Driven by low costs and fast delivery, private and public sector organizations continue to rely on email as the dominant method of electronic communication. Securing these transactions has been less of a priority, which is one reason why email attacks have increased.
Whether the goal is authentication of the source of an email message or assurance that the message has not been altered by or disclosed to an unauthorized party, organizations must employ some cryptographic protection mechanism. Economies of scale and a need for uniform security implementation drive most enterprises to rely on mail servers and/or Internet service providers (ISPs) to provide security to all members of an enterprise. Many current server-based email security mechanisms are vulnerable to, and have been defeated by, attacks on the integrity of the cryptographic implementations on which they depend. The consequences of these vulnerabilities frequently involve unauthorized parties being able to read or modify supposedly secure information, or introduce malware to gain access to enterprise systems or information. Protocols exist that are capable of providing needed email security and privacy, but impediments such as unavailability of easily implemented software libraries and operational issues stemming from some software applications have limited adoption of existing security and privacy protocols.
To address this cybersecurity challenge, NCCoE security engineers developed an example solution that allows an organization to improve email security and defend against email-based attacks such as phishing and man-in-the-middle attacks with minimal impact on email service performance. Using open source and commercially available technologies, this practice guide demonstrates a security platform that provides trustworthy email exchanges and tools that help organizations encrypt email between mail servers, allow individual email users to digitally sign and/or encrypt email messages, and allow email users to identify valid email senders as well as send digitally signed messages and validate the signatures of received messages.