Could it be as easy as shooting phish in a barrel? We’ve seen a number of threats against government agencies this past year, many of which have been targeted by organizations looking to prove a point. Hacktivists have shined a spotlight on agencies like the FBI and CIA, often taking control of the agency’s website. Yet, according to the United States Computer Emergency Readiness Team (U.S. CERT), the most common threat against government agencies in 2011 came from phishing attacks.
The U.S. CERT’s mission is to improve the nation’s cybersecurity posture, coordinate cyber information sharing and proactively manage cyber risks to the nation while protecting the constitutional rights of Americans. The team collects security incident reports across federal and local agencies and correlates the data to report on risks. In the past year, the team reported that nearly half of all the incidents that have occurred used phishing techniques.
What is phishing and why is it so common among attackers?
Phishing is an attempt to lure an unsuspecting user into providing personal information by using social engineering techniques. Fraudulent emails often appear to be sent from a legitimate organization or known individual and attempt to entice users to click on a link that takes them to an illegitimate website, which often hosts malware. In most cases, the user is asked to provide personal information such as account usernames and passwords, which can further expose them to future compromises.
Now more than ever, these techniques are easier to employ due to the rapid adoption of social media. An attacker can simply look up a Facebook account or Foursquare location and make references to a recent outing or vacation.
In fact, Government Computer News reported that a new phishing scam was launched targeting military personnel, retirees and civilian employees receiving disability compensation. This specific attack alludes to the potential of securing additional disability compensation in an effort to get recipients to give up their personal information. The Defense Finance and Accounting Service has issued warnings and posted details to their site.
Here are a few additional recommendations we give our customers to ensure that they address all three components of the security ecosystem (people, process and technology):
- Educate your employee base. Do not click links within emails. Even if the URL looks reputable, it is best to type the URL into the browser manually.
- Create and implement security policies across your agency and ensure that these policies are monitored and enforced.
- Update and monitor. Most agencies believe they are protected if they have antivirus protection, firewalls and intrusion detection / prevention systems in place. However, these technologies must be tuned, updated and monitored on an ongoing basis. Additionally, web and email content filtering systems are a must since 80% of threats today are still web-based. These filtering solutions will prevent malicious links from coming through the network.
- Prepare for the worst – attacks are inevitable – so have an incident response plan in place.
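As an added example (not code from the original post) of the kind of link check an email content filter can apply before a message reaches a user, the script below flags links whose visible text names one domain while the href points to another, and links that go to a bare IP address. The sample message body and its domains are constructed.

```python
"""Flag phishing-style links in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or domain name.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
BARE_IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercased hostname of a URL or bare domain, '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_suspicious_links(html_body):
    """Return [(href, reason)] for links a mail filter should flag."""
    parser = _LinkCollector()
    parser.feed(html_body)
    flagged = []
    for href, text in parser.links:
        target = _host(href)
        if BARE_IP.fullmatch(target):
            flagged.append((href, "link points to a bare IP address"))
            continue
        shown = _host(text) if URL_LIKE.fullmatch(text) else ""
        if shown and shown != target:  # displayed domain != real domain
            flagged.append((href, f"text shows {shown} but link goes to {target}"))
    return flagged


# Constructed sample email body (not a real message); 203.0.113.5 is a documentation IP.
SAMPLE = ('<p>Click <a href="http://benefits-example.net/claim">'
          'https://benefits.example.gov/claim</a> to claim.</p>'
          '<a href="http://203.0.113.5/form">update form</a>'
          '<a href="https://www.example.gov/">www.example.gov</a>')
```

Running `find_suspicious_links(SAMPLE)` flags the first two links and leaves the third, whose visible and real domains match, alone.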
Have other questions or concerns about protecting your agency from the latest phishing scams? Drop me a comment below.