Think your email is secure? Don’t: odds are, you’re doing it wrong

Ongoing lack of awareness is compromising Australian companies’ defence against email-based phishing and business email compromise attacks, one security executive has warned as new research suggests that 73 percent of Australia’s largest 100 companies still haven’t implemented the current best-practice standard for blocking domain spoofing.

The audit of ASX 100 companies – conducted by Domain-based Message Authentication, Report & Conformance (DMARC) standard contributor Agari and Australian security consultancy InfoTrust – found that 96 of the companies still had not implemented the highest level of control in the DMARC standard by instructing recipients to quarantine or reject messages that don’t pass DMARC checks.

Fully 73 percent of the surveyed companies had not adopted DMARC at all – noted by the conspicuous absence of a DMARC policy in the public DNS records where DMARC is implemented. Of those that had, all but 4 were running a ‘monitor’ policy that allows for reporting on spam volumes but does not take formal action to block them.

The surprising shortfall in DMARC adoption highlighted a gap in awareness amongst CISOs that either have not heard of DMARC, or have implemented its subsidiary Sender Policy Framework (SPF) standard and assumed their work was done. DMARC requires messages pass checks with SPF or the related DomainKeys Identified Mail (DKIM) standard as well as checks to confirm email addresses are aligned with registered domains.

“Awareness is still very much a part of the issue,” Agari chief technology officer Vidur Apparao told CSO Australia, “and another part is the scope of the team’s sense of what their responsibility is. There are still security teams that are very parochial – and we still talk to well-informed CISOs and security operators who are not aware of the availability of this technology.”

Email authentication regimes like DMARC have become increasingly important as the volume of phishing emails and business email compromise (BEC) attacks exploded in recent years, with a recent Australian Criminal Intelligence Commission report noting 749 cases of BEC reported during fiscal 2015-16.

Proofpoint’s recent 2017 Human Factor Report found that BEC was the biggest cybersecurity threat to Australian businesses, having risen from 1 percent of the volume of banking Trojan-carrying emails in 2015 to 42 percent by the end of 2016.

More than 90 percent of malicious emails with maliciously-constructed URLs led users to credential phishing pages, Proofpoint found, while 99 percent of email-based financial fraud attacks relied on human clicks to install malware. The firm also noted a 150 percent increase in attacks in which cybercriminals created a social-media account that emulated that of a trusted brand, and in its latest quarterly update noted that BEC attacks had jumped by 30 percent from Q1 to Q2 this year.

With security compromises rife and brands as well as data at stake from malicious activity, Apparao said DMARC represents a powerful tool in blocking deceptive and fraudulent emails before they even get to the intended receipients.

“We have seen DMARC used as a very effective protocol to prevent a large class of the types of attacks that impact all of us as users of email,” he said. “But its impact, even within the largest and most impacted companies, is still not where it needs to be.”

Tightening governance requirements had seen some companies and government agencies paying new attention to the need for DMARC and, in particular, the “journey to get to reject” – the DMARC configuration setting in which messages are flat-out rejected by the email server and never reach the business.

Reaching this level of surety can’t be done “overnight”, Apparao admitted, but until companies get there “you really are offering no greater protection to yourselves or your customers than if you have a log-only or no policy at all.”

DNS-level protection has become more important in security defences as cybercriminals refine domain generation algorithms (DGAs) that generate large volumes of domain names to support malware command-and-control activities. DNS traffic “plays a significant role in security monitoring,” Akamai security specialists warned in the company’s latest quarterly State of the Internet Security Report. “it requires defenders to have visibility into current blind spots that may be overlooked…. DNS traffic can be monitored to discover infections that might otherwise evade detection.”

The lack of DMARC maturity is in line with broader immaturity amongst Australian companies identified by Simon Piff, vice president of IDC’s Asia Pacific Security Practice. Speaking at this month’s CloudSec conference in Sydney, Piff noted that fully 10.1 percent of businesses are still at the ‘naïve novice’ stage of security practice and 51.3 percent were at the ‘reactive responder’ stage. This was well ahead of APAC overall but still far short of the ideal.

“With just over a quarter of Australian businesses having taken, at a minimum, the first step in adopting DMARC to combat the threat of digital deception,” the Agari report notes, “it is evident that a high level of education still needs to be undertaken in this market.”