Cybersecurity

1 in 3 FHFA employees failed phishing test


An audit at the Federal Housing Finance Agency found that more than one third of the employees subjected to a mock phishing attack failed to follow the proper response protocols, and identified a number of other vulnerabilities at the agency's network perimeter.

FHFA oversees Fannie Mae and Freddie Mac and the Federal Home Loan Bank System. The agency had 753 employees in 2018 according to the Office of Personnel Management.

Auditors ran a mock phishing attack against 50 employees as part of the annual Federal Information Security Management Act (FISMA) audit and found that 17 -- or 34 percent -- failed the test.

The report is substantially redacted, and it's not clear how many employees may have actually clicked on a malicious link or failed to follow other internal protocols. According to the audit, just three of the 50 employees tested reported the suspicious emails to their superiors.

The audit also scanned 376 of the agency's internet-facing IP addresses and found a number of them still accepting outdated encryption protocol versions. This was mostly due to aging equipment: FHFA managers told auditors that the machines behind the flagged addresses could not run the newer software versions required to support current encryption protocols. However, auditors were unable to exploit these weaknesses to gain access to FHFA networks and systems.

Auditors made three recommendations: replace any outdated machines incapable of running the latest encryption protocols, continue conducting regular phishing tests on employees and emphasize best email security practices.

CIO Kevin Winkler said the agency plans to replace the older machines this year and laid out a number of additional actions to further test email security practices.

"FHFA will evaluate its latest phishing email test results by June 30, 2019 to determine if its end user phishing email training needs to be enhanced," said Winkler. The agency will also add a warning banner on external email by the end of March.
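The external-mail warning banner mentioned above is normally implemented as a rule at the mail gateway. The Python below is added here as an example of the logic such a rule applies; it is not FHFA's or FCW's code. It classifies a message by the domain of the real From: address rather than the display name, uses a suffix match so lookalike domains are not mistaken for internal ones, tags the subject, and prepends a banner to the text body. The internal domain list, the marker header name and the sample message are assumptions constructed for illustration.

```python
"""Mark mail from outside the organization with a warning banner.

Added example, not FHFA's or FCW's code. The internal domain list,
banner text, subject tag and header name are assumptions for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"fhfa.gov"}       # assumption: domains treated as "inside"
BANNER_HEADER = "X-External-Sender"   # assumption: marker header, also makes the rule idempotent
SUBJECT_TAG = "[EXTERNAL]"
BANNER = ("CAUTION: This message came from outside the organization.\n"
          "Do not click links or open attachments unless you recognize the sender.")


def sender_domain(msg):
    """Domain of the address in From:, ignoring the display name.

    The display name is what users see, so "Kevin Winkler <mallory@example.net>"
    must be classified by mallory@example.net, not by the name in front of it.
    """
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""  # no usable address: treated as external
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_internal(domain, internal=INTERNAL_DOMAINS):
    """True for an internal domain or one of its subdomains.

    The test is 'equal, or ends with .<domain>', not a substring match, so
    mail.fhfa.gov is internal while fhfa.gov.example.net and fhfa-gov.net
    (lookalikes) are external.
    """
    return any(domain == d or domain.endswith("." + d) for d in internal)


def add_banner(raw):
    """Parse a raw RFC 5322 message; tag it and prepend the banner if external."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_internal(sender_domain(msg)) or msg.get(BANNER_HEADER) is not None:
        return msg  # internal, or already tagged on an earlier hop
    msg[BANNER_HEADER] = "yes"
    subject = str(msg.get("Subject", ""))
    if not subject.startswith(SUBJECT_TAG):
        del msg["Subject"]
        msg["Subject"] = f"{SUBJECT_TAG} {subject}".strip()
    # Prepend the banner to every inline text/plain part. An HTML part would
    # need a separately rendered banner, which this example omits.
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            part.set_content(BANNER + "\n\n" + part.get_content())
    return msg


# Constructed sample: spoofed display name, real sender outside the organization.
SAMPLE_SPOOFED = (
    b"From: Kevin Winkler <mallory@example.net>\n"
    b"To: staff@fhfa.gov\n"
    b"Subject: Urgent password reset\n"
    b"\n"
    b"Please sign in at the link below to keep your account active.\n"
)

if __name__ == "__main__":
    print(add_banner(SAMPLE_SPOOFED).as_string())
```

A rule keyed on the display name alone would let "Kevin Winkler <mallory@example.net>" through untagged, which is exactly the impersonation a phishing test relies on. Tagging on the address domain is the minimum; production gateways usually also key on SPF, DKIM and DMARC results, which this example does not model.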

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at djohnson@fcw.com, or follow him on Twitter @derekdoestech.
