Successful training reaches more than 1,200 registrants from 23 countries
By Shehzad Mirza
Since June 2016 the Global Cyber Alliance (GCA) has worked to accelerate the adoption of Domain-based Message Authentication, Reporting, and Conformance (DMARC) through advocacy, campaigns to drive deployment, and by providing a set of tools. GCA has also measured the economic impact of DMARC, which is considered the industry standard for email authentication combating email impersonation. The result of a domain not implementing any form of DMARC policy is exposing its recipients to possible phishing attacks; unsurprisingly, 91% of all cyberattacks begin with a phishing email.
In September 2019 GCA started the Defend & Deliver: DMARC Bootcamp as part of our continuing efforts to support and promote DMARC. The purpose of the bootcamp was to provide organizations with enough information to be able to understand DMARC and its associated parts: authentication, reporting, and conformance. In that fall bootcamp, we had more than 1,800 people register from 1,297 organizations across 55 countries. By the end of the bootcamp, 90 organizations had implemented DMARC: seven at policy “reject,” eight at policy “quarantine,” and 75 at policy “none.” We are still seeing progress on those domains. As of June 8, 2020, 183 domains from the fall participants have DMARC in place, with 126 set to policy “none,” 36 set to policy “quarantine,” and 21 set to policy “reject.”
Due to the success and positive feedback from attendees of the fall DMARC bootcamp, we decided to conduct additional bootcamps in 2020 (with some slight modifications), the first of which ran from May 6 to June 3, and the next beginning the week of September 15.
Overall, we had more than 1,200 people register from 892 organizations across 23 countries for the May bootcamp. Of the 1,200-plus registrants, we had up to 650 people attend the webinars, with the first session drawing the highest attendance, and we maintained a 60% or higher attendance rate throughout the five weeks. We recorded each session and provided additional resources, which can be found here: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/.
Before the bootcamp started, we performed a scan of domains (based on the registrants’ email addresses) and excluded all consumer-based accounts (Gmail, Hotmail, Yahoo, etc.). Based on our initial scans:
- 487 domains had no DMARC policy
- 252 domains were set to p=none, which is the “monitor only” mode for DMARC (no filtering but used for making adjustments)
- 66 were set to p=quarantine (DMARC enforcement which puts fraudulent messages in spam/junk)
- 76 were set to p=reject (DMARC enforcement which drops fraudulent messages)
- 11 domains had set up a DMARC policy but had errors with the policy (see below for more details)
Throughout the five weeks, we saw organizations start to implement DMARC and make adjustments to their DMARC policy, with an average of 10 organizations implementing DMARC each week.
(Figure 1 – DMARC adoption across five weeks of the DMARC Bootcamp)
Let’s focus on the 487 domains that did not have DMARC at the start of the bootcamp, as these are the ones we look to help implement DMARC during the bootcamp. By the end of the five weeks, we saw a total of 60 organizations implement DMARC (the previous bootcamp ended with 90 domains implementing DMARC). 427 domains still did not have DMARC implemented.
(Figure 2 – DMARC implementation by organizations starting with no DMARC policy)
The breakdown of the 60 domains is as follows:
- 50 set to p=none
- 6 set to p=quarantine
- 4 set to p=reject
Initially there were 11 organizations that had errors with the policy. The issue with these domains was that the p tag was placed toward the end of the record rather than as the second tag. In order for a DMARC policy to be recognized correctly by receiving systems, the p tag must be the second tag in the record.
Another 28 domains had a different kind of error. These domains have a DMARC policy that does not have reporting enabled, which is a problem especially when a majority of these domains have the DMARC policy set to “none.” The purpose of level “none” is simply to enable reporting and review the reports that are being generated; it does not do any filtering or actually enforce DMARC. The DMARC reports are what provide you with the information necessary to determine when to change your policy to “quarantine” or “reject.” Just having a policy of “none,” with no reporting enabled, does not protect your domain or brand nor does it prevent the use of your domain in phishing campaigns.
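The two record defects described above (a p tag that is not the second tag, and a policy with no reporting address) are easy to check mechanically. The following is an added example, not code from the GCA post or from GCA’s tools: it parses a DMARC TXT record into its ordered tags, classifies a domain into the same buckets the bootcamp scan used (missing, error, or policy level), and flags a record that has no rua tag. The domain names and records are constructed sample data; the tag-order rule (v first, p second) follows the post and the record syntax in RFC 7489.

```python
from typing import Dict, List, Optional, Tuple

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> List[Tuple[str, str]]:
    """Split a DMARC TXT record into ordered (tag, value) pairs.

    Whitespace around ';' and '=' is ignored and an empty trailing
    segment (from a final ';') is dropped. Order is preserved because
    the v/p position check depends on it.
    """
    pairs = []
    for segment in record.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"malformed tag segment: {segment!r}")
        tag, value = segment.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def assess_dmarc(record: Optional[str]) -> Dict[str, object]:
    """Classify one domain's DMARC record.

    state is 'missing' (no record), 'error' (record present but not
    usable), or the policy level ('none', 'quarantine', 'reject').
    reporting is True when an rua address is present.  issues lists
    every problem found, including a usable record with no reporting.
    """
    if record is None:
        return {"state": "missing", "policy": None, "reporting": False,
                "issues": ["no DMARC record published"]}
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return {"state": "error", "policy": None, "reporting": False,
                "issues": [str(exc)]}

    tags = [tag for tag, _ in pairs]
    values = dict(pairs)
    issues: List[str] = []

    # v=DMARC1 must open the record, and p must follow it immediately.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        issues.append("v=DMARC1 must be the first tag")
    if "p" not in values:
        issues.append("p tag missing")
    elif len(tags) < 2 or tags[1] != "p":
        issues.append(f"p tag is tag #{tags.index('p') + 1}; "
                      "it must be the second tag")
    elif values["p"].lower() not in POLICIES:
        issues.append(f"unknown policy value {values['p']!r}")

    reporting = bool(values.get("rua"))
    if issues:
        return {"state": "error", "policy": None,
                "reporting": reporting, "issues": issues}

    policy = values["p"].lower()
    if not reporting:
        # The record is valid, but without rua no aggregate reports arrive,
        # so p=none yields no information to act on.
        issues.append("no rua tag: no aggregate reports will be delivered")
    return {"state": policy, "policy": policy,
            "reporting": reporting, "issues": issues}


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per state, mirroring the bootcamp scan buckets."""
    counts: Dict[str, int] = {}
    for _domain, record in records.items():
        state = str(assess_dmarc(record)["state"])
        counts[state] = counts.get(state, 0) + 1
    return counts


# Constructed sample data: one domain per situation the post describes.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "late-p.example": "v=DMARC1; rua=mailto:dmarc@late-p.example; p=reject",  # p is third
    "silent-none.example": "v=DMARC1; p=none",  # monitor mode with nothing to monitor
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain:22} {result['state']:10} {'; '.join(result['issues'])}")
    print(summarize(SAMPLE_RECORDS))
```

Run against real domains by resolving `_dmarc.<domain>` TXT and passing the record string to `assess_dmarc`; a record with a misplaced p tag lands in the error bucket exactly as the 11 domains above did, and a p=none record without rua is reported as valid but carries the no-reporting issue.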
There were also domains that had DMARC in place prior to the bootcamp. Some of these domains did change their policy levels during the bootcamp.
- Eight domains changed their policy from “none” to “quarantine”
- One domain changed its policy from “none” to “reject”
- Four domains changed their policy from “quarantine” to “reject”
- One domain dropped from “quarantine” to “none”
Overall, the GCA DMARC Bootcamp allowed for many organizations to implement DMARC or obtain the knowledge to get started with making a plan to implement DMARC. According to our data, 60 organizations were able to get to a policy level of “none” within five weeks. This shows that getting started is relatively easy. It is much more challenging to move to “quarantine” or “reject,” because it may take time to review the reports and make the appropriate adjustments to the authentication mechanisms used by DMARC.
To all bootcampers and non-bootcampers, even though the bootcamp has finished, it doesn’t mean that you should stop your progress. If you haven’t started, then start by implementing a policy of “none.” If you are at “none,” don’t lose your momentum! Keep moving forward, review those reports, and get to a higher enforcement level of DMARC. GCA is still here to help and provide guidance on DMARC at any level. Please do not hesitate to reach out to us by posting questions to our community forum or reaching out directly at email@example.com.
As a reminder, you can view the recorded sessions online at: https://dmarc.globalcyberalliance.org/dmarc-bootcamp/.
We will also be conducting another bootcamp in September, so stay tuned to the GCA website for more details if you’re interested in signing up.
LOS ANGELES — June 16, 2020 — Today, the Internet Corporation for Assigned Names and Numbers (ICANN) announced the signature of a Memorandum of Understanding (MoU) with the Global Cyber Alliance (GCA). The MoU aims to bolster the relationship between ICANN and GCA and enhance their collaboration in support of an efficient and resilient Domain Name System (DNS). These efforts are of interest to both parties and target important issues, such as security threats to the DNS.
“For ICANN and GCA to work together on research and increasing awareness of the different forms of DNS abuse is something that makes complete sense. As we join forces, we will leverage each other’s strengths to support and protect our unique communities which, in the end, make up one single, global community.” – Göran Marby, ICANN President and CEO
“GCA shares ICANN’s vision of secure Internet infrastructure, and we are proud to partner with ICANN to achieve that. We all depend on the DNS, therefore improving the security and privacy DNS provides can extend across the Internet to protect everyone, especially including vulnerable communities.” – Philip Reitinger, GCA President and CEO.
Security threats to the DNS affect millions of Internet users and are a primary concern for both organizations. The MoU is intended to advance the organizations’ shared objective of supporting activities aimed at reducing abuse of the DNS. ICANN and GCA have agreed to collaborate on activities aimed at reducing risk in the DNS. These activities may include research projects; projects to increase capabilities to address threats to and abuse of the DNS; coordination of efforts to bring stakeholders together; and exchange of information. Read the full Memorandum of Understanding here.
To learn more about GCA’s efforts to make the Internet more secure, visit https://globalcyberalliance.org.
GCA is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. GCA was formed in September 2015 by the Manhattan District Attorney’s Office, the City of London Police, and the Center for Internet Security to unite global communities, implementing solutions to address systemic cyber risk and measuring the effect of those solutions.
ICANN’s mission is to help ensure a stable, secure, and unified global Internet. To reach another person on the Internet, you need to type an address — a name or a number — into your computer or other device. That address must be unique so that computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
By Michael Tanji
If you are of a certain age you remember what it was like to work on your own car. Today, about the only thing people do to their cars is put gas in them. Unless you drive like you are in a demolition derby, fixing a problem with your car is a pretty rare occurrence. The flip side of that coin? A lot of people have no idea what to do if their car does not start or if it starts to shake or smoke. They cannot troubleshoot problems, much less fix them. All they know is a light on the dash came on and then the car would not work, so they called someone else who fixed it.
You see a parallel between knowledge about automobiles and knowledge about cybersecurity. Because you may not know what to do if something bad happens to your systems, you need your own cybersecurity help line — a firm you can call to help you when you get attacked. In cybersecurity circles, what you are looking for is a DFIR company. DFIR stands for “digital forensics and incident response,” and those are the skills you need to clean up the mess you are in and get back to work.
Digital forensics (DF) is exactly what it sounds like: looking at digital evidence to determine how something (a policy violation, a data breach, etc.) happened. Maybe it was a hack from an external actor, or maybe it was one of your own people carrying out some kind of fraud. Regardless, someone has to go through the system logs, hard drives, and other data associated with the event in question to gather evidence and piece together what, when, and how it happened.
If digital forensics is the “crime scene investigation” team, incident response (IR) is the “paramedics.” When you have been breached and you need someone to help you get the bad guys out and get back to a known good state, you need an IR team. They stop the bleeding, get things stabilized, and initiate a course of treatment that will get your systems — if not exactly “cured” — at least not dying.
Why Engage a DFIR Company Now?
Unless yours is a company of sufficient size, and/or in a high-risk line of business, DFIR skills are probably not something you want to maintain in-house. The software required can be expensive, the certifications are expensive to earn and maintain, and if you do not routinely use the skills, they atrophy.
DFIR companies do not hurt for work. They are constantly busy, and the number of prospective customers they have to turn away because of a lack of capacity can be substantial. One of the best ways to ensure that you will have the expertise you need, when you need it, is to establish a relationship with a service provider now. A little time and effort to build rapport and trust now — along with a reasonable retainer — will pay dividends when you-know-what hits the fan.
The best laid plans can go sideways on a moment’s notice. When that happens, you want to be able to pick up the phone and have people with the expertise you need show up. Identifying those people and establishing a relationship with them, so that they will not only take your call but respond in a timely fashion, is an important part of reinforcing your security posture. Companies without such relationships are forced to wait at the end of the line when something goes wrong, or are simply left out in the cold, which is not where you want to be.
By Rodney Lee
In today’s climate, it is important that we don’t lose focus on the rights and needs of the people. We know our country was built on the backs of people of color in all industries, and we deserve acknowledgement for our contributions to making America become leaders of the “free world.” When black people continue to be targets of law enforcement and the judicial system, it strips away our lives by the gun and the gavel and doesn’t seem free from our viewpoint. This is bigger than a black problem, this is an American problem. The eyes of the world have been on us as what is supposed to be the United States looks more divided than it has been since the days of segregation. All over the globe there have been nations who have taken a stand with our black citizens and demanded justice for those who have been lost at the hands of police brutality. The message is simple: #BlackLivesMatter. “All men are created equal” doesn’t seem to be taken as seriously as the 1st or 2nd amendments in this nation, and the fact that speech and gun ownership takes precedence over lives of human beings is sickening.
As a black man in an industry that isn’t as diverse as we would like, I find solace in knowing that the company I work for stands in solidarity with the Black Lives Matter movement for justice and racial equality. The Internet is a place where everyone has a voice and bigotry, hate speech, and racist rhetoric is spewed for all eyes to see. Social media has made it easier for hate groups to exercise their freedom of speech and target groups of people to make them feel marginalized. Other groups target those who haven’t been educated on cyber hygiene and threats, making them victims of a lengthy list of cyber crimes. The Global Cyber Alliance has been a workplace that I personally can call a “home” as we work to make the internet a safer place for EVERYONE. The people of the world deserve to feel safe in all aspects of life, and we make it our mission to protect them regardless of their background or ability to pay. We stand with our people, and we believe that #BlackLivesMatter.
GCA is pleased to welcome our newest team member, Anna Hardy, who joins us as our Global Finance Director.
Anna brings more than two decades of experience in accounting and business management to GCA. Her roles have included service in the nonprofit sector as well as in healthcare and entertainment. Her unique perspective will serve us well as we move GCA forward into its next phase of growth and innovation.
“I couldn’t be more excited to be joining GCA during this time of growth,” Anna said. “I’m looking forward to using my experience to help further our mission.”
“Anna has great experience and is an essential addition to our team,” said Mary Kavaney, GCA’s Chief Administrative and Legal Officer.
Check out Anna’s bio to learn more about her impressive record.
Welcome to the GCA family, Anna!
By Klara Jordan
The cost of exploitation of vulnerable information and communications technology (ICT) systems is always high, but perhaps there is nothing higher than the potential human cost caused by cyberattacks on healthcare systems.
That is why the Global Cyber Alliance (GCA) is supporting and contributing to the Cyber4Healthcare initiative orchestrated by the CyberPeace Institute (CPI). The initiative connects healthcare organisations in need of cybersecurity advice and resources with a range of actors willing to offer cybersecurity assistance services free of charge.
The healthcare community got its first serious taste of the potential effect of cyberattacks on its ability to operate during the May 2017 global ransomware attack known as WannaCry. A security researcher activated a kill switch in the evening of the same day the attack started, causing WannaCry to stop locking devices relatively early. Despite the rapid intervention, according to NHS England the WannaCry ransomware affected at least 80 out of the 236 trusts across England, either because they were infected by the ransomware or turned off their devices or systems as a precaution. A further 603 primary care and other NHS organisations were also infected.
There are several recent examples of this trend, putting additional strain on a system already pushed to its limits by the COVID-19 pandemic. In the past couple of months, hospitals, testing and medical facilities, government health agencies, and even the World Health Organization (WHO) have fallen victim to cyber operations with varying degrees of impact.
Research organisations and law enforcement agencies have confirmed the negative trajectory of the trend of exploiting the current pandemic by nation state actors and criminals. Nation state actors exploit the crisis to further their national security and foreign policy goals. According to Google researchers, they are increasingly using the pandemic as cover for digital reconnaissance and espionage.
Criminals profit from the COVID-19 pandemic by using social engineering attacks themed around the pandemic to distribute malware that spreads ransomware and unleashes ransom demands with unprecedented speed. Fraud schemes mercilessly exploit the anxiety and fear of victims, and the cost has already reached millions of dollars.
We will never know what the impact will be on individuals’ health when thousands of appointments and operations are cancelled and patients have to travel farther to accident and emergency departments because of WannaCry or other current cyberattacks, but this sample allows us to appreciate the potential impact of these types of incidents.
However, focused action, both at the strategic and the tactical level, can prevent harm to individuals as a consequence of cyberattacks.
At the strategic level, governments, international leaders, and international law experts have intensified efforts to curtail attacks on the healthcare sector.
For example, the Netherlands leads the UN’s efforts and recommends that countries include the healthcare sector on a list of critical infrastructure entities against which states should not conduct or support cyber activities. On 26 May, more than 40 former and current international leaders called on the world’s governments to take collective action to prevent and stop cyberattacks that target the healthcare sector, including working with civil society and the private sector to protect medical facilities. The International Committee of the Red Cross (ICRC) has been outlining rules which provide protection to the healthcare sector.
Given the urgency of the current crisis and the unrelenting efforts of adversaries, these strategic initiatives must be complemented through action.
CPI’s Cyber4Healthcare initiative positions itself on the tactical and practical level and aims to provide meaningful and timely assistance to hospitals, care facilities, clinics, labs, and clinicians, as well as pharmaceutical sciences, life sciences, and medical device companies that are researching, developing, manufacturing, and providing pandemic-related treatments to nongovernmental organisations (NGOs) and international nongovernmental organisations (INGOs) working to combat COVID-19.
The initiative builds on existing efforts and capabilities of supporting organisations such as Airbus, CybExer Technologies, Rapid7, and Unisys and will serve as a clearing house between requests for assistance and support that these organisations can provide.
GCA’s bias for action, along with our track record of providing practical tools that operationalize cyber hygiene to increase cyber resilience at scale, make us a natural partner for this initiative. We believe that basic cyber hygiene implemented at scale can make a real difference in protecting the healthcare ecosystem.
We will support the initiative by providing our free tools and associated assistance that will allow the organisations in need to:
- Increase their email security with an easy-to-follow guide to facilitate adoption of DMARC, an email authentication standard that helps protect email domains from spoofers, spammers, and phishing scams. Ransomware attacks — the largest concern of the healthcare sector — often start with a phishing attack. The goal of this attack is to either steal personally identifiable information (i.e., usernames, passwords, bank or credit card information), to orchestrate fraud (e.g., false wire transfer requests), or to infect systems with malware, such as ransomware or a keylogger. In addition, DMARC helps to prevent attacks in which malicious third parties send harmful emails using a counterfeit address. DMARC stops most email impersonation — by implementing DMARC, domains lower their odds of being spoofed and used for phishing attacks on recipients, which is particularly important given the large number of fraud attempts associated with the pandemic.
- Protect themselves from accessing known malicious websites through increased DNS security with Quad9. Quad9 provides a dynamic list of sites that protect against the threats of phishing and identity theft scams and malware, ransomware, and command-and-control botnet systems for viruses, worms, and other forms of malicious software. Quad9 is currently seeing a new record-setting rate blocking access to malicious sites an average of 60 million times per day, which represents a 600% year-over-year growth rate. During heavy “storms” of cybercrime activity, this volume has spiked to more than 100 million events per day. This growth relates directly to hackers launching new tools, new phishing campaigns that send out vast amounts of increasingly sophisticated messages, or dormant networks of bots that awaken and try to reach their control systems.
- Use a suite of basic cyber hygiene tools to raise their overall resilience. GCA’s Cybersecurity Toolkit for Small Business can be used by any organisation that desires to have access to curated free tools to implement cyber hygiene guidance such as the CIS Controls.
The toolkit allows users to:
- Conduct inventories of devices and applications to ensure small business owners are aware of devices needing protection;
- Ensure that security settings of devices are automatically updated;
- Ensure that accounts are protected by strong passwords and two-factor authentication;
- Access a range of tools that can be used to prevent common attacks and ensure devices are backed up in the event an attack does occur; and
- Implement policies and recommendations for training employees to understand how to identify and avoid phishing emails.
GCA is looking forward to working with the CyberPeace Institute and its partners to support the healthcare sector and test a new model of collaboration in practical cybersecurity assistance.
By Philip Reitinger
I recently had a chance to catch up with Peter W. Singer, a world-renowned thinker and strategist about cyber conflicts and politics.
On May 26 he and August Cole published Burn-In, a “novel” based just a few years into the future when cyber is king and artificial intelligence is of ever-increasing importance. The book is a “novel” because while it is fictional, the events in it are all based on incidents and facts that have actually occurred (and references are provided). In short, the plot is far more realistic than what you might find in the nonfiction section of your local library. Peter and I discuss artificial intelligence, cybersecurity, and cyber warfare.
Burn-In is a taut techno-thriller, compelling in its writing, plot, and science. Get smarter and be entertained – what could be better?!
We also discuss LikeWar, an actual nonfiction book published in 2018 by Peter and co-author Emerson T. Brooking. LikeWar is about the weaponization of social media.
Together, these books talk about a world where the virtual has become of equal importance to the physical, and where the changeable nature of truth and reality and the power of machines put the nature of reality at risk. I hope you enjoy the discussion.
As the world continues to adapt to the COVID-19 pandemic, different forms of cyberattacks have been targeting what is now a largely remote workforce. Philip Reitinger, our President and CEO, was interviewed by Voice of America’s Russian Service about cybersecurity concerns during this time, changes to our working and living models, and simple tips for everyone, from small businesses to their employees. You can read the full interview here — an option for Google Translate should pop up if you’re reading it in English.
By Michael Tanji
The quickest, easiest, and cheapest way to get back to business, regardless of the type of attack or disruption, is to have current backups available. Backups are one of those things, like checking a car’s fluid levels, which seem like old-fashioned drudgery but have the potential to save you a lot of grief and expense.
Online ‘backup-as-a-service’ offerings and backup software take most of the guesswork and complication out of the backup process, but it is still essential that you periodically check and make sure your data is actually there. If your IT person is using the backup utilities that are present in the operating system your organization uses, they absolutely must double check to make sure backups are being created. I say this because here is a scenario I’ve seen play out more than once in my career:
- System Administrator sets up a backup scheme.
- System Administrator doesn’t realize he misconfigured the backup scheme.
- System Administrator takes backup tapes or disks and stores them without verifying if the backups were actually made.
- In the aftermath of an attack or crash, System Administrator retrieves backup disks and tries to restore company data, only to find that the backup process ran, but because of the misconfiguration or some other error, no data was actually stored.
- System Administrator looks for a deep hole to crawl into while they update their resume.
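The failure in that scenario is a backup job that exits successfully while storing nothing, which only a restore test catches. The script below is an added example, not part of the GCA post or toolkit: it archives a directory, writes a SHA-256 manifest alongside the archive, and then verifies the backup the only reliable way, by restoring it into a scratch directory and checking every hash. The sample data directory and the "wrong source directory" misconfiguration are constructed for the demonstration; the script assumes a POSIX shell with `tar`, `find`, `sha256sum` and `mktemp` (GNU or busybox).

```sh
#!/bin/sh
# Added example (not from the GCA post): a backup job that verifies its own
# output by restoring the archive and comparing per-file SHA-256 hashes.

# make_backup SRC_DIR ARCHIVE: archive SRC_DIR and write ARCHIVE.sha256,
# a manifest of every file's hash, paths relative to SRC_DIR.
make_backup() {
    src="$1"; archive="$2"
    tar -C "$src" -cf "$archive" . || return 1
    ( cd "$src" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done ) > "$archive.sha256"
}

# verify_backup ARCHIVE: restore into a temp dir and check every manifest hash.
# Returns 0 only if the archive holds at least one file and all hashes match.
# An archive that "ran" but stored nothing (the post's misconfiguration) fails.
verify_backup() {
    archive="$1"
    manifest="$(cd "$(dirname "$archive")" && pwd)/$(basename "$archive").sha256"
    tmp=$(mktemp -d) || return 1
    status=1
    if tar -C "$tmp" -xf "$archive" \
       && [ "$(find "$tmp" -type f | wc -l | tr -d ' ')" -gt 0 ] \
       && ( cd "$tmp" && sha256sum -c --status "$manifest" ); then
        status=0
    fi
    rm -rf "$tmp"
    return $status
}

# run_demo: constructed sample data exercising both outcomes.
# Prints "good:ok misconfigured:detected" when verification behaves correctly.
run_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/reports" "$work/empty"
    printf 'invoice 2020-06\n' > "$work/data/reports/june.txt"
    printf 'id,name\n1,sample\n' > "$work/data/customers.csv"

    # Correctly configured job: real data, restore test passes.
    make_backup "$work/data" "$work/good.tar" || return 1
    if verify_backup "$work/good.tar"; then good=ok; else good=FAILED; fi

    # Misconfigured job: points at the wrong (empty) directory, exits 0,
    # stores no data. Only the restore test reveals it.
    make_backup "$work/empty" "$work/bad.tar" || return 1
    if verify_backup "$work/bad.tar"; then bad=missed; else bad=detected; fi

    rm -rf "$work"
    echo "good:$good misconfigured:$bad"
}

run_demo
```

In practice `make_backup` and `verify_backup` run from the same scheduled job, and the job is only considered successful when `verify_backup` returns 0; the manifest also gives you a quick way to spot-check off-site media later without restoring everything.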
Where should you store your backups? If you’re in a business where you want to be back online in hours, store your daily copies (on physical media) locally, under lock and key. Store weekly or monthly copies off-site. A safe deposit box works just fine if you don’t have a lot of media to store, but really any self-storage facility with physical security measures that is climate controlled will do if you don’t deal with particularly sensitive data that must be handled in accordance with some type of legal or regulatory regime.
If you are concerned at all about ransomware, make sure you configure your backup system to disconnect from the network or power off once backups are made and validated, or schedule backups to run just before you leave for the day and power off or manually disconnect the system. The goal here is to preclude an attacker from holding both your live data and backups hostage, which may be possible if you keep a backup system connected and running.
Creating backups is fundamentally an IT job that has serious implications for security. Backups are not a sexy or sophisticated security solution but a standard, often mundane, task for a system administrator. Yet the value of a current backup can be, in the right circumstances, the sum total value of your business. Particularly in the age of ransomware, backups are the most inexpensive and painless way to minimize the impact of being held hostage. What’s the best backup scheme for your organization? What are you trying to protect, and how badly would you be impacted if that data were unavailable for an extended period of time? Let the answers to these questions drive your backup strategy.
The GCA Cybersecurity Toolkit contains instructions on how to back up your data whether you’re using Windows or a Mac. There are multiple third parties – backup-as-a-service, if you will – that will back up data on an individual or organizational level, in near-real-time, leaving you time to focus on your business, not on becoming an expert in archiving.