Nearly 50% of all phishing attacks targeting government personnel in 2021 stole the credentials of federal, state and local government employees, according to a report released Wednesday by a cloud endpoint security firm.
Phishing attacks against public officials jumped 30% from 2020 to 2021, with one in eight workers exposed to phishing threats during the period, noted the report prepared by Lookout and based on an analysis of anonymized data from 200 million devices and 175 million apps owned by the company’s federal, state and local customers.
While malware delivery dominates mobile phishing attacks outside the public sector, credential theft continues to grow, increasing 47% in 2021 from the previous year, as malware delivery fell by 12% over the same period.
Compromised credentials offer threat actors an easy way to get their hands on valuable data held by governments.
“The first thing that comes to mind is nation-state actors trying to establish a presence on government networks,” observed Mike Fleck, senior director of sales engineering at Cyren, a cloud-based security provider in McLean, Virginia.
“Fraudsters would also be interested in access — think bogus unemployment claims and ‘cleaning’ VINs of stolen vehicles,” he told TechNewsWorld.
“When it comes to government,” added Steve Banda, Lookout’s senior manager for security solutions, “there will be highly confidential information available that will be valuable to a party somewhere, either a malicious individual or a nation-state.”
BYOD is growing in government
The report also noted that all levels of government are increasing their reliance on unmanaged mobile devices. The use of unmanaged devices in the federal government has increased by approximately 5% between 2020 and 2021, and by nearly 14% for state and local governments over the same period.
“We’ve seen there’s been some shift in what organizations are starting to do with mobile devices,” Banda told TechNewsWorld. “There’s a big shift toward unmanaged, especially as agencies feel more comfortable adopting BYOD strategies.”
“Remote work has definitely accelerated BYOD,” he added.
Although the increased use of unmanaged devices suggests the expansion of remote working, it could also be a recognition of the benefits of BYOD for employees and agencies.
“I used to have separate work and home phones, and it’s a lot easier to do everything on one device,” Fleck said.
“Covid has forced remote work faster than any government procurement cycle,” he explained. “It makes sense that agencies have been pressured to adopt a BYOD policy faster than their ability to purchase and deploy a mobile device management platform.”
Increased exposure to phishing
Allowing the use of unmanaged devices also indicates that agencies are finding that employees can work effectively remotely, said Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Florida.
“Modern software and tools enable unprecedented collaboration capabilities, and the devices being used are better than ever,” he told TechNewsWorld.
“With the onset of Covid forcing many organizations that were resistant to remote working to implement the tactic, many organizations have seen the benefits of allowing it to continue,” he said.
With more than a third of state and local government employees using personal devices for work in 2021, the report notes that these agencies are leading government adoption of BYOD.
While this provides employees with greater flexibility, he acknowledged that these unmanaged devices are more frequently exposed to phishing sites than managed devices because unmanaged personal devices connect to a wider range of websites and use a wider variety of applications.
“My experience shows that remote workers can be more susceptible to phishing because they work in an environment that blurs the line between work and private life, making them more comfortable and less alert than if they were in an office,” observed Kron.
Ray Steen, CSO of MainSpring, a managed IT services provider in Frederick, Maryland, added that remote workers aren’t necessarily more likely to fall for a phishing scam than other employees.
“But without the oversight or protection of corporate firewalls, they’re easier to reach through a variety of channels,” he told TechNewsWorld. “This increases the number of phishing scams they are exposed to, making them more vulnerable than long-term office staff.”
Outdated Android versions
The report contained both good and bad news regarding government workers running older versions of Android on their phones.
The bad news is that nearly 50% of state and local government employees use outdated Android operating systems, which exposes them to hundreds of device vulnerabilities.
The good news is that this is a marked improvement from 2020, when 99% were running older versions of the mobile operating system.
A good cybersecurity practice is to keep a mobile operating system up to date, the report explains. However, government agencies or departments may choose to delay updates until their proprietary apps have been tested, it continues. This delay creates a window of vulnerability during which a malicious actor could use a mobile device to access the organization’s infrastructure and steal data.
“New versions or releases of the operating system build on its previous version, containing rollups of all enhancements and security enhancements,” said Stuart Jones, director of the Cloudmark division at Proofpoint, a security company in Sunnyvale, California.
“Without the latest version of the operating system,” he told TechNewsWorld, “these enhancements are not leveraged on the device or available to the user.”
Steen added that in 2021, Google’s Threat Analysis Group (TAG) found at least nine zero-days impacting its products, including Android devices.
“Fixes for these vulnerabilities have been included in Android updates, but users stuck on older versions of the operating system cannot benefit from them,” he said.
Banda noted that it might be difficult to stay up to date with Android due to its fragmented environment.
“In order to update to a certain level, you need to have the right combination of firmware from the mobile operator and the device manufacturer,” he explained. “There are a number of components that determine whether you can support a release.”
This not only makes it difficult for a user to keep their Android version up to date, but for employers to keep the devices secure. “A company needs to know who is running which version of Android,” Banda said. “They need to figure out how to get that visibility and how to create policies to keep everyone updated on the latest release available to them.”
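The visibility-and-policy problem Banda describes, as an added example that is not code from the article, from Lookout, or from any agency: a small Python check that reads a device inventory (the two fields an MDM or endpoint agent can report from Android's `ro.build.version.release` and `ro.build.version.security_patch` properties), computes how stale each device's security patch level is, and returns an allow/warn/block decision. The thresholds, the stricter handling of unmanaged (BYOD) devices, the device IDs and the inventory rows are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Policy thresholds. These numbers are assumptions for the example, not values
# from the Lookout report or from any agency's policy.
MIN_ANDROID_MAJOR = 11        # block releases older than this major version
WARN_PATCH_AGE_DAYS = 90      # patch level older than this: warn (managed) / block (unmanaged)
BLOCK_PATCH_AGE_DAYS = 180    # patch level older than this: block regardless

LEVELS = {0: "allow", 1: "warn", 2: "block"}

# Fixed "today" so the sample run is reproducible (assumption for the example).
AS_OF = date(2022, 1, 15)


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # True = MDM-enrolled, False = BYOD / unmanaged
    android_release: str     # ro.build.version.release, e.g. "12" or "8.1.0"
    security_patch: str      # ro.build.version.security_patch, e.g. "2021-11-05"


def parse_release_major(release: str):
    """Major version from an Android release string; None if it cannot be parsed."""
    head = release.strip().split(".")[0]
    return int(head) if head.isdigit() else None


def parse_patch_level(patch: str):
    """Security patch level as a date; None if missing or malformed."""
    try:
        return date.fromisoformat(patch.strip())
    except ValueError:
        return None


def evaluate_device(device: Device, today: date):
    """Return (decision, reasons) for one device under the policy above."""
    level = 0
    reasons = []

    major = parse_release_major(device.android_release)
    if major is None:
        level = 2
        reasons.append(f"unparsable release {device.android_release!r}")
    elif major < MIN_ANDROID_MAJOR:
        level = 2
        reasons.append(f"Android {major} is below minimum {MIN_ANDROID_MAJOR}")

    patch = parse_patch_level(device.security_patch)
    if patch is None:
        level = 2
        reasons.append(f"missing or malformed patch level {device.security_patch!r}")
    else:
        age = (today - patch).days
        if age > BLOCK_PATCH_AGE_DAYS:
            level = 2
            reasons.append(f"patch level is {age} days old (> {BLOCK_PATCH_AGE_DAYS})")
        elif age > WARN_PATCH_AGE_DAYS:
            # A managed device can be pushed an update; an unmanaged one cannot,
            # so the same staleness is a warning for MDM-enrolled devices and a
            # block for BYOD devices.
            level = max(level, 1 if device.managed else 2)
            kind = "managed" if device.managed else "unmanaged"
            reasons.append(f"patch level is {age} days old (> {WARN_PATCH_AGE_DAYS}, {kind})")

    return LEVELS[level], reasons


def evaluate_fleet(devices, today: date):
    """Map device_id -> (decision, reasons) for every device in the inventory."""
    return {d.device_id: evaluate_device(d, today) for d in devices}


def summarize(results):
    """Count devices per decision."""
    counts = {"allow": 0, "warn": 0, "block": 0}
    for decision, _ in results.values():
        counts[decision] += 1
    return counts


# Constructed sample inventory (not real devices and not data from the report).
SAMPLE_FLEET = [
    Device("fed-001",   managed=True,  android_release="12",    security_patch="2022-01-05"),
    Device("fed-002",   managed=True,  android_release="11",    security_patch="2021-10-01"),
    Device("state-003", managed=False, android_release="11",    security_patch="2021-10-01"),
    Device("state-004", managed=False, android_release="8.1.0", security_patch="2019-12-05"),
    Device("local-005", managed=True,  android_release="12",    security_patch=""),
]


def run_sample():
    """Evaluate the constructed fleet as of AS_OF; returns (results, counts)."""
    results = evaluate_fleet(SAMPLE_FLEET, AS_OF)
    return results, summarize(results)


if __name__ == "__main__":
    results, counts = run_sample()
    for device_id, (decision, reasons) in results.items():
        print(f"{device_id:10} {decision:5} {'; '.join(reasons)}")
    print(counts)
```

The two devices with the same 106-day-old patch level get different decisions only because one is MDM-enrolled and the other is not, which is the practical consequence of the managed/unmanaged split discussed above: an agency can drive a managed device to the newest release its carrier and OEM firmware allow, but for an unmanaged device the only lever is whether it is granted access at all.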
Having worked in the federal space for most of his career, Sami Elhini, biometrics specialist at Contrast Security, a maker of self-protection software solutions in Los Altos, Calif., said he was painfully aware of the lengths to which adversaries will go to exploit and infiltrate government institutions.
“As a worker in this field, you have to be hypervigilant about all interactions, including those with co-workers,” he told TechNewsWorld. “As this report shows, phishing, a form of social engineering, is on the rise, and for good reason. Social engineering is one of the most effective ways to gain access to information or assets that one should not have access to.”