The US National Cybersecurity Center of Excellence (NCCoE) has published a guide on how to improve email security – and it wants your feedback on it.
The center is part of NIST – America's National Institute of Standards and Technology – which is itself part of the US Department of Commerce. The NCCoE has put out its "draft practice guide" in an effort to educate and inform people about how to introduce proper email security.
The hope of the 241-page publication [PDF] is to increase defenses as broadly as possible against phishing, man-in-the-middle, malware and various other types of email-based attacks. Given the recent high-profile hack of the Democratic National Committee's email system and of Hillary Clinton's campaign manager John Podesta, the guide can't come soon enough for some.
The NCCoE points out that email attacks have increased in recent years, in part because of the ever-growing importance of email and in part because people fail to protect email in the same way they do other important methods of communication.
"Organizations need to protect their server-based email security mechanisms against intrusion and man-in-the-middle attacks during the automated cryptographic service negotiation process," the organization argues.
"In the absence of appropriate combination protections, any of these attacks can result in reading or modification of information by unauthorized third parties."
The guide walks through commercially available technologies that can greatly increase email security. It also takes a pragmatic approach: most people – even sysadmins – are not able to put serious protections in place, particularly when it comes to verifying the legitimacy of an incoming email, since such approaches are complex and time-consuming.
At the same time, server-based security systems are open to attack, especially if using outdated technology – giving people a false sense of security. The draft guide is designed to go through the best currently available technology and assist people in introducing it.
The guide includes encryption tools at the exchange level, as well as individual encryption and signing tools. It hopes to be user-friendly, although it's aimed at infosec pros rather than your average consumer.
It lists four main end-goals for companies:
- Encrypt email traffic between servers.
- Allow individual email users to digitally sign and/or encrypt email messages to other end users.
- Allow individual email users to obtain other users' certificates in order to validate signed email or send encrypted email.
- Generate information that can be queried by email recipients to identify valid email senders for a domain, and to confirm that a given message originated from one of those valid senders.
The guide is "initially focused" on SMTP over TLS and S/MIME and it is a fan of DANE and DNSSEC.
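As an added illustration of the first goal above and of the DANE mechanism the guide favours (this is example code written for this article, not material from the NIST guide): a receiving domain publishes a DNSSEC-signed TLSA record for its MX host, and a sending server checks the certificate the MX presents against that record before trusting the TLS session. The record parser, the `_25._tcp.<mx>` owner-name construction and the matching logic follow RFC 6698/7672; the certificate and public-key bytes below are constructed placeholders, not real DER, and only the DANE-EE usage (3) is handled, since DANE-TA (usage 2) would additionally need chain validation.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 3 = DANE-EE: pin the end-entity cert or key directly
    selector: int       # 0 = whole certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """DNS name a sending MTA queries for an MX host's TLSA record."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse presentation format, e.g. '3 1 1 <hex digest>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def record_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy one TLSA record?"""
    target = spki_der if rec.selector == 1 else cert_der
    if rec.matching_type == 0:
        return rec.data == target
    if rec.matching_type == 1:
        return rec.data == hashlib.sha256(target).digest()
    if rec.matching_type == 2:
        return rec.data == hashlib.sha512(target).digest()
    return False  # unknown matching type: treat as unusable


def dane_accepts(records, cert_der: bytes, spki_der: bytes) -> bool:
    """Accept the TLS peer if any DANE-EE record matches; anything else fails closed."""
    usable = [r for r in records if r.usage == 3 and r.selector in (0, 1)]
    return any(record_matches(r, cert_der, spki_der) for r in usable)


# Constructed sample data standing in for DER-encoded cert and SPKI bytes.
SAMPLE_CERT = b"constructed-cert-bytes-for-mail.example.com"
SAMPLE_SPKI = b"constructed-spki-bytes-for-mail.example.com"
GOOD_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
ROGUE_SPKI = b"constructed-spki-bytes-of-an-interposed-server"
```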
The NCCoE suspects – as do we – that sysadmins are going to have some views on this, and so it has put NIST Special Publication 1800-6 out for public comment until December 19. You can find out more online. ®