"Universities Put Email Users at Cyber Risk"

Security researchers at Proofpoint conducted a Domain-based Message Authentication, Reporting and Conformance (DMARC) analysis and found that institutions in the U.S. have among some of the poorest protections to prevent domain spoofing and lack protections to block fraudulent emails.  DMARC is an email validation protocol aimed at protecting domain names from being misused by cybercriminals by authenticating the sender’s identity before sending a message to its intended destination.  The researchers stated that top U.S. universities are among the worst in the world at protecting users from email fraud, lacking security measures to prevent common threat tactics such as domain spoofing or other types of fraudulent emails.  The researchers found that 97% of the top 10 universities in the United States, the United Kingdom, and Australia are subjecting students, staff, and administration to higher risks of email-based impersonation and other attacks because their systems lack basic security.  Moreover, researchers found that U.S. institutions are the worst offenders of the bunch, with some of the poorest levels of cybersecurity protection.  Ryan Kalember, executive vice president of Proofpoint, stated that the news is troubling, especially as email remains the most common vector for security compromises across all industries.  Among universities in the United States, Proofpoint looked at Columbia, Harvard, Princeton, Yale, Stanford, the Universities of California Berkeley and Los Angeles, the University of Pennsylvania, Massachusetts Institute of Technology, and New York University.  DMARC has three levels of protection: monitor, quarantine, and reject.  The last is the most secure for preventing suspicious emails from reaching the inbox.  The researchers found that none of the top U.S. and U.K. universities had a Reject policy in place that can actively block malicious emails from reaching their targets, leaving users of their email systems wide-open to email fraud.  While 65 percent of the top U.S. and U.K. universities, or 13 out of 20, did have a base level of DMARC protection to either monitor or quarantine emails, five of the top 10 U.S. universities did not publish any level of DMARC record.  The researchers stated that, more specifically, 11 out of the 20 institutions investigated in the United States and the United Kingdom have a Monitor policy in place, while only 2 have a Quarantine policy in place.  Across all the 30 universities observed, 17 of them (57 percent) implemented at least a Monitor policy, while four of them (13 percent) had at least a Quarantine policy.

Threatpost reports: "Universities Put Email Users at Cyber Risk"