More than a third of federal agencies still have not adopted Department of Homeland Security-mandated security measures that stop attackers from spoofing email, according to an analysis of public records. And worse, many have misconfigured it.
As of Feb. 22, just 180 .gov domains — or 58 percent of the 311 .gov domains reviewed by Easy Solutions — had a policy for Domain-based Message Authentication, Reporting and Conformance, which DHS required as of Jan. 15.
Of those, nearly 30 are still vulnerable to subdomain spoofing because they haven’t set a proper subdomain policy.
DMARC works by creating a public record that email systems can check to determine whether a message sender is in fact authorized to transmit on behalf of a particular internet address or domain — like dhs.gov.
Because of the open character of the internet email system, forging a message to look like it comes from dhs.gov is easy to do. It’s a technique widely used by hackers to send messages containing malicious attachments or links. These phishing emails are much more likely to be effective if they appear to come from a trusted correspondent like a government agency.
In a new report from CyberScoop, Ian Breeze, a product manager at Easy Solutions, a vendor that provides software and advice to organizations seeking to implement DMARC, explains agencies’ struggle to move adopt the measure and how even those that have are still leaving their email open to fraud.
Read more on CyberScoop.