Why phishing attacks are increasingly targeting the public sector (and what you can do about it)

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Unlocking digital potential: Strategies for modernizing government services
Presented By Adobe
Download Now
Unlocking public sector potential
Presented By NTT DATA
Download Now
By Sam Hutton
 

Connecting state and local government leaders

By Sam Hutton

|

Many agencies rely on legacy email security solutions that fail to address today's sophisticated phishing attacks.

One need only look at the news to know cyberattackers are targeting government with renewed vigor. The massive 2015 breach of the Office of Personnel Management and reported hacks into the Democratic National Committee emails all dramatically underscore the fact that government and political organizations are a large and rapidly growing target for political hacktivism and cyber espionage.

But while cyberattacks on the largest agencies have received the lion’s share of the headlines, cybercriminals are also putting rejuvenated effort into attacks against smaller, lesser known public-sector agencies. While clearly not as sensational as the OPM hack, attacks against the Kansas Commerce Department, which leaked millions of Social Security numbers across 10 states, and against the Oklahoma Office of Management and Enterprise Services, compromising the personal information of more than 430,000 people in that state, have had a dramatic and far-reaching impact on public-sector security.

Perhaps surprisingly, these lower-profile attacks are garnering cybercriminals lucrative returns. And here’s why -- by targeting the low-hanging fruit in the commercial space they can eventually reach their desired targets. Initially, hackers interact with the supply chain or whatever “weak link” gets them in the door of larger organizations where they can then access a bounty of sensitive data.

Attackers take a similar approach with government agencies, targeting smaller organizations that typically lack adequate security defenses and are deemed easy targets.  These vulnerable, smaller government organizations also house an abundance of personal citizen data, including Social Security information and tax returns. While valuable on its own, this kind of highly sensitive user information opens the door for bigger, more sophisticated and expansive attacks that could lead to even more lucrative returns. Consequently, attackers see less reason to go after the highly defended Defense Department, when attacking a smaller agency can give them just as big a bang for their buck.

Phishing for targets: Infiltrating the government network

While it might be surprising in light of the sophisticated security landscape, today’s cyberattackers are still relying on age-old phishing attacks to infiltrate government networks. Government agencies, particularly small ones, often lack adequate email security defenses designed to combat increasingly stealthy threats. All too often, antivirus software -- a cornerstone of most small agencies' security infrastructure -- won’t even recognize the latest cyberthreats.

Meanwhile, despite the fact that malicious attachments are the primary cause of network compromise, file-based malware largely remains an enigma to most public-sector organizations. Less than two percent of malicious PDFs contain "just" an embedded file, while around 40 percent of Excel and 27 percent of Word malware have no macro or embedded file. This means that organizations that attempt to identify macros as their primary phishing attack defense strategy can easily miss malware in related attachments. All it takes is a click on one malware-bearing file for the attacker to successfully get in the door to compromise an entire government or public-sector network.

What’s more, phishing attacks  have been proved effective time and time again because employees repeatedly fall victim to them. According to Glasswall research, the vast majority (82 percent) of employees open email attachments if they appear to be from a known contact, despite learning about sophisticated social engineering attacks from their security training. Of those, 44 percent opened these email attachments every time they received one.

These days, it’s easier than ever for attackers to acquire personal details of government employees. A  simple social media search can uncover location, employment information and other personal interests. These details in turn can be leveraged with other types of data found in documents containing personally identifying information on government websites. From there, attackers use the combined information to craft an email that appears to be from a friend or colleague, often addressing the user with a subject that appears to have immediate relevance or requires action.

Criminals then hide malicious code -- such as a macro or JavaScript -- in the structure of what appears to be a common Office document or an attached functional element, which is accompanied by a socially engineered email designed to trick employees into clicking or downloading. Government employees who aren’t trained in email security best practices will often automatically open on the infected attachment, unintentionally downloading malware that can compromise the entire network and steal valuable data.

Even those employees who have been trained in network security become victims. Unlike phishing attacks in years prior, today's social engineering is so sophisticated that it can often successfully deceive even the savviest of security experts.

Bolstering the government security arsenal

Like many industries, the public sector is having a tough time protecting itself from phishing attacks. And perhaps one of the most significant challenges agencies face is that their approved legacy security infrastructure is becoming alarmingly less effective at combatting advanced threats. 

Email security solutions, in particular, have become less effective over time. Initially created to identify and reduce spam, they still leave many organizations susceptible to more malicious attacks, such as ransomware, botnets, viral worms and information-stealing Trojans.

One of the reasons for these diminished returns is that most of solutions on the market are reactive – that is, based on detection of malicious code. The result is that they often unable to defend against an attack that doesn’t meet predefined parameters. 

There are a few tactics that government agencies can take to reduce the likelihood of a devastating phishing attack.

Update email security policies to conform with current advanced threats, and hold regular training for employees on email security best practices, including being able to identify phishing emails and applying caution when clicking on unsolicited attachments. Among other things, routine training keeps email security top of mind for employees and creates an environment of awareness and information sharing that can be a strong first defense against phishing.

Invest in next-generation technologies, such as file-regeneration solutions, that will provide adequate defense against corrupted email documents leveraged in phishing attacks.

At its core, an automated file regeneration solution can disarm malicious files, producing a benign version referenced against the manufacturer’s original standard, and check it down to byte level, as opposed to just looking for active content in the body of the document. From there, the sanitized file is regenerated and passed on to users in real time, without the user even knowing. The technology protects organizations against the smallest alterations in file structure, detecting, for example, where criminals have altered just a few bytes in a PDF file to crash the reader software, launch malware or trigger hidden exploits.

Overcome apathy toward growing email threats targeting government networks. Despite the number of high-profile breaches occurring regularly in government agencies, many IT managers are still complacent about security, relying on outdated antivirus and perimeter solutions that fail to address where most of threats are hidden -- in file-based malware delivered in email attachments.

The public sector has no shortage of obstacles to overcome: dwindling budgets, rapidly evolving malware, lagging patch policies and slow software updates. But if history is any indication, it’s a safe bet that criminals will continue to go after the targets that provide the biggest returns. That means they will forego targeting a highly protected organization and attack smaller and less security-minded agencies with critical data that give them an inroad to larger networks.  Taking the right steps to increase awareness and invest in the right defenses will go a long way to reducing the risk of a devastating attack that is almost sure to come down the road.

NEXT STORY: Creating a blockchain playbook for government

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.