Posted 3 years ago on July 4, 2013, 7:56 p.m. EST by carlahari07
This content is user submitted and not an official statement
Foiling Phishing With Authentication : http://abneyassociatesclausen.wordpress.com/
In its new report on using e-mail authentication to fight phishing attacks, BITS offers a list of best practices and recommendations, including expanded use of the DMARC security protocol. BITS, the technology policy division of The Financial Services Roundtable, believes that the Domain-based Message Authentication, Reporting and Conformance protocol plays a key role in mitigating phishing schemes.
DMARC standardizes how e-mail receivers perform e-mail authentication by providing a uniform reporting mechanism that's built on reputation. "DMARC is pretty helpful in a couple of different areas," says Andrew Kennedy, senior program manager for BITS' security initiatives, in an interview with Information Security Media Group [transcript below]. Kennedy sees DMARC as an overlay of the Sender Policy Framework [SPF] and DomainKeys Identified Mail [DKIM] protocols, which aid in e-mail authentication. "If there was an authentication failure for one of those protocols, it leaves you in the lurch if you don't have a policy in place to deal with that, and DMARC helps close the gap there," he says.
Also in the interview, John Carlson, executive vice president of security programs at BITS, stresses that an essential component when fighting phishing is for banking institutions and their business partners and customers to follow similar authentication strategies. "It requires extensive collaboration from many different groups within the company and outside in order to implement these controls," he says. During this interview, Carlson and Kennedy discuss: All of the e-mail protocols that address phishing attacks and how the protocols work in tandem; Why spoofed websites are increasingly concerning; and Steps banking institutions are taking to get business-partner buy-in for the DMARC initiative. At BITS, Carlson works with members to strengthen the security and resiliency of financial services through best practices and strategies for secure IT systems infrastructures, products and services. He also collaborates with the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security, or FS-SCC, and co-chairs its Threat and Vulnerability Assessment Committee. He re-joined BITS in December 2011 after serving as a managing director at Morgan Stanley. Kennedy, now the program lead for BITS' security initiatives, previously served as project manager for the BITS Vendor Management Program. He interned at BITS in 2006 and worked as an IT professional and security consultant in the biotech and software industry in California.
E-Mail Authentication Guidelines TRACY KITTEN: Before we get into some of the details, could you talk a little bit about what prompted BITS to update the guidelines that it first issued about e-mail authentication back in 2009?