Questions about ProofPoint? We’ve got you covered

Jessie Pudelek

In July, the FermiMail Team, in conjunction with the Cybersecurity Team, deployed ProofPoint Targeted Attack Protection, a tool intended to protect the lab against the increasing threat of phishing. This article attempts to clarify any outstanding questions regarding this service.

Q: What is ProofPoint?

A: ProofPoint is an email threat mitigation platform that can provide different security controls, one of which can rewrite URLs in messages to protect the user if they click on a malicious link. To view the rewritten URLs, simply hover over a link in an email. The destination URL should begin with “https://urldefense.proofpoint.com”.

All emails coming from outside Fermilab that contain an embedded link, whether it’s malicious or not, will have the link rewritten by ProofPoint (known as “being ProofPointed”). If a user clicks a link, their browser will be redirected to ProofPoint to determine whether the link is benign or not. If the link is malicious, the user will be notified. If the link is safe, the browser will be redirected to the original website as intended. In contrast, links in interoffice email (between fnal.gov email addresses) will NOT be rewritten.

Please note that ProofPoint works even when you aren’t at Fermilab. This means that no matter where you are viewing your messages or on which device, they will be ProofPointed. The service also works when you are onsite, continuing to protect you wherever you might be in the world.

Q: Why do we have ProofPoint?

A: Phishing is one of the most dangerous cybersecurity threats facing the lab today, if not the most dangerous. It could compromise the security of the lab’s networks and data, enabling attackers to penetrate security defenses to perform malicious activities on the network. Even a single careless click can endanger the laboratory.

The significance of this threat should not be minimized, as the percentage of Fermilab users who click on hyperlinks in malicious emails remains higher than desired. The Cybersecurity Team is aware of those who are informed and cautious when reviewing emails, and we thank you for your diligence in continuing to assist us in this effort. However, we cannot accept the risk posed by the significant number of individuals who continue to click on things they shouldn’t. In addition to increased educational efforts, we are using ProofPoint to help mitigate this danger. Having this tool in place reduces (but does not prevent) the effects of errant clicking.

Q: Does Fermilab have spam filtering implemented?

A: Yes. There is some spam filtering performed by our email servers, but spam filtering is not 100 percent effective. Suspicious emails will get through no matter what. This is true of (almost) every email platform.

It is possible to create additional filtering yourself via your email client. For Microsoft Outlook, you can right-click on the email you don’t want, select “Junk Email,” and then click “block sender.” If you’d like to set more customized filtering rules, select “Rules” from the Home menu, followed by “Create Rule.” You will then be guided through a series of screens to assist you with this process. This is especially helpful if you wish to send repeat emails from vendors to the trash. Many other email clients have similar capabilities.

Q: Does ProofPoint replace cybersecurity awareness training?

A: Of course, ProofPoint does not replace traditional cybersecurity awareness or phishing awareness training. ProofPoint is merely a layer of extra protection, not the only protection against this serious threat. Just because a link is ProofPointed, that does not mean that you shouldn’t pay attention to what you’re clicking on, as no cybersecurity control is completely bulletproof.

For example, as mentioned above, onsite emails between fnal.gov email addresses are not ProofPointed. But if a lab employee’s email account gets compromised, an attacker can send phishing emails from their account. Those phishing emails will appear to be coming from a lab employee but will not be ProofPointed. As such, clicking on the link in this email will result in a compromise.

Q: What if I want to view the original URL?

A: One of the techniques to identify a phishing email is to hover over the link and observe the destination URL. In many cases this link may not match the contents of the email, thus indicating it is phishing. With ProofPoint, this becomes a bit more complicated.

Instead of searching through the ProofPointed link for the original, you may use our ProofPoint Decoder. The tool is available on the recently upgraded security.fnal.gov website in the left-hand menu under the “Tools” section. If you’d like to access the tool directly, copy/paste the following into your browser:

http://cstweb.fnal.gov/proofpoint_decoder/
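
How the original destination can be read back out of a rewritten link, as an added example (this is not the lab's ProofPoint Decoder and not ProofPoint's code). It assumes the "v1" and "v2" link layouts, which this article does not describe, and the sample links are constructed.

```python
from urllib.parse import urlsplit, unquote

URLDEFENSE_HOST = "urldefense.proofpoint.com"

def decode_urldefense(link):
    """Return the original URL carried in a v1/v2 rewritten link, else None."""
    parts = urlsplit(link)
    # Compare the whole hostname: a prefix test on the link text would also
    # accept look-alikes such as urldefense.proofpoint.com.example.net.
    if parts.scheme != "https" or parts.hostname != URLDEFENSE_HOST:
        return None
    segments = parts.path.strip("/").split("/")
    if len(segments) != 2 or segments[0] not in ("v1", "v2") or segments[1] != "url":
        return None
    # Take the raw "u" field; a query-string parser would percent-decode it too early.
    raw = next((f[2:] for f in parts.query.split("&") if f.startswith("u=")), "")
    if not raw:
        return None
    if segments[0] == "v2":
        # Assumed v2 encoding: "-XX" stands for "%XX" and "_" stands for "/".
        raw = raw.translate(str.maketrans("-_", "%/"))
    return unquote(raw)

# Constructed sample links (not taken from real mail).
SAMPLES = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__www.example.org_news_my-2Dpage-3Fid-3D7"
    "&d=CONSTRUCTED&c=CONSTRUCTED&r=CONSTRUCTED&m=CONSTRUCTED&s=CONSTRUCTED&e=",
    "https://urldefense.proofpoint.com/v1/url?u=https%3A//www.example.org/a&k=CONSTRUCTED",
    "https://urldefense.proofpoint.com.example.net/v2/url?u=https-3A__www.example.org_",
]

def main():
    for link in SAMPLES:
        print(decode_urldefense(link) or "not a recognised rewritten link")

if __name__ == "__main__":
    main()
```

The third sample starts with the expected text but points at a different host, so the function refuses to decode it.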

We thank everyone for their efforts to keep the lab safe and encourage those who feel confident in their phishing identification skills to join us in our awareness efforts to keep our workspace as safe and secure as possible.

Jessie Pudelek is a computer security analyst at Fermilab.