We can likely all agree that governmental cyber security is an important issue. While the Attorney General has created a task force to deal with election hacking, there have been plenty of digital security fails in the past year. And the FCC doesn't seem to care too much about data privacy, either. Now, according to a report from security firm Global Cyber Alliance (GCA), more than 95 percent of the email domains managed by the Executive Office of the President (EOP) -- including WhiteHouse.gov -- could be used in a phishing attack due to lax security protocols. The top defense against email phishing and spoofing, says the report, is called Domain-based Message Authentication, Reporting & Conformance (DMARC).
Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government. Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit and also ensures that nobody can alter the contents of the website you're visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks. Now, Homeland Security has set its sights on government agencies, which have for years fallen behind. The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks.
Last year, the UK blocked 80 million spoofed emails from entering government domains, thanks to wide deployment of the DMARC email authentication protocol. "That's how you stop people clicking on the link, because they never get the crap in the first place. Simple things done at scale can have a difference," said Dr Ian Levy, technical director of the UK's National Cyber Security Centre (NCSC) in October. At that time, 879 of the 3025 gov.uk domains, or around 29 percent, were protected by DMARC, he said. According to Stephen Gillies, who runs security advisory at Caret and Stick, DMARC's goal is "to bring some trust back to the From: field in email headers".
Nearly every company in the Fortune 500 is vulnerable to phishing attacks because they fail to utilize one of the most basic email security features available, according to a recently published report. Cybersecurity firm Agari found more than nine out of 10 companies were not making use of the domain-based message authentication, reporting and conformance (DMARC) protocol that would combat phishing attacks that use spoofed email addresses. DMARC is an authentication standard that will reject messages that come from an unrecognized or unauthorized source. This is a relatively common phishing tactic, in which an attacker will use a spoofed domain to make it appear as though an email is coming from a trusted source. Unfortunately, just 39 of the 500 companies--or about eight percent--listed in the Forbes 500 are currently making use of DMARC, leaving 92 percent of the largest and most profitable organizations in the world at risk of a security breach carried out through phishing emails.
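The reports above distinguish domains that "use DMARC" from those that don't, and the NCSC quote describes what the protocol actually does: it ties the From: field to an authenticated domain and lets the domain owner tell receivers what to do with mail that fails. The following Python is an added example, not code from any of the reports or organizations quoted; it parses a DMARC TXT record, classifies the domain's enforcement posture, and evaluates a message the way a receiving mail server would (SPF or DKIM must pass and align with the From: domain). The records and domain names are constructed samples, no DNS is queried, and the organizational-domain check is simplified to the last two labels rather than using the Public Suffix List.

```python
"""Minimal DMARC record parser and policy evaluator (illustrative, offline).

Constructed sample records stand in for the _dmarc.<domain> TXT lookup a
real receiver would perform. Authentication results (SPF/DKIM) are passed
in as already-computed values, since computing them needs the live message.
"""

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS = {
    "enforcing.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=r",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "malformed.example":  "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}

DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; return None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    # Defaults for the alignment tags (relaxed) when the owner omits them.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def enforcement_level(record):
    """Classify posture: 'missing', 'none' (monitor only), 'quarantine' or 'reject'.

    This is the distinction the adoption reports draw: a p=none record gives
    the owner aggregate reports but still lets spoofed mail be delivered.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return "missing"
    return tags["p"].lower()


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption:
    real receivers consult the Public Suffix List instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (verdict, disposition) for one message.

    A message passes DMARC if SPF passed AND the SPF domain aligns with the
    RFC5322.From domain, OR DKIM passed AND the signing domain (d=) aligns.
    Otherwise the domain owner's p= policy decides what the receiver does.
    """
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ("no policy", "deliver")
    spf_ok = bool(spf_result == "pass" and spf_domain
                  and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = bool(dkim_result == "pass" and dkim_domain
                   and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", DISPOSITIONS.get(tags["p"].lower(), "deliver"))


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20s} posture={enforcement_level(record)}")
    # A spoofed message: From: claims enforcing.example, but SPF only passes
    # for the unrelated infrastructure that actually sent it (constructed).
    for domain in ("enforcing.example", "monitoring.example"):
        print(domain, evaluate(SAMPLE_RECORDS[domain], domain,
                               "pass", "bulk-sender.invalid", "none", None))
```

The two sample evaluations at the bottom show the whole point of the adoption figures: the same spoofed message is rejected by the domain with `p=reject` and delivered by the domain that only monitors with `p=none`, which is why a published-but-unenforced record does little to stop the phishing the reports describe.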