
Companies Are Failing to Deploy Key Solution for Email Security

A single -- albeit complex-to-deploy -- technology could stop the most expensive form of fraud, experts say. Why aren't more companies adopting it?

Business email compromise (BEC) is the most expensive form of online fraud encountered every year, with international losses in excess of $26 billion over the past three years, according to the FBI. Despite that, email security measures that could stop the messages impersonating business executives remain underdeployed, experts say.

The key technology, known as Domain-based Message Authentication, Reporting, and Conformance, or DMARC, significantly reduces attackers' ability to spoof targeted domains and business executives by validating the path from the sending server to the receiver's inbox. In addition, the technology gives an organization's email administrator visibility into how its domain is being abused in emails.

Given the recent move of many companies to remote work during the coronavirus pandemic, validating email messages is even more important, says Joseph Blankenship, vice president of research for cybersecurity at Forrester Research.

"We designed email to trust by its very nature," he says. "To keep it secure, we need a multilayered approach that makes sure any anti-phishing defense is using multiple methods to verify email senders."

Every year, attackers use impersonation in phishing attacks to harvest user credentials as well as in BEC schemes, where they send fake invoices from vendors or requests for payment from purported company executives to a target's accounting department. In 2019, the FBI received nearly 24,000 complaints of BEC fraud totaling $1.8 billion in losses, according to the annual Internet Crime Complaint Center report.

A triad of email security technologies is designed to hobble attackers' attempts to impersonate legitimate organizations. Sender Policy Framework (SPF) publishes the domain's legitimate sending mail servers in its authoritative DNS record. DomainKeys Identified Mail (DKIM) cryptographically signs email messages so receivers can confirm the messages have not been altered in transit. Finally, DMARC checks that a message's visible From address matches the domain verified by SPF and DKIM. In addition, DMARC produces aggregate reports on the email traffic sent from an administrator's domain.

While DMARC gives companies protection against phishing, brand misuse, and BEC, it's difficult to implement across companies. "As someone who tried to do it with a team of smart IT people, it is an undertaking, I'll tell you that," says Blankenship. "We actually failed — we gave up after a couple of weeks."

Forrester recommends that companies work with their email infrastructure provider to set it up and consider bringing in a consultant.

While the complexity may scare off small firms, organizations that use the large email providers will likely have a managed offering that walks them through the process, he says.

"Two of the biggest providers of email services, Microsoft and Google, have a lot of email security capabilities built in," he says. "So any small firm should be taking full advantage of all the email filtering that is available to them from their email infrastructure provider."

While the use of DMARC is growing — tripling in 2019 — less than 10% of companies use it in most industries. Because of a US government mandate, however, almost every US federal agency uses the technology.

In addition, getting the full security benefit of the technology takes time. An organization's email administrators can select one of three policies for messages that fail verification: deliver the messages anyway, quarantine them, or reject them. In 2019, 71% of companies failed to enforce strict rules, taking no action and allowing the messages to be delivered, according to data from DMARC.org.
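To make the SPF/DKIM/DMARC relationship and the three policy choices concrete, here is an added Python sketch (not code from the article or from any of the vendors it quotes). It assumes SPF and DKIM have already been evaluated by the receiving server and shows how DMARC's alignment check and the domain owner's published policy (p=none, quarantine, or reject) decide what happens to a message; all records and domains are constructed.

```python
# Added example (not from the Dark Reading article): a minimal DMARC evaluator.
# It assumes SPF and DKIM have already been checked and applies identifier
# alignment plus the p=none / quarantine / reject disposition. Domains and
# records used here are constructed for illustration.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    return tags

def org_domain(domain):
    # Simplified organizational domain: last two labels. Real receivers use the
    # Public Suffix List so that e.g. example.co.uk is handled correctly.
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain: domain in the RFC5322.From header (what the user sees).
    spf_domain:  MAIL FROM domain that SPF was evaluated against.
    dkim_domain: d= tag of a DKIM signature that verified.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # Authentication failed or was not aligned with the visible From domain:
    # the domain owner's published policy decides what the receiver does.
    policy = tags["p"].lower()
    if policy not in DISPOSITION:
        raise ValueError("unknown DMARC policy: " + policy)
    return "fail", DISPOSITION[policy]
```

With p=none the third case below is exactly the "no action" situation the DMARC.org figures describe: the failure shows up in aggregate reports, but the message is still delivered.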

"Phishing is implicated in more than 90% of all cyberattacks, and the vast majority of phishing emails leverage impersonation," Alexander García-Tobar, CEO and co-founder of email security firm Valimail, said in a statement. "This is only possible due to email's lack of robust sender identity validation. The sharp rise in DMARC records worldwide is promising, but the low rate of enforcement indicates there is a long way to go in establishing real trust in one of the world's most common forms of communication."
