<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[badrap.io - Medium]]></title>
        <description><![CDATA[Cyber security should be easy. Learn best practices in cyber security, accomplish critical tasks and establish security controls with badrap.io playbooks. Get instructions, automation, smart recommendations and reminders. - Medium]]></description>
        <link>https://medium.com/badrapio?source=rss----36a9e70bb3b---4</link>
        <image>
            <url>https://cdn-images-1.medium.com/proxy/1*TGH72Nnw24QL3iV9IOm4VA.png</url>
            <title>badrap.io - Medium</title>
            <link>https://medium.com/badrapio?source=rss----36a9e70bb3b---4</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Wed, 03 Jun 2026 03:34:45 GMT</lastBuildDate>
        <atom:link href="https://medium.com/feed/badrapio" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Who’s sending email as you?]]></title>
            <link>https://medium.com/badrapio/who-is-sending-email-as-you-f5a7fecbc06f?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/f5a7fecbc06f</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[email-security]]></category>
            <category><![CDATA[domains]]></category>
            <category><![CDATA[dns]]></category>
            <category><![CDATA[email-deliverability]]></category>
            <dc:creator><![CDATA[Ville Alatalo]]></dc:creator>
            <pubDate>Mon, 07 Apr 2025 14:38:30 GMT</pubDate>
            <atom:updated>2025-04-11T19:15:18.855Z</atom:updated>
            <content:encoded><![CDATA[<h3>Practical steps for stopping spoofing and getting your real emails delivered</h3><p>You might think that when you own a domain name, you have full control over who can send email from it. Unfortunately, that’s not entirely true.</p><p>Anyone can fake emails that appear to come from your domain, unless you’ve set up the right protections. That includes spammers and scammers pretending to be you, your company or one of your colleagues.</p><figure><img alt="Who’s sending email as you?" src="https://cdn-images-1.medium.com/max/1024/1*PBBKn0rza4FCyYrzi-DNXQ.png" /></figure><p>There’s a fix for this. It’s nothing new; it has been around for a decade or so, but it’s still surprisingly underused. And even when people <em>do</em> set it up, many times it’s misconfigured in a way that makes it ineffective or even completely useless.</p><p>The fix has three parts: <strong>SPF, DKIM </strong>and<strong> DMARC</strong>. Sound technical? They are, but the core idea is simple. They help others verify that your messages are real and that fake messages get flagged or blocked.</p><p>To make handling the complexity easier, <a href="https://remod.fi/"><strong>Remod</strong></a> created the <a href="https://badrap.io/playbooks/spoofproof-your-emails"><strong>Spoofproof Your Emails</strong></a> playbook and published it on <a href="https://badrap.io/"><strong>Badrap</strong></a>. You can read through it as a guided checklist when you want to spoofproof your domain, with clear explanations for each step. And if you’re a Badrap customer, you can automate most of it with the included tools.</p><p>Let’s take a look at how it works and why it matters.</p><h3>The basic concept</h3><p>When someone receives email from your domain, their email service needs to decide: <strong>is this message legit?</strong></p><p>By setting up SPF, DKIM and DMARC, you help them decide.</p><figure><img alt="SPF, DKIM and DMARC short descriptions." src="https://cdn-images-1.medium.com/max/1024/1*Q-ne8cD-1_EGBpRXwhsgpQ.png" /></figure><p><strong>SPF </strong>tells receiving mail servers who is allowed to send mail as you.</p><p><strong>DKIM </strong>adds a digital signature to prove the message came from you and that it wasn’t changed on the way.</p><p><strong>DMARC </strong>ties both SPF and DKIM together and lets you publish a policy that tells mail servers what to do if neither check passes.</p><p>With DMARC you can also enable reporting. This means you’ll start receiving machine-readable reports from other email services showing who is sending mail on behalf of your domain and whether those messages passed SPF and DKIM checks.</p><p>This configuration lives in your DNS, the same place where you manage your domain records.</p><h3>But don’t Microsoft and Google handle this already?</h3><p>If you’re using Google Workspace, Microsoft 365 or similar, they support SPF, DKIM and DMARC, but they can’t configure them for your domain. You have to add the DNS records yourself.</p><p>Think of it like a mailbox. The provider delivers the mail, but you’re still the one who locks the mailbox. The post office won’t do it for you.</p><h3>Why is it worth doing?</h3><p>This isn’t just about stopping spoofers.</p><p>Getting these protections in place also helps your<strong> real email</strong> reach the receiver’s inbox. Many email providers check your SPF, DKIM and DMARC settings to decide if they can trust the emails you send. If your domain isn’t configured properly, your messages might just disappear or land in spam without you ever knowing.</p><figure><img alt="These protections help your real email reach the receiver." src="https://cdn-images-1.medium.com/max/1024/1*Olxecoiq9KxNy3euaaW5Fw.png" /></figure><p>Even though these standards are well established, they’re still often missing or misconfigured, especially in companies without a dedicated IT team. With the playbook, you don’t have to become an expert. 
Follow the steps, review the results and you’re done. And if you need help, Badrap and Remod teams are there to assist.</p><p>Also worth noting: <a href="https://toad.social/@grumpybozo/114213600922816869">spammers have already figured this out</a>. They’re using SPF, DKIM and DMARC to make their fake messages look more trustworthy because it helps them bypass filters. Meanwhile, legitimate domains are missing basic protections. It’s not just ironic, it’s a real problem. If bad actors are doing it and you’re not, you’re the one who ends up looking suspicious.</p><h3>Now, here’s the easy part</h3><p>Email spoofing is an old problem with a known fix. By setting up SPF, DKIM and DMARC you can protect your name and improve mail deliverability.</p><p>If you’re already using Badrap, <a href="https://badrap.io/playbooks/spoofproof-your-emails">the playbook is ready when you are</a>.</p><p>If not, now’s the <a href="https://badrap.io/">perfect time to start</a>!</p><p>The nice thing about using the Badrap playbook is that it keeps watch after setup. If something breaks or changes, you’ll get an alert. 
