Most Federal Agencies Are DMARC Compliant
While the federal government often trails the private sector in IT implementations, the realm of anti-phishing has proven an exception. After the Department of Homeland Security issued a Binding Operational Directive in 2017 that required agencies to strengthen email security, many federal agencies have adopted DMARC, or Domain-Based Message Authentication, Reporting and Conformance.
An email authentication protocol, DMARC protects an email domain from spoofing. It allows a recipient server to automatically authenticate an incoming email, and to quarantine or reject those messages that cannot be validated.
DHS’ Cybersecurity and Infrastructure Security Agency says that the number of federal domains using the strongest DMARC policy has increased to about 95 percent, providing a significant safeguard.
DMARC acts as a contract between the sender and the receiver of an email. The sender effectively says, “This is what I allow to be done in my name.” The receiver says, “I will do what you tell me to do with this email, or if you don’t tell me what to do, I will decide for myself.”
Despite the aggressive implementation of DMARC, federal agencies still can be targeted by a well-orchestrated phishing scheme. With a combination of technical tools and sophisticated training, however, it is possible to significantly limit the chances of a successful attack.
Follow These Steps to Help Prevent Phishing Attacks
Step one: Layer your defenses. Federal agencies that already use DMARC can take defense to the next level by validating a sender’s identity. At a base level, DMARC takes care of one kind of impersonation — for instance, where the sender deliberately misspells the agency name by one letter. Agencies can then layer on other types of sender identity-based solutions to authenticate and validate the sender of an email. This can clear up to 90 percent of suspect emails. Traditional filtering tools then add a further layer of defense.
Next, make it personal. “For the end user, there is no perceived consequence to getting this wrong,” says Grohmann. “This is not just about the company or the institution being at risk: These practices protect them as individuals. This is something that could happen to them personally. They can be compromised at home, and there’s no IT department to ride in and save you.”
Set effective limits. Email filtering tools can help prevent phishing, for example by rejecting messages that contain suspicious links. But there’s a downside.
“You can only ratchet up those tools to a certain level before you start to impact business operations, before you start blocking legitimate emails that maybe are time sensitive,” Grohmann says. “So you have to do an ongoing balancing act. If you are doing business with a particular vendor or partner, for instance, you can have the IT department set up a secure mailbox so those messages get through. It takes time and effort, but it may be necessary in order to set effective limits that don’t interrupt your operations.”
Employees Respond Best to Realistic Anti-Phishing Training
Despite all preventive measures, there’s a good chance some phishing act will succeed, so assume the worst. With this in mind, it makes sense to organize systems around damage control, with role-based controls and network architecture all geared toward limiting an intruder’s access.
“Machines should be isolated in their own networks. People should have the least amount of access needed to do their jobs,” says Shane Chagpar, a senior consultant with IT consultancy Kepner-Tregoe. “The person in marketing shouldn’t be able to view and edit reports from the financial side. Or they should only be able to view certain reports. You have to be granular in how you grant access.”
Phishing schemes take advantage of a psychological approach: The scammers know that people who are stressed, hurried or under pressure are more likely to respond to an urgent-sounding message. One key way to stop the clicks is to build a friendlier, less harried workplace.
“Pressure and stresses lead to people clicking on emails,” says Daniel Norman, a research analyst with the Information Security Forum. “So, if you can reduce the stress and reduce the pressure, if you can create a more positive work environment, that is actually going to reduce the likelihood of people clicking on phishing emails.”
Anti-phishing awareness doesn’t come from a PowerPoint deck. It comes from hands-on, realistic exercises.
“You might have a Bed Bath & Beyond coupon that looks very real. Or you put things in the email that make people mad: ‘Click here to see pictures of your spouse with someone else,’” says Bruce Beam, CIO of (ISC)2, a nonprofit membership association of certified cybersecurity professionals. “If people are going to learn, the training has to be realistic. It has to be convincing.”