Well over 2,000 years ago, Aristotle, a Greek philosopher, defined a concept that we know and use today: causality, commonly known as "cause and effect". In fact, he proposed that causality has four contributing factors, or causes, that can identify the reason for anything occurring.
Don't worry, you haven't landed on Philosophy_101.com, but as I sit here typing away on my laptop, I am truly awed and deeply humbled by the incredible intelligence of these early scientists and philosophers who lived in the 3rd century BC.
Back to the present day: Aristotle can still help all of us in the fight against cybercrime, specifically against the confidence tricksters who impersonate our favourite brands.
The FBI has recently reported that email domain impersonation, or spoofing, has cost us a staggering $2 billion USD over a period of only two years!
Applying Aristotle's writings on cause and effect to email domain spoofing, we can deduce that poorly configured email platforms will be targeted by cyber criminals, and that the outcome will be some type of security breach: the loss of personally identifiable information, credit card data, or perhaps even strategically important information that happens to sit on your own home email server rather than on the more secure State Department infrastructure!
What is more striking about some of the security breaches of the recent past is that the basic security principles most school kids understand were not applied; the Bangladesh Central Bank and SWIFT hack comes to mind. What do you expect when anyone can wander in off the internet, stop over at the local bank branch network thanks to a non-existent firewall, and make a number of withdrawals? Cause and effect!
So, back to email domain spoofing. You will be surprised at how many organisations today, after so many security breaches, seem to feel no urgency about securing their email domains, even though the email-borne threat has become the vector of choice for cyber criminals. The public domain holds a lot of identifiable information about an organisation's email platforms, which is very useful for identifying potential weaknesses.
Remember that email is not only for internal communications but also for communicating with your customers and suppliers. Securing your email domains will keep all stakeholders happy. So what can you do? Here is a small list to get you going.
1. Add an SPF record. Sender Policy Framework is a public record, located in your domain's DNS, that identifies the servers, internal or third-party, that are authorised to send email on your behalf. Many organisations today have misconfigured SPF records, and many more have no SPF record at all. This typically occurs when a cloud-based email and web gateway has been subscribed to. In this scenario of no SPF but a cloud-based email gateway, protection is focused primarily on your internal users, not on your external customers and suppliers. And it does not protect you against email domain spoofing unless you also have DMARC configured.
2. Add a DMARC record. This is also a public record; it checks for alignment between the two FROM addresses carried by an email. We discussed this in a previous blog, The Fundamental Flaw in Email. DMARC will produce an audit of all the email senders of your domains, authorised or not. A policy is applied in much the same way as with the SPF record: pass through, quarantine or reject.
3. Add a DKIM record. DKIM essentially confirms that the email was sent from the domain by using a public/private key pair between the sender's and the receiver's email servers. DMARC's output then reports alignment across all three records: SPF, DKIM and DMARC.
4. Monitoring these records is just as important as configuring them in your domain's DNS. Drilling down into the email volume per domain with the Authentiscope tool provides an excellent view of all servers sending email on your domain's behalf: trusted servers, known third-party providers, forwarders, and threats or unknowns.
5. Layered email security. I am a big advocate of subscribing to a cloud-based email and web secure gateway service in conjunction with a premises-based appliance from an alternate vendor. Above all, the cloud gateway must be DMARC compliant to take advantage of the record you have configured in your domain's DNS.
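To show what items 1 to 4 look like in practice, here is an added example (my own illustration, not code from the original post or from the Authentiscope tool) that inspects SPF and DMARC TXT records for the weak settings described above and applies the DMARC alignment test. The TXT records in SAMPLE_TXT are constructed sample data standing in for real DNS lookups, and the organisational-domain rule is simplified to the last two labels.

```python
# Added example, not from the original post: check published SPF/DMARC records
# for weak settings and test DMARC identifier alignment on constructed data.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.gateway.example ip4:203.0.113.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r",
    "weak.example": "v=spf1 a mx +all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
}

def spf_findings(record):
    """Return weaknesses found in an SPF TXT record (empty list = acceptable)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_term in ("all", "+all"):
        return ["'+all' authorises every host on the internet to send as you"]
    if all_term == "~all":
        return ["'~all' softfail only; move to '-all' once all senders are listed"]
    return []

def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    if not record or not record.upper().startswith("V=DMARC1"):
        return {}
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_findings(record):
    """Return weaknesses in a DMARC record (empty list = acceptable)."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no DMARC record published"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings

def aligned(header_from, auth_domain, mode="r"):
    """DMARC alignment: strict ('s') needs an exact domain match, relaxed ('r')
    accepts the same organisational domain (simplified here: last two labels)."""
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org(header_from) == org(auth_domain)
```

Pointing the same functions at live TXT answers for your own domains (for example from a DNS library or `dig TXT _dmarc.yourdomain`) turns this into the monitoring check item 4 calls for.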
So don't despair, throw your hands up in the air and say, "What can we do against email domain spoofing?" Well, here is a small list; get going!
By Con Lokos