It acts like a security monitor for your domain, alerting you to changes or issues before they cause real damage.</p><figure><img alt="Spoofproof Your Emails playbook screenshot from https://badrap.io/" src="https://cdn-images-1.medium.com/max/1024/1*R5B4ni3QhD22wLaa5Wa2fw.png" /><figcaption>Spoofproof Your Emails playbook is available at <a href="https://badrap.io/playbooks/spoofproof-your-emails">https://badrap.io/playbooks/spoofproof-your-emails</a></figcaption></figure><p><a href="https://badrap.io/">Cyber Security Made Easy</a></p><p><em>The three acronyms stand for:</em></p><p><em>SPF = Sender Policy Framework<br>DKIM = DomainKeys Identified Mail<br>DMARC = Domain-based Message Authentication, Reporting and Conformance</em></p><p><em>Edit 2025-04-11:</em> Added remark about DMARC and reporting.</p><hr><p><a href="https://medium.com/badrapio/who-is-sending-email-as-you-f5a7fecbc06f">Who’s sending email as you?</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Lessons Learned from Supply Chain Caretaking]]></title>
            <link>https://medium.com/badrapio/lessons-learned-from-supply-chain-caretaking-8cba837b46cb?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/8cba837b46cb</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[supply-chain-caretaking]]></category>
            <category><![CDATA[supply-chain-security]]></category>
            <category><![CDATA[vulnerability-reporting]]></category>
            <dc:creator><![CDATA[Laura Virsiheimo]]></dc:creator>
            <pubDate>Wed, 22 Jun 2022 08:44:29 GMT</pubDate>
            <atom:updated>2022-07-19T10:48:42.643Z</atom:updated>
            <content:encoded><![CDATA[<p><strong>Why do companies care for their supply chains?</strong></p><p>Supply chain security can be complex to manage. Even a small business can easily have dozens of vendors they depend on. Software applications, cloud services, system integrators and software-as-a-service providers tend to pile up as your business grows and evolves. No matter how hard you work to keep your own cyber security best practices, policies, and processes in great shape, vulnerabilities or bad security practices at a single vendor can jeopardize your whole business.</p><p>Your supply chain might be used to gain entry into your organization. A scam attempt may impersonate your vendor. A phishing attacker might ask for your credentials or passwords in the guise of a vendor’s IT person. Ransomware or other malware operators often use an unprotected vendor as a stepping stone into multiple customer organizations at the same time.</p><p>Taking regular care of your supply chain is paramount. You gain an understanding of the dependencies and risks associated with working with different vendors. You form an image of the maturity level and security posture of your vendors. You see how they deal with vulnerabilities reported to them and how they communicate during the vulnerability coordination process.</p><p><strong>How can you take care of your supply chain?</strong></p><p>In a Supply Chain Caretaking exercise, you first map out all of your important vendors with our assistance. You identify what key services each vendor provides, and how and why those services are used within your company. Vendors can be e.g. software manufacturers, system integrators, ISPs, SaaS providers, or cloud service providers.</p><p>Some of the identified services can also be your own internal servers, services or software applications developed in-house — in the context of Supply Chain Caretaking we can view those as “vendors” when appropriate.</p><p>Based on the information gathered together with you, we investigate each vendor in detail. The investigation is conducted using a set of open-source intelligence gathering methods and analysis made by our team of cyber security experts.</p><p>As security issues are identified during the analysis, we gather the findings into a set of vulnerability reports for the vendors. We report the issues to the affected vendors in collaboration with our customers, handling the heavy lifting of vulnerability coordination work on your behalf.</p><p>To understand your vendors, we consider basic vulnerability reporting practices. Does the communication work? Does the vendor communicate about the potential issue to avoid misunderstandings? And of course, will the issue get fixed? In this process, we help the vendor any way we can — after all, the most important thing is to get the issues fixed.</p><p><strong>What have our customers learned about their vendors?</strong></p><p>We took a bird’s-eye view of 77 reports we’ve sent to 60 vendors. What common trends have emerged across all of the customers and vendors we’ve worked with?</p><p>What have we observed about the quality and speed of vendor responses and how easy it has been to communicate with them? One third of the vendors have an A-class response, meaning that they react to reporting fast, and fix the issues as they should. The remaining two thirds react slowly, even if they want to fix the problem — or in the worst case, don’t respond at all.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZMqZbOtl6B_Y4r9DDue6sQ.png" /></figure><ul><li>Class A: <strong>Relentless hunter</strong> — Sometimes the starting point is obscure. “This should not be possible.” Relentless hunters are not daunted by the difficulties; they hunt down the issue until the root cause is found and it can be fixed. Respect.</li><li>Class A: <strong>Pro</strong> — They acknowledge the report immediately, say what they are going to do, and do what they said. They talk about the issue with the reporter to avoid miscommunication. Sometimes they learn new things in the process, and allow the reporter to learn too. Such beauty.</li><li>Class A: <strong>Do it at scale</strong> — “I’ve read your report, and checked all similar places. I found 8 different places with the same issue. All of them are fixed now, thanks.”</li><li>Class B: <strong>Slowish vendor</strong> — “We’ve investigated the issue and are waiting for our own vendor to fix this.”</li><li>Class B: <strong>Focus on the present day</strong> — “This service was built in 2008, it cannot be patched anymore, we are investigating how to migrate it to a new service.”</li><li>Class C: <strong>There is no problem</strong> — In these cases, we get a nonsensical explanation why the problem does not exist. For example, when we find an open database, the vendor explains that it is not a problem, as the service is not used anymore.</li><li>Class C: <strong>Our IT infra is totally broken</strong> — When your vulnerability report bounces because the vendor’s domain is not available.</li><li>Class C: <strong>Silent treatment</strong> — This is the most problematic category. Does the vendor not respond because they don’t want to, don’t know what to say, or because the message hasn’t reached the right people? How can we activate them in a positive way?</li></ul><p><strong>What kinds of vulnerabilities have been found?</strong></p><p>17% of the 343 vendors we’ve dealt with have had issues that should be fixed. Typical issues have been old unsupported operating systems running on abandoned servers, exposed databases, known vulnerabilities in Internet-facing services, subdomain takeover vulnerabilities, or vulnerable applications.</p><p>A common category of vulnerabilities we have encountered is old server installations that no longer receive security updates. A vendor has installed e.g. a server with a particular Linux distribution, and hasn’t noticed that the distribution has reached end-of-life (EOL) status. The server is no longer receiving security updates. Gradually more and more known vulnerabilities pile up, making it easy for an attacker to exploit those known vulnerabilities and to take over the server and any important business or customer data it contains. Sometimes the vendor knows that the OS version has reached end-of-life, but they do not have a clear plan or process on how to systematically upgrade their servers to a new release.</p><p>Another very common category of vendor issues comes from known vulnerabilities in software. Keeping track of new security vulnerabilities against all of the layers of a complex system can be quite a daunting task for a software integrator. Keeping all of the customer servers updated to the latest releases of important software is even more time-consuming. Reacting fast to emerging threats and updating all of the potentially affected servers whenever a new vulnerability is announced takes resources, skills and highly optimized system management processes.</p><p>Services left open to the Internet, either by accident or through lazy service architecture design, are also a very common finding among the vendors we’ve reviewed. 
No matter how well your servers are updated and new security vulnerabilities managed, if your customer database is open to the Internet without authentication, that can be an extremely damaging oversight with liabilities ranging from brand impact to personal data breach ramifications. Often we find open services such as databases, remote desktops or file sharing ports that have been left open due to some administrative process oversight: a maintenance routine or a software update requires remote access, or system configurations are accidentally overwritten and replaced with default access configurations when an update is installed.</p><p>Subdomain takeover vulnerabilities are also very common among our findings. A vendor has set up a server in the cloud, and the customer DNS has a CNAME record pointing to that server. The server may have been set up and used for a specific purpose, but that need has already ended. The vendor decommissions the server, but the DNS record is left pointing to a cloud resource. An attacker may set up their own server at the same address, and use that to deceive users that still try to access the decommissioned service.</p><p><strong>Case: Kotkan Energia — Dealing with vendors provided insights</strong></p><blockquote>“Executing the supply chain caretaking playbook with Badrap proved highly useful for us”, confirms an ICT Manager from Kotkan Energia. “We were able to map out our suppliers and to understand our digital dependencies even better than before. We received valuable insights on how our vendors deal with security issues. Better yet, our suppliers now know we are assessing their security response capabilities as a standard practice. This is what others should do, too.”</blockquote><p><strong>Choose the right angle to cyber</strong></p><p>Badrap’s goal is to make cyber security as easy as possible for everyone. That’s why we created Playbooks — they make completing your cyber security tasks guided, systematic, and easy. 
