[dmarc-discuss] On Inbound DMARC Support

Steven M Jones smj at crash.com
Thu Jun 19 16:56:20 PDT 2014

On 06/19/2014 08:22 AM, John Levine via dmarc-discuss wrote:
>> But if it can help put any dent whatsoever in the endless stream of
>> corporate data breaches, for example, I think it's a net benefit for
>> consumers.

Before I continue: No, DMARC is not designed to prevent data breaches,
and will not eliminate all data breaches - any more than it will
eliminate all phishing. And the above does not claim it will do so.

However DMARC can help remediate a vector commonly used to initiate an
intrusion against corporate networks, and recent data breaches have
shown phishing was a key step leading to the theft of consumer data.

> How can DMARC prevent breaches? At most we've seen it defend
> imperfectly against the consequences of a very specific and unusual kind
> of breach in which they stole address books of individual mail users.
> For the typical breach of financial information, it's irrelevant.

Phishing is targeted at corporate mailboxes, with one goal being to open
a way into the corporate infrastructure. Access to the infrastructure is
the first step in gaining whatever data you're after. Same-domain
phishing is highly effective, so anything that addresses it is a prudent
control to deploy. Thus, inbound DMARC filtering is desirable for
corporate infrastructure.

The corporate information security sector is well aware of the inbound
phishing threat:

  * net-security.org: "Most cyber-attacks begin with spear-phishing emails"
  * Verizon 2014 data breach report: "Users will be phished, and they
    will eventually click"
      o "... even a [phishing] campaign consisting of a small number of
        messages has a high probability of success" - 9-18% depending on
      o "Once the phishing email has done its work ... the name of the
        game is [getting the data by leveraging network access]."
  * June 12, 2013: "The FBI has seen an increase in criminals who use
    spear-phishing attacks to target multiple industry sectors. These
    attacks allow criminals to access private computer networks."
  * Trusteer: "Spear-phishing is one of the main tools used by attackers
    to compromise endpoints and gain a foothold in the enterprise network."
  * Computerworld 2011: Phishing emerges as major corporate security threat

A few examples of successful phishing of corporations leading to
consumer data breach:

  * The 2013 Target data breach was initiated by a phishing attack -
    70+MM consumers affected?
  * In 2012 the South Carolina Dept of Revenue suffered a data breach
    due to credential theft via phishing - 5.7MM people, 700k
    businesses, and 3.3MM bank accounts
  * In 2010 Epsilon (the ESP) was the victim of a phishing attack that
    ultimately exposed customer data of at least 50 of their corporate
    customers - affecting as many as 5MM consumers

It's taken a while, but B2B mandatory TLS is now a common control at the
corporate level. I expect a similar evolution with DMARC as vendors make
it available.



  * net-security.org - http://www.net-security.org/secworld.php?id=16585
  * Verizon DBIR - http://www.verizonenterprise.com/DBIR/2014/
  * FBI -
  * Trusteer -
  * Computerworld -
  * Target breach -
  * S Carolina -
  * Epsilon -
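As an added illustration of the inbound DMARC filtering the post argues for: the block below is example code written for this archive page, not code from the post, from dmarc.org or from any vendor. It shows the core receiver-side decision of RFC 7489, identifier alignment of the authenticated SPF/DKIM domain against the visible From: domain, and what verdict a same-domain spoof gets under p=reject. The DMARC record, the authentication results and the domains (example.com, mail.example.com, attacker.example) are constructed; the org_domain() helper is a stand-in for a Public Suffix List lookup, and record discovery, sp= and pct= handling are deliberately left out.

```python
"""Minimal inbound DMARC policy evaluation (RFC 7489 alignment logic).

Added example for the dmarc-discuss archive page; all records, domains and
authentication results below are constructed, not taken from the post.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    """What an inbound MTA already knows about one message before DMARC."""
    from_domain: str                 # RFC5322.From domain, the one the user sees
    spf_domain: Optional[str]        # RFC5321.MailFrom domain SPF was checked on
    spf_pass: bool
    dkim_domain: Optional[str]       # d= of a DKIM signature that verified
    dkim_pass: bool


def parse_dmarc_record(txt: str) -> dict:
    """Parse the tag=value pairs of a _dmarc TXT record.

    Alignment modes default to relaxed ('r') as the RFC specifies.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. ASSUMPTION: last two labels stand in for a
    real Public Suffix List lookup (wrong for e.g. co.uk, fine for the samples)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only the same organizational domain."""
    if auth_domain is None:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def evaluate(record_txt: str, r: AuthResult) -> str:
    """Return 'pass', or the p= action the receiver should apply
    ('none', 'quarantine' or 'reject') when neither identifier aligns."""
    rec = parse_dmarc_record(record_txt)
    dkim_ok = r.dkim_pass and aligned(r.dkim_domain, r.from_domain, rec["adkim"])
    spf_ok = r.spf_pass and aligned(r.spf_domain, r.from_domain, rec["aspf"])
    if dkim_ok or spf_ok:
        return "pass"
    return rec["p"]


# Constructed sample: the corporate domain publishes p=reject with relaxed alignment.
CORP_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@example.com"

SAMPLES = {
    # Genuine internal mail: DKIM d=example.com verified -> aligned -> pass.
    "legit_internal": AuthResult("example.com", "example.com", True, "example.com", True),
    # Same-domain spoof: From: shows example.com, but SPF only passes for the
    # sender's own attacker.example bounce domain and there is no DKIM -> reject.
    "same_domain_spoof": AuthResult("example.com", "attacker.example", True, None, False),
    # Mail relayed via a subdomain with DKIM d=mail.example.com: relaxed -> pass.
    "subdomain_relaxed": AuthResult("example.com", None, False, "mail.example.com", True),
}


def evaluate_samples(record_txt: str = CORP_RECORD) -> dict:
    """Run every constructed sample through the policy and return the verdicts."""
    return {name: evaluate(record_txt, res) for name, res in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} -> {verdict}")
```

The interesting row is the same-domain spoof: SPF genuinely passes, because the attacker controls the bounce domain, yet the message still fails DMARC since that domain does not align with the From: domain the employee sees. Switching the constructed record to adkim=s makes the subdomain case fail too, which is the trade-off between strict alignment and legitimate internal relays that a deployment has to weigh.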
