No agency wants to make headlines for a security breach. After the Office of Personnel Management breaches in 2015, in which the personal information of 22.1 million current, former and potential federal employees (and their friends, neighbors and family members) was stolen, agencies were put on high alert. Now, the Department of Homeland Security is requiring agencies to take steps designed to mitigate future breaches.
Last month, DHS issued what is known as a “Binding Operational Directive” on cybersecurity, mandating that agencies apply security standards for email and web traffic. At this point, agencies have another three months to put all of the new protections in place.
The goal, DHS says, is to have agencies use standards that have been widely adopted in industry, and thus “ensure the integrity and confidentiality of internet-delivered data, minimize spam and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”
DHS issued the directive “based on current network scan data and a clear potential for harm.”
DHS Pushes for Stronger Email Security Protections
By Nov. 15, agencies need to provide DHS with a plan of action to implement the new protections.
For email, there are two new standards agencies must deploy. One is known as STARTTLS, which, as FastMail notes, is “a way to take an existing insecure connection and upgrade it to a secure connection” using Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL). As DHS notes, when STARTTLS is enabled by a receiving mail server, the protocol signals to a sending mail server that the capability to encrypt an email in transit is present. Though it does not force the use of encryption, enabling STARTTLS makes passive man-in-the-middle attacks more difficult.
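The opportunistic upgrade described above, as an added example that is not code from DHS or FastMail: the receiving server advertises STARTTLS in its EHLO reply, and the sending server upgrades only if the keyword is present. The server replies are a constructed transcript, not a live SMTP session; mail.example.gov is a placeholder.

```python
"""Opportunistic STARTTLS as the directive describes it: the receiving server
advertises STARTTLS in its EHLO reply and the sender upgrades only if it is
offered.  Added example, not DHS or FastMail code; the replies in
OFFERS_TLS/NO_TLS are a constructed transcript, not a live SMTP session."""

def parse_ehlo_reply(reply: str) -> tuple:
    """Status code and advertised extension keywords of a multi-line EHLO reply
    (RFC 5321: '250-' marks continuation lines, '250 ' the final line)."""
    lines = reply.splitlines()
    code = int(lines[-1][:3])
    # First line carries the server's domain; later lines carry one keyword each.
    exts = [ln[4:].split()[0].upper() for ln in lines[1:] if len(ln) > 4]
    return code, exts

def negotiate(ehlo_reply: str, starttls_reply: str) -> str:
    """What a sending MTA does given the server's replies: 'tls', 'cleartext' or 'abort'.
    starttls_reply is the reply to the client's STARTTLS command (RFC 3207)."""
    code, exts = parse_ehlo_reply(ehlo_reply)
    if code != 250:
        return "abort"
    if "STARTTLS" not in exts:
        # Not advertised (or stripped on the path by an active attacker): the mail
        # goes in cleartext, which is why DHS says only passive interception gets harder.
        return "cleartext"
    if int(starttls_reply[:3]) == 220:   # "220 Ready to start TLS"
        return "tls"
    return "cleartext"   # e.g. 454: TLS temporarily unavailable, client falls back

# Constructed server replies (CRLF-terminated lines as on the wire)
OFFERS_TLS = "250-mail.example.gov\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
NO_TLS = "250-mail.example.gov\r\n250-SIZE 52428800\r\n250 8BITMIME"
TLS_READY = "220 2.0.0 Ready to start TLS"
TLS_UNAVAILABLE = "454 4.7.0 TLS not available due to temporary reason"
```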
The second email protection is DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. DMARC, an industry standard, is an email authentication policy and reporting protocol that’s designed to prevent email spoofing — when malicious actors make it appear like the email is coming from someone else — which is the foundation of phishing. An initiative of the Trusted Domain Project, DMARC was finalized in 2015 by contributors, including Google, Yahoo, Mail.Ru, JPMorgan Chase and Symantec.
DMARC “builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (From:) domain name, published policies for recipient handling of authentication failures and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email,” notes DMARC.org.
DHS notes that setting a DMARC policy of “reject” gives agencies the “strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery.”
Additionally, DHS notes that DMARC “reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.”
In August, DHS began investigating agencies’ use of email security and authentication technologies, including DMARC.
“What I really like about DMARC is it’s not complicated. Cybersecurity can be a very daunting discipline to take on, and it’s important to take discrete, tangible steps that will have very scalable, broad impact across the global ecosystem,” Jeanette Manfra, the assistant secretary of the DHS office of cybersecurity and communications, said last month at the Global Security Alliance event in New York City, Federal News Radio reports. “Both the government and our citizens that depend upon interaction with the government deserve a trusted relationship.”
By the middle of January, agencies will be required to configure all internet-facing mail servers to offer STARTTLS, and all second-level agency domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
By the middle of February, agencies must ensure that 3DES and RC4 ciphers, and SSLv2 and SSLv3, are disabled on mail servers.
Within 15 days of establishing a centralized National Cybersecurity & Communications Integration Center (NCCIC) reporting location, agencies must add the NCCIC as a recipient of DMARC aggregate reports.
And by the middle of October 2018, agencies must set a DMARC policy of “reject” for all second-level domains and mail-sending hosts.
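The two DMARC milestones above (a valid record with at least "p=none" and a report recipient, then "p=reject") as a record checker. This is an added example, not DHS code or tooling; the SAMPLES records and the example.gov addresses are constructed, and a real check would look up the _dmarc TXT record in DNS rather than take a string.

```python
"""Check a DMARC TXT record against the directive's milestones: first a valid
record with at least p=none and a report recipient, finally p=reject.  Added
example, not DHS tooling; SAMPLES are constructed records, not live DNS data."""
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; ...' (RFC 7489 syntax) into a dict; v=DMARC1 must come first."""
    tags = {}
    for part in filter(None, (p.strip() for p in txt.split(";"))):
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record does not begin with v=DMARC1")
    return tags

def report_recipients(tags: dict) -> list:
    """mailto: addresses from rua= (aggregate) and ruf= (failure); '!size' suffix dropped."""
    addrs = []
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if uri.lower().startswith("mailto:"):
                addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs

def check_record(txt: str, phase: str) -> list:
    """Findings (empty = compliant) for phase 'initial' or 'final' (p=reject required)."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return [f"invalid record: {exc}"]
    findings = []
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append(f"missing or invalid p= tag: {policy!r}")
    if not report_recipients(tags):
        findings.append("no aggregate (rua=) or failure (ruf=) report recipient")
    if phase == "final" and policy != "reject":
        findings.append(f"policy is p={policy}, directive end state is p=reject")
    return findings

SAMPLES = {  # constructed examples; example.gov is a placeholder domain
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov",
    "enforce": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.gov,mailto:reports@example.gov!10m",
    "no_reports": "v=DMARC1; p=quarantine",
}
```

Adding the NCCIC mailbox as a second mailto: in rua= is the only change the October milestone needs beyond moving p= to reject.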
Agencies Must Enhance Web Security with HTTPS
The DHS directive also pushes agencies to enhance the security of their public websites.
Hypertext Transfer Protocol (HTTP) connections can be easily monitored, modified and impersonated, DHS notes, and switching to HTTPS remedies each vulnerability. Additionally, HTTP Strict Transport Security (HSTS) ensures that browsers always use an https:// connection, and removes the ability for users to click through certificate-related warnings.
In 2015, a directive from the Office of Management and Budget required all existing federal websites and web services to be accessible through a secure connection (HTTPS-only, with HSTS). In 2017, the .gov registry began automatically preloading new federal .gov domains as HSTS-only in modern browsers.
However, DHS states that agencies must make more progress on deploying HTTPS and HSTS by removing support for known weak cryptographic protocols and ciphers.
“According to DHS’s Cyber Hygiene scanning data, seven of the 10 most common vulnerabilities seen across federal agency networks at the issuance of this directive would be addressed through complying with the required actions in this directive related to web security,” the directive notes.
By the middle of February, agencies must switch all publicly accessible federal websites to HTTPS and HSTS-secured connections, and must ensure that 3DES and RC4 ciphers, and SSLv2 and SSLv3, are disabled on web servers. By the same deadline, agencies must provide DHS with a list of agency second-level domains that can be HSTS-preloaded, for which HTTPS will be enforced for all subdomains.
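A check of the Strict-Transport-Security response header against the HSTS requirement and the preload step above, as an added example that is not DHS tooling. The preload thresholds assumed here are the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload); the SAMPLES headers are constructed.

```python
"""Check a response's Strict-Transport-Security header for the directive's
HSTS requirement and for preload eligibility (all subdomains HTTPS-only).
Added example, not DHS tooling.  The preload thresholds assumed here are the
hstspreload.org submission requirements (max-age of at least one year,
includeSubDomains, preload); the headers in SAMPLES are constructed."""
ONE_YEAR = 31536000  # seconds

def parse_hsts(header: str) -> dict:
    """RFC 6797 directives: ';'-separated name[=value], names case-insensitive."""
    directives = {}
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def check_hsts(headers: dict, want_preload: bool) -> list:
    """Findings (empty = acceptable) for a dict of response headers."""
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["no Strict-Transport-Security header: browsers may still follow http:// links"]
    d = parse_hsts(hsts)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        return ["max-age missing or not an integer: browsers ignore the header"]
    findings = []
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    if want_preload:
        if max_age < ONE_YEAR:
            findings.append(f"max-age={max_age} is below the one-year preload minimum")
        if "includesubdomains" not in d:
            findings.append("includeSubDomains missing: subdomains not forced to HTTPS")
        if "preload" not in d:
            findings.append("preload directive missing: domain cannot be submitted")
    return findings

SAMPLES = {  # constructed response headers
    "preloadable": {"Strict-Transport-Security":
                    "max-age=31536000; includeSubDomains; preload"},
    "short": {"strict-transport-security": "max-age=86400"},
    "plain_http": {"Content-Type": "text/html"},
}
```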