Mitigating the threat of ransomware, FHFA uses all the tools at their disposal

Have you ever gotten one of those phishing test emails from your agency’s IT team? You know the ones promising free food for filling out a form or a suspicious request to buy a bunch of iTunes gift cards for your boss. It turns out that those test emails are effective at countering real-life phishing attacks. That is according to Ralph Mosios, the chief information security officer at the Federal Housing Finance Agency.

“Phishing is probably the number one threat vector,” Mosios said on Federal Monthly Insights: Going Beyond Data Protection. “So we conduct these phishing tests. We monitor the metrics, we change it up every month, we target specific groups to ensure that they are not clicking on attachments, not clicking on links in emails.”

FHFA regulates the Federal Home Loan Banks as well as Fannie Mae and Freddie Mac. As such, ransomware attacks are a serious concern.

Training end users is critical, since they are on the front lines of potentially interacting with malicious actors digitally. According to Mosios, preventative measures such as DMARC and DomainKeys Identified Mail (DKIM) reduce the attack surface for end users, but they are not 100% effective at stopping attackers from getting through.
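The gap Mosios describes is easy to see in the records themselves: a domain can publish DMARC and still leave spoofed mail deliverable if the policy is only monitoring. As an added example, not FHFA's configuration or code, the following Python parses a DMARC TXT record and reports which settings still let failing mail land. The two records and the example.gov reporting mailbox are constructed for the demo.

```python
"""Grade a DMARC record by how much spoofed mail it still lets through.

Added illustration, not FHFA code or configuration.  The two records and
the example.gov mailbox are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    policy: str            # p= tag: none | quarantine | reject
    subdomain_policy: str  # sp= tag, defaults to the p= value
    pct: int               # share of failing mail the policy is applied to
    findings: list[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only if every message failing DMARC is quarantined or rejected."""
        return self.policy in ("quarantine", "reject") and self.pct == 100


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs (RFC 7489)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> DmarcAssessment:
    """Return the effective policy plus the reasons spoofed mail may still land."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    result = DmarcAssessment(policy, sub_policy, pct)

    if policy == "none":
        result.findings.append(
            "p=none: receivers only report failures; spoofed mail is still delivered")
    elif sub_policy == "none":
        result.findings.append(
            "sp=none: the org domain is enforced but subdomains can still be spoofed")
    if pct < 100:
        result.findings.append(
            f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        result.findings.append(
            "no rua= address: no aggregate reports, so failures go unseen")
    return result


# Constructed records: the first is the usual 'monitor only' starting point,
# the second is the enforced end state.
WEAK_RECORD = "v=DMARC1; p=none"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.gov; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD)):
        a = assess_dmarc(record)
        print(f"{label}: p={a.policy} sp={a.subdomain_policy} pct={a.pct} "
              f"enforcing={a.enforcing}")
        for finding in a.findings:
            print("  -", finding)
```

Even the strict record only protects the exact domain it is published for: mail from a lookalike domain the attacker registers, or from a legitimate but compromised mailbox, passes DMARC and DKIM cleanly. That is why the user-facing training in the article still matters once the records are enforced.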

“Besides a phishing test, we do provide literature and information to our end users on what the threat is,” Mosios said on the Federal Drive with Tom Temin. “We have annual training, general cybersecurity training, that we emphasize phishing as well … As a matter of fact, we get measured on phishing metrics. The government standard is to keep that click rate at 10% or below.”

There are other avenues for ransomware attacks besides phishing, which is why Mosios also emphasizes basic cyber hygiene, starting with patching.

“If you’re not patching your systems, you’re going to be vulnerable to ransomware attacks and other malicious software,” Mosios said. “I like to make sure that we patch our systems. An organization cannot control the number of vulnerabilities they have. But you certainly can reduce the time to patch those systems based on risk level. So that’s part of my overall cyber hygiene program.”

With much of the FHFA’s workforce working remotely and fewer than 30% of employees going into the office, managing mobile devices such as laptops and smartphones is another consideration for the chief information security officer.

“[We] actually configure the laptop to save it to a network drive, which is our default policy,” Mosios said. “But certainly users can save it locally. But our backup systems encourage it, or force it to save it to our network drive. So you really have to be connected to the internet, which goes into our network, of course.”

For smartphones, the policy is stricter. Users cannot store information on their cell phones.

And if every preventative measure fails (none has to date), regular backups, verified before they are needed, are what limit the damage of a ransomware attack.

“We certainly have a backup and recovery strategy; we conduct tests on our backup and recovery systems. We have administrators that actually test the data as well,” Mosios said. “It’s one thing to back up the system. But if you don’t actually test the integrity of the data, then it’s essentially like not even having a backup, because, as you probably can imagine, backup systems do get corrupted. So part of any good playbook is to ensure that you test the backup and the data.”
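One concrete way to "test the data" rather than just the backup job is a hash manifest: record a SHA-256 for every file when the backup is taken, store the manifest separately from the backup media, and compare a trial restore against it. As an added example, not FHFA's tooling, the Python below builds such a manifest, restores a copy, silently corrupts one file in the backup the way failing media would, and shows the verification catching it. The directory layout, file names and contents are constructed for the demo.

```python
"""Hash-manifest verification of a backup set: proves a trial restore is
byte-identical to what was backed up.  Added illustration, not FHFA code;
the files below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _relative_files(root: Path) -> list[str]:
    return [str(p.relative_to(root)).replace("\\", "/")
            for p in sorted(root.rglob("*")) if p.is_file()]


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (relative to root) to its SHA-256, taken at backup time."""
    return {rel: sha256_file(root / rel) for rel in _relative_files(root)}


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the restore matches."""
    problems: list[str] = []
    for rel, expected in manifest.items():
        candidate = restored / rel
        if not candidate.is_file():
            problems.append(f"{rel}: missing from restore")
        elif sha256_file(candidate) != expected:
            problems.append(f"{rel}: hash mismatch (corrupted or tampered)")
    # Files that appeared without being in the manifest are also suspicious.
    for rel in sorted(set(_relative_files(restored)) - manifest.keys()):
        problems.append(f"{rel}: not in manifest (unexpected file)")
    return problems


def run_demo(corrupt_backup: bool = True) -> list[str]:
    """Constructed scenario: back up a small share, restore it, and verify.

    With corrupt_backup=True one byte string in the backup copy is altered
    before the restore, simulating silent media corruption.
    """
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        share = work / "share"
        (share / "policies").mkdir(parents=True)
        (share / "loans.csv").write_text("id,amount\n1,250000\n")
        (share / "notes.txt").write_text("quarterly review\n")
        (share / "policies" / "backup.md").write_text("# Backup policy\n")

        # Take the backup and write the manifest somewhere the backup job
        # cannot overwrite (here simply beside it, for the demo).
        manifest = build_manifest(share)
        backup = work / "backup"
        shutil.copytree(share, backup)
        (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

        if corrupt_backup:
            (backup / "loans.csv").write_bytes(b"id,amount\n1,25000\n")

        # Trial restore into a fresh directory, then verify against the
        # stored manifest rather than against the live share.
        restored = work / "restored"
        shutil.copytree(backup, restored)
        stored = json.loads((work / "manifest.json").read_text())
        return verify_restore(restored, stored)


if __name__ == "__main__":
    for corrupt in (False, True):
        print(f"corrupt_backup={corrupt}: {run_demo(corrupt) or 'restore verified'}")
```

The point of restoring into a fresh directory and checking against a separately stored manifest is that a backup job can report success while the copy it wrote is already unreadable; comparing the restore to the live data would also miss corruption that has crept into production, which is exactly the case a ransomware recovery has to survive.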

Finally, FHFA has a communication plan in case it is subjected to a successful ransomware attack. Mosios said that he works with senior leadership to test their responses and make sure their playbooks are in place. A ransomware attack could cut off access to social media channels, and everything connected to the network could become encrypted, so they need to know how to work around these obstacles.

“Ransomware is something that keeps me up at night. I’m sure many people in my position tend to worry about it,” Mosios said. “But again, it’s all about risk management, right? You cannot protect everything 100% of the time, but there are certainly a lot of preventative measures that can be put in place. There are defensive measures, there are more proactive measures that you can put in place to reduce that risk exposure.”
