Are You Protecting Your & Your Customers? Learnings from the 2017 OTA Trust Audit. August 1, 2017

Similar documents
2016 Online Trust Audit Authentication Practices Deep Dive & Reality Check

About Us. Overview Integrity Audit Fighting Malicious & Deceptive August 13, 2014

2015 Online Trust Audit & Honor Roll Methodology

2015 Online Trust Audit & Honor Roll Review June 23, All rights reserved. Online Trust Alliance (OTA) Slide 1

2016 Online Trust Audit Webinar Will Start Shortly

Is Your Marketing Trustworthy? Best Practices & Findings from Auditing 200 Top Retailers. December 13, 2017

Jeff Wilbur VP Marketing Iconix

DMARC ADOPTION AMONG

The Anti-Impersonation Company. Date: May 2 nd, ValiMail. All Rights Reserved. Confidential and Proprietary.

DMARC ADOPTION AMONG

DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

2017 Cyber Incident & Breach Readiness Webinar Will Start Shortly

DMARC ADOPTION AMONG. SaaS 1000 Q Featuring Matthew Vernhout (CIPP/C) Director of Privacy, 250ok

DMARC ADOPTION AMONG e-retailers

2016 Data Protection & Breach Readiness Webinar Will Start Shortly. please download the guide at

An Executive s FAQ About Authentication

DMARC ADOPTION AMONG e-retailers

FRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks

DMARC ADOPTION AMONG

DMARC Continuing to enable trust between brand owners and receivers

Phishing Discussion. Pete Scheidt Lead Information Security Analyst California ISO

Authentication GUIDE. Frequently Asked QUES T ION S T OGETHER STRONGER

Agari Global DMARC Adoption Report: Open Season for Phishers

DMARC ADOPTION AMONG

UK Healthcare: DMARC Adoption Report Security in Critical Condition

Office 365: Secure configuration

Anti-Spoofing. Inbound SPF Settings

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

building an effective action plan for the Department of Homeland Security

Communicator. Branded Sending Domain July Branded Sending Domain

Teach Me How: B2B Deliverability in a B2C World

How to Conquer Targeted Threats: SANS Review of Agari Enterprise Protect

OTA Strategic Update Building & Amplifying April 5, 2017

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Monthly Cyber Threat Briefing

CYBER SECURITY AND MITIGATING RISKS

Security by Any Other Name:

CISO as Change Agent: Getting to Yes

with Advanced Protection

Machine-Powered Learning for People-Centered Security

TABLE OF CONTENTS Introduction: IS A TOP THREAT VECTOR... 3 THE PROBLEM: ATTACKS ARE EVOLVING FASTER THAN DEFENSES...

A Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01

2014 INTERNET COMMERCE CASE STUDY. The Battle Against Phishing and Fraudulent s. 100 S. Ellsworth Ave 4th Floor San Mateo, CA

Securing, Protecting, and Managing the Flow of Corporate Communications

Digital Health Cyber Security Centre

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Cyber Security in Smart Commercial Buildings 2017 to 2021

Keep the Door Open for Users and Closed to Hackers

EBOOK. Stopping Fraud. How Proofpoint Helps Protect Your Organization from Impostors, Phishers and Other Non-Malware Threats.

Education Network Security

FDIC InTREx What Documentation Are You Expected to Have?

About Us. Unsub Best Practices & Audit A Decade Since CAN-SPAM. Unsub Best Practices & Audit A Decade Since CAN-SPAM September 30, 2014

Turning the Tide: Fending off Cyber Threats

THE CLOUD SECURITY CHALLENGE:

Cloud Security & Advance Threat Protection. Cloud Security & Advance Threat Protection

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

Building a Scalable, Service-Centric Sender Policy Framework (SPF) System

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Must Have Items for Your Cybersecurity or IT Budget in 2018

