Nearly all of the top 10 universities in the US, UK and Australia have failed to block attackers spoofing their school’s email domains, putting students, faculty and staff at risk of email compromise.
According to a report released Tuesday by the enterprise security firm Proofpoint, US universities are most at risk and have the lowest levels of protection, followed by the UK and Australia.
This report is based on an analysis of Domain-based Message Authentication, Reporting, and Conformance (DMARC) records at the schools. DMARC is an almost decade-old email verification protocol used to authenticate a sender’s domain before an email message is delivered to its destination.
The protocol offers three levels of protection: monitoring, quarantine, and the strongest level, denial. According to the report, no top university in any country had denial-level protections enabled.
“Higher education institutions hold large amounts of highly sensitive personal and financial data, perhaps more than any other industry outside healthcare.
“Unfortunately, this makes these institutions very attractive targets for cybercriminals,” he continued. “The pandemic and rapid shift to distance learning have further increased cybersecurity challenges for higher education institutions, exposing them to significant risk from malicious email-based cyberattacks such as phishing.”
Barriers to DMARC adoption
Universities aren’t the only ones with poor implementations of DMARC.
According to a recent analysis of the world’s 64 million domains by Red Sift, a London-based maker of an integrated email and brand protection platform, only 28% of all publicly traded companies in the world have fully implemented the protocol, while 41% have only a basic level enabled.
There are several possible reasons why organizations do not adopt DMARC. “There may be a lack of awareness of the importance of implementing DMARC policies, and businesses may not be fully aware of how to start implementing the protocol,” explained Ryan Witt, industries solutions and strategy lead at Proofpoint.
“Additionally, the lack of government policy to mandate DMARC as a requirement may play a role,” he continued.
“Additionally, with the pandemic and current economy, organizations may be struggling to transform their business models, so conflicting priorities and scarcity of resources may also be a factor.”
Setting up the technology can also be difficult. “You need the ability to publish DNS records, which requires system and network administration experience,” explained Craig Lurey, CTO and co-founder of Keeper Security, a provider of zero trust and zero knowledge cybersecurity software in Chicago.
“Additionally,” he told TechNewsWorld, “close monitoring is required during policy implementation and rollout to ensure that valid email is not blocked.”
No silver bullet for spoofing
Nicole Hoffman, a senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions in San Francisco, agreed that implementing DMARC can be a daunting task. “If implemented incorrectly, things can break and disrupt operations,” she told TechNewsWorld.
“Some organizations are hiring third parties to help with implementation, but this requires financial resources that need to be approved,” she added.
She warned that DMARC doesn’t protect against all types of email domain spoofing.
“If you receive an email that looks like it’s from Bob at Google, but it’s actually from Yahoo Mail, DMARC will detect it,” she explained. “But if an attacker registers a domain that looks a lot like Google’s domain, such as Google3, DMARC won’t detect it.”
Unused domains can also be a way around DMARC. “Registered but unused domains are also at risk of email domain spoofing,” Lurey explained. “Even if an organization implements DMARC on its primary domain, it may be targeted for spoofing if it does not enable DMARC on unused domains.”
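As an added illustration (not from the Proofpoint report or any vendor quoted here), the following Python script evaluates DMARC TXT records against the three policy levels described above and flags the gaps Lurey describes, such as a registered domain with no record at all. The domain names and records are constructed samples, so it runs without DNS lookups.

```python
# Constructed sample DMARC TXT records keyed by domain (made-up names, no DNS needed).
# None models a registered but unused domain that publishes no record at all.
SAMPLE_RECORDS = {
    "university.example": "v=DMARC1; p=none; rua=mailto:dmarc@university.example",
    "alumni.university.example": "v=DMARC1; p=quarantine; sp=none; pct=50",
    "secure.university.example": "v=DMARC1; p=reject; rua=mailto:dmarc@university.example",
    "old-campaign.example": None,
}

# Map the p= tag onto the three protection levels named in the article.
LEVELS = {"none": "monitoring", "quarantine": "quarantine", "reject": "denial"}


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; return None if absent or malformed."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # Receivers ignore a record that lacks v=DMARC1 or the mandatory p= tag.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(domain, record):
    """Return (protection level, list of findings) for one domain's record."""
    tags = parse_dmarc(record)
    if tags is None:
        return "unprotected", ["no valid DMARC record: the domain can be spoofed freely"]
    findings = []
    policy = tags["p"].lower()
    level = LEVELS.get(policy, "unprotected")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to monitor the rollout")
    return level, findings


def audit(records):
    """Assess every domain in a {domain: record} mapping."""
    return {domain: assess(domain, record) for domain, record in records.items()}
```

Running `audit(SAMPLE_RECORDS)` rates the four sample domains as monitoring, quarantine, denial and unprotected respectively, with the partial-coverage gaps listed per domain.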
Universities may have their own set of issues with implementing DMARC.
Brian Westnedge, senior director of global channels at Red Sift, told TechNewsWorld: “Each university has its own IT department and operates in silos. Implementing DMARC across an organization can be difficult because everyone does things a little differently with email.”
Witt added that the ever-changing student population at universities, combined with a culture of openness and information sharing, can conflict with the rules and controls often needed to effectively protect users and systems from attacks and breaches.
Furthermore, he continued, many academic institutions have associated healthcare systems and therefore must adhere to controls related to regulated industries.
Funding can be a problem at universities, too, noted Bambenek of Netenrich, an IT and digital security operations company based in San Jose, California. “The biggest challenge for universities is underfunding of the security team, if there is one, and underfunding of the IT team in general,” he told TechNewsWorld.
“College salaries aren’t very high, so part of that is a knowledge gap,” he said.
“Many universities also have a culture of resisting policies that could hinder research,” he added. “When I was working at a university 15 years ago, there was a knock-down, drag-out fight over mandatory antivirus on workstations.”
Mark Arnold, vice president of advisory services at Lares, a Denver-based information security consulting firm, noted that domain spoofing is a significant threat to organizations and a technique of choice for attackers impersonating companies and employees.
“An organization’s threat model should account for this pervasive threat,” he told TechNewsWorld. “By implementing DMARC, organizations can filter and verify messages to stop phishing campaigns and other business email compromise.”
Business email compromise (BEC) is probably the most costly problem in all of cybersecurity, Witt said. According to the FBI, between June 2016 and December 2021, $43 billion was lost to BEC thieves.
“Most people don’t realize how easy it is to spoof email,” said Witt. “Anyone can send a BEC email to the intended target, and it is more likely to get through, especially if the spoofed organization has not authenticated its email.”
“These messages often do not contain malicious links or attachments, circumventing traditional security solutions that analyze messages for these characteristics,” he continued. “Instead, emails are sent with text designed to trick victims into acting.”
“Domain spoofing and similar typosquatting are the easiest tactics for cybercriminals,” added Bambenek. “If you can get people to click on your email because it looks like it’s coming from their university, you’ll get higher click-through rates, which in turn increases fraud losses, credential theft, and cybercrime success.”
“In recent years, attackers have been stealing student financial aid refunds. Criminals make a lot of money here.”
Source: “Top Universities Exposing Students, Faculty and Staff to Email Crime”, https://www.technewsworld.com/story/top-universities-exposing-students-faculty-and-staff-to-email-crime-176970.html?rss=1