If you're having trouble conveying the significance of appropriate cybersecurity investment, maybe our Making Security Make Sense presentation will help.
This presentation is most powerful if YOU can give it to your own clients, and especially if you can do it live, on a whiteboard, rather than with a slide deck and speaker notes!

If you'd like to learn HOW to give this presentation, watch this training video.
If you want a copy of the slide deck, please request it from [email protected]

How you get paid

• Sell our cybersecurity assessment (you markup the $2,169 reseller price to whatever you like)
• Collect signatures and payment from the customer
• ​Send us the signed contract and base price, and keep the rest for yourself

Examples:
Sell for $2,669 = keep $500
Sell for $3,000 = keep $831
Sell for $3,500 = keep $1,331

What you’re selling 
Infosec Consulting’s Cyber Risk Assessment

Target customer profile

• US Business owner of a small to medium business with 25-300 employees and 1-5 locations
  • ​Low to moderate cybersecurity maturity (not following best-practices)
    
  • Excludes medical/financial businesses and those who already have heavy compliance requirements

How you get paid

• Sell our cybersecurity assessment ($2,669 minimum sales price)
• ​Send us the signed contract
• We collect downpayment from the customer and pay you $500 + 60% of anything above the minimum price (no ceilings; no joke)

Examples:
Sell for $2,669 = $500 payout
Sell for $3,000 = $699 payout ($500 + $199 | 60% of the $331 markup)
Sell for $3,500 = $999 payout ($500 + $499 | 60% of the $831 markup)

​We provide you with sales and marketing templates and training.

What you’re selling
Infosec Consulting’s Vulnerability Analysis

When it's time to make an important decision, you should lean on proven methods. This is one of those methods.
​View our actual SOCaaS Weighted Decision Matrix here. Feel free to make a copy and use it for yourself.

​The winner of our SOCaaS WDM process was Perch Security. The next-closest was only 80% of Perch's score. 
Watch the video here. (If you end up pursuing a relationship with them, please mention us as your referral source!)
If you need to evaluate SOCaaS providers, have a look at the actual weighted decision matrix we used to make our decision. Since even a 19% margin of difference between your requirements/scoring and ours still leaves Perch in the lead, if your evaluation crieteria are anything close to ours, we've probably saved you a lot of work. Just go with Perch. 

(This article is a part of a series on email and domain protection)
DMARC's role is twofold: 1) It is used to specify what to do with incoming messages, based on whether they align with SPF and DKIM records of a given domain; and 2) It generates reports back to a domain owner regarding email volume, sources, and what policies were applied to those messages.
While there are plenty of how-to guides out there, the purpose of this article is to give a helpful overview of exactly what DMARC is and why it's important for everyone to implement on every domain.  
Without SPF and/or DKIM records in place, DMARC still has some value (reporting), but no power to accomplish anything.  At a minimum, an SPF record is required in combination with DMARC in order for receiving servers to apply any policies to inbound messages.

For domains that send mail, DMARC is a huge step in protecting not only IP-based reputation, but also domain-based reputation.  The domain administrator publishes an SPF or DKIM record (preferably both), then a DMARC record.  The DMARC record specifies what to do with messages that don't align with SPF or DKIM, as well as where to send reports on the quantity and sources of email received on behalf of the administrator's domain.
For any domain that sends mail, it is recommended to start with a DMARC policy of "none," which does nothing to break any mailflow, but allows for reporting.  The often-underrated significance of this reporting is that the administrator gets to see how many messages are coming from his domain as a whole, including servers not under his control.  Anyone can read the logs of their own equipment, but when, for example, a Russian spam server is sending mail from that same domain without permission, there is no other way to get reporting on that than DMARC.  DMARC allows receiving servers to report back to domain owners exactly what is being sent on their behalf.
These reports help domain owners to understand what email is being sent in their name, both legitimate and illegitimate.  These reports can be used to ensure all legitimate sources of mail have been accounted for before tightening down the SPF policy from ~all to -all.  The reports continue to be useful in fine-tuning DMARC policy when switching from "none" to "quarantine" and again from "quarantine" to "reject."
After accurately accounting for all legitimate sources of mail and accommodating them in SPF/DKIM records, the DMARC record can be changed from "none" to "quarantine."  Note, as in the illustrated example above, the policy is only applied to messages that fail both SPF and DKIM.  If both exist and the message aligns with either of them, the DMARC policy is not applied.
Quarantining a message generally means shoving it into a SPAM folder.  For the smoothest application of a policy of "quarantine" or "reject," DMARC allows for the policy to be applied to any percentage of messages, rather than all of them.  For example: when quarantining messages, it's prudent to start with 1% and wait for reporting to come in, then use the forensic reporting to view the raw HTML body of the affected messages.  Once comfortable that all the quarantined messages are illegitimate, the percentage can be increased so more and more messages are delivered to the spam folder instead of the inbox.  Gradually, this percentage is increased until all messages not aligning with SPF/DKIM are quarantined, then the process is restarted with a policy of "reject."

