It’s one of a CISO’s worst nightmares: The department’s systems and data are compromised because a user’s credentials were stolen during a successful phishing attempt. However, agencies are learning that there are clear ways to prevent or mitigate such threats.
The Interior Department is the latest government agency to experience a phishing scam, but its response shows that such intrusions do not have to be devastating. Agencies need to be proactive and train users on good cyberhygiene.
By employing strong authentication technology and providing regular training on security best practices, agencies can limit the damage a successful phishing attempt can do and keep their networks and data safe.
As Norton (a Symantec brand) notes in a guide on the practice, phishing scams are “a kind of identity theft which is growing in popularity amongst hackers. By using fraudulent websites and false emails, perpetrators attempt to steal your personal data — most commonly passwords and credit card information.” Most often, the email appears to come from a legitimate sender but carries an embedded link; clicking it leads to a look-alike login page that harvests the user’s credentials (as in the Interior case described below) or triggers a malware download.
The Interior Department’s office of the inspector general initiated an investigation in January 2016 after multiple OIG employees received a phishing email from an internal DOI bureau-level employee, according to an Interior OIG report released in late May.
“The phishing email was sent from the bureau-level employee’s account without their knowledge,” the summary of the report states. “When the recipients clicked a link within the email, they were presented with a webpage that appeared to be DOI’s standard log-in screen, and were prompted for their username and password. At least two recipients clicked on the link and entered their DOI Gmail (Bison Connect Email System) credentials, thereby unknowingly compromising their accounts.”
For two weeks after that, more than 1,500 Interior employees received the phishing email, resulting in roughly 100 Interior users’ Gmail credentials being compromised. The successful phishing attempt resulted in illegal access to the DOI network through remote logins on at least eight Gmail accounts, according to the report.
The source of the attack was most likely located outside the United States, and Interior OIG turned the information over to the FBI’s National Cyber Investigative Joint Task Force.
As a result of the investigation, Interior CIO Sylvia Burns accelerated the agency’s existing plan to require two-factor authentication for departmental Gmail access, the report said.
The agency completed the transition 11 days after the phishing began. “By implementing two-factor authentication, DOI ended the attack and it substantially increased the security of DOI’s Gmail system, Bison Connect,” the report concluded. Two-factor (or multifactor) authentication requires the user to present at least two independent kinds of evidence: something he or she knows (a password, for example), something he or she is (a biometric marker, such as a retinal scan) and something he or she has (such as a one-time code generated by an authenticator app or hardware token). A phished password on its own then no longer grants access, which is why requiring the second factor stopped the attack.
Beyond instituting multifactor authentication to strengthen the security of users’ credentials, there are some clear best practices agencies can train users to follow. The FBI has its own list of cyberhygiene tips for preventing phishing scams, and they echo what many private sector companies recommend, including: