FINANCIAL INSTITUTIONS should adopt robust and layered security controls for their e-mail servers to prevent cyberattacks, the Bangko Sentral ng Pilipinas (BSP) said.
Memorandum No. M-2022-043 signed by BSP Deputy Governor Chuchi G. Fonacier said BSP-supervised financial institutions (BSFIs) should enhance their e-mail security controls as it has become a primary mode of communication in business operations.
“Given the central role of e-mail in digital communications, cyberthreats ranging from spam, phishing, ransomware and other malware attacks targeting e-mail platforms and communications continue to confront BSFIs,” the central bank said.
“To further enhance e-mail security, BSFIs should adopt, as warranted, the security controls and best practices in safeguarding both incoming and outgoing e-mails,” it added.
The BSP, in the memo, advised BSFIs to set up a Simple Mail Transfer Protocol (SMTP) authentication method for their mail servers. They should also use industry-accepted encryption standards and versions.
Financial institutions are also expected to enforce thresholds and rate-limit SMTP connections to prevent attacks on mail servers.
To ensure that the Internet Protocol (IP) addresses of incoming e-mails are under a valid domain name, financial institutions should activate a Reverse Domain Name System. This would also cut down spam e-mails if BSFIs use reputation-based blacklists and local IP address filtering.
The central bank also advised institutions to allow anti-spam and anti-virus features to detect and block suspicious e-mails with malicious links and attachments.
Institutions are also encouraged to use layered security controls such as firewalls and intrusion prevention systems.
“(BSFIs should) activate Sender Policy Framework (SPF), Domain-based Message Authentication Reporting and Conformance (DMARC), and DKIM (DomainKeys Identified Mail) to prevent sender address spoofing,” the BSP said.
SPF refers to an e-mail authentication protocol used to stop phishing attacks. Likewise, DMARC provides domain-level protection of the e-mail channel.
These authentication protocols detect and prevent e-mail spoofing techniques used in phishing and other e-mail-based attacks.
Lastly, DKIM allows an organization to transmit a message in a way that mailbox providers can verify. This is to protect employees and customers from targeted cyberattacks.
“To thwart advanced threats and implement a defense-in-depth approach, BSFIs should integrate e-mail security solutions with enterprise fraud management systems, privilege access management, data leak protection, and mobile device management, among others,” the BSP said.
Aside from technical controls, financial institutions should also ensure ample user education and awareness on how to report and handle malicious e-mails.
BSFIs should also identify risks of malware infection, inspect e-mail header information, carefully scrutinize the content of the e-mail, and conduct regular phishing simulations or exercises, the BSP said.
Financial institutions likewise are expected to report any major e-mail-related cyber incidents or crimes to the central bank. They may also ask help from appropriate law enforcement agencies, especially for cases involving public safety and security. — Keisha B. Ta-asan
