Fortimail Email Authentication: SPF, DKIM and DMARC
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
DMARC and Email Authentication
DMARC and Email Authentication Steve Jones Executive Director DMARC.org Cloud & Messaging Day 2016 Tokyo, Japan November 28th, 2016 What is DMARC.org? • DMARC.org is an independent, non-profit advocate for the use of email authentication • Supported by global industry leaders: Sponsors: Supporters: Copyright © 2016 Trusted Domain Project 2 What Does DMARC Do, Briefly? • DMARC allows the domain owner to signal that fraudulent messages using that domain should be blocked • Mailbox providers use DMARC to detect and block fraudulent messages from reaching your customers • Organizations can use DMARC to perform this filtering on incoming messages – helps protect from some kinds of phishing and “wire transfer fraud” email, also known as Business Email Compromise (BEC) • Encourage your partners/vendors to deploy inbound DMARC filtering for protection when receiving messages • More information available at https://dmarc.org Copyright © 2016 Trusted Domain Project 3 Overview Of Presentation •DMARC Adoption •Case Study - Uber •Technical Challenges •Roadmap Copyright © 2016 Trusted Domain Project 4 DMARC Adoption This section will provide an overview of DMARC adoption since it was introduced, globally and within particular country-specific top-level domains. It will also show how the DMARC policies published by top websites has evolved over the past two years. Copyright © 2016 Trusted Domain Project 5 Deployment & Adoption Highlights 2013: • 60% of 3.3Bn global mailboxes, 80% consumers in US protected • Outlook.com users submitted 50% fewer phishing -
DMARC — Defeating E-Mail Abuse
CERT-EU Security Whitepaper 17-001 DMARC — Defeating E-Mail Abuse Christos Koutroumpas ver. 1.3 February 9, 2017 TLP: WHITE 1 Preface E-mail is one of the most valuable and broadly used means of communication and most orga- nizations strongly depend on it. The Simple Mail Transport Protocol (SMTP) – the Internet’s underlying email protocol – was adopted in the eighties and is still in use after 35 years. When it was designed, the need for security was not so obvious, and therefore security was not incor- porated in the design of this protocol. As a result, the protocol is susceptible to a wide range of attacks. Spear-phishing campaigns in particular can be more successful by spoofing (altering) the originator e-mail address to imper- sonate a trusted or trustworthy organization or person. This can lead to luring the recipient into giving away credentials or infecting his/her computer by executing malware delivered through the e-mail. While raising user awareness on how to avoid e-mail fraud is recommended, the Verizon Data Breach Investigations Report indicates that more needs to be done. The DBIR report reveals that 30% of all phishing e-mail messages were opened by the recipients and with 12% clicked on the content and executed malicious code. The median time for the first user of a phishing campaign to open the malicious email is 1 minute, 40 seconds. The median time to the first click on the attachment was 3 minutes, 45 seconds. These statistics highlight the risk for an organization on the receiving end of spear-phishing e-mails. -
Electronic Mail Standard
IT Shared Services Standard: Electronic Mail Standard For South Carolina State Agencies Version 1.0 Effective: August 8, 2018 Revision History: Date Authored by Title Ver. Notes Recommended by the Security and Architecture 08.08.2018 Standards 1.0 Executive Oversight Group. Review Board Standard finalized. Electronic Mail Standard | 2 Contents Revision History: ................................................................................................................................... 1 Electronic Mail ...................................................................................................................................... 4 Rationale ........................................................................................................................................... 4 Agency Exception Requests ............................................................................................................... 4 Current State..................................................................................................................................... 4 Purchasing......................................................................................................................................... 4 Maintenance ..................................................................................................................................... 5 Service Level Agreements ............................................................................................................. 5 Security ............................................................................................................................................ -
DHS Mandates DMARC for Email Security
