CyberScoop’s Shaun Waterman interviewed GCA Director of Operations, Shehzad Mirza, this week about the recent DHS Binding Operational Directive 18-01 and the improvement in DMARC adoption amongst federal agencies in just the two weeks since the directive was issued.
You can read the full article here.
The Global Cyber Alliance is pleased to announce the addition of Maryam Rahmani, CISSP, as its Global Partnership Officer. Maryam will leverage her 25 years of experience in technology sales, consulting and cybersecurity policy to provide value to GCA’s existing partner network and grow its partnership sphere across the Americas, Europe, the Middle East, and Africa.
“Adding someone with Maryam’s experience, skills, and ability is a major boost to our organization,” said Global Cyber Alliance President and CEO Philip Reitinger. “For more than two decades she has positioned technology solutions to address complex problems. She has worked with private sector companies across sectors including communications, energy, and financial services. Her experience and her passion for cybersecurity, make her a perfect fit to help us fulfill our mission to eradicate systemic cyber risk.”
Rahmani reciprocated Reitinger’s enthusiasm saying, “Joining Global Cyber Alliance is a calling and a natural continuation of my commitment to cybersecurity, as I sincerely believe in GCA’s mission of doing something measurable to reduce cyber risk. I am thrilled to be part of an alliance made up of and supported by high caliber, well respected and experienced people, organizations, and companies dedicated to making the cyber domain safer and more secure for all. I look forward to helping GCA spread its mission globally by supporting existing partners and their stakeholders to deploy valuable best practices, participate in ongoing projects, as well as reaching out to other like-minded entities and inviting them to join this global alliance. By working together, we can make a difference and reduce cyber risk.”
Beyond her work with GCA, Maryam is deeply committed to outreach and awareness activities in support of encouraging more women to pursue careers in science, technology, engineering, and math especially information security. She currently serves as the Technical Co-Chair for the IEEE Women in Engineering (WIE) Forum East. She is an active member of the ISSA Women in Security (WIS) Security Interest Group(SIG) and previously served as a board member of the Society of High Performance Computing Professionals (SHPCP). She holds a Master of Science degree in Cybersecurity Policy from University of Maryland University College and a Bachelor of Science in Electrical Engineering from the University of Florida.
By Shehzad Mirza
On October 16th, the US Department of Homeland Security (DHS) issued Binding Operational Directive 18-01 (BOD 18-01) in which all federal agencies are mandated to implement various email security measures, one which of which is DMARC. Prior to its issuance, there was very slow progress. We are excited, however, in the large increase in DMARC implementation amongst federal agencies since the 16th!
Figure 1: DMARC Implementation for federal domainsAt the beginning of October, there were 1,159 federal agencies without DMARC: 82 using policy level ‘none’, 6 using policy level ‘quarantine,’ and 68 using policy level ‘reject.’ On November 1st, the numbers were much better.
There are now 1,038 federal agencies without DMARC: 157 using policy level ‘none,’ 3 using policy level ‘quarantine,’ and 117 using policy level ‘reject.’ Just five days later, on November 6th, the number increased even more.
There are now 971 federal agencies without DMARC: 215 using policy level ‘none,’, 3 using policy level ‘quarantine,’ and 126 using policy level ‘reject.’
The number of domains using policy level ‘quarantine’ dropped but for good reason. Those three domains moved up to the highest DMARC policy level ‘reject.’
The increase in the number of domains at DMARC policy ‘reject’ is a big improvement. What is especially important about this increase is that 96 of those domains are not used for email purposes. This is based on the SPF record for those domains, which is set to “v=spf1 -all”. This means that there are no authorized systems to send on behalf of those domains. However, there are 137 additional federal domains that are using the same SPF record. For those domains, 108 domains should also implement a DMARC policy ‘reject’, assuming that they are not to be used for email. The remaining 29 domains are using the same SPF record, but the DMARC policy level is ‘none’. It is possible those agencies are either confirming that email is used for those domains or are in the process of adjusting the SPF records after reviewing the DMARC reports.
One area of minor concern is that nine of the agency domains that have implemented DMARC have done so without enabling reporting. Four of these domains are using DMARC level ‘none without reporting. DMARC level ‘none’ has no impact on messages and is meant only for monitoring purposes, but it is useless if the reporting is not enabled. The remaining five domains are using the DMARC policy level of ‘reject’ without reporting enabled. This is not a huge concern since they are at the highest level, but the reports can still be useful to IT staff for troubleshooting, and for cyber security staff to obtain cyber intel in the form of spammers/phishers.
The 215 federal domains that are at DMARC policy level ‘none’, must not forget to still keep working towards an effective DMARC policy of ‘quarantine’ or ‘reject’. Only at one of these levels will there be an impact on usage of their domain name.
