Nearly all the top 10 universities in the United States, United Kingdom and Australia are putting their students, faculty and staff at risk of compromising email by failing to prevent attackers from spoofing the email domains of schools.
Universities in the United States are most at risk with the worst levels of security, followed by the United Kingdom, then Australia, according to a report released Tuesday by enterprise security company Proofpoint.
The report is based on an analysis of Domain-Based Message Authentication, Reporting and Conformance (DMARC) records in schools. DMARC is a nearly decade old email verification protocol used to authenticate the domain of an email message before it reaches its destination.
The protocol provides three levels of protection – Monitor, Quarantine, and the strongest level, Deny. The report found that none of the country’s top universities had a disallowed level of security enabled.
“Higher education institutions hold a greater proportion of sensitive personal and financial data, perhaps more than any industry outside of healthcare,” Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy, said in a statement.
“Unfortunately, this makes these institutions a highly attractive target for cybercriminals,” he continued. “The pandemic and rapid changes in distance learning have further increased cybersecurity challenges for tertiary education institutions and open them up to significant risks from malicious email-based cyberattacks such as phishing.”
Barriers to Adoption of DMARC
Universities are not alone in poor DMARC implementation.
A recent analysis of 64 million domains globally by Red Sift, a London-based manufacturer of an integrated email and brand protection platform, found that only 2.1 percent of domains had implemented DMARC. Furthermore, only 28% of all publicly traded companies in the world have fully implemented the protocol, while 41% have only enabled its basic level.
There can be many reasons for not adopting DMARC by an organization. “There may be a lack of awareness of the importance of implementing DMARC policies, as well as companies not fully aware of how to begin implementing the protocol,” said Ryan Witt, Proofpoint Industries Solutions and Strategy Leader. Explained.
“Additionally,” he continued, “the lack of government policy to mandate DMARC as a requirement may be a contributing factor.”
“Further, with the pandemic and the current economy, organizations are struggling to change their business models, so competing priorities and lack of resources are also likely factors,” he said.
advertisement
Installing the technology can also be challenging. Craig Lurey, CTO and co-founder of Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software in Chicago, explained, “This requires the ability to publish DNS records, which requires experience in systems and network administration. is needed.”
Furthermore, he told TechNewsWorld: “Many layers of setup are necessary to implement DMARC properly. This needs to be closely monitored during the implementation and rollout of the policy to ensure that legitimate email is not being blocked. ,
no bullets for spoofing
Nicole Hoffman, a senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented incorrectly, it can break things and disrupt business operations,” she told TechNewsWorld.
“Some organizations hire third parties to assist with implementation, but this requires financial resources that need to be approved,” she said.
He cautioned that DMARC will not protect against all forms of email domain spoofing.
“If you receive an email that appears to be from Bob on Google, but the email actually originated from Yahoo Mail, DMARC will detect it,” she explained. “However, if a threat actor registers a domain similar to that of Google, such as Google3, DMARC will not detect it.”
Unused domains can also be a way to avoid DMARC. “Domains that are registered but unused are also prone to email domain spoofing,” Luray explained. “Even when organizations have implemented DMARC on their primary domains, failing to enable DMARC on unused domains makes them potential targets for spoofing.”
Unique challenges of universities
Universities can have their own difficulties when it comes to implementing DMARC.
“Many times universities don’t have a centralized IT department,” Brian Westnage, Red Sift senior director of global channels, told TechNewsworld. “Each college has its own IT department operating in silos. This can make it a challenge to implement DMARC across the organization as everyone is doing something different with email. ,
Witt said the ever-changing student population at universities, coupled with a culture of openness and information-sharing, can often conflict with the rules and controls needed to effectively protect users and systems from attack and compromise.
advertisement
In addition, he continued, many educational institutions have an affiliated health system, so they need to comply with the controls associated with a regulated industry.
Funding at universities could also be an issue, noted John Bumbank, the principle threat hunter of Netenrich, a San Jose, Calif.-based IT and digital security operations company. “The biggest challenge for universities is under-funding of security teams – if they have one – and under-funding of IT teams in general,” he told TechNewsWorld.
“Universities don’t pay particularly well, so part of it is the knowledge gap,” he said.
“Many universities have a culture against enforcing any policies that may hinder research,” he said. “When I worked at a university 15 years ago, there were knock-down drag-out fights against the mandatory antivirus on workstations.”
costly problem
Mark Arnold, vice president of advisory services at LARES, an information security consulting firm in Denver, noted domain spoofing is a significant threat to organizations and the technology of choice for threat actors to impersonate businesses and employees.
“Organizational threat models must account for this prevalent threat,” he told TechNewsWorld. “Implementing DMARC helps organizations filter and validate messages and thwart phishing campaigns and other commercial email agreements.”
Business email agreement (BEC) is probably the most costly problem of all cyber security, maintained Witt. According to the FBI, BEC thieves lost $43 billion between June 2016 and December 2021.
“Most people don’t realize how exceptionally easy it is to spoof email,” Witt said. “Anyone can send a BEC email to an intended target, and there is a high probability of it getting through, especially if the impersonated organization is not authenticating their email.”
“These messages often do not contain malicious links or attachments, bypassing traditional security solutions that analyze messages for these traits,” he continued. “Instead, emails are sent only with text designed to prepare the victim to act.”
“Domain spoofing, and its cousin typosquatting, are some of the lowest-hanging fruits for cybercriminals,” Bumbenek said. “If you can get people to click on your email because it looks like it’s coming from their own university, you’ll get a higher click-through rate and, by extension, more fraud damages, stolen credentials and more.” See you successful cybercrime.”
“In recent years,” he said, “attackers have been stealing students’ financial aid refunds. There is a lot of money to be made by criminals here.”