SPF (v1) provides a framework for domain owners to effectively whitelist authorized email sources (servers by IP, not persons who send) for a given domain.

What about domains that don't send mail?  All domains need an SPF record.  It's simple: create a "null" SPF record to specify that nobody is authorized to send mail from that domain.  It's a whitelist that's blank, thereby eliminating the opportunity for malicious persons/organizations to send fraudulent mail on behalf of a legitimate domain.  Just because a business or person doesn't USE a domain to send mail doesn't mean someone else can't maliciously spoof the FROM as that domain.  Why leave it unprotected when a 2-minute task can secure it?

Create standard SPF record: 

1. Enumerate all legitimate sources of mail for the given domain.  Be thorough: survey all departments in order to accurately discover any 3rd parties who do or may send email for the given domain.  Example: goodguy.com sends direct mail from GSuite, and mass-marketing via ConstantContact, and a private mail server located at a static IP (123.234.255.255) but no other entities are authorized to send on behalf of goodguy.com
2. Lookup SPF "inclusions" for each source and compile.  These are usually publicly available, however some entities are not up-to-speed or require a support ticket to provide any help.
3. Build the SPF record.  For the example above, GSuite's SPF record is: include:_spf.google.com and Constant Contact's SPF record is: include:spf.constantcontact.com.  Therefore, the SPF record for goodguy.com is:
   v=spf1 ip4:123.234.255.255 include:spf.constantcontact.com include:_spf.google.com ~all 
4. Publish the amalgamation as a TXT record.  NOTE: Do not use the SPF record type, as it is now depreciated and may not be honored.

NOTE: These instructions for a sending domain end with ~all instead of -all as this is the recommended method until there exists absolute certainty about the whitelist of authorized senders.  Small organizations with 100% certainty they only use a few specific sources can publish a -all at the end of their record.
Larger organizations or those who think there is even a chance there is another 3rd party sending legitimate emails on their behalf (think: confirmation emails, receipts, marketing departments that don't coordinate with the IT department, etc) should use the ~all instead, as it will not cause messages to be rejected.  Messages from sources not whitelisted in the record receive a "soft-fail" mark which increases their chance of being delivered to spam if there are any other red flags in the message source, subject, or body.
Until additional visibility into mailflow and sending sources can be obtained, it is recommended to keep the soft-fail mechanism in place.
The next step in protecting a domain's reputation and preventing spoofed messages is either DKIM, DMARC, or both.  DMARC provides reporting on all mail purporting to be from a given domain, and gives excellent insight into sources that may not have been known by the IT department.  It can be used for a thorough "discovery" process and SPF/DKIM records can be adjusted before rejection policies are made strict.  This process preserves legitimate mailflow alongside the illegitimate, but prevents legitimate messages from being rejected or stuffed into spam folders.

