DMARC and your.bank Domain. September 2015 v

Transcription

1 DMARC and your.bank Domain September 2015 v

2 MAKES IT EASY FOR CRIMINALS TO REACH YOUR CUSTOMERS USING YOUR BRAND Phishing and brand abuse erode consumer trust Attacks cause lasting brand damage Fallout impacts every team IT, IS, Security, Risk, Marketing, Operations, Customer Service, & the C-Suite Attacks decrease engagement, reducing your bottom line It s far too risky to leave your business and reputation exposed to these kind of attacks 2

3 .bank Registration Requirements Specifically designed to protect banks and consumers from cybercriminals Require that you: - are a bank or other eligible entity - publish a DMARC quarantine or reject policy if domain is not used for policy plus either DKIM and/or SPF if domain is used for These requirements are the most stringent of any TLD and registry This is a good thing. Something you should tell your customers and your boards about Today our focus is the DMARC reject requirement Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 3

4 Background: What is DMARC? Copyright 2014 Agari. All rights reserved. Confidential and Proprietary. 4

5 Dee-MARK is an Acronym D omain-based M essage A uthentication R eporting (and) C onformance and a de-facto security standard 5

6 In 2007, These Guys Started It 6

7 And Soon These Guys Joined In 7

8 Proven at Scale With Volume & Complexity AGARI RECEIVERS SENDERS RECEIVERS Largest bank Most abused brand Largest sender of on the planet Largest consumer electronics company 2.5B endpoints 85% of US inboxes 70% of global inboxes 10B messages daily Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 8

9 How does DMARC Work? You (a sender of ): - Send all messages as compliant messages, authenticated in specific ways - Tell the world to delete or drop non-compliant (the reject policy ) Then, the Receivers/ISPs: - throw out (delete/drop) the non-compliant Dead simple but the devil is in the details Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 9

10 Using your.bank domain for sending Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 10

11 Migrating is a Process Send all messages as compliant messages 1. Audit. Perform an audit to identify types and sources of you send 2. Plan. Determine which types and sources will be migrated to your new.bank domain 3. Implement. Implement and confirm the authentication methods applicable to each source of . Send test messages. Fix the problems that surface. Repeat. 4. Communicate. Tell your customers to expect from the new sources using existing channels. Or wait and tell using the new channels. 5. Act. Switch over to using your.bank domain when sources are compliant Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 11

12 DMARC supports your Audit Audit Goal: Identify all legitimate sources of using your brand(s) Typically a combination of: - sent directly by your bank s IT systems and departments - sent using third party vendors in your behalf - You may be surprised by some sources Tips: - Publish a DMARC monitor policy on your existing domains. This will help you identify legit sources. - Use a DMARC monitoring, workflow, and security vendor to assist you (this is what Agari and others can help you with) Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 12

13 On Implementation Authentication SPF, DKIM, or both? - Very likely both (depends upon the amount of forwarding) - SPF: fragile but easier to implement - DKIM: signing software at message source, crypto, but resilient to forwarding SPF Issues - Identifying and correctly adding the authorized IP space (sets of IP addresses) - Ensuring alignment the SMTP dialog s MAIL FROM must match the From Header Domain. Requires server side configuration to fix DKIM - Key management: creation, publishing in DNS, signing - Key Length: minimum 1536 bits - Signing domain must match From Header Domain. Requires server side configuration changes to fix Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 13

14 Tips: Engage your Vendors Good: - We send DMARC-compliant with a reject policy today for at least one customer Warning: - Oh sure, We sign our messages with SPF - We can sign messages with DKIM - Doing DMARC just means using DKIM or SPF, so no problem Be Patient, Avoid Pitfalls: - DMARC amends and invalidates certain practices in widespread use with SPF and DKIM. Consequently, - Existing vendor implementations of SPF or DKIM are rarely DMARC-compliant. They will need remediation - Overall, the nuances take time to address Help for is out there. DMARC.org, Agari, and others work with vendors to help them achieve compliant sending practices Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 14

15 Summary.bank Registry requirements are protective of banks and consumers. Mandatory use of DMARC ensures that only you can send as you Migrating your traffic to use your.bank domain for customer communications is a process Work with your IT departments, Vendors, and outside DMARC service providers to achieve, confirm and maintain ongoing compliance Do not forget to tell your customers and your stakeholders! Copyright 2015 Agari. All rights reserved. Confidential and Proprietary. 15

16 Thank You! Copyright 2014 Agari. All rights reserved. Confidential and Proprietary. 16