Cybersecurity in PSAPs – the Danger of Malicious E-mails

A large proportion of the security incidents that paralyse entire companies and organizations today originate in a malicious e-mail. As attackers become more sophisticated, the risk of becoming a victim of an e-mail cyberattack increases. 

E-mail is still the most important means of communication in the business world. All companies and organizations can be reached by e-mail. As a result, there is always an opening into the internal networks for external attackers.

In the past, dangerous e-mails could often be recognized by the fact that they came from a clearly dubious sender or had inappropriate content. Even when the sender's name could not be clearly identified as a forgery, a look at the sender's address would raise suspicion at the latest. However, you can no longer rely on that today.

This blog is intended to help those responsible in the PSAPs by first showing which dangers are associated with e-mails. A real example is then given of how a PSAP was attacked by a malicious e-mail. Finally, measures are given on how to protect yourself from such attacks.

Motives of attackers

The motives of the attackers can be financial, but also ideological. Political and military actions can also be directed in particular against critical infrastructure. The critical infrastructure does not necessarily have to be the actual target of the attack. Many attacks are performed automatically on a variety of targets, for example against larger IP address ranges or automatically collected lists of e-mail addresses. The attackers usually accept collateral damage. As a result, PSAPs are also at risk of becoming victims of an e-mail attack at any time. No compelling motive is required.

What dangers can lurk in an e-mail?

The best-known danger in an e-mail comes from attachments. In the simplest case, the attacker sends an executable file, the recipient opens it and the system is infected. But it's not usually that easy these days. The malware usually hides in seemingly harmless Office documents. If you open one, perhaps only the expected document will appear at first. However, scripts are executed in the background, which load additional malware or immediately start compromising the system.

Many e-mail clients display e-mails in HTML format instead of plain text. This entails the risk that scripts contained in the e-mail will be executed or files (e.g. images) will be automatically reloaded from external servers, which in turn could contain malware. Viewing the e-mail is enough to get infected. 

Another form of danger lurks in the content of the e-mail, which is intended to trick the user into clicking on a link. If you click on the link in the e-mail, the web browser opens and loads the website. This can contain malicious code that, for example, exploits a security hole in the web browser to infect the system. 

In addition, the website can imitate a well-known website in order to trick users into entering their secret access data. The access data are stored by the attackers and can be used by them. This type of attack, in which scammers fish for secret information, is called phishing.
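The risks described above (scripts, files loaded automatically from external servers, and links that lead somewhere other than they claim) can be made visible before an HTML e-mail is rendered. The following Python code is an added example, not part of the original post; the sample HTML body and all host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample body; every host is a reserved .example/.invalid name.
SAMPLE_HTML = """
<p>Details: <a href="http://files.transport-portal.invalid/info">
https://www.ambulance-provider.example/transport</a></p>
<p><a href="https://www.ambulance-provider.example/contact">Contact us</a></p>
<img src="http://tracker.invalid/p.gif?id=123" width="1" height="1">
<script>document.title = "x"</script>
"""
REMOTE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
class MailBodyAudit(HTMLParser):
    """Records what rendering the body would do: remote loads, scripts, links."""
    def __init__(self):
        super().__init__()
        self.remote, self.scripts, self.links = [], 0, []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.scripts += 1
        url = attrs.get(REMOTE_ATTRS.get(tag, ""), "") or ""
        if url.lower().startswith(("http://", "https://", "//")):
            self.remote.append((tag, url))
        if tag == "a":
            self._href, self._text = attrs.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((" ".join("".join(self._text).split()), self._href))
            self._href = None

def host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def audit(html):
    parser = MailBodyAudit()
    parser.feed(html)
    parser.close()
    # Deceptive: the visible link text is itself a URL, but names another host.
    deceptive = [(text, href) for text, href in parser.links
                 if text.lower().startswith(("http://", "https://", "www."))
                 and host(text if "://" in text else "//" + text) != host(href)]
    return {"remote": parser.remote, "scripts": parser.scripts, "deceptive": deceptive}
```

On the sample body, `audit(SAMPLE_HTML)` reports one remote image, one script element and one link whose visible URL names a different host than its target.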

A non-technical attack can also be carried out via e-mail: if the e-mail comes from an apparently-known sender, the user is tricked into carrying out the instructions in the e-mail, although these actually come from the attacker. The instructions may be of a financial nature (e.g. money transfers) or a request to access credentials or other classified information. This kind of attack is called spoofing.

A recent example from a PSAP

A current real example from a PSAP shows that the danger of becoming a victim of a cyber attack through e-mail is not only of a theoretical nature. The affected PSAP has been working with a foreign ambulance transport service provider for a long time. If ambulance transport is due, the service provider sends information about the transport to the PSAP by e-mail. The e-mails are always in a similar form and therefore have a high recognition value for the staff in the PSAP.

The PSAP recently received another such e-mail from the ambulance service provider. The structure was familiar. This time, however, the e-mail contained a hyperlink and told the recipient to click on it to get more information. The hyperlink did not lead to the website of the ambulance transport service provider, but to a website with malware that attempts to exploit security gaps in the web browser and thereby infect the local computer. Presumably, the aim was to encrypt all data. Fortunately, the PSAP employee was alert, suspected an issue, and did not click the hyperlink, but instead informed the PSAP security officer.

The security officer looked into the matter. It turned out that it was not a targeted attack on the PSAP. The e-mail system of the ambulance service provider with which the PSAP works had previously been compromised. In order to spread the virus further, the malicious organization picked up scanned past e-mails, modified them with the hyperlink to the infected website described above, and resent them to the recipients. For the recipient, everything looked like a valid e-mail from a known sender. And one of the recipients happened to be the PSAP: an accidental victim.

Protective measures

The only one hundred percent guaranteed protection strategy would be to no longer use the communication medium of e-mail. That would be difficult for most organizations. In addition, the alternative communication channels could open up other security gaps. So what should you do to protect yourself? 

In order to reduce the risk of becoming a victim of a cyber attack via e-mail, various protective measures should be implemented:

– Do not display e-mails in HTML format: Sending e-mails in HTML format allows you to design e-mails with graphics, different font formats, etc. This can increase readability. Unfortunately, an HTML e-mail also increases the risk of infection enormously. The HTML code can hide malicious code that is executed on the local system simply by displaying the e-mail. Forging hyperlinks is also much easier in HTML-formatted e-mails. E-mail clients should therefore be configured by default so that they only display e-mail in plain text. Of course, you also shouldn't send any e-mails in HTML format yourself.

– Do not load content from external servers into e-mails: Spammers often try to include content from external servers in e-mails. These can be photos, for example, or small pixel-sized graphics that cannot be perceived by the human viewer. Depending on the configuration of the e-mail client, this content is retrieved from these external servers directly when the e-mail is displayed. This creates various dangers: On the one hand, the reloaded content itself can contain malicious code. On the other hand, the sender learns by retrieving the content from his server that the recipient has opened the e-mail. This tells him that the recipient’s address actually exists and is being used. Further attacks on this e-mail address can therefore be worthwhile.

– Display the sender's address instead of just the sender's name: The sender's address in an e-mail can be easily forged. However, it is even easier to enter an incorrect sender name in an e-mail. Unfortunately, in many e-mail clients, only the sender names are displayed in the default settings and not the e-mail addresses. If several mouse clicks are necessary to check the e-mail address, many users skip this simple but effective check, with which a large part of malicious e-mails can already be sorted out. E-mail clients should therefore be configured in such a way that the e-mail address is always displayed directly in addition to the name.

– Virus scan already on the server: Virus scanners are well known. They check incoming e-mails for known malicious code. The protection is even more effective if the virus scan is already on the mail server and not only on the local client. As a result, a malicious e-mail does not even reach the local system. Since virus scanners usually only find known malicious code, these programs must be updated regularly. If the virus scanner did not find any malicious code in the checked e-mail, this does not necessarily mean that the e-mail is clean. For example, there is malicious code that is so new that it cannot (yet) be detected by virus scanners.

– Enabling DKIM on mail servers and clients: A few years ago, the DomainKeys Identified Mail (DKIM) protocol was developed to ensure the authenticity of e-mail senders. DKIM must be configured on the mail server. The recipient’s mail client can then indicate whether there are discrepancies between the sender’s mail server and the domain used in the sender’s address. This makes it more difficult for attackers and spammers to send an e-mail under false names. Many organizations have already activated DKIM. In order to use the advantages of DKIM, however, corresponding warnings should also be displayed in the mail clients.

– Encrypt network connections to the mail server: Connections to the mail server were established unencrypted for many years. This made it easy for attackers to steal mailbox credentials. In the meantime, it is actually standard to encrypt the connections. Unfortunately, outdated configurations are still used occasionally. Network connections to mail servers should therefore be checked for encryption.

– Signing: With digital signatures, the authenticity of the sender of an e-mail can be ensured. The protocols S/MIME and OpenPGP are available for this. Unfortunately, the procedures have not yet caught on in most organizations. However, an introduction is possible with relatively little effort. In addition to being signed, e-mails can also be encrypted using the two protocols, making them even more secure.

– Network separation: The last security measure is actually self-explanatory, but it still has to be mentioned at this point. E-mails must not be received on critical systems. A separate system must be maintained for communication via e-mail so that the productive systems remain unaffected in the event of a security incident. For example, in the PSAP, the Computer Aided Dispatch (CAD) system must not be on the same network as the client used to check e-mail and surf the Internet. Of course, data transfers from e-mails to CAD systems are often still necessary. Security gates should be used for this.
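For the measures on displaying the sender's address and on DKIM, a receiving-side check can compare the display name with the real address and read the DKIM result that the receiving mail server recorded in the Authentication-Results header. The following Python code is an added example, not part of the original post; the sample message, all domains, the `known_domains` set and the `authserv_id` value are constructed assumptions, and the domain comparison is simplified.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; all domains are reserved .example/.invalid names.
RAW = """\
From: "dispatch@ambulance-provider.example" <billing@mail-relay.invalid>
To: control-room@psap.example
Subject: Transport notification
Authentication-Results: mx.psap.example;
 dkim=pass header.d=mail-relay.invalid header.s=s1;
 spf=pass smtp.mailfrom=mail-relay.invalid

Transport details follow.
"""
ADDR_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def dkim_results(msg, authserv_id):
    """Return [(result, signing_domain)] from our own server's headers only."""
    out = []
    for value in msg.get_all("Authentication-Results", []):
        # Ignore results not stamped by the receiving server we trust.
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        for m in re.finditer(r"\bdkim=(\w+)([^;]*)", value):
            d = re.search(r"header\.d=([\w.-]+)", m.group(2))
            out.append((m.group(1).lower(), d.group(1).lower() if d else ""))
    return out

def sender_warnings(raw, known_domains, authserv_id):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom, warnings = domain_of(addr), []
    shown = ADDR_IN_NAME.search(name)
    if shown and shown.group(1).lower() != from_dom:
        warnings.append(f"display name shows {shown.group(0)}, address is {addr}")
    if from_dom not in known_domains:
        warnings.append(f"sender domain {from_dom} is not a known correspondent")
    # Signing domain must equal the From domain or be a parent of it (simplified).
    aligned = [d for result, d in dkim_results(msg, authserv_id)
               if result == "pass" and d
               and (d == from_dom or from_dom.endswith("." + d))]
    if not aligned:
        warnings.append(f"no passing DKIM signature for {from_dom}")
    return warnings
```

The sample message passes DKIM for its real sending domain and is still flagged, because the display name shows an address from a different domain. A message sent through a known sender's own compromised mail system, as in the incident described above, can pass all of these checks.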

Conclusion

E-mail is not only an important communication medium, but also harbors many cyber security risks. Of course, hardly any organization can do without communication via e-mail. However, every e-mail user should be aware of the dangers described. 

The example of the attacked PSAP shows that attacks on PSAPs do not necessarily have to be targeted attacks. The risk of becoming a victim of collateral damage is much greater. 

By implementing the protective measures presented, you can significantly reduce the risk of becoming a victim of a cyber attack via e-mail.

The opinions expressed are those of the author and do not necessarily represent the views of EENA. Articles do not represent an endorsement by EENA of any organisation.
