DHS Wants to Make Sure Agencies Block Suspicious Emails

Don’t click on that suspicious-looking email. That’s what the Department of Homeland Security (and the FBI) would undoubtedly advise. Now DHS is assessing how good of a job agencies are doing about protecting federal employees from malicious emails, and in particular, how much they are adopting an industry standard meant to protect users from such messages.

Christopher Krebs, DHS’s assistant secretary for infrastructure protection, told Sen. Ron Wyden last month in a letter that the agency “is actively assessing the state of email security and authentication technologies … across the federal government,” to include Domain-based Message Authentication, Reporting and Conformance (DMARC), CyberScoop reports.

The goal is to get more agencies to adopt DMARC and other cyberhygiene best practices and tools. DMARC can help agencies protect themselves from phishing attacks, which remain prevalent.

As Norton (a Symantec brand) notes in a guide on the practice, phishing scams are “a kind of identity theft which is growing in popularity amongst hackers. By using fraudulent websites and false emails, perpetrators attempt to steal your personal data — most commonly passwords and credit card information.” Typically, the email will appear to be from a legitimate sender but will have an embedded link that will launch malware if a user clicks on it.

Adopt Industry Standards to Prevent Phishing

DMARC, an industry standard, is an email authentication, policy and reporting protocol that’s designed to prevent the spoofing of emails — when malicious actors make it appear like the email is coming from someone else — which is the foundation of phishing. An initiative of the Trusted Domain Project, DMARC was finalized in 2015 by contributors including Google, Yahoo, Mail.ru, JPMorganChase and Symantec, CyberScoop notes.

DMARC “builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (‘From:’) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email,” says DMARC.org.

The DMARC site notes that if senders used the Domain Keys Identified Mail and Sender Policy Framework protocols, then email receivers should “easily be able to differentiate the fraudulent messages from the ones that properly authenticated to the domain.” However for a variety of technical reasons, that’s not the case, and many fraudulent and deceptive messages still make it into users’ inboxes.

DMARC is designed to minimize false positives, provide robust authentication reporting, assertsender policy at receivers, reduce the successful delivery of phishing messages, work on large scales and minimize complexity.

Krebs told Wyden that DHS’s centralized cybersecurity monitoring hub, the National Cybersecurity and Communications Integration Center (NCCIC), “will soon be scanning federal agencies as part of its cyber hygiene service to incentivize the adoption of these technologies.”

According to CyberScoop, Krebs noted that NCCIC already recommends the use of email authentication techniques like DMARC. “As we gain a better understanding of existing practices across the federal … government, DHS will consider additional options for promoting its implementation,” he said.

Pushing for Enhanced Email Security

Krebs’s message comes after Wyden sent a letter in July to acting DHS Deputy Undersecretary of Cybersecurity Jeanette Manfra urging the government to adopt DMARC.

The Global Cyber Alliance (GCA), a partnership of European and American law enforcement and research organizations, said DMARC “has been proven effective, and deployment can reasonably be done by organizations of all sizes, making it an invaluable resource for hospitals who need to protect their patients’ digital health,” according to FedScoop.

As of Aug. 1, only 10 percent of federal email domains had some form of DMARC, according to the GCA, and most of those sites did not have it switched on yet, CyberScoop notes.

Wyden called in July for DHS to include DMARC scanning as part of the cyberhygiene initiative and to work with the General Services Administration to develop a central platform designed to automatically collect DMARC reports from agencies, according to ExecutiveGov.

In his response to Wyden, Krebs said that DHS “is also working to establish a central collection point for DMARC reports” that will give officials “better situational awareness into phishing campaigns and the abuse of government [email] domains.” Since DMARC reports are open source, “NCCIC welcomes all parties to contribute to the effort,” Krebs said.

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.