There are still 68 days for the remaining 971 federal domains to implement a DMARC of policy ‘none’, and based on the pace of implementation so far, past few days, they should be able to make it. This is very encouraging compared to other sectors.
We strongly encourage everyone to follow the leadership of DHS and the United Kingdom government with the implementation of DMARC and to use our DMARC Setup Guide (which is now available in thirteen languages). We also have many resources (awareness videos and tutorials, monthly Webinars, and information resources) available to assist with DMARC implementation and ensure use of the reporting capability of DMARC. There is a lot of valuable information for an organization’s IT and security staff in those reports.
The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.
By Renée McLaughlin
On Monday October 16, the Assistant Secretary for Cybersecurity and Communication for the U.S. Department of Homeland Security announced that the Acting DHS Secretary signed Binding Operational Directive (BOD) 18-01 requiring all federal agencies to implement the DMARC protocol across all federal email domains within 90 days. Agencies have until January 16th to adopt DMARC and be at a minimum of policy level “none.”
Within the year, all agencies will need to have progressed from policy level “none” to “reject.”
GCA applauds this federal initiative and the ambitious schedule set forth. We would like to challenge others to do the same. The more organizations that implement DMARC, the better security for the entire email ecosystem. For some, this will be easy, for others, a bit more challenging. We invite everyone in the public and private sectors to take the challenge.
Following on the heels of National Cyber Security Awareness Month in the U.S. and Cyber Security Month in Europe, GCA kicks off this challenge with a month of education and awareness, building a coalition of partner and other organizations who recognize the urgency of securing our cyber ecosystem and will champion the cause.
On December 1, 90 Days to DMARC will begin. Every step of the way, GCA and partners will assist with resources and guidance, including but not limited to:
Month One: The Plan
Month Two: Implement
Month Three: Analyze, Review and Adjust
We urge you to accept this challenge and utilize our tools and resources to aid you on the DMARC journey to improve your email security. If the federal government can do it, so can you!
Sign up here to accept the challenge and get updates about our Webinars and other resources as they become available.
The clock is ticking!
The author, Renée McLaughlin, is the Director of Digital Media and Editor at the Global Cyber Alliance. You can follow her on Twitter @RNMc3.
By Shehzad Mirza
On October 23, 2016, just over a year after the formation of the organization, GCA released its first tool to eradicate systemic cyber risk – the GCA DMARC Setup Guide – to ease the burden of implementing the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol and help organizations protect their brand from email fraud. The Setup Guide performs a scan of a domain to check for SPF/DKIM/DMARC protocols and provides step-by-step guidance on how to create SPF/DKIM/DMARC records.
Now here we are, a year after it’s launch, and the DMARC Setup Guide has been visited 16,493 times from 10,562 users in 3,407 cities across 144 countries.
Of those visits, 10,680 unique domains were used on the site, and 2,040 of those domains ( from across 112 countries) have enabled a correct DMARC policy after visiting the Setup Guide.
That is a 19.1% implementation rate in just under one year from when the site was released!! This is over double the nonprofit industry average click-through rate of 7%.
In fact, GCA had a record week starting on Friday, October 13th (lucky #13) in which we had the most visits and usage of the DMARC site since launch. The second highest came on Monday, October 16th, thanks to our event in NYC at which the Department of Homeland Security (DHS) announced Binding Operational Directive 18-01, mandating all federal agencies to implement DMARC alongside additional email security mechanisms.
Behind the Numbers:
The above numbers are great for a nonprofit entity that has been promoting, educating and raising awareness about DMARC. However, let’s look more closely at who and where we have had an impact around the globe.
Figure 1: The number of entities which implemented DMARC for each policy.
Figure 1 indicates how many domains attempted to use the DMARC Setup Guide and which level of DMARC policy these entities have implemented or are using. The blue bar shows those that have enabled DMARC after visiting the GCA DMARC Setup Guide. The orange bar shows the domains which already had DMARC enabled at certain levels. The obvious concern is the high number of domains with nothing implemented, followed by the number of domains that are still at DMARC policy level ‘none’. Why is this a concern? We’ll discuss that later in the report.
Being a global organization, GCA wanted to make sure our project had global reach. Based on the statistics, the majority of our users are from the US and the UK, but we have quite a few visitors from other countries as well.
Figure 2: Top-10 Countries visiting the GCA DMARC Site (excluding the USA and the United Kingdom)
What is interesting is that in Figure 2, once you remove the domains that do not have DMARC implemented, the same countries are still present just in a different order. This is due to the number of domains that set a DMARC policy after visiting the Setup Guide. Germany is still the highest regarding visits and DMARC implementation.
Figure 3: Top-10 Countries with DMARC implemented (excluding the USA and the United Kingdom)
Overall concerning implementation rate, Germany has the most domains with the effective levels of DMARC (policy set to quarantine or reject) after visiting our site, followed by France and Canada.
