Email, Mobile Security Building Blocks

Friday, July 17, 2015 @ 12:07 PM gHale

Two security areas of concern for any organization are email and mobile devices.

Along those lines, two information technology security building blocks proposed through a National Institute of Standards and Technology (NIST) public-private partnership may be able to help.

One building block, Domain Name System (DNS)-Based Secured Email, would enable trustworthy email exchange across organizational boundaries, while the other, Derived Personal Identity Verification (PIV) Credentials, would let mobile devices provide security services based on those credentials.

NIST’s National Cybersecurity Center of Excellence released the proposals.

There is an increased reliance on email, but with that comes the potential for vulnerabilities.

“Many current server-based email security mechanisms are vulnerable to, and have been defeated by, attacks on the integrity of the cryptographic implementations on which they depend,” the draft states. The consequences of such breaches include exposed information and the use of email as a way to insert malware into a system.

The DNS-Based Secured Email building block will result in a publicly available NIST Cybersecurity Practice Guide that explains how to use the platform to meet security and privacy requirements and how to compose a DNS-based email security platform from commercially available tools and components, the draft said.

On the mobile side, the Derived PIV Credentials building block would let devices, which lack the card readers typically needed for smart card identity credentials such as PIV, use two-factor authentication to bolster security. The two factors would be the information derived from the card and a password, providing the same level of security for mobile devices that desktop computers and card readers have.

“Building blocks are an example of cyber security implementations that apply to multiple industry sectors and will be incorporated into many of the center’s sector-specific use cases,” the draft said.

The center’s “work to develop building blocks results in NIST Cybersecurity Practice Guides (Special Publication series 1800), publicly available descriptions of the practical steps needed to implement a cyber security reference design.”

The comment period for both drafts is open until Aug. 14.