Smart policies protect agencies

As phishing and spear phishing grow in popularity with online attackers, government organizations are finding that the right set of policies and training might be the best shield against them.

Phishing e-mail messages try to trick readers into revealing personal information and passwords or clicking on links that can infect their computers with malicious programs. Spear phishing ups the ante by tailoring the e-mail message with information that seems specific to the recipient, such as making it appear to be about an internal agency conference or sent from a co-worker.

The ability to mirror valid information makes spear-phishing e-mails difficult to identify, said Linda Wilbanks, chief information officer at the National Nuclear Security Administration.

A report released in February by the Computer Emergency Readiness Team — an arm of the Homeland Security Department — said that in one effort, phishers sent bogus e-mails claiming to be from the Justice Department. Also, the Internal Revenue Service warned of increased spear-phishing efforts heading into tax season.

Phishers are targeting the government aggressively. For example, in October and November 2007, attackers sent thousands of phishing e-mails to the Energy Department’s network of national laboratories. The attackers blasted e-mails to as many individuals in the lab system as they could to trick at least a few.

The messages referred to an internal agency event and appeared to be valid, Wilbanks said. But a link in the message pointed to a Trojan horse, a malicious program that would immediately start sending data to the attackers if clicked.

Most labs shrugged off the attacks, but two lost some data. Attackers breached a database containing personally identifiable information on visitors to Oak Ridge National Laboratory, in Tennessee. Los Alamos National Laboratory, in New Mexico, suffered intrusions into an unclassified network, but officials declined to elaborate on the amount or kind of information exposed.

Fewer than 10 employees opened the e-mail, but that triggered the data transmission, Wilbanks said.

Standard security controls quickly mitigated the damage through automated intrusion-detection software, she said. But information technology controls can only lessen the damage from phishing attacks. Stopping them completely is possible only when users are trained to recognize and avoid fraudulent e-mails, Wilbanks said.

Scott Studham, Los Alamos’ CIO, said his office undertook an aggressive campaign to inform lab employees on the problem. When employees are trained, they become noticeably better at protecting themselves, he said.

Some IT security officials have started phishing their own employees as a training exercise. William Pelgrin, head of New York state’s Cyber Security and Critical Infrastructure Protection division, recently tried that approach.

With AT&T’s help, he created an e-mail that asked employees to change their network log-in passwords. He tracked whether people clicked on the e-mail link and how many clicked on the box on the Web site. The approximately 15 percent of state employees who fell for the ruse got an e-mail admonishment.

Pelgrin had sent an e-mail alert that warned about phishing attacks about two weeks before the exercise. However, employees had no warning that their boss was going to try to trick them.

The Army Computer Emergency Response Team sent a similar e-mail in March to 10,000 soldiers, civilians and family members of military personnel that offered free tickets to area theme parks. More than 3,000 people took the bait.
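The exercises above come down to one measurement: of everyone who received the test message, who opened the landing page and who went on to press the button. The script below is an added example, not code from the article or from any of the agencies named in it. It assumes a hypothetical exercise log in the form `timestamp user event`, with the events `LINK_CLICK` (landing page opened) and `SUBMIT` (button pressed), and scores a constructed sample of that log, counting each person once no matter how many times they clicked and treating a SUBMIT with no recorded click as a click as well, since the page could not have been submitted otherwise.

```python
"""Score a phishing-awareness exercise from its click/submit log.

Added example, not from the article. The log format, event names and the
sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <user> <event>". Twenty staff were
# assumed to have received the test message; these are the recorded events.
SAMPLE_LOG = """\
2008-04-01T09:02:11 alice LINK_CLICK
2008-04-01T09:02:40 alice SUBMIT
2008-04-01T09:05:03 bob LINK_CLICK
2008-04-01T09:07:19 carol LINK_CLICK
2008-04-01T09:07:45 carol SUBMIT
2008-04-01T09:07:46 carol SUBMIT
2008-04-01T10:15:00 dave LINK_CLICK
2008-04-01T11:40:02 erin SUBMIT
"""


@dataclass
class ExerciseResult:
    """Per-person outcome of one exercise; sets dedupe repeated events."""
    recipients: int
    clicked: set = field(default_factory=set)
    submitted: set = field(default_factory=set)

    @property
    def click_rate(self) -> float:
        return len(self.clicked) / self.recipients

    @property
    def submit_rate(self) -> float:
        return len(self.submitted) / self.recipients


def parse_log(text: str) -> dict:
    """Map each user to the set of event names recorded for them."""
    events = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed log line: {line!r}")
        _timestamp, user, event = parts
        events[user].add(event)
    return events


def score_exercise(log_text: str, recipients: int) -> ExerciseResult:
    """Count who reached the landing page and who pressed the button."""
    result = ExerciseResult(recipients=recipients)
    for user, user_events in parse_log(log_text).items():
        # A SUBMIT without a logged LINK_CLICK still means the page was opened.
        if "LINK_CLICK" in user_events or "SUBMIT" in user_events:
            result.clicked.add(user)
        if "SUBMIT" in user_events:
            result.submitted.add(user)
    return result


def reminder_list(result: ExerciseResult) -> list:
    """People who fell for the ruse and should get the follow-up e-mail."""
    return sorted(result.submitted)


if __name__ == "__main__":
    outcome = score_exercise(SAMPLE_LOG, recipients=20)
    print(f"clicked link:      {outcome.click_rate:.0%}")
    print(f"pressed the button: {outcome.submit_rate:.0%}")
    print("send reminder to:", ", ".join(reminder_list(outcome)))
```

Reporting the click rate and the submit rate separately matters: someone who opened the page but stopped at the button behaved differently from someone who pressed it, and the two groups warrant different follow-up.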

Pelgrin said that the nature of phishing attacks requires e-mail users to be proactive about defending themselves and learn not to click on links in e-mails without being certain they are valid.

“The No. 1 rule of defending against phishing? Start questioning what’s there,” Pelgrin said.