You’ll just have to pick a task and follow the guided steps!</p><p>Playbooks cover different cyber security related themes, and the execution varies: there are playbooks for training, monitoring and policies. In this post, you hopefully got a comprehensive view of our Supply Chain Caretaking Playbook: how it works and what results and knowledge we have gained on the way.</p><p>What if Supply Chain Caretaking is not relevant to your organization right now? We have plenty of other playbooks to start with: check out all of our playbooks at <a href="https://badrap.io/?utm_source=medium&amp;utm_medium=blog&amp;utm_campaign=supply-chain-caretaking-blog">badrap.io</a>!</p><hr><p><a href="https://medium.com/badrapio/lessons-learned-from-supply-chain-caretaking-8cba837b46cb">Lessons Learned from Supply Chain Caretaking</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[D’ohs and Dons of Cyber Security Training (2/2) — the Seven Dons]]></title>
            <link>https://medium.com/badrapio/dohs-and-dons-of-cyber-security-training-2-2-the-seven-dons-16ddd611ab5e?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/16ddd611ab5e</guid>
            <dc:creator><![CDATA[janikenttala]]></dc:creator>
            <pubDate>Mon, 13 Jul 2020 13:09:19 GMT</pubDate>
            <atom:updated>2020-07-28T08:15:18.412Z</atom:updated>
            <content:encoded><![CDATA[<h3><strong>D’ohs and Dons of Cyber Security Training (2/2) — the Seven Dons</strong></h3><p>I felt we may have been driving ordinary people and employees away from security, and <a href="https://medium.com/badrapio/dohs-and-dons-of-cyber-security-training-1-2-c51d1d488e62">I listed my D’ohs</a> of Cyber Security Training in the previous blog. How could we be more like Dons, take pride in educating people, and believe in the students? Here are my seven Dons of Cyber Security Training to get started. These “Dons” are my ideal teachers, and the talents (<em>don</em>, from French) to look for in them.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*LwQtheYHloo58Ud0FINDBw.png" /></figure><p><em>“Our students are, we believe, crème de la crème. The trouble is that they have been let down by the ‘system’ before they came to us.” — </em>It’s a Don’s Life by Mary Beard</p><h3>Don #1 — Administer in small doses</h3><p>What if the course felt like taking a short, positive break from work?</p><p>Online security courses prevent employees from achieving their daily goals. Even if they would like to learn, the stress from not finishing work can take over and ruin an otherwise good experience. If you administer content in small doses, the stress of “not completing work” is thrown out of the window. Now your message has a much better chance of getting through.</p><h3>Don #2 — Be casual on every level</h3><p>We want to get rid of the impression that cyber security is somebody else’s problem.</p><p>You may have heard the “I’m not a target” argument. It makes more sense if you check out the infosec news. Faceless corporations falling victim, spies taking over government networks and foreign hackers just waiting to press enter to stop whole countries. Yes, these are important too, but not relatable to the problems that ordinary people have.</p><p>People need to hear about mundane every-day trouble caused by ordinary criminals and scammers. On that front, Finnish broadcasting company YLE did a great job with their “<a href="https://areena.yle.fi/1-4477136">Digitally scammed</a>” TV series. (Unfortunately, it is encrypted with Finnish.) Drop me a note if you know similar English content.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*JJypo7XAjVvV216t" /><figcaption>“Melissa” and “Sami” explain how their identity got stolen and they were drowned in bills, in a series called “Digitally scammed”.</figcaption></figure><p>Then there is the “Team Whack” docuseries, which demystifies how hackers operate. Forget those state-sponsored military-grade hackers for a moment and check out Benjamin, who climbs a bit too high to find some computers in the trash.</p><blockquote>“Forget those state-sponsored military-grade hackers for a moment.”</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*g0ahHDHnPW-mt6r8" /><figcaption>Hacker de-mystification by Team Whack. “None of us knows CPR”, said Laura, when Benjamin climbed too high to dig ditched laptops from the trash.</figcaption></figure><h3>Don #3 — Be FuRious (Fun but Serious)</h3><p>The topics are serious enough, let’s not make it worse.</p><p>As the topics are serious and even scary, let’s not make them worse by amplifying the scary parts ourselves. Also, let’s not be too clinical about the topics. Emotions are needed to keep the material engaging, but there are other emotions to invoke besides fear.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/883/0*LKHI8ueE6fOrXA3i" /><figcaption>Derek Muller is FuRious about global warming.</figcaption></figure><p>Here is a perfect example of the FuRious approach, by Derek Muller, a.k.a. Veritasium on YouTube. Climate change is a topic that can get boring fast when you get to the important details. He explains a lot in seven minutes. To make it more entertaining, he included a “Youtuber” version of himself to bring up the typical counter-arguments.</p><p>Here is my FuRious example. I once flipped a full 180° on ice while I was recording an intro for our security course participants. I decided to keep that part in. It became a nice ice-breaker for the following online session we had later on.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/720/0*jnjZkFEQKHB0o9t4" /></figure><h3>Don #4 — Get personal</h3><p>Want more than two minutes of people’s attention? You need to be useful.</p><p>So it turns out that besides online security and privacy, people also have other things to worry about. How long do you think they <strong>want</strong> to pay attention to your topic? I’d give it a few minutes at most if you are just pushing your own agenda to them. Let’s draw some inspiration from a methodology called solution sales.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/800/0*f11i34h3fVLvJLSY" /><figcaption>Like Alec Baldwin said in the movie “Glengarry Glen Ross”: “Always Be Interested” (in your target audience).</figcaption></figure><p>Solution sales is a common methodology in business-to-business sales. In solution sales, you don’t just fire a broadside of your product’s features at your potential customer. You figure out what their pain points are and how your product can solve them.</p><p>Talk to some of your audience, preferably those you never thought you’d talk to about security. What do they think about security? What kind of reasoning do they have for doing or not doing something related to security? Is that reasoning solid?</p><p>Our “cyber attacks are like germs” topic came up after talking to a bunch of people. Some of them said they are not a target of cyber criminals. In reality, your average online criminal just sprays their attacks as widely as possible.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*HTsOemHGSC-hU2Vh" /><figcaption>This message was inspired by feedback.</figcaption></figure><h3>Don #5 — Keep up with the dialog</h3><p>You got some great feedback in advance from the previous step, great! Don’t stop there. If you can embed dialog in the training, all the better. You’ll learn all the time, and your students will be much more interested in the content.</p><p>If you are in a situation where you can only do a one-directional webinar, proceed with caution. Too many might just multitask their time through the webinar and forget most of what was said. Remember “administer in small doses”. Do coffee-break sized sessions: long enough to handle one, and only one, topic, but short enough that nobody has time to distract themselves. :) Rinse and repeat with different topics.</p><h3>Don #6 — Let people think for themselves</h3><p>Most courses have some sort of quiz at the end. I’ve done a few and I’m not a huge fan. Do you remember my friend from my previous blog? I also had to help him with one answer, and my tip was: “option D sounds <strong>least wrong</strong>”. It is no wonder that my friend just wanted to pass the quiz. Thinking about and reflecting on the material was not on the table at all.</p><p>Ask questions, but if possible, let the participant think for themselves. Ask more open-ended questions and let people reflect on their own lives. “Why is security important for you?”, “What devices do you have at home that could leak your personal information?”, and so on. This approach was also inspired by the solution sales methodology.</p><h3>Don #7 — Close the gap from social distancing</h3><p>Online live sessions work, if you alter your approach. Reduce the group size and length, and increase interaction.</p><p>We’ve found that groups of around six people are pretty ideal for fun and interactive sessions. Rather do three one-hour sessions with six people each than a three-hour session with 18 people. Or do interactive versions with the most security-critical personnel and use more scalable methods for the rest. As a nice side effect, you are forced to cut the fat from your content. :)</p><p>These types of sessions have been a blast for us, and the feedback from the participants has been great. I’ve never heard someone ask for more after a three-hour session in a classroom setting. Now, after several shorter online versions, I’ve had several “can we get more of these” questions at the end of the session.</p><h3>Accelerate the change towards human-centric training</h3><p>When we stop preaching and start helping people, people take interest and feel they are being helped. We have laid the groundwork for scaling our efforts. How to go forward from here?</p><h4>Companies have an incentive to help employees</h4><p>Companies have an incentive to help employees, as most attacks target their employees. If you are a CISO or CSO, make sure your company’s (good) training materials are online and available for everyone. Measure the <strong>interest</strong> and adjust your message over time. And don’t forget new employees: onboarding is a great place to introduce good cyber hygiene habits.</p><p>Now that we are human-centric, HR can also join the party. You can improve the lives of the company’s workforce, while making the workplace safer for everyone. Less employee churn and a more secure workplace.</p><h4>Individuals are great influencers</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*56GCyEM8ugtwgIahNSgzpg.png" /><figcaption>InfoSecSherpa explains how to do an “InfoSec 101” presentation for librarians</figcaption></figure><p>Most importantly, individuals, learners and trainers, are the stars of the show. Take <a href="https://medium.com/u/99fcf8aad2a7">InfoSecSherpa</a> for example. An ex-librarian, current “<em>Cyber Analyst SOC Sherpa</em>”, who wants hackers to talk more with librarians, and tells them how to do it.</p><p>Train the challengers, or challenge the trainers and put your new skills into practice. Don’t forget to tell your co-workers, friends and family about what you have learned. Enjoy the next security training you are going to make or take! Break stereotypes: talk to people, especially security pros and trainers. Show that you care about security and tell us how we can improve our game.</p><p>These were my seven Dons of Cyber Security Training for ordinary people. I’ve seen the light, and I hope you will too. I believe people will start practicing cyber hygiene the same way we brush our teeth and wash our hands.</p><p>Did you like this article? 