Figure 4: Top-10 Countries with DMARC implementation after visiting the GCA DMARC Site (excluding the USA and the United Kingdom)
Figure 5: Top 10 Sectors using GCA DMARC Setup Guide
The domains who used the Setup Guide are also representative of a variety of sectors across the globe. One might expect IT Services to be the highest, but what was unexpected was that the Education sector would be in the top five, since they do not appear on various vendor reports. Ultimately, ALL sectors should make a plan to implement DMARC as soon as possible. Every sector maintains some form of Personally Identifiable Information (PII) (e.g. social security numbers, credit card data, banking information, medical records, etc.). Maintaining the integrity of an organization’s networks and customer data is critical.
Each sector had various levels of implementation when using the Setup Guide (which is not the same as the number of visits). Figure 5 shows that the IT Services sector has the largest implementation of DMARC, as expected due to the volume of domains attempted. However, the Legal and Food & Beverages sector drop off the top 10 list implementation list, and Manufacturing and Media sectors take their place.
Figure 6: Top 10 Sectors DMARC implementation after visiting the GCA DMARC Site
Overall in terms of implementation rate, IT Services has the most domains with the effective levels of DMARC (quarantine and reject), followed by Finance and Retail.
What have we learned?
Figure 7: Top-10 Sectors DMARC implementation after visiting the GCA DMARC Site
The first thing we learned during this past year is that quite a large number of entities have never event heard of DMARC. This would, in part, explain the slow adoption rate. A small percentage indicated it was too difficult and too expensive to implement. Due to this, GCA conducted monthly webinars and developed several videos to raise awareness and educate executives on the benefits of implementing DMARC, as well as more technical guidance with implementation, and some cost-effective options for DMARC reporting.
One major thing we’ve learned is that approximately 79% of the domains that have implemented DMARC at level “none” and have remained at that level for the past several months, if not longer. DMARC level “none” has no impact on messages and is meant only for monitoring and reporting purposes. It is important that organizations implement DMARC enforcement by using policy level ‘quarantine’ or ‘reject’. As a result of these findings, GCA developed a rating level in the Setup Guide to encourage users to encourage reporting and to increase their protection level from “none” to “quarantine” and eventually “reject.”
Additionally, approximately 16% of these domains have not enabled reporting. If the DMARC policy is set to “none” and reporting is not enabled, there is no benefit to having DMARC at all. Report analysis is necessary to determine if DKIM, SPF and/or domain alignment need to be adjusted. This in turn will lead to moving up to a DMARC policy that allows for enforcement. There is a lot of valuable information for an organization’s IT and security staff in those reports! More information about DMARC reporting analysis can be found here.
We also learned that a majority of users at the start were from the United States and the United Kingdom, due in large part to the fact that the Setup Guide and resources were originally only available in English. In order to make a greater global impact, GCA released the DMARC Setup Guide in twelve other languages this year: Arabic, Bulgarian, Chinese (Cantonese and Mandarin), French, German, Hindi, Japanese, Korean, Portuguese, Spanish and Russian. Once each language was released, we saw an increase in usage from regions with those primary languages. We also started began the process of translating our awareness video. We now have it available in Spanish and Japanese. By the end of this month, we will also have it in French and Mandarin, and more planned for release in 2018, to have even more impact around the world!
Overall, the adoption rate for DMARC has been slow, but with the help of free tools and resources and increased implementation and awareness amongst GCA partners, we expect the adoption rate to pick up steadily. The United Kingdom and the United States governments have both established mandates for their agencies to implement DMARC, which is a strong sign of support. We hope this trend continues both in the public and private sector. Especially since a majority of the world’s consumer inboxes – 76 percent, or 4.8 billion – already support DMARC. Organizations across all sectors around the globe need to do their part to protect those consumers.
So what are the next steps?
If you are one of the many who has yet to implement DMARC, we are here to help! Get started with the DMARC Setup Guide or take a look at the many videos available on the GCA YouTube Channel. We are also available for any questions or help to get started. Contact us at gca-dmarc@globalcyberalliance.org.
If you have DMARC and would like to help us promote its benefits and the importance of implementation, we have kit that gives you all the basic information for spreading the word at: https://dmarc.globalcyberalliance.org/dmarc-media-kit.html
If you have a story to tell, please share it with us so others can learn from your experience! What were your challenges and how did you overcome them? What successes did you encounter as a result of implementation? What resources did you find useful? We love to hear success stories! Contact us at gca-dmarc@globalcyberalliance.org.
The author, Shehzad Mirza, is the Director of Operations at the Global Cyber Alliance. You can connect with Shehzad on LinkedIn.
