Research reveals that the vast majority of the 401 companies exhibiting at Infosecurity Europe are failing to protect their own email domains from fraudsters...
If there's one thing that you learn from walking the floor at the Infosecurity Europe exhibition, it's that everyone has an answer to the problem that is information insecurity. If there's one thing that Red Sift, a data-driven cyber-security company, learned from an analysis of the 401 companies exhibiting there, it's that most of them are failing to protect their own domains from being used for email impersonation. Given that email is the most common mechanism employed in the initial attack phase by the vast majority of threat actors, that phishing often uses trusted brands as leverage, and that you don't get much more trusted than a security vendor, this is worrying news indeed.
Red Sift analysed the Domain-based Message Authentication, Reporting & Conformance (DMARC) records associated with the primary email domains of the 401 exhibitors at the Infosecurity show. It found that only 13 percent had successfully implemented full DMARC protection, the level at which potential phishing emails are stopped at the gateway. That leaves 87 percent failing at one level or another: 46 percent simply didn't have DMARC in place, 22 percent had implemented it only at the monitoring level (which still allows fraudulent email to reach the inbox), and 19 percent had tried to implement it but had not done so successfully.
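The four buckets in the Red Sift analysis map naturally onto what a `_dmarc` TXT record contains. The following added example (not Red Sift's tooling, and the exact bucket mapping is my assumption) classifies constructed sample records the same way: no record at all, a record with a `p=none` monitoring policy, a malformed record that receivers will ignore, and a quarantine/reject policy that actually blocks spoofed mail. It also flags the `pct=0` gotcha, where a reject policy is published but applied to none of the mail.

```python
"""Classify DMARC TXT records into the buckets used in the Red Sift study.
Sample records below are constructed for illustration; no DNS lookups are made."""

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; return None if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # a bare token is not a valid tag/value pair
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def classify(record):
    """Map a record (None when the _dmarc TXT record is absent) to a bucket."""
    if record is None:
        return "no-dmarc"
    tags = parse_dmarc(record)
    # RFC 7489 requires v=DMARC1 as the first tag and a p= tag to be present;
    # anything else is discarded by receivers, i.e. "implemented but failed".
    if not tags or not record.strip().lower().startswith("v=dmarc1"):
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # default is 100 percent of mail
    except ValueError:
        return "invalid"
    # p=none, or an enforcing policy applied to 0 percent, only monitors.
    if policy == "none" or pct == 0:
        return "monitoring-only"
    return "full-protection"


def summarise(records):
    """Count buckets over a {domain: record_or_None} map, as the study did."""
    counts = {}
    for rec in records.values():
        counts[classify(rec)] = counts.get(classify(rec), 0) + 1
    return counts


SAMPLE_RECORDS = {  # constructed; not real exhibitor domains or records
    "vendor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-a.example",
    "vendor-b.example": "v=DMARC1; p=none; rua=mailto:reports@vendor-b.example",
    "vendor-c.example": None,
    "vendor-d.example": "v=DMARC1; p=rejct",
    "vendor-e.example": "p=quarantine; v=DMARC1",
}
```

Feed `summarise` the `_dmarc.<domain>` TXT records you resolve for your own domains and the result is the same four-way breakdown the article reports.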
Rahul Powar, co-founder and CEO of Red Sift, says that DMARC is "a basic security protocol that everyone in the industry should be getting right" and is concerned that the information security industry should apparently be "ignoring this fundamental protocol that can stamp out phishing."
Ed Tucker, co-founder of Human Firewall and a former head of cyber-security at HMRC, says that if he were a threat actor who had done his homework before a major event such as Infosecurity Europe, he would have sent "a whole raft of phishing emails in the name of some of the biggest security vendors", given how many are not using DMARC to prevent their domains from being spoofed. As Tucker so rightly said in conversation with SC Magazine UK, "how can I trust your security if you don't even protect your own domain?"
Not that DMARC alone is the answer to all email-driven security problems. Earlier this year, when the results of a two-year study of 100,000 verified email spoofing attacks that bypassed secure email gateways (SEGs) were published, they showed that exact sender name impersonation, where an email masquerades as coming from a work colleague, accounted for most of the spoofing that evaded the filters. Eyal Benishti, CEO at Ironscales, insisted that "organisations must address the threat of email spoofing by implementing advanced mailbox-level security that continuously studies every employee's inbox to detect anomalies based on both email data and meta data extracted from previously trusted communications."
Email also turned up in the latest Privileged Access Threat Report from BeyondTrust, which revealed that poor security hygiene by employees in the UK continues to be a challenge for many organisations. Employees sending files to personal email accounts was cited as a problem by 64 percent of organisations surveyed. Then there was the latest Email Security Risk Assessment (ESRA) from Mimecast, also published as the Infosecurity show kicked off. This was particularly relevant to the poor state of DMARC implementation, as it found that some 55,190 'impersonation attack' emails were missed by incumbent email protection providers, part of a false negative rate of 11 percent across all inspected emails. A further 27,156 malware attachments and 466,905 malicious URLs were also missed.
Mimecast says that 85 percent of 1,025 global respondents experienced an impersonation attack last year, and 73 percent of them experienced a direct business impact as a result, be it financial, data or customer loss. "Today’s threat landscape continues to evolve as cybercriminals adapt their attack methods, particularly email-borne attacks, to evade the detection of traditional security solutions," Joshua Douglas, vice president of threat intelligence at Mimecast insists, "this is becoming a huge problem for companies regardless of size, across the globe..."