Friday, December 23, 2022

Email Security (SPF, DKIM, DMARC)

Electronic mail (email) has been around for a very long time; according to some trusted sources, since 1971. Not only is email used in our personal lives, but businesses also use it to conduct daily activities. Emails may contain a plethora of sensitive information, from financial records and secret formulas to health records. You name it: if the data exists, there is a possibility of it flowing through email. Five decades ago the existence of spam, phishing, whaling, or any of the myriad of cybersecurity attacks was not even conceived of, and security protocols for email were not considered. It's been a long time since then, and now it seems that cybersecurity is at the forefront of everyone's mind.


There have been several iterations of security mechanisms that aid in securing email. Here we provide an overview of the major security protocols:

SPF stands for Sender Policy Framework. SPF uses DNS records to verify that an email was sent from an authorized IP address. Email administrators publish these DNS records, which receiving parties use to discern whether emails are coming from trusted and/or allowed IP addresses. If an email does not pass this test, it is flagged as not having passed SPF. It is up to the receiving party how to deal with these emails.

DKIM, or DomainKeys Identified Mail, uses a digital signature to verify that an email wasn't modified before arriving at the recipient's mailbox. DKIM also uses DNS records to publish the sender's public key, which the receiving party needs in order to check the signed hash. In short, the sender hashes the email contents and provides that hash, protected by the signature; the receiving party then computes the same hash over the received email. If the hashes match, we can verify that the message has not changed, and the email passes DKIM. If the hashes differ, the email fails DKIM. It is up to the receiving party how to deal with these emails.
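The hash comparison described above, as an added example that is not part of the original post: it implements the "simple" body canonicalization from RFC 6376 and checks a message body against the bh= tag of a constructed DKIM-Signature header for a hypothetical domain. Only the body-integrity step is shown; verifying the b= signature with the DNS-published public key is left out.

```python
import base64
import hashlib


def canonicalize_body_simple(body: str) -> str:
    """RFC 6376 'simple' body canonicalization: normalize line endings to
    CRLF, drop every trailing empty line, and end with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n"


def body_hash(body: str) -> str:
    """Compute the DKIM bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value ('tag=value; tag=value') into a dict."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def verify_body_hash(header_value: str, body: str) -> bool:
    """Recompute the body hash and compare it with the bh= the sender signed.
    A mismatch means the body was altered in transit (or the hash is wrong);
    the b= signature over the headers is a separate check not done here."""
    tags = parse_dkim_tags(header_value)
    return tags.get("bh") == body_hash(body)


# Constructed sample: the signer computed bh= over this body (hypothetical
# domain example.com, selector sel1; the b= signature is a placeholder).
ORIGINAL_BODY = "Please approve invoice #4471 by Friday.\n"
DKIM_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1; "
    "h=from:to:subject; bh=" + body_hash(ORIGINAL_BODY) + "; b=<signature-omitted>"
)
```

Trailing blank lines do not change the hash (that is what canonicalization is for), but any change to the text does.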

Up until now we are just checking whether SPF or DKIM passes, but we are not telling anyone what to do with non-compliant emails (emails that don't pass DKIM or SPF checks). This is where DMARC, or Domain-based Message Authentication, Reporting, and Conformance, steps in. You guessed it: DMARC also uses DNS records. These DNS records instruct the receiving party on how to handle emails that fail the checks. The three basic options that you can request from the receiving end are:

  • Do nothing
  • Quarantine the emails
  • Reject the emails

The end goal should be to ask for emails to be rejected, though there are use cases where the other two options are used.
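The SPF evaluation and the DMARC policy lookup described above, combined into one added example that is not part of the original post. The DNS records are constructed in a dict for hypothetical domains (example.com, mail.example.net); a real receiver would query DNS for the same names. Only the ip4, ip6, include and all mechanisms are handled, and DMARC identifier alignment is assumed to hold.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (stand-in for DNS).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against the domain's SPF record (ip4/ip6/include/all only)."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms; stop runaway include chains
        return "permerror"
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF published: nothing to authorize against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An IPv6 sender never matches an ip4 network (and vice versa).
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without any match


def dmarc_policy(domain: str):
    """Read the p= tag from _dmarc.<domain>; None when no DMARC record exists."""
    record = DNS_TXT.get("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags.get("p", "none")


def dmarc_disposition(from_domain: str, spf_result: str, dkim_result: str) -> str:
    """Apply the domain owner's requested policy when neither check passed."""
    if spf_result == "pass" or dkim_result == "pass":
        return "deliver"
    policy = dmarc_policy(from_domain)  # None or "none" both mean "do nothing"
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
```

The "none" result for a domain with no SPF record and the "deliver" fallback for a missing DMARC record are exactly why publishing all three records matters: without them the receiver has nothing to enforce.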

These protocols help protect against business email compromise by helping prevent spam, phishing, and other cyber security threats that target email. Large email providers such as Google and Microsoft have already adopted these protocols. There is no reason why you shouldn't implement these tools if you are running email services. While there are many SPF/DKIM/DMARC online tools, I would start with your email provider; it may be that they can do the heavy lifting.

Email is a critical communication tool; it's used daily. Implementing these security mechanisms isn't difficult, and it helps prevent cyber security threats. I encourage all of you to implement these protocols in order to improve the security of your email communications.


Sunday, September 4, 2022

Road to OSCP Part1

I've been busy as always, busy enough not to post anything in the last two-plus years. I'll give you the TL;DR: I have obtained some certifications along the way:

  • CISSP 
  • CASP+
  • Security+
  • AWS Solutions Architect Associates
  • CCENT

That's not why I am here, though. I wanted to let you all know that I have found another avenue of mind absorption, which is ethical hacking / pentesting. I will be getting the OSCP certification; I don't know when yet, but I would say within a year. After getting my CISSP I really wanted the Certified Ethical Hacker (CEH) title; while I still do, and more than likely I will come back to get it, I feel that my time is better spent on something that is hands-on and fun.

I was going to say that I've used Kali Linux since it was BackTrack, but that would be an overstatement. For pentesting use cases, it definitely is. I am going to consider myself a newbie when it comes to this: I have concepts, knowledge, training, and ideas that will help me in this journey, but never have I jumped into this topic as I have others.

There are other resources that I will take advantage of during this marathon:
  • Certifications: 
    • PNPT (Practical Networking Penetration Tester)
    • eJPT
    • CEH Practical
  • Services
    • VulnHub
    • HackTheBox
    • Proving Grounds
    • TryHackMe
  • Training
    • Youtube
    • TCM-Security
    • eJPT
    • Udemy

Where am I starting?

I have chosen to start with the PNPT using the accompanying training courses; more information can be found here: https://certifications.tcm-sec.com/pnpt/. Heath Adams, CEO, and his team over at TCM Security have a great program that has gained momentum over the last couple of years. I have not decided yet, but before the end of the year I will be PNPT certified.

What else?

I am going to try not to lie to myself; they say the best way to learn is to teach. I am going to try to create writeups for machines that I successfully pentest. There are a ton of walkthroughs for machines out there. What I have found is that videos are either edited or their content is curated carefully to only show successes. I don't want to do that. I want to submit my failures; I want to show where I failed, where I didn't understand, where I asked for help. More of a realistic approach.

2025 Certification Goals

Certified Information Systems Auditor (CISA): https://www.isaca.org/credentialing/cisa
Practical Web Pentest Associate (PWPA, pka: PJPT): http...