Attacks/Breaches

10/16/2017
03:30 PM
50%
50%

DHS to Require All Fed Agencies to Use DMARC, HTTPS, and STARTTLS

The move follows a DHS review of federal government agencies' steps to secure email and deploy authentication technologies.

The U.S. Department of Homeland Security issued a binding operational directive (BOD) requiring all federal agencies that use .gov email and website domains to secure email and deploy authentication technologies in the coming months, the DHS announced Monday.

In the next 30 days, all federal agencies are mandated to develop a plan to implement the Domain-based Message Authentication, Reporting & Conformance (DMARC) security protocol, which is designed to prevent phishing and spamming attacks.

DMARC creates a whitelist of verified senders, then seeks to deliver only authenticated emails and delete fake ones before a user sees them. It also has the potential side benefit of reducing  "shadow IT" by restricting the ability for company employees to send out unauthorized email campaigns.

Three categories of filtering exist under DMARC: monitoring email for phishing and spam, quarantining emails that fall into this category, and, lastly, deleting such emails.

Within the next 90 days, all federal agencies are required to have their DMARC plans in place and, at a minimum, have begun monitoring emails.

Over the coming year, the DHS aims to have 100% of federal agencies rejecting phishing and spam emails, said Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the DHS, during a joint-press conference with the Global Cyber Alliance.  

"Citizens who depend upon interaction with the government deserve a trusted relationship. So, if they see an email from the IRS or FEMA, they need to believe and trust it is an email from the IRS or FEMA," Manfra said.

Additionally, within the next 120 days, all federal agencies will be required to use encryption on their websites via HTTPS and STARTTLS for email.

DHS has been working to implement DMARC over the past year and in the spring ramped up its efforts to encourage federal agencies to adopt the protocol. But, apparently, that was not enough.

"We felt in talking with all the agencies that we needed a little bit of a push to get people to really prioritize it and focus on it," said Manfra, who noted the DHS has previously used a BOD in a few cases with federal civilian offices.

DMARC Industry Details
Google, Yahoo, and Microsoft email services support DMARC, providing a large leg up in migrating consumers to the security protocol. The DHS reports 4.8 billion inboxes worldwide support DMARC, accounting for 76% of global email accounts.

Federal agencies and enterprise companies are far from the 50% DMARC level, according to the DHS and industry reports.

Two-thirds of Fortune 500 companies, meanwhile, have not deployed any level of DMARC, according to an analysis of DNS records by Agari.

Agari's report found 25% of survey respondents chose to only monitor email, 3% have a quarantine policy, and 5% have implemented a reject policy. Agari lumped the organizations that only monitor email into the category of not deploying any level of DMARC, because users would not have received the protection of having their emails quarantined or rejected.

DMARC Deployment Delays
The majority of DMARC deployments fail, according to a report last year by ValiMail. The report found 62% to 80% of DMARC efforts failed.

The protocol's low adoption rate may be blamed, in part, on a lack of education by users, as well as a hesitation to try a new technology, industry experts say. ValiMail also pointed to a reluctance to change back-end email systems, which have complex DNS tables.

But the Global Cyber Alliance (GCA) says implementing DMARC is not difficult. Shehzad Mirza, GCA's director of global operations, says the organization has a relatively easy DMARC setup guide on its website.

"Anyone with an email domain, small businesses, large businesses, should be using it," Mirza says.

Enterprises Stand to Win
Enterprises will "absolutely" benefit from the mandate, says Patrick Peterson, Agari's founder and executive chairman.

"This mandate will reduce risk for the enterprise as many phishing and malware attacks impersonate government agencies such as recent threats highlighting SEC and IRS spoofing. This leadership from DHS also sets a clear message that DMARC is valuable and should be implemented at scale which will drive enterprise awareness and adoption," says Peterson.

Peter Goldstein, chief technology officer and co-founder of ValiMail, also agrees enterprises stand to benefit from the DHS mandate.

And although Goldstein applauds the DHS's mandate, he cautions it is not enough to publish a DMARC record to the DNS.

"You have to get to enforcement to get real value out of DMARC," says Goldstein. "At enforcement, receiving mail servers are instructed to quarantine (flag as spam) or delete messages that fail authentication. But getting there requires authenticating all of an organization’s legitimate senders — both internal and cloud services sending on their behalf."

He noted that only 20% of companies succeed at reaching this point because of the complexity of modern email systems, which include dozens of cloud services a company may use to send emails on their behalf. As a result, it may prove tricky for many companies to get all of these services whitelisted, he says.

"We're seeing progress in some areas, like the biggest financial companies," Goldstein says. "But across the board, the rates of enforcement are still quite low."

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Box Mistakes Leave Enterprise Data Exposed
Dark Reading Staff 3/12/2019
How the Best DevSecOps Teams Make Risk Visible to Developers
Ericka Chickowski, Contributing Writer, Dark Reading,  3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.