The Federal government is making steady progress in adopting a key anti-phishing email security protocol, deploying it faster than organizations in other sectors, if a little behind a Department of Homeland Security (DHS) deadline.
A first-quarter study by email security company ValiMail found that 68 percent of Federal agencies had complied with DHS's order to deploy the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol, which protects against spoofing and phishing by letting receiving mail servers verify that a message really was sent on behalf of the domain shown in its From: address. That rate outpaces other sectors, including tech (50 percent), banking (36 percent) and health care (26 percent), the study found, although DHS wanted agencies all on board sooner.
DHS issued a Binding Operational Directive (BOD 18-01), titled "Enhance Email and Web Security," in October 2017 that ordered agencies to deploy DMARC and other email authentication measures by Jan. 15, 2018: agencies had 90 days to publish DMARC records in at least monitoring mode, and one year to move to a reject policy. Not many hit that first deadline, but agencies have since been gaining ground quickly.
The directive ordered implementation of opportunistic Transport Layer Security (STARTTLS), which encrypts the SMTP connection between mail servers so that messages are not readable in transit, along with DMARC, which builds on two established techniques, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), by requiring that one of them pass for a domain that matches the visible From: address and by adding a published policy and reporting. One caveat a practitioner should keep in mind: because STARTTLS is opportunistic, it stops passive eavesdropping but not an active attacker who strips the STARTTLS offer from the connection and forces a plaintext session. Together these measures let a receiving server confirm which domain a message was sent on behalf of, denying attackers the spoofed sender address that many phishing campaigns rely on for their initial foothold. The Department of Defense, which does not fall under DHS's order, has said it will implement STARTTLS by this July.
SPF is a DNS record in which a domain owner lists the IP addresses or hosts allowed to send mail for that domain; a receiving server checks the connecting IP against the record for the envelope sender (SMTP MAIL FROM) domain. DKIM has the sending server sign the message with a private key, and the receiver verifies the signature with a public key published in the signing domain's DNS. The process essentially "watermarks" the email, DHS said. DMARC ties the two together: it looks up the policy published at _dmarc.<domain> for the domain in the From: header, requires that SPF or DKIM pass for a domain aligned with that From: domain (SPF alone is not enough, since an attacker's own domain can pass SPF while the From: header claims to be someone else), and, if neither check passes and aligns, directs what happens next. DMARC can be set up at one of three levels, p=none (deliver the unauthenticated message but report it to the domain owner), p=quarantine (route it to a junk mail folder), or p=reject (refuse it). DHS recommends a policy of "reject," which stops a message at the mail server before it reaches anyone's inbox, as the best protection against a spoofed email.
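The evaluation described above, as an added example that is not code from the article, DHS, or any mail server: a receiving server takes its SPF result on the envelope sender, the domain of any verified DKIM signature, and the DMARC record published for the From: domain, checks alignment, and applies the published policy. DNS is replaced by a constructed in-memory table, the domain names and sample messages are made up, and the organizational-domain logic is a deliberate simplification (real implementations consult the Public Suffix List).

```python
"""DMARC evaluation for a single message, given its SPF and DKIM results.

Added example: not code from the article, DHS or any DMARC implementation.
DNS is replaced by the constructed table below, and the organizational
domain is approximated as the last two labels (a simplification; real
code uses the Public Suffix List).
"""
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups at _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.agency.example.gov":
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@agency.example.gov",
    "_dmarc.vendor.example":
        "v=DMARC1; p=none; rua=mailto:reports@vendor.example",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(domain, from_domain, mode):
    """Identifier alignment (RFC 7489 section 3.1): strict ('s') needs an
    exact match, relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str   # domain of the RFC5322.From header the user sees
    mail_from: str     # SMTP MAIL FROM domain, which is what SPF checks
    spf_pass: bool     # SPF result for mail_from at the connecting IP
    dkim_domain: str   # d= of a DKIM signature that verified, "" if none


def dmarc_disposition(msg, dns=DNS_TXT):
    """Return (dmarc_result, action) for one message.

    dmarc_result is 'pass', 'fail' or 'none' (no policy published);
    action is 'deliver', 'quarantine' or 'reject'.
    """
    from_domain = msg.from_domain.lower()
    record = dns.get("_dmarc." + from_domain)
    used_org_record = False
    if record is None:
        # No record at the exact domain: fall back to the organizational domain.
        record = dns.get("_dmarc." + org_domain(from_domain))
        used_org_record = True
    if record is None or not record.startswith("v=DMARC1"):
        return "none", "deliver"

    tags = parse_dmarc(record)
    spf_aligned = msg.spf_pass and aligned(msg.mail_from, from_domain, tags.get("aspf", "r"))
    dkim_aligned = bool(msg.dkim_domain) and aligned(msg.dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"

    # Neither identifier both passed and aligned: apply the owner's policy.
    policy = tags.get("p", "none")
    if used_org_record and "sp" in tags:   # sp= covers subdomains
        policy = tags["sp"]
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")
    return "fail", action


# Constructed sample messages.
SAMPLES = {
    # Legitimate agency mail: SPF and DKIM both pass and align.
    "legit": Message("agency.example.gov", "agency.example.gov", True, "agency.example.gov"),
    # Spoof: the attacker's own domain passes SPF, but it is not aligned with From.
    "spoof": Message("agency.example.gov", "attacker.example", True, ""),
    # Cloud mailer not yet added to the agency's SPF/DKIM: authenticates only itself.
    "third_party": Message("agency.example.gov", "bounce.mailer.example", True, "mailer.example"),
    # Spoof of a vendor that publishes only p=none: delivered, but reported.
    "vendor_spoof": Message("vendor.example", "attacker.example", True, ""),
    # Domain with no DMARC record: nothing to enforce.
    "no_policy": Message("nodmarc.example", "attacker.example", True, ""),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:12s} -> {dmarc_disposition(msg)}")
```

The "spoof" case is the one SPF alone cannot catch: the attacker's envelope domain passes SPF, and only the alignment requirement ties the check back to the From: address the user sees. The "third_party" case shows the other side of the same rule: a legitimate cloud mailer that has not been added to the agency's SPF record or given a DKIM key for the agency domain is rejected under p=reject exactly as a spoof would be.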
DMARC can help deflect phishing emails that, for instance, appear to come from a trusted .gov address, as happened during the IRS scam that flourished during tax season. PayPal, which started using DMARC in 2013, a year after the specification was published, reported that fraud was down 70 percent during that first year, according to the DMARC.org industry group. Microsoft also confirmed that phishing of Outlook.com users dropped 50 percent from 2012 to 2013 thanks to the new protections.
Getting DMARC to full deployment will help protect agencies from phishing, which has been the starting point of the majority of cyberattacks, including many of the most high-profile and damaging hacks in recent years. But DMARC is only one part of any security strategy, and has its own limitations.
For one thing, DMARC only works when both sides do their part: the owner of the domain in the From: address has to publish a policy, and the receiving mail system has to check it. Full Federal compliance would stop spoofing of agency domains at any receiver that checks DMARC, and agency mail servers could reject spoofed mail from any domain that publishes a policy, but mail claiming to come from an outside organization that has not published DMARC cannot be authenticated the same way. Vendors, for example, would need to be on board, and they haven't been keeping pace with agencies. A study by the Global Cyber Alliance, released around the same time as ValiMail's report, looked at the top 50 government IT contractors and found that only one was using DMARC at its highest level.
No security step is perfect, and DMARC, SPF and DKIM each have their own weaknesses to one degree or another. DMARC authenticates only the exact domain in the From: header, so it does nothing against a look-alike domain the attacker registers, a display name that imitates an official, or a phishing message sent from a legitimate account that has been compromised. DMARC also is difficult to implement, according to an assessment at Dark Reading, which could contribute to slow adoption among some sectors. The hard part in practice is inventory: every cloud or third-party service that sends mail on the domain's behalf (newsletters, ticketing systems, SaaS notifications) must be listed in SPF, which caps a record at 10 DNS lookups, or be given a DKIM key for the domain, and any service that is missed fails alignment. That is why setting the policy to the highest enforcement mode before that inventory is complete runs the risk of legitimate mail from essential services being quarantined or rejected, which is what the aggregate reports sent to the rua= address are meant to catch while the policy is still p=none.
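One way to find those unconfigured senders before moving to p=reject, as an added example that is not code from the article or DHS: parse a DMARC aggregate report and separate sources that fail alignment but authenticate for some other domain (likely a legitimate third-party mailer that needs to be added to SPF or DKIM) from sources that authenticate for nothing (likely spoofing). The report below is a constructed sample in the RFC 7489 Appendix C format with made-up IPs and domains; real reports arrive as gzipped attachments from each receiving organization and, since they come from strangers, production code should parse them with defusedxml rather than the standard ElementTree used here.

```python
"""Summarize a DMARC aggregate (rua) report to find legitimate senders
that a move to p=reject would block.

Added example, not from the article or DHS.  SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C format; real reports come
from untrusted parties, so parse them with defusedxml in production.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>1</report_id>
    <date_range><begin>1525132800</begin><end>1525219200</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>agency.example.gov</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results>
      <dkim><domain>agency.example.gov</domain><result>pass</result></dkim>
      <spf><domain>agency.example.gov</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example</domain><result>pass</result></dkim>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>85</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example.gov</header_from></identifiers>
    <auth_results>
      <spf><domain>agency.example.gov</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text):
    """Return (policy_published, rows); rows maps source IP to a verdict."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: child.text for child in root.find("policy_published")}
    rows = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results used by DMARC.
        dmarc_pass = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        # auth_results holds raw results: which domain, if any, this source authenticated for.
        raw = rec.find("auth_results")
        raw_pass_domains = sorted(
            {a.findtext("domain") for a in raw if a.findtext("result") == "pass"}
        )
        if dmarc_pass:
            verdict = "aligned"
        elif raw_pass_domains:
            # Heuristic: authenticates as someone else -> probably a third-party
            # service sending for us that is not yet in our SPF/DKIM.
            verdict = "unaligned: likely third-party sender, add to SPF/DKIM"
        else:
            verdict = "unauthenticated: likely spoofing"
        rows[ip] = {"count": count, "verdict": verdict, "authenticated_as": raw_pass_domains}
    return policy, rows


def would_be_blocked(rows):
    """Message counts in the report period that p=reject would refuse,
    split into misconfigured-but-legitimate senders and apparent spoofs."""
    totals = defaultdict(int)
    for info in rows.values():
        if info["verdict"] != "aligned":
            totals[info["verdict"].split(":")[0]] += info["count"]
    return dict(totals)


if __name__ == "__main__":
    policy, rows = summarize_report(SAMPLE_REPORT)
    print("published policy:", policy["p"])
    for ip, info in rows.items():
        print(f"{ip:16s} {info['count']:6d}  {info['verdict']}  {info['authenticated_as']}")
    print("would be blocked under p=reject:", would_be_blocked(rows))
```

In this constructed report the 340 messages from 198.51.100.7 are the ones to act on before tightening the policy: they authenticate cleanly as mailer.example, which is the signature of a cloud service sending on the agency's behalf that nobody has added to the agency's SPF record or given a DKIM key. The 85 from 203.0.113.99 authenticate as nothing and are what p=reject is for. A staged rollout (p=none, then p=quarantine with a low pct=, then p=reject) keeps this distinction visible at every step.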
Nevertheless, DHS concluded that the protocol's anti-phishing and anti-fraud protections outweigh those drawbacks, providing one more bulwark against the widely used and often effective phishing attacks aimed at Federal networks.