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

IoT Security & Privacy Trust Framework v2.5

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

A Buyer s Guide to DMARC

Auditing Bring Your Own Devices (BYOD) Risks. Shannon Buckley

Automatic Delivery Setup Guide

Competitive Matrix - IRONSCALES vs Alternatives

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

CISM Certified Information Security Manager

Sophos Central Partner. help

Symantec ST0-250 Exam

Automatic Delivery Setup Guide

Trustwave SEG Cloud BEC Fraud Detection Basics

Bringing Cybersecurity to the Boardroom Bret Arsenault

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

Security and resilience in Information Society: the European approach

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

Getting Started with DMARC A Guide for Federal Agencies Complying with BOD 18-01

How Cyber-Criminals Steal and Profit from your Data

Managing Cybersecurity Risk

The rise of major Adversaries is the most relevant trend in 2014, targeting Government and Critical Services

M 3 AAWG DMARC Training Series. Mike Adkins, Paul Midgen DMARC.org October 22, 2012

Initiative. Copyright Techdemocracy, 2017

Office 365 Buyers Guide: Best Practices for Securing Office 365

Healthcare HIPAA and Cybersecurity Update

Getting Started with DMARC. A Guide for Federal Agencies Complying with BOD 18-01

Sage Data Security Services Directory

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Tripwire State of Cyber Hygiene Report

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

Combating Cyber Risk in the Supply Chain

W H IT E P A P E R. Salesforce Security for the IT Executive

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Information Security in Corporation

2018 Marketing & Unsubscribe Audit

PCI DSS 3.1 is here. Are you ready? Mike Goldgof Sr. Director Product Marketing

Evaluating DMARC Effectiveness for the Financial Services Industry

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

Transcription:

Are You Protecting Your Email & Your Customers? Learnings from the 2017 OTA Trust Audit August 1, 2017 2017 All rights reserved. Online Trust Alliance (OTA) Slide 1 Panel Kevin Gallant Manager, Intelligence Products, Yes Lifecycle Marketing Peter Goldstein CTO & Co-Founder, ValiMail Mike Jones Director, Product Management, Agari Jeff Wilbur Director, Online Trust Alliance, Internet Society 2017 All rights reserved. Online Trust Alliance (OTA) Slide 2

Why Care? The Risk. Rise in phishing attacks, precision, variety of methods Entry point for >90% of breaches 2017 All rights reserved. Online Trust Alliance (OTA) Slide 3 Why Care? The Value. Protect customers, partners & employees Insight into authentication, attacks Deliverability 2017 All rights reserved. Online Trust Alliance (OTA) Slide 4

Who Cares? 2017 All rights reserved. Online Trust Alliance (OTA) Slide 5 2016 Who s Doing It? 2017 All rights reserved. Online Trust Alliance (OTA) Slide 6

2017 Who s Doing It? Store Tools 2017 All rights reserved. Online Trust Alliance (OTA) Wireless Slide 7 9th Annual Audit Overview Over 1,000 web sites Internet Retailer Top 500 Bank 100 (previously FDIC 100) Consumer Services 100 News/Media 100 Federal Gov t 100 ISP/Carriers/Hosters 100 OTA Members Scoring Consumer Protection Security Privacy 100 baseline points for each category Weighted composite analysis Bonus points for emerging practices Penalties for vulnerabilities, data loss incident & fines/settlements Honor Roll = 80% or higher overall, no failure(s) Failure for less than 60 points in each category 2017 All rights reserved. Online Trust Alliance (OTA) Slide 8

Causes of Failures Overlooking the basics & fundamentals 36% failed in one area, 11% failed in 2-3 areas 2017 All rights reserved. Online Trust Alliance (OTA) Slide 9 Consumer Protection 2017 Base points Email authentication SPF and DKIM at top-level and subdomains ( TLD weight) DMARC record and policy DMARC reject/quarantine Increased weight for reject Invalid SPF / DMARC & naked DMARC records not counted Bonus points TLS for email DNSSEC IPv6 Multi-factor authentication Italics = new for 2017 Penalty points Domain locking (not locked) Security Consumer Protection Privacy Can the app or website be spoofed, fooling a person to open/download an update, open an attachment or simply open an email with a drive-by exploit? Does the site or app exercise best practice to help prevent brand-jacking and domain abuse? 2017 All rights reserved. Online Trust Alliance (OTA) Slide 10

