I am honored to have been featured on the RocketMSP Podcast. Here's my favorite clip, dealing with fake math (risk matrices) vs realistic estimations of risk when it comes to making very expensive decisions... RocketMSP #22 (26:15)

If you're having trouble conveying the significance of appropriate cybersecurity investment, maybe our Making Security Make Sense presentation will help. This presentation is most powerful if YOU can give it to your own clients, and especially if you can do it live, on a whiteboard, rather than with a slide deck and speaker notes! If you'd like to learn HOW to give this presentation, watch this training video. If you want a copy of the slide deck, please request it from [email protected]

Watch for bold keywords which make excellent talking points with technical advisers.

When I speak about using secure passwords, it's often met with eye rolling, sighing, or recounting of frustrations with remembering passwords. I get it, but I can't really change my message. It's a core tenet of basic security practices. But people are dismissive of more than just long passwords; it's security-related inconvenience in general, especially when related to computers and accounts. I'd like to highlight the value of difficulty and hopefully alter your paradigm.

Let's start with a story

It's raining and you arrive home and have a double-armload of groceries to carry into the house. Approaching the door, you've forgotten to get your house key out, so you dig for it. Struggling and juggling, a glass jar and several other items crash to the ground. Soaked, you finally find the key. Once you get the door unlocked, you step inside, sopping wet and frustrated with the whole process.

An alternate story

It's raining and you arrive home with the same armload of groceries. Getting inside quickly is no sweat, since you left the front door wide open to make it easy to get in and out.
You hurry inside, barely wet, and put away your groceries, patting yourself on the back for how convenient you've made your life.

I'm sure you see where I'm going. Essentially, it's OK for some things to be hard. If you came home to see your front door open, what would you feel in the pit of your stomach? Would you call the police? We keep our homes and cars locked, even though it might cause us to be stuck in the rain or we might lose our keys and be locked out. We do this because it is an acceptable inconvenience. We see the value of locks, despite the extra effort required.

Security is all about making something difficult for others to access. So if a slight inconvenience to you adds significant difficulty for an attacker, there's really no more evaluation needed. Why don't we feel the same about securing our computers as we do about securing our homes? How sensitive or critical is the information accessible from your computer, your phone, and your online accounts? Isn't that worth some effort protecting? If an attacker can get into your email, he can use it to reset all your online account passwords while you sleep. How much of your life could be controlled from just your email account?

Of course, there is deeper value for you and your business. Following security best practices may yield lower cyber insurance premiums and protect against actual and reputational damage or fines. Demonstrable competence in security can also boost client or employee confidence (tip: avoid security theater, which leads to a false sense of security). The benefits of security are myriad, though they are often difficult to quantify, especially from your IT guy; for an insightful read, look up "Security's Value Proposition" from CSO Online.
So, what to do now? To begin with, if you can be considered important in any way, you should be using 2-factor authentication on every account you can. Do this today. As for your business, request a discussion with your IT department or service provider about the CIS Top 20 Controls, which lists the most effective controls to reduce security risk. Agree on one at a time and pursue each as a little project. Quarter-by-quarter, this will drastically reduce your business's risk.

A last thought: insurance is not a substitute for security. Insurance cannot bring back your data or reputation, so it's important to protect and maintain it properly.

When it's time to make an important decision, you should lean on proven methods. This is one of those methods. View our actual SOCaaS Weighted Decision Matrix here. Feel free to make a copy and use it for yourself.

The winner of our SOCaaS WDM process was Perch Security. The next-closest was only 80% of Perch's score. Watch the video here. (If you end up pursuing a relationship with them, please mention us as your referral source!)

If you need to evaluate SOCaaS providers, have a look at the actual weighted decision matrix we used to make our decision. Since even a 19% margin of difference between your requirements/scoring and ours still leaves Perch in the lead, if your evaluation criteria are anything close to ours, we've probably saved you a lot of work. Just go with Perch.
(This article is a part of a series on email and domain protection)

DMARC's role is twofold: 1) it specifies what receivers should do with incoming messages, based on whether they align with the SPF and DKIM records of a given domain; and 2) it generates reports back to the domain owner regarding email volume, sources, and which policies were applied to those messages. While there are plenty of how-to guides out there, the purpose of this article is to give a helpful overview of exactly what DMARC is and why it's important for everyone to implement on every domain.

Without SPF or DKIM in place, DMARC still has some value (reporting), but nothing can authenticate, so every message would fail the check and an enforcing policy would only block the domain's own mail. At a minimum, an SPF record (or a DKIM signature) is required in combination with DMARC in order for receiving servers to apply any meaningful policy to inbound messages.

DMARC message delivery workflow (diagram)
For domains that send mail, DMARC is a huge step in protecting not only IP-based reputation, but also domain-based reputation. The domain administrator publishes an SPF or DKIM record (preferably both), then a DMARC record. The DMARC record specifies what to do with messages that don't align with SPF or DKIM, as well as where to send reports on the quantity and sources of email received on behalf of the administrator's domain.

For any domain that sends mail, it is recommended to start with a DMARC policy of "none," which does nothing to break any mailflow, but allows for reporting. The often-underrated significance of this reporting is that the administrator gets to see how many messages are coming from his domain as a whole, including servers not under his control. Anyone can read the logs of their own equipment, but when, for example, a Russian spam server is sending mail from that same domain without permission, there is no other way to get reporting on that than DMARC. DMARC allows receiving servers to report back to domain owners exactly what is being sent on their behalf. These reports help domain owners to understand what email is being sent in their name, both legitimate and illegitimate. They can be used to ensure all legitimate sources of mail have been accounted for before tightening down the SPF policy from ~all to -all, and they continue to be useful in fine-tuning DMARC policy when switching from "none" to "quarantine" and again from "quarantine" to "reject."

After accurately accounting for all legitimate sources of mail and accommodating them in SPF/DKIM records, the DMARC record can be changed from "none" to "quarantine." Note, as in the illustrated example above, the policy is only applied to messages that fail both checks in the aligned sense: an SPF pass for some other envelope-sender domain, or a DKIM signature from some other domain, does not count, because DMARC requires the passing identifier to match the domain in the From header. If the message aligns with either SPF or DKIM, the DMARC policy is not applied. Quarantining a message generally means shoving it into the spam folder.
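The alignment rule described above, as an added example that is not part of the original article: a small model of how a receiving server turns a DMARC TXT record plus the SPF and DKIM outcomes into a disposition. The SPF/DKIM results are assumed to be handed in as (result, authenticated domain) tuples, the 1..100 sampling draw for the pct tag is passed in explicitly so the behaviour is reproducible, and the organizational domain is approximated by the last two labels (real receivers consult the Public Suffix List). All domains in it are hypothetical.

```python
"""Added example (not the article's own code): DMARC record parsing and the
aligned-pass rule a receiver applies. Assumptions: SPF/DKIM results arrive as
(result, domain) tuples; org domain = last two labels (a simplification).
"""


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict, filling in the spec defaults."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("p= must be none, quarantine or reject")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def org_domain(domain):
    """Simplification: the last two labels stand in for the organizational domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_aligned(header_from, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record, header_from, spf, dkim, sample=1):
    """Return (dmarc_result, action) for one message.

    spf is (result, envelope MAIL FROM domain); dkim is (result, signature d=).
    sample is the receiver's 1..100 draw used to honour the pct tag.
    """
    tags = parse_dmarc(record)
    spf_result, spf_domain = spf
    dkim_result, dkim_domain = dkim
    spf_ok = spf_result == "pass" and is_aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(header_from, dkim_domain, tags["adkim"])
    # One aligned pass is enough; the policy is applied only when both fail.
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    is_subdomain = org_domain(header_from) != header_from.lower()
    policy = tags["sp"] if is_subdomain else tags["p"]
    # pct: messages outside the sampled fraction get the next-weaker policy.
    if sample > tags["pct"]:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com"
    # Aligned SPF pass from a bounce subdomain: delivered.
    print(dmarc_disposition(rec, "example.com", ("pass", "bounce.example.com"), ("fail", None)))
    # Spoof that passes SPF for the spammer's own domain: reject, or quarantine
    # for the 75% of failing messages that fall outside pct=25.
    print(dmarc_disposition(rec, "example.com", ("pass", "spammer.example"), ("fail", None), sample=10))
    print(dmarc_disposition(rec, "example.com", ("pass", "spammer.example"), ("fail", None), sample=80))
```

The second and third calls are the case the article warns about: a raw SPF pass means nothing to DMARC unless the passing domain lines up with the From header.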
For the smoothest application of a policy of "quarantine" or "reject," DMARC allows the policy to be applied to a percentage of failing messages (the pct tag) rather than all of them. For example: when quarantining messages, it's prudent to start with 1% and wait for reporting to come in, then use the aggregate reports (and forensic/failure reports where a receiver sends them; most receivers send few or none, and many redact the message body) to confirm which sources were affected. Once comfortable that all the quarantined messages are illegitimate, the percentage can be increased so more and more messages are delivered to the spam folder instead of the inbox. Messages not selected by the percentage are treated under the next-weaker policy (reject falls back to quarantine, quarantine to none). Gradually, this percentage is increased until all messages not aligning with SPF/DKIM are quarantined, then the process is restarted with a policy of "reject."

Domains that send no mail should have both a "null" SPF policy and a DMARC policy of "reject."
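The discovery step the two paragraphs above rely on, as an added example that is not part of the original article: reading a DMARC aggregate (rua) report and bucketing each sending IP into aligned, unaligned third party (passes SPF, but for its own domain, so it still needs to be added to SPF/DKIM), or unauthenticated. The XML is a constructed sample in the RFC 7489 Appendix C layout with documentation IPs and hypothetical domains; real reports arrive as zip/gzip attachments from receivers and should be treated as untrusted input (use defusedxml rather than plain ElementTree in production).

```python
"""Added example (not the article's own code): summarize a DMARC aggregate
report so each source can be classified before tightening policy. The report
below is constructed; IPs are documentation ranges, domains are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample report. Reports come from third parties: parse real ones
# with defusedxml, since plain ElementTree is not hardened against hostile XML.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>10</pct></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>newsletter-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>5000</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203-0-113-99.bad.example</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (published_policy, sources) where sources maps IP -> counters."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    policy = {"domain": pub.findtext("domain"), "p": pub.findtext("p"),
              "pct": int(pub.findtext("pct", default="100"))}
    sources = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # policy_evaluated carries the *aligned* results: one pass = DMARC pass.
        aligned_pass = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        stats = sources.setdefault(ip, {"dmarc_pass": 0, "dmarc_fail": 0, "dispositions": set(),
                                        "spf_domain": None, "third_party_spf_pass": False})
        stats["dmarc_pass" if aligned_pass else "dmarc_fail"] += count
        stats["dispositions"].add(ev.findtext("disposition"))
        raw_spf = rec.find("auth_results/spf")
        if raw_spf is not None:
            stats["spf_domain"] = raw_spf.findtext("domain")
            # Raw SPF pass for some other domain, yet no aligned pass: the
            # signature of a third-party sender not yet in our SPF/DKIM.
            if raw_spf.findtext("result") == "pass" and not aligned_pass:
                stats["third_party_spf_pass"] = True
    return policy, sources


def classify(sources):
    """Bucket each source, largest volume first, so the next change is obvious."""
    buckets = {"aligned": [], "unaligned_third_party": [], "unauthenticated": []}
    by_volume = sorted(sources.items(), key=lambda kv: -(kv[1]["dmarc_pass"] + kv[1]["dmarc_fail"]))
    for ip, s in by_volume:
        if s["dmarc_fail"] == 0:
            buckets["aligned"].append(ip)
        elif s["third_party_spf_pass"]:
            buckets["unaligned_third_party"].append(ip)
        else:
            buckets["unauthenticated"].append(ip)
    return buckets


if __name__ == "__main__":
    policy, sources = summarize_report(SAMPLE_REPORT)
    print(policy)
    for ip, s in sources.items():
        print(ip, s["dmarc_pass"], s["dmarc_fail"], s["spf_domain"], sorted(s["dispositions"]))
    print(classify(sources))
```

In the sample, 198.51.100.7 is the case that bites people when they jump straight to -all or p=reject: a vendor sending real mail that authenticates only as itself. It goes into SPF/DKIM before the policy is tightened; 203.0.113.99 is what the policy is there to stop.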
Further monitoring revealed a peak fraudulent output of >6 million messages in a month, 99.99% of which were being blocked.
SPF - Sender Policy Framework

SPF (v1) provides a framework for domain owners to effectively whitelist authorized email sources (servers by IP, not persons who send) for a given domain. Receivers check the connecting server's IP against the SPF record of the envelope-sender domain (the SMTP MAIL FROM / Return-Path), not the From header the recipient sees; that gap is exactly what DMARC's alignment check closes.
What about domains that don't send mail? All domains need an SPF record. It's simple: create a "null" SPF record to specify that nobody is authorized to send mail from that domain. It's a whitelist that's blank, thereby eliminating the opportunity for malicious persons/organizations to send fraudulent mail on behalf of a legitimate domain. Just because a business or person doesn't USE a domain to send mail doesn't mean someone else can't maliciously spoof the FROM as that domain. Why leave it unprotected when a 2-minute task can secure it?
Create standard SPF record:
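As an added example (not the article's own record or code): typical records for a domain that sends mail, a domain still in discovery with ~all, and a parked domain with the "null" record, together with a small evaluator showing how a receiver arrives at pass, fail or softfail for a connecting IP. The DNS data is a constructed in-memory zone with hypothetical domains and documentation IPs; a real checker does live DNS lookups, supports the ptr/exists mechanisms and macros, and enforces the 10-DNS-lookup limit across the whole evaluation rather than by recursion depth.

```python
"""Added example (not the article's own code): SPF records and a simplified
receiver-side evaluator over a constructed DNS zone (hypothetical domains).
"""
import ipaddress

DNS_TXT = {
    # Sending domain: own MX, an IPv4 range, a mail vendor via include, hard fail.
    "example.com": "v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    # Soft fail while sending sources are still being discovered.
    "lenient.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # The "null" record for a domain that sends no mail at all.
    "parked.example": "v=spf1 -all",
    # An include pointing at a domain with no record: a broken policy.
    "broken.example": "v=spf1 include:missing.example -all",
}
DNS_MX = {"example.com": ["mail.example.com"]}
DNS_A = {"mail.example.com": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for ip sending as domain."""
    if depth > 10:
        return "permerror"      # stands in for RFC 7208's DNS-lookup limit
    txt = DNS_TXT.get(domain.lower())
    if txt is None:
        return "none"           # no record: the receiver has nothing to enforce
    terms = txt.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Membership is False across address families, so ip4 never matches an IPv6 sender.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in DNS_A.get(arg or domain, []))
        elif name == "mx":
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(ipaddress.ip_address(a) == addr for h in hosts for a in DNS_A.get(h, []))
        elif name == "include":
            inner = check_spf(arg, ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"   # a broken include invalidates the whole record
            matched = inner == "pass"
        else:
            return "permerror"       # ptr, exists and macros are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no "all" term: the RFC 7208 default result


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.25"), ("example.com", "2001:db8::1"),
                    ("example.com", "203.0.113.5"), ("lenient.example", "203.0.113.5"),
                    ("parked.example", "198.51.100.9"), ("nosuch.example", "203.0.113.5")]:
        print(f"{ip:>14} as {dom}: {check_spf(dom, ip)}")
```

The last two cases are the point of the section that follows: a parked domain with the null record yields a hard fail for every sender, while a domain with no record at all yields "none", which gives the receiver nothing to act on.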
Larger organizations, or those who think there is even a chance that another third party is sending legitimate emails on their behalf (think: confirmation emails, receipts, marketing departments that don't coordinate with the IT department, etc.), should use ~all instead, as it will not cause messages to be rejected. Messages from sources not whitelisted in the record receive a "soft-fail" mark, which increases their chance of being delivered to spam if there are any other red flags in the message source, subject, or body. Until additional visibility into mailflow and sending sources can be obtained, it is recommended to keep the soft-fail mechanism in place.

The next step in protecting a domain's reputation and preventing spoofed messages is either DKIM, DMARC, or both. DMARC provides reporting on all mail purporting to be from a given domain, and gives excellent insight into sources that may not have been known by the IT department. It can be used for a thorough "discovery" process, and SPF/DKIM records can be adjusted before rejection policies are made strict. This process preserves legitimate mailflow alongside the illegitimate during discovery, but prevents legitimate messages from being rejected or stuffed into spam folders once enforcement begins.

Intro to Cryptography

Caleb Christopher gave a talk on cryptography at SecKC in May 2019. Here's a little quiz for you...
-----BEGIN TALK DESCRIPTION-----
QW4gb3ZlcnZpZXcgb2Ygb3VyIG5lZWQgZm9yIGNyeXB0b2dyYXBoeSwgd2hhdCBpdCBpcywgYW5kIGhvdyBpdCB3b3JrcyB3aXRoIHNvbWUgcHJhY3RpY2FsIGV4YW1wbGVzLg==
-----END TALK DESCRIPTION-----

DMARC for the win

Email is critical for business operations. If your emails don't land reliably in people's inboxes, business can grind to a halt.
In 1972 email was originally designed to enable communication. It has ever since. Communication – not security – was the focus when it was designed. That is why I can install a simple, free mail server software on any computer and start sending messages, claiming they’re from anyone I want – even you. Spoofing is the act of masquerading as another, and with email it’s incredibly easy if protections aren’t activated. In its various forms, spoofing fuels phishing and other fraud. Spoofing preys upon the legitimate reputation of an organization, and that organization gets the reputational “credit” for anything done in its name. Your business could be “sending” spam campaigns right now. What if I told you there was a three-step method to:
What if I sent you an email about it? From yourself. Sometimes that's what it takes for my message to land impactfully in the mental inbox of some managers. Whenever I have the opportunity while conducting vulnerability assessments, I make sure to send myself a noteworthy email from an executive within the organization. I do this without ever touching their equipment or logging into their systems, simply because I can; anyone can. That's my point.

Security as an afterthought is almost always clumsy and usually requires manual configuration. Here's why I even have this job: security is rarely included in project/product design phases and IT guys rarely turn on the security options available.

So, what's the fix? My three-step plan? I stumbled upon it while researching email authentication. There are three public DNS records you should publish for each domain you own: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Here's the short version: SPF specifies which IP addresses can send mail as @yourbusiness.com; DKIM adds a digital signature to prove the message came from you (and is unmolested); and DMARC is twofold: it adds reporting and defines an action policy for unauthenticated messages.

DMARC is where email security gets traction. Without it, email could be reasonably secure (tip: it usually isn't), but previously there was no way to know whether your domain is being misused. The Reporting component is revolutionary, making it now possible to discover how many emails are being sent on your behalf and where from, even from systems you don't own or control. DMARC has been mainstream-usable since early 2015, but for lack of awareness most businesses have not yet begun using it. I have spoken at regional information security conferences on it and I find a majority of IT professionals are unaware of or don't yet understand DMARC.
On that note, a word of caution: DMARC is powerful and can block all the fraudulent emails, but can also block the good ones. A careful plan is essential.

I have deployed DMARC for more than 40 domains. One of those domains was sending more than two million fraudulent emails per month. The client indicated that domain should not be sending any email, so a quick forensic investigation into the content of the messages yielded evidence of phishing campaigns, links to hacked websites, myriad erectile dysfunction ads, and so on. This company was getting the reputational credit for having sent these emails. I published a DMARC policy to reject any mail from that domain, and now 99.9991% of those messages are being blocked. At one point, the volume spiked to greater than 5.9 million in a month. All blocked!

Another client's members recently received a fraudulent message "from" a staff member requesting donations for another real member's fake sick child on a GoFundMe site, complete with sad pictures and fake quotes from other members. I connected with their IT service provider to assist with damage control and remediation.

So how long does it take; how much does it cost? The answer is, "it depends." Simple environments can be done in less than a month with little capital outlay. Complex environments can take months and cost thousands. In my experience, most SMBs are relatively simple environments.

Secure your email. You're likely in the majority who aren't being actively impersonated, but if you were, wouldn't you like to know? And wouldn't you like to properly configure things so it can't happen?

A Hole In One (Club After Another)

This is a variation of the article published in The BoardRoom magazine, Sept/Oct 2017
Unintended Confidences

As a cybersecurity and risk assessor in the Club space, time and again I find Clubs' cyber defenses are practically non-existent, and they don't even know it. They've got the framework, but it's not being leveraged. We've got a firewall; we're solid, right? "Cyber" is this distant intangible, and it's the IT department's job to handle anyway. Without fail, when I'm invited to give a wake-up-and-smell-the-cyber seminar to overview the kinds of real problems I find at nearly every Club I visit, Club representatives come up to me afterward stammering things like, "I never knew the risks!" or, "I never even thought a computer breach could allow a hacker to do that." They feel compelled to go tell others; so do I, and that is why this is what I do.

When It Finally Hits Home

When I brief a Club's board of directors at the close of a vulnerability assessment, the abstract risk they saw at my seminar becomes real life. Imagine your face as I show you video footage from your own security cameras which my hacking team was able to access from anywhere in the world… or a copy of your member database. How does your stomach feel as you contemplate mass identity theft becoming the legacy of your Club? Just look up "Chicago Yacht Club Hacked" and read quotes from former members. Really. Or, right now, go look up "Country Club Hacked" and find current results; the hackers are leaving their signatures on Clubs' websites. Make sure your Club isn't on that list.

But How Did It Get This Way?

Clubs often have just an IT guy. Unless specifically tasked with security, the primary focus of that IT "department" is to keep things working. That makes sense, because convenient, functional information systems for workers allow fast service to members. Unfortunately, convenience and security tend to be inversely related: without deliberate investment, when one increases the other decreases.
Without additional resources (personnel, training, or outside support), the existing IT department can usually only trade one for the other, like an old radio-tuner slider. Increased security measures may result in scenarios such as a helpdesk call for a password reset while a member has to stand, waiting. For some, this is untenable. Simply opting for convenient system operation is by default a forfeiture of security, which is a notion that hasn't occurred to most Clubs, or even most other small organizations in general. Additionally, existing IT departments often lack either the manpower or the expertise to implement reasonable levels of information security in their Clubs. Without an infusion for the IT department (whether more IT staff, better educating current staff, or augmenting the department by bringing in a team of outside experts with a fresh set of eyes to conduct a vulnerability assessment), this paradigm won't change.

What About Cyber Insurance?

Cyber insurance is one of the fastest growing segments in the insurance industry; however, it's not the safety net many people think it is. Many insurance policies are based on subjective questionnaires, focusing on the existence of policies and procedures, without verifying whether the insured follows through with its own policies. Without objective risk profile analysis, insurance policies tend to vary wildly in cost, cover very specific incidents, and have sweeping exclusions. Many organizations have a very hard time making a collectible claim on cyber insurance after an incident. Insurers don't exist to be a safety net for organizations who don't care to take basic steps to secure themselves against events.

Wake Up and Smell the Cyber

The fact is this: Clubs have an incredibly high hack value, and most seem not to have taken reasonably prudent measures to secure their systems and their members' confidential data against a breach.
Club members already trust you to protect their personally identifiable information (PII). If they didn't, they wouldn't be members. Is that trust misplaced? Prudent managers no longer dismiss cyber security, saying, "Oh, that's the IT department's job." They're asking themselves, "How, and from whom, do I want to find out how vulnerable my club is?"