Ping me on <a href="https://www.linkedin.com/in/janikenttala/">LinkedIn</a> or <a href="https://twitter.com/janikenttala">Twitter</a>, I’d love to meet more people who want to crack the challenges related to employee training.</p><hr><p><a href="https://medium.com/badrapio/dohs-and-dons-of-cyber-security-training-2-2-the-seven-dons-16ddd611ab5e">D’ohs and Dons of Cyber Security Training (2/2) — the Seven Dons</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[I’ve been hit by a data breach. What should I do?]]></title>
            <link>https://medium.com/badrapio/sofri-um-vazamento-de-dados-como-devo-proceder-15cbbbeb323e?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/15cbbbeb323e</guid>
            <category><![CDATA[senhas]]></category>
            <category><![CDATA[segurança-da-informação]]></category>
            <category><![CDATA[vazamento-de-dados]]></category>
            <category><![CDATA[segurança]]></category>
            <dc:creator><![CDATA[Bruno Triani]]></dc:creator>
            <pubDate>Fri, 03 Jul 2020 07:35:33 GMT</pubDate>
            <atom:updated>2020-07-03T09:34:46.391Z</atom:updated>
            <content:encoded><![CDATA[<figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*AuS3u4iV4i1qGqAnPYhw3Q.jpeg" /></figure><p>If you received a data leak alert from a monitoring service such as <a href="https://haveibeenpwned.com/">Have I Been Pwned</a> or <a href="https://badrap.io/">Badrap.io</a> and are wondering what to do now, look no further: let’s sort this out together!</p><h3>1. Change your password</h3><p>First, go to the service that leaked the data and <strong>change your password</strong>. Even if you are not sure that passwords were leaked in this particular breach, this is a safe and important first step.</p><h3>2. What data was involved in the breach?</h3><p>Get a better understanding of what was affected in the data breach. Try to find answers to the following questions:</p><ul><li>What data was leaked?</li><li>Were passwords or usernames leaked?</li><li>Were security questions and answers leaked?</li><li>When did the data breach happen?</li><li>How old is the data?</li></ul><p>Now you have a rough idea of the extent of the leak. Try to think about what someone else could do with that information.</p><blockquote>Think about what a criminal could do with the leaked information.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Tmd4LgK7D8NyYQi64in0KA.png" /><figcaption>Email alerts about data leaks can look scary. Calm down, have a cup of coffee or tea and take a deep breath before acting.</figcaption></figure><h3>3. Does your email account have the same leaked password?</h3><p>If your email account password was the same as the password in the data leak, change it now.</p><p>With access to your email inbox, a criminal can reset and change your passwords for all the other online services you use, including Facebook, Netflix and Google. 
They will be able to take over your entire online life, conveniently from a single place. That is why your email inbox is the Crown Jewel and needs strong protection.</p><p><a href="https://support.google.com/accounts/answer/32040?hl=pt-BR">Create a strong</a>, unique password for your email account. More and more services offer two-factor authentication, often shortened to 2FA. Enable it whenever possible; see the instructions from <a href="https://www.google.com/landing/2step/?utm_source=pp&amp;hl=pt_BR">Google</a> and <a href="https://pt-br.facebook.com/help/148233965247823">Facebook</a>. Add emergency contact information so that you can get your account back if something happens.</p><blockquote>With access to your email inbox, a criminal is able to take full control of your online life.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*bfhC9ih0Ur6CliCqwGvH1g.png" /><figcaption>When someone gains access to your email inbox, you can end up losing access to all your online accounts.</figcaption></figure><h3>4. Do other online services have the same leaked password?</h3><p>If you use only a limited set of passwords, or if they are all very similar, you need to start changing them now. Start with the services that have the same password that was leaked.</p><p>Next, change all the other passwords too, even if they were not involved in this data breach. Leaving them as they are is a disaster waiting to happen.</p><p>It is tedious work, but it is worth it. After the initial effort, it gets easier.</p><p>From now on, start taking better care of your passwords. Consider using a program to manage them. These include the password managers built into the Chrome and Firefox browsers and the macOS Keychain Access. 
Apps such as <a href="https://1password.com/pt/">1Password</a>, <a href="https://www.lastpass.com/pt/solutions/business-password-manager">LastPass</a> and <a href="https://keepass.info/">KeePass</a> (in English) are just as good. Generate strong, hard-to-guess passwords that are unique to each service. Add two-factor authentication whenever possible.</p><blockquote>Recycling is not for passwords. Use a unique password for every online service.</blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VJN590-G2uSHmvhpPgUCqA.png" /></figure><h3>5. Does your work email account have the same leaked password?</h3><p>If your work user account or work email has the same password as the breached service, contact your company’s IT support for assistance. They may want to monitor your account for any unauthorized access attempts and check whether the account has been accessed in a suspicious way.</p><p>Don’t hesitate or feel embarrassed, just call them! It is not your fault that an online service had a data breach and your password happened to leak. Best of all, from now on you know that passwords can leak, and next time you can start using unique passwords for every service.</p><p>Don’t forget to change your work password to a unique and strong one.</p><blockquote>Contact your company’s IT if your work email password leaks.</blockquote><h3>The path to better online hygiene</h3><p>It is a good idea to practice online hygiene whenever you give any personal information to a service. Give as little as possible and be aware every time you hand over information. Ask yourself: “What could happen if this data leaked?”</p><p><strong>Was other personal data leaked?</strong></p><ul><li>What kind of information did you give the service? 
Personal details, photos, credit card numbers.</li><li>What kind of data does the service hold about you?</li><li>Was there data about people other than you? Your children, friends, other email addresses, photos?</li></ul><p>Remove unnecessary personal details, such as your birthday and home address. Ask yourself: why does the service need them? For age verification? Birthday notifications? “1 January 1900” will work perfectly well in many cases.</p><p>If credit card details were involved, contact your bank. The bank will probably want to cancel the card as a precaution. There may be a small fee involved, but that is better than the alternative. In the future, do not give your credit card details to individual services to store in their databases. Instead, whenever possible, use a well-known payment transaction service with a good reputation. These include <a href="https://www.paypal.com/br/webapps/mpp/home">PayPal</a>, <a href="https://stripe.com/global#BR">Stripe</a> (en) and <a href="https://pay.amazon.eu/?ld=ELNALPA-medium.com">Amazon Pay</a> (en).</p><p>Let your loved ones know if any of their personal data was involved. Remove that data, if possible, and avoid providing it in the future.</p><blockquote>Start practicing strict online hygiene. Try to be aware of the data you are providing at all times.</blockquote><h3>Be a mentor</h3><p>Educate others. Tell your story and approach them with best practices for passwords and online hygiene. Show them how to monitor data leaks. Be a mentor.</p><blockquote>Tell your story and be a mentor in online hygiene.</blockquote><h3>Data leak monitoring with Badrap.io</h3><p>With <a href="http://Badrap.io">Badrap.io</a> you can monitor data breaches for several email addresses, such as your personal and work emails, from a single Badrap.io account. 
Add the emails of your loved ones, such as children and parents, so that you are notified if their emails are involved in a data leak.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*U94p7EBCi20gEWqIpdiQoQ.png" /></figure><p><a href="http://Badrap.io">Badrap.io</a> also sends automatic notifications if your IP addresses have been found by security researchers as vulnerable devices/networks.</p><p>This article is a translation of the original in English written by <a href="https://medium.com/u/b0e55de6a4c8">alatalo</a> at <a href="https://medium.com/badrapio/i-got-a-data-breach-alert-what-next-d3fa36d9a7c7">https://medium.com/badrapio/i-got-a-data-breach-alert-what-next-d3fa36d9a7c7</a></p><hr><p><a href="https://medium.com/badrapio/sofri-um-vazamento-de-dados-como-devo-proceder-15cbbbeb323e">I suffered a data leak. How should I proceed?</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[D’ohs and Dons of Cyber Security Training (1/2)]]></title>
            <link>https://medium.com/badrapio/dohs-and-dons-of-cyber-security-training-1-2-c51d1d488e62?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/c51d1d488e62</guid>
            <category><![CDATA[training-courses]]></category>
            <category><![CDATA[cyber-hygiene]]></category>
            <category><![CDATA[psychology]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[janikenttala]]></dc:creator>
            <pubDate>Mon, 15 Jun 2020 09:04:50 GMT</pubDate>
            <atom:updated>2020-07-13T20:00:22.536Z</atom:updated>
            <content:encoded><![CDATA[<h3>D’ohs and Dons of Cyber Security Training (1/2) — the D’ohs</h3><h4>I have been taking, running, and eventually creating cyber security courses for a while. I have had both my Homer Simpson moments and increasingly frequent bright moments. I will try to share them here in two parts, first the D’ohs and then <a href="https://medium.com/badrapio/dohs-and-dons-of-cyber-security-training-2-2-the-seven-dons-16ddd611ab5e">the Dons</a>, and what Dons have got to do with this.</h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*axozp_1ZwYSdL4jnauXq2w.png" /><figcaption>What if people wanted to learn good cyber hygiene habits?</figcaption></figure><h3>“People are the weakest link” myth</h3><p>It is easy to talk about human beings being the weakest link: “people don’t care about security”, “people can’t handle it”, “people don’t get it” and so on. Is there any other industry or skill area in working life where you intentionally downplay the humans while still employing them to do the job? Humans have social superpowers which make them one of your best defences if just given a chance.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*x6BIQayPPHan6h3S7dCDaA.jpeg" /><figcaption>Shall we blame the people, or empower them? I’ve picked my side.</figcaption></figure><h3>“People don’t want to or can’t learn cyber security” fallacy</h3><p>A big portion of them do. How big? It depends on the teacher.</p><p>Have you ever heard a primary school teacher say: “No use teaching Spanish, students will never learn.” I don’t think so. A teacher sees the shades of gray. There are those who learn just by taking a glance at the book. Then there are those who have difficulties, and those who lack motivation. And in between, there are <em>many many capable students</em>. The situation is similar when it comes to people and security. 
