web analytics

Get details right to safely implement DANE in Exchange Online, warn experts – Source: www.csoonline.com

get-details-right-to-safely-implement-dane-in-exchange-online,-warn-experts-–-source:-wwwcsoonline.com
Rate this post

Source: www.csoonline.com – Author:

Experts welcome Microsoft’s announcement that Exchange Online can now handle Inbound SMTP DANE with DNSSEC to improve email security, but admins may not find it easy to implement.

Microsoft’s announcement this week that it is adding support for two new security standards in Exchange Online is seen by experts as encouraging news — as long as CISOs and email administrators get the complex implementation details right.

The announcement should encourage all email administrators and vendors of email solutions to add the capabilities to their solutions, experts told CSO Online. But, they caution, adding the two protocols – DNS-based Authentication of Named Entities (DANE) for SMTP and Domain Name System Extensions (DNSSEC) isn’t easy, even if they are Exchange Online customers.

DANE provides a safe way to detect if a remote mail server supports TLS (Transport Layer Security), and which certificates it uses to encrypt and authenticate the connection. Microsoft further explained in its announcement that “SMTP DANE with DNSSEC provides a secure connection between sending and receiving mail servers that is resistant to both TLS-downgrade attacks and adversary-in-the-middle attacks (a form of eavesdropping where the communication is monitored or modified by a bad actor).”

The Microsoft announcement “is helpful,” commented David Shipley, who heads the security awareness training provider Beauceron Security and is former director of strategic IT initiatives at the University of New Brunswick, “but only so much as people have good records and implement good records. I’m sure big brands like Microsoft will be resourced to do this, but doubtful all enterprises or even a fraction of small and mid-size firms will do it.”

Many sites haven’t yet implemented other existing email security protocols, he pointed out. For example, only 59% of the top 1 million domains have an older protocol, SPF (sender policy framework), validly configured, he said, citing an article in DMARC Checker. And of the Top 1,000, only 77% have the basic SPF correct.

DANE won’t stop phishing, Shipley added, although “it may help further put a dent on spoofing.”

Exchange Online customers may not have to do much, Johannes Ullrich, dean of research at the SANS Institute, pointed out, because Microsoft is taking care of it on its platform. However email administrators using their own domains will have to face configuring these protocols if they want added email protection.

And a mistake in implementing DNSSEC can easily lead to a self-inflicted denial of service attack, Ullrich added. It’s a risk he feels many CISOs are not willing to take.

On the other hand, Jess Burn, a principal analyst at Forrester Research, said the Microsoft announcement is “great news for enterprises of all sizes as well as consumers with personal email addresses.”

“Any additional protection email infrastructure and security firms can provide to ensure users know who they are communicating with will help. More and more successful BEC [business email compromise] attempts originate with attackers jumping into email threads via unencrypted connections. The use of SMTP DANE and DNSSEC, if configured properly and widely adopted, will reduce man-in-the-middle attacks.”

The best combination to protect end users from falling for phishing and BEC attempts is implementing SMTP DANE and DNSSEC to secure the confidentiality of messages, he said, as well as using email authentication protocols like DMARC, DKIM, and SPF to validate the sender and reduce the number of emails from spoofed domains from hitting inboxes.

“Achieving this combination, however, requires effort, maintenance, and often multiple stakeholders and functions to implement,” he cautioned.

How much work will Exchange Online admins have to do to add Inbound SMTP DANE? Quite a lot, and the advice Microsoft offers in a paper explaining how SMTP DANE works should be followed closely. Admins should note that to get the benefit of SMTP DANE, Microsoft says DNSSEC has to be enabled for the domain.

Before starting, the admin must have added the organization’s domain set as an ‘Accepted Domain’ and the domain status must be ‘Healthy’ in the Microsoft 365 Admin Center. The domain’s MX record has to be set and there should be no fallback or secondary MX record. If there is a secondary record, changes have to be carried out correctly.

Microsoft warns that if an organization’s business partners use connectors to your Outlook endpoint, those connections will have to be updated to a new endpoint before you configure Inbound SMTP DANE with NDSSEC.

Microsoft also warns that DNS record provisioning and updates can take some time to complete and become visible due to multiple layers of caching.

Again, refer to the exhaustive paper before starting.

SUBSCRIBE TO OUR NEWSLETTER

From our editors straight to your inbox

Get started by entering your email address below.

Original Post url: https://www.csoonline.com/article/3596509/get-details-right-to-safely-implement-dane-in-exchange-online-warn-experts.html

Category & Tags: Email Security – Email Security

Views: 1

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos