Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

NIST Releases Draft E-mail Security Guidelines

November 7, 2016

SC Media published a post last week advising that the U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) have released a draft guide that looks at methods of making e-mail more secure. The guide, entitled DNS-Based Email Security, examines the Domain Name System Security Extensions (DNSSEC) specifications and the DNS-Based Authentication of Named Entities (DANE) protocol. I know – not sexy – but pretty darn important.

The guide discusses ongoing challenges encountered by server-based e-mail security mechanisms, which it notes are vulnerable to attacks through fraudulent or invalid digital certificates, and security process failures as a result of fraudulent servers. "Even if there are protections in place, some attacks have been able to subvert email communication by attacking the underlying support protocols such as Domain Name Systems (DNS)," the report notes.
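As an added example (not code from the NIST guide or from the post), here is the check a DANE-aware SMTP client makes against the two failure modes above: a TLSA record from DNSSEC-validated DNS pins the server's certificate or public key, so a fraudulent but otherwise valid certificate fails the comparison, and a TLSA answer that is absent or not DNSSEC-signed gives no DANE protection at all. The certificate bytes are a constructed stand-in with the X.509 field layout, and the DER walker assumes well-formed input.

```python
import hashlib

def der(tag, body):  # DER TLV encoder, short-form length (enough for the sample)
    return bytes([tag, len(body)]) + body

def der_children(buf):
    """Split a DER SEQUENCE body into (tag, value, whole_tlv) triples."""
    items, i = [], 0
    while i < len(buf):
        tag, length, j = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long-form length, as real certificates use
            n = length & 0x7F
            length, j = int.from_bytes(buf[j:j + n], "big"), j + n
        items.append((tag, buf[j:j + length], buf[i:j + length]))
        i = j + length
    return items

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of a certificate (what TLSA selector 1 covers)."""
    fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if fields[0][0] == 0xA0:  # optional explicit [0] version
        fields = fields[1:]
    return fields[5][2]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(selector, mtype, cert_der):
    """Association data a zone would publish for this cert (None if unsupported)."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return None
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return subject.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).hexdigest()

def tlsa_matches(record, cert_der):  # record = (usage, selector, mtype, hex data)
    usage, selector, mtype, data = record
    if usage != 3:  # only DANE-EE(3) here; DANE-TA(2) would need chain building
        return False
    expected = tlsa_data(selector, mtype, cert_der)
    return expected is not None and expected == data.lower()

def dane_decision(tlsa_rrset, dnssec_secure, cert_der):
    if not dnssec_secure or not tlsa_rrset:  # unsigned or absent TLSA: no DANE at all
        return "no-dane"
    return "match" if any(tlsa_matches(r, cert_der) for r in tlsa_rrset) else "mismatch"

# Constructed sample shaped like an X.509 certificate; NOT a real certificate.
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201"))) + der(0x03, b"\x00\x04" + b"\x11" * 8))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + SPKI)
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
```

A "no-dane" result means the client can at best do opportunistic, unauthenticated TLS; only "match" gives the certificate authentication the guide is after.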

The guide also observes that server-based security systems provide a false sense of security with serious consequences that "frequently involve unauthorized parties being able to read or modify supposedly secure information, or to use e-mail as a vector for inserting malware into the system in order to gain access to enterprise systems or information."

Researchers and cryptographers have advocated updating the DNSSEC protocol, which is designed to defend against DNS cache-poisoning attacks. The efforts received a new boost in August when a Neustar report demonstrated that a DNSSEC exploit could allow attackers to insert malicious code and exfiltrate sensitive data.

The report is "long overdue," according to Tom Kellermann, CEO of Strategic Cyber Ventures. "Eighty percent of cyberattacks are leveraged via spear phishing which takes advantage of the lack of authentication and encryption that is deployed in e-mail communications," he said. Kellermann suggested that regulators should mandate NIST's recommendations to "ensure safety and security in America's cyberspace."

E-mail security has received more attention in recent months as a result of the breaches of Democratic Congressional Campaign Committee (DCCC) and Democratic National Committee (DNC) e-mails, and the exfiltration of 11.5 million documents from the Panamanian law firm Mossack Fonseca.

The guide encourages exchange-level encryption solutions, individual encryption, and signing methods. NIST has requested comments from information security pros on the guide. If you include yourself in that august group, offering your comments would certainly be helpful.
