Page 12 - GCN, August/September 2018

[Briefing]
  Restoring trust in electronic documents BY SUSAN MILLER
With the task of verifying the trustworthiness of shared data becoming exponentially larger and more difficult, the Defense Advanced Research Projects Agency is developing a dramatically better way to detect and reject invalid or maliciously crafted electronic data.

The new Safe Documents (SafeDocs) program seeks to ensure that an electronic document, image or message is automatically checked before it is deemed safe to open and that untrustworthy versions are converted into safer document formats without affecting their essential functionality.

“With today’s online risk environment, allowing software to interact with untrusted electronic documents and messages is akin to downloading and running untrusted programs on your computer,” said Sergey Bratus, DARPA’s SafeDocs program manager. “Through SafeDocs, we are looking for ways to reduce the complexity of electronic document exchange and minimize the means of exploitation for all malicious actors — from cybercriminals to nation-states.”

DARPA plans to focus on two technical areas. The first will involve developing methodologies and tools for understanding, simplifying and reducing electronic data formats to safe, verification-friendly subsets that can be used without affecting the formats’ core functions.

Under the second focus, researchers will create software construction kits for building secure, verified parsers to break data inputs into manageable objects for further processing. The technology could be used on new and existing data formats.
DMARC deadline looms for federal agencies
BY TROY K. SCHNEIDER
When it comes to cyber intrusions, email is by far the biggest attack vector. So last October when the Department of Homeland Security issued Binding Operational Directive 18-01 to enhance email and web security, authenticating the domains from which federal email is sent became a central focus.

By Oct. 16, 2018, federal agencies are expected to be blocking all unauthorized use of agency domains for sending email. Achieving full compliance is complicated, however, and the risks of doing it wrong are significant.

Email protocols — like the internet itself — were not designed with security in mind. “Email is not authenticated in and of itself,” said Alexander Garcia-Tobar, CEO and co-founder of ValiMail. With the right information in a message header, “anyone can send an email as anyone.” At FCW’s Cybersecurity Summit in August, he explained how the Domain-based Message Authentication, Reporting and Conformance protocol adds that missing authentication.

By putting a DMARC record into the Domain Name System for each agency domain — a simple cut-and-paste effort, he said — agencies can receive notifications for every service or IP address that is sending messages using that domain.

The list of senders produced by this “discovery phase” can be surprisingly long, said Garcia-Tobar, whose firm provides DMARC services that have been approved under the Federal Risk and Authorization Management Program.

“We had an agency [where] jaws just dropped when they were shown that there were 38 services — legitimate ones — that were sending as that agency’s domain. They had no idea.”

“Email is not authenticated in and of itself.”
— ALEXANDER GARCIA-TOBAR, VALIMAIL

Former Agriculture Department CIO Jonathan Alboum, who participated in the same panel discussion, said the exponential increase in third-party email senders is a logical result of the government’s embrace of digital services.

It would be foolish to send every citizen-service message via an agency’s core internal email system, but “over time, we’ve added a lot of complexity to our environments,” said Alboum, who is now Veritas Technologies’ CTO for public sector.

Garcia-Tobar said the second phase of compliance involves enforcement and protection. Organizations should create and publish whitelists of approved senders for each domain, which effectively tell email servers worldwide to trash messages from senders not on those lists.

Agencies were supposed to begin gathering data for each domain in January, and Garcia-Tobar said that although discovery-phase compliance is still far from universal, the federal government’s progress has been impressive. Less than 30 percent of agencies had a DMARC record a year ago, but “now it’s more than 70 percent. That is faster than any vertical sector we’ve seen...on the commercial side.”

Actual enforcement, however, lags far behind. Among the top 30 federal agencies, “if you look at their primary email-sending domain, less than 20 percent of those are protected at this point,” he said.
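As an added example (not code from the article, GCN or ValiMail), here is how the two compliance phases described above map onto the data an agency actually handles: the p= tag of the domain's DMARC TXT record decides whether receivers merely report (discovery) or act on unauthorized senders (enforcement), and the aggregate reports DMARC delivers can be rolled up per sending IP to produce the sender list the discovery phase yields. The report, the domain agency.example and the IP addresses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report, reduced to the fields used below.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>agency.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>8</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def parse_dmarc_txt(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def policy_stage(tags):
    """Map the p= tag to the phase the article describes: discovery or enforcement."""
    p = tags.get("p", "none")
    if p == "none":
        return "discovery"     # reports only; receivers block nothing
    if p in ("quarantine", "reject"):
        return "enforcement"   # receivers quarantine or discard unauthorized senders
    return "invalid"

def summarize_sources(xml_text):
    """Per source IP: total messages and how many failed DMARC (neither aligned DKIM
    nor aligned SPF passed). Failing sources are unauthorized senders or legitimate
    services that are not yet on the domain's whitelist."""
    sources = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip, count = row.findtext("source_ip"), int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = sources.setdefault(ip, {"count": 0, "failed": 0})
        entry["count"] += count
        entry["failed"] += 0 if passed else count
    return sources

def unauthorized_sources(xml_text):
    """Source IPs that never passed DMARC, largest sender first."""
    s = summarize_sources(xml_text)
    bad = [ip for ip, v in s.items() if v["failed"] == v["count"]]
    return sorted(bad, key=lambda ip: -s[ip]["count"])
```

With the sample report, 203.0.113.99 is the only source that fails both checks and so is the one to investigate before moving the policy from p=none to an enforcing value.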