Agari U.S. Federal Government DMARC Adoption: DHS Mandates DMARC for Email Security Executive Summary On October 16, 2017, the U.S. Department of Homeland Security issued a Binding Operational Directive (BOD) 18-01 that mandates the implementation of specific security standards to strengthen email and 82% of all Federal domains have no web site security. As part of this directive, all federal agencies that operate DMARC policy .gov email domains must implement a DMARC monitoring policy (p=none) within 90 days. Furthermore, all federal agencies must move to a reject policy (p=reject) by 1 year. Based on Agari research of public DNS records, 82% percent of all US Federal Government domains do not have a DMARC policy, leaving their constituents unprotected from phishing and other forms of email attacks 86% of Federal that impersonate their agency email domains. Cybercriminals exploit this domains that use DMARC choose Agari 1 vulnerability by sending billions of phishing emails per year claiming to be from these government agencies. 1 Includes all domains that send aggregate data to a 3rd party DMARC vendor. 1 | www.agari.com Email Abuse on Federal Agency Domains Phishing continues to be a pervasive threat in the United States and around the world.The impact of these threats has been felt specifically by government agencies. Beyond the high-profile targeted attacks that have made headlines, criminals are executing phishing attacks leveraging the brand name of agencies. Indeed, over the last six months, Agari has seen an amplification of attacks against our Federal customers. As the following chart indicates, on the email-sending and defensive domains that we monitor, 25% of email volume was malicious or failing authentication. -
DMARC Jesse Thompson, Technical Architect University of Wisconsin-Madison [email protected] Motivation → Authenticity
Email Authenticity with DMARC Jesse Thompson, Technical Architect University of Wisconsin-Madison [email protected] Motivation → Authenticity ● Mail your institution sends isn’t accounted for ● Mail claiming to be your domain may be fraud ● Instead of filtering the bad...we start authenticating the good? Functional Motivators for Email Authenticity 1. Deliverability: Google/MS/etc starting to require 2. Policies: DHS Binding Operational Directive 18-01 3. Security: Stop abuse Build on SPF SPF = Sender Policy Framework Publish in DNS a list of servers authorized for MAIL FROM (SMTP envelope return path). Receivers consult list. https://tools.wordtothewise.com/spf/check/wisc.edu wisc.edu. 3600 IN TXT "v=spf1 ip4:144.92.197.128/25 ?all" Build on DKIM DKIM = Domain Keys Identified Mail Attach signatures to email. Public key in DNS. Receivers verify signature. https://tools.wordtothewise.com/dkim/check/wisc.edu/selector1 DKIM-Signature: v=1; a=rsa-sha256; d=wisc.edu; s=selector1; c=relaxed/relaxed; q=dns/txt; t=1126524832; x=1149015927; h=from:to:subject:date:keywords:keywords; bh=MHIzKDU2Nzf3MDEyNzR1Njc5OTAyMjM0MUY3ODlqBLP=; b=hyjCnOfAKDdLZdKIc9G1q7LoDWlEniSbzc+yuU2zGrtruF00ldcF VoG4WTHNiYwG Build on SPF and DKIM SPF Problems: ○ Users can’t see MAIL FROM / no alignment to Header From domain ○ Forwarding / mailing lists ○ DNS lookup limit of 10 ○ Inconsistent enforcement by receivers DKIM Problems: ○ Users can’t see key selector / no alignment to Header From domain ○ Message modification in transit / mailing lists ○ Key management / vendor support Protagonist → Header From domain Need to create a link between the domain and the message. dmarc.org What is DMARC? Domain-based Message Authentication Reporting and Conformance 1. -
FAQ: DMARC for Email Service Providers Email Authentication Is Becoming a Big Deal
FAQ: DMARC for Email Service Providers Email authentication is becoming a big deal. Here’s a guide to the key standards from ValiMail. FAQ: DMARC for Email Service Providers Port25 Evaluation Requests By Hourly Email Volume 34.22% 17.63% Less Than Greater 10K than 1M 12.09% Between 250K-1M Why email authentication matters: This is how non-authenticated email 30.24% 13.94% will look in Gmail and Outlook, starting sometime in 2016. Between Between 10K-50K 50K-250K WHAT IS DMARC? DMARC — Domain-based Message Authentication, Reporting and Conformance — is an open email authentication standard that sending domains use to block fraudulent emails. DMARC is built on top of two earlier standards — SPF and DKIM — and adds additional Port25 LinkedIn Engagement Data features like reporting, policy definition, and the notion of identity By Company Size alignment. 7.37% DOES DMARC STOP PHISHING? 201-500 Employees When configured correctly, DMARC can completely stop phishing 8.42% attacks in which the attacker sends an email with a ‘From’ address 5,001-10,000 that appears to originate from a protected domain. As this is the Employees 25.26% 10,001+ primary form of phishing attack, DMARC is a very effective tool to Employees defend customers, employees, partners, and others from phishing. 8.42% 11-50 Employees DOES DMARC HELP DELIVERABILITY? Large-scale email receivers, such as Google, Microsoft, and 8.95% 16.32% 1,001-5,000 51-200 Yahoo!, are increasingly requiring that email messages be properly Employees Employees authenticated in a DMARC-compliant way. So adding a DMARC record for a domain, in conjunction with properly configured SPF and/or DKIM records, will help ensure proper delivery. -
