Smart policies protect agencies

Good training teaches employees to spot, and not take, the bait from phishing scammers.

As phishing and spear phishing grow in popularity with online attackers, government organizations are finding that the right set of policies and training might be the best shield against them.Phishing e-mail messages try to trick readers into revealing personal information and passwords or clicking on links that can infect their computers with malicious programs. Spear phishing ups the ante by tailoring the e-mail message with information that seems specific to the recipient, such as making it appear to be about an internal agency conference or sent from a co-worker.The ability to mirror valid information makes spear-phishing e-mails difficult to identify, said Linda Wilbanks, chief information officer at the National Nuclear Security Administration.A report released in February by the Computer Emergency Readiness Team — an arm of the Homeland Security Department — said that in one effort, phishers sent bogus e-mails claiming to be from the Justice Department. Also, the Internal Revenue Service warned of increased spear-phishing efforts heading into tax season.Phishers are targeting the government aggressively. For example, in October and November 2007, attackers sent thousands of phishing e-mails to the Energy Department’s network of national laboratories. The attackers blasted e-mails to as many individuals in the lab system as they could  to trick at least a few. The messages referred to an internal agency event and appeared to be valid, Wilbanks said. But a link in the message pointed to a Trojan horse, a malicious program that would immediately start sending data to the attackers if clicked.Most labs shrugged off the attacks, but two lost some data. Attackers breached a database containing personally identifiable information on visitors to Oak Ridge National Laboratory, in Tennessee. Los Alamos National Laboratory, in New Mexico, suffered intrusions into an unclassified network, but officials declined to elaborate on the amount or kind of information exposed. Fewer than 10 employees opened the e-mail, but that triggered the data transmission, Wilbanks said.Standard security controls quickly mitigated the damage through automated intrusion-detection software, she said. But information technology controls can only lessen the damage from phishing attacks. Stopping them completely is possible only when users are trained to recognize and avoid fraudulent e-mails, Wilbanks said.  Scott Studham, Los Alamos’ CIO, said his office undertook an aggressive campaign to inform lab employees on the problem. When employees are trained, they become noticeably better at protecting themselves, he said. Some IT security officials have started phishing their own employees as a training exercise. William Pelgrin, head of New York state’s Cyber Security and Critical Infrastructure Protection division, recently tried that approach. With AT&T’s help, he created an e-mail that asked employees to change their network log-in passwords. He tracked whether people clicked on the e-mail link and how many clicked on the box on the Web site. The approximately 15 percent of state employees who fell for the ruse got an e-mail admonishment. Pelgrin had sent an e-mail alert that warned about phishing attacks about two weeks before the exercise. However, employees had no warning that their boss was going to try to trick them. The Army Computer Emergency Response Team sent a similar e-mail in March to 10,000 soldiers, civilians and family members of military personnel that offered free tickets to area theme parks. More than 3,000 people took the bait.Pelgrin said that the nature of phishing attacks requires e-mail users to be proactive about defending themselves and learn not to click on links in e-mails without being certain they are valid.“The No. 1 rule of defending against phishing? Start questioning what’s there,” Pelgrin said.