Government Domains Exposed To Spoofing Attacks

In October 2016, the Cabinet Office highlighted the need for strong email security when they agreed to use Domain-based Message Authentication, Reporting and Conformance (DMARC) technology as the default on all their email communication. However, a recent report by Egress has found that only 28% of all domains are using DMARC to prevent impersonation and phishing attacks.

The data security company Egress ran the test just weeks before the Government Secure Intranet (GSI), which has carried internal government communication since 1996, was due to be retired at the end of March 2019.

What they discovered was a lack of preparation on the part of many government email administrators. Of the 2,000 email domains checked, almost three quarters were vulnerable to phishing attacks.

53% of the domains that had deployed DMARC also had their policy set to ‘do nothing’ (the monitoring-only setting), which leaves every mailbox behind them at immediate risk. With that setting in place, hackers and cyber criminals can still deliver spam and phishing messages directly to mailboxes, and Business Email Compromise (BEC) and email buffering cannot be prevented.

DMARC detects and prevents email spoofing, giving the recipient greater confidence that the sender is genuine and legitimate. Unfortunately, despite government advice, the majority of government domains remain unprotected and unnecessarily exposed.
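To show what a survey like the one described above actually measures, here is an added example (not Egress's tool or code from the article) that parses DMARC TXT records and sorts each domain into enforcing, monitor-only (`p=none`, the ‘do nothing’ setting), invalid or missing. The domain names and records below are constructed samples, not real DNS data; in practice the records would come from a `_dmarc.<domain>` TXT lookup.

```python
# Constructed sample records keyed by domain (hypothetical names, not real lookups).
# None stands for "no _dmarc TXT record published".
SAMPLE_RECORDS = {
    "reject.example.gov.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk",
    "quarantine.example.gov.uk": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.gov.uk",
    "monitor.example.gov.uk": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk",
    "no-policy-tag.example.gov.uk": "v=DMARC1; rua=mailto:dmarc@example.gov.uk",
    "malformed.example.gov.uk": "v=DMARC1; sp=reject",
    "absent.example.gov.uk": None,
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict.
    Returns None when the record is absent or its version tag is not DMARC1."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:  # ignore empty or malformed "tag=value" pairs
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":  # version tag must match exactly
        return None
    return tags


def classify(record):
    """Map one record to: 'missing', 'invalid', 'monitor_only' or 'enforcing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitor_only"
    if policy in ("quarantine", "reject"):
        return "enforcing"
    # No valid p= tag. RFC 7489 says receivers should treat such a record
    # as p=none if it carries a rua= reporting address, and ignore it otherwise.
    return "monitor_only" if tags.get("rua") else "invalid"


def summarise(records):
    """Count domains per category, the figure a survey like Egress's reports."""
    counts = {"missing": 0, "invalid": 0, "monitor_only": 0, "enforcing": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:32} {classify(record)}")
    print(summarise(SAMPLE_RECORDS))
```

Only the `enforcing` bucket gives the protection the article is calling for; a `monitor_only` domain still receives aggregate reports, but spoofed mail is delivered as normal.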

Speaking at the Times Tech Summit earlier this week, Ciaran Martin, CEO of the National Cyber Security Centre, said DMARC was being rolled out across government networks. If so, those networks will also need appropriate policy settings in place to avoid leaving further vulnerabilities.

Ciaran Martin, CEO of the NCSC, commented: “We are pioneering the implementation of the DMARC protocol on government networks freely and publishing how we do it. Spoofing is one of the biggest aspects of the cyber attack ecosystem, but the organisation being spoofed tends to suffer no damage.

“The example we always use is HMRC. It was the most spoofed brand in the UK for obvious reasons, but it made no impact on the tax take. It was still a law that you have to pay tax, so HMRC themselves were not affected but, for the public good, they worked with us to implement DMARC, and in the first year they blocked 300 million attempts.

“We simplified password guidance, and the official guidance coming out of the US in the initial part of this century has been rescinded because it was too hard to follow. We are doing things where, as government, when we send a message asking people to take down phishing sites – they do that. We have automated that, in partnership with a great company called Netcraft in Bath, where they take down phishing sites at scale. The average phishing site in the UK used to be up for 27 hours, but it is now up for around an hour. This is an active, real, automated measure that really makes a difference.”

Neil Larkins, Egress CTO, commented: “It’s quite startling to see that so many public sector organisations have not yet enabled DMARC effectively and therefore cannot provide full assurance over their email network’s ability to withstand phishing attacks. With [not long] before the GSI framework is retired, it’s critical that organisations heed the advice laid out by GDS.

“The advice from the GDS is a great first step in safeguarding that government organisations are securely sharing and authenticating email messages. However, as with many complex organisations, Government departments and councils will probably also need to look to supplement TLS with additional technology, such as message-level encryption – which is suitable, for example, when they don’t have assurance that TLS is set up correctly on the recipient’s server or when messages need to be encrypted at-rest in the recipient’s mailbox. This is especially important for government organisations sharing data externally, where the security posture of the recipient is often unknown.”

DMARC can be implemented easily on any law firm domain and should be used to protect the sensitive business and client data that is stored digitally and sent electronically.

Does your law firm protect its communication channels with DMARC?