DMARC: Monitor & Secure Your Email Delivery
Guide DMARC: Monitor & secure your email delivery Chris Nagele Founder of Wildbit postmarkapp.com Read the web version. Do you know every source of email for your domain? Are spammers trying to spoof your email domain for hacking or fraud opportunities? Are you complying with the best email practices to ensure inbox delivery? These are the questions that DMARC answers, giving you full control of email delivery for your company’s domain. At Postmark, email authentication has been extremely important to us from day one. We believe that anyone should be able to easily send emails with proper infrastructure, tools, and email standards without having to pay enterprise prices. DMARC, and our support of it, is a big part of this mission. 2 What is DMARC? DMARC (Domain-based Message Authentication, Reporting & Conformance) is a standard that prevents spammers from using your domain to send email without your permission — also known as spoofing. Spammers can forge the “From” address on messages so the spam appears to come from a user in your domain. A good example of this is PayPal spoofing, where a spammer sends an email to you pretending to be PayPal in an effort to obtain your account information. DMARC ensures these emails get blocked before you even see them in your inbox. In addition, DMARC gives you great visibility and reports into who is sending email on behalf of your domain, ensuring only legitimate email is received. The good news is that DMARC is open and free for anyone to use, allowing you to secure your domain’s emails and gain control of your email delivery. -
DMARC Reports
Bootcamp Shehzad Mirza Director of Operations [email protected] [email protected] DMARC Reporting & Analysis: What Happens Next 3 DMARC DNS TXT Record • Basic: Host: _dmarc. <domainname> Value: v=DMARC1; p=quarantine; rua=mailto:<email address>; ruf=mailto:<email address>; • Complex: Host: _dmarc. <domainname> Value: v=DMARC1; p=none; rua=mailto:<email address>; ruf=mailto:<email address>; fo=1; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=reject; 4 Overview 5 1 2 3 4 6 7 5 DMARC Reports • DMARC Generates two types of reports: • Aggregate • Forensic 6 Forensic/Failure Reports (ruf tag) • Number of reports is dependent on amount of email sent • Reports will provide insiGht as to which messaGes were marked as suspicious • Concerns with privacy 7 Sample Forensic/Failure Report 8 Aggregate Reports (rua tag) • Reports sent in XML format to email of choice (can be sent to multiple addresses) • Number and lenGth of reports is dependent on amount of email sent • Allows for: • IT staff to correct any issues with valid messages being dropped by the policy • Visibility into which systems are sending email using org’s domain name (authorized and unauthorized sending IP addresses) 9 <?xml version="1.0" encoding="UTF-8" ?> <feedback> <report_metadata> <org_name>google.com</org_name> <email>[email protected]</email> <extra_contact_info>https://support.google.com/a/answer/2466580</extra_contact_info> <report_id>6156901232184779430</report_id> <date_range> <begin>1466121600</begin> <end>1466207999</end> </date_range> -
What Is DMARC, SPF, and DKIM? • How to Configure • Common Mistakes • Best Practices • How Phishes Get By
How to Prevent 81% of Phishing Attacks From Sailing Right Through DMARC, SPF, and DKIM Roger A. Grimes Data-Driven Defense Evangelist [email protected] About Roger • 30 years plus in computer security • Expertise in host and network security, IdM, crypto, PKI, APT, honeypot, cloud security • Consultant to world’s largest companies and militaries for decades • Previous worked for Foundstone, McAfee, Microsoft • Written 11 books and over 1,000 magazine articles • InfoWorld and CSO weekly security columnist since 2005 • Frequently interviewed by magazines (e.g. Newsweek) and radio shows (e.g. NPR’s All Things Considered) Roger A. Grimes Certification exams passed include: Data-Driven Defense Evangelist KnowBe4, Inc. • CPA • CISSP Twitter: @RogerAGrimes • CISM, CISA LinkedIn: https://www.linkedin.com/in/rogeragrimes/ • MCSE: Security, MCP, MVP • CEH, TISCA, Security+, CHFI • yada, yada Roger’s Books 3 KnowBe4, Inc. • The world’s most popular integrated Security Awareness Training and Simulated Phishing platform • Based in Tampa Bay, Florida, founded in 2010 • CEO & employees are ex-antivirus, IT Security pros • 200% growth year over year • We help tens of thousands of organizations manage the problem of social engineering 4 Today’s Presentation • What is DMARC, SPF, and DKIM? • How to Configure • Common Mistakes • Best Practices • How Phishes Get By 5 • What is DMARC, SPF, and DKIM? § How to Configure Agenda • Best Practices • How Phishes Get By 6 DMARC, DKIM, SPF Global Phishing Protection Standards • Sender Policy Framework (SPF) • Domain -
A Security Analysis of Email Communications
