Lagging behind: why government organisations need to upgrade their email security
May 1, 2019
Maor Hizkiev, CTO and co-founder, BitDam, explains how and why government organisations are lagging behind in implementing standard email security measures and what needs to be done to improve the state of security in the public sector.
Whether they are seeking profit, political leverage, status or simply to cause infrastructural damage, infiltrating a government organisation can prove a highly fruitful venture for a cybercrime group or team of nation-state hackers.
By circumventing security solutions, attackers can access, affect and retrieve valuable data from a wide network of official systems. With it, they can halt productivity, hold organisations to ransom and severely impact operational continuity.
Despite the severity of this threat, which was typified by the huge infrastructural damage caused by the WannaCry ransomware attack in 2017, government organisations remain as vulnerable as ever.
One area of particular concern for the National Cyber Security Centre (NCSC), which strives to protect the UK from attack, is email security.
As part of its Active Cyber Defence (ACD) initiative to promote the implementation of better security practices, it has urged government organisations to adopt standard Domain-based Message Authentication, Reporting and Conformance (DMARC), an elementary protocol which helps to authenticate inbound emails and block impersonation attacks. Only one third of government organisations have heeded the NCSC’s advice.
If these networks are gateways to official databases filled with sensitive information, and critical infrastructures that the public relies so heavily upon, why isn’t more being done to protect them? And what needs to be done to ameliorate the state of security in the public sector?
Comprised of over 500 departments, agencies and public bodies centred around a compartmentalised bureaucratic framework, which are in constant communication with a wide range of external stakeholders, the UK government possesses thousands of points of entry for cybercrime groups to exploit.
Once inside one of its organisations’ systems, criminals can access and stake out a much wider variety of interconnected networks and databases to determine what is worth stealing or develop a plan to inflict maximal structural damage.
These conditions make government organisations a highly attractive target for adversaries. Not only are they a relatively easy score, they are high-volume entities that contain resources that can be used for political, financial and reputational gain.
One way that attackers attempt to infiltrate these organisations is through their email networks. Open by default and inherently difficult to regulate and secure, they are highly vulnerable to the threat of spear-phishing and social engineering attacks, which, according to the NCSC, are the biggest problems that UK cyber security faces today.
However, despite this warning, government organisations lag far behind central government in their adoption of standard email security protocols. Whereas nearly 90% of central government departments have enabled DMARC email authentication, less than a third of government organisations have done the same.
This failure to prepare could prove costly for government organisations. In March the Government Secure Intranet (GSI) platform, a wide area network that facilitated secure interorganisational email communications for over ten years, was discontinued. In anticipation, the UK Government Digital Service (GDS) urged all agencies to implement the DMARC protocol as a replacement.
However, because the GDS lacks the power to mandate these changes, and given the inherent bureaucracy of the public sector, its advice has not been heeded with any great urgency. Consequently, hundreds of organisations appear more susceptible to the threat of email-borne attacks than ever before.
The small number of government bodies that have implemented the protocol aren’t exactly immune from attack either. While DMARC helps protect senders from being directly impersonated by malicious actors, it does little to protect the recipients of emails against a wide variety of email impersonation attacks.
For instance, attackers can bypass DMARC authentication and spread malware under the guise of “genuine” emails simply by hijacking one of thousands of publicly available government email domains.
For public organisations, which possess large sets of valuable data that are accessible to, and shared between, thousands of employees, this pitfall poses yet another risk to their email security.
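The limitation described above can be made concrete with a small sketch. It is an added example, not code from the article or from BitDam: it models DMARC's relaxed alignment test and shows that a message from a different, self-authenticating domain still passes, so a recipient-side similarity check is needed as well. The domains, the tiny public-suffix set and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher

# Constructed stand-in for the Public Suffix List (assumption, not complete).
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "com"}
# Hypothetical domain the recipient organisation wants to protect.
PROTECTED = ["examplecouncil.gov.uk"]

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback when no suffix is known

def dmarc_pass(from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Relaxed alignment: an SPF- or DKIM-authenticated domain must share
    the organizational domain of the header From address."""
    target = org_domain(from_domain)
    return any(d is not None and org_domain(d) == target
               for d in (spf_pass_domain, dkim_pass_domain))

def lookalike_of(from_domain, protected=PROTECTED, threshold=0.85):
    """Recipient-side check: return the protected domain that the sender's
    domain resembles without being it, or None."""
    cand = org_domain(from_domain)
    for p in protected:
        if cand != p and SequenceMatcher(None, cand, p).ratio() >= threshold:
            return p
    return None

def triage(msg):
    """Return (dmarc_result, resembled_domain) for one message record."""
    ok = dmarc_pass(msg["from"], msg.get("spf"), msg.get("dkim"))
    return ok, lookalike_of(msg["from"])

# Constructed sample messages: header From plus the domains that passed SPF/DKIM.
SAMPLES = [
    {"from": "examplecouncil.gov.uk", "spf": "bulk-sender.example"},    # direct spoof
    {"from": "examplecouncil-gov.uk", "dkim": "examplecouncil-gov.uk"}, # lookalike
    {"from": "mail.examplecouncil.gov.uk", "spf": "bounce.examplecouncil.gov.uk"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["from"], triage(m))
```

The direct spoof fails DMARC, while the lookalike passes it and is caught only by the similarity check, which is the recipient-side gap the article points to.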
The potential impact of infiltrating the email network of a government organisation is huge. Depending on the target organisation and the sophistication of its operating systems, adversaries may gain access to the much wider network of systems and databases that it is connected to.
The WannaCry ransomware attack in 2017, which affected more than 200,000 computers worldwide including thousands across the NHS, typifies the extent and severity of the damage that can result from attackers exploiting governments’ failure to update systems and maintain consistent security protocols.
Ultimately, gaining wide access to a variety of systems and databases means access to a greater amount of valuable data and opportunity to maximise profit or gain strong political leverage.
All public organisations, much like those in the private sector, are responsible for safeguarding their own information, networks and employees. This is where the problem, and vulnerability, lies.
Unlike the Department of Homeland Security (DHS), which possesses the power to mandate the implementation of email authentication standards across all federal departments, the NCSC can only advise government organisations to take action. Those organisations are under no real pressure or obligation to do so.
Therefore, a different approach is required, and it needs to come from the bottom-up.
As the threat of spear-phishing grows, government organisations need to be proactive rather than reactive in protecting their networks and systems.
Although the DMARC protocol is a step in the right direction, more needs to be done to protect the recipients of emails who remain exposed to increasingly sophisticated social engineering attacks. This requires an advanced threat protection technology that doesn’t rely on trends or past attacks to detect them but can identify them as they continue to evolve and iterate.