[dmarc-discuss] On Inbound DMARC Support

Steven M Jones smj at crash.com
Thu Jun 19 16:56:20 PDT 2014


On 06/19/2014 08:22 AM, John Levine via dmarc-discuss wrote:
>
>> But if it can help put any dent whatsoever in the endless stream of
>> corporate data breaches, for example, I think it's a net benefit for
>> consumers.

Before I continue: No, DMARC is not designed to prevent data breaches,
and will not eliminate all data breaches - any more than it will
eliminate all phishing. And the above does not claim it will do so.

However DMARC can help remediate a vector commonly used to initiate an
intrusion against corporate networks, and recent data breaches have
shown phishing was a key step leading to the theft of consumer data.


> How can DMARC prevent breaches?  At most we've seen it defend
> imperfectly against the consequences of a very specific and unusual kind
> of breach in which they stole address books of individual mail users.
> For the typical breach of financial information, it's irrelevant.

Phishing is targeted at corporate mailboxes, with one goal being to open
a way into the corporate infrastructure. Access to the infrastructure is
the first step in gaining whatever data you're after. Same-domain
phishing is highly effective, so anything that addresses it is a prudent
control to deploy. Thus, inbound DMARC filtering is desirable for
corporate infrastructure.

The corporate information security sector is well aware of the inbound
phishing threat:

  * net-security.org: "Most cyber-attacks begin with spear-phishing emails"
  * Verizon 2014 data breach report: "Users will be phished, and they
    will eventually click"
      o "... even a [phishing] campaign consisting of a small number of
        messages has a high probability of success" - 9-18% depending on
        methods
      o "Once the phishing email has done its work ... the name of the
        game is [getting the data by leveraging network access]."
  * June 12, 2013: "The FBI has seen an increase in criminals who use
    spear-phishing attacks to target multiple industry sectors. These
    attacks allow criminals to access private computer networks."
  * Trusteer: "Spear-phishing is one of the main tools used by attackers
    to compromise endpoints and gain a foothold in the enterprise network."
  * Computerworld 2011: Phishing emerges as major corporate security threat


A few examples of successful phishing of corporations leading to
consumer data breach:

  * The 2013 Target data breach was initiated by a phishing attack -
    70+MM consumers affected?
  * In 2012 the South Carolina Dept of Revenue suffered a data breach
    due to credential theft via phishing - 5.7MM people, 700k
    businesses, and 3.3MM bank accounts
  * In 2010 Epsilon (the ESP) was the victim of a phishing attack that
    ultimately exposed customer data of at least 50 of their corporate
    customers - affecting as many as 5MM consumers


It's taken a while, but B2B mandatory TLS is now a common control at the
corporate level. I expect a similar evolution with DMARC as vendors make
it available.

--S.


Links:

  * net-security.org - http://www.net-security.org/secworld.php?id=16585
  * Verizon DBIR - http://www.verizonenterprise.com/DBIR/2014/
  * FBI -
    http://www.fbi.gov/sandiego/press-releases/2013/fbi-warns-public-that-cyber-criminals-continue-to-use-spear-phishing-attacks-to-compromise-computer-networks
  * Trusteer -
    http://www.trusteer.com/solutions/spear-phishing-and-credentials-theft
  * Computerworld -
    http://www.computerworld.com/s/article/9215995/Phishing_emerges_as_major_corporate_security_threat
  * Target breach -
    http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
  * S Carolina -
    http://www.scmagazine.com/sc-tax-breach-began-when-employee-fell-for-spear-phish/article/269448/?DCMP=EMC-SCUS_Newswire
  * Epsilon -
    http://www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119?