In practice, when given a chance, people feel cyber security is important, and they both want to and can learn.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*-pWmyv2uz0dx1EDavwuy-Q.png" /><figcaption>I used to blame the people, until I learned a lesson from the teachers.</figcaption></figure><h3>“There is a technical gizmo for that” delusion</h3><blockquote>Bad guys can always shop the latest gizmos as well and train against them at their home.</blockquote><p>It might feel that humans are hard and technology is easy. That might be true when it comes to relationships, but in cyber security there is no magical technological silver bullet that will solve it all. There is always the next-gen cyber security fad, trend or magical gizmo that is being used as an excuse not to invest in humans and their training.</p><p>In the worst case, the latest technical defences have just made us more vulnerable. I see it like this: bad guys can always shop the latest gizmos as well and train against them at their home, but they can never adapt to your human defences and instinct. There is a place for technical defences, but training us, the humans, evens the game and turns an uneven match into more of an Alien vs. Predator thing. Hmmm, who won? :)</p><h3>“It is an IT problem, no it is an HR problem” debacle</h3><p>Arranging cyber security training and onboarding seems far too often to fall between the cracks. IT departments are busy with technology, and HR departments may feel that IT owns cyber security. Happily, this seems to be solvable by someone taking the lead and asking IT and HR to help.</p><h3>“Compliance got to be dull” despair</h3><p>Someone I know went through a mandatory employee information security course. The course had all the usual bells and whistles: a well-produced 40-minute video, talking heads explaining different aspects of information security, and an exam afterwards. 
The outcome was a frustrated employee who thinks security courses are an utter waste of time. That got me thinking. I know he cares about security and privacy. Then it hit me: we are not just passively complaining about people, sometimes we are the ones who ruin them.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*yd8z2dkwFt-2zEfvVw6liQ.png" /><figcaption>“I need to get back to work. Come on, isn’t this over yet?”</figcaption></figure><p>At one point, he asked why he needed to learn those topics in the video. I didn’t have the answer. The content was mostly suitable for someone aiming to be a CISO, but every employee of a large organisation needed to take it. Time away from his actual job added to the stress, and he tried to get work done while completing the course. Putting the video in the background didn’t work; the course creators had that covered. The quiz at the end required participants to remember trivial details, such as terminology and listings of concepts mentioned. Congrats, you need to go back, you lose more time, and end up even more stressed.</p><p>In the next part, I will try to find ways to make even the compliance part more fun, engaging and efficient.</p><h3>“Cyber security trainers and experts are infallible” mistake</h3><blockquote>With cyber security training and onboarding now being more commonplace, we can learn from the feedback and dialog in order to create more interesting and relevant content.</blockquote><p>Cyber security is a moving target. People have been told to change passwords too often, giving birth to those post-it passwords on the monitor frames that you can spot in casual workplace videos. It made sense back in the 90&#39;s, when you could pretty easily brute force weak password hashes. 
Yup, there has been a bit of a cargo cult, stupid things have been taught, and yours truly has <a href="https://youtu.be/MR_Vk461b6c">stumbled as well</a>:</p><iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FMR_Vk461b6c%3Ffeature%3Doembed&amp;display_name=YouTube&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DMR_Vk461b6c&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FMR_Vk461b6c%2Fhqdefault.jpg&amp;key=a19fcc184b9711e1b4764040d3dc5c07&amp;type=text%2Fhtml&amp;schema=youtube" width="854" height="480" frameborder="0" scrolling="no"><a href="https://medium.com/media/890bbf81726dbad4083fb82fe2d15b53/href">https://medium.com/media/890bbf81726dbad4083fb82fe2d15b53/href</a></iframe><p>With cyber security training and onboarding now being more commonplace, we can learn from the feedback and dialog in order to create more interesting and relevant content. We learn how to enable people to be our best line of defence.</p><p><em>In this part we saw how we might have been driving people away from security. In the next part I will take a look at what we can do to win them back, and what “Dons” have to do with all of this. 
Follow this publication, @</em><a href="https://twitter.com/badrapio"><em>badrapio</em></a><em> on Twitter, or </em><a href="https://www.linkedin.com/in/janikenttala/"><em>me</em></a><em> on </em><a href="https://www.linkedin.com/in/janikenttala/"><em>LinkedIn</em></a><em> to catch the next post.</em></p><p>Cyber classroom: <a href="https://stories.freepik.com/illustration/classroom/rafiki">https://stories.freepik.com/illustration/classroom/rafiki</a><br>Spanish teacher: <a href="https://unsplash.com/photos/N_aihp118p8">https://unsplash.com/photos/N_aihp118p8</a><br>Robot pic: <a href="https://unsplash.com/photos/2EJCSULRwC8">https://unsplash.com/photos/2EJCSULRwC8</a><br>Security on: <a href="https://stories.freepik.com/illustration/security-on/amico">https://stories.freepik.com/illustration/security-on/amico</a><br>Back to work picture: <a href="https://unsplash.com/photos/i71ZRcnqqvw">https://unsplash.com/photos/i71ZRcnqqvw</a></p><hr><p><a href="https://medium.com/badrapio/dohs-and-dons-of-cyber-security-training-1-2-c51d1d488e62">D’ohs and Dons of Cyber Security Training (1/2)</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Data breaches — who needs to know?]]></title>
            <link>https://medium.com/badrapio/data-breaches-who-needs-to-know-3e51dda72cdf?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/3e51dda72cdf</guid>
            <category><![CDATA[executives]]></category>
            <category><![CDATA[data-breach-notification]]></category>
            <category><![CDATA[communication]]></category>
            <category><![CDATA[business]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Bruno Triani]]></dc:creator>
            <pubDate>Tue, 04 Feb 2020 12:11:50 GMT</pubDate>
            <atom:updated>2020-02-04T12:11:49.865Z</atom:updated>
            <content:encoded><![CDATA[<h3>Data breaches — who needs to know?</h3><h4>Results from warning decision-makers affected by data breaches in Finland</h4><p>This article addresses the last question <a href="https://medium.com/badrapio/in-the-face-of-password-breaches-we-are-equal-7539ab837104">from my previous study</a>: are the executives involved in data breaches aware of their exposure? During my analysis, I came across dozens of people who had their credentials for both personal and work-related identities leaked. I couldn’t just sit on this information, so I notified them.</p><h3>How was the notification made?</h3><p>At Badrap, we are on a mission to get security information delivered to those who need it. <a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-iii-248766647791">Personal security issues can be exploited to affect companies. In the digital realm, our personal and work identities intertwine with one another.</a> It has become less obvious who should be notified about security issues related to those identities. If we share our findings with corporate security teams, we end up exposing non-work-related matters. On the other hand, reaching the affected people needs careful craft to make the message clear and not alarmist. And since I was running this study while working at a security company, they could dismiss my message as marketing.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*y212BqRhXosaOoOiXIEwbw.png" /><figcaption>We have many identities. Some are personal, and some are work-related. Security issues related to personal identities can affect companies. Who should get the warnings? The company or the individual?</figcaption></figure><p>Considering that the information found involved personal email addresses, we notified the victims directly by email and gave a heads-up to the security teams if we had a contact in that company. 
