Most agencies fail to follow security steps to stop e-mail phishing

DHS, Treasury and other departments do not authenticate e-mail names and domains, increasing the chance for breaches, alliance says.

Most federal agencies don't follow the security steps that could prevent fraudulent e-mails that trick people into providing personal information or unwittingly launch a cyberattack, according to a report released on Thursday by an alliance of security companies.

The Online Trust Alliance, a group of security companies working to eliminate e-mail and Internet fraud, found that 56 percent of the agencies it studied failed to authenticate e-mails or message domain names, such as whitehouse.gov. The alliance evaluated the e-mail security of 25 federal agencies that are most susceptible to phishing, fraudulent messages that can use the names of real employees and their domain address to convince a recipient to disclose personal data or unknowingly install a virus.

The latest report is a follow-up to a broader study on e-mail authentication, which was released in January 2008.

Phishing messages are increasingly difficult to identify and often sent from what appear to be legitimate e-mail addresses. Authentication helps protect users from the threat by letting a domain's owner declare which IP addresses are authorized to send mail for that domain name or e-mail address. A message that enters a network from an IP address that is not authorized for the domain it claims to come from will automatically be denied.

"Phishers will send mail that appears to come from the most recognized domains," such as IRS.gov, for example, said Craig Spiezle, chairman and founder of the Online Trust Alliance. "What the owner of those domains can do is publish a declaration that tells Internet service providers, receiving networks and e-mail programs, 'No e-mail will come from this domain,' or 'Only mail from these specific IP addresses is authorized to send mail from this domain.' But most agencies are not doing that."
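The declaration Spiezle describes, and the IP-based check described two paragraphs above, correspond to a DNS-published sender policy of the kind the Sender Policy Framework (SPF) provides: the domain owner publishes a TXT record listing authorized sending addresses (or none at all), and the receiving network compares the connecting IP against it. The following is an added example, not code from the article or from the Online Trust Alliance, and the domain names and records in it are constructed stand-ins (example.gov subdomains), not any agency's real DNS data. It evaluates a received message's source IP against such a record for the "no mail from this domain" and "only these addresses" cases, and also runs the kind of survey the alliance performed, flagging domains that publish no policy.

```python
import ipaddress

# Constructed TXT records for hypothetical domains (assumption: these are
# not real agency records; example.gov is used as a placeholder).
FAKE_DNS_TXT = {
    # "Only mail from these specific IP addresses is authorized": hard fail otherwise
    "mail-only.example.gov": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"],
    # "No e-mail will come from this domain"
    "no-mail.example.gov": ["v=spf1 -all"],
    # Publishes nothing: the unprotected state the report counted against agencies
    "unprotected.example.gov": [],
    # Weak policy: unauthorized senders are only soft-failed
    "softfail.example.gov": ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's single SPF record, or None if it has none (or several)."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:          # none or ambiguous: no usable policy
        return None
    return records[0]


def check_sender(ip, domain, dns=FAKE_DNS_TXT):
    """Evaluate a connecting IP against the claimed sender domain's policy.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record published).
    Only ip4:/ip6:/all mechanisms are modelled; include:, a, mx and redirect=
    need further DNS lookups and are skipped here.
    """
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # An IPv6 sender never matches an ip4: network, and vice versa.
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"   # record exhausted without an "all" term


def audit_domains(dns=FAKE_DNS_TXT):
    """Survey which domains publish a policy at all, as the alliance's study did."""
    return {d: ("protected" if lookup_spf(d, dns) else "unprotected") for d in dns}


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "mail-only.example.gov"),
                    ("10.0.0.1", "mail-only.example.gov"),
                    ("10.0.0.1", "no-mail.example.gov"),
                    ("10.0.0.1", "unprotected.example.gov")]:
        print(f"{ip:>12} claiming {dom:<26} -> {check_sender(ip, dom)}")
    for dom, status in audit_domains().items():
        print(f"{dom:<26} {status}")
```

A result of "none" is the case the report is about: with no published policy, a receiving network has nothing to compare the source IP against, so a spoofed message from that domain cannot be distinguished from a legitimate one by this mechanism. A "~all" soft fail is better than nothing, but only "-all" gives receivers a basis for outright rejection.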

The alliance examined public records in the agencies' Domain Name Service, which maps domain names to numerical IP addresses, and found that 14 agencies failed to authenticate their Web site domains and e-mails, including the Homeland Security, Treasury, and Housing and Urban Development departments, the White House, and the FBI. While not listed in the report, the Senate also failed to authenticate its domain and e-mail, Spiezle said.

Among the agencies that earned passing grades were the General Services Administration, Census Bureau, Veterans Affairs and the Internal Revenue Service.

The IRS improved e-mail security after reporting a spike in the number of bogus IRS e-mails that circulated over the Internet during the 2008 tax season.

"The North Star here is that organizations like the IRS, which had an onslaught of spoofed e-mail, recognized this problem and aggressively adopted standards, including domain and e-mail protections," Spiezle said, adding the agency also required private sector partners to adhere to the security standards.

Government and industry should work together to develop a universal standard for authenticating e-mails as they cross networks, said Wayne Grundy, director of the Transglobal Secure Collaboration Program, a public-private partnership working to develop a common framework that will allow secure collaboration and sharing of sensitive information internationally.

"A standard is needed that crosses government and industry," he said. "One of the difficulties in rolling out any new capability is that all of these agencies have something in place that they're already using to secure e-mail. But because there is no standard, there is no interoperability."

In February, the National Institute of Standards and Technology released a draft revision of the Secure Domain Name System Deployment Guide (SP 800-81), a set of best practices that ensure "the authenticity of domain name information and [that] maintain the integrity of domain name information in transit," the document notes. Public comment on the draft ended March 31, 2009.