Government and Healthcare Are the Weakest Links in Global Email Security

Government and healthcare sectors have weak email security. Many domains lack SPF, DMARC, DKIM, and MTA-STS, leaving them open to phishing attacks.

Comparitech analyzed live DNS records for 5,849 domains across 13 sectors and scored each one out of 8 points based on four standard email authentication protocols: SPF, DMARC, DKIM, and MTA-STS. The results aren’t flattering. More than 8 percent of organizations had zero protection in place, and only 0.6 percent — 33 domains out of 5,849 — scored full marks. That’s 33 organizations out of nearly 6,000 doing everything right.

Government came last, with an average score of 2.73 out of 8.

“121 out of the 452 domains we scanned had zero protections in place (27%) – the highest of all sectors,” reads the report published by Comparitech. “No government domains scored full marks, but three did score 7.5 – Australia’s national science agency (CSIRO), the Mila – Quebec Artificial Intelligence Institute in Canada, and The Alan Turing Institute in the UK (also dedicated to data science and artificial intelligence).”

China’s government domains averaged just 0.9, with 65 percent having no protection at all. France wasn’t far behind at 1.4 average and 47 percent unprotected. The UK and US were the best performers in the sector, but even 17 percent of US government domains had zero protection — despite a Department of Homeland Security mandate requiring DMARC on all federal email domains.

Healthcare providers ranked second-worst at 3.43.

“85 out of the 438 domains we scanned had zero protections in place (19%) – the second highest of all sectors,” continues the report. “Four domains scored full points. Three of these were part of the UK’s NHS (NHS Blood and Transplant, Manchester University NHS Foundation Trust, and University Hospitals Birmingham NHS Foundation Trust), and one was the Dutch cancer specialist, Prinses Máxima Centrum.”

Chinese healthcare provider domains averaged 2.1, with 45 percent fully unprotected. The Netherlands was the outlier in healthcare, averaging 6.0 with zero unprotected domains. Four healthcare domains scored perfect marks: three NHS trusts in the UK and a Dutch cancer center.

Universities showed an interesting failure mode. Nearly 86 percent had a DMARC record in place, which sounds good. But 42 percent of those had left DMARC in monitoring-only mode, which means phishing emails pass straight through without being blocked or quarantined. Setting up DMARC and never enforcing it is roughly equivalent to installing a lock and leaving the key in it.

Technology companies led the field with an average score of 4.83, and only 2 percent of their domains had zero protection. Only two domains in the entire study scored perfect 8/8 across all sectors: microsoft.com and f5.com.

On the country side, “Asian countries/territories had the lowest average scores, with China (2.3), South Korea (2.84), Hong Kong (3.07), and Japan (3.53) ranking among the lowest. The European countries of France (3.77), Germany (3.8), and Spain (3.98) also scored poorly,” states Comparitech. “Among the highest-scoring countries were the Netherlands (5.51), Denmark (5.33), Norway (5.31), and Finland (5.19).”

The Nordic pattern isn’t accidental: GDPR creates pressure toward stronger data protection practices, and it shows in the scores.

MTA-STS, the protocol that enforces encrypted connections for email transfer, is almost universally ignored. Only 3 percent of all domains in the study had it in place. SPF was present on 90 percent of domains and DMARC on 81 percent, but having a record in place and enforcing it are different things: a DMARC policy set to p=none does nothing to stop a phishing email from landing in someone’s inbox.
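The "record present but not enforced" gap described here and in the universities paragraph, as an added example that is not from the article or from Comparitech's methodology (the study's point weighting is not given, so this only reports present/enforced per protocol). The domain example.test, its DNS TXT records and the MTA-STS policy text are constructed samples.

```python
# Added example (not from the article or Comparitech): assesses SPF, DMARC, DKIM and
# MTA-STS from DNS TXT data and flags records that exist but are not enforced. All
# records are constructed samples for the hypothetical domain example.test; no lookups.
WEAK_TXT = {  # everything is published, nothing is enforced
    "example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "sel1._domainkey.example.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    "_mta-sts.example.test": ["v=STSv1; id=20240101"],
}
WEAK_STS_POLICY = "version: STSv1\nmode: testing\nmx: mail.example.test\nmax_age: 86400\n"
STRONG_TXT = {  # same domain hardened: SPF hard fail, DMARC reject
    **WEAK_TXT,
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"],
}
STRONG_STS_POLICY = WEAK_STS_POLICY.replace("mode: testing", "mode: enforce")

def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC, DKIM, MTA-STS TXT) into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def assess(domain, txt, sts_policy=None):
    """Return {protocol: {'present': bool, 'enforced': bool, ...}} for one domain."""
    spf = next((r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")), None)
    dmarc = next((r for r in txt.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")), None)
    # DKIM keys live at <selector>._domainkey.<domain>; any record carrying p= is a key.
    dkim = [h for h in txt if h.endswith("._domainkey." + domain)
            and any("p" in parse_tags(r) for r in txt[h])]
    sts = next((r for r in txt.get("_mta-sts." + domain, []) if r.startswith("v=STSv1")), None)
    policy = parse_tags(dmarc).get("p", "").lower() if dmarc else None
    mode = None  # MTA-STS mode lives in the HTTPS policy file, passed in here as text
    for line in ((sts_policy or "").splitlines() if sts else []):
        if line.lower().startswith("mode:"):
            mode = line.split(":", 1)[1].strip().lower()
    return {
        "SPF": {"present": spf is not None, "enforced": bool(spf) and spf.split()[-1] == "-all"},
        "DMARC": {"present": dmarc is not None, "policy": policy,
                  "enforced": policy in ("quarantine", "reject")},
        "DKIM": {"present": bool(dkim), "enforced": bool(dkim), "selectors": dkim},
        "MTA-STS": {"present": sts is not None, "mode": mode, "enforced": mode == "enforce"},
    }

def monitoring_only(findings):
    """Protocols published but left unenforced: the article's 'lock with the key in it'."""
    return [p for p, f in findings.items() if f["present"] and not f["enforced"]]
```

Run `monitoring_only(assess("example.test", WEAK_TXT, WEAK_STS_POLICY))` to see SPF, DMARC and MTA-STS all reported as present but unenforced; the hardened records return an empty list.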

“Our report highlights how each and every industry and country has room for improvement when it comes to email security. This is even the case within sectors and/or countries where email security is regulated to some degree,” concludes the report.

“Equally, certain sectors within specific countries face heavier regulation. For example, in the US, the Department of Homeland Security (DHS) mandates that DMARC should be in use on all government agency email domains. And, in the UK, the Government Digital Service (GDS) requires DMARC across governmental domains, and with p=reject (hard fail).”

Pierluigi Paganini

(SecurityAffairs – hacking, Email Security)