Insight by Proofpoint

Email: the often neglected cybersecurity threat

Over 90 percent of cybersecurity threats come through email, but only a fraction of security budgets are dedicated to the issue, said Tony D’Angelo, vice president of Proofpoint. And, he said, the most significant cybersecurity challenge for federal agencies is securing their people.

Proofpoint has a concept it refers to as “very attacked people” (VAP) – which is not necessarily a VIP. D’Angelo’s company works with agencies to identify VAPs within their organizations.

“It’s relatively easy for cyber criminals to successfully hack an individual. They’re relying on people to unwittingly facilitate a crime. People are trusting by nature; they can easily be duped into opening malware, clicking on malicious links, entering login credentials, or other types of personal information,” D’Angelo said.

“The private sector is primarily a financial play – credit cards, personal information for identity theft …” and business email compromise, D’Angelo said.

The financial cyber threat called business email compromise happens when cyber criminals target employees who have access to company finances and trick them into making wire transfers to the criminal’s fraudulent bank account. The FBI estimates over $12.5 billion has been stolen this way.

But the motivations of hackers who target government are dramatically different. Their interest lies in stealing government secrets or intellectual property (IP) and, more recently, in election rigging.

D’Angelo said many of these attacks are state sponsored by unfriendly foreign governments. Cyber criminals often target a federal contractor. “I’ve heard many government cyber experts say there’s a reason some foreign fighter jets look eerily similar to those of the United States Air Force and other defense agencies. It’s likely because a state sponsored bad actor targeted a VAP either by stealing their credentials or impersonating their co-workers and asking for design documents.”

Governments, over the years, have done a good job in securing infrastructure and making the attack vector more difficult and more complex. As a result, hackers have shifted their attention to softer targets – people. “The attack vector on people and through email is here and it’s here to stay for a very long period of time,” D’Angelo said. “Over 93 percent of attacks are on people, and of the attacks on people, 96 percent of those come through email. So clearly it’s a very successful attack vector for the cyber criminal.”

The move to cloud by federal agencies creates an additional concern. D’Angelo estimated 85 to 90 percent of the agencies Proofpoint interacts with have moved to Microsoft Office 365 or have plans to.

According to D’Angelo, “… It forces [agencies] to rethink all their cybersecurity initiatives … We’ve seen some very successful credential phishing campaigns which have allowed cyber criminals to gain access to accounts and sensitive information. With this data being offsite, that’s really all that they need. With someone’s credentials, you are effectively in, you are that person.”

A Proofpoint review of an agency would reveal the people being targeted, as well as the number and types of attacks delivered through email. “It’s a real eye-opening experience for the agency as it may not be an executive inside an agency, but often times it’s the administrative assistant of that executive who could be the target – sometimes greater by a factor of ten in the terms of the number of attacks,” D’Angelo said. By identifying the VAP, Proofpoint would work with an agency to put programs and policies in place to stop these types of attacks.

“If you asked every government chief information security officer (CISO) if they had enough budget for cybersecurity, they would say ‘no’, and in many cases that’s probably a true statement.” D’Angelo said agencies spend roughly 62 percent of their cyber budget on network and infrastructure security, but only a fraction on email.

D’Angelo said there is no one vendor who can do everything, but a single vendor in a major category can make sense. “You don’t need four or five vendors for email security particularly when the solutions tend to work together as a single system to analyze, identify, block and remediate threats.”

In October 2017, the Homeland Security Department released a mandate known as Binding Operational Directive 18-01, which forces civilian agencies to implement the Domain-based Message Authentication, Reporting & Conformance protocol (DMARC), a technology to authenticate email.

This directive is meant to prevent the cyber criminal from hijacking email and stealing money or technology inside an agency; from pretending to be a Congressional staffer and seeking campaign donations; or from spoofing a legitimate email domain and duping the user into clicking or entering sensitive information.

This past summer, Dana Deasy, CIO at the Defense Department, mandated the adoption of the DMARC protocol for the entire department.

“It’s a great first step in trying to secure email. But one problem that I would love to see the government change is that these mandates come typically without funding or centralized management,” D’Angelo said.

He called for “mandates with teeth,” re-allocation of budgets to increase the spend on email security, focus on VAPs and an emphasis on greater security-awareness training.

“You have to assume that somebody is always going to open the piece of malware, click on the URL, go to the wrong site, and enter their credentials. With security awareness training, an agency can identify those more vulnerable, more fallible employees inside the organization, customize training for them, and prevent the attacker from coming in the front door in the first place,” D’Angelo said.