Security News > 2007 > March > ITL Bulletin for March 2007
Fowarded from: Elizabeth Lennon ITL BULLETIN FOR MARCH 2007 IMPROVING THE SECURITY OF ELECTRONIC MAIL: UPDATED GUIDELINES ISSUED BY NIST Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Technology Administration U.S. Department of Commerce Electronic mail (email) has become a widely accepted method for people to communicate with each other. Today, more than a billion people in the world use the Internet, according to Internet World Stats, an organization that collects information on Internet usage in over 230 countries. Electronic mail, a very popular Internet application, is used on a regular basis by individuals, government, and business organizations throughout the world to exchange personal and business information. The popularity and widespread use of electronic mail systems make them tempting targets for malicious attacks, and all users and organizations should be concerned about protecting the security of their systems and their email communications. Attacks on email systems have taken different approaches. Some attackers with extensive knowledge of the workings of these systems have been able to exploit their weaknesses and use the systems to distribute viruses and other malware throughout an organization. Some sophisticated attacks have used email to compromise user workstations within an organization's internal network, and to influence users to provide information to the attackers or to unknowingly extend the attacks to other systems. Flaws in systems have enabled unauthorized users to gain access to and to change information not meant to be publicly accessible, and to execute commands and install software on the organization's mail server. Denial of service (DoS) attacks can harm an organization by preventing legitimate users from accessing systems. Attackers have also penetrated email systems to disable other organizational systems and to send false messages to others from the organization. Revised Guidelines on Electronic Mail Security The Information Technology Laboratory of the National Institute of Standards and Technology (NIST) recently updated its guidelines on protecting electronic mail systems. NIST Special Publication (SP) 800-45, Version 2, Guidelines on Electronic Mail Security: Recommendations of the National Institute of Standards and Technology, was written by Miles Tracy of Federal Reserve Information Technology, by Wayne Jansen and Karen Scarfone of NIST, and by Jason Butterfield of Booz Allen Hamilton. The publication revises NIST's original guidelines on electronic mail security that were issued in 2002, and recommends strengthened security practices for designing, implementing, and operating email systems on the public and private networks that are in use today. The guide explains the structure of electronic mail systems and the standards that govern the composition, delivery, and storage of messages. One section is devoted to a discussion of the use of cryptography for signing and encrypting email messages to protect the confidentiality and integrity of information. Other topics covered in the publication include planning and managing mail servers, securing the operating system, and safeguarding the mail server application by filtering the messages that pass through the server and securing access to mailboxes. Additional sections of the publication provide assistance on using network protection mechanisms such as firewalls and intrusion detection and prevention systems, securing the mail client, and maintaining server security on a daily basis. The appendices in NIST SP 800-45, Version 2, provide extensive supplemental information on the terms used in the guide, and supply listings of in-print and online resources for further exploration. Other useful listings offer sources for available email security tools and applications. Comprehensive checklists are provided to help organizations carry out actions that are recommended in the guidelines: protecting the security of electronic mail systems; planning and managing mail servers; securing the mail server operating system; securing mail servers and their content; implementing a secure network infrastructure; securing mail clients; and administering the mail server. NIST SP 800-45, Version 2, is available from NIST's website at http://csrc.nist.gov/publications/nistpubs/800-45-version2/SP800-45v2.pdf. The Components of Electronic Mail Systems Electronic mail systems consist of two principal components: mail clients and mail servers. Users read, compose, send, and store their email using mail clients. Mail is formatted and sent from the mail client via the network infrastructure to a mail server. The latter is the computer host that delivers, forwards, and stores mail. All components - the mail servers, the mail clients, and the network infrastructure that connects and supports them - must be protected. Voluntary industry standards have been developed for formatting, processing, transmitting, delivering, and displaying mail. Cryptography is used to protect the confidentiality and integrity of email. Cryptographic methods can be applied to sign a message to ensure the integrity of information that is sent and to confirm the identity of the sender of the message. Cryptography can also be used to encrypt the message itself to protect the confidentiality of information that is sent. Federal government organizations are required to use the cryptography standards that have been approved as Federal Information Processing Standards (FIPS). NIST SP 800-45 