Dispelling the myths about DMARC

Good hygiene has been in the news a fair
amount in recent weeks and months, leading us all to pay substantially more
attention to washing our hands – for longer – and to diligently covering our
coughs. The fact that this guidance needs to be shared anew every flu season
highlights just how important a sense of urgency, and regular reminders on how
to act, are in stemming the spread of infection. The same is true when it comes
to our behavior online. Evidence suggests that a regime of foundational
measures, reflecting prioritized, essential tasks to defend against avoidable
dangers in cyberspace, does in fact work to substantially reduce overall risk.

This is one of the reasons why the Cybersecurity Tech Accord signatories
endorsed the Paris Call for Trust and Security in Cyberspace and committed
ourselves to working on implementing its principle focused on improving cyber
hygiene. This includes ensuring that the Cybersecurity Tech Accord companies
themselves adopt and implement good practices, but also – and perhaps more
importantly – working on making cyber hygiene measures available and
accessible at scale, particularly in communities with limited financial and
technical resources.

We are therefore delighted to be working on this issue together with the
Global Cyber Alliance, an international non-profit organization that has made
eradicating global cyber risk its sole mission. For the past two years, they
have been working on efforts to improve email security, including driving the
wider adoption of Domain-based Message Authentication, Reporting & Conformance
(DMARC), an email authentication policy and reporting protocol that helps
prevent impersonation attacks via email – something which the Cybersecurity
Tech Accord has also enthusiastically supported previously.

DMARC builds on two existing standards, DomainKeys Identified Mail (DKIM) and
Sender Policy Framework (SPF). A domain owner publishes a DMARC record in DNS
that tells receiving mail servers what to do with a message whose visible
From: domain is not backed by an aligned SPF or DKIM result (monitor it,
quarantine it, or reject it) and where to send reports about such messages.
With an enforcing policy in place, fraudulent mail that claims to come from
domains under the organization’s control is blocked by receivers that honor
the policy, while legitimate mail that authenticates properly is delivered. We
encourage all organizations to utilize resources made freely available by the
Global Cyber Alliance, including their implementation guide, and also want to
take this opportunity to dispel a number of myths that have emerged around
DMARC in particular.

Myth #1: It’s used on email domains only

ANY domain can be impersonated and used in phishing attacks, whether or not it
sends mail: a parked domain, a brand or campaign domain, or a web-only domain
can be forged in the From: address just as easily. Securing only the domains
used to send mail is therefore not enough. Every domain owned by your
organization should be secured with its own DMARC policy, and domains that
never send mail should publish a reject policy alongside an SPF record that
authorizes no senders.
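As an added example (not code from the original post or from the Global Cyber Alliance), the following Python checks an inventory of domains for the records this myth is about: it parses DMARC TXT records with the RFC 7489 defaults (sp inherits p, pct defaults to 100), flags a monitoring-only or partial policy and a missing reporting address, and flags a non-sending domain that does not also publish the `v=spf1 -all` SPF record. The domain names, records and the `parse_dmarc`/`assess` helpers are assumptions made for the illustration; no DNS lookups are performed, the records are passed in as strings.

```python
"""Check whether a domain's DMARC and SPF records actually block spoofing.

Added example, not part of the original post.  Records are passed in as
strings (no DNS lookups are made); the domains and records used in the
demonstration at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# RFC 7489 defaults: sp inherits p, pct is 100, alignment modes are relaxed.
DMARC_DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}


def parse_dmarc(record: str) -> dict:
    """Return the tag=value pairs of a DMARC record with defaults filled in.

    Receivers ignore a record whose first tag is not exactly v=DMARC1, so
    such records yield {} here too.
    """
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return {}
    return {**DMARC_DEFAULTS, **tags}


@dataclass
class Assessment:
    policy: str            # effective policy for the domain itself
    subdomain_policy: str  # effective policy for its subdomains
    enforcing: bool        # True only when failing mail is quarantined or rejected
    findings: list = field(default_factory=list)


def assess(domain: str, dmarc_record: Optional[str], spf_record: Optional[str],
           sends_mail: bool) -> Assessment:
    """Judge one domain; sends_mail=False marks a domain that should never
    originate mail (parked, brand or web-only domains)."""
    tags = parse_dmarc(dmarc_record) if dmarc_record else {}
    if not tags:
        result = Assessment("missing", "missing", False)
        result.findings.append(f"{domain}: no valid DMARC record, spoofed mail is not blocked")
    else:
        p = tags.get("p", "none")   # simplification: a missing p is treated as monitor-only
        sp = tags.get("sp", p)      # sp inherits p unless set explicitly
        result = Assessment(p, sp, p in ("quarantine", "reject"))
        if p == "none":
            result.findings.append(f"{domain}: p=none only monitors, spoofed mail is still delivered")
        elif sp == "none":
            result.findings.append(f"{domain}: sp=none leaves subdomains unprotected")
        if tags["pct"].isdigit() and int(tags["pct"]) < 100:
            result.findings.append(f"{domain}: pct={tags['pct']} applies the policy to only part of the mail")
        if "rua" not in tags:
            result.findings.append(f"{domain}: no rua= address, so no aggregate reports will arrive")
    # A domain that never sends mail should also say so in SPF.
    if not sends_mail and (spf_record or "").split() != ["v=spf1", "-all"]:
        result.findings.append(f"{domain}: a non-sending domain should publish 'v=spf1 -all'")
    return result


if __name__ == "__main__":
    # Constructed inventory: one sending domain plus two that never send mail.
    inventory = [
        ("example.com", "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
         "v=spf1 include:_spf.example.net -all", True),
        ("example-brand.com", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
         "v=spf1 -all", False),
        ("example.net", None, None, False),
    ]
    for args in inventory:
        a = assess(*args)
        print(f"{args[0]}: p={a.policy} sp={a.subdomain_policy} enforcing={a.enforcing}")
        for finding in a.findings:
            print("  -", finding)
```

The sp=none case is the one most often missed: a domain can be at p=reject and still leave every subdomain open to spoofing, so the checker reports it as a finding even though the domain itself counts as enforcing.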

Myth #2: It’s a Silver Bullet

DMARC is not an inoculation against every cyber risk. It protects against only
one type of spoofing: messages that forge an exact domain you control in the
visible From: address. It does nothing against lookalike domains, forged
display names, or phishing sent from a domain the attacker legitimately owns,
and it should never be used alone. All organizations need a layered defense
when it comes to securing email, and DMARC is an important layer but still
only one. Your organization may also use other secure email mechanisms that
address different problems, such as DNS-Based Authentication of Named Entities
(DANE) or SMTP MTA Strict Transport Security (MTA-STS), both of which protect
mail in transit between servers rather than the sender’s identity (as well as
others).

Myth #3: It’s not good for privacy

DMARC reporting is designed around aggregate data. The aggregate reports you
receive tell you which sources are sending mail on your domain’s behalf, by
sending IP address, message count and authentication result; they do not
include message content or recipient addresses. That visibility protects your
users’ privacy in practice, because it lets you find and shut down attackers
using your domain to send suspicious messages to staff or customers. The one
caveat is the optional failure (forensic) reports, which can contain headers
and sometimes parts of individual messages; many receivers do not send them at
all, and if you request them, deliver them to a mailbox you control and handle
them as you would any other sensitive mail.

Myth #4: It’s easy

Starting the implementation of DMARC may be relatively simple: publishing a
monitoring-only record (p=none) with a reporting address takes minutes and
changes nothing about how your mail is handled. The real work – and the most
important part – comes afterwards: analyzing the aggregate reports, finding
every legitimate source that sends on your domain’s behalf (including
third-party services), getting each of them to pass SPF or DKIM with an
aligned domain, and only then raising the policy to quarantine and finally
reject, which can be considerably more labor-intensive.

Myth #5: It’s going to negatively impact my email

Done properly, DMARC improves the delivery rate of the email you send to
customers and others, because receivers can verify that it genuinely comes
from you. Legitimate mail only suffers when an enforcing policy is published
before every legitimate sending source passes authentication with an aligned
domain, which is why the monitoring phase and its reports matter: they show
you what would be blocked before anything is.
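As an added example serving both Myth #4 and Myth #5 (not code from the original post or from the Global Cyber Alliance), here is the kind of analysis the monitoring phase calls for: parsing a DMARC aggregate (rua) report and listing the sources whose mail would be blocked under an enforcing policy, separating third-party senders that authenticate for an unaligned domain from sources that authenticate for nothing at all. The report, its IP addresses and domains are constructed for the illustration, and `summarize`, `failing_sources` and `enforcement_impact` are helper names chosen here.

```python
"""Summarize a DMARC aggregate (rua) report before tightening the policy.

Added example, not part of the original post.  SAMPLE_REPORT is a hand-built
report in the RFC 7489 Appendix C schema; the IPs and domains in it are
constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """\
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize(report_xml: str) -> dict:
    """Group report rows by sending IP.

    A row passes DMARC when either aligned result in <policy_evaluated> is
    'pass'.  The raw <auth_results> domains that passed are kept separately:
    a source that passes SPF or DKIM for some other domain is usually a
    legitimate third-party sender that still needs aligning, whereas a
    source with no raw pass at all is usually a spoofer.
    """
    root = ET.fromstring(report_xml)
    summary = defaultdict(lambda: {"count": 0, "pass": 0, "fail": 0,
                                   "raw_pass_domains": set()})
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary[ip]
        entry["count"] += count
        entry["pass" if aligned else "fail"] += count
        for result in rec.iterfind("auth_results/*"):   # the <dkim> and <spf> elements
            if result.findtext("result") == "pass":
                entry["raw_pass_domains"].add(result.findtext("domain"))
    return dict(summary)


def failing_sources(summary: dict) -> list:
    """Sources with failing mail, largest first, with the domains they do
    authenticate for: the work list before moving p=none to quarantine/reject."""
    return sorted(((ip, e["fail"], sorted(e["raw_pass_domains"]))
                   for ip, e in summary.items() if e["fail"]),
                  key=lambda t: -t[1])


def enforcement_impact(summary: dict) -> tuple:
    """(messages that would be blocked, messages in the report) under p=reject."""
    fail = sum(e["fail"] for e in summary.values())
    total = sum(e["count"] for e in summary.values())
    return fail, total


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    blocked, total = enforcement_impact(s)
    print(f"{blocked} of {total} messages would be rejected")
    for ip, fails, domains in failing_sources(s):
        kind = "unaligned sender" if domains else "no authentication at all"
        print(f"  {ip}: {fails} failing ({kind}: {', '.join(domains) or '-'})")
```

In real use the XML comes out of the gzip or zip attachments that receivers send to the rua= address. A source in the work list that authenticates for another domain (here a bulk mailer passing SPF for its own bounce domain) is fixed by having it DKIM-sign with your domain or use an aligned return path; a source that authenticates for nothing is exactly what the reject policy is there to stop.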

Myth #6: It’s only for large entities

Every organization with a public-facing domain can be vulnerable to spoofing
and phishing, regardless of size. DMARC needs to be implemented by ALL
organizations, from small startups to Fortune 500 corporations.

Email remains a preferred attack method for impersonation and fraud. Whether it’s sophisticated nation-state attacks, targeted phishing schemes, business email compromise or ransomware, such attacks are on the rise at an alarming rate and are also increasing in their sophistication. It is therefore imperative that organizations employ technologies such as DMARC to reduce both the specific threats to their entity, as well as to improve the resilience of the Internet more broadly to help keep us all safe online.