You can find both templates at the end of this article.</p><h3>Answers received</h3><p>Of the eleven companies contacted, we got responses from only two. And the responses came from CISOs (chief information security officers), instead of the victims. In both cases, the messages were very similar. They acknowledged the importance of raising awareness and ensuring the victims were informed, but also asked that any future victim notifications should be sent first to the security team. I was glad to hear both organizations actively monitored data breaches related to the corporate domain.</p><p>I replied to their emails, thanking them for their feedback and guaranteeing that I would communicate any further notification to them. I wrote that, while I understood their wish to stay on top of the issues affecting their employees, I should only disclose exposed private information to the affected person.</p><p><strong>Cybersecurity has ended up in a similar position to occupational health regarding this balance between the individual and the corporation. An employee’s behavior and habits can affect their work, but the employer must respect their privacy. When the data is about people, including their personal identities, who should get the information?</strong></p><h3>Lessons learned</h3><p>1- Show the actual results — not just the method to get them. Seeing the findings would help people understand better how we are trying to help. The victims’ notification email explained the method used to find the potential vulnerabilities but didn’t show the results, like the emails involved and the services that leaked their data.</p><p>2- Give a heads-up to security teams in all companies. We considered this a nice-to-have, but it is likely a must-have. 
Instead of just messaging the contacts that we already knew, it would be better to let all those professionals have the time and opportunity to communicate with their colleagues before the victims’ notification hit their email inbox.</p><p>3- Avoid hyperlinks. I wrote in plain text the addresses of the services or pages that I used during my study. I didn’t want to have active hyperlinks in my email (nothing that could resemble a phishing attempt), but I realize that some email clients create active links just by having a valid internet address in the message body.</p><p>4- Timing. I sent the notifications on the morning of the 31st of December. Even though it was still a typical working day, some people were on holiday. The idea was to contact all the potential victims as soon as possible. But choosing a better day would improve the odds of having the message seen. And I wouldn’t need to check my email regularly to answer enquiries on New Year’s Eve.</p><p>Below you will find the email templates referred to at the beginning of this article.</p><h4>Email sent to the victims:</h4><blockquote>Subject: <em>(full name)</em> — notification about a potential data breach</blockquote><blockquote>Dear <em>(last name)</em>,</blockquote><blockquote>I’m researching data breaches to understand how they affect large companies in Finland. <strong>I’m contacting you directly because I found your email in the publicly available data breach material.</strong> You are one of many; it appears that data breaches have affected 65% of the executives of the 11 most valuable companies in Finland. Their emails and passwords were leaked from other services (e.g., LinkedIn, Adobe, eBay, etc.).</blockquote><blockquote>You may be aware of these issues and have worked on them already. In this case, I apologize for the redundant report.</blockquote><blockquote>I am not publishing any specifics about the companies or people involved, only statistics. 
The goal of my research is to understand how executives deal with cybersecurity awareness when notified about data breaches. <strong>Below I have frequently asked questions and more details about the steps that I followed to find the information regarding the data breaches potentially affecting you.</strong></blockquote><blockquote><strong>From where did I get the results? </strong>To check the emails of the executive board, I combined the information from the links:</blockquote><blockquote>1 — <em>(company’s link with the description of the executives)</em></blockquote><blockquote>2 — Discovered current and other email addresses (such as personal and past emails) using web crawlers such as the service RocketReach.co</blockquote><blockquote>3 — and then checked if they were involved in data breaches (with password exposure) on haveibeenpwned.com</blockquote><blockquote><strong>What can be done to protect my accounts? </strong>Some companies found it useful to advise the affected users not to reuse those breached passwords and, when possible, to use two-factor authentication. If you feel that you could help with my research, you can reply to the question below through email.</blockquote><blockquote><strong>SURVEY QUESTION: How did you learn about these specific breaches? (choose all that apply)</strong></blockquote><blockquote>Original data leak source (3rd party service that leaked): yes/no</blockquote><blockquote>Your company’s staff: yes/no</blockquote><blockquote>News or other media: yes/no</blockquote><blockquote>This notification email: yes/no</blockquote><blockquote>Other: please describe</blockquote><blockquote>Thank you very much. If I can be of any assistance, let me know.</blockquote><blockquote><strong>FAQ</strong></blockquote><blockquote><strong>How am I exposed? </strong>From previous experience and studies, it is common to see people reusing passwords on different services, like corporate emails and social media platforms. 
The risk involved in using the breached password is the possibility that someone who gets access to that leaked information tries to access other services held by the victim with the same or a similar password. In some cases, criminals also use extortion with the claim that they hold more information than your email and password.</blockquote><blockquote><strong>How many people have been affected by these breaches? </strong>These breaches have been affecting virtually all Internet users. Other businesses and individuals are dealing with the same challenge.</blockquote><blockquote><strong>Who are you? </strong>I’m Bruno Triani, and I have a professional interest in the data breach topic. I write articles about the topic, and my company works in this field.</blockquote><blockquote><strong>Are you selling something? </strong>No. My company and I don’t mix victim notifications with commercial activities. All the relevant information is packaged here. No strings attached.</blockquote><blockquote><strong>Are you going to publish this? </strong>I never publish victim details. I may publish general findings and aggregated statistics as part of my research. Some of my findings can be found in my Medium blog articles.</blockquote><blockquote><strong>Where did you get your information? </strong>I use publicly available information, which is easy to get. I’ve documented my methodology in my blog articles.</blockquote><blockquote><strong>We are aware of this already, why are you contacting us? </strong>Great. One issue I have seen is that often the victims are not aware, even if the information is publicly available. Or they may be aware of the issue, but think there is nothing they can do or even think it does not matter.</blockquote><h4>Email sent to the cybersecurity professionals whose contact I already had:</h4><blockquote>Hi. I’m Bruno from Badrap, a security company from Oulu. I’m researching data breaches to understand how they affect large companies in Finland. 
As part of this research, I became aware of a handful of your decision-makers’ involvement in data breaches. As a final part of my study, I’m notifying them about the breaches just in case and asking for their voluntary feedback about where they first heard about the breaches (if they did) — see the template below.</blockquote><blockquote>If you have any questions or comments, feel free to contact me.</blockquote><hr><p><a href="https://medium.com/badrapio/data-breaches-who-needs-to-know-3e51dda72cdf">Data breaches — who needs to know?</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[In the face of password breaches, we are equal]]></title>
            <link>https://medium.com/badrapio/in-the-face-of-password-breaches-we-are-equal-7539ab837104?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/7539ab837104</guid>
            <category><![CDATA[data]]></category>
            <category><![CDATA[management-and-leadership]]></category>
            <category><![CDATA[security]]></category>
            <category><![CDATA[passwords]]></category>
            <category><![CDATA[corporate-culture]]></category>
            <dc:creator><![CDATA[Bruno Triani]]></dc:creator>
            <pubDate>Mon, 30 Dec 2019 06:19:42 GMT</pubDate>
            <atom:updated>2019-12-30T10:56:42.865Z</atom:updated>
            <content:encoded><![CDATA[<h4>A quick study of data breaches vs. decision-makers in 11 top market cap companies in Finland</h4><p>I have been discussing how data breach information can be used to scam or attack people and companies (links below). So I got curious. Are decision-makers, C-levels, and executives involved in data breaches? And if they are involved, is the breached data easily available? Are they aware of it? I now know the answer to two out of my three questions.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*3jCWC4y6LSASje6FyMsCSA.jpeg" /><figcaption>(image from Pixabay)</figcaption></figure><p>I decided to survey the managers of the 11 most valuable companies in Finland and check whether I could easily find information about data breaches that they were involved in. I assumed that attackers don’t discriminate, and they may go after anyone they can get. Of course, some targets may be more lucrative than others.</p><h3>Are decision-makers involved?</h3><p>Yes. Here is how I figured it out.</p><h4>1 — Find the names</h4><p>Most companies keep a list of their executives on their website, with a brief description of each one, usually under the “Investors” tab.</p><h4>2 — Get their public profiles from LinkedIn</h4><p>I looked up every name on LinkedIn (virtually all executives have an online profile). The idea here is to match each name from the company’s webpage to a public profile ID. I will explain why soon.</p><h4>3 — Find email addresses</h4><p>There are commercial services to purchase employee contact information. For example, Alma Media sells decision-maker contact info such as email and phone numbers. I used a service called RocketReach that lists present and past emails, including personal ones. 
