According to Paul Maddinson, NCSC director of national resilience and strategy, the new Email Security Check tool aims to assist users in discovering where they can do more to avoid spoofing and preserve privacy and provide practical advice on how to stay safe. Moreover, by implementing the recommended activities, organizations may strengthen their defenses, demonstrate that they are taking security seriously, and make life more difficult for cyber thieves.
Previously available as an alpha version only to select organizations, the Beta version was launched on May 11 for institutions and organizations across the UK free of charge.
The following are the highlights of the recent meeting and the decisions taken to increase the cyber security of businesses:
- At the UK government’s flagship cyber security event, CYBERUK 2022, a free email security checker tool was officially launched to help organizations ensure that they are protected.
- Early Warning is the latest Active Cyber Defense (ACD) tool aimed at helping businesses increase their cybersecurity preparedness, with the NCSC being the point of assistance and contact for organizations reporting cyber occurrences.
- The UK government is inviting organizations to subscribe to receive timely alerts about cyber attacks on their networks.
- A free version of this service is being offered because some UK sectors are only superficially implementing the recommended email security controls (as low as 7 percent), according to NCSC’s guidance on email security and anti-spoofing.
Introduction to the Free Tool: Its Features and Working
EARLY WARNING: As part of the nation’s approach to utilizing technology, the Government of the United Kingdom has introduced a free email security service as an extension of the already available commercial services. Its characteristics and workings are explained as follows:
- Anti-spoofing Check: Defenders can check for anti-spoofing and email privacy risks when using Email Security Check to look up publicly available information about email domains.
- DMARC Policy Configuration: The NCSC says it makes sure anti-spoofing standards, such as DMARC, are configured correctly to keep cybercriminals from abusing organizations’ domains and sending malicious messages.
- Use of DNS: The system checks publicly accessible internet DNS records to validate if anti-spoofing controls are properly configured (notably the DMARC Policy) and checks the TLS configuration by initiating a “handshake” with the server.
- TLS Configuration: Additionally, the Early Warning tool checks whether privacy protocols, such as TLS, are in place to ensure emails are encrypted during transit so they cannot be accessed.
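The DMARC part of such a check can be sketched as follows. This is an added example, not the NCSC tool's own code: it takes TXT records already fetched from `_dmarc.<domain>` and flags the common weaknesses. The function names, verdict labels and sample records are assumptions made for illustration; tag names and defaults follow RFC 7489.

```python
# Added example: assess TXT records already fetched from _dmarc.<domain>.
# Tag names and defaults follow RFC 7489; verdicts and wording are this example's own.

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records):
    """Return (verdict, findings) for the TXT records found at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.replace(" ", "").startswith("v=DMARC1")]
    if not dmarc:
        return "missing", ["no DMARC record published"]
    if len(dmarc) > 1:
        return "invalid", ["multiple DMARC records, so receivers apply none"]
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= tag missing or not none/quarantine/reject"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    else:
        pct = tags.get("pct", "100")
        if not pct.isdigit() or int(pct) > 100:
            findings.append("pct= is not an integer from 0 to 100")
        elif int(pct) < 100:
            findings.append(f"pct={pct} applies the policy to only part of failing mail")
        if tags.get("sp", policy).lower() == "none":
            findings.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return ("weak" if findings else "ok"), findings


# Constructed sample records (not real domains' DNS data).
SAMPLES = {
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "monitor.example": ["v=spf1 -all", "v=DMARC1; p=none"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:d@partial.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(domain, *assess_dmarc(records))
```

The TLS side of the check needs a live connection to the mail server, so it is left out of this offline example.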
Availability to Public and Private Organizations
Although the Email Security Check service can only identify vulnerabilities that cybercriminals can find, its aim is to help organizations all across the country identify risks before they are exploited and find out the targeted email domains.
The Mail Check service is currently not available for private sector organizations, only for those in central government, local authorities, devolved administrations, emergency services, healthcare organizations, academia, and charities.
How Will it Help Businesses?
The new Email Security Check tool is designed to help organizations identify where they can do more to prevent spoofing and protect their privacy. Organizations can also gain access to more “in-depth guidance” on securing their email by signing up for the NCSC’s free Mail Check service.
Use of Email Security Check is free and does not require registration or personal information. It helps organizations’ technical teams quickly recognize threats, so they can strengthen their defenses by implementing NCSC guidance on email security and anti-spoofing.
For businesses, it offers:
- Email anti-spoofing. This tool will help prevent cybercriminals from sending emails purporting to be you (a practice known as spoofing).
- Email privacy. By using TLS correctly, cybercriminals will have a harder time intercepting and reading your emails.
This tool can check the security of email domains, but it cannot check if individual emails or domains are malicious. Those receiving suspicious emails are advised to forward them to email@example.com.
Free Cybersecurity Tools Provided By CISA
CISA has produced a list of free cybersecurity tools and services to help organizations advance their security skills to minimize cybersecurity risk across US critical infrastructure partners and state, municipal, tribal, and territory governments. Some of these include:
- CISA Cybersecurity Publications: CISA provides subscribers with automatic updates via email, RSS feeds, and social networks.
- Immunet Antivirus: Immunet is a malware and antivirus prevention solution for Microsoft Windows that uses cloud computing to provide community-based protection.
- CISA Web Application Scanning: This service identifies and evaluates publicly accessible websites for bugs and weak configurations to make recommendations on mitigating the risks associated with web application security.
- CISA Phishing Campaign Assessment: This tool allows you to determine whether or not your employees are vulnerable to phishing attacks. This is a hands-on activity that will help you support and assess the efficacy of security awareness training.
- CISA Vulnerability Scanning: By scanning public, static IP addresses, the service checks for the presence of external networks and vulnerabilities. Weekly vulnerability reports and ad-hoc notifications are provided.
The recent shift to remote working has created the need to provide remote access security. Organizations must reconsider their security strategies in light of a dispersed infrastructure. Meanwhile, cybercriminals are refining their techniques, getting savvier, and doing everything to expand their attack vectors. Cyber-attacks will never be eliminated by one silver bullet but instead require multiple technologies and processes to work in tandem to minimize their likelihood.
The recent free tool announcement is not the only way to upgrade your organization’s cybersecurity in the UK. There are multiple other free tools that you can use to ensure protection against monetary and non-monetary losses to your organization caused by email-based cyber attacks.