Oct 02 2019

Phishing Still Catches Federal Employees Unaware

Continuous training and awareness is the key to protecting high-value agency assets.

Last year, the Defense Information Systems Agency reported that the Defense Department had fended off 36 million malicious emails containing phishing ploys, malware, viruses or all three. And that’s just one federal agency.

The bogus emails that con or coerce users into disclosing key personal data are a major weapon in successful cyberattacks. Nearly 90 percent of successful data exfiltrations and breaches in the federal government over the past few years were the result of phishing attacks, according to William Evanina, director of the National Counterintelligence and Security Center.

While education has helped slow the rate of successful phishing attempts, there are still gaps where the misleading messages can get through. One thing to think about during National Cybersecurity Awareness Month, which kicked off Oct. 1: About 18 percent of those who clicked on test phishing links in 2018 were on mobile devices, according to Verizon’s “2019 Data Breach Investigations Report,” which says that mobile users can be more susceptible to phishing.

The pace of federal work can also feed the phenomenon. “People are constantly filling out forms, constantly replying to messages. Everyone is in a hurry to get things done; it’s a constant barrage. That is when people will click automatically,” says Alex Grohmann, a director on the Information Systems Security Association’s international board.

Most Federal Agencies Are DMARC Compliant

While the federal government often trails the private sector in IT implementations, the realm of anti-phishing has proven an exception. After the Department of Homeland Security issued a Binding Operational Directive in 2017 that required agencies to strengthen email security, many federal agencies have adopted DMARC, or Domain-Based Message Authentication, Reporting and Conformance. 

An email authentication protocol, DMARC protects an email domain from spoofing. It allows a recipient server to automatically authenticate an incoming email, and to quarantine or reject those messages that cannot be validated. 

DHS’ Cybersecurity and Infrastructure Security Agency says that the number of federal domains using the strongest DMARC policy has increased to about 95 percent, providing a significant safeguard

DMARC acts as a contract between the sender and the receiver of an email. The sender effectively says, “This is what I allow to be done in my name.” The receiver says, “I will do what you tell me to do with this email, or if you don’t tell me what to do, I will decide for myself.” 

Despite the aggressive implementation of DMARC, federal agencies still can be targeted by a well-orchestrated phishing scheme. With a combination of technical tools and sophisticated training, however, it is possible to significantly limit the chances of a successful attack.

MORE FROM FEDTECH: Find out how the NIST Risk Management Framework helps boost agencies’ cybersecurity. 

Follow These Steps to Help Prevent Phishing Attacks

Step one: Layer your defenses. Federal agencies that already use DMARC can take defense to the next level by validating a sender’s identity. At a base level, DMARC takes care of one kind of impersonation — for instance, where the sender deliberately misspells the agency name by one letter. Agencies can then layer on other types of sender identity-based solutions to authenticate and validate the sender of an email. This can clear up to 90 percent of suspect emails. Traditional filtering tools then add a further layer of defense. 

Next, make it personal. “For the end user, there is no perceived consequence to getting this wrong,” says Grohmann. “This is not just about the company or the institution being at risk: These practices protect them as individuals. This is something that could happen to them personally. They can be compromised at home, and there’s no IT department to ride in and save you.”

Set effective limits. Email filtering tools can help prevent phishing, for example by rejecting messages that contain suspicious links. But there’s a downside. 

“You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive,” Grohmann says. “So you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort, but it may be necessary in order to set effective limits that don’t interrupt your operations.”

MORE FROM FEDTECH: See where the DHS CDM program is headed next.

Employees Respond Best to Realistic Anti-Phishing Training

Despite all preventive measures, there’s a good chance some phishing act will succeed, so assume the worst. With this in mind, it makes sense to organize systems around damage control, with role-based controls and network architecture all geared toward limiting an intruder’s access. 

“Machines should be isolated in their own networks. People should have the least amount of access needed to do their jobs,” says Shane Chagpar, a senior consultant with IT consultancy Kepner-Tregoe. “The person in marketing shouldn’t be able to view and edit reports from the financial side. Or they should only be able to view certain reports. You have to be granular in how you grant access.”

Phishing schemes take advantage of a psychological approach: The scammers know that people who are stressed, hurried or under pressure are more likely to respond to an urgent-sounding message. One key way to stop the clicks is to build a friendlier, less harried workplace. 

“Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with the Information Security Forum. “So, if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”

Anti-phishing awareness doesn’t come from a PowerPoint deck. It comes from hands-on, realistic exercises

“You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: ‘Click here to see pictures of your spouse with someone else,’” says Bruce Beam, CIO of (ISC)2, a nonprofit membership association of certified cybersecurity professionals. “If people are going to learn, the training has to be realistic. It has to be convincing.”

erhui1979/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT