Smart policies protect agencies

As phishing and spear phishing grow in popularity with online attackers, government organizations are finding that the right set of policies and training might be the best shield against them.

Phishing e-mail messages try to trick readers into revealing personal information and passwords or clicking on links that can infect their computers with malicious programs. Spear phishing ups the ante by tailoring the e-mail message with information that seems specific to the recipient, such as making it appear to be about an internal agency conference or sent from a co-worker.

The ability to mirror valid information makes spear-phishing e-mails difficult to identify, said Linda Wilbanks, chief information officer at the National Nuclear Security Administration.

A report released in February by the Computer Emergency Readiness Team — an arm of the Homeland Security Department — said that in one effort, phishers sent bogus e-mails claiming to be from the Justice Department. Also, the Internal Revenue Service warned of increased spear-phishing efforts heading into tax season.

Phishers are targeting the government aggressively. For example, in October and November 2007, attackers sent thousands of phishing e-mails to the Energy Department’s network of national laboratories. The attackers blasted e-mails to as many individuals in the lab system as they could to trick at least a few.

The messages referred to an internal agency event and appeared to be valid, Wilbanks said. But a link in the message pointed to a Trojan horse, a malicious program that would immediately start sending data to the attackers if clicked.

Most labs shrugged off the attacks, but two lost some data. Attackers breached a database containing personally identifiable information on visitors to Oak Ridge National Laboratory, in Tennessee. Los Alamos National Laboratory, in New Mexico, suffered intrusions into an unclassified network, but officials declined to elaborate on the amount or kind of information exposed.

Fewer than 10 employees opened the e-mail, but that triggered the data transmission, Wilbanks said.

Standard security controls quickly mitigated the damage through automated intrusion-detection software, she said. But information technology controls can only lessen the damage from phishing attacks. Stopping them completely is possible only when users are trained to recognize and avoid fraudulent e-mails, Wilbanks said.

Scott Studham, Los Alamos’ CIO, said his office undertook an aggressive campaign to inform lab employees on the problem. When employees are trained, they become noticeably better at protecting themselves, he said.

Some IT security officials have started phishing their own employees as a training exercise. William Pelgrin, head of New York state’s Cyber Security and Critical Infrastructure Protection division, recently tried that approach.

With AT&T’s help, he created an e-mail that asked employees to change their network log-in passwords. He tracked whether people clicked on the e-mail link and how many clicked on the box on the Web site. The approximately 15 percent of state employees who fell for the ruse got an e-mail admonishment.

Pelgrin had sent an e-mail alert that warned about phishing attacks about two weeks before the exercise. However, employees had no warning that their boss was going to try to trick them.

The Army Computer Emergency Response Team sent a similar e-mail in March to 10,000 soldiers, civilians and family members of military personnel that offered free tickets to area theme parks. More than 3,000 people took the bait.

Pelgrin said that the nature of phishing attacks requires e-mail users to be proactive about defending themselves and learn not to click on links in e-mails without being certain they are valid.

“The No. 1 rule of defending against phishing? Start questioning what’s there,” Pelgrin said.
