prevention and recovery controls that protect against malware, combined with appropriate user security awareness.
  • A.13.2.3 Electronic Messaging – any information involved in any form of electronic messaging needs to be appropriately protected to prevent unauthorised access.

General Data Protection Regulation (GDPR)

Although not a cybersecurity control framework, GDPR does set out legal processes and procedures to protect the data of European Union citizens. Similar data privacy and security legislation is being enacted around the world, calling for comparable controls to be put in place. GDPR, however, is notorious for imposing the most stringent interpretations of its data privacy and data security regulations, along with handing out record-setting financial penalties for infringements.

Chapter 4, Articles 25-43 set out the necessary legal stipulations for data controllers and processors, essentially calling for data protection by design and default.

Key information security principles listed in Chapter 4 (Article 32) include:

  • Pseudonymisation and encryption of personal data.
  • The ability to ensure the confidentiality, integrity, availability and resilience of processing systems and services.
  • The ability to restore availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of data processing.

Data loss, phishing, unauthorised access and ransomware are among the incidents most frequently reported to the UK’s Information Commissioner’s Office (ICO), the UK’s enforcing body for GDPR. Inadequate and ineffective email security controls are the leading cause of these incidents.

MITRE ATT&CK Framework

Popular with threat intelligence teams, security operations centres and the cybersecurity vendor community, the MITRE ATT&CK Framework is starting to gain mainstream recognition in the enterprise. Developed in 2013 and referred to as the ATT&CK Framework, its utility for benchmarking the effectiveness of security controls is becoming increasingly apparent as attacks grow in sophistication and scope.

Although ATT&CK consists of three matrices, the Enterprise matrix is the most commonly used. By offering an adversarial perspective on threat and attack vectors, i.e. the attack chain – starting with reconnaissance, resource development and initial access, and ending with impact – it enables security and risk leaders to gauge the robustness and breadth of the controls in place.

According to the ATT&CK framework, social-engineering-based attacks, including phishing, remain one of the most common attack vectors enabling unauthorised access to information systems. The full matrix is available on the MITRE ATT&CK website.

Email security as a core control

Email remains a significant threat vector, and email security features as a core control in all of the most widely adopted cybersecurity frameworks. Given the increasing sophistication of email-based attacks, the importance of having industry-leading email security protection in place must be re-emphasised. Only by prioritising email security will the risk of an email-related breach be significantly mitigated.

How can HANDD help you lock down email?

This is why enterprises are replacing legacy email security solutions with next-generation intelligent email security protection from our partner Tessian. By using industry-leading machine learning, its dynamic real-time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.

Key features include:

  • Advanced Spear Phishing Protection
  • Advanced Attachment and URL Protection
  • Internal Impersonation & CEO Fraud
  • Advanced Spoof Detection
  • Counterparty & Vendor Impersonation
  • Brand Impersonation
  • External Account Takeover
  • Invoice Fraud
  • Bulk Remediation
  • Automated Quarantine
  • Threat Intelligence
  • Insider Threat Management
  • Accidental & Malicious DLP

To learn more about how Tessian can help strengthen your email security posture, book a demo now.
