A quarter of US gov domains FAIL on email security

Richi Jennings, Industry analyst and editor, RJAssociates


A year ago, DHS issued Binding Operational Directive 18-01, which mandated that every federal government domain publish the strongest DMARC policy, p=reject. (In case you’ve been living under a rock: DMARC lets a domain owner tell receiving mail servers what to do with messages that fail SPF and DKIM authentication, which shuts down the simplest kind of domain-spoofing phish.)

The deadline was this week. Sadly, many organizations still haven’t complied: roughly a quarter of federal domains either haven’t moved to p=reject or haven’t published a DMARC record at all.

Your tax dollars at work (or not). In this week’s Security Blogwatch, we don’t like spam.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: If Educational Videos Were Filmed Like Music Videos 


Dead deadline headline

What’s the craic? Zack Whittaker writes CIA, NSA and the Pentagon still aren’t using a basic email security feature:

Some of the most sensitive U.S. government departments and agencies still aren’t using a basic email security feature that would significantly cut down on … spam or phishing. … Domain-based Message Authentication, Reporting, and Conformance [is what] email systems use to verify the identity that the sender of an email is not an impersonator.

Out of over a thousand federal domains, [only] 75 percent have a DMARC policy … despite Tuesday’s deadline for BOD 18-01, a directive issued by Homeland Security … a year ago. [It] aimed to improve email and cybersecurity across the federal government by introducing email encryption (STARTTLS) … doubling down on use of HTTPS certificates [and] by cranking up the DMARC settings to its safest.

The government isn’t the only outlier. Only one-third of the Fortune 500 are said to use DMARC on their domains.

That’s bad, isn’t it? Joe Uchill isn’t chill—Many government agencies miss email security deadline:

A year ago, Homeland Security gave nearly all civil federal agencies 12 months to adopt an email security standard that prevents email fraud. [But] between a quarter and a half of those agencies' … domains failed to meet the Tuesday deadline.

Just imagine how much chaos an attacker could cause by sending fraudulent email messages from "evacuation-warnings@EPA.gov." When properly set up, DMARC plugs that security hole.

Intelligence and defense agencies were exempt and … almost entirely did not comply. … Some extremely big-name agencies fall far short. … More than half of the tested domains run by … the White House. … Just under half of the Department of Commerce domains. … Amtrak's lone domain had not implemented it, either.

But no, this was a triumph! Fareed Bukhari is making a note here—Huge Success: [It’s hard to overstate my dissatisfaction—Ed.]

When BOD 18-01 was announced in October 2017, Agari determined that only about 18 percent of federal domains had adopted DMARC, and less than ten percent had implemented a reject policy.

Today … 85% of federal domains have adopted DMARC and at least 74% have implemented a reject policy … of “p=reject.”

BOD 18-01 has clearly made a positive impact on the cybersecurity posture of the United States government. … Private enterprise is definitely lagging behind the public sector now.

Do we do what we must? Robert Holmes says it’s for the good of all of us: [Except the ones who are fired—Ed.]

This is a significant achievement as many agencies did not have this initiative in their plans/budgets when the mandate was announced, and DMARC implementation can be complex. … While not every agency is DMARC compliant … at the deadline, the progress made over the past year is commendable.

Ideally, we will continue to see this positive trend until each agency fully protects their domains from email spoofing attacks. … BOD 18-01 has been a promising step in the right direction that organizations in all industries should follow.

Is there any sense crying over every mistake? Rob Fegan and Joe Stocker have run out of cake:

If you don't have DMARC/DKIM then your sender reputation will be impacted when you email [Office 365] orgs., as Microsoft … will treat you with increased scrutiny.

[It] can mean a larger % of your outgoing emails are quarantined … or sent to junk.

Will the science get done? Sean Kerner made a neat gun:

DMARC is a protocol that helps protect the integrity and authenticity of email. DMARC is not a single technology but rather is a combination of several components, including the Sender Policy Framework (SPF) and Domain Keys Identified Email (DKIM), to help verify email authenticity.

There are also different levels of DMARC policies. The "p=none" policy enables organizations to monitor their email systems for senders, while the "p=reject" policy [instructs recipients to] block non-compliant messages completely.

While there is reason for optimism about the improved state of email security in the U.S. government, the reality is that not all federal agencies [met] the deadline. … There are several challenges to adopting DMARC, both within the government and at commercial enterprises.

Are you even angry? Brad Gurley’s being so sincere right now:

In addition to … advising how to handle unauthenticated mail, DMARC also provides a reporting component that can be very useful. … By enabling the reporting features of DMARC, your organization can receive reports indicating all mail that is being sent with your domain in the FROM: address. This can help identify spoofed or falsified mail patterns as well as tracking down other business divisions or partners that may be legitimately sending mail on your behalf without authentication.

The first step is to talk to your email support team about how to ensure you’re authenticating. … In addition, there are lots of great tools available on the web, including a number of SPF wizards and DKIM key generators to guide you through the process of creating a record you can copy and paste.

However you go about it, we strongly recommend you authenticate your messages with SPF, DKIM, and DMARC. You’ll be able to acronym like the best of them, while keeping your brand’s reputation safe and secure.

So the Global Cyber Alliance and the Cybersecurity Tech Accord broke my heart, and killed me:

DMARC allows domain owners to signal that they are using email authentication (SPF, DKIM), provide an email address to gather feedback about messages using their domain – legitimate or not [and] apply a policy to messages that fail authentication (report, quarantine, reject).

[It allows] email receivers to be certain a given sending domain is using email authentication, consistently evaluate SPF and DKIM along with what the end user sees in their inbox, determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks [and] provide the domain owner with feedback about messages using their domain.

Being more concise, Tim Draegen tore me to pieces:

DMARC and email security - it's like saying wings are an important part of an airplane.

Meanwhile, who threw every piece into a fire? Philip Reitinger—@CarpeDiemCyber:

DMARC is foundational to email security - without DMARC you can’t even talk about email security.

The moral of the story? Publish a DMARC record, with p=reject, on each of your domains, including the ones that never send email. A parked domain with no record is a free spoofing target.
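To make the moving parts concrete, here is an added example (mine, not code from this page or from any of the vendors quoted above) that parses a DMARC TXT record, applies the SPF/DKIM identifier-alignment rules that Kerner and the GCA passage describe, and grades a domain against the BOD 18-01 end state of p=reject. The domain names and TXT records are constructed stand-ins for real DNS answers, and the two-label rule for the organizational domain is a stated simplification of what a real receiver does with the Public Suffix List.

```python
"""DMARC record parsing, identifier alignment and a BOD 18-01 policy check.
Added illustration; not code from the page or from any vendor quoted on it."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed TXT answers for _dmarc.<domain>, standing in for live DNS lookups.
SAMPLE_DMARC_RECORDS = {
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:dmarc-rua@reject.example; adkim=s; aspf=r",
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=50",
    "parked.example":     "v=DMARC1; p=reject",   # never sends mail, still publishes a record
    "nomail.example":     None,                    # no _dmarc TXT record at all
}


@dataclass
class DmarcRecord:
    policy: str                     # p=  : none | quarantine | reject
    subdomain_policy: str           # sp= : defaults to p=
    adkim: str = "r"                # DKIM alignment: r(elaxed) | s(trict)
    aspf: str = "r"                 # SPF alignment:  r(elaxed) | s(trict)
    pct: int = 100                  # share of failing mail the policy applies to
    rua: List[str] = field(default_factory=list)   # aggregate-report addresses


def parse_dmarc(txt: str) -> Optional[DmarcRecord]:
    """Parse an RFC 7489 tag=value record; None means receivers would ignore it."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None                         # malformed tag: whole record is ignored
        k, v = part.split("=", 1)
        tags.append((k.strip().lower(), v.strip()))
    d = dict(tags)
    # RFC 7489: "v=DMARC1" must be the first tag, and "p" is required.
    if not tags or tags[0] != ("v", "DMARC1") or d.get("p") not in ("none", "quarantine", "reject"):
        return None
    try:
        pct = int(d.get("pct", "100"))
    except ValueError:
        return None
    return DmarcRecord(
        policy=d["p"],
        subdomain_policy=d.get("sp", d["p"]),
        adkim="s" if d.get("adkim", "r").lower() == "s" else "r",
        aspf="s" if d.get("aspf", "r").lower() == "s" else "r",
        pct=max(0, min(100, pct)),
        rua=[a.strip() for a in d.get("rua", "").split(",") if a.strip()],
    )


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption/simplification: the last two labels.
    A real receiver uses the Public Suffix List so that e.g. 'example.co.uk' works."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same organizational domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)


def evaluate_dmarc(record: DmarcRecord, from_domain: str,
                   spf: Optional[Tuple[str, str]] = None,
                   dkim: Iterable[Tuple[str, str]] = ()) -> Tuple[bool, str]:
    """Apply DMARC to one message whose RFC5322.From domain is from_domain.
    spf  = (MAIL FROM domain, result) from the SPF check, or None if there was none
    dkim = [(d= domain, result), ...] for every DKIM signature that was verified
    Returns (dmarc_pass, disposition); disposition is none | quarantine | reject."""
    spf_ok = spf is not None and spf[1] == "pass" and aligned(from_domain, spf[0], record.aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, record.adkim) for d, res in dkim)
    if spf_ok or dkim_ok:
        return True, "none"
    # Failing mail gets the published policy (pct= sampling is ignored here for determinism).
    return False, record.policy


def bod_18_01_status(txt: Optional[str]) -> str:
    """Classify a domain's _dmarc record against the BOD 18-01 end state of p=reject."""
    if txt is None:
        return "missing"            # nothing published: the domain can be spoofed unchallenged
    rec = parse_dmarc(txt)
    if rec is None:
        return "invalid"
    return {"reject": "compliant", "quarantine": "partial", "none": "monitor-only"}[rec.policy]


if __name__ == "__main__":
    for dom, txt in SAMPLE_DMARC_RECORDS.items():
        print(f"{dom:20} {bod_18_01_status(txt)}")
    rec = parse_dmarc(SAMPLE_DMARC_RECORDS["reject.example"])
    # A spoof: From: reject.example, but SPF only passes for the attacker's own domain.
    print(evaluate_dmarc(rec, "reject.example", spf=("attacker.example", "pass")))
```

Two things the run makes visible that the prose does not: an SPF pass on its own proves nothing unless the passing domain aligns with the From: domain, which is exactly why a forwarder or a third-party sender with their own envelope domain fails DMARC until they sign with an aligned DKIM key; and a record with the tags in the wrong order or an unknown p= value is silently ignored by receivers, which looks like "deployed" in a spreadsheet but behaves like "missing" on the wire. For a domain that never sends mail, the pair `v=DMARC1; p=reject` at `_dmarc.<domain>` and `v=spf1 -all` at the apex is enough to have every receiver that honours DMARC reject mail claiming to come from it.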

And finally …

These points of data make a beautiful line


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Dean Franklin (cc:by)