By Adnan Baykal
The Global Cyber Alliance, along with our partner organization Packet Clearing House, has built a global anycast open, recursive, privacy-enabled DNS infrastructure. This community-driven solution offers a highly effective first layer of protection by using multiple threat intelligence feeds from the security industry’s leading threat intelligence providers to block DNS resolution to known malicious domains.
Setting up DNS filtering requires just a simple configuration change.
If you are interested in learning more about the GCA DNS Service, GCA offers a monthly Webinar on the fourth Wednesday of each month. Please register below for the dates and times you are interested in.
The next Webinar sessions are scheduled for October 25, 2017.
Register for the 2:30 pm ET session.
You can also learn more about this initiative at our new DNS Website: dns.globalcyberalliance.org.
The author, Adnan Baykal, is the Global Technical Advisor at the Global Cyber Alliance. You can follow him on Twitter @adnan_baykal81.
NEW YORK, October 16, 2017 – The Global Cyber Alliance today applauded the U.S. Department of Homeland Security’s issuance of a Binding Operational Directive (BOD) focused on bolstering email and web site security for all federal agencies that operate .gov email and website domains.
At a cybersecurity roundtable hosted by the Global Cyber Alliance, Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity and Communications, announced that, within the next 90 days, all federal agencies will be required to:
Within the next 120 days, all federal agencies will also be required to:
“It is critical that U.S. citizens can trust their online engagements with all levels of the federal government,” Assistant Secretary Manfra said. “Today, we are calling on all federal agencies to deploy a toolkit of advanced cybersecurity technologies that will enable them to better fulfill our ultimate mission – serving and protecting the American public.”
“A single spoofed email can compromise the security of an entire organization, and a breach at one organization can sometimes leave an entire industry open to similar attacks and vulnerable to fraud. Working with our partners, my office is committed to reducing cyber risks worldwide, and I encourage others in both the public and private sector to take precautions against malicious activity by implementing tools like DMARC,” said Manhattan District Attorney Cyrus R. Vance, Jr..
DMARC is supported by 85 percent of consumer email inboxes in the United States (including Gmail, Yahoo, Microsoft, etc.) and more than 4.8 billion email inboxes worldwide. However, DMARC adoption rates among enterprises and government remains low.
“DMARC doesn’t protect email, it protects people,” said Phil Reitinger, President and CEO of the Global Cyber Alliance. “Once federal agencies fully deploy DMARC, citizens cannot be phished by a criminal posing as a government employee. The federal government is stepping up and setting an example that the private sector should follow. If the U.S. government can deploy DMARC across more than 1,300 domains, then we should expect the same of the companies on which we depend.”
For more details on DMARC, please visit: https://dmarc.globalcyberalliance.org/dmarc-media-kit.html
About the Global Cyber Alliance
The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to confronting cyber risk and improving our connected world. It is a catalyst to bring communities of interest and affiliations together in an environment that sparks innovation with concrete, measurable achievements. While most efforts at addressing cyber risk have been industry, sector, or geographically specific, GCA partners across borders and sectors. GCA’s mantra “Do Something. Measure It.” is a direct reflection of its mission to eradicate systemic cyber risks.
GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at globalcyberalliance.org.
By Renée McLaughlin
On Monday October 16th, U.S. Department of Homeland Security (DHS) Assistant Secretary, Office of Cybersecurity and Communications, Jeanette Manfra, will outline new steps that the federal government is taking to improve e-mail and web security.
Cybersecurity leaders from DHS, the Manhattan District Attorney’s Office, and the Global Cyber Alliance, and others will examine how organizations can protect customers and employees from e-mail born phishing attacks that damage brands, enable identity theft and cost the U.S. economy billions of dollars per year.
Industry experts at the event will include:
Join us live via Facebook starting at 9:30 am!
The author, Renée McLaughlin, is the Director of Digital Media and Editor at the Global Cyber Alliance. You can follow her on Twitter @RNMc3.
By Renée McLaughlin
October is National Cyber Security Awareness Month in the United States and Cyber Security Month in Europe. At GCA, we are excited to be a Champion and contribute to the effort with a 100% focus on DMARC implementation. This Special Edition of the GCA newsletter is dedicated to encouraging all organizations to implement DMARC to protect themselves and their customers and members. We have spent the last year working with partners and supporters around the globe to raise awareness, educate and make available tools, resources and training materials to assist organizations. We hope you enjoy this edition – we have many new features and resources for our global community!
You can view the entire newsletter here.
If you are not already receiving our newsletter directly, please sign up now!
The author, Renée McLaughlin, is the Director of Digital Media and Editor at the Global Cyber Alliance. You can follow her on Twitter @RNMc3.
731 Lexington Avenue
65A Basinghall Street
London, UK EC2V 5DZ
Copyright @ 2020 Global Cyber Alliance