Using this tool, I can search for someone using their LinkedIn profile, helping me to find the exact person.</p><h4>4 — Check data breaches</h4><p>After gathering the emails, I needed to check if they were involved in public data breaches including leaked passwords. Past and personal emails are important information even if the individual doesn’t use them anymore. Many people move to new emails and usernames but keep the same password. I checked their emails on haveibeenpwned.com, which is a repository that lists emails found in data breaches.</p><h4>Results</h4><p>After matching all the names with the corresponding LinkedIn profiles, I listed every email that had its password exposed in a data breach. All 11 companies had executives exposed to those incidents; on average, each organization had 10 leading executives when counting C-levels, presidents, and vice-presidents. <strong>The breaches affected at least 20% of the executives of each company, creeping up to 80% in some cases. On average, 65% of the executives of all surveyed companies were exposed in data breaches involving password leaks.</strong></p><h3>Is the breached data easily available?</h3><p>Haveibeenpwned.com is an excellent and reputable service, and I have no reason to doubt its results. But some things you need to witness with your own eyes before you feel comfortable talking about them. So I decided to get a sample set. Off to the dark and deep webs, right? Wrong. <strong>I was stunned to realize how easy it is to get a password dump of one billion accounts and passwords.</strong> All I needed to do was search the web and download a torrent file. 
Emails and passwords were found in plain text.</p><h3>How data breach information can be used to scam or attack people and companies</h3><p><a href="https://twitter.com/BadRapIO/status/1181140069316534272?s=20">Email scam example</a> — video</p><p><a href="https://medium.com/badrapio/credential-stuffing-explained-5390373d415">My Sports Tracker Password Is Not Just My Private Business</a> — article</p><p><a href="https://medium.com/badrapio/what-we-dont-see-when-a-data-breach-happens-63c4ecb2e093">How one breach can haunt individuals and companies for years </a>— article</p><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-iii-248766647791">3 steps to engage employees in cyber hygiene </a>— article</p><h3>Are they aware of it?</h3><p>The first thing to do is to warn the victims. I am contacting the people involved to make sure they are aware of the issue. I am still waiting for feedback to help me understand if they already knew the problems and how did they find out the leaks in the first place. After the victim notification, I will delete the names and emails from my survey. For the study, it will be enough to keep the statistics and collect the feedback. Good information hygiene helps to be part of the solution rather than part of the problem.</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=7539ab837104" width="1" height="1" alt=""><hr><p><a href="https://medium.com/badrapio/in-the-face-of-password-breaches-we-are-equal-7539ab837104">In the face of password breaches, we are equal</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[What we don’t see when a data breach happens]]></title>
            <link>https://medium.com/badrapio/what-we-dont-see-when-a-data-breach-happens-63c4ecb2e093?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/63c4ecb2e093</guid>
            <category><![CDATA[hacker]]></category>
            <category><![CDATA[passwords]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[data-breach]]></category>
            <category><![CDATA[business]]></category>
            <dc:creator><![CDATA[Bruno Triani]]></dc:creator>
            <pubDate>Thu, 12 Dec 2019 14:13:07 GMT</pubDate>
            <atom:updated>2019-12-12T14:13:07.878Z</atom:updated>
            <content:encoded><![CDATA[<h4>How can one breach haunt individuals and companies for years?</h4><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-i-1e5a518e9d50">I already wrote about the challenges of dealing with data breaches and how companies struggle to communicate about cybersecurity to their collaborators.</a> Another perspective on the increasing number of unauthorized accesses to our data is how that information flows through the Internet.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*oXOiTFvW5VZpllfMlf1jRA.jpeg" /><figcaption>(Photo by Pang Yuhao on Unsplash)</figcaption></figure><h3>How are breaches published in the media?</h3><p>Often we stumble upon news describing millions of users being exposed from social media platforms, open databases, or even governmental agencies. At the moment that information becomes public, the size and reach of the breaches are just estimations, as is the time the data was exposed¹. The general feedback that I get from people worried about their data safety is related to privacy and money. If personal documents or credit card numbers are involved in the cases mentioned above, more attention comes from the public. Incidents are getting so frequent that it seems we are experiencing a kind of fatigue related to data breaches. Its numbing effect even reaches the markets. After a couple of quarters, some C-level heads rolling and a few embarrassing public communications, investors turn their attention back to profitability and other performance metrics. Even after compromising critical information, life goes on for the business. “Sorry, but now we are going to improve our services.” Insurance and legal battles take care of the rest².</p><h3>What happens with the stolen data?</h3><p>The motivation to break into a system is mostly extortion or misuse, aiming for financial benefit. 
As soon as an organization recognizes the vulnerability, the stolen data becomes clear proof of a crime and a kind of toxic material for criminals. At the beginning, the illegally gathered information is used by the people involved in the attack. But after some time, the breached data can pass through different hands, becoming more widely circulated and losing its value in the black market. More copies, less value.</p><h3>What kind of information about me can be out there?</h3><p>The problem we are facing now is that these breaches are getting so popular that they are even available for free. I just came across a password and email dump of 1 BILLION records, all in plain text³. We have some tools to check if our credentials and networks are involved in public leaks. We rarely dig through the Internet to check every incident, and we are even less likely to understand how we were exposed. In the best-case scenario, the company that had the issue tells users how their private data was disclosed. Of course, we rarely see these messages and warnings. Most companies publish just a discreet public note after clear proof of the incident. Typically, the breaches involve names, emails, passwords (encrypted or not), dates of birth, physical addresses, and phone numbers. Associations with social media profiles are also becoming more common.</p><h3>Don’t recycle passwords</h3><p>As mentioned above, this stolen data loses its value in the black market as time passes by. It is hard to keep track of what kind of information we give every time we subscribe to a service. After becoming aware of our involvement in a data breach, a must-do is to change our password for that service. I won’t get into the details of how we use minimal effort to change passwords when needed, or the convenience of reusing the same password for different logins. The main point here is that the chance of a breach involving you being available out there in plain text is a reality. 
That password is not good anymore, anywhere.</p><h3>From individuals to companies, the long-tail effect</h3><p>Many people would say that they have nothing to hide, and therefore the leaked information is not that critical. We forget that all our online information is interconnected. From one email (corporate or personal), I can guess or find other electronic addresses under the same identity. With one name, I can search for every partial or public profile on any platform. The critical link here is that with one email and password, there is a broad range of places that an attacker could try to take over. At every step, more critical information can be gathered, and the higher the risk that your private messages/data can be accessed. <a href="https://twitter.com/BadRapIO/status/1181140069316534272">From blackmail to impersonation, different threats can be used against you or over your network.</a></p><h3>Others’ business data breaches are your business</h3><p>The biggest issue with companies is that they move way more money than individuals and also hold large amounts of important information on their servers. If one person affected by a data breach can be endangered, what about dozens of people from the same company being exposed? The odds of finding an illegal way into a business’ data (and money) through several employees are much higher than those of an attack aimed only at the technical vulnerabilities of a corporate infrastructure. It is like having the house keys of many employees. Why should criminals bother to break into the company’s door?</p><h3>How do companies react to this new reality?</h3><p>Having seen how easy it is to access breach data, and knowing that people keep reusing passwords, companies should work to monitor critical information available about their employees. It is not hard to find how many people from the same domain are exposed. I am researching the biggest companies in Finland to check how many of their executives and employees were involved in data breaches. 
