Audit: DHS Employees Not Fooled by Phishing Scams

First, the good news: Recent “social engineering” tests undertaken by an independent auditor reveal Homeland Security Department employees are getting savvier about basic cybersecurity.  

But the bad news: Some employees are still leaving sensitive paper documents strewn about their cubicles.

Those findings are included in a May 6 report on DHS security practices by the agency’s inspector general. The report was publicly released this week.

The DHS IG contracted with independent auditing firm KPMG to conduct the recent security reviews, which included social engineering tests and after-hours tours of DHS facilities to review the physical security of sensitive information.

The goal was to identify instances where DHS employees violated agency policy for safeguarding sensitive material, the IG said in a summary of the audit.

Social engineering, also known as phishing, describes a method of intrusion in which hackers -- often posing as friends, acquaintances or employers -- trick unsuspecting targets into divulging sensitive information, such as computer passwords or other log-ins, over the phone or through email.  

As part of the test, auditors, posing as agency technical support, made phone calls to DHS employees and asked them to provide login credentials. Auditors attempted to call a total of 28 employees and contractors and successfully reached eight -- none of whom actually turned over their passwords.

However, DHS employees were apparently less cognizant of more low-tech vulnerabilities.

When auditors inspected cubicles and offices as part of an after-hours “walkthrough,” they discovered six workspaces where sensitive material had been left unsecured, in violation of DHS policy. That included some information marked FOUO, or “For Official Use Only,” which is the designation DHS uses to denote information that is unclassified but still sensitive.

DHS isn’t the only agency reporting a drop in employees falling victim to phishing attempts.

Last week, the cybersecurity adviser for the Office of Personnel Management said the once-hacked agency had hardened its cybersecurity defenses so much that DHS penetration testers were having a hard time gaining access in order to launch phishing tests against OPM employees. And when the tests did finally go out, fewer employees were taken in by the bogus emails, said Clifton Triplett, a result he attributed to a greater “cultural awareness of cybersecurity.”