With POPIA and privacy legislation being enacted worldwide and the marked increase in cybercrime, Discovery is enhancing its security posture by taking further steps to protect client data.
Since we take the protection of our clients' digital lives seriously, we will be placing additional security measures in the flow of information between Discovery and third parties.
What is TLS?
Transport Layer Security (TLS) provides a way to encrypt a communication channel between two computers over the Internet. This provides a safe form of communication, with assurance similar to that of using password-protected emails.
Why is encrypting emails in transit with TLS important?
When an email is sent between two parties, it travels through the Internet, which means that there is a risk that an adversary will read it or even tamper with it. Without this encrypted channel, even password-protected files can be intercepted by a hacker who uses tools to decrypt these passwords. This is why encrypting the email channel itself is so important in protecting our privacy and security: it guarantees that no unauthorised third party can read or tamper with the email content.
What are DMARC, SPF and DKIM?
Sender Policy Framework (SPF) hardens your DNS (Domain Name System) servers and restricts who can send emails from your domain. SPF can prevent domain spoofing. It enables your mail server to determine when a message came from the domain that it uses. SPF allows the receiving mail server to check, during mail delivery, that a mail claiming to come from a specific domain was submitted by an IP address authorized by that domain's administrators.
DomainKeys Identified Mail (DKIM) ensures that the content of your emails remains trusted and has not been tampered with or compromised. DKIM allows the receiver to check that an email claiming to have come from a specific domain was indeed authorized by the owner of that domain. It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message. The recipient system can verify this by looking up the sender's public key published in the DNS. A valid signature also guarantees that some parts of the email (possibly including attachments) have not been modified since the signature was affixed.
Domain-Based Message Authentication, Reporting and Conformance (DMARC) ties the SPF and DKIM protocols together with a consistent set of policies to determine the action. DMARC is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, then depending on the instructions held within the DMARC record, the email could be delivered, quarantined or rejected.
What is required from your organisation?
This is for the attention of your CIO, CTO and CISO or head of Information Security, as these are technical changes required on your IT infrastructure.
If you use an IT hosting provider, you can request that they complete these changes on your behalf.
TLS requirements:
It is recommended that you configure your email servers to enforce TLS on all outgoing emails meant for Discovery domains.
SPF Policy:
It is recommended that you deploy SPF Policy in hardfail mode.
DKIM:
It is recommended that you configure DKIM on your email servers.
DMARC:
It is recommended that you deploy DMARC policy with quarantine.
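The SPF and DMARC recommendations above can be checked against the TXT records a domain publishes. The following is an added example, not Discovery's own tooling: it parses record strings offline and lists gaps against "SPF hardfail" and "DMARC quarantine". The sample records and the example.org domain are constructed, and treating p=reject as also meeting the quarantine recommendation is an assumption.

```python
# Added example: offline check of SPF/DMARC TXT records against the recommendations.

SPF_ALL_MODES = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}

def spf_all_mode(txt):
    """Return the mode of the SPF 'all' mechanism, or None if absent/not SPF."""
    terms = txt.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        t = term.lower()
        if t == "all":                      # a bare "all" defaults to "+all"
            return "pass"
        if len(t) == 4 and t[1:] == "all" and t[0] in SPF_ALL_MODES:
            return SPF_ALL_MODES[t[0]]
    return None

def dmarc_tags(txt):
    """Parse 'tag=value; tag=value' into a dict; None if not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(spf_txt, dmarc_txt):
    """List gaps against: SPF hardfail, DMARC quarantine (or stricter)."""
    findings = []
    mode = spf_all_mode(spf_txt)
    if mode != "hardfail":
        findings.append(f"SPF: 'all' is {mode or 'missing'}, expected hardfail (-all)")
    tags = dmarc_tags(dmarc_txt)
    if tags is None:
        findings.append("DMARC: no valid v=DMARC1 record")
        return findings
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):  # assumption: reject also meets the bar
        findings.append(f"DMARC: p={policy or 'missing'}, expected quarantine")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings

# Constructed sample records (example.org is a placeholder domain).
GOOD = ("v=spf1 include:_spf.example.org -all", "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org")
WEAK = ("v=spf1 include:_spf.example.org ~all", "v=DMARC1; p=none; pct=50")
```

Calling `audit(*WEAK)` returns three findings (softfail SPF, p=none, pct=50), while `audit(*GOOD)` returns an empty list.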
Keeping our clients' data safe is one of our highest priorities. For our mutual benefit, we recommend that you also enforce these additional security controls by enforcing TLS between yourselves and Discovery and implementing the appropriate verification protocols on your email domain.
Should you require further information, please contact us at DSYsecurity@discovery.co.za.