Homeland Security Secretary Jeh Johnson at an event in 2015. Photo credit: Gage Skidmore/Flickr
“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing.” — Homeland Security Secretary Jeh Johnson
If you aren’t yet convinced that spear phishing is a serious threat, perhaps this warning from the head of Homeland Security will persuade you.
Speaking to law enforcement officials last week at a security event in New York, Johnson warned that phishing is an enormous risk. He’s absolutely right: The Democratic National Committee email hacks that dominated this year’s election news began with phishing emails. John Podesta’s emails, and Colin Powell’s, were compromised through the same route. It’s no coincidence that security expert Brian Krebs gave the DNC (and the RNC) a failing grade for email security, because neither of them were using DMARC, the most advanced email authentication standard, which can help prevent such phishing attacks.
How is Homeland Security responding? Partly through education, and partly by testing employees. Johnson said that the department periodically sends emails to its employees with enticing subject lines like “Free Redskins tickets!” If anyone clicks, that’s a sign they haven’t learned to avoid clicking on links in suspicious emails.
However, education only goes so far, because studies have shown that it’s remarkably easy to get even sophisticated users to click on phish. That’s why email authentication is so important.
At the same conference, Manhattan District Attorney Cyrus Vance debuted a new tool from the Global Cyber Alliance that can help organizations install DMARC. The tool is free.
Vance also concurred with Johnson, stating “Phishing — mundane as it is — is the biggest threat we face and need to tackle.”
DMARC can be difficult to set up and manage due to the complexity of the standard and limitations with SPF and DKIM, which DMARC utilizes. ValiMail can help simplify DMARC and overcome built-in limitations, such as the 10-lookup limit in SPF. Contact us for more information and a free trial.