NIST Seeks Review of Email Safety Doc

Email systems have become so routine that consumers and workers often regard them as simply part of the furniture — like a standard-issue desk at a government or business office.

However, the technology is more complex than most users appreciate — and that complexity makes it constantly vulnerable to cybersecurity threats.

Email is a central application of large-scale computer networking, and its increased use has resulted in a corresponding increase in criminal and nuisance threats, theNational Institute of Standards and Technology said in a recently released advisory on email security.

The document, titled “Trustworthy Email,” was issued as a preliminary draft, and NIST is seeking comment on its recommendations from public and private sector sources familiar with e-commerce security issues.

While the draft is geared largely to federal IT managers, its analysis and recommendations also will be useful to small and midsize businesses and organizations, NIST said. After assessing comment, it will issue a final document.

Two Major Threats

Publication of the document — NIST Special Publication 800-177 — reflects the agency’s role in providing continuing assistance to the public and private sectors on cybersecurity issues. Comments will be accepted through Nov. 30.

“The two main threats to current email services are phishing and leaking confidential information,” said Scott Rose, a NIST computer scientist who coauthored the document.

In phishing incidents, hackers use forged emails to trick users into providing valuable data such as bank account numbers, NIST said.

Other scams lure people into clicking on a link that downloads malicious code that can search for an organization’s most valuable data or steal personal information, NIST said. Hackers also can intercept email messages to capture proprietary information or tamper with information in the message before it is delivered to a recipient.

The NIST document provides an overview of existing technologies and best practices, and offers deployment guidance to meet federal government security requirements. It describes emerging protocols to make email security and privacy easier for end users.

A key element of the guidance focuses on aspects of domain name security that can be employed to enhance electronic message protection.

While there are two basic threats to email, there are multiple ways to exploit both, Rose told the E-Commerce Times.

The guidance suggests solutions to address all common exploitation techniques. For example, to reduce the risk of spoofing, organizations should use methods to authenticate domain names used to send emails, and employees should digitally sign email. For confidential messages, organizations can encrypt email between the designated senders and receivers, or secure the transmission between servers.

Three Areas for Improvement

“Trustworthy Email” is written for enterprise email administrators, information security specialists and network managers, NIST said. The document is a complement to NIST security advisories, including its”Guidelines on Electronic Mail Security,” issued in 2007.

The recommendations for improving email security in “Trustworthy Email” fall into three categories. First are the technologies for supporting core Simple Mail Transfer Protocol and the domain name system, including mechanisms for authenticating a Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance.

The second area involves NIST’s suggestion for protecting email transmission security, including the use of Transport Layer Security and associated certificate authentication protocols.

Finally, NIST addresses email content security, which could be facilitated through Secure Multipurpose Internet Mail Extensions, a standard for public key encryption and signing of data. It also endorses the use of OpenPGP, a nonproprietary protocol for encrypting email using public key cryptography.

“The NIST initiatives are going to be an improvement for email security and address current security threats. Having the new draft document is necessary in an ever-changing IT world,” said Joshua Cannell, malware intelligence analyst atMalwarebytes.

These changes in IT indicate a need to standardize security practices and develop the best security recommendations for protecting enterprises, he told the E-Commerce Times.

NIST’s “proposed solution adds some enhancement to the protection of email communications but does not address the biggest problems of phishing attacks and data leakage. These types of attacks can originate through email communication, but they are not due to a lack of security in email,” said Joseph Pizzo, engineering manager atNorse.

While such attacks can be conducted through phishing, they also can be conducted through standard Web browsing, sharing of hardware devices and by other means, he told the E-Commerce Times.

“Any security initiative is a good practice, but the underlying issue of data leakage and phishing are really left out of these new proposed regulations,” he Pizzo.

“Unfortunately, there is no one single bullet to stop all phishing,” NIST’s Rose said.

Several of the highlighted components of “Trustworthy Email” include industry best practices that do address phishing such as the sender policy, domain keying and authentication suggestions, he said.”These protocols can be used to detect if an attacker is attempting to spoof another domain. The guide also covers digitally signed email, which can authenticate the sender end to end,” Rose said.

The Federal Buzz

GSA Offers US$50 billion telecom deal: TheGeneral Services Administration has issued a request for proposals for a follow-up contract for various telecom services under the agency’s Networx program.

The 15-year contract has a total potential value of $50 billion. GSA is modifying the current telecom platform from a regional setup with a broader-based enterprise infrastructure solution.

The program is part of GSA’s Network Services 2020 strategy to become the federal government’s strategic sourcing center for network-based and -enabled services. The EIS will provide voice, video and data transport services; hosting, cloud services, call centers and associated labor services; cable and wiring; and network and security equipment, GSA said.

The following companies are incumbents for telecom support: AT&T, CenturyLink, Level 3 Communications, Sprint,and Verizon. The response date for the RFP is Jan. 15.

“The EIS acquisition demonstrates GSA’s commitment to provide federal agencies with the business solutions they need to fulfill their important missions,” said Mary Davie, GSA’s assistant commissioner of integrated technology services.

“This is the culmination of an extensive and successful collaborative process between GSA, federal agencies and industry which lasted more than two years and provided GSA with valuable feedback that helped us build and refine the RFP,” she said.

White House Unit Appoints Cyberexpert: TheU.S. Office of Personnel Management has appointed Clifton Triplett to the newly created post of senior cyber and information technology advisor. The appointment is part of OPM’s effort to shore up its cyberprotection programs.

OPM revealed in April that it had experienced a data breach of employment records. More than 20 million people were affected by the breach, the largest such incident to date in the federal government.

Before joining OPM, Triplett was a managing partner at SteelPointe Partners. A graduate of the U.S. Military Academy at West Point, he received an M.A. in computer information systems from Boston University.

In addition to service at the Defense Department, he held senior management positions in a variety of industries, including chief information officer at Baker Hughes and vice president of global services at Motorola.END