October is cybersecurity awareness month, which was perfect timing for the Department of Homeland Security to formally announce a policy to protect federal agencies against cyberthreats coming from email solutions. Mid-month, the Department of Homeland Security Assistant Secretary for Cybersecurity and Communications, Jeanette Manfra, announced that federal agencies have 90 days to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) for their email systems. DMARC is an email-validation system designed to detect and prevent email spoofing, developed specifically to address the shortcomings of previous methods. For details about the mandate, go to the site here: https://cyber.dhs.gov/.
DHS has officially recognized what we have known all along: email is the number one threat vector, and federal agencies are at risk for phishing, business email compromise and ransomware. Business email compromise often starts with a spoofed email, one that looks like a legitimate request coming from a legitimate sender. Social media and social engineering have fueled spoofing attacks, and their success. According to the 2017 Midyear Cisco Cybersecurity Report, $5.3 billion was stolen due to business email compromise fraud between October 2013 and December 2016, an average of $1.7 billion per year. Implementing an email security solution with DMARC can help mitigate this risk.
So now that you know you have until January to comply, what should your next steps be?
1. Why mandate DMARC now? It is a years-old security standard.
Members of Congress have been pushing the federal government to take cybersecurity more seriously, particularly since there have been high profile incidents involving spoofed emails sent to government officials.
2. If I have an email security solution, does it have DMARC? Do I have to buy something new to be compliant with the new mandates?
It depends on what solution you are using today. If you have Cisco Email Security, it is included in your base license, so you do not need to buy anything new. However, we recommend you create a plan to enable, test, and implement it successfully. Cisco Technical Assistance Center and Advanced Services can help, and so can your Cisco Account Manager.
3. How do I know if I have DMARC turned on in my solution? If I do not, is it hard to do?
DMARC record verification is available through many online tools. You can use, for example, MXtoolbox: https://mxtoolbox.com/dmarc.aspx. Publishing a DMARC record is not hard on its own, but DMARC relies on two underlying technologies, SPF and/or DKIM, to validate the sender address. Ease of deployment depends on your current state of SPF or DKIM support and on the complexity of your email infrastructure. Your Cisco Account Manager and Cisco Advanced Services can provide guidance on DMARC implementation.
4. What if I use third-party services to send my emails? Do I need to stop doing this now? Should I be concerned about someone sending emails on my behalf, even if it is legitimate and I am allowing them to do it?
You do not need to stop using your third-party vendor, but you do need to ensure that you coordinate the validation schemes and align your settings properly.
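The two answers above (that DMARC depends on SPF and/or DKIM, and that a third-party sender must be aligned with your domain) come down to one mechanism: DMARC identifier alignment. The example below, which is added here and is not code from the Cisco post or from Cisco Email Security, parses a DMARC TXT record and then evaluates constructed messages against it, showing why a vendor that passes SPF under its own domain still fails your DMARC policy unless it also DKIM-signs with your domain. The sample records, domains and the `AuthResult` structure are constructed for illustration; the organizational-domain helper uses a last-two-labels approximation rather than the Public Suffix List, and `pct`, `sp` and live DNS lookups are deliberately left out.

```python
"""DMARC record parsing and identifier-alignment evaluation (added example).

Assumptions: sample records/domains are constructed, organizational domain is
approximated by the last two DNS labels (real evaluators use the Public
Suffix List), and SPF/DKIM verification itself is assumed to have already
happened (we only consume its pass/fail result).
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed sample DMARC TXT records, keyed by the domain they would be
# published under (_dmarc.<domain>). Not real published records.
SAMPLE_RECORDS = {
    "agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example; adkim=s; aspf=r",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: v=DMARC1 must be the first tag")
    if "p" not in tags:
        raise ValueError("DMARC record must carry a p= policy tag")
    tags.setdefault("adkim", "r")  # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")   # SPF alignment mode
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Approximation: last two labels. Real deployments consult the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode needs the same organizational domain."""
    if not auth_domain:
        return False  # the underlying check did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResult:
    """Constructed summary of a received message's authentication state."""
    from_domain: str            # domain of the RFC5322.From header (what the user sees)
    spf_pass_domain: str = ""   # MAIL FROM domain if SPF passed, else empty
    dkim_pass_domain: str = ""  # d= of a valid DKIM signature, else empty


def evaluate(record: Dict[str, str], msg: AuthResult) -> Tuple[str, str]:
    """Return (dmarc_result, disposition). A message passes if SPF or DKIM is aligned."""
    spf_ok = aligned(msg.from_domain, msg.spf_pass_domain, record["aspf"])
    dkim_ok = aligned(msg.from_domain, msg.dkim_pass_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", record["p"])  # p=none / quarantine / reject decides what the receiver does


if __name__ == "__main__":
    rec = parse_dmarc_record(SAMPLE_RECORDS["agency.example"])
    cases = {
        "vendor, SPF under vendor domain only": AuthResult("agency.example", spf_pass_domain="bulk.vendor.example"),
        "vendor, plus DKIM d=agency.example": AuthResult("agency.example", "bulk.vendor.example", "agency.example"),
        "spoof, nothing passes": AuthResult("agency.example"),
    }
    for label, msg in cases.items():
        print(f"{label}: {evaluate(rec, msg)}")
```

The second case is the one that matters for question 4: coordinating with the vendor means either letting them DKIM-sign with a key published under your domain (so `d=` aligns) or adding their sending hosts to your SPF record and having them use a MAIL FROM under your domain. A `p=none` record, as in the second sample, still produces `fail` results and reports but never blocks mail, which is why it is the usual first step before moving to `quarantine` or `reject`.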
5. Do I need to alert my users and customers? Do I need to put new training/best practices in place with my users?
As with any change in your email policy, you should follow your change management guidelines. Your end users will not be required to do anything differently as these are changes in global configurations; there is no action that users will need to take.
To learn more about protecting your organization from email-based threats with DMARC and other threat protection technology, read the Cisco Email Security Buyer's Guide (pdf).