Agencies Get Access to New Mobile Phishing Protections

Phishing is not going away for federal agencies. Now, they have another tool to fight back against the attacks.

Earlier this year, William Evanina, director of the National Counterintelligence and Security Center within the Office of the Director of National Intelligence, noted that about 90 percent of the data exfiltrations that have hit the federal government and private sector in the last eight or nine years were the result of spear-phishing campaigns that targeted unsuspecting employees.

This month, the Department of Homeland Security announced that security firm Lookout added new anti-phishing and content protection capabilities to its Mobile Endpoint Security platform, which received funding from DHS’s Science and Technology Directorate. The enhanced platform is now available for iOS and Android operating systems.

“Most enterprise mobility management solutions require mobile endpoint security technology to continuously validate security and protect their mobile devices and applications,” S&T Mobile Security Research and Development Program Manager Vincent Sritapan says in a statement.

“These advancements in mobile threat defense will protect sensitive data, such as personally identifiable information, on mobile devices and enterprise networks and greatly increase the security of the federal government’s mobile systems for mission-critical activities,” he adds.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

Why Phishing Protections Matter for Feds 

Protecting against phishing attacks, in which malicious actors attempt to gain access to a user’s credentials (and then to systems and networks) through social engineering, is still critical for the government.

In October 2017, DHS mandated that federal agencies use the Domain-Based Message Authentication, Reporting and Conformance protocol.

DMARC enables email servers to determine whether an email is actually from the sender, then delete forged emails or mark them as spam. Without it, anyone can send emails with a forged sender address and recipients would be unaware of the forgery.

Some DMARC requirements were due for adoption in January while others have an October deadline. But recent reports indicate that many agencies are not yet using the protocol or don’t have it configured correctly.

The updated platform from Lookout is one more arrow in agencies’ quivers to fight phishing. DHS notes that the rapid growth of mobile device and app use and the constantly expanding mobile ecosystem mean that agencies must continuously validate mobile security and enhance their threat protection. “Vulnerabilities discovered in new devices and apps may be used by hackers as vectors to access sensitive government information and attack legacy enterprise network systems,” the agency says in the statement.

The new capabilities are designed to block mobile phishing attacks that aim to steal user credentials or deliver malware.

“Beyond simply detecting phishing attempts in SMS messages, the system also detects and prevents attacks that hide inside mobile apps, social media messages, and in personal and corporate email,” DHS says.

The updated Lookout platform inspects all outbound connections at the network level when a user attempts to connect. However, DHS notes, the platform does not inspect message content, and thus maintains user privacy.

The system sends real-time alerts to users when it detects a harmful connection, which protects users (and networks) from malicious apps, websites with known vulnerabilities and other risky content, DHS says.

“Phishing protection for mobile never existed before. It’s really important to bring those capabilities to bear,” Sritapan tells FedScoop. “So we provide licenses — this includes the use of the software and also the labor support to train their people — that’s all a part of the engagement.”