What is the one technique involved in almost every security breach? Phishing.
Nearly every major breach starts with some sort of phishing attack, in which nefarious individuals send reputable-looking emails with the goal of getting the recipient to reveal information or click on a malicious link. Perhaps it’s an assistant opening what he or she thinks is a contract for the boss that drops an exploit on the endpoint. Or a whaling attack that strikes when the boss opens an email and clicks on a link believed to be coming from a business partner.
Many times these phishing attacks come from the domain of the business itself or a business partner. Once the user opens an attachment or clicks on a link, it’s too late. Unless some endpoint security software can identify or perhaps stop the exploit from working, the attacker now has a compromised endpoint and a way to move into the network more deeply if needed.
According to a study released this week from the Federal Trade Commission’s Office of Technology Research and Investigation (OTech), many businesses are using better email authentication to combat email phishing attacks. But very few — too few in my view — are using technology that would help them almost eliminate phishing attacks against their organizations entirely.
That technology is Doman-based Message Authentication, Reporting & Conformance — or DMARC in short.
DMARC is an email protocol that builds on two other email authentication protocols, SPF and DKIM. Not that I want to drown you in acronym soup, but stay with me here for a moment. SPF stands for Sender Policy Framework, a common email authentication method that enables ISPs to determine when emails don’t come from who the mail is purported to come from. The other protocol, DKIM, is a way to authenticate emails through signatures.
With DMARC, a list of email servers are authorized to manage email for the organization. DMARC policies automatically enforce these authorized servers and respond when an email does not meet a policy. These emails could be saved for review or just dropped.
These are straightforward steps any organization can take to reduce risk — which is why it’s so disappointing so many organizations don’t.
According to the OTech study just released, 86% of major online businesses are using SPF, but less than 10% of those organizations have implemented DMARC “in a manner which would allow the businesses to receive intelligence on potential spoofing attempts and to instruct ISPs to automatically reject any unauthenticated messages that claimed to be from the businesses’ email addresses,” the FTC said in a statement.
Because DMARC is inexpensive and relative easy to implement – especially when compared to so many other things organizations must do to increase security – and because phishing attacks are so prominent in fraud and cyberattacks, DMARC is something that will hopefully grow in adoption as more organizations become aware of the capability.
Check out the FTC’s analysis here.