Email is a core network application for both the private sector and government, and has become an essential business communication tool. Since email is nearly ubiquitous and often poorly secured, it also has become a vector for fraud and data theft. Phishing emails can compromise not only Federal networks and databases, but also trust in government communications.
“In fact, 1 in 141 government emails contained a malicious link or attachment, according to Symantec’s 2017 Internet Security Threat Report,” Chris Townsend, Federal vice president at Symantec, told MeriTalk. “For phishing tactics alone, government saw 1 in every 2,329 email used a phishing tactic, compared to the national average of 1 in 2,596.”
The National Institute of Standards and Technology is updating its guidance for trustworthy email and has released a new draft of Special Publication 8000-177. The new document “gives recommendations for state-of-the-art email security technologies to detect and prevent phishing and other malicious email messages. The guide was written for email administrators and for those developing security policies for an enterprise email infrastructure.”
Phishing is a type of social engineering that uses spoofed email addresses. Federal agencies are vulnerable to both sides of phishing schemes. On the one side, government systems can be compromised by employees or contractors who respond to falsified emails by clicking on malicious links, downloading malicious software, or providing sensitive information to the wrong people. On the other side, government domains (in both .gov and .mil) can be spoofed in malicious emails to citizens.
In the wake of the massive 2014 and 2015 breaches of the Office of Personnel Management, the Federal Trade Commission warned millions of citizens whose information might have been compromised of phony OPM emails that could lure recipients into providing sensitive information to scammers. With tax season approaching, the Internal Revenue Service routinely warns taxpayers and tax preparers of scammers using phony IRS addresses.
“The Internet’s underlying core email protocol, Simple Mail Transport Protocol (SMTP), was adopted in 1982 and is still deployed and operated today,” NIST says. It’s important to note that SMTP was not developed for security and remains unsecure. Since social engineering relies on misdirecting humans there is no perfect technology-based defense against phishing, but NIST recommends ways to harden SMTP:
- Sender Policy Framework (SPF), a standardized way for sending domain information to ensure that the sender is an authorized user of the domain.
- Domain Keys Identified Mail (DKIM) generates digital signatures to eliminate man-in-the-middle attacks.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC) allows senders to specify policy on how a message should be handled, the security reports that receivers can send back, and the frequency of the reports.
The document also contains guidance on securing email to ensure that contents have not been tampered with in transit. These include Transport Layer Security (TLS) and associated certificate authentication protocols, and Secure/Multipurpose Internet Mail Extensions (S/MIME) with certificate and key distribution protocols.
Since the guidance focuses on email as a service, this guidance does not discuss hardening or configuring of servers or network planning. These are covered in NIST’s SP 800-45, Guidelines of electronic Mail Security.
Comments on the latest draft of trustworthy email guidelines should be sent by January 31 to email@example.com. A template for comments is available and NIST advises reviewers to pay particular attention to Sections 5.2 (on Email transmission security) and 7.3 (on standalone clients), which have new material added.