A new draft Special Publication from NIST addresses email security. SP 800-45A has the depth and breadth we have come to expect from NIST, with over 140 pages covering email-related security threats and their mitigations; the threats it addresses include the following examples:
- Since exchanging email with the outside world is a requirement for most organizations, email is allowed through their network perimeter defenses. Because of this, attackers are increasingly using email as a vector for their attacks. At a basic level, viruses and other types of malware may be distributed throughout an organization via email. Increasingly, however, attackers are getting more sophisticated and are using email to deliver targeted zero-day attacks to users in an attempt to compromise their workstations. If successful, the attackers will then have an attack platform within the organization’s internal network.
- Given email’s nature of human to human communication, it can be used as a social engineering vehicle. Email can allow an attacker to exploit an organization’s users to gather information or get the users to perform actions that further an attack.
- Flaws in the mail server application may be used as the means of compromising the underlying server and hence the attached network. Examples of this unauthorized access include gaining access to files or folders that were not meant to be publicly accessible, and being able to execute commands and/or install software on the mail server.
- Denial of service (DoS) attacks may be directed to the mail server or its support network infrastructure, denying or hindering valid users from using the mail server.
- Sensitive information on the mail server may be read by unauthorized individuals or changed in an unauthorized manner.
- Sensitive information transmitted unencrypted between mail server and client may be intercepted. All popular email communication standards default to sending usernames, passwords, and email messages unencrypted.
- Information within email messages may be altered at some point between the sender and recipient.
- Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the mail server. For example, once the mail server is compromised, an attacker could retrieve users’ passwords, which may grant the attacker access to other hosts on the organization’s network.
- Malicious entities may attack external organizations from a successful attack on a mail server host.
- Misconfiguration may allow malicious entities to use the organization’s mail server to send email-based advertisements (i.e., spam).
- Users may send inappropriate, proprietary, or other sensitive information via email. This could expose the organization to legal action.
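Two of the items above, unencrypted credentials on the wire and misconfigured relaying, come down to policy decisions that can be expressed in a few lines. The following Python block is an added example, not code from the NIST draft or from this post. It models the two defender-side rules that address those items: a mail client that never issues AUTH until TLS has been negotiated (the same intent as Postfix's `smtpd_tls_auth_only` on the server side), and a server-side relay decision that accepts mail for non-local recipients only from authenticated clients or trusted networks (the intent of Postfix's `smtpd_relay_restrictions`). The EHLO responses, the local domain, and the network ranges are constructed sample data; the function names are this example's own.

```python
"""Added example: two policy checks for the email threats listed above.

1. TLS-before-AUTH (client side): parse the server's EHLO capability list and
   decide whether the next command may be AUTH, must be STARTTLS, or whether
   the session should be abandoned because credentials would go in cleartext.
2. Relay policy (server side): accept a recipient only if it is local, or the
   client is authenticated, or the client sits in a trusted network.
All inputs are constructed sample data, not captured traffic.
"""
import ipaddress

# Constructed EHLO replies in RFC 5321 multi-line format: "250-" continues,
# "250 " (space) terminates. Hostnames use the reserved .test TLD.
EHLO_CLEARTEXT_ONLY = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"   # offers AUTH with no STARTTLS: the weak case
    "250 8BITMIME\r\n"
)
EHLO_WITH_STARTTLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# Constructed server configuration: our own domain and a trusted LAN range
# (192.0.2.0/24 is an RFC 5737 documentation range, used here as a stand-in).
LOCAL_DOMAINS = {"example.test"}
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ehlo(response: str) -> dict:
    """Return {KEYWORD: [params]} from a 250 EHLO reply.

    The first line is the server greeting, not a capability, so it is skipped.
    Any line that is not a well-formed 250 continuation/terminator is an error.
    """
    caps = {}
    lines = [ln for ln in response.split("\r\n") if ln]
    for line in lines[1:]:
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"malformed EHLO line: {line!r}")
        parts = rest.split()
        caps[parts[0].upper()] = parts[1:]
    return caps


def next_step(response: str, tls_active: bool) -> str:
    """Client policy: return 'AUTH', 'STARTTLS' or 'ABORT'.

    Credentials are only ever sent once TLS is active. If the session is still
    cleartext, the only acceptable next command is STARTTLS; if the server does
    not offer it, give up rather than send a password in the clear.
    """
    caps = parse_ehlo(response)
    if tls_active:
        return "AUTH" if "AUTH" in caps else "ABORT"
    if "STARTTLS" in caps:
        return "STARTTLS"
    return "ABORT"


def relay_decision(client_ip: str, authenticated: bool, rcpt: str) -> str:
    """Server policy: 'ACCEPT' or 'REJECT' for one RCPT TO address.

    Local recipients are always accepted (final delivery). Non-local recipients
    are accepted only from authenticated clients or trusted networks; accepting
    them from anyone else is what makes a server an open relay.
    """
    domain = rcpt.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "ACCEPT"
    addr = ipaddress.ip_address(client_ip)
    if authenticated or any(addr in net for net in TRUSTED_NETS):
        return "ACCEPT"
    return "REJECT"


if __name__ == "__main__":
    print("cleartext, no STARTTLS ->", next_step(EHLO_CLEARTEXT_ONLY, False))
    print("cleartext, STARTTLS offered ->", next_step(EHLO_WITH_STARTTLS, False))
    print("unauthenticated outside client relaying ->",
          relay_decision("198.51.100.7", False, "bob@other.example"))
    print("authenticated client relaying ->",
          relay_decision("198.51.100.7", True, "bob@other.example"))
```

The `next_step` function treats a server that advertises AUTH without STARTTLS as a reason to abort, which is the client-side counterpart of the unencrypted-credentials item above; the `relay_decision` function rejects exactly the case that turns a mail server into a spam relay. On a real server the same checks belong in the MTA configuration rather than in application code; this model is only meant to make the decision logic explicit.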
Comments on the draft are welcome before October 6th.
More email security resources