Tag Archives: DMARC

It All Starts With Physical Access

Sometimes we focus on the details of cybersecurity protections. And ignore the core issues.

In a lot of cases, when companies office in multi-tenant office buildings, the Internet comes into a shared area of the building that is not part of the company’s leased space. This is called a Dmarc for point of demarcation. The demarcation is where the Internet provider’s responsibility ends and your company’s responsibility starts.

But this is not in your space. it could be in a closet or in the building’s basement. You may not even have access to that space. If you do have access, other people may also have access. It may not even be locked. I used to have an office in a building where all of the communications connections came in to the basement and that space didn’t even have a door, never mind a lock.

Many times it is more convenient to put your company’s network gear such as switches and firewalls in this area. That way you don’t have to allocate any space in your area.

But why is this a problem?

Because now a hacker doesn’t have to hack your network from the outside; he or she can just come in and be on the inside. He or she can pay a janitor a few bucks, at night, to let him or her in, for example, or pick a lock. When only the cleaning crew is there, is someone taking 60 seconds to pick a lock in a hall closet going to be noticed?

Come into the building at night when the cleaning crew is there and insert a probe into your network. The cleaning crew is not going to stop anyone. At that point the hacker may be able to see and capture and transmit all of your network data to any place they want. They can come back at some time in the future and retrieve their gear. Or consider it a throwaway.

So what should you be doing?

Number one is that YOUR Dmarc should be inside your office space and it should be locked in a cabinet. The cabinet can have a tamper seal on it (since locks are for honest people) to make it more likely that you can detect if someone tries to get into it.

Hackers sometimes masquerade as cleaners or maintenance people and even if the equipment is in your space, if it is easily accessible, then that is a problem. Other times they just bribe them.

No one wants to think that an employee would go rogue, but it does happen. Ask the NSA. They “vetted” Edward Snowden. It didn’t work out very well for them.

If you lock the equipment up – and I am talking all network gear – you at least make it more difficult for the hackers.

You still have to deal with that common area Dmarc, but for a one time fee, the utility will typically extend that into your space. Then they are responsible for that wire. If you have to extend it yourself, you really should put your firewall at the end of the wire that is in your space. That way, anything outside your firewall is not trusted and not a whole lot different than what a hacker sees from the Internet – untrusted and with no sensitive data.

If you have questions about how your network gear is protected, reach out to us. We can do a virtual inspection and make recommendations for improvements, if needed.

Microsoft Working to Reduce Spam Emails

DMARC is a technology that is designed to reduce the amount of spam that makes it into your mailbox.  It provides an email’s recipient with instructions on how to validate a sender’s email.

Unfortunately, it is a voluntary standard for both the sender and the receiver and if the sender doesn’t have DMARC setup then there is nothing for the receiver to test.

In addition, if the policy tag is set to none, then the recipient is supposed to do nothing, even if the DMARC tests fail.

Microsoft is working on adding a feature to Office 365’s Advanced Threat Protection that will automatically block sender domains that failed the DMARC test.

Currently, the antispam rule allows administrators to allow domains regardless of the domain’s reputation.

This new feature will override the allow and block all domains that fail DMARC.


Initially, email that fails will be marked as spam and handled according to the spam rules.

This will be coupled with another feature to block malicious content regardless of custom configurations, unless manually overridden.

Here is the problem.

Even if you are not an Advanced Threat Protection (ATP) customer.

Even if you are not an Office 365 customer.

Even if you don’t use Microsoft tools.

This WILL affect you.

If the company you are sending an email TO is  using Office 365 ATP and they follow the recommended default configuration, if your configuration fails, your email will go into the junk box.

Your mission, should you decide to accept it – actually whether you decide to accept or not – is to make sure that your DMARC configuration is set up correctly.

Source: Bleeping Computer