Is DMARC the answer to rising corporate ID theft?
Fri 10 Jun 2016
The Stack speaks to fraud and cybersecurity guru Neira Jones to discuss her pet subject, DMARC, and to find out why it is so critical for businesses to implement in their fight against email-based attacks…
In 2012 cybercrime expert Neira Jones was approached by information security firm Agari, who introduced her to a new authentication standard called DMARC. Since then Jones has been a crusader for the technology, pushing for greater awareness and a wider deployment of the email validation technology.
DMARC, or Domain-based Message Authentication, Reporting & Conformance, is an email security protocol that builds on the existing SPF and DKIM standards and adds a reporting feature, so that senders and receivers can together improve the protection of a domain against malicious communications.
“Four years ago, we were seeing some phishing attacks but they weren’t as prominent in the news as they are now. This is why it’s of growing importance to promote the standard – I’m deeply puzzled as to why organisations are not more aware of it, it seems such a no-brainer to me,” says Jones.
Everyone is familiar with ‘personal ID theft’, she continues – “We know exactly how criminals do it. They target individuals to build a profile using email addresses, passwords, bank account numbers, credit card numbers, and then exploit it for their own criminal purposes – whether stealing money or data, or impersonating an individual to apply for financial products.”
Jones argues however that we don’t pay enough attention to the concept of ‘corporate ID theft’. She explains that cybercriminals are increasingly impersonating companies, sending emails on their behalf and attempting to commit criminal acts – “It is very easy to spoof companies. You could receive an email purporting to be from PayPal, your bank, or even your own CEO or financial director, asking you to make a payment.”
She admits that it is hard to sympathise with companies who fall for this trick, because the technology to stop it already exists. She notes too that if your CEO is asking for large payments there should be governance processes in place as a further layer on top of the technology, such as segregation of duties and stages of approval.
Beyond direct phishing attacks, Jones also points to ransomware, an increasingly prominent form of malware delivered by email. She describes a situation where a ransomware email tries to impersonate a company – “without authentication these attacks can be very successful. However, when DMARC is deployed, suddenly you’re going to make a big hit against this sort of attack.”
She highlights that DMARC can give credibility by guaranteeing that an email has truly come from who it purports to be from, and believes that all companies should deploy the technology as a critical authentication mechanism.
When it comes to email security, Jones explains that organisations tend to be more familiar with SPF and DKIM protocols. She suggests that combining these standards with DMARC could really make a dent in corporate ID theft, and could stop many of the phishing attacks that are currently targeting businesses.
Despite these obvious benefits, there is still a delay in adoption which puzzles Jones. She suspects that DMARC may simply seem hard to deploy. “For smaller organisations, there is typically one domain, so deploying DMARC would be relatively easy – it would mean modifying a couple of DNS records. However, even this process can seem daunting for SMEs. You have to be up to speed on cybersecurity and these companies don’t necessarily go looking for standards that they’re not aware of and nobody’s telling them about,” she says.
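To make the “couple of DNS records” and the SPF/DKIM combination concrete, here is an added Python example (not from the article, nor code from Jones, Agari or the Global Cyber Alliance) that parses a constructed DMARC TXT record and shows how a receiving mail server combines SPF and DKIM results with identifier alignment to decide the fate of a message whose visible From: address claims the protected domain. The domain names and the record are constructed samples, and the organisational-domain rule is a simplification.

```python
from dataclasses import dataclass

# Constructed sample: the TXT record a domain owner would publish at
# _dmarc.example.com asking receivers to reject mail that fails alignment.
DMARC_TXT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    # Simplified organisational-domain rule: the last two labels. Real
    # receivers consult the Public Suffix List so that e.g. co.uk works.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """Identifier alignment: strict ('s') = exact match, relaxed ('r') = same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

@dataclass
class AuthResult:
    header_from: str   # domain of the RFC5322.From header the user sees
    spf_pass: bool     # SPF result for the envelope MAIL FROM domain
    spf_domain: str
    dkim_pass: bool    # whether a DKIM signature verified
    dkim_domain: str   # d= tag of the verified signature

def dmarc_disposition(record, r):
    """Return 'pass', or the policy action (none/quarantine/reject) a receiver would apply."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.header_from, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.header_from, r.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= (if present) governs mail whose From: is a subdomain of the org domain.
    if "sp" in tags and r.header_from.lower() != org_domain(r.header_from):
        return tags["sp"]
    return tags["p"]
```

A spoofed “CEO” message that passes SPF and DKIM for the attacker's own domain still fails because neither identifier aligns with the From: domain, which is exactly the gap DMARC closes over SPF and DKIM alone.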
Regarding larger corporate groups, she notes that there would be many domains and governance processes to manage. “Suddenly you’re going to have to be involved with changing DNS records and getting around existing governance processes. People think implementing DMARC is far too hard, which is why we need to promote toolkits and help business streamline processes so that the standard can be deployed easily.”
As an avid DMARC supporter, Jones has joined up with U.S./UK non-profit group Global Cyber Alliance, which is pushing to advance DNS and DMARC initiatives. She notes that its first project will be to develop and distribute a toolkit for organisations to help them understand and deploy DMARC mechanisms. In addition to the efforts from non-profit groups, she concludes that the recent addition of major companies to the DMARC roster, including Apple, American Express, and GSK, will further encourage a wider interest and garner more visibility for the technology.