Two new projects tackle e-mail security

Published 8 October 2015

E-mail. The modern working world cannot exist without it, but hackers exploit this vital service to steal money and valuable information. The National Institute of Standards and Technology (NIST) is tackling this threat with two new projects.

NIST is publishing a draft document for comment that provides guidelines to enhance trust in e-mail. And the National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and expertise to demonstrate a secure, standards-based e-mail system using commercially available software and other tools.

NIST notes that in the early, halcyon days of the Internet, researchers were more interested in sharing information than in securing it. Now, decades later, securing the world’s most widely used medium for business communication is a full-time job for researchers and IT specialists around the globe.

“The two main threats to current e-mail services are phishing and leaking confidential information,” explains computer scientist Scott Rose.

In phishing, hackers use forged e-mails to trick e-mail users into unknowingly providing valuable data such as bank account numbers. In other scams, addressees are lured into clicking on a link that downloads malicious code, which can home in on an organization’s most valuable data like a heat-seeking missile or steal personal information.

Hackers can also intercept e-mail messages to learn an organization’s proprietary information, or tamper with the information in the message before it is delivered to the recipient.

In the draft Trustworthy E-mail (NIST Special Publication (SP) 800-177), authors provide an overview of existing technologies and best practices, and they offer deployment guidance to meet federal government security requirements. Emerging protocols to make e-mail security and privacy easier for end users also are described.

While there are two basic threats to e-mail, there are multiple ways to exploit both, Rose says. Trustworthy E-mail suggests solutions to address all common exploits. To reduce the risk of spoofing, for example, the authors suggest that organizations use techniques to authenticate domain names used to send e-mails, and that employees or members digitally sign e-mail. For confidential e-mail, organizations can encrypt e-mail between sender and receiver or secure the transmission between e-mail servers.

Trustworthy E-mail is written for enterprise e-mail administrators, information security specialists, and network managers. The document applies to federal IT systems, but can be used in other organizations. The publication is designed to complement NIST’s earlier document, Guidelines on Electronic Mail Security, NIST SP 800-45 version 2.

The authors seek input on the draft document. The deadline for comments on Trustworthy E-mail, SP 800-177, is 30 November 2015. NIST says that any questions or comments should be sent to sp800-177@nist.gov.

At the same time, the NCCoE is seeking collaborators to provide products and technical expertise during a project that will demonstrate a secure e-mail system.

The NCCoE’s Domain Name System (DNS) Based Secured E-mail project will lead to a publicly available NIST Cybersecurity Practice Guide. The guide will explain how to employ and build a platform to meet federal and industry security and privacy requirements using commercially available tools and components. More information is available in a recent white paper.

For those interested in participating, details are provided in Federal Register Notice Document 2015-25304. Letters of interest will be accepted on a first-come, first-served basis. Those selected to participate will enter into a Cooperative Research and Development Agreement with NIST.

The NCCoE is a partnership of NIST, the State of Maryland, and Maryland’s Montgomery County.