Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

It Takes a Village: The Importance of Security Standards

The Greatest Challenge that DMARC Adoption Faces is That Many Do Not Know That it Exists

The Greatest Challenge that DMARC Adoption Faces is That Many Do Not Know That it Exists

It takes a communal effort to improve security. Technology standards are the foundation of secure and interoperable systems, but they are often overlooked and rarely get much fanfare. For example, it took years of public discourse before companies switched to secure HTTP.  Once it happened, companies like Facebook and Twitter were praised for making the move to encrypt their traffic. Now it is expected for digital brands and Web services to offer HTTPS. DMARC is now reaching this terminal velocity.

DMARC, the Domain-based Message Authentication, Reporting & Conformance standard, is offered by email service providers to prevent phishing and spam related to domain name spoofing, while simultaneously providing greater visibility into email ecosystems.

In October 2017, the Department of Homeland Security (DHS) issued the Binding Operational Directive 18-01, which required all federal agencies to implement DMARC within 90 days. Subsequently, the National Health Information Sharing and Analysis Center (NH-ISAC) called upon its members to pledge they would implement DMARC in 2018.

Why You Should Use DMARC

DMARC addresses spoofed emails. An analogy of email spoofing is a criminal sending consumers real-looking credit card statements in the same type of envelopes the credit card companies use — with the important difference that there is absolutely no cost associated with spoofing an email. 

DMARC is an email authentication standard designed to eliminate phishing and other types of attack that use spoofing to misrepresent an email sender identity. DMARC emerged from a pilot program between PayPal and Yahoo! Before DMARC, there were already two email authentication standards, “Sender Policy Framework” (SPF) and “Domain Keys Identified Mail” (DKIM). SPF uses DNS to authenticate the envelope sender, but cannot authenticate the “From: header.” DKIM uses cryptographic keys to authenticate email.

DMARC combines both of these standards by verifying both the SPF information and the DKIM signature. Once deployed, DMARC can monitor, quarantine or reject email messages with spoofed domains, dramatically reducing phishing and spam sent appearing to come from an impersonated  organization.

Advertisement. Scroll to continue reading.

Email spoofing is the most common type of identity deception in volumetric and scattershot attacks, which includes traditional phishing attacks and spam. Identity deception can be used to impersonate unprotected brands for other reasons, such as distributing misinformation or email account takeover. The implication of these attacks can even impact national security.

Unfortunately, DMARC adoption has been slow in most sectors. Recent research reveals low adoption rates, showing that within the Fortune 500, 67 percent have not deployed DMARC. Within the US government, about 50 percent of agencies had not deployed DMARC ahead of the Department of Homeland Security Binding Operational Directive 18-01.

One hypothesis for this slow growth is a simple lack of awareness. Another factor may be that when DMARC was first introduced, phishing was a problem felt mainly by the financial industry, which did rapidly adopt it.

In contrast, no deployment tradition was ever established in many other sectors. In the recent years, as society as such has come to a rude awakening in terms of the understanding of its vulnerability to online attacks, many people have not yet seen the link between a vulnerability to spoofing and a risk to the organization and its members.

As organizations move to adopt DMARC, those left lagging will be the most obvious targets to attack. Perhaps the greatest challenge that DMARC adoption faces is that many do not know that it exists. In that regard, we can be grateful that the DHS has called upon the government to hasten its adoption. As a result, the NH-ISAC has called upon the healthcare industry to do the same. We may be hopeful that more organizations follow their direction.

Related: DMARC in Higher Education – A Formidable Defense Against Targeted Scams

Related: Email Attacks Use Fake VAT Returns to Deliver Malware

 

Related: Top Websites Fail to Prevent Email Spoofing

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

Phishing

The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Compliance

Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Fraud & Identity Theft

Famed hacker Kevin Mitnick has died after a battle with pancreatic cancer.  At the time of his death, he was Chief Hacking Officer at...