The U.S. National Cybersecurity Center of Excellence (NCCoE) and the National Institute of Standards and Technology (NIST) released a draft guide that examines methods of making email more secure. The guide, entitled DNS-Based Email Security, examines the Domain Name System Security Extensions (DNSSEC) specifications and DNS-Based Authentication of Named Entities (DANE) protocol.
The guidance discusses ongoing challenges encountered by server-based email security mechanisms, which it notes are vulnerable to attacks through fraudulent or invalid digital certificates and to security process failures caused by fraudulent servers. “Even if there are protections in place, some attacks have been able to subvert email communication by attacking the underlying support protocols such as Domain Name Systems (DNS),” the authors wrote in the report.
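The two failure modes the guide names, a fraudulent certificate and a subverted DNS answer, are what the DNSSEC and DANE pairing is designed to close: a receiving mail server publishes a TLSA record describing the certificate it will present, a sending server fetches that record over a DNSSEC-validating resolver, and the TLS certificate it receives is accepted only if it matches the record. The following is an added illustration written for this article, not code from the NIST/NCCoE guide or from any mail software. It implements the TLSA association and matching rules of RFC 6698 and the SMTP-specific usage rules of RFC 7672 over constructed byte strings standing in for a DER certificate and its SubjectPublicKeyInfo; the `dnssec_validated` flag stands in for the resolver's AD bit, which a real client would obtain from its DNSSEC-aware resolver.

```python
"""DANE TLSA record generation and matching for SMTP (RFC 6698 / RFC 7672).

Added example; the certificate and SPKI bytes below are constructed
placeholders, not a real X.509 certificate.
"""
import hashlib
import hmac
from typing import Iterable, NamedTuple


class TLSARecord(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching: int) -> bytes:
    """Compute the association data a TLSA record carries for this cert."""
    subject = cert_der if selector == 0 else spki_der
    if matching == 0:
        return subject
    if matching == 1:
        return hashlib.sha256(subject).digest()
    if matching == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_presentation(cert_der: bytes, spki_der: bytes,
                      usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """Render the record an operator would publish, e.g. '3 1 1 <hex>'.

    The 3 1 1 form (DANE-EE, SPKI, SHA-256) is the one RFC 7672 recommends
    for SMTP because it survives certificate renewal as long as the key is kept.
    """
    data = association_data(cert_der, spki_der, selector, matching)
    return f"{usage} {selector} {matching} {data.hex()}"


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse presentation format 'usage selector matching hexdata'."""
    fields = presentation.split()
    if len(fields) != 4:
        raise ValueError("TLSA record needs exactly four fields")
    usage, selector, matching = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    return TLSARecord(usage, selector, matching, bytes.fromhex(fields[3]))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate match this record's association data?"""
    expected = association_data(cert_der, spki_der, record.selector, record.matching)
    # constant-time comparison; the data is public but this avoids a bad habit
    return hmac.compare_digest(expected, record.data)


def dane_accepts(records: Iterable[TLSARecord], cert_der: bytes,
                 spki_der: bytes, dnssec_validated: bool) -> bool:
    """Decide whether an SMTP client may trust the peer's certificate via DANE.

    RFC 7672 rules applied here:
      * a TLSA RRset that was not DNSSEC-validated carries no authority,
        so a forged DNS answer cannot introduce an attacker's certificate;
      * usages 0 and 1 (PKIX-*) are ignored for SMTP;
      * usage 2 (DANE-TA) additionally requires building a chain to the
        named trust anchor, which this example does not implement, so such
        records are treated as non-matching here (assumption of the example).
    """
    if not dnssec_validated:
        return False
    return any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der)
               for r in records)


# Constructed stand-ins for a receiving server's DER certificate and SPKI.
CERT_DER = b"constructed-der-certificate-bytes-not-real"
SPKI_DER = b"constructed-subject-public-key-info-bytes"
PUBLISHED_RECORD = tlsa_presentation(CERT_DER, SPKI_DER)  # "3 1 1 <sha256 of SPKI>"

if __name__ == "__main__":
    rec = parse_tlsa(PUBLISHED_RECORD)
    print("publish:", PUBLISHED_RECORD)
    print("genuine cert, DNSSEC-validated:", dane_accepts([rec], CERT_DER, SPKI_DER, True))
    print("genuine cert, unvalidated DNS :", dane_accepts([rec], CERT_DER, SPKI_DER, False))
    print("substituted key               :", dane_accepts([rec], CERT_DER, b"attacker-spki", True))
```

The unvalidated-DNS case is the one practitioners most often get wrong: a TLSA lookup that does not go through a validating resolver (or ignores its AD bit) gives no more assurance than opportunistic TLS, because whoever can forge the DNS reply can also forge the record.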
The guide also noted that server-based security systems provide a false sense of security with dire consequences that “frequently involve unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system in order to gain access to enterprise systems or information.”
Researchers and cryptographers have advocated updating the DNSSEC protocol, which aims to defend against exploits of cache poisoning flaws. The efforts received a new impetus in August when a Neustar report demonstrated that a DNSSEC exploit could allow attackers to insert malicious code and exfiltrate sensitive data.
The report is “long overdue,” according to Tom Kellermann, CEO of Strategic Cyber Ventures. “Eighty percent of cyberattacks are leveraged via spearphishing which takes advantage of the lack of authentication and encryption that is deployed in email communications,” he wrote in an email to SCMedia.com. Kellermann suggested that regulators should mandate NIST's recommendations to “ensure safety and security in America's cyberspace.”
Email security has received more attention in recent months as a result of the breaches of Democratic Congressional Campaign Committee (DCCC) and Democratic National Committee (DNC) emails, and the exfiltration of 11.5 million documents from the Panamanian law firm Mossack Fonseca.
The guide encourages encryption at the mail-exchange level, individual encryption, and signing methods. NIST has requested comments from information security pros on the guide.