Overall Adoption Trends 100% 80% 60% 40% 20% OVERALL EMAIL AUTHENTICATION ADOPTION Any SPF or DKIM Any SPF SPF at TLD Any DKIM Both SPF & DKIM DKIM at TLD DMARC TLD Record 0% 2013 2014 2015 2016 2017 DMARC TLD R/Q General uptrend, especially DKIM and DMARC Dip in SPF-related adoption this year due to invalid records, shift in sector lists 2017 All rights reserved. Online Trust Alliance (OTA) Slide 11 Fighting Phishing 90% 81% 80% 75% 78% 77% 73% 65% SPF & DKIM ADOPTION 77% 70% 53% 53% 56% 48% 51% 35% 92% 88% 83% 77% 75% 60% 55% 46% SPF (TLD) DKIM (TLD) SPF & DKIM IR 100 IR 500 BANKS FED CONSUMER NEWS ISP/HOSTS OVERALL SPF & DKIM allow recipient to verify sender Recommend implementation for inbound & outbound email All domains top-level and subdomains 2017 All rights reserved. Online Trust Alliance (OTA) Slide 12

Fighting Phishing 62% DMARC ADOPTION 50% 33% 39% 20% 29% 25% 34% 22% 13% 10% 11% 34% 11% 12% 15% DMARC RECORD DMARC R/Q IR 100 IR 500 BANKS FED CONSUMER NEWS ISP/HOSTS OVERALL DMARC ensures from matches real sender, allows sender to get reports, tell receiver how to handle messages that fail authentication Use of enforcement (reject/quarantine policy) growing, but far from adequate 2017 All rights reserved. Online Trust Alliance (OTA) Slide 13 The Trifecta Gaining Momentum SPF+DKIM AT TLD AND DMARC R/Q - 2016 VS 2017 28% 16% 3% 9% 2% 5% 5% 9% 6% 8% 3% 11% 11% 4% 9% IR 100 IR 500 FDIC CONSUMER FED NEWS ISP/HOSTS OVERALL Shows percent of organizations that support both SPF and DKIM at the TLD and have a DMARC record with a reject or quarantine policy Highlights need for increased focus across organizational silos to protect consumers, employees and brands 2017 All rights reserved. Online Trust Alliance (OTA) Slide 14

2017 Who s Doing It? Store Tools 2017 All rights reserved. Online Trust Alliance (OTA) WirelessSlide 15 Audit Findings Common Mistakes SPF (10% of records) DMARC (5% of records) References to invalid, non-existent records Naked records (p=none, no reporting) Multiple SPF records Syntax errors Syntax errors Send records to places not set up to receive Use of?all or +all Excessive lookups (8%) Bottom line check your records regularly! Utilize resources of OTA members 2017 All rights reserved. Online Trust Alliance (OTA) Slide 16

Notable Trends DMARC initially focused on consumer email, now available in many enterprise offerings, e.g. Google G Suite, Microsoft O365 Cisco/IronPort, Mimecast, Proofpoint ARC new proposed standard to connect the dots for DKIM signing (mailing lists, etc.) Sender identification ongoing developments to build on authentication 2017 All rights reserved. Online Trust Alliance (OTA) Slide 17 Justifying Internally Security When door s shut, bad guys go elsewhere Protects users, and employees (when used inbound) Insight Email governance ( shadow email ) Attackers Deliverability Helps receivers better assess real reputation Improves overall reputation (bad guys stop, spoof messages don t count) 2017 All rights reserved. Online Trust Alliance (OTA) Slide 18

What Now? Self-assessment inventory, stakeholders, etc. Get help OTA, industry resources Build a business case Implement and put processes in place 2017 All rights reserved. Online Trust Alliance (OTA) Slide 19 Tools & Resources OTA Email Security https://otalliance.org/eauth DMARC https://otalliance.org/dmarc Resources https://otalliance.org/eauth/resources TLS https://otalliance.org/tls OTA Members Agari https://www.agari.com/resources/ Dmarcian https://dmarcian.com/ Global Cyber Alliance https://dmarc.globalcyberalliance.org/ ValiMail http://www.valimail.com/ 2017 All rights reserved. Online Trust Alliance (OTA) Slide 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback