ACSC publishes advice on fighting fake emails
The Australian Cyber Security Centre (ACSC) has published new guidance covering how to combat social engineering attacks on organisations using fake emails.
The advisory covers guidance on how to mitigate the risk of email spoofing, as well as advice for security practitioners and IT managers on how to configure systems to prevent their domains being used as the source of fake emails.
To reduce the likelihood of their domains being used to support fake emails, ACSC has recommended that organisations implement Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their DNS configuration.
This should be combined with DomainKeys Identified Mail (DKIM) to sign legitimate emails, the ACSC said.
Implementing SPF requires identifying authorised outgoing mail servers, including primary and backup servers, and keeping records of these servers as text records within DNS configurations.
Organisations should also explicitly state if a domain does not send emails, and apply proactive protection to non-existent subdomains.
Once SPF records are deployed, the success of a deployment should be monitored to confirm that email delivery is continuing normally. SPF records should be updated regularly, so they should be incorporated into change management processes, the ACSC said.
Meanwhile, the ACSC is recommending that at least the body of all emails and a wide range of headers including to, cc, date, from, subject, sender and reply-to fields be signed using DKIM.
Organisations must also be aware of the point in the sending process at which DKIM signing is applied. Processes which modify messages in transit, such as by adding a disclaimer or signature, could invalidate DKIM signatures if signing is applied too early.
Accordingly, ACSC said the best way to reduce the chance of unintended changes is to sign emails at the last stage before they leave the infrastructure under an organisation’s control.
DKIM implementations require the generation of public and private keys. Public keys should be published within DNS records, while private keys should be protected in accordance with an organisation’s key management plan.
Finally, DMARC is implemented by publishing a policy as a text record in DNS. The basic implementation involves a simple monitoring policy for a domain which requests that DMARC-capable mail servers send statistics about emails they see using the domain.
Once organisations believe that all or most of their email traffic is protected by SPF or DKIM, they can implement a quarantine policy requiring DMARC-enabled servers to flag emails from the domain that fail verification as spam.
After this quarantine policy is thoroughly tested, it can be replaced with a rejection policy that instructs DMARC-enabled servers to reject all emails from the domain that fail SPF and DKIM verification.
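As an added illustration (not part of the ACSC advisory or this article), the following Python checks a domain's SPF and DMARC TXT records against the recommendations above: a bare `v=spf1 -all` for non-sending domains, a `-all` or `~all` terminator on sending domains, and the monitoring, quarantine, reject progression for DMARC. The record values are constructed samples, and `parse_spf`, `parse_dmarc` and `assess` are hypothetical helper names rather than any published tool.

```python
# Constructed sample TXT records (placeholder domains; 203.0.113.0/24 is a documentation range).
SAMPLE_TXT = {
    "example.com": "v=spf1 mx ip4:203.0.113.10 -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "parked.example.com": "v=spf1 -all",
    "_dmarc.parked.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}

def parse_spf(txt):
    """Split a v=spf1 record into [(qualifier, mechanism)] and the qualifier on 'all'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # SPF default qualifier is pass
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, body))
    return mechanisms, all_qualifier

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=...; rua=...' into a dict of lower-cased tags, or None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess(spf_txt, dmarc_txt, sends_mail=True):
    """List deviations from the advisory's recommendations; an empty list means OK."""
    findings, spf, dmarc = [], parse_spf(spf_txt or ""), parse_dmarc(dmarc_txt or "")
    if spf is None:
        findings.append("no SPF record")
    elif not sends_mail and (spf[0] or spf[1] != "-"):
        findings.append("non-sending domain should publish exactly 'v=spf1 -all'")
    elif spf[1] not in ("-", "~"):
        findings.append("SPF does not end in -all or ~all, so spoofed mail is not rejected")
    if dmarc is None:
        findings.append("no DMARC record")
        return findings
    # Rollout order from the advisory: monitoring (none) -> quarantine -> reject; 0 = missing/invalid p=
    stage = {"none": 1, "quarantine": 2, "reject": 3}.get(dmarc.get("p", "").lower(), 0)
    if stage < 3:
        findings.append(f"DMARC at stage {stage}/3 (p={dmarc.get('p', 'missing')}); move to reject once tested")
    if "rua" not in dmarc:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings
```

Feed it the TXT values returned by a DNS lookup for `<domain>` and `_dmarc.<domain>`; the findings list is what a change-management review would act on.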
Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.