You know the security prompt you constantly receive to secure your account and often ignore? Or that email you received one time from a friend or colleague clearly not sent by that person? More than 90 percent of all cyberattacks begin with this kind of phishing email.
Colleges and universities are, unfortunately, no strangers to phishing. In March 2018, the Deputy Attorney General of the United States announced that 320 universities, along with US government entities, had been hacked by an Iranian hacker network. The attackers succeeded in the deception by using stolen login credentials belonging to university professors. These credentials granted access to university databases and library systems, and from there the attackers proceeded to access confidential information.
Phishing and spoofing attacks are most likely when organizations don’t have a published Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and/or Domain-based Message Authentication, Reporting and Conformance (DMARC) policy properly in place. SPF is an email validation system that detects spoofing attempts. Spoofing is when a third party disguises itself as a particular sender using a counterfeit email address. DKIM uses a public/private key pair to sign outgoing messages so that the receiver can verify that message integrity was maintained during sending and delivery. DMARC is considered the industry standard for the email policy and reporting tools that help to prevent such attacks.
250ok recently analyzed the 3,164 top-level .edu domains controlled by accredited US colleges and universities. The scope of this study focused on DMARC adoption. The analysis revealed that almost 90 percent (3,211) of top-level .edu domains in the US lack even the most basic DMARC policy, which leaves students, parents, alumni, and employees at risk. For colleges and universities in Canada and the EU, the diagnosis is even worse. It is worth noting that a meaningful number of institutions likely use a subdomain for some of their messaging (e.g., “college.edu” is a root domain; “mail.college.edu” is a subdomain). However, leaving the root domain unauthenticated is an open invitation for spoofing, phishing, and mail forgery. A record published at the root domain protects the entire domain, including any subdomains, since subdomains automatically inherit the DMARC policy of the root domain.
In 2017, the US Department of Homeland Security announced Binding Operational Directive 18-01, requiring all US federal agencies to achieve a reject policy on their .gov domains by October 2018. Currently, only 0.4 percent of top-level .edu domains in the US have implemented a reject policy, the gold standard for DMARC.
For many US colleges and universities, such as those recently hacked, the issue isn’t a lack of concern. Rather, it’s their inexperience with setting up email authentication. Here are five recommendations for getting started:
- Implement both SPF and DKIM for all domains. If DKIM is further out on your roadmap, SPF is an ideal place to begin. For SPF we recommend -all or ~all, and strongly advise against the use of +all or ?all.
- Publish a DMARC record for all domains, regardless of whether or not you send mail from them. Deploying a DMARC none policy (p=none) is a good starting point. This is a great first step to familiarize yourself with DMARC data and begin the process of evaluating the length and complexity of your DMARC journey.
- Find a DMARC software solution to help you quickly interpret the large amounts of DMARC data you will receive and guide you through the journey of getting to a reject policy for your domains responsibly.
- If you do not have email authentication expertise or resources that can project-manage the process of getting to reject for your domains, engage with a consultant who can guide you through the process and expedite your timeline to achieving a reject policy for your domains.
- For non-sending domains and defensively registered domains, publish a DMARC record with a reject policy (p=reject). This is a quick win in protecting your brand by locking down assets that should never send mail.
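The checks behind the recommendations above, as an added example that is not 250ok's code or tooling: it parses SPF and DMARC TXT records from a constructed sample zone (the hostnames, IP range and report address are made up; "college.example" stands in for a real .edu root), flags the +all and ?all SPF qualifiers the post warns against, resolves the policy that actually applies to a subdomain by following the DMARC discovery rule from RFC 7489 (exact _dmarc record first, then the root domain's record, where an sp tag overrides p for subdomains), and emits the starting records the post recommends: p=none for domains that send mail, p=reject for domains that never should. The two-label guess of the organizational domain is a simplification; real resolvers consult the Public Suffix List.

```python
"""Offline SPF/DMARC posture check over a constructed set of DNS TXT records."""
from typing import Dict, List, Optional

# Constructed sample zone: hostname -> TXT records. None of this belongs to a real institution.
SAMPLE_TXT: Dict[str, List[str]] = {
    "college.example": ["v=spf1 include:_spf.mailprovider.example ip4:192.0.2.0/24 ~all"],
    # Root DMARC record: p=none to gather data first, sp=reject so subdomains are locked down
    "_dmarc.college.example": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@college.example; sp=reject"],
    "alumni.college.example": ["v=spf1 +all"],  # weak: +all authorises every sender on the internet
    "legacy.college.example": ["v=spf1 include:_spf.mailprovider.example ?all"],  # ?all is neutral
    "_dmarc.parked-college.example": ["v=DMARC1; p=reject"],  # defensively registered, never sends
}


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' DMARC record into a dictionary (tags lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(record: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism ('-', '~', '?' or '+'), or None if absent."""
    for term in record.split()[1:]:  # skip the leading 'v=spf1'
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"  # a bare 'all' means '+all'
    return None


def spf_assessment(record: str) -> str:
    """'ok' for -all/~all, 'weak' for +all/?all, 'missing-all' when nothing terminates the record."""
    qualifier = spf_all_qualifier(record)
    if qualifier in ("-", "~"):
        return "ok"
    if qualifier in ("+", "?"):
        return "weak"
    return "missing-all"


def organizational_domain(domain: str) -> str:
    """Assumed two-label organizational domain (college.example); real code uses the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def dmarc_record(host: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """First TXT record at _dmarc.<host> that starts with v=DMARC1, if any."""
    for record in txt.get(f"_dmarc.{host}", []):
        if record.lower().startswith("v=dmarc1"):
            return record
    return None


def effective_dmarc_policy(domain: str, txt: Dict[str, List[str]]) -> Optional[str]:
    """Policy that applies to mail from `domain`: its own record, else the root's (sp beats p)."""
    direct = dmarc_record(domain, txt)
    if direct:
        return parse_tags(direct).get("p")
    root = organizational_domain(domain)
    if root == domain:
        return None  # root itself has no record: unauthenticated, the open invitation the post describes
    inherited = dmarc_record(root, txt)
    if not inherited:
        return None
    tags = parse_tags(inherited)
    return tags.get("sp", tags.get("p"))


def recommended_dmarc(sends_mail: bool, report_addr: str) -> str:
    """Starting record per the post: p=none for sending domains, p=reject for non-sending ones."""
    policy = "none" if sends_mail else "reject"
    return f"v=DMARC1; p={policy}; rua=mailto:{report_addr}"


def audit_spf(txt: Dict[str, List[str]]) -> List[str]:
    """Hosts whose SPF record is not terminated by -all or ~all."""
    findings = []
    for host, records in txt.items():
        for record in records:
            if record.lower().startswith("v=spf1") and spf_assessment(record) != "ok":
                findings.append(f"{host}: SPF {spf_assessment(record)} ({record})")
    return findings


if __name__ == "__main__":
    for finding in audit_spf(SAMPLE_TXT):
        print("WARN", finding)
    for name in ("college.example", "mail.college.example", "parked-college.example", "other.example"):
        print(f"{name}: effective DMARC policy = {effective_dmarc_policy(name, SAMPLE_TXT)}")
    print("recommended for a sending root:", recommended_dmarc(True, "dmarc-reports@college.example"))
    print("recommended for a parked domain:", recommended_dmarc(False, "dmarc-reports@college.example"))
```

Running it shows why the root record matters: mail.college.example has no record of its own, yet mail from it is rejected because the root's sp=reject applies, while the root itself stays at p=none until its reports have been reviewed.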
Armed with this knowledge, our hope is higher ed institutions across the US will step up to the challenge of protecting their students, faculty, and alumni. Perhaps the pressure on US federal agencies to deploy DMARC and achieve a reject policy will be a catalyst for positive change in email authentication nationwide, and phishing will eventually become a thing of the past.