Cybersecurity

1 in 3 FHFA employees failed phishing test


An audit at the Federal Housing Finance Agency found that more than a third of the employees subjected to a mock phishing attack failed to follow the proper response protocols, and it identified a number of other vulnerabilities at the agency's network perimeter.

FHFA oversees Fannie Mae and Freddie Mac and the Federal Home Loan Bank System. The agency had 753 employees in 2018 according to the Office of Personnel Management.

Auditors ran a mock phishing attack against 50 employees as part of an annual Federal Information Systems Management Act audit and found that 17, or 34 percent, failed the test.

The report is substantially redacted, and it's not clear how many employees may have actually clicked on a malicious link or failed to follow other internal protocols. According to the audit, just three of the 50 employees tested reported the suspicious emails to their superiors.

The audit also scanned 376 of the agency's internet-facing IP addresses and found a number that were relying on outdated encryption protocols. This was mostly due to the use of outdated equipment, with FHFA managers telling auditors that the machines associated with the flagged addresses could not support more advanced versions of the software needed to run higher-grade encryption. However, auditors were unable to leverage these vulnerabilities to gain access to FHFA networks and systems.

Auditors made three recommendations: replace any outdated machines incapable of running the latest encryption protocols, continue conducting regular phishing tests on employees and emphasize best email security practices.

CIO Kevin Winkler said the agency plans to replace the older machines this year and laid out a number of additional actions to further test email security practices.

"FHFA will evaluate its latest phishing email test results by June 30, 2019 to determine if its end user phishing email training needs to be enhanced," said Winkler. The agency will also add a warning banner on external email by the end of March.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.

