Just recently, Twitter announced that if you receive an email from them you need not worry about it being a phishing attack sent from a spoofed address. The email can be trusted because Twitter now uses DMARC email authentication: receiving providers that honor DMARC can discard mail that claims to come from Twitter's domain but fails authentication.
DMARC, or Domain-based Message Authentication, Reporting and Conformance, is a standard built on top of the existing email authentication mechanisms Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). A domain owner publishes a DNS record telling receivers what to do with mail that claims to be from the domain but fails an SPF or DKIM check aligned with the From: header (do nothing, quarantine, or reject), and receivers send the owner reports on what they saw. Mailbox providers such as Gmail, AOL, Yahoo Mail and Microsoft's Hotmail and Outlook check DMARC policies on inbound mail, so a message from a participating domain that does reach a recipient's inbox has passed that check rather than being a forgery of the sender's address.
However, this is starting to look like yet another silver bullet expected to solve the plague of spam, phishing and other malicious email that threatens so many people.
Business leaders often read announcements like this as a sign that spam is no longer a problem. Much like news reports claiming that "spam is dead", or even those that merely show spam volumes are down, they do serious damage to email security. The damage comes from decision makers no longer seeing malicious email as a real threat: if spam is dead and DMARC can prove that emails are genuine, then "why do we need to spend money on additional security?" becomes a hard question to answer.
Educating Decision Makers
Cutting spam protection could certainly help your organization save a bit of cash. For those faced with budget constraints any type of savings is usually looked upon favorably.
However, if you are the one tasked with keeping spam out and email secure, you do not want the person in charge of your budget making that decision without your input. To make the case for spending on anti-spam technology, whether it is a new purchase, an upgrade or simply maintaining existing services, make sure whoever decides understands that fighting email-borne threats is an ongoing battle that requires a layered approach.
Layer 1 – The outermost layer relies on controls you do not own, like DMARC. You have no say in whether other organizations publish SPF, DKIM or DMARC records for their domains, or what policy they choose; a domain with no DMARC record, or one published with a policy of p=none, gives you nothing to act on. DMARC also only prevents exact-domain spoofing: it does nothing against a lookalike domain the attacker registered, or against a phishing message sent from a legitimate but compromised account, which authenticates perfectly.
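As an added example (not part of the original article) of what Layer 1 actually hands a receiver, here is the DMARC decision for a single message: parse the sender domain's DMARC record, check whether the SPF or DKIM result is aligned with the From: domain, and return either a pass or the action the domain owner asked for. The record and authentication results are constructed for this example; organizational-domain handling is simplified to the last two labels where a real receiver uses the Public Suffix List, and the pct tag is parsed but not applied.

```python
"""Evaluate a DMARC policy for one message (added example, constructed inputs)."""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s; ...' into a tag dictionary.

    Defaults follow RFC 7489: relaxed alignment for both identifiers,
    pct=100, and the subdomain policy (sp) inherits p when absent.
    """
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    tags.setdefault("sp", tags["p"])
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.

    Assumption/simplification: a real receiver consults the Public Suffix
    List so that example.co.uk is not collapsed to co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver already knows before DMARC is evaluated."""
    spf_result: str              # "pass", "fail", "none", ...
    spf_domain: Optional[str]    # MAIL FROM domain SPF was checked against
    dkim_result: str
    dkim_domain: Optional[str]   # d= tag of the verified DKIM signature


def dmarc_disposition(from_domain: str, record: str, auth: AuthResults) -> str:
    """Return 'pass', or the requested action: 'none', 'quarantine' or 'reject'.

    Assumes the record was published at the organizational domain, so the
    subdomain policy applies whenever From: is a subdomain of it.
    """
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain else tags["p"]


# Constructed record, as it might be returned for _dmarc.example.com TXT
EXAMPLE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes on a bounce subdomain; relaxed aspf accepts it
    print(dmarc_disposition("example.com", EXAMPLE_RECORD,
                            AuthResults("pass", "bounce.example.com", "none", None)))
    # Forged From: with no usable authentication at all
    print(dmarc_disposition("example.com", EXAMPLE_RECORD,
                            AuthResults("fail", "attacker.example", "none", None)))
    # Signed with d=mail.example.com; under adkim=s that does not align with example.com
    print(dmarc_disposition("example.com", EXAMPLE_RECORD,
                            AuthResults("fail", "attacker.example", "pass", "mail.example.com")))
```

The third case is the one that bites legitimate senders: a strict alignment setting the domain owner chose turns a correctly signed message from a subdomain into a reject, which is exactly the kind of decision you, as the receiver, have no influence over.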
Layer 2 – Email security solutions are the next layer of defense. Here, email messages are scanned to see if they pose a threat. Typical solutions will look at:
- The sender's address and sending server, to see if they are a known source of spam
- The subject line of the email
- The content of the email, to see if it contains anything that may indicate the message is spam or phishing
- Any attachments, to see if they may be malware
These security solutions also dissect the message for many other indicators depending upon the level of protection offered. Like your overall security plan, any email security solution should provide multiple layers of defense to protect against the many different threats.
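To make the Layer 2 checks concrete, here is an added example (written for this article, not taken from any vendor's product) that runs the four checks listed above, plus a look at the DMARC result that Layer 1 left in the Authentication-Results header, over two constructed messages and returns a score with the reasons behind it. The blocklist, subject patterns, extension list, weights and thresholds are all assumptions; a production filter draws them from reputation feeds and tuning.

```python
"""Rule-based screening of inbound mail (added example with constructed inputs)."""
import os
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Tuple
from urllib.parse import urlparse

# Assumptions: in practice these come from reputation feeds and tuning.
BLOCKED_SENDER_DOMAINS = {"bulk-deals.example", "prize-notify.example"}
SUBJECT_PATTERNS = [re.compile(p, re.I) for p in
                    (r"\burgent\b", r"\baccount (suspended|locked)\b", r"\bverify your\b")]
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat"}
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.I)


def sender_domain(msg) -> str:
    """Domain part of the From: header address (what the user sees)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def shown_host(anchor_text: str) -> str:
    """Hostname a user would read in the link text, or '' if it is not a URL."""
    text = re.sub(r"<[^>]+>", "", anchor_text).strip()
    if not re.match(r"^(https?://|www\.)", text, re.I):
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


def scan_message(raw: str) -> Tuple[int, List[str]]:
    """Score one RFC 5322 message; a higher score means more likely malicious."""
    msg = message_from_string(raw)
    score, reasons = 0, []

    # 1. Sender reputation, plus what Layer 1 (DMARC) already decided about it
    dom = sender_domain(msg)
    if dom in BLOCKED_SENDER_DOMAINS:
        score += 5
        reasons.append(f"sender domain {dom} is on the blocklist")
    m = DMARC_RE.search(msg.get("Authentication-Results", ""))
    if m and m.group(1).lower() == "fail":
        score += 4
        reasons.append("DMARC failed for the From: domain")

    # 2. Subject line
    subject = msg.get("Subject", "")
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            score += 2
            reasons.append(f"subject matches {pat.pattern!r}")

    for part in msg.walk():
        # 4. Attachments: executable types, often disguised with a double extension
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename.lower())[1]
            if ext in DANGEROUS_EXTENSIONS:
                score += 5
                reasons.append(f"attachment {filename} has executable type {ext}")
            continue
        # 3. Body content: link text that shows one host while the href goes elsewhere
        if part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for href, text in ANCHOR_RE.findall(body):
                link_host = (urlparse(href).hostname or "").lower()
                visible = shown_host(text)
                if visible and link_host and visible != link_host:
                    score += 3
                    reasons.append(f"link shows {visible} but points to {link_host}")
    return score, reasons


def verdict(score: int) -> str:
    """Assumed thresholds: quarantine at 10, flag at 5, otherwise deliver."""
    return "quarantine" if score >= 10 else "flag" if score >= 5 else "deliver"


# Constructed sample messages
PHISH = """\
From: "Bank Security" <alerts@prize-notify.example>
To: victim@example.org
Subject: URGENT: your account suspended
Authentication-Results: mx.example.org; dmarc=fail header.from=prize-notify.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Click <a href="http://login.bank-example.net/verify">https://www.bank.example.com</a> now.</p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

BENIGN = """\
From: Alice <alice@example.com>
To: bob@example.org
Subject: Lunch on Thursday?
Authentication-Results: mx.example.org; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Shall we try the new place on 4th Street?
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        s, why = scan_message(raw)
        print(name, s, verdict(s), why)
```

No single rule decides the outcome: the constructed phishing message trips every check and lands well past the quarantine threshold, but drop the attachment and the blocklisted sender and it would still be flagged on the DMARC failure, the subject and the mismatched link alone, which is why the layers within an email security product matter as much as the layers around it.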
Layer 3 – Local security on the device comes next. Laptops and desktops should be running anti-virus software to protect against malware that may be delivered to the recipient as an attachment or through a link to a malicious website that was embedded in an email message. This solution should be centrally managed and frequently updated to keep systems free of harmful software. In addition to protecting laptops and desktops, mobile devices like smartphones and tablets should also have anti-virus software installed.
Layer 4 – The user should make up the final layer of your email security plan. They should know how to avoid malicious emails, how to spot them and most importantly – what to do if they receive them. Anti-spam solutions that make it easy for your users to quarantine and report suspicious emails go a long way in keeping your organization safe.
Of course, setting up a security program like the one outlined here only works if the policies and procedures that govern it are in place. The moment an organization decides it no longer needs one or more of the layers described here, it puts itself at serious risk.
As the email administrator, it is your responsibility not only to re-evaluate the products, policies and procedures that keep your organization safe, but also to keep your supervisors apprised of what those controls are doing to protect your assets from compromise.