
Email Security

In document DHS 4300A Sensitive Systems Handbook (Page 187-190)

5.4 Network and Communications Security

5.4.6 Email Security

The DHS email gateway steward provides email monitoring for spam and virus activity at the gateway.

A relationship has been established between the email steward and the DHS SOC to enable communications. DHS SOC personnel will be trained to respond to incidents pertaining to email security and will assist the email steward as necessary.

Email is the most commonly used application for exchanging data electronically. The email process can be divided into two main components: (1) mail servers, which deliver, forward, and store mail, and (2) clients, which interface with the user and allow them to read, compose, send, and store messages.

Instant messaging (IM) and “I Seek You” (ICQ) tools provide similar capabilities to email, but are inherently less secure; the technology to secure IM and ICQ tools is still being developed.

IM and ICQ tools possess all of the risks associated with unsecured email, including the capability to install software or malware on a recipient’s system without their knowledge. If IM and ICQ tools are to be used, they should not include or communicate with publicly available IM or ICQ tools provided by several Internet Service Providers. Any such tools employed need to be capable of blocking any format except pure text. This specifically includes blocking executable code, Web links, video or still images, and audio. The use of Instant Messaging and ICQ is not currently authorized for use on sensitive systems and networks.

Second only to Web servers, mail servers are the hosts on a network most often targeted by intruders. Mail servers are targeted because they communicate, to some degree, with untrusted third parties. Additionally, email has been an effective method of passing malicious code (viruses). As a result, mail servers, mail clients, and the network infrastructure that supports them must be protected. Email security issues include:

• Flaws in the email application software have been used as the means of compromising the server and subsequently the associated network.

• Denial of service (DoS) attacks may be directed to the mail server.

• Sensitive information on the mail server may be read by unauthorized individuals or changed in an unauthorized manner.

• Unencrypted sensitive information transmitted between a mail server and email client could be intercepted.

• Information within the email may be altered at some point between the sender and recipient.

• Viruses and other types of malicious code may be distributed throughout an organization via email.

• The sending of inappropriate, proprietary, or other sensitive information via email could expose an organization to legal action.

DHS Policy

Components shall provide appropriate security for their email systems and email clients by:

a. Correctly securing, installing, and configuring the underlying operating system.

b. Correctly securing, installing, and configuring mail server software.

c. Securing and filtering email content.

d. Deploying appropriate network protection mechanisms, such as:

− Firewalls

− Routers

− Switches

− Intrusion detection systems.

e. Securing mail clients.

f. Conducting mail server administration in a secure manner. This includes:

− Performing regular backups

− Performing periodic security testing

− Updating and patching software


− Reviewing audit logs at least weekly.

Email security responsibilities are provided below.

Email Responsibilities

CISO

• Establishes Department-wide policy to secure Department email systems.

ISSMs

• Advise the CISO on methods for securing Department email systems.

• Enforce Department email security policies.

Certifying Officials

• Certify that adequate security controls are in place for email systems.

DAAs

• Ensure that adequate email security controls are in place prior to accreditation of the system.

System/Network Administrators

• Ensure email security controls are in place and functioning as intended.

• Ensure email security controls provide the security features outlined in this document.

• Test and apply patches in a timely manner.

• Remove or disable unneeded services and applications on email servers.

• Configure user authentication for email systems.

• Review and analyze log files.

• Back up data as required by the system security plan.

• Protect email systems against malicious code.

• Deploy the following network protection mechanisms:

− Firewalls

− Routers

− Switches

− Intrusion detection systems.

ISSOs

• Schedule semiannual/quarterly appointments with the SOC or IV&V team to scan the email system with a vulnerability assessment tool.

• Ensure that email system security controls are in place and functioning as intended.

• Ensure that email system security controls provide the security features outlined in this document and the system security plan.

• Ensure an IT Contingency Plan is in place.

Securing a mail server is a two-step process. The first step is to secure the underlying operating system. Many security issues can be avoided if the operating systems are configured appropriately. The second step is to configure the email application. Administrators must configure their servers to apply the organization’s security policy. Securing a mail server includes the following steps:

• Apply patches as they become available after first testing them in a lab environment

• Remove or disable unneeded services and applications

• Configure user authentication

• Scan the operating system with a vulnerability assessment tool

Components must consider encryption technologies to protect their email systems. Most standard mail protocols default to unencrypted user authentication and send email data in the clear. Sending data in the clear allows a hacker to compromise a user’s account and/or intercept emails.

When a PKI system is properly integrated into the client email facility, it is possible to “hash” a message to determine that it has not been altered or otherwise tampered with. It is also possible to encrypt sensitive data in an email using the employee’s digital certificate encryption key and digitally sign an email using the digital certificate’s signing key. This establishes integrity, confidentiality, and nonrepudiation with regard to sensitive information.
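The hash, sign and encrypt flow described in the paragraph above, as an added example in Go that is not part of the handbook or of any DHS system. It uses the Go standard library's RSA-PSS and RSA-OAEP in place of S/MIME certificate handling, and the key pairs, message body, and the SignedMail container are constructed for the example; the sender's signing key and the recipient's encryption key are kept as separate pairs, as the text distinguishes them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// SignedMail is a constructed container for this example, not an S/MIME
// structure: the body, its SHA-256 hash, and the sender's signature over it.
type SignedMail struct {
	Body      []byte
	Digest    [32]byte // SHA-256 of Body, the "hash" the handbook refers to
	Signature []byte   // RSA-PSS over Digest, made with the sender's signing key
}

// Sign hashes the body and signs the digest with the sender's private
// signing key (the signing half of a certificate's key pair).
func Sign(signKey *rsa.PrivateKey, body []byte) (*SignedMail, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, signKey, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedMail{Body: body, Digest: digest, Signature: sig}, nil
}

// Verify recomputes the hash of the received body and checks the signature
// with the sender's public signing key. Any change to the body in transit,
// with or without a recomputed digest, makes this return false.
func Verify(signPub *rsa.PublicKey, m *SignedMail) bool {
	digest := sha256.Sum256(m.Body)
	if digest != m.Digest {
		return false
	}
	return rsa.VerifyPSS(signPub, crypto.SHA256, digest[:], m.Signature, nil) == nil
}

// Encrypt seals a short body for one recipient with the public half of that
// recipient's encryption key (RSA-OAEP). S/MIME encrypts the message with a
// symmetric key and wraps only that key this way; a 2048-bit key with
// SHA-256 OAEP fits at most 190 bytes of direct plaintext.
func Encrypt(encPub *rsa.PublicKey, body []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, encPub, body, nil)
}

// Decrypt recovers the body with the recipient's private encryption key.
func Decrypt(encKey *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, encKey, ciphertext, nil)
}

func main() {
	// Constructed keys standing in for the sender's signing key and the
	// recipient's encryption key; real deployments take these from certificates.
	senderSign, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	recipientEnc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}

	body := []byte("Constructed sample: quarterly vulnerability scan is scheduled.")
	m, err := Sign(senderSign, body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("signature verifies:", Verify(&senderSign.PublicKey, m))

	// Integrity check: alter one word of the body after signing.
	altered := *m
	altered.Body = []byte("Constructed sample: quarterly vulnerability scan is cancelled.")
	fmt.Println("altered body verifies:", Verify(&senderSign.PublicKey, &altered))

	// Confidentiality: only the holder of recipientEnc can read the body.
	ct, err := Encrypt(&recipientEnc.PublicKey, body)
	if err != nil {
		log.Fatal(err)
	}
	pt, err := Decrypt(recipientEnc, ct)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("decrypted matches body:", string(pt) == string(body))
}
```

Verify recomputes the hash from the received body rather than trusting the transmitted digest, so a recipient who alters the body and its digest together still fails the signature check; that is what ties integrity and nonrepudiation to the sender's private key rather than to the hash alone.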

The infrastructure that supports the network plays a vital role in the security of the email system.

The network infrastructure is the first line of defense between the Internet and a mail server.

However, network design alone cannot protect a mail server. The following steps need to be accomplished on a regular recurring basis:

• Review and analyze log files

• Back up data daily (or in accordance with the system security plan)

• Protect against malicious code (e.g., viruses, worms, Trojan horses)

• Have a recovery plan in the event of a disaster

• Test and apply patches in a timely manner

• Scan the system for vulnerabilities with a vulnerability-scanning tool
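The "review and analyze log files" step above, carried out in code as an added example that is not part of the handbook. The log lines are constructed for the example and modelled on Postfix smtpd syslog output (they are not real data), and the threshold, the Finding type, and the AnalyzeLog function are assumptions of the example; it tallies SASL authentication failures and relay rejects per source address so a weekly review can see which sources need attention.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample lines modelled on Postfix smtpd syslog output (not real
// data): one source repeatedly fails SASL authentication and is then refused
// relay, another fails once and then authenticates normally.
const sampleLog = `Mar  3 02:10:01 mx1 postfix/smtpd[4123]: connect from unknown[203.0.113.9]
Mar  3 02:10:02 mx1 postfix/smtpd[4123]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 02:10:03 mx1 postfix/smtpd[4123]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 02:10:04 mx1 postfix/smtpd[4123]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar  3 02:10:05 mx1 postfix/smtpd[4123]: warning: unknown[203.0.113.9]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Mar  3 02:10:06 mx1 postfix/smtpd[4123]: disconnect from unknown[203.0.113.9]
Mar  3 02:11:40 mx1 postfix/smtpd[4130]: connect from mail.example.net[198.51.100.7]
Mar  3 02:11:41 mx1 postfix/smtpd[4130]: warning: mail.example.net[198.51.100.7]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Mar  3 02:11:45 mx1 postfix/smtpd[4130]: 7F3A1C2D4E: client=mail.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe
Mar  3 02:12:10 mx1 postfix/smtpd[4131]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 <victim@example.org>: Relay access denied; from=<x@example.invalid> to=<victim@example.org> proto=ESMTP helo=<x>
`

// Finding tallies, per source address, the events a log review should surface.
type Finding struct {
	Source       string
	AuthFailures int
	Rejects      int
}

var (
	// Source address sits in brackets after the (possibly unresolved) hostname.
	authFailRe = regexp.MustCompile(`warning: \S+\[(\d+(?:\.\d+){3})\]: SASL \w+ authentication failed`)
	rejectRe   = regexp.MustCompile(`NOQUEUE: reject: RCPT from \S+\[(\d+(?:\.\d+){3})\]`)
)

// AnalyzeLog walks the log text, counts SASL authentication failures and
// relay rejects per source address, and returns every source whose failure
// count reaches the threshold, sorted so the output is stable.
func AnalyzeLog(logText string, threshold int) (map[string]*Finding, []string) {
	findings := map[string]*Finding{}
	get := func(src string) *Finding {
		f, ok := findings[src]
		if !ok {
			f = &Finding{Source: src}
			findings[src] = f
		}
		return f
	}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := sc.Text()
		if m := authFailRe.FindStringSubmatch(line); m != nil {
			get(m[1]).AuthFailures++
		} else if m := rejectRe.FindStringSubmatch(line); m != nil {
			get(m[1]).Rejects++
		}
	}
	var flagged []string
	for src, f := range findings {
		if f.AuthFailures >= threshold {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return findings, flagged
}

func main() {
	findings, flagged := AnalyzeLog(sampleLog, 3)
	for _, f := range findings {
		fmt.Printf("%-16s auth failures=%d relay rejects=%d\n", f.Source, f.AuthFailures, f.Rejects)
	}
	fmt.Println("sources to review:", flagged)
}
```

The threshold is an assumption; in practice it would be set from the server's normal failure rate, and the same tally can be extended to other events the review should cover, such as TLS handshake failures or messages quarantined by the malicious-code scanner.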

NIST SP 800-45, Guidelines on Electronic Mail Security, and NIST SP 800-49, Federal S/MIME V3 Client Profile, have valuable information detailing how to secure email. NIST SP 800-45 gives detailed technical guidance for Microsoft Exchange, Linux, and Unix mail services and contains general guidance on how to secure mail servers.