Caleb Christopher gave a talk on cryptography at SecKC in May 2019.
Here's a little quiz for you...
-----BEGIN TALK DESCRIPTION-----
QW4gb3ZlcnZpZXcgb2Ygb3VyIG5lZWQgZm9yIGNyeXB0b2dyYXBoeSwgd2hhdCBpdCBpcywgYW5kIGhvdyBpdCB3b3JrcyB3aXRoIHNvbWUgcHJhY3RpY2FsIGV4YW1wbGVzLg==
-----END TALK DESCRIPTION-----

​Email is critical for business operations. If your emails don’t land reliably in peoples’ inboxes, business can grind to a halt.

In 1972 email was originally designed to enable communication. It has ever since. Communication – not security – was the focus when it was designed. That is why I can install a simple, free mail server software on any computer and start sending messages, claiming they’re from anyone I want – even you. Spoofing is the act of masquerading as another, and with email it’s incredibly easy if protections aren’t activated. In its various forms, spoofing fuels phishing and other fraud. Spoofing preys upon the legitimate reputation of an organization, and that organization gets the reputational “credit” for anything done in its name. Your business could be “sending” spam campaigns right now.

What if I told you there was a three-step method to:

• Protect your company's digital reputation and decrease the likelihood of your emails being marked as spam;
• Show how many unauthorized emails are being fraudulently sent "from" [email protected];
• Tell recipients what to do with messages that don’t actually come from your business?

What if I sent you an email about it? From yourself. Sometimes that’s what it takes for my message to land impactfully in the mental inbox of some managers. Whenever I have the opportunity while conducting vulnerability assessments, I make sure to send myself a noteworthy email from an executive within the organization. I do this without ever touching their equipment, or logging into their systems simply because I can – anyone can. That’s my point.

Security as an afterthought is almost always clumsy and usually requires manual
configuration. Here’s why I even have this job: security is rarely included in project/product
design phases and IT guys rarely turn on the security options available.

So, what’s the fix? My three-step plan?
I stumbled upon it while researching email authentication. There are three public DNS records you should publish for each domain you own: SPF (Sender Policy Framework), DKIM (Domain-Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Here’s the short version: SPF specifies which IP addresses can send mail as @yourbusiness.com; DKIM adds a unique digital signature to prove the message came from you (and is unmolested); and DMARC is twofold: it adds reporting and defines an action policy for unauthenticated messages.

DMARC is where email security gets traction. Without it, email could be reasonably
secure (tip: it usually isn’t), but previously there was no way to know whether your domain is
being misused. The Reporting component is revolutionary, making it now possible to discover 
how many emails are being sent on your behalf and where from, even from systems you don’t own or control.

DMARC has been mainstream-usable since early 2015, but for lack of awareness most
businesses have not yet begun using it. I have spoken at regional information security conferences on it and I find a majority of IT professionals are unaware of or don’t yet understand DMARC. On that note, a word of caution: DMARC is powerful and can block all the fraudulent emails, but can also block the good ones. A careful plan is essential.

I have deployed DMARC for more than 40 domains. One of those domains was sending more than two million fraudulent emails per month. The client indicated that domain should not be  sending any email, so a quick forensic investigation into the content of the messages yielded evidence of phishing campaigns, links to hacked websites, myriad erectile dysfunction ads, and so on. This company was getting the reputational credit for having sent these emails. I published a DMARC policy to reject any mail from that domain, and now 99.9991% of those messages being blocked. At one point, the volume spiked to greater than 5.9 million in a month. All blocked!

Another client’s members recently received a fraudulent message “from” a staff member requesting donations for another real member’s fake sick child on a GoFundMe site, complete with sad pictures and fake quotes from other members. I connected with their IT service provider to assist with damage control and remediation.

So how long does it take; how much does it cost?
The answer is, “it depends.”
Simple environments can be done in less than a month with little capital outlay. Complex environments can take months and cost thousands.
In my experience, most SMBs are relatively simple environments.

Secure your email.
You’re likely in the majority who aren’t being actively impersonated, but if you were, wouldn’t you like to know? And wouldn’t you like to properly configure things so it can’t happen?