On 06/19/2014 08:22 AM, John Levine via dmarc-discuss wrote:
>
>> But if it can help put any dent whatsoever in the endless stream of
>> corporate data breaches, for example, I think it's a net benefit for
>> consumers.
Before I continue: No, DMARC is not designed to prevent data breaches,
and will not eliminate all data breaches - any more than it will
eliminate all phishing. And the above does not claim it will do so.
However, DMARC can help remediate a vector commonly used to initiate an
intrusion against corporate networks, and recent data breaches have
shown phishing was a key step leading to the theft of consumer data.
> How can DMARC prevent breaches? At most we've seen it defend
> imperfectly against the consequences of a very specific and unusual kind
> of breach in which they stole address books of individual mail users.
> For the typical breach of financial information, it's irrelevant.
Phishing is targeted at corporate mailboxes, with one goal being to open
a way into the corporate infrastructure. Access to the infrastructure is
the first step in gaining whatever data you're after. Same-domain
phishing is highly effective, so anything that addresses it is a prudent
control to deploy. Thus, inbound DMARC filtering is desirable for
corporate infrastructure.
The corporate information security sector is well aware of the inbound
phishing threat:
* net-security.org: "Most cyber-attacks begin with spear-phishing emails"
* Verizon 2014 data breach report: "Users will be phished, and they
will eventually click"
o "... even a [phishing] campaign consisting of a small number of
messages has a high probability of success" - 9-18% depending on
methods
o "Once the phishing email has done its work ... the name of the
game is [getting the data by leveraging network access]."
* June 12, 2013: "The FBI has seen an increase in criminals who use
spear-phishing attacks to target multiple industry sectors. These
attacks allow criminals to access private computer networks."
* Trusteer: "Spear-phishing is one of the main tools used by attackers
to compromise endpoints and gain a foothold in the enterprise network."
* Computerworld 2011: Phishing emerges as major corporate security threat
A few examples of successful phishing of corporations leading to
consumer data breach:
* The 2013 Target data breach was initiated by a phishing attack -
70+MM consumers affected?
* In 2012 the South Carolina Dept of Revenue suffered a data breach
due to credential theft via phishing - 5.7MM people, 700k
businesses, and 3.3MM bank accounts
* In 2010 Epsilon (the ESP) was the victim of a phishing attack that
ultimately exposed customer data of at least 50 of their corporate
customers - affecting as many as 5MM consumers
It's taken a while, but B2B mandatory TLS is now a common control at the
corporate level. I expect a similar evolution with DMARC as vendors make
it available.
--S.
Links:
* net-security.org - http://www.net-security.org/secworld.php?id=16585
* Verizon DBIR - http://www.verizonenterprise.com/DBIR/2014/
* FBI -
http://www.fbi.gov/sandiego/press-releases/2013/fbi-warns-public-that-cyber-criminals-continue-to-use-spear-phishing-attacks-to-compromise-computer-networks
* Trusteer -
http://www.trusteer.com/solutions/spear-phishing-and-credentials-theft
* Computerworld -
http://www.computerworld.com/s/article/9215995/Phishing_emerges_as_major_corporate_security_threat
* Target breach -
http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/
* S Carolina -
http://www.scmagazine.com/sc-tax-breach-began-when-employee-fell-for-spear-phish/article/269448/?DCMP=EMC-SCUS_Newswire
* Epsilon -
http://www.darkreading.com/attacks-and-breaches/epsilon-fell-to-spear-phishing-attack/d/d-id/1097119?
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)
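As an added example that is not part of the original post or of any DMARC implementation, the following Python shows the inbound DMARC check the message above calls a "prudent control": given the SPF and DKIM results a receiving MTA has already computed and the sender domain's published DMARC record, it decides whether the message's From domain is authenticated and what disposition the domain owner asked for. No DNS is done; the record text is passed in directly. The domain names (corp.example, bulk-sender.example), the record contents and the sample messages are constructed for illustration, and the organizational-domain shortcut is a simplification noted in the comments.

```python
# Added example (not from the original mailing-list post): a minimal inbound
# DMARC evaluator showing why a same-domain spoof fails the check while
# genuine corporate mail passes. Domain names, records and message results
# below are constructed for illustration; no DNS lookups are performed.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record: %r" % txt)
    return tags


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Real implementations consult the Public Suffix List; this shortcut is
    wrong for suffixes such as co.uk and is used here only for illustration.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one inbound message.

    from_domain: domain of the RFC5322.From header (what the recipient sees)
    record:      DMARC TXT record published at _dmarc.<from_domain>
    spf_result / spf_domain:   SPF verdict and the domain it was evaluated for
    dkim_result / dkim_domain: DKIM verdict and the d= domain of the signature
    """
    tags = parse_dmarc_record(record)
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Neither authenticated identifier aligns with the visible From domain:
    # apply the domain owner's requested policy (none / quarantine / reject).
    return "fail", tags.get("p", "none")


# Constructed scenario: the corporation publishes a reject policy.
CORP_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@corp.example"


def run_samples():
    """Evaluate a few constructed inbound messages; returns name -> (result, disposition)."""
    samples = {
        # Genuine mail: DKIM-signed by the corporate domain itself.
        "genuine": ("corp.example", "pass", "corp.example", "pass", "corp.example"),
        # Genuine mail relayed by a subdomain mail system; relaxed alignment passes.
        "subdomain": ("corp.example", "pass", "mail.corp.example", "none", ""),
        # Same-domain spoof: From says corp.example, but SPF passes only for the
        # sender's own unrelated domain and there is no aligned DKIM signature.
        "spoof": ("corp.example", "pass", "bulk-sender.example", "none", ""),
    }
    return {name: evaluate_dmarc(args[0], CORP_RECORD, *args[1:])
            for name, args in samples.items()}


if __name__ == "__main__":
    for name, (result, disposition) in run_samples().items():
        print(f"{name:10s} dmarc={result:4s} disposition={disposition}")
```

The "spoof" sample is the case the message argues about: the From header shows the corporate domain, SPF even passes for whatever domain the sending host really belongs to, yet nothing aligns with corp.example, so the filter applies the published reject policy instead of delivering it to the mailbox.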