[dmarc-discuss] On Inbound DMARC Support
Steven M Jones
smj at crash.com
Thu Jun 19 16:56:20 PDT 2014
On 06/19/2014 08:22 AM, John Levine via dmarc-discuss wrote:
>> But if it can help put any dent whatsoever in the endless stream of
>> corporate data breaches, for example, I think it's a net benefit for
Before I continue: No, DMARC is not designed to prevent data breaches,
and will not eliminate all data breaches - any more than it will
eliminate all phishing. And the above does not claim it will do so.
However, DMARC can help remediate a vector commonly used to initiate an
intrusion against corporate networks, and recent data breaches have
shown phishing was a key step leading to the theft of consumer data.

> How can DMARC prevent breaches? At most we've seen it defend
> imperfectly against the consequences of a very specific and unusual kind
> of breach in which they stole address books of individual mail users.
> For the typical breach of financial information, it's irrelevant.

Phishing is targeted at corporate mailboxes, with one goal being to open
a way into the corporate infrastructure. Access to the infrastructure is
the first step in gaining whatever data you're after. Same-domain
phishing is highly effective, so anything that addresses it is a prudent
control to deploy. Thus, inbound DMARC filtering is desirable for
The corporate information security sector is well aware of the inbound

* net-security.org: "Most cyber-attacks begin with spear-phishing emails"
* Verizon 2014 data breach report: "Users will be phished, and they
  will eventually click"
    o "... even a [phishing] campaign consisting of a small number of
      messages has a high probability of success" - 9-18% depending on
    o "Once the phishing email has done its work ... the name of the
      game is [getting the data by leveraging network access]."
* June 12, 2013: "The FBI has seen an increase in criminals who use
  spear-phishing attacks to target multiple industry sectors. These
  attacks allow criminals to access private computer networks."
* Trusteer: "Spear-phishing is one of the main tools used by attackers
  to compromise endpoints and gain a foothold in the enterprise network."
* Computerworld 2011: Phishing emerges as major corporate security threat

A few examples of successful phishing of corporations leading to
consumer data breach:
* The 2013 Target data breach was initiated by a phishing attack -
70+MM consumers affected?
* In 2012 the South Carolina Dept of Revenue suffered a data breach
due to credential theft via phishing - 5.7MM people, 700k
businesses, and 3.3MM bank accounts
* In 2010 Epsilon (the ESP) was the victim of a phishing attack that
ultimately exposed customer data of at least 50 of their corporate
customers - affecting as many as 5MM consumers
It's taken a while, but B2B mandatory TLS is now a common control at the
corporate level. I expect a similar evolution with DMARC as vendors make
* net-security.org - http://www.net-security.org/secworld.php?id=16585
* Verizon DBIR - http://www.verizonenterprise.com/DBIR/2014/
* FBI -
* Trusteer -
* Computerworld -
* Target breach -
* S Carolina -
* Epsilon -
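The post argues that inbound DMARC filtering is a prudent control against same-domain phishing, i.e. mail whose From: header claims the recipient's own domain but that was not authenticated by that domain. The following is an added example, not code from this thread or from any DMARC implementation, showing the core of what an inbound DMARC check does: parse the sender domain's published record, test SPF and DKIM identifier alignment against the From: domain, and return the disposition the policy asks for. The record text, domain names and authentication results are constructed for illustration, and the organizational-domain derivation (last two labels) is a simplification where a real receiver would consult the Public Suffix List.

```python
"""Simplified inbound DMARC policy evaluation (added example).

Not code from the dmarc-discuss thread or from any DMARC library; the
domains, records and authentication results below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'.

    Missing alignment tags default to relaxed ('r') and a missing policy
    defaults to 'none', matching the record's documented defaults.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def org_domain(domain: str) -> str:
    """Simplification: last two labels. A real receiver uses the PSL."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """Outcome of the SPF and DKIM checks already run on the message."""
    spf_result: str               # "pass", "fail" or "none"
    spf_domain: Optional[str]     # MAIL FROM domain that SPF evaluated
    dkim_result: str              # "pass", "fail" or "none"
    dkim_domain: Optional[str]    # d= tag of a verified DKIM signature


def dmarc_disposition(from_domain: str, record: str, auth: AuthResults) -> str:
    """Return 'pass' if either authenticated identifier aligns with the
    From: domain, otherwise the policy action ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc_record(record)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]


if __name__ == "__main__":
    # Constructed scenarios for a hypothetical domain corp.example with p=reject.
    record = "v=DMARC1; p=reject"
    # Legitimate mail: SPF passes for the company's own relay, relaxed alignment holds.
    legit = AuthResults("pass", "mail.corp.example", "none", None)
    print("legitimate:", dmarc_disposition("corp.example", record, legit))
    # Same-domain phish: From: claims corp.example but SPF only passes for
    # an unrelated sending domain and there is no DKIM signature.
    spoof = AuthResults("pass", "lookalike.example", "none", None)
    print("spoofed   :", dmarc_disposition("corp.example", record, spoof))
```

The second scenario is the case the post is about: the message is "authenticated", but not as the domain it claims in From:, so alignment fails and the domain owner's published policy (here reject) is applied instead of delivering it to the corporate mailbox.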