Attacks/Breaches

10/16/2017
03:30 PM
50%
50%

DHS to Require All Fed Agencies to Use DMARC, HTTPS, and STARTTLS

The move follows a DHS review of federal government agencies' steps to secure email and deploy authentication technologies.

The U.S. Department of Homeland Security issued a binding operational directive (BOD) requiring all federal agencies that use .gov email and website domains to secure email and deploy authentication technologies in the coming months, the DHS announced Monday.

In the next 30 days, all federal agencies are mandated to develop a plan to implement the Domain-based Message Authentication, Reporting & Conformance (DMARC) security protocol, which is designed to prevent phishing and spamming attacks.

DMARC creates a whitelist of verified senders, then seeks to deliver only authenticated emails and delete fake ones before a user sees them. It also has the potential side benefit of reducing  "shadow IT" by restricting the ability for company employees to send out unauthorized email campaigns.

Three categories of filtering exist under DMARC: monitoring email for phishing and spam, quarantining emails that fall into this category, and, lastly, deleting such emails.

Within the next 90 days, all federal agencies are required to have their DMARC plans in place and, at a minimum, have begun monitoring emails.

Over the coming year, the DHS aims to have 100% of federal agencies rejecting phishing and spam emails, said Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the DHS, during a joint-press conference with the Global Cyber Alliance.  

"Citizens who depend upon interaction with the government deserve a trusted relationship. So, if they see an email from the IRS or FEMA, they need to believe and trust it is an email from the IRS or FEMA," Manfra said.

Additionally, within the next 120 days, all federal agencies will be required to use encryption on their websites via HTTPS and STARTTLS for email.

DHS has been working to implement DMARC over the past year and in the spring ramped up its efforts to encourage federal agencies to adopt the protocol. But, apparently, that was not enough.

"We felt in talking with all the agencies that we needed a little bit of a push to get people to really prioritize it and focus on it," said Manfra, who noted the DHS has previously used a BOD in a few cases with federal civilian offices.

DMARC Industry Details
Google, Yahoo, and Microsoft email services support DMARC, providing a large leg up in migrating consumers to the security protocol. The DHS reports 4.8 billion inboxes worldwide support DMARC, accounting for 76% of global email accounts.

Federal agencies and enterprise companies are far from the 50% DMARC level, according to the DHS and industry reports.

Two-thirds of Fortune 500 companies, meanwhile, have not deployed any level of DMARC, according to an analysis of DNS records by Agari.

Agari's report found 25% of survey respondents chose to only monitor email, 3% have a quarantine policy, and 5% have implemented a reject policy. Agari lumped the organizations that only monitor email into the category of not deploying any level of DMARC, because users would not have received the protection of having their emails quarantined or rejected.

DMARC Deployment Delays
The majority of DMARC deployments fail, according to a report last year by ValiMail. The report found 62% to 80% of DMARC efforts failed.

The protocol's low adoption rate may be blamed, in part, on a lack of education by users, as well as a hesitation to try a new technology, industry experts say. ValiMail also pointed to a reluctance to change back-end email systems, which have complex DNS tables.

But the Global Cyber Alliance (GCA) says implementing DMARC is not difficult. Shehzad Mirza, GCA's director of global operations, says the organization has a relatively easy DMARC setup guide on its website.

"Anyone with an email domain, small businesses, large businesses, should be using it," Mirza says.

Enterprises Stand to Win
Enterprises will "absolutely" benefit from the mandate, says Patrick Peterson, Agari's founder and executive chairman.

"This mandate will reduce risk for the enterprise as many phishing and malware attacks impersonate government agencies such as recent threats highlighting SEC and IRS spoofing. This leadership from DHS also sets a clear message that DMARC is valuable and should be implemented at scale which will drive enterprise awareness and adoption," says Peterson.

Peter Goldstein, chief technology officer and co-founder of ValiMail, also agrees enterprises stand to benefit from the DHS mandate.

And although Goldstein applauds the DHS's mandate, he cautions it is not enough to publish a DMARC record to the DNS.

"You have to get to enforcement to get real value out of DMARC," says Goldstein. "At enforcement, receiving mail servers are instructed to quarantine (flag as spam) or delete messages that fail authentication. But getting there requires authenticating all of an organization’s legitimate senders — both internal and cloud services sending on their behalf."

He noted that only 20% of companies succeed at reaching this point because of the complexity of modern email systems, which include dozens of cloud services a company may use to send emails on their behalf. As a result, it may prove tricky for many companies to get all of these services whitelisted, he says.

"We're seeing progress in some areas, like the biggest financial companies," Goldstein says. "But across the board, the rates of enforcement are still quite low."

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
Companies Blindly Believe They've Locked Down Users' Mobile Use
Dawn Kawamoto, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.