NIST Cybersecurity Practice Guide Now Available

NIST News:
 
We are excited to announce the release of our latest NIST Cybersecurity Practice Guide, “Domain Name Systems-Based Electronic Mail Security.” The document is a draft, and we welcome your comments and feedback.
 
What’s the guide about?
 
Email has become the dominant method of electronic communication for both private and public sector organizations, fueled by low costs and fast delivery. Securing these transactions has been less of a priority, which is one reason why email attacks have increased.
 
Whether the goal is authentication of the source of an email message or assurance that the message has not been altered by or disclosed to an unauthorized party, organizations must employ some cryptographic protection mechanism.
 
Economies of scale and a need for uniform security implementation drive most enterprises to rely on mail servers and/or Internet service providers (ISPs) to provide security to all members of an enterprise. Many current server-based email security mechanisms are vulnerable to, and have been defeated by, attacks on the integrity of the cryptographic implementations on which they depend.
 
The consequences of these vulnerabilities frequently involve unauthorized parties being able to read or modify supposedly secure information, or introduce malware to gain access to enterprise systems or information. Protocols exist that are capable of providing needed email security and privacy, but impediments such as unavailability of easily implemented software libraries and operational issues stemming from some software applications have limited adoption of existing security and privacy protocols.
 
To address this cybersecurity challenge, NCCoE security engineers developed a proof-of-concept security platform that allows an organization to improve email security and defend against email-based attacks such as phishing and man-in-the-middle attacks.
 
Using open source and commercially available technologies, this practice guide demonstrates a security platform that provides trustworthy email exchanges and tools that help organizations to encrypt emails between mail servers, allow individual email users to digitally sign and/or encrypt email messages, and allow email users to identify valid email senders as well as send digitally signed messages and validate signatures of received messages.
 
The example solution gives companies the ability to reduce risk associated with email and enable the use of existing security protocols more efficiently and with minimal impact to email service performance.
 
The guide is available for download in PDF or for web viewing. We look forward to receiving your comments on the draft guide—the approach, the architecture, and possible alternatives.
 
The comment period is open through December 19, 2016. Comments will be made public after review and can be submitted anonymously. Submit comments online or via email to dns-email-NCCoE@nist.gov.