Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email. At the same time, users transmitting data over unencrypted HTTP, which does not protect data from interception or alteration, are vulnerable to eavesdropping, tracking, and modification of the data itself.
The Cybersecurity and Infrastructure Security Agency (CISA) encourages its State, Local, Tribal and Territorial (SLTT) government partners, as well as private entities, to use this guide to learn more about this threat and associated mitigation activities. This guidance is derived from Binding Operational Directive 18-01 – Enhance Email and Web Security and includes lessons learned and additional considerations for non-federal entities seeking to implement actions in line with federal civilian departments and agencies, as directed by CISA.
How It Works
- An attacker spoofs the domain of a reputable organization and sends an email that looks like a legitimate email from that organization.
- Data sent over HTTP is susceptible to interception, manipulation, and impersonation. This data can include browser identity, website content, search terms, and other user-submitted information.
Why It’s Effective
- Other organizations or members of the public might receive spoofed emails, perceive them to be from an authoritative source, and act on them.
- Internal employees may assume spoofed emails are legitimate and act upon them.
- An attacker who successfully spoofs a domain in order to send malicious emails from it can significantly harm the affected organization’s reputation.
- Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about the users of unencrypted websites and services.
Near Term Recommendations
To address the significant risks to organizational information and information systems posed by phishing emails and use of the unencrypted HTTP protocol, CISA directed federal civilian agencies to undertake the following series of near-term actions and encourages non-federal organizations to do the same:
Actions to Mitigate Phishing Email Attacks
- When enabled by a receiving mail server, STARTTLS signals to a sending mail server that the capability to encrypt an email in transit is present. While it does not force the use of encryption, enabling STARTTLS makes passive man-in-the-middle attacks more difficult.
- SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) allow a sending domain to effectively “watermark” its emails, making unauthorized emails (e.g., spam, phishing email) easy to detect. When an email is received that does not pass an organization’s posted SPF/DKIM rules, DMARC (Domain-based Message Authentication, Reporting & Conformance) tells the recipient what the domain owner would like done with the message.
- Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an organization to be made aware of the source of an apparent forgery, information that they would not normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.
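As an added example (not part of the CISA guidance), the following Python check grades a domain’s published DMARC TXT record against the two milestones named above: the minimum baseline of a valid policy plus at least one aggregate or failure report recipient, and the goal of a “reject” policy that also covers subdomains. The record strings are constructed; retrieving the real `_dmarc.<domain>` TXT record is left to the caller.

```python
import re

# DMARC policy values in increasing strength.
POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must carry v=DMARC1")
    if tags.get("p") not in POLICIES:
        raise ValueError("p= tag missing or invalid")
    return tags

def report_addresses(tags, tag):
    """Return mailto: recipients listed in rua= or ruf=, dropping any !size suffix."""
    uris = [u.strip() for u in tags.get(tag, "").split(",") if u.strip()]
    addrs = []
    for uri in uris:
        m = re.match(r"mailto:([^!]+)", uri, re.IGNORECASE)
        if m:
            addrs.append(m.group(1))
    return addrs

def assess_dmarc(record):
    """Grade a record: baseline = valid policy + a report recipient; reject = p=reject incl. subdomains."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"valid": False, "error": str(exc), "baseline": False, "reject": False}
    recipients = report_addresses(tags, "rua") + report_addresses(tags, "ruf")
    policy = tags["p"]
    subdomain_policy = tags.get("sp", policy)  # sp= defaults to p= when absent
    return {
        "valid": True,
        "policy": policy,
        "subdomain_policy": subdomain_policy,
        "recipients": recipients,
        "baseline": len(recipients) > 0,
        "reject": policy == "reject" and subdomain_policy == "reject",
    }
```

A record with p=reject but sp=none still fails the reject check, because mail spoofed from an unused subdomain would pass through unhindered.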
Actions to Enhance Web Security
- HTTP connections can be easily monitored, modified, and impersonated; Hypertext Transfer Protocol Secure (HTTPS) remedies each vulnerability. HTTP Strict Transport Security (HSTS) ensures that browsers always use an https:// connection, and removes the ability for users to click through certificate-related warnings.
- Organizations should continue to advance HTTPS and HSTS deployment, for example by removing support for known-weak cryptographic protocols and ciphers.
- According to CISA vulnerability scanning data, 7 of the 10 most common vulnerabilities seen across observed networks at the time of issuance of Binding Operational Directive 18-01 would be addressed by implementing the web security actions recommended in this guidance.
Where to Get Started
- Recommendations for enhancing email security:
- Configure all internet-facing mail servers to offer STARTTLS, and all second-level organization domains to have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
- Ensure that Secure Sockets Layer (SSL) v2 and SSLv3 are disabled on mail servers, and 3DES and RC4 ciphers are disabled on mail servers.
- Ensure that organizations add the centralized body’s reporting address as a recipient of DMARC aggregate reports.
- Set a DMARC policy of “reject” for all second-level domains and mail-sending hosts.
- Recommendations for enhancing web security:
- Ensure that all publicly accessible websites and web services provide service through a secure connection (HTTPS-only, with HSTS), SSLv2 and SSLv3 are disabled on web servers, and 3DES and RC4 ciphers are disabled on web servers.
- Identify second-level domains that can be HSTS preloaded (HTTPS will then be enforced for all of their subdomains) and provide the list to the centralized body charged with managing these recommendations.
- Consider drafting a report to the leadership of the centralized body charged with managing these recommendations on the status of implementation.
- Collect feedback and input from partner equities before release to avoid vendor constraints during implementation.
- Ensure the validating authority and its mechanisms are sound and in place before release, so that compliance can be tracked through to successful implementation.
- Send all sub-organizations a weekly scorecard to drive competition amongst the participants.
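As an added example (not part of the CISA guidance), this Python check reads a site’s Strict-Transport-Security header and reports whether HSTS is enforced at all and whether the header meets the HSTS preload list’s header requirements (max-age of at least one year, includeSubDomains, preload); the header values are constructed, and preload submission additionally requires a valid certificate and an HTTP-to-HTTPS redirect, which this check does not verify.

```python
# Minimum max-age the HSTS preload list requires (one year, in seconds).
PRELOAD_MIN_MAX_AGE = 31536000

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a directive dict."""
    directives = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives

def assess_hsts(header):
    """Report whether the header enforces HTTPS and whether it is preload-eligible."""
    if header is None:
        return {"enforced": False, "preload_eligible": False, "reason": "no HSTS header"}
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return {"enforced": False, "preload_eligible": False,
                "reason": "max-age missing or invalid"}
    enforced = max_age > 0  # max-age=0 tells browsers to forget the host: no enforcement
    problems = []
    if max_age < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing")
    return {
        "enforced": enforced,
        "max_age": max_age,
        "preload_eligible": enforced and not problems,
        "reason": "; ".join(problems) if problems else "header meets preload requirements",
    }
```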
Ongoing Recommended Actions
- Perform extensive outreach and support for technical as well as implementation questions.
- Host implementation events and technical exchanges to provide additional guidance on implementation.
- Send out scorecards weekly to leadership for awareness and to motivate improvement.
- Develop public-facing website to provide guidance and FAQs.
- Identify non-compliance for follow-on conversations.
- Develop a central reporting location for all DMARC reports, and provide analysis to all equities.
Lessons Learned and Additional Considerations
- Due to a general misunderstanding about how DMARC works, and the potential fear of “missing” emails, the centralized body charged with managing the recommendations should create guidance to share with non-technical staff.
- Many organizations do not understand the need to protect non-sending email domains with DMARC. DMARC adoption helps organizations better understand email use and categorize mail sending domains.
- Organizations need higher-level governance to guide their actions concerning these standards. Future changes in an environment could result in increased vulnerability.
- Organizations should be cautious when entering DNS records, as DNS is sensitive to errors.
- While the goal is to reach 100% adoption of mitigation best practices, an organization’s environment can fluctuate, causing unevenness in maturity. Adoption progress tends to ‘mature’ at the 90-95% mark, on average.
- The challenges around “indirect email flows,” where email is sent via intermediaries (mailing lists, account forwarding), are recognized as an issue and discussed further in the references below.
- There is a significant vendor constraint in disabling 3DES in mail environments.
- Microsoft has stated that they will begin disabling 3DES in July 2019.
- Google has launched MTA-STS as a solution.
- Be aware of potential issues with scanning sites that require authentication.
- Have a firm understanding of inventory/environment before release.
- Establish internal success metrics before release.
- Entities with consolidated IT organizations are more efficient at implementation.
- Many organizations, particularly smaller ones, may lack DMARC expertise and require support in order to implement DMARC.
- Reading and understanding DMARC reports is extremely difficult without a tool.
- Implementing the actions recommended in this guide may result in budgetary and/or contractual/vendor implications.