Email Infrastructure Seen as Lingering Vulnerability for Elections

(Image: Shutterstock)

New research shows that email is still a weak link in U.S. election infrastructure, with only five percent of the nation’s largest counties protecting election officials from impersonation attempts.

The latest research from Valimail finds that an “overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails,” with 90 percent of attacks involving phishing, and 89 percent of phishing involving impersonation.

Valimail looked at Sender Privacy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) status for 187 domains that were used by election officials in each state’s three largest counties. The researchers then sought to determine whether each domain is protected from impersonation attacks by a correctly configured DMARC record with a policy of enforcement.

“A DMARC enforcement policy prevents unauthorized senders from using the domain in the ‘From’ field of their messages, cutting of one of the most devious impersonation vectors used by attackers,” the report said.

Of the 187 domains examined, 124 had no DMARC records, while 63 domains did. Among the 63 domains that had DMARC records, 11 domains were incorrectly configured, 42 were correctly configured, but not at enforcement, and 10 were correctly configured and at enforcement.

“While there are other types of impersonation, exact-domain impersonation (putting the exact domain of a spoofed organization into the ‘From’ field of a phishing email) is particularly difficult for email recipients to detect and often go uncaught even by many email security solutions,” the report said. “Only DMARC offers definitive protection against this kind of attack, and only when correctly configured and set to an enforcement policy.”

Valimail suggests that all state and local election officials configure their domains with DMARC at enforcement, and endorses that as a “crucial best practice for stopping the largest attack vector into any organization.”

The organization asserted that none of the Help America Vote Act funding disbursed by the Federal government in 2018 to help state and local election authorities improve infrastructure has been used to upgrade email security.

Categories

Recent