1 in 3 FHFA employees failed phishing test
A penetration test found some concerning vulnerabilities at the Federal Housing Finance Agency, but auditors weren't able to gain access.
An audit at the Federal Housing Finance Agency found more than one third of employees subjected to a fake phishing attack failed to follow the proper response protocols, along with a number of other vulnerabilities present at the agency's network perimeter.
FHFA oversees Fannie Mae and Freddie Mac and the Federal Home Loan Bank System. The agency had 753 employees in 2018 according to the Office of Personnel Management.
Auditors ran a mock phishing attack against 50 employees as part of an annual Federal Information Systems Management Act audit and found that 17 -- or 34 percent -- failed the test.
The report is substantially redacted, and it's not clear how many employees may have actually clicked on a malicious link or failed to follow other internal protocols. According to the audit, just three of the 50 employees tested reported the suspicious emails to their superiors.
The audit also scanned 376 of the agency's internet-facing IP addresses and found a number that were relying on outdated encryption protocols. This was mostly due to the use of outdated equipment, with FHFA managers telling auditors that the machines associated with the flagged addresses could not support more advanced versions of the software needed to run higher-grade encryption. However, auditors were unable to leverage these vulnerabilities to gain access to FHFA networks and systems.
Auditors made three recommendations: replace any outdated machines incapable of running the latest encryption protocols, continue conducting regular phishing tests on employees and emphasize best email security practices.
CIO Kevin Winkler said the agency plans to replace the older machines this year and laid out a number of additional actions to further test email security practices.
"FHFA will evaluate its latest phishing email test results by June 30, 2019 to determine if its end user phishing email training need to be enhanced," said Winkler. The agency will also add a warning banner on external email by the end of March.