Hello, ISC2 Community!
My name is Lew, and I am a CISSP. I work in the media and broadcasting industry as an Identity Governance Security Specialist.
I want to expand on my offensive security capabilities when it comes to email. I have been searching far and wide for certifications focused on email security. Does anyone have any recommendations or resources that you have used to educate yourself about email threats and attack vectors? In summary, I would like to learn more about email threats and counter-adversary operations (e.g., spoofing, obfuscation, phishing email creation and propagation).
Please feel free to contribute with your own stories, experience, or findings!
Thank you so much for your help,
Lew,
I have not seen any certifications specific to email security, probably because it would need to be vendor-specific.
You have not said what email system you are using, but here are a few links that MAY assist you:
https://www.microsoft.com/en-us/security/business/security-101/what-is-email-security
Yes, these are all Microsoft and there are more. Even if this is not the mailer you are using, you can gather a substantial amount of information that could be generically applied.
Also, here is a YouTube video about email security.
https://www.youtube.com/watch?v=6nCsajcQQyc
Hope this is of some assistance.
d
Perhaps because email has become so mutilated since when Ray Tomlinson first sent one in 1971 (even to the point where his deserved title of inventor of email has been subject to crackpot legal dispute), it's hard to think of it as its own domain. It's really just a vector of attack that you can use to deliver anything you want - from social engineering to malware. The problem isn't the email. It's the range of really bad applications, host security, and consumer exploitation that get used around it.
I suppose you could focus on SPF, DKIM, DMARC, but to me these are more accomplices than solutions. The harder we make it to deliver email, the more we are encouraging individuals and businesses to move toward a handful of email providers whose business model is gathering and marketing customer data. If you strip away the garbage that we have pumped into email (for the love of all that is good, please never put an emoji in a subject line), it is actually more secure even if we throw out with that bath water some other "good" things. However, were we to do that, the big providers lose their tracking and so do many other parasite "tech" companies.
And so, not for any educated reason, we use email in an inherently risky way - extremely high risk if you choose to marry certain email applications to an OS prone to execute any sort of code it sees. But I don't see this as an "email" issue as much as a user one.
Reject email, embrace carrier pigeons! In all seriousness though, thank you to everyone for your thoughtful contributions. I really value and appreciate your willingness to help a guy out. Happy Holidays and good luck to you all in your endeavors. Thank you
Hi Lew, I hope this message finds you well.
If you're interested in deepening your understanding of email security, authentication protocols, and the history of email-related threats such as phishing, I highly recommend exploring the EasyDMARC Academy. They offer two comprehensive courses that cover these topics in great detail, and the best part is that they are available for free. These courses are incredibly valuable for anyone looking to strengthen their expertise in email security.
Here is the link. Please check it out and let me know your thoughts.
Warm regards.