DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol designed to prevent email "spoofing" attacks, in which a malicious actor forges email so that it appears to recipients to come from a trusted email address when it does not.
Spoofing of an agency's email address can cause significant reputational damage, expose the agency's clients and customers to fraud, and can result in the agency's legitimate email being blocked by internet service providers. Because of these risks, all agencies are strongly encouraged to implement DMARC by creating an appropriate DMARC entry in their agency DNS.
DMARC uses the SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) mechanisms to authenticate the sending address of emails. Once set up, if a malicious actor uses your agency's domain as a sending address, you will be notified, and recipient agencies will be told what action to take, which can include quarantining the suspect email or rejecting it outright.
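The DMARC entry referred to above is a DNS TXT record under _dmarc.<your-domain>. The following added illustration (not the CSU's or DMARCAnalyzer's code) parses such a record and summarises whether it actually enforces a policy against spoofed mail and whether the domain owner will receive aggregate reports; the sample records and the domain agency.example are constructed.

```python
"""Parse a DMARC TXT record and report whether it enforces a policy and
requests aggregate reports. Added illustration, not the CSU's or
DMARCAnalyzer's code; the records below are constructed samples."""

# Policy values permitted for the p= and sp= tags
POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict.
    Raises ValueError if the text is not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if tags.get("p") not in POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags

def assess(record: str) -> dict:
    """Summarise what receivers will do with a spoofed message and whether
    the owner is notified. A policy only counts as enforcing when it is
    quarantine/reject AND applied to 100% of mail (pct defaults to 100)."""
    tags = parse_dmarc(record)
    pct = int(tags.get("pct", "100"))
    return {
        "policy": tags["p"],
        "enforcing": tags["p"] in ("quarantine", "reject") and pct == 100,
        "subdomain_policy": tags.get("sp", tags["p"]),  # sp= falls back to p=
        "reporting": tags.get("rua", "").startswith("mailto:"),
    }

# Constructed sample records for a hypothetical agency domain
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"
PARTIAL = "v=DMARC1; p=quarantine; pct=50"
ENFORCING = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@agency.example; adkim=s"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, PARTIAL, ENFORCING):
        print(rec, "->", assess(rec))
```

A p=none record still yields reports, which is the usual first step before moving to quarantine or reject.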
More detail on DMARC is available here.
To assist agencies with the implementation and management of DMARC, the CSU has centrally funded access to the web-based DMARCAnalyzer service (https://www.dmarcanalyzer.com), which provides detailed visibility of the hygiene state of the DMARC, SPF and DKIM records for your domains and can assist you in configuring them. It provides visibility of mail sent externally using your DNS domain names, including the ability to know when your email or web domains are being spoofed and potentially used in phishing attacks.
Training on how to use the DMARCAnalyzer service can be found on our training page. This training includes an overview of DMARC and how it works, and introduces the specific DMARCAnalyzer tool.
If you would like to participate in this centrally provided service, or have any questions, please contact email@example.com for assistance.
What is it?
Vulnerability management is a key activity in managing risk in an organisation’s networks.
A whole-of-government vulnerability scanning service was first established in 2014. The success of this program was recognised and funding was secured to continue this centrally funded whole-of-government service.
Queensland Government agencies can use the vulnerability scanning service to identify active vulnerabilities within their environment via periodic scanning of external and/or internal assets, and to generate detailed reports which allow agencies to make an informed assessment of current risk and exposure levels.
Quantifying and assessing vulnerabilities allows agencies to make informed choices in prioritising their remediation and mitigation efforts.
This service is provided at no cost to all Queensland Government departments.
Statutory Authorities wishing to use the platform can contact the Cyber Security Unit to discuss participating at moderate cost. The CSU may waive these costs to Statutory Authorities while there is excess capacity in the system.
I want to know more. How can I get involved?
Organisations that fall within the core scope of this program can participate at no cost. To determine if your organisation is eligible, please contact firstname.lastname@example.org.
What is it?
Since 2014, a phishing-simulation platform has been provided free of charge to in-scope agencies to increase user awareness of phishing emails, the consequences of clicking on them and how to report them, with the goal of reducing the number of incidents of staff clicking on phishing emails.
The current supplier is Proofpoint, using the Wombat Security ThreatSim platform. The ThreatSim tool allows agencies to phish their own staff and provide on-the-spot training to assist users in identifying phishing emails.
Additional training modules are also available under the arrangement for agencies to train staff in other information security topics. The training is informative and interesting, comprehensive statistical reporting is also available, and the platform has proven successful with agencies using it to complement their awareness training. Agencies that do not already have user awareness training are encouraged to use the available modules.
CSU can provide de-identified whole-of-government reports using the ThreatSim platform, and will make these available to agency executives at regular intervals.
How can I get involved?
In-scope agencies can contact their phishing administrators. Talk to your security team to find out who that may be.
A community of practice has been established to encourage cross-agency awareness, skills exchange and training strategies. Phishing administrators attend these meetings every 6 weeks.
If you are not part of a government department and wish to use the platform, CSU have negotiated the ability for other government entities to purchase from our contract.
Need more information, including costs?
If you would like further information regarding phishing services or reporting, please contact the Cyber Security Unit via email at email@example.com. For additional targets beyond what has been allocated to your agency, please contact CSU to discuss your requirements and pricing options. For in-scope agencies wishing to purchase additional targets, the price is US$2.95 per target for 10,000 or fewer targets.
If you have any issues using the platform, please contact Wombat Technologies: firstname.lastname@example.org
Below is material available to agencies for their use. We thank those agencies who have contributed to this user awareness material. If you would like to add something, please contact email@example.com.