In this column, ValiMail CEO Alexander García-Tobar discusses an aspect of security crisis communications that most companies overlook: Making sure that customers can actually trust the emails that the recently breached company is trying to send them.
In light of the recent OneLogin and DocuSign security breaches, that’s particularly pertinent, he writes:
Here’s a security scenario that’s all too common: A company suffers from a cyberattack, then responds to it promptly and alerts its customers, warning them to change their passwords. But the company remains vulnerable through the very means it uses to alert those customers: Email. In fact, attackers can exploit that vulnerability using email that pretends to be a security warning from the company, targeting customers and wreaking even more damage.
ValiMail CEO Alexander García-Tobar takes a hard look at the root cause of the recent ransomware scare known as WannaCry.
The ransomware crisis that swept the world last month highlights what we’ve known for years: The global IT infrastructure is incredibly vulnerable. …
However, media coverage of the attack has largely overlooked how this malware gets onto a computer in the first place. These attacks were almost certainly initiated by phish emails, and the recommendations to prevent WannaCry from the U.S. Computer Emergency Readiness Team (US-CERT) confirm this.
The risk from phishing attacks can be greatly mitigated using proven email authentication standards that are supported by the world’s largest senders of email. But most enterprises have not yet implemented email authentication.
Imagine if health officials, after discovering that the Zika virus was spreading rapidly across the globe, only focused on human-to-human transmission of the virus, and never mentioned the mosquitos that were actually the main cause of the virus.
In the case of the malicious WannaCry hack, reports vary as to the original source — we may never know. But in the majority of infections, the “mosquitos” are the email messages — specifically, phish or spam — that appear to be a message you’d be interested in from someone you trust, but are in fact fraudulent messages sent by hackers.
From Tweney Media client ValiMail, a timely post that scored incredible engagement on LinkedIn, raising ValiMail’s profile and helping to establish CEO Alexander García-Tobar as an email security expert:
A Russian phishing attack used a fake Harvard email address in an attempt to get malware into American think tanks and nonprofits, the Harvard Crimson reports.
The attack shows how effective it can be for phishers to use the exact domain name of organizations that are unprotected by email authentication.
This attack also shows how difficult email authentication is for many organizations, Harvard included. Quotes in the Crimson story, and ValiMail’s domain checker, make it clear that Harvard was essentially defenseless against phishing attacks.
Worse: Phishing-led attacks account for a huge proportion of hacks, including the momentous intrusions into the Democratic National Committee. Hackers start their assault by sending phish emails to targets within the organization, and if they’re lucky enough to get someone who clicks on a link or opens a malicious attachment, they use that opening to get into the network itself.
From Tweney Media client ValiMail, a provider of email authentication services via a SaaS platform:
[A recent security] audit shows that most corporations, banks, and government agencies have a long way to go before they fully implement the most advanced email authentication, DMARC.
However, many organizations clearly understand the importance of authentication preventing phishing and other forms of email fraud, … It’s just that very few companies have succeeded in getting DMARC to the point where it’s actually doing anything to stop fraud.
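The distinction the audit draws, between organizations that have published a DMARC record and organizations whose record is "actually doing anything to stop fraud," comes down to the policy the record requests. A record with p=none only asks receivers for reports; spoofed mail is still delivered. Only p=quarantine or p=reject at pct=100 instructs receivers to act on mail that fails authentication. The following is an added example, not ValiMail's domain checker or any code from the posts above: it parses a DMARC TXT record (the syntax of RFC 7489) and classifies how much protection the record provides. The domain names and records in SAMPLE_RECORDS are constructed for illustration, not real lookups; against a live domain you would fetch the TXT record at _dmarc.<domain> and feed the string in.

```python
"""Classify a DMARC TXT record by whether it actually blocks spoofing.

Added example, not ValiMail's code.  SAMPLE_RECORDS is constructed for
illustration; a real check fetches the TXT record at _dmarc.<domain>.
"""
from typing import Dict, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (RFC 7489 tag-value syntax).

    Tag names are case-insensitive; values are kept as written.
    Raises ValueError on a field that has no '='.
    """
    tags: Dict[str, str] = {}
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed tag: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def classify(record: Optional[str]) -> str:
    """Return one of: missing, invalid, monitor, partial, enforced."""
    if record is None:
        return "missing"                      # no _dmarc TXT record at all
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    # RFC 7489: v= must be the first tag and must equal exactly "DMARC1";
    # p= is required.  Receivers ignore records that break these rules.
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))     # pct defaults to 100
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    if policy == "none":
        return "monitor"                      # reports only; spoofed mail still delivered
    if pct < 100:
        return "partial"                      # policy applied to only pct% of failing mail
    return "enforced"


def assess(record: Optional[str]) -> Dict[str, object]:
    """Summarise the protection a record gives, including the subdomain policy."""
    status = classify(record)
    if status in ("missing", "invalid"):
        return {"status": status}
    tags = parse_dmarc(record)                # type: ignore[arg-type]
    policy = tags["p"].lower()
    return {
        "status": status,
        "policy": policy,
        # sp= defaults to p=; an explicit sp=none leaves subdomains spoofable
        "subdomain_policy": tags.get("sp", policy).lower(),
        "pct": int(tags.get("pct", "100")),
        "aggregate_reports": "rua" in tags,
    }


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example":  "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@enforced.example",
    "broken.example":   "p=reject; v=DMARC1",   # v= is not first: receivers ignore it
    "nothing.example":  None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:18} {assess(record)}")
```

Two caveats a practitioner would add before trusting the verdict: a record at enforcement is necessary but not sufficient, because SPF and DKIM must also be set up so that legitimate mail passes with aligned identifiers, or p=reject will discard the company's own messages; and DMARC protects only the exact domain (and its subdomains, subject to sp=), so a lookalike domain registered by an attacker is outside its reach entirely.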