I will notify those companies and try to understand how CEOs are handling this issue.</p><p>[1] The WIRED Guide to Data Breaches — <a href="https://www.wired.com/story/wired-guide-to-data-breaches/">https://www.wired.com/story/wired-guide-to-data-breaches/</a></p><p>[2] Target shares recover after reassurance on data breach impact — <a href="https://www.reuters.com/article/us-target-results/target-shares-recover-after-reassurance-on-data-breach-impact-idUSBREA1P0WC20140226">https://www.reuters.com/article/us-target-results/target-shares-recover-after-reassurance-on-data-breach-impact-idUSBREA1P0WC20140226</a></p><p>[3] File With 1.4 Billion Hacked And Leaked Passwords Found On The Dark Web — <a href="https://www.forbes.com/sites/leemathews/2017/12/11/billion-hacked-passwords-dark-web/#2ba39e5821f2">https://www.forbes.com/sites/leemathews/2017/12/11/billion-hacked-passwords-dark-web/#2ba39e5821f2</a></p><hr><p><a href="https://medium.com/badrapio/what-we-dont-see-when-a-data-breach-happens-63c4ecb2e093">What we don’t see when a data breach happens</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[There is no work-life balance in cybersecurity — part III]]></title>
            <link>https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-iii-248766647791?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/248766647791</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[training]]></category>
            <category><![CDATA[engagement]]></category>
            <category><![CDATA[awareness]]></category>
            <category><![CDATA[business]]></category>
            <dc:creator><![CDATA[Bruno Triani]]></dc:creator>
            <pubDate>Mon, 11 Nov 2019 10:09:13 GMT</pubDate>
            <atom:updated>2020-01-28T08:38:09.147Z</atom:updated>
            <content:encoded><![CDATA[<h3>There is no work-life balance in cybersecurity — part III</h3><h4>3 steps to engage employees in cyber hygiene</h4><p>I have written about my journey to understand how we deal with cybersecurity. First, I drew attention to the actions we perform online and how blurry the boundaries of digital trust can be. Next, I tried to figure out how to define responsibilities for information security. Now, the last part of this series captures my experiences in engaging employees in cybersecurity.</p><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-i-1e5a518e9d50">Part I — Where are the boundaries of trust?</a></p><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-ii-34b0fcfbb804">Part II — From board meetings to daily tasks, who owns cybersecurity risk for the company?</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*I0_wlpixy9NVkNWJ4q77gw.jpeg" /><figcaption>(Photo by Andrew Martin on Pixabay)</figcaption></figure><h3>1 — We are driven by convenience (cut to the chase)</h3><p>The biggest challenge in conveying a message is to make it as simple as possible. My first impulse in trying to get people interested in safer online practices was to stress the risks and threats they are exposed to. But presenting the problem doesn’t change the fact that increasing fear without offering convenient solutions just creates more aversion to effective protection. We like to access information 24/7 without many steps, from shorter access codes to facial recognition. No more warning signs, just messages letting me know what risks I am now exposed to.</p><h3>2 — Making it personal (and inter-personal)</h3><p>Informing people about what they should and should not do online is close to patronizing. It is difficult to focus on something that is said to be important but has been defined as such by someone else. 
First, we need to accept that the information is relevant and concerns us. In the second article, I mentioned that standard awareness campaigns struggle to show the connection between daily activities, responsibilities and the pitfalls that could affect our work and business. The other aspect of safer online practices is about expanding the circle of protection. More than taking care of our own assets, it makes sense to protect our family and friends as well. Expanding the good practices and awareness to reach the people around us elevates the activity from “just a checklist” to a far-reaching positive loop of protection.</p><h3>3 — Rewards and tracking (support and feedback)</h3><p>When people don’t see immediate results from a piece of advice or information, rewards can help to get their attention. Many times what looks like a lack of motivation to understand high-risk online behavior is just a lack of ability. Rewards like movie tickets and a day off are cheap if they help to avoid bad online decisions and the resulting fallout for the companies. Training is often measured only through participation or test scores. But when awareness and behavioral change are the objective, gathering feedback from the participants can lead to a better understanding of how the content is seen and also of their level of engagement. Not just numbers, but real answers from the training campaign, offering rewards and collecting feedback. Another aspect is to offer users support for better future decisions. Advice that pushes responsibility and workload onto the user’s shoulders can backfire against the initial purpose of raising awareness. We must offer help on this journey of improvement.</p><p>To make security information accessible to everyone, we at Badrap are working to make the “weakest link” in information security stronger — individuals. We developed a free platform that connects the findings of security researchers to help people check if their credentials or devices are exposed online. 
<strong>Sign up for free at </strong><a href="https://badrap.io/?utm_source=medium&amp;utm_medium=article&amp;utm_campaign=blog"><strong>badrap.io</strong></a></p><p>After having seen the positive impact of interactive training, a personal approach, and rewards &amp; tracking in raising cybersecurity awareness, we are now also helping companies with the Cyber Hygiene Campaign. We offer an online awareness campaign that helps protect your business and connects your employees with our platform. <strong>You can try it out at </strong><a href="https://hygiene.badrap.io/?utm_source=medium&amp;utm_medium=article&amp;utm_campaign=blog"><strong>hygiene.badrap.io</strong></a></p><hr><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-iii-248766647791">There is no work-life balance in cybersecurity — part III</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[There is no work-life balance in cybersecurity — part II]]></title>
            <link>https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-ii-34b0fcfbb804?source=rss----36a9e70bb3b---4</link>
            <guid isPermaLink="false">https://medium.com/p/34b0fcfbb804</guid>
            <category><![CDATA[hr]]></category>
            <category><![CDATA[management]]></category>
            <category><![CDATA[awareness]]></category>
            <category><![CDATA[ceo]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[Bruno Triani]]></dc:creator>
            <pubDate>Fri, 25 Oct 2019 09:31:42 GMT</pubDate>
            <atom:updated>2019-12-17T09:33:40.485Z</atom:updated>
            <content:encoded><![CDATA[<h3>There is no work-life balance in cybersecurity — part II</h3><h4>From board meetings to daily tasks, who owns cybersecurity risk for the company?</h4><p>This article is the second of a series of three through my journey to understand how people and companies are dealing with cybersecurity. <a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-i-1e5a518e9d50">In the first one</a>, I drew attention to the number of actions we perform online and how blurry the boundaries of digital trust can be.</p><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-i-1e5a518e9d50">Part I — Where are the boundaries of trust?</a></p><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-iii-248766647791">Part III — 3 steps to engage employees in cyber hygiene</a></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*AHHx8i3wvRTXxjfQ-H8DHQ.jpeg" /><figcaption>(Photo by Dylan Gillis on Unsplash)</figcaption></figure><h3>If everybody is responsible, nobody is accountable</h3><p>Many times when I reach out to companies to understand how they are dealing with the cybersecurity of their employees, a ping-pong of responsibilities starts. I talk with the CEO and as soon as the word “cyber” is mentioned, the name of the CIO comes into the conversation. <em>“We have this person taking care of our systems, you should talk to him/her.”</em> Right, then the Chief Information Officer is asked how they are managing cybersecurity. This time the word “security” catches his attention: “<em>We are doing pretty well, our security tools are in order.”</em> I explain that I would like to discuss how they are ensuring employees follow best practices, such as awareness and training.<em> “Sure, we have periodic training. But this part is with HR.”</em> 
I don’t need to mention that when the Human Resources manager hears the word “cyber”, something like this comes up: <em>“It is better to involve the IT person in the meeting”</em>…</p><iframe src="https://cdn.embedly.com/widgets/media.html?src=https%3A%2F%2Fwww.youtube.com%2Fembed%2FF7N1IfYVSF4%3Ffeature%3Doembed&amp;url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DF7N1IfYVSF4&amp;image=https%3A%2F%2Fi.ytimg.com%2Fvi%2FF7N1IfYVSF4%2Fhqdefault.jpg&amp;key=a19fcc184b9711e1b4764040d3dc5c07&amp;type=text%2Fhtml&amp;schema=youtube" width="854" height="480" frameborder="0" scrolling="no"><a href="https://medium.com/media/7c9513ec96ef7f61714c3a182454ba1c/href">https://medium.com/media/7c9513ec96ef7f61714c3a182454ba1c/href</a></iframe><h3>Awareness is not about IT</h3><p>Companies have to manage their data and workforce. As we struggle to manage our personal and professional credentials (<a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-i-1e5a518e9d50">as happened with my LinkedIn account</a>), businesses face the challenge of not only controlling access and rights but also ensuring that every individual is aware of the digital threats involving their jobs. But before discussing the balance between security and convenience, it could help to better understand how different business units can cooperate on the solution. Why should CMOs, CFOs or even HR be engaged in cybersecurity awareness? Because no one else understands the needs of their own units better. If an attacker reaches customer service pretending to be a valid customer to gain privileged information, the chief marketing officer would have to explain later what happened. If procurement follows an internal urgent request to pay a fraudulent invoice, why would the chief financial officer care about it? 
Who ensures that the recruiter doesn’t open that email attachment that looked like a resume?</p><h3>Making it personal</h3><p>Cybersecurity awareness for individuals only works after understanding where each one stands in this tension between efficiency and risk. We can shift the blame for security breaches to third parties, but the consequences affect us directly. Enforcing a password change because of a policy rule just makes people take the minimal effort to keep their access. It would be more effective to show them that their credentials were exposed in a data breach and many of their accounts could be vulnerable. Current attacks against businesses and individuals rely on failure to follow good cyber hygiene practices.</p><p>In the last article, I will share <a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-iii-248766647791">3 steps to engage employees in cyber hygiene</a>: from personal motivation and awareness-raising to checking their digital assets.</p><hr><p><a href="https://medium.com/badrapio/there-is-no-work-life-balance-in-cybersecurity-part-ii-34b0fcfbb804">There is no work-life balance in cybersecurity — part II</a> was originally published in <a href="https://medium.com/badrapio">badrap.io</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>