So why aren’t they being used?
Ever-expanding attack surface areas and hordes of relentlessly motivated malicious parties in hacker-land are surely depriving many CISOs of a good night’s sleep. The situation is dire, but it’s also inexplicable. On the one hand, network security threats truly present technical challenges to even the most competent IT operators. On the other hand, why is it the perennial case that so many companies appear to be lacking in fundamental defenses that are universally recommended? Metaphorically, if you lived in a high-theft neighborhood, would you leave your front door open and post a sign saying, “This house is NOT protected by ADT”?
Let’s take a look at one especially bothersome issue: email phishing. Numerous credible sources reckon that 2018 will be a record year for phishing attacks. Banks and healthcare providers are cited as the top two targeted sectors. It’s a sure thing that at least 15 banks with revenues over $1 billion WILL suffer from successful phishing scams. Some of them are repeat – even serial victims.
Defending one’s enterprise and customers from spoof email scams would seem to have an effective solution, embraced by all: just implement DMARC, DKIM, SPF and DNSSEC. Not to trivialize the subject, there are certainly many other measures required for a complete defense, but these DNS security parameters are minimally essential. No right-thinking IT professional would argue not to implement them.
So here’s the big question: why are so few companies implementing these hugely necessary DNS security measures? The stats are shocking: only 10% of all banks and 4% of healthcare providers have implemented DMARC and related policies. These are two of the most targeted enterprise sectors – and also among the most vulnerable. Note: phishing specialists actively target those with the least protected domains! Survey numbers from Security Week show that 67% of all F500 companies lack DMARC and 25% have no DNS-based email policies at all.
By contrast, and to its credit, the US government has mandated DMARC implementation across all of its agencies and departments. Thus far, government DMARC adoption is showing positive results. Domains protected have increased from 16% to 47% as of January 2018. Over 400 US government domains and billions of emails now have a 96% rate for the strongest DMARC policy setting (p=reject). (Source: Securityweek.com, Eduard Kovacs, January 2018)
The private sector seems to be another story. Authentic Web Inc. audited the email security settings of several companies (each with over $1 billion in revenue) by inspecting the APEX-level resource records of the domains listed in the public WHOIS record. The results show a very inconsistent approach taken by the organizations we inspected:
| ADOPTION | LOW % | MEDIAN % | HIGH % |
|---|---|---|---|
| SPF | 1.0 | 5.7 | 51.0 |
| DKIM | 0 | 0 | 5.0 |
| DNSSEC | 0.4 | 1.4 | 8.3 |
| DMARC | 0 | 12.0 | 83.4 |
| Secondary DNS | none | none | none |
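As an added illustration of what an apex-level audit like the one above actually checks (this is example code, not Authentic Web’s audit tooling), the snippet below grades a domain’s SPF and DMARC TXT records; the sample zones and domain names are constructed, and a real audit would fetch the TXT records at the apex and at the `_dmarc` label instead.

```python
# Added example (not Authentic Web's tooling). Sample zones are constructed.
def parse_tags(record):
    """Parse DMARC 'tag=value; tag=value' syntax into a lower-cased dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_status(apex_txt):
    """Classify the apex TXT records' SPF posture."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "permerror-multiple"   # more than one SPF record is a permanent error
    last = spf[0].split()[-1].lower()
    if last == "-all":
        return "enforcing"            # unlisted senders hard-fail
    if last == "~all":
        return "softfail"
    return "open"                     # ?all, +all, or no 'all' mechanism at all

def dmarc_status(dmarc_txt):
    """Classify the _dmarc TXT records by their effective policy."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid-multiple"
    tags = parse_tags(recs[0])
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    pct = tags.get("pct", "100")      # pct < 100 applies the policy to a sample only
    return policy if pct == "100" else f"{policy}(pct={pct})"

def audit(zone):
    """zone: {'@': apex TXT records, '_dmarc': TXT records at _dmarc.<domain>}."""
    return {"spf": spf_status(zone["@"]), "dmarc": dmarc_status(zone["_dmarc"])}

SAMPLE_ZONES = {  # constructed, not real domains
    "strong.example": {"@": ["v=spf1 include:_spf.mailer.example -all"],
                       "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"]},
    "weak.example": {"@": ["v=spf1 include:_spf.mailer.example ~all",
                           "v=spf1 ip4:192.0.2.0/24 -all"],   # two SPF records
                     "_dmarc": ["v=DMARC1; p=quarantine; pct=10"]},
    "bare.example": {"@": [], "_dmarc": []},
}
```

Running `audit(SAMPLE_ZONES["weak.example"])` surfaces two of the errors the table’s low numbers hint at: a duplicated SPF record (which receivers treat as a permanent error) and a DMARC policy that only applies to 10% of mail.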
The US government experience with DMARC is empirical proof that email authentication policies work. So why are so few F500 companies adopting these clearly efficacious policies? Here are my suspected reasons for corporate failure to adopt best practice policies such as DMARC:
- Learning Curve: Anecdotal conversations with IT security professionals show that subject matter expertise for many is still developing. The number of how-to articles published by CSO Online, SC Magazine and scores of other journals is a good indication that these policies are still new to many and not fully understood.
- Corporate Inertia: People resist change – sometimes even in the face of compelling forces including cyber-attacks actually experienced, as the following numbers show. As email-authentication related cyber-attacks continue to increase (2016-2018), corporate adoption of recommended DNS security measures lags.
- Communication: Even where DMARC and related policies are implemented, corporate adoption looks to be inconsistent across departments, domain groups and business units. Are people communicating effectively or are they operating in silos?
- Split Ownership: Domain ownership in organizations can be ambiguous. Stakeholders include Legal, Marketing, IT, and domain administrators. Despite the involvement of many interested parties, end-to-end compliance on every domain and their myriad resource records is often lacking or absent. C-level governance over domain assets is unheard of. So who’s minding this critical and risk-exposed area?
- Staff and Process Continuity: Full DMARC implementation is no simple exercise. It’s complicated and fraught with potential for error. When an internal subject matter expert moves or turns over, does policy compliance survive the personnel change?
- Systems and Processes: To err is human. Processes and automated systems protect us from ourselves. The simplest of domain tasks (such as correctly implementing a certificate authority) can be subject to multiple steps and scope for error. It happens all the time. A typical portfolio of 500 domains could easily have 5,000-10,000 resource records in which highly complex DNS settings reside (like DMARC, DKIM, SPF, DNSSEC, etc.). People need processes and automated systems to backstop compliance and minimize errors. Spreadsheets and ad hoc tools leave too much room for error.
Legislation sponsored by Homeland Security galvanized the US government to implement DMARC. In the absence of legislation, corporate entities rely on top-down mandates. C-level executives are the private sector equivalent of the law. The buck stops at the top. DMARC would surely be adopted throughout the financial (or any other) sector if Boards, CEOs, CIOs and CISOs sponsored the mandate. It’s not at all evident that they are, despite the ongoing threat of anticipated phishing attacks in 2018.
Top-down mandates initiate action but don’t always ensure success. Teams need empowerment and enabling tools. Ensuring that legacy systems are evaluated, updated and sourced from reputable vendors is essential to successful implementation. Many companies manage their domains with multiple registrars, across numerous DNS services, relying on spreadsheets and email ticketing in lieu of automated change management systems. Layering the full suite of DMARC and related policies onto a shaky or fragmented domain and DNS management environment elevates the risk of poor implementation and high cost of management.
When it comes to protecting our networks and customers from domain related security risks such as phishing scams, we know that authentication policies such as DMARC are effective. We need to address the people, processes and management practices behind the adoption and implementation of DNS security.
About the Author: Paul Engels is Vice President of Authentic Web Inc., a solution provider of systems that improve enterprise domain and DNS security, compliance and performance.
RESOURCES
Download our white paper “Domain & DNS: Security, Compliance and Performance” for IT security and digital executives.
Learn about a useful Apex-level domain and DNS audit for your organization.