The Global Cyber Alliance continues to coordinate smart guidance, tips and approaches for improving security posture. They are an international, cross-sector organization designed to confront, address, and prevent malicious cyber activity (it is led by the gracious and sociable cyber champion Phil Reitinger).
Their most recent report is titled "Top Federal IT Contractors Leave Emails Vulnerable to Phishing, Spoofing." It is the result of a study of how the top federal contractors use a special email protocol called DMARC (Domain-based Message Authentication, Reporting and Conformance). Basically, DMARC is a widely accepted set of configurations and protocols that help organizations make sure their domains are not being spoofed by bad guys. Setting up DMARC is pretty easy, and once it is in place it is harder for attackers to use your domain in phishing attacks against others, and a little easier to protect your own employees from some kinds of tricks.
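The kind of check that decides whether a domain is "in compliance" comes down to reading its DMARC TXT record and asking whether it actually tells receivers to do something with spoofed mail. The following is an added example, not code from the original post or from the Global Cyber Alliance: it parses a DMARC record and classifies the domain's posture. The domain names, record strings and the posture labels are constructed for the example.

```python
# Policy values in order of strength (RFC 7489 p / sp tag values).
_POLICIES = ("none", "quarantine", "reject")

# Constructed sample records keyed by hypothetical domain; None means no record published.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=quarantine; pct=25",
    "example.edu": "v=DMARC1; p=reject; sp=none",
    "example.co": None,
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict. Returns None if it is malformed."""
    tags, order = {}, []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        name, _, value = part.partition("=")
        name = name.strip().lower()
        tags[name] = value.strip()
        order.append(name)
    # RFC 7489: the version tag must come first and be exactly DMARC1, and p is required.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return None
    if tags.get("p") not in _POLICIES:
        return None
    return tags

def assess_dmarc(txt):
    """Classify posture: missing, invalid, monitor-only, partial or enforcing."""
    if txt is None:
        return "missing"          # nothing tells receivers what to do with spoofs
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"]
    sub_policy = tags.get("sp", policy)   # subdomain policy defaults to p
    if sub_policy not in _POLICIES:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor-only"     # reports flow, but spoofed mail is still delivered
    if pct < 100 or _POLICIES.index(sub_policy) < _POLICIES.index(policy):
        return "partial"          # sampling or a weaker subdomain policy leaves gaps
    return "enforcing"
```

Only "enforcing" corresponds to the compliant state the report counts; a p=none record looks like DMARC is "set up" but still lets spoofed mail through.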
With the release of their new report, I was asked by Government Matters TV to provide some context on the report.
Before doing so I did a bit of my own research using the simple-to-use tool at https://dmarcguide.globalcyberalliance.org/#/.
I typed in the domains of every major defense contractor myself. Like the Global Cyber Alliance, I found only one of the top 50 was in compliance. I was so excited to find it was the team at Carahsoft who had put this in place. I had the pleasure of telling that to Craig Abod of Carahsoft in person today. Craig knows the importance of this to keeping trust with partners and customers in the ecosystem. I know others in the community also aspire to be as trusted as Carahsoft and imagine we will see many others follow suit soon. I would also recommend that anyone in the federal ecosystem, in or out of government, who wants tips on how to implement DMARC should reach out to Carahsoft. They have the experience to get you started on that right away and can also recommend software tools to help make it ironclad.
The video also provides some context on suggestions of a consolidation of DoD IT and on lessons from the RSA conference, and mentions the Cloud Security Alliance.