includes references to the FIPS for security and to NIST's programs for validating the conformance of cryptographic modules to FIPS. Appendix B of the guide contains a listing of the voluntary standards that are related to email and email security. To improve and maintain the security of their electronic mail systems, organizations should apply the principles of good planning and management that provide for the security of all of their other information and information systems. Comprehensive security plans enable organizations to identify the security requirements for each information system, and to put into place appropriate security controls. With continuous monitoring and management of systems, organizations can assess and maintain effective security. NIST'S Recommendations for Electronic Mail Security NIST recommends that organizations follow these guidelines in planning, implementing, and maintaining secure electronic mail systems: - Carefully plan and address the security aspects of the deployment of a mail server. Careful planning is critical to the efficient implementation of a secure mail server. It is more difficult and costly to address security issues once the mail server is deployed. With careful planning, organizations can make sure that their mail servers meet their security requirements and are in compliance with all relevant organizational policies prior to installation, configuration, and deployment. Management controls are especially important in organizations where the information technology support structure is highly fragmented. This fragmentation can lead to inconsistencies in managing systems, and these inconsistencies often result in security vulnerabilities. Organizations are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. The development of such a plan will support mail server administrators in making the inevitable trade-off decisions between usability, performance, and risk. Some of the issues that should be addressed in the organization's deployment plan include: * Purpose of the server and the services to be provided; * Software to be installed; * Users and their privileges; * Security and privacy issues; * Management practices and procedures to assure secure systems; * Types of personnel required for deployment and operational phases of the mail server and the supporting infrastructure. Personnel types that should be considered include system and mail server administrators, network administrators, and information systems security officers; * Skills and training required by assigned personnel; and * Availability of personnel. - Implement appropriate security management practices and controls when maintaining and operating a secure mail server. Appropriate management practices are essential to operating and maintaining a secure mail server. As part of their comprehensive planning and management practices, organizations should identify their systems and information to be protected, and then develop, document, and implement the policies, standards, procedures, and guidelines that will help to ensure the confidentiality, integrity, and availability of information system resources. To ensure the security of a mail server and the supporting network infrastructure, the following practices should be implemented: * Organization-wide information system security policy; * Configuration/change control and management; * Risk assessment and management; * Standardized software configurations that satisfy the information system security policy; * Security awareness and training; * Contingency, continuity of operations, and disaster recovery planning; and * Certification and accreditation. - Ensure that the mail server operating system is deployed, configured, and managed to meet the security requirements of the organization. The first step in securing a mail server is to secure the underlying operating system. Most commonly available mail servers operate on a general-purpose operating system. Many security issues can be avoided if the operating system's underlying mail servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use at the expense of security. Because manufacturers are not aware of each organization's security needs, each mail server administrator must configure new servers to reflect their organization's security requirements and reconfigure them as those requirements change. Using security configuration guides or checklists can assist administrators in securing systems consistently and efficiently. To secure the operating system, organizations should carry out the following steps: * Patch and update the operating system; * Remove or disable unnecessary services and applications; * Configure operating system user authentication; * Configure resource controls; * Install and configure additional security controls if needed; and * Perform security tests on the operating system. - Ensure that the mail server application is deployed, configured, and managed to meet the security requirements of the organization. Many of the steps outlined for the security of the operating system apply also to the secure installation and configuration of the mail server application. The basic recommendation is that organizations install the minimal mail server services required and eliminate any known vulnerabilities through patches or upgrades. If an installation program installs unnecessary applications, services, or scripts, they should be removed immediately after the installation process has been completed. The following steps should be performed in securing the mail