Fujitsu
Mar 30 2016

NIST Refreshes Secure Email Guidelines

For the first time in nearly a decade, the U.S. National Institute of Standards and Technology (NIST) has addressed the issue of email security: on Tuesday this week, it issued the second draft of Special Publication (SP) 800-177, which is intended to provide "recommendations and guidelines for enhancing trust in email." Stakeholders such as mail server and network administrators are invited to submit comments.

Email and comparable systems have been around since 1962, preceding the dawn of the Internet as we know it by a full seven years. Today, practically no one can go without email anymore – except a chosen few lucky enough to be able to delegate its handling to personal assistants. Against this backdrop, it's a little unsettling that many of its core technologies – such as the underlying Simple Mail Transfer Protocol (SMTP) – were adopted in the 1980s and have since remained largely untouched. This state of affairs is all the more surprising given that email has long outpaced conventional mail services and that security breaches, from man-in-the-middle (MITM) attacks to the spread of ransomware like Locky or Petya, were a key concern almost from day one. So far, attempts to remedy the situation have been few and far between: the NIST Guidelines on Electronic Mail Security date from 2007, and today, the majority of mail security policies deployed around the world are based on that standard. Unfortunately, adhering to these guidelines will not solve many problems, although NIST regards "properly implemented" mail systems that provide "spoofing protection, integrity protection, encryption and authentication" as "sufficiently secure" for communications with legal authorities, banks or your family MD.

As with most IT systems and practices, "sufficiently secure" does not mean that established measures and processes are – or will always be – absolutely unbreakable. Hence it is only natural that the new draft, entitled Trustworthy Email, attempts to complement the existing guidelines wherever possible. According to the NIST author team, the focus is on mechanisms that allow for authenticating sending domains and assuring transmission and content security. More specifically, this includes incorporating the following techniques:

  • Sender Policy Framework (SPF) – a standard that lets a sending domain identify and assert its authorized mail senders
  • DomainKeys Identified Mail (DKIM) – a method of using digital signatures generated by sending mail servers to eliminate the possibility of content modification through MITM attacks
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – a set of rules that enables senders and receivers to more accurately specify how incoming and outgoing messages should be handled, e.g. by allowing receivers to compare "From" addresses with SPF and DKIM results, or domain owners to receive feedback about how often unauthorized users try to pose as someone belonging to their domain
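
How a receiver can combine the three mechanisms listed above, as an added example that is not taken from the NIST draft or from this article: a simplified DMARC check that compares the "From" domain with the domains authenticated by SPF and DKIM. The record, the domains and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: simplified DMARC evaluation on the receiving side.
# Assumption: the organizational domain is the last two labels; a real
# receiver consults the Public Suffix List. All domains are constructed.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom, auth_dom, mode):
    """Strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def evaluate(from_dom, record, spf, dkim):
    """spf: (result, MAIL FROM domain); dkim: list of (result, d= domain).
    Returns 'pass' or the policy the domain owner requested (p= tag)."""
    policy = parse_dmarc(record)
    if policy is None:
        return "none"  # no usable record: nothing requested
    spf_ok = spf[0] == "pass" and aligned(from_dom, spf[1], policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(from_dom, dom, policy.get("adkim", "r"))
                  for res, dom in dkim)
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")

# Constructed record as it would be published at _dmarc.example.com
RECORD = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # SPF passes for an aligned bounce domain -> pass
    print(evaluate("example.com", RECORD, ("pass", "bounce.example.com"), []))
    # SPF and DKIM pass, but only for an unrelated domain -> reject
    print(evaluate("example.com", RECORD, ("pass", "example.net"),
                   [("pass", "example.net")]))
    # DKIM passes for a subdomain, but adkim=s demands an exact match -> reject
    print(evaluate("example.com", RECORD, ("fail", "example.com"),
                   [("pass", "mail.example.com")]))
```

The second case is the one DMARC exists for: SPF and DKIM both report "pass", yet neither result is tied to the domain shown in the "From" header, so the owner's policy applies.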

Moreover, the authors suggest using a combination of TLS and DNSSEC to mitigate the growing number of risks that derive from attacks on certification authorities (CAs) that hand out PKI/X.509 certificates, and employing the well-known S/MIME standard to authenticate senders of legitimate mass mailings.

For more information, please check out NIST's Computer Security Resource Center.

 