How the Department of Homeland Security is cracking down on phishing

Federal domain adoption of DMARC increased 38 percent in a 30-day period, but is it enough to secure government agencies from email fraud? Agari founder Patrick Peterson explains how the system works.

Late last year, in Q4 2017, the United States Department of Homeland Security issued a mandate called BOD 18-01, it's better known as DMARC. The intent of DMARC is to strengthen email cyberprotections and crack down on things like phishing and other forms of cybervulnerability. For TechRepublic and ZDNet, I'm Dan Patterson. And it's a pleasure today to speak with Agari founder and executive chairman Patrick Peterson. Patrick, thanks a lot for your time today. Let's start with the acronym. What is DMARC? And what is the intent of this new regulation, or this new law?

Peterson: Thank you. It's a pleasure to talk to you and your viewers. You've hit me with a tough one to start. But I'm going to do my best. This is an acronym named by geeks, I was one of them, who clearly do not have an inch or an ounce, or a millimeter of marketing savvy, because DMARC stands for Domain-based Message Authentication, Reporting and Conformance. And I'll tell you a quick story. I was just briefing about 90 people, three groups of 30 every 10 minutes. I asked everyone what the acronym was. Everyone knew the technology, but only one person knew the acronym. I'll give you the acronym. But not our finest moment of techies coming up with a name for it.

Patterson: Often the tech unfortunately in this case is so much more important than the acronyms. What is the technology behind DMARC? And what is the intended purpose of this policy?

Peterson: You bet. As you and your viewers might know, sadly, internet email was built in 1982. At that point in time, there was no security model. There was no thought about security. There was hardly anyone who was on the ARPANET. So why would you make it secure? As a result, when they invented this technology, there was no authentication in email. That means I can send an email as Dan Patterson at TechRepublic. I can send an email as Donald Trump at whitehouse.gov. I can impersonate anyone I would like in email. It's absolutely trivial to do. The reason that DMARC exists is, for many years, nation states, hacktivists, cybercriminals have been doing this daily. They love to claim to be PayPal, Apple, the United States government, trusted advisors to the president of the United States. And when they do, the computer systems look at those messages, and they take it at face value that you are who you claim to be. And this vulnerability has led to phishing, targeted attacks, cyberespionage, with email being the most common method by which we get harmed.

And so, about a decade ago now, maybe a little less, PayPal, myself at Agari, Google, Microsoft, Yahoo, a bunch of us came together and said, "Let's put the genie back in the bottle. Let's take the unsecured, unauthenticated technology that's been feeding the bad guys for years, and build a standard so that TechRepublic, or Agari, or the Department of Health and Human Services can take back their identity."

They can say, "We are Health and Human Services. We're the only ones who claim to be us."

And criminals, no more sending these fake open enrollment emails or saying that, "Your Obamacare has been canceled." Or, "We need to get a new payment information for you."

And that's what DMARC was designed to do. That's what it's been incredibly successful at.

Patterson: How do you then assure that, without some more complicated encryption techniques that do things like fingerprinting? PGP has ways we can authenticate who an email is coming from. How does your technology work without using some of the more confusing or at least technically challenging solutions?

Peterson: That's a great question. If you take PGP and S/MIME for example, and there's other technologies as well, those are wonderful ways for an end user to encrypt the messages they send to someone else, and vice versa. And we support those. We think they're great. On the other hand, my mom receives emails from Wells Fargo, the Social Security Administration, Health and Human Services, and about 50 other organizations. I'm sorry, but even her loving children, who are IT staff, are not going to set up all those technologies for her to send emails back and forth.

And so, this was designed really to complement the individual message encryption technologies. What happens is, again we'll use Health and Human Services as our poster child, they authenticate all their email when it leaves their gateways, or when it leaves their third party providers. This isn't happening on every single desk at Health and Human Services. It's not happening inside every single email. Instead, it's happening as it leaves their organization. And then, when it gets to a Google, or a Yahoo, or a Microsoft, or an AOL, they also verify the authenticity at their gateway layer. And then when it lands in your inbox, my inbox, or my mom's inbox, it's already taken care of. By not having to put software, and do things on everyone's end computer, we can't get end-to-end, but we make this much more scalable. And right now, we're processing 10 billion messages a day this way. We never would have been able to do that if it required everyone to do something like PGP, which requires lots of end user client software.

Patterson: I'm glad you brought up the end user, because often as secure as outbound messaging can be, it all ultimately ends up in the inbox of somebody who could hover over an obfuscated email or something, a phishing attack that looks pretty legit. What do we do about the end user? How do we inform people? How do we protect them with technology?

Peterson: That's a great question. First, we do believe that the end user should be educated. Just like when I was getting my driver's license, they talked to me about defensive driving, and driving on slick roads. That's the kind of thing that we should be telling our end users. On the other hand, when I get in the car, I don't actually open the hood and check the oil. I don't overhaul the engine. And if I don't understand exactly how anti-lock brakes work, I can use them just fine. That's our model for security. While we should have some common sense training for those on the internet, the technology should work and keep you safe. And if you get sideswiped by someone, that roll cage, that airbag should keep you safe whether or not you've had your most recent automotive security training.

The great thing about DMARC is that all of the phishing is removed, at least from brands who adopt it. The end user doesn't have to think about this problem, doesn't have to worry about it. They just get fewer Health and Human Services and PayPal phish. And that's our model for how end users should be better served. We don't think it's getting them all PhDs in computer security, even though a few more wouldn't hurt our job market at all.

Patterson: If there's one thing we can be certain of, it is that phishing attacks like this will continue to occur, so anything that can crack down on illegitimate email and increase end user and sender trust is going to be more important as the year goes forward. Agari founder and executive chairman Patrick Peterson, thanks for your time today. I wonder if you could leave us with a forecast as we look into 2018 and beyond. We know to expect phishing attacks. But how are these becoming more sophisticated and evolving? And attached to that, how can we as end users, as business owners, or as employees help protect ourselves?

Peterson: That's a great question. Let me give you an example of that, and then talk a little bit about why the DHS mandate is so important. The example attacks we saw in the last presidential election are the poster children for what we have to fear. Targeted at John Podesta and many others, incredible social engineering, and they were done with a lot of sophistication. For example, every recipient got a unique URL that was a shortened link. And those were never reused again. Those are the kind of attacks we see where the social engineering element, the personalization of it, the crafting of it, is incredibly sophisticated. That's, I think, one of the reasons, because this has been so disruptive to our government, that the Department of Homeland Security came out with that directive you mentioned, the 18-01 that said, "The federal government shall secure their identities. It will no longer be possible to impersonate a federal agency, which will make our agencies and our citizens a lot safer."

We've been incredibly excited to release some research that shows that in a brief two months, 47% of the federal government has already begun adopting DMARC, and is going to make those kinds of sophisticated, socially engineered cyberattacks a thing of the past. And in fact, the government has even eclipsed the Fortune 500 in terms of their adoption. And so, the last thought I'll leave you with is, it so happens today that Alex Azar is going to be the new secretary of Health and Human Services pending, I'm sure, some interesting grillings from Congress. As he goes before Congress, he should be proud that his Health and Human Services team, and the rest of the government may have some challenges before them, but they're definitely helping our citizenry be more secure. And that's one of the most exciting things that we have to combat those advanced social engineering attacks that we're going to see in 2018.
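The gateway-side check Peterson describes above (the sending organization authenticates outbound mail as it leaves its gateways, and the receiving provider verifies it at its own gateway and applies the published policy) can be illustrated with a small DMARC policy evaluator. This is an added example, not code from the article or from Agari. The DMARC record, the domains and the SPF/DKIM results are constructed placeholders, and the organizational-domain derivation is a simplification (real receivers use the Public Suffix List); `pct` sampling and report delivery (`rua`/`ruf`) are left out.

```python
"""Toy DMARC policy evaluation: parse a published record, check that the
SPF/DKIM-authenticated domains align with the visible From: domain, and
return the disposition a receiving gateway would apply. Constructed example."""

from dataclasses import dataclass

# Constructed DMARC TXT record for a hypothetical agency domain (placeholder).
SAMPLE_DMARC_RECORD = (
    "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
    "rua=mailto:dmarc-reports@example.gov"
)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")      # requested policy for the domain itself
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Assumption for this example; production code consults the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain the user actually sees
    spf_result: str    # "pass" / "fail" / "none" as reported by the SPF check
    spf_domain: str    # RFC5321.MailFrom domain that SPF authenticated
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def evaluate(policy: dict, r: AuthResult, policy_domain: str) -> dict:
    """DMARC passes if either SPF or DKIM passes *and* is aligned with From:."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    # The subdomain policy (sp=) applies when From: is a subdomain of the policy domain.
    is_subdomain = r.from_domain.lower() != policy_domain.lower()
    if passed:
        disposition = "none"
    else:
        disposition = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": disposition,
    }


if __name__ == "__main__":
    policy = parse_dmarc(SAMPLE_DMARC_RECORD)
    # Legitimate mail: SPF passes for a bounce subdomain, relaxed alignment accepts it.
    print(evaluate(policy, AuthResult("example.gov", "pass", "bounce.example.gov", "none", ""), "example.gov"))
    # Impersonation: From: claims example.gov but SPF/DKIM only vouch for example.net.
    print(evaluate(policy, AuthResult("example.gov", "pass", "mailer.example.net", "pass", "example.net"), "example.gov"))
```

The second case is the situation Peterson describes: the message is "authenticated" in the narrow sense (SPF and DKIM both pass for the domain the attacker controls), but neither authenticated domain aligns with the From: domain the recipient sees, so the receiver applies the published `p=reject`.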

About Dan Patterson

Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.