server application: * Patch and upgrade the mail server application; * Remove or disable unnecessary services, applications, and sample content; * Configure mail server user authentication and access controls; * Configure mail server resource controls; and * Test the security of the mail server applications. - Consider the implementation of cryptographic technologies to protect user authentication and mail data. Most standard mail protocols default to unencrypted user authentication and send email data unencrypted through the network. When unprotected data is sent, an attacker may be able to easily compromise a user account and to intercept or alter unencrypted email messages. Most organizations should consider encrypting the user authentication session even if they do not encrypt the email data itself. Encrypted user authentication is now supported by most standard and proprietary mailbox protocols. Organizations should examine closely the decision about whether to encrypt and sign email data. Encrypting and signing email places a greater load on the user's computer and the organization's network infrastructure, and this practice may complicate malware scanning and email content filtering. Encrypting and signing messages may also result in significant administrative overhead and may increase the costs of managing email systems. However, for many organizations, the benefits of email encryption and signatures will outweigh the costs. - Employ the network infrastructure to protect mail servers. The network infrastructure includes the firewalls, routers, and the intrusion detection and prevention systems that support the mail server. These systems play a critical role in the security of the mail server. In most configurations, the network infrastructure will be the first line of defense between the Internet and a mail server. Network design alone, however, cannot protect a mail server. Because of the frequency, sophistication, and variety of mail server attacks that occur today, organizations should consider protecting their mail servers through layered and diverse protection mechanisms. - Ensure that the mail clients are deployed, configured, and used properly to meet the security requirements of the organization. The client side of the electronic mail process may represent a greater risk to the security of the mail system than the mail server functions. Organizations must address numerous issues in order to provide an appropriate level of security for email clients. The following steps will help organizations with the secure installation, configuration, and implementation of mail client applications: * Patch and upgrade the mail client applications; * Configure mail client security features, such as disabling automatic opening of messages and enabling antispam and anti-phishing features; * Configure mailbox authentication and access; and * Secure the client host's operating system. - Maintain the security of a mail server as an ongoing process. Organizations should devote constant effort, resources, and vigilance to maintain a secure mail server. The mail server should be monitored and maintained on a daily basis to assure mail security. To maintain the security of a mail server, organizations should take the following actions: * Configure, protect, and analyze log files; * Back up data frequently; * Protect against malware (e.g., viruses, worms, Trojan horses); * Establish and implement procedures for recovering from compromise; * Test and apply patches in a timely manner; and * Test the security of the system periodically. More Information NIST SP 800-45, Version 2, recommends that organizations follow effective practices for planning, implementing, and managing secure electronic mail systems as part of a comprehensive approach to information security. Many NIST publications assist organizations in developing that comprehensive approach. For information about the following publications that are linked to electronic mail security and to other security-related standards and guidelines issued by NIST, see the web page http://csrc.nist.gov/publications/index.html. FIPS 140-2, Security Requirements for Cryptographic Modules. FIPS 197, Advanced Encryption Standard (AES). FIPS 200, Minimum Security Requirements for Federal Information and Information Systems. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems. NIST SP 800-30, Risk Management Guide for Information Technology Systems. NIST SP 800-34, Contingency Planning Guide for Information Technology Systems. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems. NIST SP 800-40, Version 2, Creating a Patch and Vulnerability Management Program. NIST SP 800-41, Guideline on Firewalls and Firewall Policy. NIST SP 800-46, Security for Telecommuting and Broadband Communications. NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NIST SP 800-63, Electronic Authentication Guideline. NIST SP 800-83, Guide to Malware Incident Prevention and Handling. NIST SP 800-92, Guide to Computer Security Log Management. NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS). Disclaimer Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose. Elizabeth B. Lennon Writer/Editor Information Technology Laboratory National Institute of Standards and Technology 100 Bureau Drive, Stop 8900 Gaithersburg, MD 20899-8900 Telephone (301) 975-2832 Fax (301) 975-2378 _________________________________________ Visit the InfoSec News Security Bookstore http://www.shopinfosecnews.org
News URL
http://csrc.nist.gov/publications/nistpubs/800-45-version2/SP800-45v2.pdf