A security analysis of email communications Ignacio Sanchez Apostolos Malatras Iwen Coisel Reviewed by: Jean Pierre Nordvik 2 0 1 5 EUR 28509 EN European Commission Joint Research Centre Institute for the Protection and Security of the Citizen Contact information Ignacio Sanchez Address: Joint Research Centre, Via Enrico Fermi 2749, I - 21027 Ispra (VA), Italia E-mail: [email protected] JRC Science Hub https://ec.europa.eu/jrc Legal Notice This publication is a Technical Report by the Joint Research Centre, the European Commission’s in-house science service. It aims to provide evidence-based scientific support to the European policy-making process. The scientific output expressed does not imply a policy position of the European Commission. Neither the European Commission nor any person acting on behalf of the Commission is responsible for the use which might be made of this publication. All images © European Union 2015, except: Frontpage : © bluebay2014, fotolia.com JRC 99372 EUR 28509 EN ISSN 1831-9424 ISBN 978-92-79-66503-5 doi:10.2760/319735 Luxembourg: Publications Office of the European Union, 2015 © European Union, 2015 Reproduction is authorised provided the source is acknowledged. Printed in Italy Abstract The objective of this report is to analyse the security and privacy risks of email communications and identify technical countermeasures capable of mitigating them effectively. In order to do so, the report analyses from a technical point of view the core set of communication protocols and standards that support email communications in order to identify and understand the existing security and privacy vulnerabilities. On the basis of this analysis, the report identifies and analyses technical countermeasures, in the form of newer standards, protocols and tools, aimed at ensuring a better protection of the security and privacy of email communications. -
98-367: Security Fundamentals
98-367: Security Fundamentals 1. Understand security layers (25–30%) 1.1. Understand core security principles Confidentiality; integrity; availability; how threat and risk impact principles; principle of least privilege; social engineering; attack surface analysis; threat modelling 1.2. Understand physical security Site security; computer security; removable devices and drives; access control; mobile device security; disable Log On Locally; keyloggers 1.3. Understand Internet security Browser security settings; zones; secure websites 1.4. Understand wireless security Advantages and disadvantages of specific security types; keys; service set identifiers (SSIDs); MAC filters 2. Understand operating system security (30–35%) 2.1. Understand user authentication Multifactor authentication; physical and virtual smart cards; Remote Authentication Dial- In User Service (RADIUS); Public Key Infrastructure (PKI); understand the certificate chain; biometrics; Kerberos and time skew; use Run As to perform administrative tasks; password reset procedures 2.2. Understand permissions File system permissions; share permissions; registry; Active Directory; NT file system (NTFS) versus file allocation table (FAT); enable or disable inheritance; behavior when moving or copying files within the same disk or on another disk; multiple groups with different permissions; basic permissions and advanced permissions; take ownership; delegation; inheritance 2.3. Understand password policies Password complexity; account lockout; password length; password history; time -
BOD-18-01 Original Release Date: Applies To: All Federal Executive Branch Departments and Agencies
Secretary U.S. Department of Homeland Security Washington,DC 20528 Homeland Security Binding Operational Directive BOD-18-01 Original Release Date: Applies to: All Federal Executive Branch Departments and Agencies FROM: Elaine C. Duke Acting Secretary OCT 1 6 20t7 CC: Mick Mulvaney Director, Office of Management and Budget SUBJECT: Enhance Email and Web Security A binding operational directive is a compulsory direction to federal, executive branch, departments and agencies for purposes of safeguardingfederal information and information systems. 44 U.S.C. § 3552(b)(l). The Department ofHomeland Security (DHS) develops and oversees the implementation ofbinding operational directivespursuant to the Federal InformationSecurity Modernization Act of2014 ("FISMA"). Id.§ 3553(b)(2). Federal agencies are required to comply with these DHS-developed directives. Id. § 3554(a)(l)(B)(ii). DHS binding operational directivesdo not apply to statutorily defined"National Security Systems" or to certain systems operated by the Department ofDefense orthe Intelligence Community. Id. § 3553(d)-(e). I. Background Federal agency 'cyber hygiene' greatly impacts user security. By implementing specific security standards that have been widely adopted in industry, federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system. Based on current network scandata and a clear potential forharm, this directive requires actions related to two topics: email security and web security. A. Email Security STARTTLS When enabled by a receiving mail server, STARTTLS signals to a sending mail server that the capability to encrypt an email in transit is present.