How government agencies can keep malicious email out of their inboxes
According to a new report, 80 percent of the more than 1,300 domains operated by the U.S. federal government now use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to improve email security. That’s up from just 50 percent in 2018. Although federal agencies have not fully met the Department of Homeland Security mandate (Binding Operational Directive 18-01) for 100 percent DMARC deployment by Oct. 2018, they have made impressive strides.
State and local governments, by contrast, have a long way to go. Less than 1 percent of the thousands of domains operated by government agencies at the state and local level have successfully implemented DMARC.
That’s unfortunate given that email has become the No. 1 delivery mechanism for ransomware, malicious attachments and links, phishing attacks, and business email compromise. DMARC is specifically aimed at spoofed email: it lets a domain owner publish a policy telling receiving mail servers to quarantine or reject messages that claim to come from that domain but fail authentication, keeping them out of inboxes and preventing their propagation.
Limitations of Older Technologies
Email has no built-in way to authenticate the identity of the sender: both the envelope sender and the visible “From” header are set by whoever submits the message. That makes it all too easy for attackers to use a spoofed “from” address or display someone else’s name in an email header. Users are tricked into opening the email, clicking on malicious links and attachments, and even responding with sensitive information.
Most organizations use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or both for email authentication. SPF lets a domain publish in DNS the servers authorized to send mail for its envelope sender (MAIL FROM) domain; the receiver checks the connecting server’s IP address against that list, but what happens on a failure is left to the receiver, which often just treats the message as more suspicious rather than refusing it. DKIM adds a cryptographic signature to each outgoing email, which the recipient verifies against the public key that the signing domain publishes in DNS.
Both SPF and DKIM have limitations. Because many organizations send email through multiple systems (their own servers, cloud mail providers, marketing and notification services), some legitimate messages pass the checks and others do not. Neither check is tied to the “From” address the user actually sees: SPF validates the envelope sender and DKIM validates the signing domain, so an attacker can pass both using a domain they control while still displaying an agency’s address. When a mix of authenticated and unauthenticated messages comes from the same sender, the recipient has to decide whether each message should be treated as legitimate. That decision falls to spam filters, which are notoriously error-prone.
How DMARC Works
DMARC builds on SPF and DKIM and adds two things. The first is alignment: a message passes DMARC only if SPF or DKIM passes for a domain that matches the domain in the “From” header, which closes the gap described above. The second is a published policy: in a DNS TXT record at _dmarc.<domain>, the domain owner tells receivers whether to take no action (p=none), quarantine (p=quarantine), or reject (p=reject) messages that fail, and where to send aggregate reports (rua=) about mail using the domain. Those reports give senders the information they need to troubleshoot authentication issues and to block unauthorized use of their domain names.
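The receiver-side logic described above, as an added example that is not code from the original article or from any vendor product: parse the published DMARC record, test SPF and DKIM results for alignment with the “From” domain, and apply the domain owner’s policy. The records, the domains agency.example / attacker.example / bulkmail.example and the three authentication outcomes are constructed for the example; the two-label “organizational domain” shortcut is an assumption (real receivers use the Public Suffix List).

```python
"""Simplified DMARC evaluation as a receiving mail server performs it (RFC 7489 logic).

Added example, not code from the original article. agency.example, attacker.example,
bulkmail.example and the authentication results below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr

# Constructed DMARC records: "monitoring" (p=none) versus "enforcement" (p=reject).
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"
ENFORCE_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@agency.example"


def parse_dmarc_record(txt: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict, filling RFC defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")  # relaxed alignment unless the owner set adkim=s
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Assumption for brevity: last two labels. Real receivers consult the Public
    Suffix List, because this shortcut is wrong for domains such as example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) = exact match, relaxed (r) = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def from_domain_of(from_header: str) -> str:
    """Domain of the RFC5322.From address, the identifier the user actually sees."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


@dataclass
class AuthResults:
    from_header: str  # RFC5322.From header value
    spf_result: str   # "pass" / "fail" / "none" for the envelope sender domain
    spf_domain: str   # RFC5321.MailFrom domain that SPF was evaluated against
    dkim_result: str  # "pass" / "fail" / "none"
    dkim_domain: str  # d= tag of the verified DKIM signature ("" if none)


def evaluate_dmarc(record: str, r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, disposition). pct= and sp= handling is omitted."""
    tags = parse_dmarc_record(record)
    from_domain = from_domain_of(r.from_header)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, from_domain, tags["aspf"])
    dkim_aligned = r.dkim_result == "pass" and aligned(r.dkim_domain, from_domain, tags["adkim"])
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]
    return "fail", disposition


# Constructed case 1: a spoof. SPF passes for the attacker's own envelope domain,
# but the visible From: is the agency. SPF by itself never sees the mismatch.
SPOOF = AuthResults(from_header='"County Clerk" <clerk@agency.example>',
                    spf_result="pass", spf_domain="attacker.example",
                    dkim_result="none", dkim_domain="")

# Constructed case 2: legitimate mail relayed by a third-party bulk sender whose
# servers are not in the agency's SPF record but which signs with the agency's DKIM key.
LEGIT_VIA_VENDOR = AuthResults(from_header="alerts@agency.example",
                               spf_result="fail", spf_domain="bulkmail.example",
                               dkim_result="pass", dkim_domain="agency.example")

# Constructed case 3: a subdomain sender signed with the parent-domain key. Passes
# under relaxed alignment, fails under the strict adkim=s in ENFORCE_RECORD.
SUBDOMAIN = AuthResults(from_header="noreply@mail.agency.example",
                        spf_result="none", spf_domain="",
                        dkim_result="pass", dkim_domain="agency.example")


if __name__ == "__main__":
    for name, case in [("spoof", SPOOF), ("vendor", LEGIT_VIA_VENDOR), ("subdomain", SUBDOMAIN)]:
        for label, rec in [("monitor", MONITOR_RECORD), ("enforce", ENFORCE_RECORD)]:
            print(f"{name:10s} {label:8s} -> {evaluate_dmarc(rec, case)}")
```

The spoof case is the one the article is about: it fails DMARC under both records, but with p=none the receiver still delivers it and only reports it, which is why monitoring mode does not stop phishing. The subdomain case shows why tightening to strict alignment needs the same review as the move to enforcement.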
PayPal developed this approach in 2007 in collaboration with Yahoo Mail and later Gmail, greatly reducing the delivery of fraudulent email purporting to come from PayPal. The DMARC specification was published as RFC 7489 in 2015 and is being revised in the IETF DMARC working group; it has the backing of major email providers and strong support in both the financial services and IT security communities.
For DMARC to protect against email spoofing it must be configured for “enforcement,” meaning a policy of p=quarantine or p=reject. Misconfigurations are fairly common, and many state and local government agencies run DMARC only in “monitoring” mode (p=none), which reports failures but still delivers the mail, out of fear of blocking legitimate email. Agencies can benefit from tools such as Cisco Domain Protection, which automates some of the configuration of DMARC. Note that before moving to enforcement, the aggregate reports must be reviewed to identify every legitimate sending source, including third-party services that send on the agency’s behalf, and each one must be brought into SPF or DKIM alignment.
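The review step before enforcement, as an added example that is not code from the original article or from Cisco Domain Protection: parse a DMARC aggregate (RUA) report in the RFC 7489 Appendix C XML format and list the sending sources that would start being rejected or quarantined once the policy moves off p=none. The report, its IP addresses and domains are constructed for the example. Aggregate reports arrive by email from arbitrary receivers, so production code should parse them with a hardened parser such as defusedxml rather than the standard library module used here.

```python
"""Triage a DMARC aggregate (RUA) report before moving from p=none to enforcement.

Added example, not code from the article or any vendor tool. SAMPLE_REPORT is a
constructed report in the RFC 7489 Appendix C format; IPs and domains are placeholders.
RUA reports are attacker-supplied input: use defusedxml in production.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>12345</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>agency.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example</header_from></identifiers>
    <auth_results>
      <dkim><domain>agency.example</domain><result>pass</result></dkim>
      <spf><domain>agency.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example</header_from></identifiers>
    <auth_results>
      <spf><domain>bulkmail.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>5000</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>agency.example</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Return the published policy plus one entry per sending source.

    <policy_evaluated> carries the receiver's DMARC-aligned SPF/DKIM verdicts;
    <auth_results> carries the raw results, including which domain each check
    actually passed for, which is what tells you who the sender really is."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "sources": [],
    }
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        auth = rec.find("auth_results")
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dmarc_pass": "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")),
            "spf_domain": auth.findtext("spf/domain", default="") if auth is not None else "",
            "dkim_domain": auth.findtext("dkim/domain", default="") if auth is not None else "",
        })
    return summary


def enforcement_impact(summary: dict) -> tuple[int, list[dict]]:
    """Messages that pass today versus sources that would be blocked at enforcement.

    A failing source whose raw SPF passed for an unrelated domain is either a
    third-party service that still needs to be onboarded (DKIM-sign with the
    agency's key or add it to the agency's SPF record) or a spoofer; the
    operator decides per source before changing p=none."""
    passing = sum(s["count"] for s in summary["sources"] if s["dmarc_pass"])
    failing = [s for s in summary["sources"] if not s["dmarc_pass"]]
    return passing, failing


if __name__ == "__main__":
    report = parse_aggregate_report(SAMPLE_REPORT)
    ok, blocked = enforcement_impact(report)
    print(f"{report['domain']} (p={report['policy']}): {ok} messages aligned")
    for src in blocked:
        print(f"  would be blocked: {src['ip']} count={src['count']} "
              f"spf_domain={src['spf_domain'] or '-'} dkim_domain={src['dkim_domain'] or '-'}")
```

In the constructed report, 198.51.100.7 passes raw SPF for bulkmail.example while claiming agency.example in the header: that is the pattern of a legitimate vendor that was never brought into alignment, and the kind of source that gets cut off if enforcement is switched on without this review. 203.0.113.99 shows the same raw pattern from an unrelated domain at far higher volume, which is what a spoofing campaign looks like in the reports.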
Cisco Advanced Phishing Protection combines DMARC with predictive artificial intelligence to prevent email spoofing and attacks using compromised accounts. A lightweight sensor deployed on the email platform examines all incoming messages. Those that are considered malicious are either blocked or redirected for further investigation.
State and local governments should follow the lead of federal agencies in securing their email infrastructure. The security experts at Cerium Networks can help with DMARC deployment, encryption solutions and other safeguards to reduce the risk to your vital email communications.