Take a sneak peek at the new NIST.gov and let us know what you think!
(Please note: some content may not be complete on the beta site.).
NIST Tackles Email Security with a Two-Faceted Approach
For Immediate Release: October 6, 2015
Email. The modern working world cannot exist without it, but hackers exploit this vital service to steal money and valuable information. The National Institute of Standards and Technology (NIST) is tackling this threat with two new projects.
NIST is publishing a draft document for comment that provides guidelines to enhance trust in email. And the National Cybersecurity Center of Excellence (NCCoE) is seeking collaborators to provide products and expertise to demonstrate a secure, standards-based email system using commercially available software and other tools.
In the early, halcyon days of the Internet, researchers were more interested in sharing information rather than securing it. Now, decades later, securing the world’s most widely used medium for business communication is a full-time job for researchers and IT specialists around the globe.
“The two main threats to current email services are phishing and leaking confidential information,” explains computer scientist Scott Rose.
In phishing, hackers use forged emails to trick email users to unknowingly provide valuable data such as bank account numbers. In other scams, addressees are lured into clicking on a link that downloads malicious code, which can home in on an organization’s most valuable data like a heat-seeking missile or steal personal information.
Hackers can also intercept email messages to learn an organization’s proprietary information, or tamper with the information in the message before it is delivered to the recipient.
In the draft Trustworthy Email (NIST Special Publication (SP) 800-177), authors provide an overview of existing technologies and best practices, and they offer deployment guidance to meet federal government security requirements. Emerging protocols to make email security and privacy easier for end users also are described.
While there are two basic threats to email, there are multiple ways to exploit both, Rose says. Trustworthy Email suggests solutions to address all common exploits. To reduce the risk of spoofing, for example, the authors suggest that organizations use techniques to authenticate domain names used to send emails, and that employees or members digitally sign email. For confidential email, organizations can encrypt email between sender and receiver or secure the transmission between email servers.
Trustworthy Email is written for enterprise email administrators, information security specialists and network managers. The document applies to federal IT systems, but can be used in other organizations. The publication is designed to complement NIST’s earlier document, Guidelines on Electronic Mail Security, NIST SP 800-45 version 2.
The authors seek input on the draft document. The deadline for comments on Trustworthy Email, SP 800-177, is November 30, 2015. Please send any questions or comments to firstname.lastname@example.org.
At the same time, the NCCoE is seeking collaborators to provide products and technical expertise during a project that will demonstrate a secure email system.
The NCCoE’s Domain Name System (DNS) Based Secured Email project will lead to a publicly available NIST Cybersecurity Practice Guide. The guide will explain how to employ and build a platform to meet federal and industry security and privacy requirements using commercially available tools and components. More information is available in a recent white paper.
If you are interested in participating, details are provided in Federal Register Notice Document 2015-25304. Letters of interest will be accepted on a first-come, first-served basis. Those selected to participate will enter into a Cooperative Research and Development Agreement with NIST.
The NCCoE is a partnership of NIST, the State of Maryland and Maryland's Montgomery County. The center is dedicated to furthering rapid adoption of practical, standards-based cybersecurity solutions for businesses and public organizations using commercially available and open-source technologies.