Nearly 50% of all phishing attacks in 2021 were aimed at pilfering the credentials of federal, state, and local government workers, according to a report released Wednesday by an endpoint-to-cloud security company.
Phishing attacks on civil servants jumped 30% from 2020 to 2021, with one out of every eight workers exposed to phishing threats during the period, noted the report prepared by Lookout and based on an analysis of anonymized data from 200 million devices and 175 million apps belonging to the company’s federal, state and local government customers.
While malware delivery dominates mobile phishing attacks outside the public sector, in it credential theft continues to grow, increasing 47% in 2021 over the previous year, as malware delivery dropped 12% during the same period.
Compromised credentials provide an easy way for threat actors to get their hands on valuable data possessed by governments.
“The first thing that comes to mind are nation-state actors trying to establish a presence on government networks,” observed Mike Fleck, senior director of sales engineering at Cyren, a cloud-based security provider in McLean, Va.
“Fraudsters would also be interested in access — think phony unemployment claims and “cleaning” VINs of stolen vehicles,” he told TechNewsWorld.
“When it comes to government,” added Lookout Senior Manager for Security Solutions Steve Banda, “there’s going to be some highly confidential information available that’s going to be valuable to some party somewhere, either a malicious individual or nation-state.”
BYOD Expanding in Government
The report also noted that all levels of government are increasing their reliance on unmanaged mobile devices. The use of unmanaged devices in the federal government increased by some 5% from 2020 to 2021 — and close to 14% for state and local governments during the same period.
“We saw there was quite a bit of a shift when it came to what organizations are starting to do with mobile devices,” Banda told TechNewsWorld. “There’s a large shift towards unmanaged, especially as agencies get more comfortable adopting BYOD strategies.”
“Remote work has definitely accelerated BYOD,” he added.
While increased use of unmanaged devices suggests the expansion of remote work, it also might be a recognition of the benefits of BYOD to employees and agencies.
“I’ve had separate work and personal phones before, and it’s much easier to do everything on one device,” Fleck said.
“Covid forced remote work faster than any government procurement cycle,” he explained. “It makes sense that agencies were forced to adopt a BYOD policy faster than their ability to purchase and deploy a mobile device management platform.”
Greater Phishing Exposure
Permitting the use of unmanaged devices also indicates that agencies are finding that employees can work effectively remotely, maintained Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“Modern software and tools allow for unprecedented collaboration abilities, and the devices being used are more capable than ever before,” he told TechNewsWorld.
“With the onset of Covid forcing many organizations that were resistant to remote working to implement the tactic, a lot of organizations have seen the benefits in allowing it to continue,” he said.
With more than one-third of state and local government employees using personal devices for work in 2021, the report noted that these agencies are leading the government adoption of BYOD.
While this provides employees with greater flexibility, it acknowledged that these unmanaged devices are more frequently exposed to phishing sites than managed devices, because unmanaged personal devices connect to a broader range of websites and use a greater variety of apps.
“My experience shows that remote workers may be more susceptible to phishing because they are working in an environment that blurs the line between a job and home life, making them more comfortable and less alert than if they were in an office,” observed Kron.
Ray Steen, CSO of MainSpring, a provider of IT-managed services in Frederick, Md., added that remote workers are not necessarily more likely to fall for a phishing scam than other employees.
“But without supervision or the protection of enterprise firewalls, they are easier to reach through a variety of channels,” he told TechNewsWorld. “This increases the number of phishing scams they are exposed to, rendering them more vulnerable than in-office personnel over the long run.”
Outdated Android Versions
The report had good and bad news about government workers running old versions of Android on their phones.
The bad news was that nearly 50% of state and local government employees are running outdated Android operating systems, exposing them to hundreds of device vulnerabilities.
The good news is that’s a marked improvement over 2021, when 99% were running hoary versions of the mobile operating system.
A cybersecurity best practice is to keep a mobile operating system up to date, the report explained. However, government agencies or departments may choose to delay updates until their proprietary apps have been tested, it continued. This delay creates a vulnerability window during which a threat actor could use a mobile device to access the organization’s infrastructure and steal data.
“New releases or versions of the OS build upon its previous release, containing roll-ups of all the security enhancements and improvements,” said Stuart Jones, director of the Cloudmark division at Proofpoint, an enterprise security company in Sunnyvale, Calif.
“Without the latest version of the OS,” he told TechNewsWorld, “these enhancements are not taken advantage of on the device or available to the user.”
Steen added that in 2021, Google’s Threat Analysis Group (TAG) discovered at least nine zero-days impacting its products, including Android devices.
“Patches for those vulnerabilities were included in Android updates, but users stuck on older OS versions can’t benefit from them,” he said.
Banda noted that it could be challenging to remain up to speed with Android because of its fragmented environment.
“In order to update to a certain level, you need to have the right combination of mobile operator and device manufacturer’s firmware,” he explained. “There’s a number of components that determine if you can take on a release.”
That not only makes it difficult for a user to keep their Android version current, but for employers to keep the devices secure. “A company needs to know who is running what version of Android,” Banda said. “They have to figure out how to get that visibility and how to create policies to keep everyone up to speed on the latest version that’s available to them.”
Having worked in the Federal space for most of his career, Sami Elhini, a biometrics specialist with Contrast Security, a maker of self-protecting software solutions in Los Altos, Calif., said he is painfully aware of the lengths adversaries will go to exploit and infiltrate government institutions.
“As a worker in this field, one must be hypervigilant about all interactions, including those with coworkers,” he told TechNewsWorld. “As this report shows, phishing, a form of social engineering, is on the rise, and for good reason. Social engineering is one of the most effective ways of gaining access to information or assets one should not have access to.”