People may complain about the volume of email they receive, but email remains a massively important medium of communication. Nearly five billion active email accounts exist, generating hundreds of billions of messages every day.
Because of its ubiquity, malicious online actors have long favored email as a favored attack vector. Email attacks take a variety of forms, with increasing potential for trouble:
● Old fashioned scams, mailed in mass quantities, asking for bail bond, foreign cash account designations and the like. Few people are not on to these scams.
● Fakes coming from hacked accounts that include the recipient’s address, often containing a PDF, picture or hyperlink containing or leading to malware.
● Phishing from familiar institutions such as banks, internet service providers, or retailers asking for account verification, credit card information, or password resets.
● Highly targeted, well-crafted messages written by people with knowledge of the targeted organization, containing a request for data that would be highly plausible to the recipient. Like less sophisticated phishing, these messages appear to come from a legitimate sender doing expected business.
It is this fourth type that has chief information security officers, program managers and agency executives the most worried because of how real they seem. Even employees well trained in the dangers of e-mails can ⎯ and frequently do ⎯ fall for these. Moreover, they undermine employees’ sense of trust in all internal email. That can potentially harm productivity or disrupt operations. Such well-crafted messages coming from federal agencies to citizens can do similar harm.
So how to deal? For some answers, Federal News Radio convened a panel of federal and industry experts for insight into the latest best practices and technologies to protect organizations from email-derived fraud.
● Ping Look, executive advisor for security and awareness at Optiv
● Bhagwat Swaroop, executive vice president and general manager for email security at Proofpoint
● Sean Lang, chief information security officer at the Library of Congress
● Cameron Dixon of the National Cybersecurity Assessment and Technology Services branch, at Homeland Security’s National Protection and Programs Directorate
● Capt. Michael Dickey, commanding officer of the Coast Guard Command, Control, Communications, and IT Service Center.
Watch the webinar as they discuss a critical technology for email authentication, the Domain-based Message Authentication, Reporting & Conformance policy and its associated protocols. Thanks for the most recent Homeland Security Department’s Binding Operational Directive, federal agencies are required to begin developing plans for implementing DMARC.
Tom Temin, Federal News Radio
Tom Temin has been the host of the Federal Drive since 2006. Tom has been reporting on and providing insight to technology markets for more than 30 years. Prior to joining Federal News Radio, Tom was a long-serving editor-in-chief of Government Computer News and Washington Technology magazines. Tom also contributes a regular column on government information technology.
Sean Lang, Chief Information Security Officer, Library of Congress
Sean Lang is currently the Chief Information Security Officer for the Library of Congress. Prior to joining the Library of Congress, Mr. Lang was the Chief Information Security Officer for the Department of Homeland Security’s Science and Technology directorate where he was tasked with assuring the information security for Department’s research labs. Mr. Lang has also held positions covering most IT security disciplines in both the private and public sectors. He has also taught courses on secure application development and testing.
Cameron Dixon, IT Specialist, National Cybersecurity Assessments and Technical Services, National Protection and Programs Directorate, DHS
Cameron Dixon is a public servant at the U.S. Department of Homeland Security, where he works to improve information security practices across the government. Cameron manages the DHS “Cyber Hygiene” network and vulnerability scanning service, pushes for the deployment of stronger encryption and security standards across federal agencies, and believes in dispelling magical thinking with great kindness.
CAPT Michael Dickey, Commander, United States Coast Guard Command, Control, Communications, Computers and Information Technology Service Center (C4ITSC)
Captain Dickey, USCG, is the Commander of the Coast Guard’s Command, Control, Communications, Computers, & Information Technology Service Center (C4ITSC). In his current role, CAPT Dickey is responsible for overseeing the development and management of all C4IT Services for the Coast Guard.
Captain Dickey graduated from the United States Coast Guard Academy with a Bachelor of Science degree in electrical engineering in 1990. From 1994 to 1996 he attended graduate school at the University of Illinois where he earned a Master of Science degree in electrical engineering.
Captain Dickey has held a variety of challenging assignments in both Coast Guard operations and mission support, including: Operations Officer, Executive Officer and Commanding Officer of Coast Guard Cutters, project manager at the Coast Guard Research and Development Center, and Command of Electronic System Support Unit Cleveland and the Telecommunication and Information Systems Command (TISCOM).
In 2001 he was selected for assignment to the White House Communications Agency where he managed their first significant modernization of communications systems in 15 years. Most recently, Captain Dickey served as the Deputy Commander of Coast Guard Cyber Command.
Captain Dickey’s military awards include the Defense Meritorious Service Medal, three Coast Guard Meritorious Service Medals, four Commendation Medals, the Joint Service Achievement Medal, the Coast Guard Achievement Medal, and the Coast Guard Letter of Commendation.
Ping Look, Executive Advisor, Security and Awareness, Optiv
Ping Look brings over a decade of program leadership and experience to her current role as executive advisor, security communications and awareness at Optiv. In this role, Look oversees the development and implementation of the Optiv internal security awareness and education program, provides research and vision into improving the effectiveness of such programs, and advises companies and governments on developing a security-minded work force.
Look has broad experience in the information security field, having served in roles ranging from operations, marketing and program coordination to management, sales and practice management. Her experiences give her a unique understanding of the industry from both the perspective of technical practitioner to nontechnical end user.
Prior to her previous position at Accuvant starting in 2012, Ping served as event director for Black Hat briefings, and training and operations director at DEF CON where she was instrumental in growing the two events from underground gatherings to world renowned information security conferences. In the case of Black Hat, the event grew from 20 speakers and 300 attendees to a $20 million industry-recognized event with over 100 speakers, 100 sponsors and 10,000 attendees. As a result of her time at Black Hat and DEF CON, she has a unique connection and understanding of the most technical and influential resources in the industry.
Look holds a bachelor’s degree from Clark University.
Bhagwat Swaroop, Executive Vice President and General Manager, Email Security, Proofpoint
Bhagwat Swaroop leads Proofpoint’s industry-leading email security business unit. His global team delivers advanced email security, targeted attack protection, information protection and business continuity solutions to protect organizations worldwide. With more than 20 years of leadership success during tenures with Intel, McKinsey & Company, NetApp and Symantec, Mr. Swaroop excels in strategy, product development, go-to-market excellence and building high performance teams. Prior to joining Proofpoint, Mr. Swaroop served as vice president of Global Solutions, Product Management and Product Marketing at Symantec. He brings a deep understanding of the enterprise security landscape, technology ecosystem and cloud-driven business models to his role. Mr. Swaroop holds multiple degrees including a B.E. in instrumentation and control from Delhi Institute of Technology, a M.S. in electrical engineering from Arizona State University and an M.B.A. from the Wharton School of Business at the University of Pennsylvania.
Optiv is a market-leading provider of end-to-end cyber security solutions. We help clients plan, build and run successful cyber security programs that achieve business objectives through our depth and breadth of cyber security offerings, extensive capabilities and proven expertise in cyber security strategy, managed security services, incident response, risk and compliance, security consulting, training and support, integration and architecture services, and security technology. Optiv maintains premium partnerships with more than 350 of the leading security technology manufacturers.
Proofpoint Inc. is a leading next-generation security and compliance company that provides cloud-based solutions to protect the way people work today. Proofpoint solutions enable organizations to protect their users from advanced attacks delivered via email, social media and mobile apps, protect the information their users create from advanced attacks and compliance risks, and respond quickly when incidents occur.